Is the save button delay in a Firefox download dialog a security feature? What does it protect?
Yes, it is a security feature, and the purpose of the delay is to prevent attacks based around tricking the user into entering input to skip past the dialog by popping it up unexpectedly when the user is in the middle of inputting multiple key presses or mouse clicks in quick succession. The two examples that are given in this blog post explaining the feature are:
- A CAPTCHA that asks the user to type the word `only`. When they press `n`, a save dialog is popped up, and then the user will immediately press `l` and then `y`, which is the keyboard shortcut for OK on some browsers, unintentionally confirming the download.
- A webpage that convinces the user to double-click somewhere on screen, positioned so that when the dialog opens after the first click, their mouse pointer is right over the "OK" button, meaning that they immediately confirm it.
Because the button is disabled for several seconds, the input has no effect.
Mozilla bug report about the issue
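As an added illustration (not code from this answer, from the linked blog post, or from Firefox itself), here is a small JavaScript model of a dialog whose OK button discards any confirming input until a delay has elapsed, run through the two scenarios described above. The delay value, event names and keystroke timings are assumptions chosen for the example; Firefox's real delay is controlled by its `security.dialog_enable_delay` preference.

```javascript
// Added example, not Firefox's code: a minimal model of a confirm button
// guarded by a "security delay". Confirming input that arrives before the
// delay has elapsed is discarded (not queued), so keystrokes or clicks the
// user already had "in flight" cannot accept the dialog.

const DEFAULT_DELAY_MS = 1000; // Assumed value for this example.

class DelayedConfirmDialog {
  constructor(delayMs = DEFAULT_DELAY_MS) {
    this.delayMs = delayMs;
    this.openedAt = null;   // timestamp (ms) at which the dialog was shown
    this.result = null;     // null while open; 'confirmed' or 'cancelled' once closed
    this.log = [];          // every input event and how it was treated
  }

  open(nowMs) {
    this.openedAt = nowMs;
    this.result = null;
    this.log = [];
  }

  // The OK button only becomes live once delayMs has passed since open().
  confirmEnabled(nowMs) {
    return this.openedAt !== null && nowMs - this.openedAt >= this.delayMs;
  }

  // Feed one user input event and return how the dialog treated it.
  // kind: 'click-ok' | 'key-enter' | 'key-y' (accelerator for OK) | 'key-other' | 'cancel'
  input(kind, nowMs) {
    if (this.openedAt === null || this.result !== null) return 'closed';
    let outcome;
    if (kind === 'cancel') {
      // Dismissing is never delayed: cancelling is always the safe action.
      this.result = 'cancelled';
      outcome = 'cancelled';
    } else if (kind === 'click-ok' || kind === 'key-enter' || kind === 'key-y') {
      if (this.confirmEnabled(nowMs)) {
        this.result = 'confirmed';
        outcome = 'confirmed';
      } else {
        outcome = 'blocked';   // discarded outright, not deferred until the button enables
      }
    } else {
      outcome = 'ignored';     // a key that is not bound to any button
    }
    this.log.push({ kind, at: nowMs - this.openedAt, outcome });
    return outcome;
  }
}

// Scenario 1 from the answer: a CAPTCHA reads "only" and the page opens the
// download dialog right after the user types 'n'. The 'l' and 'y' keystrokes
// are already on their way, and 'y' is the accelerator for OK.
// Timings are constructed for this example.
function simulateCaptchaAttack(delayMs) {
  const dlg = new DelayedConfirmDialog(delayMs);
  const t0 = 5000;
  dlg.open(t0);
  const l = dlg.input('key-other', t0 + 80);
  const y = dlg.input('key-y', t0 + 170);
  return { l, y, result: dlg.result };
}

// Scenario 2: the page asks for a double-click; the first click opens the
// dialog under the pointer and the second click lands on OK about 120 ms later.
function simulateDoubleClickAttack(delayMs) {
  const dlg = new DelayedConfirmDialog(delayMs);
  const t0 = 5000;
  dlg.open(t0);
  const secondClick = dlg.input('click-ok', t0 + 120);
  return { secondClick, result: dlg.result };
}

// A deliberate confirmation after the delay still goes through; an early
// click is thrown away rather than remembered.
function simulateIntentionalConfirm(delayMs) {
  const dlg = new DelayedConfirmDialog(delayMs);
  const t0 = 5000;
  dlg.open(t0);
  const early = dlg.input('click-ok', t0 + 300);
  const later = dlg.input('click-ok', t0 + delayMs + 500);
  return { early, later, result: dlg.result };
}
```

Running the two attack scenarios with a delay of 0 shows the dialog being confirmed by the stray `y` keystroke or second click; with a 1000 ms delay both inputs come back as `blocked` and the dialog stays open. The one design point worth noting is that blocked input is dropped, not buffered: if the model queued the early click and applied it once the button enabled, the delay would protect nothing.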
Let's imagine that there's no delay, the default action for executable files is to open them, and there's some delay before the page requests the file download. In theory, you could accidentally run a virus if you were typing something at the exact time the dialog popped up. Incredibly rare, but I'm sure it's happened to someone somewhere.
Less maliciously, from a user experience standpoint, the user might be in the middle of pressing space or Enter right when the dialog pops up, therefore accepting the default, and possibly incorrect, action. The short delay prevents the user from accidentally selecting the wrong option.
While I doubt this feature was actually meant to protect anything (I'd rather trust my antivirus to that task), I find that I'm less likely to accidentally do the wrong thing with the file when the UI flushes my input and makes sure I actually meant to perform some action.
There is one thing that none of the other answers have mentioned: many users click OK and download without reading the popup window.
If a user were to download a malicious file accidentally (or was tricked into doing so), and clicked OK on instinct without reading and checking the file they are downloading, then they could miss important security information such as the size, filetype extension and location of the file about to be downloaded.
By disabling the OK for a few seconds, Firefox forces users to think twice and check what they are downloading.