Open Bug 894556 Opened 11 years ago Updated 2 years ago

Links with a "download" attribute should not load media in nsVideoDocuments

Categories

(Core :: DOM: Core & HTML, defect, P5)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86_64
Windows 8
Type:
defect

Tracking

()

People

(Reporter: cpearce, Unassigned)

References

(Blocks 1 open bug,
URL
)

Details

If a "download" attribute is present on a <a> tag which links to an audio or video file, then when the link is clicked we should download the file, not load it in an nsVideoDocument.

This is a spin off of bug 861090, some people feel very passionately about this...

Testcase:
http://people.mozilla.com/~cpearce/download.html
We support @download for same-origin links.  We do not support it for cross-origin links (like the testcase here) because there were security concerns about forcing a download from a site you don't normally control....
The case against allowing cross-origin downloads is centered around the premise that users could unknowingly download a file from a site containing their own personal information (e.g., gmail.com) and save it using a misleading name (e.g., "30off.coupon.txt") AND THEN proceed to another malicious page where they directly go and manually upload that same file they just downloaded. This is quite far-fetched in my opinion, and anyone who would succumb to such trivial trickery does not deserve to be online in the first place. I mean c'mon...Click here to download our special offer and then re-upload it through our special form! Seriously?? Or, download our special offer and then email it to this Yahoo address for a big discount! Do the people who would fall for this even know how to do email attachments?

I'm all for browser security, but if the good people of Chrome have no problem with it I don't see why Firefox has to be so limiting. At the very least I'd like to see a preference in about:config to enable cross-origin @download for advanced users. Set the default as false. Even better would be a confirmation box similar to the "Although this page is encrypted, information you submit through this form blah blah" or "This page is requesting to install addons" or "The security certificate of this page is invalid" ... I mean, there are myriad ways to heighten the user's awareness and inform them this might not be safe. One extra click or a short (or long?) delay and they can assess the risk.

Chrome is gaining support and web apps are multiplying and limiting a useful feature like this is going to hurt Firefox in the long run. In my case specifically, I develop Greasemonkey scripts and I can say the @download attribute is a much welcome addition to the HTML spec. I only wish I could use it in Firefox the way it was intended.
Priority: -- → P5
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.