1689600 - Dragging images from websites with access control to Explorer resulted in 403 page being created instead

Status: VERIFIED FIXED

(Core :: Privacy: Anti-Tracking, defect, P1)

Description

[yaema.vandermerwe]

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0

Steps to reproduce:

1. Log in to a website with access control (e.g. Pixiv)
2. Open an access-controlled image in a new tab.
3. Drag that image and drop into Explorer.

Actual results:

The file size that Firefox exposed to Explorer is noted to be a constant size instead of the size it's supposed to be. This affects any files from the website.
Examining the image file with a text editor reveals that it is in fact the website's 403 page.

Expected results:

Actual image gets created.
The browser should copy the image data from the tab, and not despatch a separate, non-access-controlled call to the website to create the resource which results in 403 pages.

This is the case (therefore, this bug didn't exist) in previous version of Firefox.

Comment 1

[Alice0775 White]

Regression window:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a55d8ca4738f9b51515959de087df55e5d5999d8&tochange=7e53b5398797485e8f326bde1fcb5820afcbc8a2

Comment 2

[Alice0775 White]

BTW, Bug 1641270 does not fix this case if privacy.partition.network_state = true.

Comment 3

[Tim Huang[:timhuang]]

Hi Alice,

Thanks for providing the regression window. I cannot reproduce this on my MAC though.

Would you be able to provide a link and detailed STR? And is this issue Windows exclusive? Thanks.

Comment 4

[Tim Huang[:timhuang]]

I've found a way to reproduce this on Windows. Thanks.

Comment 5

[Tim Huang[:timhuang]]

Attachment: Bug 1689600 - Making the Drag&Drop downloading be aware of cookieJarSettings on Windows platform. r?smaug

The channel used in Windows for Drag&Drop doesn't have the correct
cookieJarSettings. The patch fixes this issue that it will pass the
correct cookieJarSettings to the channel.

Comment 7

[Pulsebot]

Pushed by tihuang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/932f35a99bca
Making the Drag&Drop downloading be aware of cookieJarSettings on Windows platform. r=smaug

Comment 8

[Dorel Luca [:dluca]]

https://hg.mozilla.org/mozilla-central/rev/932f35a99bca

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:timhuang, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Comment 10

[Tim Huang[:timhuang]]

Comment on attachment 9200445 [details]
Bug 1689600 - Making the Drag&Drop downloading be aware of cookieJarSettings on Windows platform. r?smaug

Beta/Release Uplift Approval Request

• User impact if declined: The drag&drop downloading of access-controlled images will break in Windows
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: Yes
• If yes, steps to reproduce: 1. Log in to a website with access control (e.g. Pixiv)

2. Open an access-controlled image in a new tab.
3. Drag that image and drop it into Explorer.
4. Verify if the image is downloaded correctly.

• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): This is a simple fix and only affects Windows.
• String changes made/needed: None

Comment 11

[Pascal Chevrel:pascalc]

Comment on attachment 9200445 [details]
Bug 1689600 - Making the Drag&Drop downloading be aware of cookieJarSettings on Windows platform. r?smaug

Low risk fix according to the author, was on nightly for a few days and this is a recent 85 regression, approved for 86 beta 8, thanks.

Comment 12

[Julien Cristau [:jcristau] (back April 22)]

https://hg.mozilla.org/releases/mozilla-beta/rev/04dcfc871055

Comment 13

[Anca Soncutean, Desktop QA]

Reproduced with Fx 85.0 on Windows 10.
Verified fixed with Fx 86.0b8 and Fx 87.0a1 (2021-02-09) on Windows 10.