Consider deprecating downloads.open()?
Categories
(WebExtensions :: Compatibility, task, P3)
Tracking
(Not tracked)
People
(Reporter: zombie, Unassigned)
References
Details
(Whiteboard: [mv3-future])
We've heard through the grapevine that Chrome is considering deprecating this and aliasing the method call to downloads.show().
As we've seen this api used to trick users, as well as part of several PoC for sec issues, we might wanna do the same.
|
||
Updated•5 years ago
|
|
Reporter | |
Comment 1•4 years ago
|
||
Resetting to retriage and possibly include in MV3.
|
||
Updated•4 years ago
|
|
|
Reporter | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Comment 2•4 years ago
|
||
https://sql.telemetry.mozilla.org/queries/62842/source?p_permission=downloads.open
currently lists 8.8k entries (i.e. add-ons that request the downloads.open permission; multiple versions of the same add-on are included in this result).
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 3•2 years ago
|
||
Here is the (now public) security bug where deprecation of downloads.open was suggested:
https://bugs.chromium.org/p/chromium/issues/detail?id=1029375#c2
The Chrome extensions Tech Lead objected to the deprecation/removal of downloads.open and offered arguments in favor of keeping it: https://bugs.chromium.org/p/chromium/issues/detail?id=1029375#c7
The downloads.open API currently requires user interaction and the downloads.open permission (with a permission warning) in both Firefox and Chrome. This ought to be sufficient to counter abuse.
|
|
||
Updated•2 years ago
|
Description
•