Blocked mixed content downloads are not distinguishable enough from ones blocked by safebrowsing
Categories
(Firefox :: Downloads Panel, defect, P3)
People
(Reporter: gwarser, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: QA-not-reproducible)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Steps to reproduce:
In about:preferences#privacy
all options under "Deceptive content and dangerous software protection" are disabled.
Try watching PDF in this Reddit post: https://www.reddit.com/r/AV1/comments/mfqtr8/aom_decoder_q1_2021/
Actual results:
"File not downloaded: potential security risk"
Expected results:
File should be opened in Firefox PDF viewer.
Comment 1•4 years ago
The Bugbug bot thinks this bug should belong to the 'Firefox::PDF Viewer' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
It's http instead of https, but this info is not available in "Downloads" view of "Library" window.
Comment 3•4 years ago
Was checking these prefs for the mixed content work considered? I could see how they're different kinds of security and even people who disable safebrowsing (e.g. because they distrust google) might actually want mixed content blocking, so I'm not sure what the right answer is...
Comment 4•4 years ago
Note for the reporter: the mixed content blocking work is still under development and nightly-only at the moment.
Now, when I know why this happened, I don't think this should be linked to "deceptive content" pref, but rather UI of the library should be improved to provide more info about this block.
One more issue - downloads panel with this error pops up after every restart of Firefox.
Comment 7•4 years ago
(In reply to gwarser from comment #6)
> One more issue - downloads panel with this error pops up after every restart of Firefox.
Yes, this is tracked in bug 1685737. As a workaround for now, you can right click the item and remove it to stop this happening.
Comment 8•4 years ago
(In reply to gwarser from comment #5)
> Now, when I know why this happened, I don't think this should be linked to "deceptive content" pref, but rather UI of the library should be improved to provide more info about this block.
I've updated the bug's summary to reflect this.
Comment 9•4 years ago
Hi,
I am not able to replicate the issue in win 10 pro and ubuntu 20.04, after unchecking all options under "Deceptive content and dangerous software protection" in about:preferences#privacy. I am able to view the pdf from https://www.reddit.com/r/AV1/comments/mfqtr8/aom_decoder_q1_2021/ without issues. Let me know if there's any additional step that could help me reproduce.
Thanks for the report.
Best regards, Clara.
Comment 10•4 years ago
We've already diagnosed what is happening here, so I think we're good.
Comment 11•4 years ago (Reporter)
For some reason in my current profile clicking on it always shows download dialog, but on clean profile pdf just opens without asking. But this is just issue with STR.
- Right click on http://downloads.aomedia.org/assets/pdf/AOMedia%20Non%20Member%20Newsletter%20-%20Q12021.pdf
- select "Save link as..."
- confirm
In download widget you will see "File not downloaded: potential security risk"
Hovering mouse cursor over it, will display "Show more information" message, (which BTW is confusing for me in this context)
Clicking on this message will display dialog which explains everything. This is fine.
But if you click on "Show all downloads" and see library window, then there is no information about why file was not downloaded.
Comment 12•4 years ago
> Was checking these prefs for the mixed content work considered? I could see how they're different kinds of security and even people who disable safebrowsing (e.g. because they distrust google) might actually want mixed content blocking, so I'm not sure what the right answer is...
There was no discussion about this, yet. Personally I think this (whilst using the same UI) is a different "thing" than using the safebrowsing lists. If there are any strong opinions that it should be somewhat linked to safebrowsing (safebrowsingEnabled && mcbWarningEnabled) that would be fine too, I think. Not sure who should be making this decision :)
Comment 13•3 years ago
Hey gwarser,
I tried reproducing this issue on the latest versions of Firefox Nightly 90.0a1 (2021-05-19), Beta 89.0b14 and release 80.0.1 but the download worked without issue and as for the initial issue I can open the file in PDF viewer without any notification of a potential risk.
Since on a clean profile this can't be reproduced it could be that something from your current profile was causing the issue.
Can you test the issue while in Safe Mode? You can find helpful info here: https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode
If possible, you can test this issue on the nightly build as well. Download the build from: https://www.mozilla.org/en-US/firefox/nightly/all/
Comment 14•3 years ago
(In reply to Andrei Purice from comment #13)
> Hey gwarser,
> I tried reproducing this issue on the latest versions of Firefox Nightly 90.0a1 (2021-05-19), Beta 89.0b14 and release 80.0.1 but the download worked without issue and as for the initial issue I can open the file in PDF viewer without any notification of a potential risk.
The steps in comment #11 reproduce fine for me in nightly - they won't in beta/release because we don't block mixed-content downloads there (yet). If you have questions, please ask me.
Comment 15•3 years ago
Reproduced on the latest version of Firefox Nightly 93.0a1 (2021-09-01).
Not reproducible on the latest versions of Firefox beta 92.0 or release 91.0.2.
Comment 16•3 years ago
This is only reproducible with dom.block_download_insecure = true, which was enabled by default in Firefox 93 with bug 1685479.