Closed Bug 1660952 Opened 6 months ago Closed 2 months ago

Using Firefox 82, trying to download a file over http (and not https) fails with the error "This file could not be downloaded securely"

Categories

(Core :: DOM: Security, defect, P1)

Firefox 82
defect

Tracking

()

RESOLVED DUPLICATE of bug 1660969

People

(Reporter: bytehead, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0

Steps to reproduce:

I click on a link Facebook to download a file. In this case:

http://bryanlprice.com/FloridaVotingRights.pdf

Actual results:

The file does not download. If I check my Downloads, it shows an error:

"This file could not be downloaded securely"

Expected results:

I expect the file to be downloaded. Or, at least presented with some way of downloading the file insecurely. Just blocking the download seems a sure way to make people give up on Firefox.

Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core
Duplicate of this bug: 1660957

I assume this is related to bug 1656296. Having said that, download in bug 1660957 seems to work fine on macOS (20200824215021), so it might be Windows only?

The link in comment 0 here gives me a blank page, and another error in console

NS_ERROR_FAILURE: Can't use PDF.js

try with HTTPS-Only Mode enforce off (In reply to Francesco Lodolo [:flod] from comment #3)

I assume this is related to bug 1656296. Having said that, download in bug 1660957 seems to work fine on macOS (20200824215021), so it might be Windows only?

The link in comment 0 here gives me a blank page, and another error in console

NS_ERROR_FAILURE: Can't use PDF.js

try it with HTTPS-Only Mode enforce off

(In reply to westsonoma from comment #4)

try it with HTTPS-Only Mode enforce off

It's already disabled.

Blocks: 1656296

Blocking HTTP downloads is a Nightly only feature and controlled by the dom.block_download_insecure preference. I think this intentional behavior, but maybe there is should be an option to explictly retry insecure downloads. Otherwise this is probably a WONTFIX.

Basti, I think Bug 1660969 will add an unblock button, right? Once landed can you revisit this bug?

Flags: needinfo?(sstreich)

(In reply to Tom Schuster [:evilpie] from comment #6)

Blocking HTTP downloads is a Nightly only feature and controlled by the dom.block_download_insecure preference. I think this intentional behavior, but maybe there is should be an option to explictly retry insecure downloads. Otherwise this is probably a WONTFIX.

I changed that preference, and it's now downloading as expected.

This seems like the same as bug 1654139.

Let's have this one block the meta bug 1654777 as well. And yes, that is very similar to bug 1654139, but I guess Bug 1660969 will fix that - or at least adds a button to overrule the decision and unblock the download (if really desired).

Severity: -- → S2
Priority: -- → P1
Whiteboard: [domsecurity-backlog1]

Can't reproduce in nightly, seems fixing https://bugzilla.mozilla.org/show_bug.cgi?id=1647829 also fixed this one ?

Still broke on win 7 nightly 83.0a1 (2020-10-04)
try it with HTTPS-Only Mode enforce off

I did that already with the link in comment 0, working as expected. PDF loads and then click on save Page as, save it as PDF and the download occurs.

PDF works, I didn't try it before. But the download does not:

http://www.disksavvy.com/setups_x64/disksavvy_setup_v13.0.18_x64.exe

Also experiencing this issue here: https://wiki.archlinux.org/index.php/Intel_GVT-g#Using_DMA-BUF_with_UEFI/OVMF
Click on the "extract the OpROM" and the file cannot be downloaded. You have to open the link in new tab, then it can be downloaded.

Krita Appimage file also fails to download securly
https://download.kde.org/stable/krita/4.4.0/krita-4.4.0-x86_64.appimage

It looks like this is being triggered for google search links (secure) redirect to insecure addresses.

Search for a document located on a site where a secure connection is not available with Google as the search engine.
Locate a link to the "PDF" version of the document. Click the link to initiate the download directly from search.
When you click on the download status you will see the "This document could not be downloaded securely" message.

Specific Example-

The google result for an HP manual uses the link:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjDiOHghMXsAhUkoXIEHXr6AQ4QFjAAegQIAhAC&url=http%3A%2F%2Fh10032.www1.hp.com%2Fctg%2FManual%2Fc03975296&usg=AOvVaw1COSg4chA5ao1ebUAENYy7

http://h10032.www1.hp.com/ctg/Manual/c05402785 is the intended target.

IF you go to the target by directly "entering" the target URL The download works. Using the google result (reproduced above) causes the message to appear.

Workaround: From the This document could not be downloaded securely" message, right click and select "Copy Download Link".
Paste the result in to the address bar. The download will succeed when going directly to the insecure page.

Duplicate of this bug: 1674804

(In reply to Jim Coleman from comment #17)

It looks like this is being triggered for google search links (secure) redirect to insecure addresses.

Search for a document located on a site where a secure connection is not available with Google as the search engine.
Locate a link to the "PDF" version of the document. Click the link to initiate the download directly from search.
When you click on the download status you will see the "This document could not be downloaded securely" message.

Specific Example-

The google result for an HP manual uses the link:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjDiOHghMXsAhUkoXIEHXr6AQ4QFjAAegQIAhAC&url=http%3A%2F%2Fh10032.www1.hp.com%2Fctg%2FManual%2Fc03975296&usg=AOvVaw1COSg4chA5ao1ebUAENYy7

http://h10032.www1.hp.com/ctg/Manual/c05402785 is the intended target.

IF you go to the target by directly "entering" the target URL The download works. Using the google result (reproduced above) causes the message to appear.

Workaround: From the This document could not be downloaded securely" message, right click and select "Copy Download Link".
Paste the result in to the address bar. The download will succeed when going directly to the insecure page.

In build 84.0a1 (2020-11-11) (64-bit) there is now an option when clicking on the download to either Open or Remove File. Selecting Open does download the file. Use of the work Open is not clear as nothing actually opens. Suggest using Continue With Download or Download instead of Open. Will try to locate original and comment this there as well.

Issue is resolved for my link and the original link as well as the duplicate bug link file.

I think this can be closed now that bug 1660969 is fixed. Then either mark this as depends on that bug or as a duplicate.

Closing this, since with 1660969 we have an unblock button now :)

Status: NEW → RESOLVED
Closed: 2 months ago
Flags: needinfo?(sstreich)
Resolution: --- → DUPLICATE
Duplicate of bug: 1660969
You need to log in before you can comment on or make changes to this bug.