Open Bug 1132784 Opened 9 years ago Updated 2 years ago

Pass the right Principal to LoadInfo for downloads

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

People

(Reporter: ckerschb, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-backlog]) 

Copying over comment from
https://bugzilla.mozilla.org/show_bug.cgi?id=1125991#c17


(In reply to Jonas Sicking (:sicking) from comment #17)
> (In reply to :Paolo Amadini from Bug 1087744 comment #26)
> > Downloads can be initiated in a number of different ways. This includes
> > "Save Page", drive-by downloads started by redirects in conjunction with
> > "Content-Disposition" headers, and finally downloads initiated by single
> > clicks, usually with "Content-Disposition" headers but also, I believe, with
> > the "download" attribute on the "a" element.
> 
> Ideally we would grab the principal of the page which contains the download
> link and forward that principal to the code which calls newChannel here.
> Which means that we need to do that for all the codepaths above.
> 
> Then use that principal as both loadingPrincipal and triggeringPrincipal.
> 
> The result of that would be that we could eventually remove:
> 
> 1. The other security checks that the download code does.
> 2. The code that sets the referrer.
> 3. The code that tracks and sets the private-browsing flag.
> 
> None of that could be removed quite yet though. But hopefully not too far
> into the future.
Assignee: nobody → mozilla
Blocks: 1006868
Status: NEW → ASSIGNED
Depends on: 1125991
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #0)
> > Ideally we would grab the principal of the page which contains the download
> > link and forward that principal to the code which calls newChannel here.

I don't think this is quite right, at least that's not the whole story. If security checks fail at this stage and are not done earlier, we would still show a failed download that can be retried.

Additionally we don't persist principals across sessions, so the download would succeed if retried from history after a browser restart.

> > The result of that would be that we could eventually remove:
> > 2. The code that sets the referrer.
> > 3. The code that tracks and sets the private-browsing flag.

I don't see how we could remove these. We need to know the referrer and the private browsing state for the download management itself, and we persist the referrer to handle restarts.
Blocks: 1006881
Blocks: 1143922
Whiteboard: [domsecurity-backlog]
Assignee: ckerschb → nobody
Status: ASSIGNED → NEW
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.