1202187 - Form history not being cleared on shutdown when requested

Status: RESOLVED WORKSFORME

(Toolkit :: Data Sanitization, defect)

Description

[99zx6r]

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150826023504

Steps to reproduce:

Click on a download link.
OS prompts asking what to do eg. Save or Open with WinRar
Repeated this for 3 different downloads expecting to choose the best/smallest to download.
Clicked Save on the 140Mb Android 4.0 ISO that i wanted as it was only 140Mb and more than enough for my needs.
Clicked Cancel on the other two within seconds(totalling 600+Mb)
Closed Firefox
(I don't save session history)


Actual results:

1. Firefox downloaded them all anyway
2. Firefox then deleted both download files that i had clicked Cancel when i closed FFox.
(only the one I clicked save on was correctly saved)

I'm using the latest public 40 release, updated a few days ago.


Expected results:

Only the download i clicked Save on should have been downloaded

(and at the very least it should have kept the wasted ones in the users Temp folder that i didn't want and had told Windows 7 to Cancel - lost over 600Mb for absolutely nothing - and no warning confirmations or even download completed to warn that it had ignored me and just downloaded the files anyway - I have a 60MBs+ connection but limited bandwidth...)

This is terrible behaviour and is enough for me to uninstal Firefox unless it is fixed ASAP.

Nothing should download until you confirm that you want it to download by clicking Save or whatever action is appropriate for the file and certainly not if you specifically click Cancel to an OS prompt.

(and at the very least it should be left in the users Temp folder or a prompt shown and even then, if so, I'm finished with Firefox - how do you know the size of  download until you click and get the size...nope it just downloads then deletes everything without warning. I do not want to save session data and want a clean browser with every start but i do not want files i click Cancel on to be downloaded, that's why I clicked Cancel!!! - am i expected to have the FFox download window open 24/7 and to race to stop any downloads as well as clicking Cancel?(trying very hard not to swear here)).

***Let me know if the developers disagree quickly please so I can uninstall and forget about using Firefox ever again.***

Comment 1

[99zx6r]

Attachment: ffox_privacy_settings.PNG

ffox_privacy_settings.PNG

Comment 2

[99zx6r]

go on, waste some data if you like: http://www.android-x86.org/download

(fyi just in case you didn't get the point, you can't risk clicking any of them with the current Firefox)

Comment 3

[99zx6r]

Attachment: ffox_general_settings.PNG

ffox_general_settings.PNG

Comment 4

[Loic]

I can't reproduce it, when I cancel 2 files before downloading them, only the 3rd one is downloaded and when I close FF, it asks me if I want to cancel the download or not.

Is it reproducible with a fresh profile?
https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles

Comment 5

[99zx6r]

monitor your internet usage while you try it and you'll see Firefox is actually downloading them into cache anyway, before you click save/open/cancel etc. it won't tell you in Firefox but you will see the data being used up in the background. yeh surprised me too.

please try again, this time whilst monitoring your data usage and you'll see.

Comment 6

[99zx6r]

ok so I guess it's goodbye to Firefox then? - i'm not wasting any more data - I can reproduce it on every machine and install I have. (what a shame, showed such good potential and so much good dev time has been spent on it)

For those with unlimited data it's fine and you won't notice, for those with limited data it'll waste most of it without you even knowing...

fyi you can use something like Glasswire for Windows, set it to graph 5 mins and watch your data disappear before you even have the time to click Cancel on a download. Stored in cache so you don't get to see it inside Firefox until you answer Save or Open at the prompt and if you close FF without clicking Save/Open it all gets deleted. (I need a clean browser with every start)

Comment 8

[99zx6r]

ok 1 last update just to be nice to you guys.

looks like the hidden download data is being stored in the formhistory.sqlite

when i closed the browser it went from over 10Mb down to 192Kb which now just contains just the security data i mentioned

this and the android site are the only sites visited today to re-confirm the original bug report on this machine. It downloaded approx 8-9Mb before I had time to click Cancel.

Now I have reopened and only gone to this site it has stayed at 192Kb

So now well over a Gig wasted on nothing by just using Firefox, thanks....

Comment 9

[99zx6r]

i'm too good to you

if you manually delete the formhistory.sqlite file it didn't make a new one when i went to the android site but it did start downloading in the background.

good luck, 10-4.

Comment 10

[:Gijs (he/him)]

So, this was originally filed about the downloads. We download stuff in the background when you click the link, because that is what 99.99% of users want - it means that when they click open/save/whatever, the download will be done by the time they figured out where they want to put the file. That's better than making them wait. As-is, Firefox does not optimize for bandwidth usage. There is talk about doing a project to improve that ( bug 859998) but so far it hasn't been made a priority.

As it is, I don't think we will be doing anything about the downloads issue you flagged up. They get saved to a Temp dir, and presumably deleted when you click "Cancel" so as not to waste disk space - you indicated you didn't want the file!

I'm going to close as wontfix to reflect the original downloads issue. From your last comments it sounds like the form history got deleted properly on exit.

This isn't really a security bug, but I can't set your comment to "private" so as to hide the personal information you posted. When an admin does that, this bug will be opened up.

Comment 11

[99zx6r]

RE: DOWNLOADS - yeh i just noticed all the 3 main browsers do it now, great if you are on unlimited connection but really bad if you only have a specific amount per month to use and want to check the actual size first....eg like on the site i posted...you want a 141Mb or a 440Mb iso image? you can't tell and it costs at least 10Mb per click to find out (or waste 600Mb if you wait a few seconds on my connection to compare 3 side-by-side - having wasted the data i'd prefer to have just been able to save the big iso as i had already downloaded it without knowing!)

Maybe you could add the option at some time?  (i'll go back to using netlimiter for now)

RE: SECURITY - No quite the opposite, the form data stays forever until you manually delete the file yourself, hence why i'm back using chrome. it's far too easy for anyone to use sqlitebrowserportable.exe to hop on and grab banking details etc from any user who uses Firefox and sets it to clear this data, it doesn't ever clear and won't without a manual file Delete from the specific directory via the OS.

I only used Firefox cause you used to have the reputation of being secure, well you aren't - both IE and Chrome make it much much harder to find that data and it's not saved in plain text, if saved at all. 

I don't want the bug opened cause it will make everyone go looking for saved form data, the entries i posted are the meaningless entries and as you "won't fix" it'll be there for a long time (better make sure no one else logs into your PC with Admin rights cause they will get loads of private data within seconds, I could make a usb switchblade that just copies that file and i've got tons of private stuff about you)


you've changed...i get it.

Comment 12

[Loic]

Can someone remove the "Security-Sensitive" flag, please.

Comment 13

[:Gijs (he/him)]

(In reply to Loic from comment #12)
> Can someone remove the "Security-Sensitive" flag, please.

I don't want to do that without the ability to mark comment 7 private, because it contains personal information. The rehash of bugzilla's security system means I can't do that right now.

 (In reply to 99zx6r from comment #11)
> RE: DOWNLOADS - yeh i just noticed all the 3 main browsers do it now, great
> if you are on unlimited connection but really bad if you only have a
> specific amount per month to use and want to check the actual size
> first....eg like on the site i posted...you want a 141Mb or a 440Mb iso
> image? you can't tell and it costs at least 10Mb per click to find out (or
> waste 600Mb if you wait a few seconds on my connection to compare 3
> side-by-side - having wasted the data i'd prefer to have just been able to
> save the big iso as i had already downloaded it without knowing!)
> 
> Maybe you could add the option at some time?  (i'll go back to using
> netlimiter for now)

Yes, the system does not work well for people on limited bandwidth connections. An option like the one you suggest would be part of solving the bug I linked to earlier.

> RE: SECURITY - No quite the opposite, the form data stays forever until you
> manually delete the file yourself, hence why i'm back using chrome. it's far
> too easy for anyone to use sqlitebrowserportable.exe to hop on and grab
> banking details etc from any user who uses Firefox and sets it to clear this
> data, it doesn't ever clear and won't without a manual file Delete from the
> specific directory via the OS.

If the form history data isn't being deleted that's a bug. Now that you manually deleted the data, if you fill in forms and then exit Firefox, is the data still not deleted? (ie can you reproduce this issue?

> I only used Firefox cause you used to have the reputation of being secure,
> well you aren't - both IE and Chrome make it much much harder to find that
> data and it's not saved in plain text, if saved at all. 

http://superuser.com/questions/224261/google-chrome-view-saved-form-data indicates Chrome uses plaintext sqlite just like us, in their appdata folder, just like us.

I don't think there's a material difference here - the problem is that for some reason it wasn't being cleared correctly.

> I don't want the bug opened cause it will make everyone go looking for saved
> form data, the entries i posted are the meaningless entries and as you
> "won't fix" it'll be there for a long time (better make sure no one else
> logs into your PC with Admin rights cause they will get loads of private
> data within seconds, I could make a usb switchblade that just copies that
> file and i've got tons of private stuff about you)
> 
> 
> you've changed...i get it.

Well no, I misread your comments (specifically, comment #7 and comment #8).

It is difficult to deal with reports like this that have conflicting information about 2 different issues (see also http://www.gijsk.com/blog/2015/08/why-you-might-be-asked-to-file-a-new-bugissue-instead-of-commenting-on-old-ones/ ).

I'm happy to continue to discuss the issue you are/were seeing with formhistory.sqlite, if you are. The sqlite file's contents definitely ought to be deleted on shutdown if you have selected that option in the preferences (the file probably ought to remain so we don't need to create a new, empty database on the next startup). It'd be helpful to have more details here, though. Specifically:

- can you still reproduce this right now (if you go somewhere that saves some form history, verify it ends up in the database, and then close the browser, does the database still not get cleared afterwards?)
- does the data also not get cleared properly if you use History > Clear Recent History... to delete the same, and if so, if any errors appear in the browser console (ctrl-shift-j on windows) when trying to clear the data.