Closed Bug 1367626 Opened 3 years ago Closed 5 months ago
.downloads .download() should allow setting Referer (and others)
47 bytes, text/x-phabricator-request
|Details | Review|
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Steps to reproduce: I understand that Referer is defined as a forbidden header and all. It's fine to prevent altering it in page scripts using XMLHttpRequest. But WebExtensions (specifically background scripts) are privileged code. There's no good reason for the downloads API of WebExtensions to be restricted from setting a Referer header, when WebExtensions can do much more obviously dangerous stuff. In fact, hooking into onBeforeSendHeaders in the webRequest API allows me to modify any header I want, including Referer! We need one of two things: allow setting Referer in the headers property of the options object we pass to download(), or have the request made by download() be subject to webRequest hooks. I would be overjoyed to submit the code changes to enable the first option.
Component: Untriaged → WebExtensions: Untriaged
Product: Firefox → Toolkit
This has been added to the agenda for the May 30 WebExtensions Triage meeting at 10:30am PT. Call in info: https://wiki.mozilla.org/Add-ons/Contribute/Triage#Details_.26_How_to_Join Agenda: https://docs.google.com/document/d/1hKKRpGFIaAaI3G_HfPX2Nk8pCchyhUIKJB9y5sIrVV4/edit
none11given: You're asking for a feature without any use case. Why do you need this?
The use case is the same as for why an onBeforeSendHeaders hook lets my set the referrer. I'm the one making the request and I ought to be able to configure it how I want. If you want a specific one for me, I use it in my personal "single click image download" extension in order to download from websites that check your referrer as an anti-leech measure.
Shane, circling back to you about this -- from the meeting notes, it looks like this was approved, P5. Does that still sound right?
Whiteboard: [design-decision-needed][triaged] → [design-decision-approved][triaged]
This is not a small problem. At least on this extension ( https://github.com/harytfw/GlitterDrag ), downloads.download()'s lack of referer settings cause big problems. I think at least the referer should be setted the same as current page url in downloads.download() rather than a blank value.
I think the referer must be setted, because the referer's importance is as same as cookies to recognize the user's on many websites.
Bulk move of bugs per https://bugzilla.mozilla.org/show_bug.cgi?id=1483958
Component: Untriaged → General
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/integration/autoland/rev/f5b29024aa67 browser.downloads.download() should allow setting Referer. r=zombie
You need to log in before you can comment on or make changes to this bug.