Open Bug 1711049 Opened 3 years ago Updated 8 months ago

Require user interaction for all but the first download from a page to prevent download spam

Categories

(Firefox :: Downloads Panel, enhancement, P3)

Product:
Firefox
Component:
Downloads Panel
Type:
enhancement
Points:
1

Tracking

()

People

(Reporter: mtigley, Unassigned)

References

(Depends on 3 open bugs, Blocks 2 open bugs)

Details

(Keywords: csectype-dos, sec-want, Whiteboard: [fidefe-Outreachy2021])

Attachments

(1 obsolete file)

When Bug 1709129 is implemented, we'd need to address the download user experience to require user interaction when multiple downloads occur on the same page.

This means we need to implement a way to prevent download spam (perhaps via a popup blocker, a permission prompt, etc...) otherwise the user would have to deal with the downloads panel opening incessantly on the same page anytime a new download is initiated.

We do have some earlier work for this in Bug 1463527. So it would worth looking at that too.

Type: defect → enhancement
Severity: S3 → --

You can find a breakdown of this project in https://bugzilla.mozilla.org/show_bug.cgi?id=1306334#c2, including suggested telemetry.

This feature alone can keep one person busy for several weeks.

Instead of using just one bug for the entire project as it was attempted in bug 1463527, I recommend landing it in smaller stages, creating an even more detailed feature breakdown. This has been partly started in https://bugzilla.mozilla.org/showdependencytree.cgi?id=1306334&hide_resolved=1.

This feature is the prerequisite for a number of Downloads Panel changes, the easiest of which is the removal of the interstitial dialog for executables only. This is a much smaller subset of what bug 1710941 is trying to do, and it is something I recommend enabling separately in production before any of the other changes, which in turn should happen after the protection from multiple downloads is also enabled.

Instead, the dependency tree for what it's being asked bug 1710941 is quite extensive. There have been various discussions, but no detailed breakdown yet. You can go through these meta-bugs to get an idea of the real complexity of this proposition:

https://bugzilla.mozilla.org/showdependencytree.cgi?id=1270405&hide_resolved=1

Even if it's not the download panel opening, multiple downloads can be a debilitating DOS. If you've said "ask me every time" for a particular type you have a zillion dialogs to clean up. If you have that type always open in a particular app then you get zillions of that app window launched. If you always "Save File" then you've got a mess to clean up there. A single huge file could fill up your disk already, but it's easier to stop and clean up. With multiple downloads they can get a bunch going in parallel depending on our limits on the number of connections.

Blocks: eviltraps
Keywords: csectype-dos, sec-want
See Also: → 832913

This bug has a link there the problem with download spam could be reproduced: https://bugzilla.mozilla.org/show_bug.cgi?id=1328578

Looks like there are 2 solutions to this problem, one being more rigid, but easy to implement, and an other one being more flexible and desired.

  1. Show permission dialog if more than 1 downloads are started from the same URL (as Sagar already attempted to solve it): https://bugzilla.mozilla.org/show_bug.cgi?id=1463527

  2. Count only downloads, not triggered by user. The problem here is how to detect that "download was triggered by user".
    So, what kind of heuristics we can use here?

    Fast pace:

    • Download could be triggered unhumanly fast after the previous download
    • 10 downloads are triggered within the same second
      Lack of mouse movement:
    • Mouse wasn't moving than more than one download was triggered
      Lack of hover events:
    • No hover event was happening before download was "clicked".
      Same file is downloading:
    • Redownload of the same file

Also we can prevent the Unknown content dialog from opening, if an other one is already showing.

(In reply to Ava Katushka from comment #4)

Looks like there are 2 solutions to this problem, one being more rigid, but easy to implement, and an other one being more flexible and desired.

  1. Show permission dialog if more than 1 downloads are started from the same URL (as Sagar already attempted to solve it): https://bugzilla.mozilla.org/show_bug.cgi?id=1463527

  2. Count only downloads, not triggered by user. The problem here is how to detect that "download was triggered by user".
    So, what kind of heuristics we can use here?

    Fast pace:

    • Download could be triggered unhumanly fast after the previous download
    • 10 downloads are triggered within the same second
      Lack of mouse movement:
    • Mouse wasn't moving than more than one download was triggered
      Lack of hover events:
    • No hover event was happening before download was "clicked".
      Same file is downloading:
    • Redownload of the same file

Also we can prevent the Unknown content dialog from opening, if an other one is already showing.

I'm not super familiar with our download code, but since it's handled by nsExternalHelperAppService, perhaps you could use UserActivation::IsHandlingUserInput to determine if the download was triggered from a user interaction.
https://searchfox.org/mozilla-central/rev/b7bc94b4689a7f002c61d016c6e162e5e5708bf3/dom/base/UserActivation.cpp#35

If it's feasible IsHandlingUserInput seems like the simplest way to do it. There are other pre-existing ways for storing user interaction, such as this permission based approach used for the storage access API: https://searchfox.org/mozilla-central/rev/b7bc94b4689a7f002c61d016c6e162e5e5708bf3/toolkit/components/antitracking/ContentBlockingUserInteraction.cpp#50
Storing user interaction as a permission is not ideal though. For anti tracking we'd like to add a new module in the future to replace the permission.

Thank you, Paul!
Using UserActivation::IsHandlingUserInput sounds good to me.

Depends on D118328

Assignee: nobody → ava8katushka
Status: NEW → ASSIGNED

What about Unknown Content Dialog poping up for the download spam? If the download is suspicious for being a spam, should they be shown after the permission prompt? (if allowed) Or emitted all together?

Flags: needinfo?(mtigley)

(In reply to Ava Katushka from comment #8)

What about Unknown Content Dialog poping up for the download spam? If the download is suspicious for being a spam, should they be shown after the permission prompt? (if allowed) Or emitted all together?

We should show the filepicker/unknowncontent dialog for the first download. But subsequent downloads should only show a prompt after a decision has been made on the permission prompt. We only do this if the user has "Always ask" configured from about:preferences.

Flags: needinfo?(mtigley)
Depends on: 1725353
Depends on: 1725354
Depends on: 1725355
Depends on: 1725358
Depends on: 1725360

Comment on attachment 9230463 [details]
Bug 1711049 - Prevent download spam. r?gijs

Revision D119512 was moved to bug 1725353. Setting attachment 9230463 [details] to obsolete.

Attachment #9230463 - Attachment is obsolete: true
Whiteboard: [fidefe-Outreachy2021]
Points: --- → 1
See Also: → 1306334

I do not believe the issue I reported (1759134) is a duplicate of this bug, as it does not solely have to do with the behavior mentioned here. There are functionality issues beyond simply the number of pop-ups generated that the issue I brought up creates. The download check pop-up provided more functionality, and while avoiding spam pop-ups is desirable, it's removal does not only effect this. the pop-up also allowed for case-by-case selective behavior.

For example, if you had clicked on a PDF before, you could then decide FOR THAT PDF if it would be opened or downloaded. Now, all PDFs are either opened or downloaded with no user prompt. The only way to change this on a case-by-case basis is to, before you click, go into the settings and change them for PDFs, then go in again and change them back to your "default" behavior. The complete removal of this pop-up therefore creates MORE clicking and menu fiddling that was not previously needed.

A single unprompted behavior for all file types is not desirable and potentially problematic. Preventing spam pop-ups is a noble goal, and being able to set it so SOME types act this way is handy, but for all types by default is a problem. Being able to set some file types to ask what to do every time (with an option to say to do this every time, thus removing the pop-up AT USER REQUEST, not beyond user control) would be far preferable behavior.

(In reply to void2258 from comment #15)

I do not believe the issue I reported (1759134) is a duplicate of this bug, as it does not solely have to do with the behavior mentioned here.

I provided a long comment in 1759134 explaining why I duplicated here - a bug should cover a single issue - trying to cover 3 or 4 different things in a bug doesn't work, so I think the duplication is correct. I'll respond to you in your original bug rather than cluttering up this one.

See Also: → 741050
Depends on: 1306334
Blocks: 1306334
No longer depends on: 1306334

The bug assignee is inactive on Bugzilla, so the assignee is being reset.

Assignee: ava8katushka → nobody
Status: ASSIGNED → NEW
Duplicate of this bug: 1877955
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: