Using Firefox 82, trying to download a file over http (and not https) fails with the error "This file could not be downloaded securely"
Categories
(Core :: DOM: Security, defect, P1)
Tracking
()
People
(Reporter: bytehead, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Steps to reproduce:
I click on a link Facebook to download a file. In this case:
http://bryanlprice.com/FloridaVotingRights.pdf
Actual results:
The file does not download. If I check my Downloads, it shows an error:
"This file could not be downloaded securely"
Expected results:
I expect the file to be downloaded. Or, at least presented with some way of downloading the file insecurely. Just blocking the download seems a sure way to make people give up on Firefox.
Reporter | ||
Comment 1•4 years ago
|
||
I'm not the only person seeing this:
https://www.reddit.com/r/firefox/comments/ig6nhk/ff_82_this_file_could_not_be_downloaded_securely/
Updated•4 years ago
|
Comment 3•4 years ago
•
|
||
I assume this is related to bug 1656296. Having said that, download in bug 1660957 seems to work fine on macOS (20200824215021), so it might be Windows only?
The link in comment 0 here gives me a blank page, and another error in console
NS_ERROR_FAILURE: Can't use PDF.js
Comment 4•4 years ago
|
||
try with HTTPS-Only Mode enforce off (In reply to Francesco Lodolo [:flod] from comment #3)
I assume this is related to bug 1656296. Having said that, download in bug 1660957 seems to work fine on macOS (20200824215021), so it might be Windows only?
The link in comment 0 here gives me a blank page, and another error in console
NS_ERROR_FAILURE: Can't use PDF.js
try it with HTTPS-Only Mode enforce off
Comment 5•4 years ago
|
||
(In reply to westsonoma from comment #4)
try it with HTTPS-Only Mode enforce off
It's already disabled.
Comment 6•4 years ago
•
|
||
Blocking HTTP downloads is a Nightly only feature and controlled by the dom.block_download_insecure
preference. I think this intentional behavior, but maybe there is should be an option to explictly retry insecure downloads. Otherwise this is probably a WONTFIX.
Comment 7•4 years ago
|
||
Basti, I think Bug 1660969 will add an unblock
button, right? Once landed can you revisit this bug?
Reporter | ||
Comment 8•4 years ago
|
||
(In reply to Tom Schuster [:evilpie] from comment #6)
Blocking HTTP downloads is a Nightly only feature and controlled by the
dom.block_download_insecure
preference. I think this intentional behavior, but maybe there is should be an option to explictly retry insecure downloads. Otherwise this is probably a WONTFIX.
I changed that preference, and it's now downloading as expected.
Comment 9•4 years ago
|
||
This seems like the same as bug 1654139.
Comment 10•4 years ago
|
||
Let's have this one block the meta bug 1654777 as well. And yes, that is very similar to bug 1654139, but I guess Bug 1660969 will fix that - or at least adds a button to overrule the decision and unblock the download (if really desired).
Updated•4 years ago
|
Comment 11•4 years ago
|
||
Can't reproduce in nightly, seems fixing https://bugzilla.mozilla.org/show_bug.cgi?id=1647829 also fixed this one ?
Comment 12•4 years ago
|
||
Still broke on win 7 nightly 83.0a1 (2020-10-04)
try it with HTTPS-Only Mode enforce off
Comment 13•4 years ago
|
||
I did that already with the link in comment 0, working as expected. PDF loads and then click on save Page as, save it as PDF and the download occurs.
Comment 14•4 years ago
|
||
PDF works, I didn't try it before. But the download does not:
http://www.disksavvy.com/setups_x64/disksavvy_setup_v13.0.18_x64.exe
Comment 15•4 years ago
|
||
Also experiencing this issue here: https://wiki.archlinux.org/index.php/Intel_GVT-g#Using_DMA-BUF_with_UEFI/OVMF
Click on the "extract the OpROM" and the file cannot be downloaded. You have to open the link in new tab, then it can be downloaded.
Comment 16•4 years ago
|
||
Krita Appimage file also fails to download securly
https://download.kde.org/stable/krita/4.4.0/krita-4.4.0-x86_64.appimage
Comment 17•4 years ago
|
||
It looks like this is being triggered for google search links (secure) redirect to insecure addresses.
Search for a document located on a site where a secure connection is not available with Google as the search engine.
Locate a link to the "PDF" version of the document. Click the link to initiate the download directly from search.
When you click on the download status you will see the "This document could not be downloaded securely" message.
Specific Example-
The google result for an HP manual uses the link:
http://h10032.www1.hp.com/ctg/Manual/c05402785 is the intended target.
IF you go to the target by directly "entering" the target URL The download works. Using the google result (reproduced above) causes the message to appear.
Workaround: From the This document could not be downloaded securely" message, right click and select "Copy Download Link".
Paste the result in to the address bar. The download will succeed when going directly to the insecure page.
Comment 19•3 years ago
|
||
(In reply to Jim Coleman from comment #17)
It looks like this is being triggered for google search links (secure) redirect to insecure addresses.
Search for a document located on a site where a secure connection is not available with Google as the search engine.
Locate a link to the "PDF" version of the document. Click the link to initiate the download directly from search.
When you click on the download status you will see the "This document could not be downloaded securely" message.Specific Example-
The google result for an HP manual uses the link:
http://h10032.www1.hp.com/ctg/Manual/c05402785 is the intended target.
IF you go to the target by directly "entering" the target URL The download works. Using the google result (reproduced above) causes the message to appear.
Workaround: From the This document could not be downloaded securely" message, right click and select "Copy Download Link".
Paste the result in to the address bar. The download will succeed when going directly to the insecure page.
In build 84.0a1 (2020-11-11) (64-bit) there is now an option when clicking on the download to either Open or Remove File. Selecting Open does download the file. Use of the work Open is not clear as nothing actually opens. Suggest using Continue With Download or Download instead of Open. Will try to locate original and comment this there as well.
Issue is resolved for my link and the original link as well as the duplicate bug link file.
Comment 20•3 years ago
|
||
I think this can be closed now that bug 1660969 is fixed. Then either mark this as depends on that bug or as a duplicate.
Comment 21•3 years ago
|
||
Closing this, since with 1660969 we have an unblock button now :)
Description
•