Open Bug 1696174 Opened 4 years ago Updated 1 year ago

downloads.download cannot download blob:-URLs created in content scripts/web pages, Error: Access denied for URL blob:http

Categories

(WebExtensions :: General, defect, P3)

Firefox 86
Unspecified
macOS
defect

Tracking

(firefox86 affected, firefox87 affected, firefox88 affected)

People

(Reporter: richard, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36

Steps to reproduce:

When a user clicks on a designated button on our website, JavaScript in the web page passes a Blob URL to our add-on so that we can download it using browser.downloads.download. The blob is constructed as follows:

const url = URL.createObjectURL(new Blob([data], {"type": "application/pdf"}));

This url is sent to the add-on in a message. In the background script we receive the message and then call:

browser.downloads.download({url, filename});

Actual results:

The call to downloads.download fails with two error messages, one after the other:

Security Error: Content at moz-extension://f7307337-713b-bb44-8ddc-86d359c328d1/_generated_background_page.html may not load data from blob:https://<server>/4f00834d-e048-ac48-8fc3-cc937471077d.

Uncaught (in promise) Error: Type error for parameter options (Error processing url: Error: Access denied for URL blob:http://<server>/4f00834d-e048-ac48-8fc3-cc937471077d) for downloads.download

(Actual server address replaced with <server>)

Expected results:

The download should succeed. The same code works in Chrome.

OS: Unspecified → macOS
Product: Firefox → WebExtensions

Hello RichardB,

I’m from QA and I’m attempting to confirm the issue you are having. However, due to some lacking skills in building add-ons, I would like to ask if you could share the website you mentioned and the add-on which you used when you encountered this issue.

Thank you!

Flags: needinfo?(richard)

This is a reasonable feature request. data:-URLs don't work with downloads.download either (bug 1622986). This restriction is because of validation by the schema (implementation details mentioned in bug 1622986).

A work-around for this bug is to create the blob:-URL from the background page (unlike Chrome, Blob objects can be sent to the background page with the extension messaging API) or to use <a download> from the content script itself.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(richard)
See Also: → 1622986
Severity: -- → S3
Priority: -- → P3
Component: Untriaged → General
Summary: Firefox add-on security error with blob URL → downloads.download cannot download blob:-URLs created in content scripts/web pages, Error: Access denied for URL blob:http
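
The first work-around from the comment above, as an added example (not code from the reporter or from Firefox): the content script sends the Blob itself, and the background page validates it and creates the blob: URL in the extension's own origin. The message type `download-blob`, the size cap, the type allowlist and the helper names are assumptions made for this example.

```javascript
// Added example. Assumed names: "download-blob", MAX_BYTES, ALLOWED_TYPES.
const MAX_BYTES = 50 * 1024 * 1024;
const ALLOWED_TYPES = new Set(["application/pdf"]);

// Reduce a page-supplied name to a bare file name (no directory parts).
function safeFilename(name) {
  const base = String(name).split(/[\\/]/).pop();
  const cleaned = base.replace(/[\x00-\x1f<>:"|?*]/g, "_").replace(/^\.+/, "");
  return cleaned || "download.pdf";
}

// `api` is the WebExtension `browser` object; `urlApi` is injectable for tests.
function makeDownloadHandler(api, urlApi = URL) {
  const pending = new Map(); // download id -> blob: URL awaiting revocation
  api.downloads.onChanged.addListener((delta) => {
    const state = delta.state && delta.state.current;
    if (pending.has(delta.id) && (state === "complete" || state === "interrupted")) {
      urlApi.revokeObjectURL(pending.get(delta.id));
      pending.delete(delta.id);
    }
  });
  async function handle({ blob, filename }, sender) {
    // The payload originates in the web page, so validate before use.
    if (sender.id !== api.runtime.id) throw new Error("unexpected sender");
    if (!(blob instanceof Blob)) throw new TypeError("payload is not a Blob");
    if (!ALLOWED_TYPES.has(blob.type)) throw new Error("type not allowed");
    if (blob.size > MAX_BYTES) throw new Error("blob too large");
    // Minted in the background page, the URL belongs to the extension's own
    // origin rather than the web page's.
    const url = urlApi.createObjectURL(blob);
    try {
      const id = await api.downloads.download({ url, filename: safeFilename(filename) });
      pending.set(id, url);
      return id;
    } catch (err) {
      urlApi.revokeObjectURL(url); // nothing will consume it
      throw err;
    }
  }
  // Return undefined for unrelated messages so other listeners can answer.
  return (message, sender) =>
    message && message.type === "download-blob" ? handle(message, sender) : undefined;
}

// Background page wiring (skipped when `browser` is absent):
if (typeof browser !== "undefined") {
  browser.runtime.onMessage.addListener(makeDownloadHandler(browser));
}
// Content script: browser.runtime.sendMessage({ type: "download-blob", blob, filename });
```

The blob: URL is revoked once downloads.onChanged reports the download as complete or interrupted, so object URLs do not accumulate in the background page.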

@alex Hey Alex, thanks for your attention to this. I'm just waiting for the approval on an example project that is fully testable, and I will make this available ASAP.

See Also: → 1294996

Hello @RichardB!

Sorry for the delay and thank you for the very detailed steps you provided!

Although the issue was already confirmed by Rob in Comment 2, I’ve also reproduced it using the resources from the GitHub test project you provided on the latest Release (86.0.1/20210310152336), Beta (87.0b9/20210311161514) and Nightly (88.0a1/20210315091836) on Windows 10 x64.

Doing as mentioned in the STR from the test project, the “Security Error: Content at moz-extension://f8ade4d8-0a2b-45c0-9120-9eb71baa52cf/_generated_background_page.html may not load data from blob:http://localhost:8181/b9ce7a8a-4568-4eff-a2a7-70ca468b77fc.” is displayed in the add-on console. See the attached screenshot for further details.

I’ll also add the appropriate affected versions to the issue.

Attached image 2021-03-15_13h34_56.png

I can confirm this issue persists on Firefox version 95.0.2 (64-bit).

I can also confirm that the latest Chrome (96) is not affected. I'm using the same code in both browsers.
