Closed Bug 1614969 Opened 5 years ago Closed 4 years ago

Consider blocking mixed content downloads

Categories

(Core :: DOM: Security, enhancement, P3)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox80 --- fixed

People

(Reporter: ckerschb, Assigned: sstreich)

References

(Depends on 1 open bug, Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file)

Bug 1614969 - Check download with MixedContentBlocker r=ckerschb
47 bytes, text/x-phabricator-request
Details | Review

I think we should start warning about mixed content downloads and eventually start blocking mixed insecure downloads.

See Also: → 1303739

I proposed this 4 years ago.
Chrome is now implementing this in version 82.
https://www.theverge.com/2020/2/10/21132099/google-chrome-users-block-insecure-downloads-https-android-ios

Assignee: nobody → sstreich
Blocks: 1646768
Pushed by abutkovits@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3685f83e0dc0 Check download with MixedContentBlocker r=ckerschb

Can we have a preference to allow this? I thought Mozilla was supposed to be about empowering the user!

Hi! :) - My current patch adds a preference for that, for you to toggle.
Its dom.block_download_insecure and it's off by default for everyone except on nightly.

Sorry I missed that great idea to block by default though.

Pushed by rmaries@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a10fc7b299ff Check download with MixedContentBlocker r=ckerschb

Fixed the bustage, sorry about that.

Flags: needinfo?(sstreich)
Pushed by abutkovits@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2df0c2a2f866 Check download with MixedContentBlocker r=ckerschb

Sorry,
Fixed the assertion, got a green try push now - https://treeherder.mozilla.org/#/jobs?repo=try&revision=0b0586d584c4527f46f23e49ef2aff28b12d80b5

Flags: needinfo?(sstreich)
Pushed by btara@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2b1b3a41c110 Check download with MixedContentBlocker r=ckerschb

https://hg.mozilla.org/mozilla-central/rev/2b1b3a41c110

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox80: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Regressions: 1654139

Sebastian, could you please tell me how the latest Nightly 80.0a1 should behave if the mixed content download is made via drag and drop?

For instance, if I try to download a file from https://www.thinkbroadband.com/download by clicking on it, then the download is blocked (as the Opening dialog is never displayed). But if I drag the same file over the Downloads icon in the Navigation bar, then the download is completed. Is this expected?

Thanks!

Flags: needinfo?(sstreich)

Hey ! - :)
From my "user-perspective" i would argue that this is a bug. We should with our block rules be consistent.
From the tec side it's kind of expected as dropping a link onto the download button creates a new channel without the context of the original page.

Not connected - Just a note to the bug itself.
Mixed Content Download Blocking weill be staying as nightly only - until we have a better ux to communicate the blocking

Blocks: improve-download-security
Flags: needinfo?(sstreich)
Regressions: 1654780
Regressions: 1654783
Regressions: 1654878
Regressions: 1656462
Depends on: 1654780
No longer regressions: 1654780
Depends on: 1657179
Regressions: 1657179
No longer depends on: 1657179
Regressions: 1657809
Regressions: 1658014

Can we consider backing this out? The user has no idea why the download fails. I don't see how to current implementation is acceptable for Nightly users.

Flags: needinfo?(sstreich)
Flags: needinfo?(ckerschb)

I'm just a user so it's not my call but would it make more sense to keep this but with dom.block_download_insecure defaulting to false (to be flipped to true at a future date)? The feature works, the problem is there's no UX so if you didn't explicitly enable it yourself you have no idea why downloads aren't working.

Please note that the mixed content blocking of downloads is currently enabled in Nightly only. I personally would prefer not to back this patch out, but I agree that we have to improve the user experience before this is ready for release.

Basti is currently working on improving the experience for end users when Firefox blocks insecure downloads.

@Basti, can you link to the right bugs here as well please?

Flags: needinfo?(ckerschb)

(In reply to Christoph Kerschbaumer [:ckerschb, back on Aug 24th] from comment #20)

Please note that the mixed content blocking of downloads is currently enabled in Nightly only. I personally would prefer not to back this patch out, but I agree that we have to improve the user experience before this is ready for release.

Basti is currently working on improving the experience for end users when Firefox blocks insecure downloads.

@Basti, can you link to the right bugs here as well please?

FYI, a webcompat/archlinux bug couple caused by the lacking UX around this change: https://bugs.archlinux.org/task/67587 / https://github.com/webcompat/web-bugs/issues/56727 . Hope the UX improves soon, the silent blocking is very confusing.

I am going to remove the needinfo request. Bug 1656296 should solve this!

Flags: needinfo?(sstreich)
Regressions: 1668412
No longer regressions: 1668412
Regressions: 1721146
Regressions: 1722286
Depends on: 1754920
Depends on: 1799687
Depends on: 1800453
See Also: 1303739
See Also: → 1877195
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: