Closed Bug 1686756 Opened 4 years ago Closed 3 years ago

Insecure downloads with https-only enabled cause zero-byte files to be downloaded.

Categories

(Core :: DOM: Security, defect, P3)

Firefox 86
defect

Tracking

RESOLVED DUPLICATE of bug 1768854

People

(Reporter: frank, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0

Steps to reproduce:

Enable http-only mode (dom.security.https_only_mode_ever_enabled)
Navigate to an insecure (http) download link (for example http://speed.hetzner.de/100MB.bin )
Start the download

Actual results:

Firefox will display the proper length of the download and seemingly download the file; however, it results in a zero-byte file.

Expected results:

Either an insecure warning should be shown and download halted, or the download should proceed as expected

Erroneously wrote dom.security.https_only_mode_ever_enabled, but meant to say enable https-only mode via dom.security.https_only_mode. Sorry about that.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → DOM: Security
Product: Firefox → Core

Julian, can you take a look please?

Flags: needinfo?(julianwels)

Could it be because of access ranges downloading such a large file? Downloading the file directly as https:// works fine, but http upgraded (which does make an https request according to devtools) doesn't.

Leli, adding a ni? to keep this on your radar!

Flags: needinfo?(leli)
Severity: -- → S3
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

Leli is on it!

Flags: needinfo?(julianwels)

The download takes more than 3 seconds and is thereby cancelled by the http-background request. --> Bug 1683015

The flag for nsILoadInfo::HTTPS_ONLY_TOP_LEVEL_LOAD_IN_PROGRESS does not get set before dom.security.https_only_mode_send_http_background_request cancels the request

Does work with dom.security.https_only_mode_send_http_background_request false
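To make the race described in the comment above concrete, here is an added virtual-time model written for this page; it is not Firefox code. Only the 3-second delay, the pref dom.security.https_only_mode_send_http_background_request and the flag HTTPS_ONLY_TOP_LEVEL_LOAD_IN_PROGRESS come from the comment; the function name simulate_download, the DownloadOutcome type, the assumed transfer times and the idea that an already-set flag would spare the request are all assumptions of the model.

```python
"""Hypothetical model of the HTTPS-Only background-request race.

An upgraded HTTPS request (here: a file download) is still streaming when the
HTTP background request fires after 3 s. In the bug, the top-level-load flag is
not yet set at that moment, so the upgraded request is cancelled and the
partially received body is thrown away, leaving a zero-byte file.
"""
from dataclasses import dataclass
from typing import Optional

# From the bug comment: the background HTTP request fires after 3 seconds.
BACKGROUND_REQUEST_DELAY_S = 3.0


@dataclass
class DownloadOutcome:
    cancelled: bool
    bytes_written: int
    cancelled_at: Optional[float]  # virtual time of cancellation, if any


def simulate_download(
    size_bytes: int,
    transfer_seconds: float,
    send_background_request: bool = True,
    top_level_flag_set_at: Optional[float] = None,
) -> DownloadOutcome:
    """Run the race in virtual time (assumed scheduler, not Firefox's).

    size_bytes / transfer_seconds: the upgraded download being modelled.
    send_background_request: models the pref
        dom.security.https_only_mode_send_http_background_request.
    top_level_flag_set_at: virtual time at which
        HTTPS_ONLY_TOP_LEVEL_LOAD_IN_PROGRESS would be set on the load info;
        None means it is never set before the timer fires (the bug).
    """
    timer_fires_during_transfer = (
        send_background_request and BACKGROUND_REQUEST_DELAY_S < transfer_seconds
    )
    if timer_fires_during_transfer:
        flag_already_set = (
            top_level_flag_set_at is not None
            and top_level_flag_set_at <= BACKGROUND_REQUEST_DELAY_S
        )
        if not flag_already_set:
            # Assumption of the model: an in-flight upgraded load without the
            # flag is cancelled and its partial body discarded (0 bytes on disk).
            return DownloadOutcome(True, 0, BACKGROUND_REQUEST_DELAY_S)
    # Small file, pref disabled, or flag set in time: transfer completes.
    return DownloadOutcome(False, size_bytes, None)


def reporter_scenario() -> dict:
    """The 100 MB download from the report under assumed conditions.

    Assumption: the file streams at 10 MB/s, so it takes 10 s (> 3 s).
    """
    size = 100 * 1024 * 1024
    seconds = 10.0
    return {
        "bug": simulate_download(size, seconds),
        "pref_false": simulate_download(size, seconds, send_background_request=False),
        "flag_set_early": simulate_download(size, seconds, top_level_flag_set_at=0.5),
        "small_file": simulate_download(4096, 1.0),
    }


if __name__ == "__main__":
    for name, outcome in reporter_scenario().items():
        print(f"{name:15s} cancelled={outcome.cancelled} bytes={outcome.bytes_written}")
```

The "bug" case ends with 0 bytes, the "pref_false" case completes (matching the observation that the download works with the background request disabled), and a file that finishes before the 3-second timer is never affected.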

Flags: needinfo?(leli)
Flags: needinfo?(brazyfish)
Attachment #9280917 - Flags: ui-review+
Attachment #9280917 - Flags: review+
Attachment #9280917 - Flags: feedback+
Attachment #9280917 - Flags: data-review+

Redirect a needinfo that is pending on an inactive user to the triage owner.
:freddy, since the bug has recent activity, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(frank) → needinfo?(fbraun)

Same as bug 1768854.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(fbraun)
Resolution: --- → DUPLICATE