[Description:]

In the case in which we are blocking the download due to security issues, after unblocking we should apply Always Open similar files, if the option is checked.

[Environment:]

Windows 10

[Steps:]

1. New profile.
2. Open https://www.imperial.ac.uk/computing/csg/guides/java/jsp-tutorial---some-examples-of-java-servlet-pages/
3. Scroll down to Using JDBC in JSP section, right click on Postgres.jsp or MSSQL.jsp and save link as.
4. Unblock download, afterwhich use "Alawys Open similar files" option from the Download panel with setting a default app.
5. Save as again any of the jsp files, unblocking the download.

[Actual Result:]

4. File.jsp is saved
5. File.jsp is saved

[Expected Result:]

4. File.jsp is saved
5. File.jsp is saved and opened.

A few additional notes for this scenario, which have potential for new issues:

1. Save link as triggers Potential security risk, but opening http://www.doc.ic.ac.uk/csg-res/static/jdbc/Postgres.jsp and cotext save as would not. Also, the file saved with content Save as would not have "Always Open" option. (bug 1738918 ?)
2. The Application handler would list the entry as "Text Document".
3. Low severity due to the fact that it's an edge case.
4. Since now Chrome also has an Always Open option, the save as for Note 1 would save the file.jsp.txt, while Firefox saves correctly file.jsp

I'm a bit confused. Can you re-check if bug 1563141 was "fixed" here and now we no longer open files that get unblocked in general? Or...?

And can you check if the behaviour is different with the download improvements pref turned off, and if so, can you run mozregression with that pref enabled, to see which specific change "broke" this?

I don't think this is a regression. The fix from bug 1563141 holds water and I don't think it's regressing anything in relationship with "Always Open similar files" which is a new functionality, which is not available with the download improvements pref turned off.

Giving more thought to this case: do I really want to auto-open a file that it was initially automatically blocked? Considering the high risk potential here, maybe ignoring the "always open similar files" when in this case makes perfect sense. @Gijs, calling it a feature and won't fix then ? :D

Later edit: Chrome for example auto-opens in this case, but given the above reasoning and additional thought, I think we are doing it right and we shouldn't.

(In reply to Adrian Florinescu [:aflorinescu] from comment #3)

Giving more thought to this case: do I really want to auto-open a file that it was initially automatically blocked? Considering the high risk potential here, maybe ignoring the "always open similar files" when in this case makes perfect sense. @Gijs, calling it a feature and won't fix then ? :D

Not that my opinion is really needed here, but I think I agree with this; I don't know if it was ever intentional behavior to refuse to automatically open things after we decided they're suspicious, but it seems like a decent policy regardless.

Thanks Molly! I think so to.
I'll move this towards WFM, let's reopen if we think that's still something to fix here.

Discussing this more in detail with Gijs the other day, this issue is actually invalid, due to the fact that most likely (don't have any non-malware to test with), we would probably still honor auto-open on download (not save link as).