Closed Bug 232564 Opened 21 years ago Closed 17 years ago

Warn on downloads not initiated by the user

Categories

(Toolkit :: Downloads API, defect)

defect
Not set
normal

VERIFIED WONTFIX

People

(Reporter: emichrod, Unassigned)

References

(Depends on 1 open bug)

Details

User-Agent:
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Autodownloading allows malicious .exe (and other) programs to be downloaded without warning. And the small size of this type of program does not allow the download window to be displayed long enough to take notice of it. This permits these programs to be executed, leaving the user without information about the owner and origin of the downloaded files.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
What type of warning are you expecting? Any "save to disk" option in a modern browser lets you do this without any type of warning. If you try to open an autodownloaded .exe from the Download Manager, it will give you a warning. The only thing that autodownload does is save to a location automatically, instead of asking you where to save. And how are you saying this gets triggered for download and execution? Via javascript?
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
QA Contact: mconnor
Resolution: --- → INVALID
Pages with "popup file" functions (like "popup window" code) start the autodownload function in Firebird, and these files can be viruses or spyware. It is more secure for users to always be asked before downloading a file, because nobody remembers exactly what, e.g., "mbs234.exe" in their download folder means, really. An improved "block popup files" option, and not only "block popup windows", can help.
Can you provide a URL where files autodownload like this? I don't think we need to treat users like morons and cripple the browser as a result.
I have been a great enthusiast of Firebird (now Firefox) for many years (from Netscape 2 onward): fast, clean, easy to use, secure and with very, very great development tools. I hope my suggestions can help to make this product better. Please try opening www.andr.net with your Firebird with the option: download in "save all files to this folder...". From this site "I have downloaded" the file cmb_243461.exe (size 118kb), without request. I hope this is useful (please try many times or wait a moment for the download to occur). Many thanks for your quick answer and time.
I'm not sure this is a true security issue, since it still requires user intervention. However, reopening for consideration whether we should prompt/warn on automatic download links. I think the ability to disable this is sufficient for security-conscious people, if they're unclear on what they can/can't click on safely.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Morphing summary to reflect what this is really about. Pages that initiate automatic downloads should probably prompt the user at some point. Otherwise, someone could find a malicious download later and click to open to find out what it is.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Autodownload allow to malicious .exe programs be donwloaded without warning → Warn on downloads not initiated by the user
As mentioned in comment 2, I think this should be regarded similarly to pop-up windows (and for the very same rationale that pop-up windows are blocked). If the user doesn't explicitly click a link to initiate a download, some effort should be made to notify the user. This could be a notification (alert in the corner or status bar icon) or a dialog box. Alternatively, automatically downloaded files could be differentiated in the manager by color or a short message. I think either form of notification would be the best because of their simplicity.
Set this bug as fixed, until more information can be provided.
er, this isn't fixed at all. I wonder if we can hook into permmgr for this. Still, not something critical for 1.0.
If you visit this site, http://www.freeserials.com/index.shtml, and leave, you will have in your download folder a file called cmb_243461.exe, and every time you click search you will have an additional copy. This program is some kind of dialer; you definitely don't want to touch this program and you want to delete it. But if you don't check your download folder immediately and forget about it, it can be executed by mistake (since you think that your download folder should contain things you wanted to download). And this is probably a big security concern. I have seen that in the new 1.0 builds there is security for extensions, so now it is virtually impossible to install an extension by accident: you have a 3 sec delay and the site needs to be whitelisted. Something should be done with exe files also!
*** Bug 293420 has been marked as a duplicate of this bug. ***
*** Bug 279478 has been marked as a duplicate of this bug. ***
Assignee: bugs → nobody
QA Contact: mconnor → download.manager
Depends on: 344267
As I said in 347289 comment 1, this would be annoying and would not improve security at all. Fixing bug 249951 makes a lot more sense.
A lot of sites do this now (including the download pages for Firefox and Thunderbird). I suggest WONTFIX and fixing Bug 249951.
Status: NEW → RESOLVED
Closed: 21 years ago → 17 years ago
Resolution: --- → WONTFIX
Product: Firefox → Toolkit
Status: RESOLVED → VERIFIED