Open Bug 1547345 Opened 5 years ago Updated 2 years ago

Firefox: Automatic Downloads of Certain Files without Visible Prompt

Categories

(Firefox :: File Handling, defect, P3)

66 Branch
defect

People

(Reporter: elliottabarnes, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

Observed in Firefox 66.0.3 running on Windows 7 x64 in Private Browsing with all default settings on a fresh installation:

  1. Navigate to the following URL:

https://www.manualslib.com/download/357685/Cisco-2612.html

  2. Fill out the captcha presented to you, and click the "Download Manual" button

  3. Rather than right-clicking as suggested, choose the "Download Manual" link - visibly, nothing will be presented on screen

  4. Finally, check the default Firefox Downloads directory - you'll see a file named "2612.pdf", which is the manual from the above web page

You'll note that at no point when clicking the manual was either a prompt displayed asking if the user would like to download the file, or the default PDF.JS viewer opened

Actual results:

No prompt was displayed to the user as to whether they would like to download the manual. This is a security risk.

Expected results:

One of two options - either the standard file download dialog should have been displayed, or the file opened in the built-in PDF.JS viewer.

(In reply to elliottabarnes from comment #0)

> One of two options - either the standard file download dialog should have been displayed, or the file opened in the built-in PDF.JS viewer.

Not the second. Web sites already have a way to trigger that (send a proper PDF content-type) which is what the second link does. This link is explicitly forcing a download through an unknown content-type ("binary/octet-stream") although there are better ways for that (content-disposition header, download attribute in HTML). The download-only part isn't a problem, but the lack of asking is. This behavior goes back to before ESR-60 apparently.

I suspect it was an intentional "streamlining" ("I just clicked on a download link! Why does the browser have to ask again?!") but that fails to consider intentional abuse. At the very least swamping someone's disk or worse these days running up huge mobile data bills.

Status: UNCONFIRMED → NEW
Ever confirmed: true

(In reply to Daniel Veditz [:dveditz] from comment #1)

> At the very least swamping someone's disk or worse these days running up huge mobile data bills.

There isn't a universal solution to these issues, especially for the second one, since regular network requests can easily happen in the background without saving any data on the local computer. For the first one, we have bug 1306334 to implement protection against sites starting to download many files at once. We still want sites to be able to start one download in response to an explicit user action, or even from script, as it's very common for download landing pages to do that.

Usually on new profiles we still ask the user what to do with the file, but in the end the plan is to allow sites to download all safe file types without asking. I think PDF may be a special case here and already have the new behavior, since it's a safe file type and we have an internally configured viewer.

Sounds like a conscious decision about trade-offs so probably better to discuss as a design/safety issue than as a hidden "vulnerability" where fewer people can have input.

Group: firefox-core-security
See Also: → 1306334

Hi @elliottabarnes, I've tested the issue on Windows 10 on the latest Nightly 69.0a1 and Release 67.0.1 versions. No prompt will be displayed by pressing the "Download Manual" link - that is because of the automatic file download option.
I will set a component for this issue and further let someone from the dev team give us a hand with this kind of trigger pop-up.
Additionally, if I go and enable the option "Always ask" => Menu -> Options -> General -> Files and Applications -> Applications -> in the table at the option "Portable Document Format (PDF)" change the Action to "Always ask" => as a result a pop-up will be triggered with options for opening or downloading the file.
Thanks.

Component: Untriaged → File Handling
Priority: -- → P3

This can be weaponized using iframes.

The 001.html page linked from https://hixie.ch/tests/evil/html/iframe/ embeds 1000 iframes like

<iframe src="data:application/octet-stream,TEST000"></iframe>
<iframe src="data:application/octet-stream,TEST001"></iframe>
<iframe src="data:application/octet-stream,TEST002"></iframe>
...

This causes the hard disk to be flooded without any user prompt, and it locks the FF UI in the meantime.
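Added example, not part of the bug thread: a small Python check covering both points raised above. classify_download mirrors the header-based handling dveditz describes (a proper PDF Content-Type goes to the viewer, Content-Disposition: attachment is the explicit way to force a download, an unknown type such as binary/octet-stream is the case this bug is about), and count_forced_download_iframes flags the octet-stream data: iframe flood pattern from the hixie.ch test page. The function names and the sample HTML are constructed for this example.

```python
import re
from html.parser import HTMLParser


def classify_download(headers: dict) -> str:
    """Classify how a response would be handled, per the thread's description.

    Header names are matched case-insensitively; parameters after ';' are ignored.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    disp = lowered.get("content-disposition", "").split(";")[0].strip().lower()
    if disp == "attachment":
        return "forced-download"          # explicit, the proper way to force a download
    if ctype in ("application/octet-stream", "binary/octet-stream", ""):
        return "unknown-type-download"    # the silent-download case reported in this bug
    if ctype == "application/pdf":
        return "inline-viewer"            # handed to the built-in PDF.JS viewer
    return "inline-or-handler"


class _IframeSrcCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


# data: URL whose MIME type is an octet-stream, i.e. a download with no prompt.
OCTET_DATA_URL = re.compile(r"^\s*data:(?:application|binary)/octet-stream[,;]", re.I)


def count_forced_download_iframes(html: str) -> int:
    """Number of iframes whose src is an octet-stream data: URL (the flood pattern)."""
    parser = _IframeSrcCollector()
    parser.feed(html)
    return sum(1 for src in parser.srcs if OCTET_DATA_URL.match(src))


# Constructed sample page in the shape of the test described above: 25 flooding
# iframes plus one ordinary iframe that must not be counted.
SAMPLE_HTML = "".join(
    f'<iframe src="data:application/octet-stream,TEST{i:03d}"></iframe>' for i in range(25)
) + '<iframe src="https://example.test/page"></iframe>'
```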

Severity: normal → S3