Incorrect `Sec-Fetch-Mode` header for hyperlink download requests
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr68 | --- | unaffected |
firefox-esr78 | --- | disabled |
firefox76 | --- | disabled |
firefox77 | --- | disabled |
firefox78 | --- | disabled |
firefox79 | --- | disabled |
firefox80 | --- | disabled |
firefox81 | --- | fix-optional |
People
(Reporter: jugglinmike, Assigned: ckerschb)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [domsecurity-active])
Steps to reproduce
-
Create an HTML document with the following markup:
<a download href="http://example.com">Download</a>
-
Open the document in the browser
-
Click the link
Expected: the browser sends a request to example.com bearing a Sec-Fetch-Mode
header with the value "no-cors"
Actual: the browser sends a request to example.com bearing a Sec-Fetch-Mode
header with the value "navigate"
This affects both the <a>
element and the <area>
element.
HTML dictates that following a hyperlink produces a "navigation" request [1],
but it calls for a generic request when downloading a hyperlink [2], and
Fetch specifies that a request's mode is "no-cors" by default [3].
[1] https://html.spec.whatwg.org/#following-hyperlinks-2
[2] https://html.spec.whatwg.org/#downloading-hyperlinks
[3] https://fetch.spec.whatwg.org/#concept-request-mode
Updated•4 years ago
|
Comment 1•4 years ago
|
||
Set release status flags based on info from the regressing bug 1508292
Updated•4 years ago
|
Comment 2•4 years ago
|
||
sec-fetch-* is nightly only, adjusting flags
Assignee | ||
Comment 3•4 years ago
|
||
Thanks for filing the bug. I'll fix that when I get some time.
FWIW, Sec-Fetch-* is Nightly only at the moment and I don't think we are going to ship soonish, so it might take a little time till I get to it.
Reporter | ||
Comment 4•4 years ago
|
||
Thanks for the quick response, Christoph! The request's mode is also observable from a service worker. I haven't checked if the bug is present in that context, but this may be an issue in a stable release.
Comment 5•4 years ago
|
||
I filed https://github.com/whatwg/html/issues/5548. If I try OP btw it doesn't download for me, it navigates there. I suspect that's because you cannot do this for cross-origin resources. I suspect that a more comprehensive set of tests would find oddities here in Chrome as well.
Updated•4 years ago
|
Reporter | ||
Comment 6•4 years ago
|
||
The steps to reproduce are indeed faulty; given this feature's reliance on a same-origin external resource, it's a little hard to reproduce.
You're right about similar oddities in Chromium:
https://bugs.chromium.org/p/chromium/issues/detail?id=1082429
I've updated that report with a link to the new spec bug.
Comment 7•4 years ago
|
||
Christoph, is this shipping in 78? Or is it disabled?
Assignee | ||
Comment 8•4 years ago
|
||
(In reply to Gian-Carlo Pascutto [:gcp] from comment #7)
Christoph, is this shipping in 78? Or is it disabled?
It's not shipping. The pref dom.security.secFetch.enabled is only enabled in Nightly.
Comment 9•4 years ago
|
||
The severity field is not set for this bug.
:ckerschb, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee | ||
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Comment 10•4 years ago
|
||
I think this should be fixed in the HTML Standard instead. Resolving accordingly.
Description
•