Open Bug 1694520 Opened 4 years ago Updated 4 years ago

Dragging images from websites with access control to Explorer results in a 403 page being saved instead

Categories

(Firefox :: Private Browsing, defect, P3)

Product:
Firefox
Component:
Private Browsing
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox88 --- affected

People

(Reporter: xexali3591, Unassigned)

References

Details

(Keywords: parity-chrome)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0

Steps to reproduce:

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0

Note that this appears to be the same bug as Bug 1689600, but it only takes effect on Private Windows, so the steps are nearly identical. This bug has also occurred on Firefox 84 and Firefox 85.

Steps to reproduce:

  1. Log in to a website with access control (e.g. Pixiv) on a Private Window
  2. Open an access-controlled image in a new tab. (if the image was previously saved on a non-Private Window, it will save as expected)
  3. Drag that image and drop into Explorer.

Actual results:

The file saves as the website's 403 page with an image extension (e.g. a 146 byte .png or .jpeg file that is revealed to be HTML code when opened in a text editor) instead of saving the image itself.

Expected results:

The image saves from the Private Window's cache, instead of triggering the website's 403 page. This bug is fixed in non-Private Windows, but still occurs in Private Windows.

Apologies for the repeating lines in the beginning, I'm not used to using Bugzilla.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Core & HTML' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core

This is not a regression. I can reproduce this issue in 78esr, 68esr....45esr as well as Nightly88.0a1.
Chrome's incognito mode works as expected.

Status: UNCONFIRMED → NEW
Has STR: --- → yes
status-firefox88: --- → affected
Ever confirmed: true
Keywords: parity-chrome
Version: Firefox 87 → Trunk

Mirko, this seems similar to the bug you fixed for macOS (albeit for copy-and-paste). Could it be that we need to do something equivalent for Windows?

Component: DOM: Core & HTML → DOM: Drag & Drop
Flags: needinfo?(mbrodesser)

This is not properly reproducible with Ubuntu 18.04. No image is saved, but a link. Both, from a normal and from a private Window.

On Windows, it's reproducible.

Mirko, this seems similar to the bug you fixed for macOS (albeit for copy-and-paste). Could it be that we need to do something equivalent for Windows?

Presumably, this is a different problem, because the issue doesn't occur in non-private browsing mode.

Component: DOM: Drag & Drop → Private Browsing
Flags: needinfo?(mbrodesser)
Product: Core → Firefox
See Also: → 1690532

Some things about this bug that I have learned:

  1. This bug can occur on any page protected under the DDOS-GUARD service. Instead of saving a 403 page however, it saves the DDOS-GUARD "Wait for 5 seconds" page.
  2. When an image is loaded on a non-Private browsing window from a website where this bug can occur (example page: https://www.pixiv.net/en/artworks/66545003), saving it via drag and drop on a Private browsing window will result in the bug not occurring and the image saving as expected. I don't understand why this happens -- maybe this has something to do with the browser's cache or cookies?

I notice saving images in Private browsing mode seems to redownload them instead of saving them from cache, which is pretty bad for anyone with a slow connection or limited data. I think this might be related to the bug, as saving images in Private browsing mode tends to be slower in general than saving from non-Private browsing mode.

Severity: -- → S3
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.