Closed Bug 1637747 Opened 4 years ago Closed 4 years ago

Incorrect `Sec-Fetch-Mode` header for hyperlink download requests

Categories

(Core :: DOM: Security, defect, P3)

78 Branch
defect

Tracking

()

RESOLVED WONTFIX
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- disabled
firefox76 --- disabled
firefox77 --- disabled
firefox78 --- disabled
firefox79 --- disabled
firefox80 --- disabled
firefox81 --- fix-optional

People

(Reporter: jugglinmike, Assigned: ckerschb)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [domsecurity-active])

Steps to reproduce

  1. Create an HTML document with the following markup:

    <a download href="http://example.com">Download</a>
    
  2. Open the document in the browser

  3. Click the link

Expected: the browser sends a request to example.com bearing a Sec-Fetch-Mode
header with the value "no-cors"

Actual: the browser sends a request to example.com bearing a Sec-Fetch-Mode
header with the value "navigate"

This affects both the <a> element and the <area> element.

HTML dictates that following a hyperlink produces a "navigation" request [1],
but it calls for a generic request when downloading a hyperlink [2], and
Fetch specifies that a request's mode is "no-cors" by default [3].

[1] https://html.spec.whatwg.org/#following-hyperlinks-2
[2] https://html.spec.whatwg.org/#downloading-hyperlinks
[3] https://fetch.spec.whatwg.org/#concept-request-mode

Component: Networking → DOM: Security
Flags: needinfo?(ckerschb)
Regressed by: 1508292
Has Regression Range: --- → yes

Set release status flags based on info from the regressing bug 1508292

sec-fetch-* is nightly only, adjusting flags

Thanks for filing the bug. I'll fix that when I get some time.

FWIW, Sec-Fetch-* is Nightly only at the moment and I don't think we are going to ship soonish, so it might take a little time till I get to it.

Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Flags: needinfo?(ckerschb)
Priority: -- → P3
Whiteboard: [domsecurity-active]

Thanks for the quick response, Christoph! The request's mode is also observable from a service worker. I haven't checked if the bug is present in that context, but this may be an issue in a stable release.

I filed https://github.com/whatwg/html/issues/5548. If I try OP btw it doesn't download for me, it navigates there. I suspect that's because you cannot do this for cross-origin resources. I suspect that a more comprehensive set of tests would find oddities here in Chrome as well.

The steps to reproduce are indeed faulty; given this feature's reliance on a same-origin external resource, it's a little hard to reproduce.

You're right about similar oddities in Chromium:

https://bugs.chromium.org/p/chromium/issues/detail?id=1082429

I've updated that report with a link to the new spec bug.

Christoph, is this shipping in 78? Or is it disabled?

Flags: needinfo?(ckerschb)

(In reply to Gian-Carlo Pascutto [:gcp] from comment #7)

Christoph, is this shipping in 78? Or is it disabled?

It's not shipping. The pref dom.security.secFetch.enabled is only enabled in Nightly.

Flags: needinfo?(ckerschb)

The severity field is not set for this bug.
:ckerschb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(ckerschb)
Severity: -- → S4
Flags: needinfo?(ckerschb)

I think this should be fixed in the HTML Standard instead. Resolving accordingly.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.