
browser.downloads.download() should allow setting Referer (and others)

UNCONFIRMED
Unassigned

Status

WebExtensions
Untriaged
P5
enhancement
UNCONFIRMED
a year ago
27 days ago

People

(Reporter: none11given, Unassigned)

Tracking

54 Branch

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [design-decision-approved][triaged])

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce:

I understand that Referer is defined as a forbidden header and all. It's fine to prevent altering it in page scripts using XMLHttpRequest.

But WebExtensions (specifically background scripts) are privileged code. There's no good reason for the downloads API of WebExtensions to be restricted from setting a Referer header, when WebExtensions can do much more obviously dangerous stuff. In fact, hooking into onBeforeSendHeaders in the webRequest API allows me to modify any header I want, including Referer!

We need one of two things: allow setting Referer in the headers property of the options object we pass to download(), or have the request made by download() be subject to webRequest hooks.

I would be overjoyed to submit the code changes to enable the first option.
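The onBeforeSendHeaders route mentioned in the description, as an added example that is not code from this bug or from Firefox: a background-script listener that rewrites Referer for a narrow URL filter only. The URL pattern and Referer value are constructed placeholders, and `withReferer` is a hypothetical helper.

```javascript
// Added example: not code from the bug report or from Firefox.
// TARGET_PATTERNS and REFERER_VALUE are constructed placeholder values.
const TARGET_PATTERNS = ["https://images.example.com/*"];
const REFERER_VALUE = "https://www.example.com/gallery";

// Return a new header list with exactly one Referer entry set to `referer`.
// Header names are matched case-insensitively; other headers keep their order.
function withReferer(requestHeaders, referer) {
  const kept = (requestHeaders || []).filter(
    (h) => h.name.toLowerCase() !== "referer"
  );
  kept.push({ name: "Referer", value: referer });
  return kept;
}

// Listener body: webRequest expects a BlockingResponse carrying the edited headers.
function onBeforeSendHeaders(details) {
  return { requestHeaders: withReferer(details.requestHeaders, REFERER_VALUE) };
}

// Register only inside an extension background script. This needs the
// "webRequest" and "webRequestBlocking" permissions plus a host permission
// matching TARGET_PATTERNS in manifest.json.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeSendHeaders.addListener(
    onBeforeSendHeaders,
    { urls: TARGET_PATTERNS }, // narrow filter instead of "<all_urls>"
    ["blocking", "requestHeaders"]
  );
}
```

The second option in the description implies that requests issued by download() do not reach this listener, which is why the bug asks for a change to the downloads API itself.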

Updated

a year ago
Component: Untriaged → WebExtensions: Untriaged
Product: Firefox → Toolkit

Updated

a year ago
Whiteboard: [design-decision-needed][triaged]

Comment 1

a year ago
This has been added to the agenda for the May 30 WebExtensions Triage meeting at 10:30am PT.

Call in info: https://wiki.mozilla.org/Add-ons/Contribute/Triage#Details_.26_How_to_Join
Agenda: https://docs.google.com/document/d/1hKKRpGFIaAaI3G_HfPX2Nk8pCchyhUIKJB9y5sIrVV4/edit
Flags: needinfo?(mixedpuppy)
none11given: You're asking for a feature without any use case.  Why do you need this?
Flags: needinfo?(none11given)
(Reporter)

Comment 3

a year ago
The use case is the same as for why an onBeforeSendHeaders hook lets me set the referrer. I'm the one making the request and I ought to be able to configure it how I want.

If you want a specific one for me, I use it in my personal "single click image download" extension in order to download from websites that check your referrer as an anti-leech measure.
Flags: needinfo?(none11given)
Shane, circling back to you about this -- from the meeting notes, it looks like this was approved, P5. Does that still sound right?

Updated

10 months ago
Severity: normal → enhancement
Priority: -- → P5

Updated

10 months ago
Duplicate of this bug: 1403785
Flags: needinfo?(mixedpuppy)
Whiteboard: [design-decision-needed][triaged] → [design-decision-approved][triaged]
Duplicate of this bug: 1418636

Comment 7

3 months ago
This is not a small problem. At least on this extension ( https://github.com/harytfw/GlitterDrag ), downloads.download()'s lack of referer settings causes big problems.
I think at least the referer should be set to the same as the current page URL in downloads.download() rather than a blank value.

Comment 8

3 months ago
I think the referer must be set, because the referer is as important as cookies for recognizing the user on many websites.

Updated

27 days ago
Product: Toolkit → WebExtensions