Closed Bug 1535950 Opened 6 years ago Closed 5 years ago

On Linux the download URI is saved to GVFS/GIO metadata even in private browsing

Categories

(Toolkit :: Downloads API, defect, P2)

Product:
Toolkit
Component:
Downloads API
Version:
67 Branch
Platform:
Unspecified
Linux
Type:
defect
Points:
2

Tracking

()

Status:
RESOLVED FIXED
Milestone:
83 Branch
Tracking Flags:
Tracking Status
firefox83 --- verified

People

(Reporter: dennis.lissov, Assigned: msirringhaus)

References

Details

(Keywords: privacy)

Attachments

(1 file)

Bug 1535950 - On Linux the download URI is saved to GVFS/GIO metadata even in private browsing. r=mak
47 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0

Steps to reproduce:

  1. Open Private Browsing window
  2. Visit any download site (for example, https://www.torproject.org/projects/torbrowser.html.en#downloads )
  3. Download some file (for example, tor-browser-linux64-8.0.6_en-US.tar.xz )
  4. Open the directory with the downloaded file in the terminal and issue the following command with the name of the downloaded file
    gio info $filename

Actual results:

$ gio info tor-browser-linux64-8.0.6_en-US.tar.xz
display name: tor-browser-linux64-8.0.6_en-US.tar.xz
[...]
metadata::download-uri: https://dist.torproject.org/torbrowser/8.0.6/tor-browser-linux64-8.0.6_en-US.tar.xz

Expected results:

The GIO metadata for a file downloaded in the private browsing mode shall not contain the URL it was downloaded from. This behavior violates the expectations about the private browsing mode.
For Mac OS the same problem was fixed in bug 1432915.

Ideally the writing for non-private windows should be configurable too, but for private ones this is a definite bug.

OS: Unspecified → Linux
Component: Untriaged → Private Browsing
See Also: → 1590061

Bug 853901 only ported the already existing code from the legacy codebase to the new js-based downloads API, this was instead originally implemented in bug 797349.

I agree that probably we should be skipping it for private browsing, like we do for recent docs.
Patches are welcome, this should be trivial to fix since there is an aIsPrivate argument in DownloadPlatform::DownloadDone.

Keywords: privacy
Priority: -- → P2
Status: UNCONFIRMED → NEW
Points: --- → 2
Ever confirmed: true
Component: Private Browsing → Downloads API
Product: Firefox → Toolkit
See Also: → 797349
Assignee: nobody → msirringhaus
Status: NEW → ASSIGNED
Pushed by mak77@bonardo.net: https://hg.mozilla.org/integration/autoland/rev/5b2d0635405c On Linux the download URI is saved to GVFS/GIO metadata even in private browsing. r=mak

https://hg.mozilla.org/mozilla-central/rev/5b2d0635405c

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox83: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch

I have reproduced this issue using Firefox 67.0a1 (2019.03.17) on Ubuntu 20.04.1 x64.
I can confirm this issue is fixed, I verified using Firefox 83.0b10 on Ubuntu 20.04.1 x64.

status-firefox83: fixedverified
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: