Consider blocking mixed content downloads
Categories
(Core :: DOM: Security, enhancement, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox80 | --- | fixed |
People
(Reporter: ckerschb, Assigned: sstreich)
References
(Depends on 1 open bug, Blocks 2 open bugs)
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(1 file)
(deleted),
text/x-phabricator-request
|
Details |
I think we should start warning about mixed content downloads and eventually start blocking mixed insecure downloads.
Updated•5 years ago
|
I proposed this 4 years ago.
Chrome is now implementing this in version 82.
https://www.theverge.com/2020/2/10/21132099/google-chrome-users-block-insecure-downloads-https-android-ios
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Comment 2•5 years ago
|
||
Depends on D67351
Comment 4•4 years ago
|
||
Can we have a preference to allow this? I thought Mozilla was supposed to be about empowering the user!
Assignee | ||
Comment 6•4 years ago
|
||
Hi! :) - My current patch adds a preference for that, for you to toggle.
Its dom.block_download_insecure
and it's off by default for everyone except on nightly.
Comment 9•4 years ago
|
||
Backed out for build bustages.
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=307349752&repo=autoland&lineNumber=25116
Backout: https://hg.mozilla.org/integration/autoland/rev/dcf0f9b8d89da9d20c0bfc7bed4613df0d880922
Comment 11•4 years ago
|
||
Comment 12•4 years ago
|
||
Backedfor asertion failure on base/LoadInfo.cpp
Backout link: https://hg.mozilla.org/integration/autoland/rev/73bbbedc0d59b1ec6367ff9958eafb93aa375933
Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&selectedTaskRun=Jhkq447lQrOTbNLk9CBtuw.0&revision=2df0c2a2f8662b3ed42c71673a83a2967a87b352&searchStr=bc
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=308056098&repo=autoland&lineNumber=41392
Assignee | ||
Comment 13•4 years ago
|
||
Sorry,
Fixed the assertion, got a green try push now - https://treeherder.mozilla.org/#/jobs?repo=try&revision=0b0586d584c4527f46f23e49ef2aff28b12d80b5
Comment 14•4 years ago
|
||
Comment 15•4 years ago
|
||
bugherder |
Comment 16•4 years ago
|
||
Sebastian, could you please tell me how the latest Nightly 80.0a1 should behave if the mixed content download is made via drag and drop?
For instance, if I try to download a file from https://www.thinkbroadband.com/download by clicking on it, then the download is blocked (as the Opening dialog is never displayed). But if I drag the same file over the Downloads icon in the Navigation bar, then the download is completed. Is this expected?
Thanks!
Assignee | ||
Comment 17•4 years ago
|
||
Hey ! - :)
From my "user-perspective" i would argue that this is a bug. We should with our block rules be consistent.
From the tec side it's kind of expected as dropping a link onto the download button creates a new channel without the context of the original page.
Not connected - Just a note to the bug itself.
Mixed Content Download Blocking weill be staying as nightly only - until we have a better ux to communicate the blocking
Updated•4 years ago
|
Comment 18•4 years ago
|
||
Can we consider backing this out? The user has no idea why the download fails. I don't see how to current implementation is acceptable for Nightly users.
Comment 19•4 years ago
|
||
I'm just a user so it's not my call but would it make more sense to keep this but with dom.block_download_insecure
defaulting to false (to be flipped to true
at a future date)? The feature works, the problem is there's no UX so if you didn't explicitly enable it yourself you have no idea why downloads aren't working.
Reporter | ||
Comment 20•4 years ago
|
||
Please note that the mixed content blocking of downloads is currently enabled in Nightly only. I personally would prefer not to back this patch out, but I agree that we have to improve the user experience before this is ready for release.
Basti is currently working on improving the experience for end users when Firefox blocks insecure downloads.
@Basti, can you link to the right bugs here as well please?
Comment 21•4 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb, back on Aug 24th] from comment #20)
Please note that the mixed content blocking of downloads is currently enabled in Nightly only. I personally would prefer not to back this patch out, but I agree that we have to improve the user experience before this is ready for release.
Basti is currently working on improving the experience for end users when Firefox blocks insecure downloads.
@Basti, can you link to the right bugs here as well please?
FYI, a webcompat/archlinux bug couple caused by the lacking UX around this change: https://bugs.archlinux.org/task/67587 / https://github.com/webcompat/web-bugs/issues/56727 . Hope the UX improves soon, the silent blocking is very confusing.
Comment 22•4 years ago
|
||
I am going to remove the needinfo request. Bug 1656296 should solve this!
Description
•