(In reply to Richard J. Thomas from comment #6)
> (In reply to :Gijs (he/him) from comment #1)
> > (In reply to Richard J. Thomas from comment #0)
> > > - Submit a HTTP POST request to a trusted device, which will issue a HTTP 302 Redirect to another site, hosting a download.
> >
> > Is the POST part significant here, ie does it not happen with a 302 on a GET request?
>
> Yes - the download list shows the actual download site for GET requests, but POST triggers this disparity between the download dialog box (if shown) which has the real download site, and the download list showing the trusted device as the host.

[snip]

> > FWIW, I suspect the current behaviour is intentional... Showing the final origin of the file would mean always showing CDN domains, rather than the domain from which the user believes they downloaded something (because they clicked a link on that domain). Marco, thoughts?
>
> I trust the two previous clarifications clear this point up too - in a GET (i.e. a user clicking onto or navigating directly to a URL), the final origin matches the dialog, but in POST, the dialog 'from:' does not match the download host in the Download List.

Sorry, this has taken me a while to get back to. But already early into my trying to dig into this, I'm a bit surprised. Because I figured, based on this comment, that there's a trivial good/bad difference - the form from comment #0 with a "GET" request to index.php should work (so shows portswigger in the downloads UI), and a form with a "POST" request doesn't (and shows the testcase host, `localhost` in my case).

But that's not what I'm seeing, I'm seeing `localhost` everywhere, from a testcase that looks like this adaptation from comment #0:

```html
<!DOCTYPE html>
<html>
<body>
<form action="index.php" method="GET">
  <input type="submit" value="Submit">
</form>
<p>If you click the "Submit" button, the form-data will be sent to a page called "/index.php".</p>
</body>
</html>
```

(OK, I actually created an `<input type=radio>` set of controls that lets me easily switch between POST and GET, but the effect is the same)

Does that match what you're seeing? Maybe I'm misunderstanding where you think the POST/GET difference comes into it? Were you comparing to clicking a link that points to `index.php`, maybe?
Bug 1641487 Comment 10 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.