Closed Bug 1487290 Opened 6 years ago Closed 4 months ago

Opening a file downloaded as application/octet-stream has inconsistent behavior in firefox

Categories

(Firefox :: File Handling, defect, P3)

Product:
Firefox
Component:
File Handling
Version:
61 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: adriano.lols, Unassigned)

References

Details

Attachments

(2 files)

ffdownload-testcase.tar.gz
1.11 KB, application/gzip
Details
Current Firefox behavior
561.87 KB, image/png
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0 Build ID: 20180808222917 Steps to reproduce: When downloading a file from a file server that (perhaps erroneously) reports its MIME type as "application/octet-stream", firefox will have diverging ways of handling such file. If opened in the download "mini" list, firefox will first try to use the system's program association set for octet-stream, and if none are found, fallback to a "unknown (by me) method" that opens with the correct association (ex: if you are trying to open a .rar file, the archive manager is correctly opened, even tough it was sent as an octet-stream!) But if instead, you open the "fulll blown" download list (by clicking "show all downloads" in the "mini" download list for instance), opening the very same .rar file advertised as octet-stream will ALWAYS fallback to the "unknown method" and open with the correct association for rar files, even if you have a program to handle octet-stream! (The linux version of firefox was used, it may very well be a specific issue only in linux.) Expected results: First of all, I can't decide which behavior is the correct one. Opening a file with the "unknown method" regardless of any octet-stream association being set may be better for the user (if you open a .rar for instance, you are greeted with a nice archive manager rather than a text or a hexadecimal editor), but always honoring the octet-stream association is the more technically correct behavior. Ultimately fixing this bug is about fixing the behavior disparity in both interfaces and deciding which behavior is the correct one.
Hi, Can you please attach a minimal test case or exact steps so I can reproduce this issue?
Flags: needinfo?(adriano.lols)
Hello David, I've modified a python simple http server script and built a test case to demonstrate this issue. In the attached archive "ffdownload-testcase.tar.gz" you will find: - pserver.py Execute this inside the www directory with a port (Ex: ../pserver.py 8080), also requires python3 If you take a peek at the script you will see that zip files are sent with mime type "application/zip" and tar.gz files with "application/octet-stream". - www/test.zip - www/test.tar.gz Dummy compressed archives you can use to test Firefox's download functionality. I was having issues with firefox caching downloads after you have downloaded a file once, my workaround revolved around renaming those when necessary (don't know if it's possible to temporarily disable Firefox's download cache) - mimeapps.list Provides a baseline file association for octet-stream files and a bunch of archive formats. You may need ghex and file-roller installed, but you can change the associations to your tastes. If you are testing on a vm or some kind of disposable machine, just copy this to ~/.config or ~/.local/share/applications (this one takes precedence).
Flags: needinfo?(adriano.lols)
I don't have the necessary technical knowledge to determine if this issue is reproducible. I think setting it to File handling component will be a good start.
Component: Untriaged → File Handling
Thanks for the report, this is a well-known issue and there may be other bugs on file for it. At the moment we don't have people working on this area of the code, but I'll keep this report open since it has a testcase that can be useful when addressing the issue.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Severity: normal → S3
See Also: → 1828441

Another instance of this bug, create webcompat issues for Safari.

  1. Go to https://www.oxo.com/compact-cold-brew.html
  2. Click on the instruction Manual aka https://www.oxo.com/amfile/file/download/file/0dIiddoWhrC5HXoHf1PX1nIMPr8vnkBx/product/3685/

Firefox shows the PDF while the site sent:

  • content-type: application/octet-stream
  • x-content-type-options: nosniff

Chrome does the right thing, it downloads the file.

HTTP/1.1 200 
date: Mon, 05 Aug 2024 08:35:17 GMT
content-type: application/octet-stream
content-length: 697740
cf-ray: 8ae573efbc9ff5b3-NRT
cf-cache-status: DYNAMIC
accept-ranges: bytes
cache-control: must-revalidate, post-check=0, pre-check=0
content-disposition: inline; filename=BL_Brew_11237500_Compact_Cold_Brew_Instruction_Booklet_M_H.pdf
expires: Thu, 19 Nov 1981 08:52:00 GMT
last-modified: Mon, 05 Aug 2024 08:35:17 GMT
strict-transport-security: max-age=31557600
pragma: public
traceresponse: 00-17e8c824a6e81a98df81507b503c2483-f5be1be616f2d20f-01
x-cache: MISS, MISS
x-cache-hits: 0, 0
x-content-type-options: nosniff
x-debug-info: eyJyZXRyaWVzIjowfQ==
x-frame-options: SAMEORIGIN
x-platform-server: i-0c294fe8fe2b2ea99, i-0c294fe8fe2b2ea99
x-served-by: cache-iad-kiad7000084-IAD, cache-nrt-rjtf7700032-NRT
x-xss-protection: 1; mode=block
vary: Accept-Encoding
content-security-policy: base-uri 'self' 'unsafe-inline' 'unsafe-eval'; child-src assets.braintreegateway.com c.paypal.com *.paypal.com http: https: blob: 'self' 'unsafe-inline'; connect-src analytics.tiktok.com *.stripe.network www.recaptcha.net *.addressy.com *.klaviyo.com *.datadome.co *.yottaa.net insights.algolia.io us-central1-adaptive-growth.cloudfunctions.net sink.pdst.fm oxo.x57o.net adservice.google.com www.google.com cdn.kustomerapp.com links.services.disqus.com analytics.google.com content.hotjar.io *.sdiapi.com dpm.demdex.net *.omtrdc.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.google-analytics.com *.adobe.io performance.typekit.net commerce.adobedtm.com commerce.adobedc.net api.magento.com www.sandbox.paypal.com www.paypalobjects.com www.paypal.com pilot-payflowlink.paypal.com commerce.adobe.io commerce.adobe.net qa-api.magedevteam.com *.algolia.net *.algolia.com *.algolianet.com *.yotpo.com ekr.zdassets.com/ *.iterable.com *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.braintree-api.com *.paypal.com gov-bam.nr-data.net bam.nr-data.net stats.g.doubleclick.net *.oxo.com helenoftroy.tt.omtrdc.net hydroflask-sandbox.api.kustomerapp.com oxo-sandbox.api.kustomerapp.com hydroflask.api.kustomerapp.com oxo.api.kustomerapp.com services.postcodeanywhere.co.uk *.parcellab.com *.rapidspike.com *.brilliantcollector.com cloud.vimeo.com vimeo.com *.clarity.ms bat.bing.com *.kaltura.com *.spectrumcustomizer.com *.acq.io ssl.geoplugin.net *.yimg.com *.hotjar.com vc.hotjar.io *.pndsn.com m.addthis.com ct.pinterest.com pinterest.com ak.sail-horizon.com www.facebook.com public.fbot.me api.sail-personalize.com wss://*.hotjar.com 'self' 'unsafe-inline' www.googleadservices.com googletagmanager.com *.googletagmanager.com *.analytics.google.com *.g.doubleclick.net *.google.com *.google-analytics.com *.trustarc.com; font-src *.sdiapi.com *.klaviyo.com *.typekit.net *.yotpo.com *.googleapis.com *.gstatic.com *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.hydroflask.com *.oxo.com cdn.kustomerapp.com *.trustarc.com *.lightboxcdn.com *.spectrumcustomizer.com data: 'self' 'unsafe-inline' fonts.gstatic.com; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net pilot-payflowlink.paypal.com www.paypal.com www.sandbox.paypal.com *.yotpo.com *.iterable.com *.cardinalcommerce.com *.paypal.com *.oxo.com *.brilliantcollector.com *.facebook.com 'self' 'unsafe-inline'; frame-ancestors *.stripe.com stripe.com *.kmail-lists.com 'self'; manifest-src 'self' 'unsafe-inline'; media-src *.akamaized.net *.kaltura.com cfvod.kaltura.com *.adobe.com *.oxo.com *.vimeocdn.com player.vimeo.com vod-progressive.akamaized.net blob: data: cdnapisec.kaltura.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; style-src cdn.jsdelivr.net *.typekit.net *.klaviyo.com *.adobe.com *.yotpo.com *.googleapis.com mageside.com *.mageside.com *.oxo.com *.pcapredict.com services.postcodeanywhere.co.uk *.lightboxcdn.com *.parcellab.com disqus.com c.disquscdn.com disquscdn.com z.moatads.com moatads.com addthisedge.com v1.addthisedge.com m.addthis.com v1.addthis.com addthis.com loggly.com logs-01.loggly.com ct.pinterest.com pinterest.com s.pinimg.com pinimg.com 'self' 'unsafe-inline' googletagmanager.com *.googletagmanager.com tagmanager.google.com fonts.googleapis.com; worker-src 'self' 'unsafe-inline' 'unsafe-eval' oxo.com/p/1/2 blob:; upgrade-insecure-requests; report-uri https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?m=UBjwZguJ3UxVYiVTglzFuC22SfT4u9d9ztxrObkqrf8-1722846917-1.0.1.1-yi7pD9_8CooONlutZKww.SoQcYsIJkrfq9BgUHymBI9q93R9f1BHkUqGMJpUbjp1_Kgc5E_eHhcb9SAxLO_CL.Y5Cft1h8h8IiDvyqA.torpgas3B275.n881MFoYiCY26zMkJuCxRG61eGaaPmIN1uFOg44VybvBTXB71oqaiiMC6RB4J.OdGX51mTsAFdLe27y0yYfOn2oVavttHEv.A; report-to cf-zewbegpfalihrhcq, frame-src services.sheerid.com *.stripe.network www.recaptcha.net *.sdiapi.com *.kmail-lists.com fast.amc.demdex.net *.adobe.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.sandbox.paypal.com player.vimeo.com *.youtube.com https://www.google.com/recaptcha/ www.googletagmanager.com *.yotpo.com *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com assets.braintreegateway.com pay.google.com *.cardinalcommerce.com *.paypal.com doubleclick.net *.doubleclick.net vice01.hydroflask.com hydroflask.attn.tv *.oxo.com *.lightboxcdn.com *.hydroflask.com *.brilliantcollector.com *.demdex.net *.kustomer.support *.kustomer.help *.trustarc.com *.locally.com *.facebook.com *.fbot.me addthisedge.com s7.addthis.com addthis.com disqus.com ct.pinterest.com pinterest.com insight.adsrvr.org match.adsrvr.org helenoftroy.custhelp.com s.amazon-adsystem.com ak.sail-horizon.com helenoftroy.demdex.net promotions.spredfast.com 'self' 'unsafe-inline' *.googletagmanager.com bid.g.doubleclick.net td.doubleclick.net *.fls.doubleclick.net; img-src services.sheerid.com www.ojrq.net *.klaviyo.com *.cloudfront.net match.adsrvr.org insight.adsrvr.org googleads.g.doubleclick.net *.google.co.in google.co.in ce.lijit.com links.services.disqus.com cdn.viglink.com analytics.google.com www.google.com *.baidu.com *.omtrdc.net dpm.demdex.net cm.everesttech.net *.adobe.com widgets.magentocommerce.com data: www.googleadservices.com www.google-analytics.com *.typekit.net www.paypalobjects.com *.ftcdn.net *.behance.net fpdbs.sandbox.paypal.com *.vimeocdn.com i.ytimg.com validator.swagger.io *.yotpo.com https://img.youtube.com www.sandbox.paypal.com b.stats.paypal.com dub.stats.paypal.com assets.braintreegateway.com *.paypal.com mageside.com *.mageside.com *.hydroflask.com hydroflask.attn.tv *.oxo.com *.lightboxcdn.com na-stage.hele.digital *.parcellab.com *.trustarc.com cfvod.kaltura.com *.bing.com *.clarity.ms *.hele.digital via.placeholder.com *.locally.com *.spectrumcustomizer.com stospectstageglobal.blob.core.windows.net blob: cdn.kustomerapp.com *.acq.io *.yimg.com loggly.com logs-01.loggly.com referrer.disqus.com c.disquscdn.com ct.pinterest.com pinterest.com sp.analytics.yahoo.com *.facebook.com scontent-iad3-2.cdninstagram.com stospectprodglobal.blob.core.windows.net 'self' 'unsafe-inline' google.com *.google.com www.gstatic.com ssl.gstatic.com googletagmanager.com *.googletagmanager.com fonts.googleapis.com *.google-analytics.com *.analytics.google.com *.g.doubleclick.net *.fls.doubleclick.net ad.doubleclick.net ade.googlesyndication.com; script-src cdnjs.cloudflare.com analytics.tiktok.com *.stripe.network www.recaptcha.net ajax.cloudflare.com static.cloudflareinsights.com c.amazon-adsystem.com *.klaviyo.com *.yottaa.net *.yottaa.com cdn.pdst.fm c.disquscdn.com cdn.kustomerapp.com unpkg.com *.sdiapi.com f.vimeocdn.com *.adobedtm.com *.adobe.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com secure.authorize.net test.authorize.net www.google-analytics.com assets.adobedtm.com amcglobal.sc.omtrdc.net *.magento-ds.com *.typekit.net www.paypalobjects.com js.braintreegateway.com commerce.adobedtm.com commerce.adobe.net www.sandbox.paypal.com magento-recs-sdk.adobe.net s.ytimg.com www.googleapis.com vimeo.com www.vimeo.com *.vimeocdn.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.yotpo.com s7.addthis.com *.iterable.com *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com assets.braintreegateway.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com js-agent.newrelic.com bam.nr-data.net bam-cell.nr-data.net mageside.com *.mageside.com doubleclick.net *.hydroflask.com *.oxo.com *.pcapredict.com *.lightboxcdn.com hydroflask.locally.com lightboxapi.azurewebsites.net *.fbot.me services.postcodeanywhere.co.uk *.parcellab.com *.trustarc.com cdn-assets.rapidspike.com cdnapisec.kaltura.com *.brilliantcollector.com cdn.jsdelivr.net js.stripe.com connect.facebook.net bat.bing.com *.clarity.ms *.spectrumcustomizer.com js.acq.io ssl.geoplugin.net *.yimg.com ajax.googleapis.com cdn.pushplanet.com *.cloudfront.net moatads.com z.moatads.com addthisedge.com v1.addthisedge.com m.addthis.com v1.addthis.com addthis.com loggly.com logs-01.loggly.com hot.disqus.com hydroflask.disqus.com oxo.disqus.com stage-hydroflask.disqus.com stage-oxo.disqus.com preprod-hydroflask.disqus.com preprod-oxo.disqus.com prod-hydroflask.disqus.com prod-oxo.disqus.com ct.pinterest.com pinterest.com s.pinimg.com pinimg.com *.impactradius-event.com js.adsrvr.org insight.adsrvr.org ak.sail-horizon.com player.vimeo.com 'self' 'unsafe-inline' 'unsafe-eval' googletagmanager.com *.googletagmanager.com tagmanager.google.com www.googleadservices.com www.google.com googleads.g.doubleclick.net; worker-src 'self' 'unsafe-inline' 'unsafe-eval' oxo.com/p/2/2 blob:; report-uri https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?m=5wD8vQzjY9JQhq8Gvc42jJzAN1B3ANaIRFPi9nVDT9k-1722846917-1.0.1.1-YF25UPc8Z4IvDjK5Cdorz8EDuIieqvbhp6IGDGSpHYJyi7xTuujDnbQJsdWDq3VCiKVTkhRViZMaYGVTX29uPu23UzZ5421al2D.DZIy0gYyyUHtJdr0QkTeJ4Bm5UfRwI4BQ8lEMRN138Bgdu4dMWm1b1Zyb_zt9.LH4v9BP2moOATtjMN_aoHAzSF3ykVIjxrekdy.1HDrMqOYg9AgPA; report-to cf-zytknusekbcpzwqc
report-to: {"endpoints":[{"url":"https:\/\/csp-reporting.cloudflare.com\/cdn-cgi\/script_monitor\/report?m=vB0.t2rqdXbvFlom3Vk4J4dH51mgukxm79jc9_WDfdo-1722846917-1.0.1.1-VzVs1AwmgIt0ut28Er2rAHQrtBJltGyUWQGygaKMFf8jk53nTuzXUGrCUinZdwtMmaRblQ1NQSi3OSnPGmBP37AlHe2PYlA0BekUH3..ZOa6XnAtaMFQzlbbOTTw5EgDswZgPiNezH8owEDMn6yhW7oJTRdpwYFcc426esIqaJT1ZUcg5B1X2u67k05B0g2mc_8nuWY2ShOLs9dORn.qrg"}],"group":"cf-zvdwqobheuffixgr","max_age":86400}, {"endpoints":[{"url":"https:\/\/csp-reporting.cloudflare.com\/cdn-cgi\/script_monitor\/report?m=jKJGU1yYtKhg0PtepapvObaTMRtOgVMqYHGSX39ct8I-1722846917-1.0.1.1-SQz7t1rzLbHbXWSmxtefMvVMDJC6B8CJuXyud9X3V1iHY1sOkSY6IS0toCYCHmUd2eavjCLorGizvYLZoUUzhlV4JJVgOVWDhhyJhF14LIPpYFowo7QkvgHWsMOaipduB.O7AYGGRcHxACgpqkNho4xgBzBS2QISZWSM6fsjUzrd0uNBSmDXHGjVrg34FUPFhRPtp4WyIzDeFOPqt1Nh2g"}],"group":"cf-llimiyprnobuyity","max_age":86400}, {"endpoints":[{"url":"https:\/\/csp-reporting.cloudflare.com\/cdn-cgi\/script_monitor\/report?m=UBjwZguJ3UxVYiVTglzFuC22SfT4u9d9ztxrObkqrf8-1722846917-1.0.1.1-yi7pD9_8CooONlutZKww.SoQcYsIJkrfq9BgUHymBI9q93R9f1BHkUqGMJpUbjp1_Kgc5E_eHhcb9SAxLO_CL.Y5Cft1h8h8IiDvyqA.torpgas3B275.n881MFoYiCY26zMkJuCxRG61eGaaPmIN1uFOg44VybvBTXB71oqaiiMC6RB4J.OdGX51mTsAFdLe27y0yYfOn2oVavttHEv.A"}],"group":"cf-zewbegpfalihrhcq","max_age":86400}, {"endpoints":[{"url":"https:\/\/csp-reporting.cloudflare.com\/cdn-cgi\/script_monitor\/report?m=5wD8vQzjY9JQhq8Gvc42jJzAN1B3ANaIRFPi9nVDT9k-1722846917-1.0.1.1-YF25UPc8Z4IvDjK5Cdorz8EDuIieqvbhp6IGDGSpHYJyi7xTuujDnbQJsdWDq3VCiKVTkhRViZMaYGVTX29uPu23UzZ5421al2D.DZIy0gYyyUHtJdr0QkTeJ4Bm5UfRwI4BQ8lEMRN138Bgdu4dMWm1b1Zyb_zt9.LH4v9BP2moOATtjMN_aoHAzSF3ykVIjxrekdy.1HDrMqOYg9AgPA"}],"group":"cf-zytknusekbcpzwqc","max_age":86400}
server: cloudflare
alt-svc: h3=":443"; ma=86400
X-Firefox-Spdy: h2
Flags: needinfo?(dschubert)

I just re-tested Karl's report, and Firefox seems to behave correctly now. I will note, however, that especially for PDFs, this can be confusing. The default behavior for Firefox in regards to PDF downloads is not to "ask" like I'm screenshotting - it's to open the file inside Firefox with its built-in PDF viewer. However, this can be changed in the settings under General -> Applications.

We disabled sniffing for navigations to application/octet-stream in bug 1828441, so everything works as intended now. I'll close this as fixed by bug 1828441.

Flags: needinfo?(dschubert)
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: