Firefox Nightly builds are now testing a long-requested privacy tweak: a prompt that asks users whether they want to keep or automatically delete files downloaded during private browsing sessions. The change, first spotted by WindowsReport, addresses years of confusion caused by Firefox’s automatic deletion of certain files when a private window closes. If the experiment succeeds, the feature is expected to ship in Firefox 143.
Mozilla’s nightly release channel currently shows a new dialog that appears whenever a user downloads or opens a file while in private mode. The message reads: “Files stay on your device. Anyone using this device can see downloads, even when you close all private windows.” Users are then offered two immediate choices: “Got it” to keep the file, or “Delete files automatically” to purge it when all private windows are closed. A matching toggle also appears under Settings > General > Downloads, labeled “Delete files downloaded in private browsing when all private windows are closed.”
The hidden deletion that angered users
For years, Firefox’s private browsing mode has quietly removed downloaded files under specific conditions—a design choice meant to protect privacy, but one that often felt like data loss. The logic was simple: if a file is opened automatically (like a PDF rendered in Firefox’s built‑in viewer) rather than explicitly saved, the browser sometimes stores it in a temporary location and deletes it when the session ends. This cleaned up artifacts that could reveal private browsing activity, but it also meant that users who expected the file to remain in their Downloads folder were greeted with an empty directory.
Support forums and social threads are littered with complaints from users who lost PDFs, images, or documents because they assumed a file visible in the Downloads list would persist. The core tension was between Firefox’s privacy-first design goal and the average user’s mental model: a file you can see should be a file you can keep. The new prompt directly bridges that gap by making the lifecycle explicit before the file is ever written to disk.
What’s changing in Nightly
According to the report, the experimental UI introduces two concrete controls:
- Per‑download prompt: When downloading a file in private mode, Firefox now warns that the file will remain on the device and gives two options. The first, “Got it,” keeps the file after the private window closes. The second, “Delete files automatically,” marks the file for deletion once all private windows are shut. This replaces the old hidden logic where the browser unilaterally decided a file’s fate.
- Global Settings toggle: A new checkbox in the Downloads section of Firefox’s Settings lets you set a default behavior for all future private-browsing downloads. Toggling it on triggers automatic deletion; leaving it off ensures downloaded files stay until you manually remove them.
For advanced users, the underlying about:config preferences remain accessible. Preferences like browser.download.start_downloads_in_tmp_dir, browser.download.force_save_internally_handled_attachments, and the newly relevant browser.download.deletePrivate and browser.download.enableDeletePrivate give power users and IT admins fine‑grained control over where files land and when they disappear. Enterprise policies can also enforce behavior across managed fleets.
These changes are strictly experimental for now. The strings and UI elements are present in Firefox Nightly but have not yet appeared in official Mozilla release notes or stable builds. Readers should treat the described behavior as a trial that could be tweaked before reaching the release channel.
Why Mozilla is making this shift now
The automatic deletion feature was originally conceived to honor private browsing’s promise of leaving no local traces. When you view a PDF in private mode, Firefox needs to write that file somewhere so the PDF viewer can display it. By deleting it afterward, the browser minimized the risk that someone else using the same device could stumble upon sensitive documents.
But that privacy gain came at a steep usability cost. Non‑technical users often didn’t know that “opening” a file in private mode was fundamentally different from “saving” it. They assumed Downloads worked like everywhere else—files stay until you delete them. When files vanished, many blamed the browser for losing their data. The predictable result was a flood of support tickets and angry forum posts.
Mozilla’s decision to experiment with a visible prompt signals a recognition that user consent matters more than silent cleanup. By explicitly telling users that downloads will remain and giving them a clear opt‑in for automatic deletion, the browser respects both the need for privacy and the expectation of control. It’s a textbook example of “privacy by consent,” replacing a hidden, paternalistic feature with a transparent one.
The technical underpinnings: preferences and policies
To understand the new behavior, it helps to peek under the hood at the relevant about:config flags. These exist today and will continue to work alongside the new UI:
browser.download.start_downloads_in_tmp_dir(defaultfalse): When set totrue, files opened (rather than saved) are sent to the operating system’s temporary directory instead of the Downloads folder. This helps auto‑cleanup but can confuse users who expect to find those files later.browser.download.force_save_internally_handled_attachments(defaultfalse): Forces Firefox to use the “Save As” dialog for certain internally‑handled file types (like PDFs) that would otherwise be opened automatically. Enabling this gives users explicit control over where and whether a file is kept.browser.download.open_pdf_attachments_inline(defaultfalse): Controls whether PDFs are displayed inside Firefox or handed off to an external application. Inline viewing can trigger the temporary‑file path and subsequent deletion.browser.download.deletePrivate(defaultfalse): This is the preference that the new Settings toggle likely manipulates. Whentrue, Firefox will delete downloads from private browsing when the last private window closes. Previously, this behavior was often tied to internal heuristics rather than a simple toggle.browser.download.enableDeletePrivate(defaulttrue): Enables the abovedeletePrivatefunctionality. Flipping this tofalsedisables automatic deletion entirely, regardless of other settings.
Enterprise administrators can deploy policies like StartDownloadsInTempDirectory to force ephemeral downloads across all users, a practice common in kiosk or shared‑PC environments. The combination of user‑facing toggles, hidden prefs, and enterprise policies gives organizations the flexibility to lock down or liberalize download handling as needed.
The upside: clarity, control, and consent
The new prompt and settings toggle offer several clear benefits:
- Restored user trust: By making the retention decision explicit, Firefox eliminates the “disappearing files” surprise. Users who want privacy can opt into auto‑deletion; everyone else gets predictable behavior.
- Flexible defaults: Power users who value temporary file handling can still configure the browser to delete automatically by flipping the toggle or toggling the relevant about:config flags. Casual users get a simple, understandable choice.
- Better security posture: Warning that files are visible to anyone with device access nudges users to consider broader protections—like full‑disk encryption or separate Windows user accounts—rather than relying solely on browser‑level deletion.
- Reduced support burden: Support forums and Mozilla’s own help articles have long documented the “why did my PDF disappear?” issue. A transparent UI slashes the need for obscure workarounds and reduces confusion.
From a user‑experience perspective, this change aligns Firefox with the mental model most people bring to file downloads: if I can see it, I expect it to stay until I delete it.
Potential pitfalls and edge cases
No UX change is without risks, and a few stand out with this experiment:
- Prompt fatigue: If the warning appears too often—for every tiny download—users may start clicking through without reading, undermining the very consent it’s meant to provide. Mozilla will need to tune the frequency and context carefully.
- Enterprise compliance: Some regulated environments (healthcare, finance, public kiosks) require automatic removal of all browsing artifacts. If the default shifts to “keep files,” IT departments might need to push new policies to maintain compliance.
- Server‑side variability: How a file is delivered matters. Depending on server headers (e.g., Content‑Disposition), some files may still be treated as “opened” rather than “saved,” leading to inconsistent behavior. Users may still need to know tricks like right‑click → “Save Link As…” to guarantee persistence.
- OneDrive and cloud sync: On Windows, the Downloads folder is often synced to OneDrive. A file that appears to be downloaded might actually be a placeholder. The new prompt doesn’t address these files‑on‑demand complexities, so users should verify that important private‑mode downloads are fully local if they need offline access.
What Windows users need to know
For the Windows audience, this change hits a particularly sore spot. The Downloads folder is a cornerstone of the Windows file experience, and users routinely assume anything placed there is permanent. Firefox’s old behavior broke that assumption in a way that felt jarringly un‑Windows‑like. The new prompt restores that expected behavior by default, while still offering a privacy‑conscious option.
If you manage shared Windows machines—such as library PCs, lab computers, or family devices—consider these steps once the feature reaches stable:
- Set a default in Settings: If privacy is paramount, toggle “Delete files downloaded in private browsing when all private windows are closed” to on. If convenience matters more, leave it off.
- Leverage enterprise policies: For bulk deployments, use the
StartDownloadsInTempDirectorypolicy or configure the new toggle via Group Policy/Intune to enforce organizational rules. - Combine with OS‑level protections: Don’t rely on the browser alone for sensitive data. Use separate Windows user accounts, BitLocker encryption, or Windows’ Controlled folder access to add defense in depth.
How to control private‑download behavior today
If you’re running Firefox Nightly or Beta and want to test the new flow, open Settings > General > Downloads and look for the new checkbox. In stable Firefox, you can already mimic much of this control through about:config:
- Type
about:configin the address bar and accept the warning. - Search for
browser.download.deletePrivate. Set it totrueif you want automatic deletion, orfalseto keep files. - To guarantee that files never vanish unexpectedly, set
browser.download.force_save_internally_handled_attachmentstotrue. This forces Firefox to show the Save As dialog for PDFs and other internally‑handled types, giving you explicit control. - Optionally, set
browser.download.start_downloads_in_tmp_dirtotrueto shunt opened files to the temp folder, where they’ll be cleaned up by Windows’ own disk cleanup routines.
A step toward consent‑driven privacy
Firefox’s Nightly experiment acknowledges a simple truth: privacy features work best when users understand and consent to them. By swapping silent, heuristic‑based file deletion for an explicit prompt and a clear settings toggle, Mozilla is making private browsing’s tradeoffs visible—and putting the final call in users’ hands.
The change isn’t final yet. Nightly builds are Mozilla’s playground, and anything from wording to default states could change before Firefox 143. But the direction is unmistakable: user consent over opaque automation. For Windows users who’ve ever lost a downloaded file after closing a private window, that’s a welcome evolution.