Open Bug 1710251 Opened 4 years ago Updated 11 months ago

downloads.download cannot download resources that are protected by CORP (e.g. Instagram images)

Categories

(WebExtensions :: Request Handling, defect, P2)

Firefox 88
defect

Tracking

(Not tracked)

People

(Reporter: thecristidima, Unassigned, NeedInfo)

References

Details

(Keywords: dev-doc-needed)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0

Steps to reproduce:

Call browser.downloads.download() with an image URL from Instagram (got it from network tab).

Alternatively, use this sample add-on: https://github.com/thecristidima/ff-insta-download-bug

Actual results:

Got a "Failed download" error.

Expected results:

Image should be downloaded (as it does in previous Firefox versions and on current Edge).

The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Networking
Product: Firefox → Core

Thank you for the testcase!!! I was able to reproduce this. I don't think there's a networking issue here, I think this is because the Instagram resource is responding with cross-origin-resource-policy: same-origin which causes the response body to be stripped when the download is initiated from the add-on scope.

I'm not sure what the intended behavior is for this. Essentially I believe that Instagram is using this feature to prevent this kind of thing, and they want users to only be able to initiate the download after navigating to an Instagram web property.

Anne, Christoph, Shane: is the behavior described in comment 0 expected for add-ons initiating downloads? I think it makes sense for CORP to be applied to sites that are trying to load cross-origin sub-resources, and am not sure if the underlying intention applies in the add-on case.

Component: Networking → DOM: Security
Flags: needinfo?(mixedpuppy)
Flags: needinfo?(ckerschb)
Flags: needinfo?(annevk)

Well, extensions have special privileges for a reason and this should probably work. Bug 1670278 and bug 1698863 would be ways of addressing this, though might require the extension to be updated as well.

Component: DOM: Security → Request Handling
Flags: needinfo?(mixedpuppy)
Flags: needinfo?(ckerschb)
Flags: needinfo?(annevk)
Product: Core → WebExtensions
See Also: → 1698863, 1670278

The check here should be expanded to allow moz-extension principals that have the right permissions: https://searchfox.org/mozilla-central/rev/0e8b28fb355afd2fcc69d34e8ed66bbabf59a59a/netwerk/protocol/http/HttpBaseChannel.cpp#2256

Once this bug is resolved, this extra aspect should be documented at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#host_permissions

The loadingPrincipal for the downloads API is set to the moz-extension:-principal at https://searchfox.org/mozilla-central/rev/0e8b28fb355afd2fcc69d34e8ed66bbabf59a59a/toolkit/components/extensions/parent/ext-downloads.js#930

Ideally we should not relax this for ExpandedPrincipals, because that would allow content scripts running in web pages to bypass the restriction.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: dev-doc-needed
Summary: Add-ons can't download files using Instagram links on Firefox 88 → downloads.download cannot download resources that are protected by CORP (e.g. Instagram images)
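
Added illustration, not part of the bug thread and not Firefox source: a JavaScript model of the CORP decision and of the relaxation proposed in the comment above (exempt a moz-extension principal with a matching host permission, but not an expanded principal). The principal shapes, the hostPermissions format, the relaxForExtensions switch and all URLs are assumptions constructed for the example.

```javascript
// Toy model of the decision discussed in this bug; not Firefox source.
// Principal shapes, hostPermissions format and all URLs are constructed.

// Stand-in for "site": scheme plus last two host labels. Real browsers
// consult the Public Suffix List; this is enough for the sample data.
function approxSite(url) {
  return url.protocol + "//" + url.hostname.split(".").slice(-2).join(".");
}

// Does the Cross-Origin-Resource-Policy value let this initiator read
// the response?
function corpAllows(policy, initiatorOrigin, resourceUrl) {
  const res = new URL(resourceUrl);
  switch ((policy || "").trim().toLowerCase()) {
    case "same-origin":
      return initiatorOrigin === res.origin;
    case "same-site":
      return approxSite(new URL(initiatorOrigin)) === approxSite(res);
    default: // "cross-origin", absent or unrecognized value
      return true;
  }
}

// Simplified host permission match: exact host or "*.suffix" wildcard.
function hostPermitted(hostPermissions, resourceUrl) {
  const host = new URL(resourceUrl).hostname;
  return hostPermissions.some((p) => p.startsWith("*.")
    ? host === p.slice(2) || host.endsWith(p.slice(1))
    : host === p);
}

// principal.kind: "content" (web page), "extension" (moz-extension:),
// or "expanded" (content script running in a web page).
function shouldBlock(principal, policy, resourceUrl, relaxForExtensions) {
  if (corpAllows(policy, principal.origin, resourceUrl)) return false;
  // Proposed relaxation: only a plain moz-extension principal with a
  // matching host permission is exempt. Expanded principals stay
  // blocked so content scripts cannot bypass the restriction.
  return !(relaxForExtensions && principal.kind === "extension" &&
    hostPermitted(principal.hostPermissions || [], resourceUrl));
}

// Constructed sample principals and resource.
const IMG = "https://cdn.example.com/photo.jpg";
const EXT = { kind: "extension", origin: "moz-extension://0000-sample",
  hostPermissions: ["*.example.com"] };
const SCRIPT = { ...EXT, kind: "expanded", origin: "https://www.example.org" };
```

With relaxForExtensions set to false the extension download of a same-origin-protected resource is blocked, matching the behavior reported in this bug.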

Assigning needinfo to myself to see if I should needinfo valentin later or work on this myself.

Severity: -- → S3
Flags: needinfo?(rob)
Priority: -- → P2

You can use the tools to download instagram videos in this article: https://keepvid.ch/download-instagram-video
