Open Bug 1374027 Opened 2 years ago Updated 9 months ago

Allow user control for kMDItemWhereFroms xattr metadata writing on downloads in macOS

Categories

(Firefox :: File Handling, enhancement, P3)

All
macOS
enhancement

Tracking

()

People

(Reporter: bugzillaaccount, Unassigned)

References

Details

(Whiteboard: [tor])

I was wondering whether it would be possible to add a pref to control the writing of kMDItemWhereFroms xattrs on macOS? e.g. browser.download.mac.writekMDItemWhereFroms.enabled with a default of true, which controls the functionality added in v51 last year (https://bugzilla.mozilla.org/show_bug.cgi?id=337051) so users who don't want this functionality for privacy or other reasons can easily disable it. 

Safari does not write kMDItemWhereFroms xattrs when in Private Browsing mode. Firefox does, however, so it might be a good idea to consider disabling this functionality in Private Browsing mode as well.

Since TorBrowser is now on FF52ESR, and this would seem even more relevant there, I have made a ticket on trac.torproject.org as well (https://trac.torproject.org/projects/tor/ticket/22642).
OS: Unspecified → Mac OS X
Hardware: Unspecified → All
Whiteboard: [tor]
Target Milestone: Firefox 56 → ---
(In reply to bugzillaaccount from comment #0)
> Safari does not write kMDItemWhereFroms xattrs when in Private Browsing
> mode. Firefox does, however, so it might be a good idea to consider
> disabling this functionality in Private Browsing mode as well.

Not writing download sources in Private Browsing Mode seems like something we might want to do. I'm not familiar enough with the operating system to know if not saving this attribute has any security implication, if this is the case maybe we should just save a predefined address in the attribute instead.

Having an about:config preference seems reasonable too. It can be added together with the above, or in a separate bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Prior to v51 Firefox wrote no xattrs at all, but as far as I remember, the OS still automatically wrote quarantine xattrs. 

If I am wrong, however, and it is a security risk (I'm pretty sure it isn't, but just in case) I would suggest the pref be more granular so there are various modes. 

1) Default for non-private browsing mode which writes full kMDItemWhereFroms xattrs
2) Private Browsing mode default which writes a predefined address (this address shouldn't link the file to Firefox) 
3) An overriding mode which writes no xattrs at all and replicates pre-v51 behavior (so users can still turn it off if they wish)
See Also: → 1432915
You need to log in before you can comment on or make changes to this bug.