Closed Bug 1638323 Opened 2 years ago Closed 1 year ago

Downloads for CORP-protected resources fail

Categories

(Core :: DOM: Networking, defect)

Product:
Core
Component:
DOM: Networking
Version:
78 Branch
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: bz, Unassigned)

Details

Attachments

(1 file)

dl_failed.png
8.95 KB, image/png
Details
Attached image dl_failed.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

With reference to bug 1459573

  1. Clone https://github.com/lol768/corp-pdf-testcase and run the test server
  2. Navigate to http://localhost:8080
  3. Open main.pdf by clicking the link
  4. pdf.js will render the PDF
  5. Now attempt to download the PDF by clicking the download icon or using save-as

Actual results:

  1. Download fails, despite the download being initiated from (at least, from the user's perspective!) the same origin as to the one that the resource is served from

Expected results:

  1. Download succeeded

Correction:

Now attempt to download the PDF by clicking the download icon or using save-as

The former works, the latter fails.

Component: Untriaged → DOM: Core & HTML
OS: Unspecified → Linux
Product: Firefox → Core
Hardware: Unspecified → x86_64
Severity: -- → S3

This is linked from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy. Should it be? Do we need to prioritize this?

Flags: needinfo?(ckerschb)

(In reply to Tom Schuster [:evilpie] from comment #3)

This is linked from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy. Should it be? Do we need to prioritize this?

302 to Anne - do we need to prioritize a fix for that?

Flags: needinfo?(ckerschb) → needinfo?(annevk)

Yeah we should fix this as more sites want to deploy this header as part of their Spectre mitigations. I don't really understand why this would fail as downloads are navigations and navigations only check this header as part of COEP and that was not ready yet at that time last year...

Component: DOM: Core & HTML → DOM: Networking
Flags: needinfo?(annevk) → needinfo?(valentin.gosu)

I am having trouble reproducing this bug.
I've followed the instructions in comment 0 and I can download the PDF using the latest nightly or with fx78 (nightly or release) downloaded via mozregression.
I can't figure out what I'm doing wrong. Anne, can you verify if it works for you?

Flags: needinfo?(valentin.gosu) → needinfo?(annevk)

Yeah, I created test.html locally on web-platform-tests with

<p><a href="test.pdf">same-origin</a>
<p><a href="http://www1.web-platform.test:8000/test.pdf">same-site</a>
<p><a href="http://not-web-platform.test:8000/test.pdf">cross-site</a>

and test.pdf.headers containing

Cross-Origin-Resource-Policy: same-origin

and cannot reproduce this. I also tried adding Content-Disposition: attachment so it would attempt to download directly and that also worked.

Adam, thoughts?

Flags: needinfo?(annevk) → needinfo?(bz)

I can't repro this in 89.0a1 (2021-03-29) anymore, it downloads just fine.

Not sure why it wouldn't be reproducible using the same version as I originally reported (it was failing for some reason at least, per the screenshot!), but I can think we can resolve this one and remove the reference to the bug from the docs.

Flags: needinfo?(bz)

Resolving per comment 8

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.