Downloads for CORP-protected resources fail
Categories
(Core :: DOM: Networking, defect)
Tracking
()
People
(Reporter: bz, Unassigned)
Details
Attachments
(1 file)
8.95 KB,
image/png
|
Details |
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
With reference to bug 1459573
- Clone https://github.com/lol768/corp-pdf-testcase and run the test server
- Navigate to http://localhost:8080
- Open main.pdf by clicking the link
- pdf.js will render the PDF
- Now attempt to download the PDF by clicking the download icon or using save-as
Actual results:
- Download fails, despite the download being initiated from (at least, from the user's perspective!) the same origin as to the one that the resource is served from
Expected results:
- Download succeeded
Reporter | ||
Comment 1•5 years ago
|
||
Reporter | ||
Comment 2•5 years ago
|
||
Correction:
Now attempt to download the PDF by clicking the download icon or using save-as
The former works, the latter fails.
Reporter | ||
Updated•5 years ago
|
Reporter | ||
Updated•5 years ago
|
This is linked from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy. Should it be? Do we need to prioritize this?
Comment 4•4 years ago
|
||
(In reply to Tom Schuster [:evilpie] from comment #3)
This is linked from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy. Should it be? Do we need to prioritize this?
302 to Anne - do we need to prioritize a fix for that?
Comment 5•4 years ago
|
||
Yeah we should fix this as more sites want to deploy this header as part of their Spectre mitigations. I don't really understand why this would fail as downloads are navigations and navigations only check this header as part of COEP and that was not ready yet at that time last year...
Comment 6•4 years ago
|
||
I am having trouble reproducing this bug.
I've followed the instructions in comment 0 and I can download the PDF using the latest nightly or with fx78 (nightly or release) downloaded via mozregression.
I can't figure out what I'm doing wrong. Anne, can you verify if it works for you?
Comment 7•4 years ago
|
||
Yeah, I created test.html
locally on web-platform-tests with
<p><a href="test.pdf">same-origin</a>
<p><a href="http://www1.web-platform.test:8000/test.pdf">same-site</a>
<p><a href="http://not-web-platform.test:8000/test.pdf">cross-site</a>
and test.pdf.headers
containing
Cross-Origin-Resource-Policy: same-origin
and cannot reproduce this. I also tried adding Content-Disposition: attachment
so it would attempt to download directly and that also worked.
Adam, thoughts?
Reporter | ||
Comment 8•4 years ago
|
||
I can't repro this in 89.0a1 (2021-03-29) anymore, it downloads just fine.
Not sure why it wouldn't be reproducible using the same version as I originally reported (it was failing for some reason at least, per the screenshot!), but I can think we can resolve this one and remove the reference to the bug from the docs.
Comment 9•4 years ago
|
||
Resolving per comment 8
Description
•