Closed Bug 1749525 Opened 2 years ago Closed 2 years ago

Downloads fail but appear to be complete

Categories

(Core :: DOM: Security, defect, P2)

Product:
Core
Component:
DOM: Security
Version:
Firefox 95
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
102 Branch
Tracking Flags:
Tracking Status
firefox102 --- fixed

People

(Reporter: steven1350, Assigned: t.yavor, NeedInfo)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(7 files)

webpage.png
41.92 KB, image/png
Details
signin.png
14.53 KB, image/png
Details
download_prompt.png
6.96 KB, image/png
Details
download_blocked.png
66.51 KB, image/png
Details
more_info.png
70.25 KB, image/png
Details
save_filed_contents.png
63.26 KB, image/png
Details
Bug 1749525 - Download fails because it doesn't contain an auth header. r=ckerschb
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0

Steps to reproduce:

I was downloading a DLL file which required "HTTP Basic Authentication".

The webpage was an HTTPs URL, however the download link was an HTTP URL.

The browser gave me a warning about the download link being insecure, and I told it to proceed anyways

Actual results:

The download appears to complete. The file is saved with the name of the file I expect, however if I open the file with a text editor, it only contains the HTTP source of a "401 Forbidden" webpage.

I am thinking that the HTTP Basic Auth headers were not sent when I told the download to proceed after the insecure warning

Expected results:

The file should have downloaded successfully

The Bugbug bot thinks this bug should belong to the 'Firefox::Downloads Panel' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Downloads Panel

Hi,

Do you have a sample website? I tried downloading a dll file here https://www.dlldownloader.com/bicrt-dll/ and managed to download just fine. Also tried https://www.dllme.com/get/23810 but they both download a zip file.

Best,
Clara

Flags: needinfo?(steven1350)

I do not have an example any more (private login & the vendor website corrected the issue once I pointed it out to them.

I think this bug is a combination of two things (it being an DLL file is possibly irrelevant)

To reproduce, the download url needs to be behind an HTTP basic auth, and it needs to be a HTTP url (while the page containing the download url needs to be HTTPS)

So, on the HTTPs webpage, click the HTTP url. A prompt should appear for the basic auth. Once submitted, Firefox will block this download citing security reasons (since its an HTTP download initiated from an HTTPS webpage). There will be an option to re-download anyways and accept the risk. And its here where the bug occurs.

Flags: needinfo?(steven1350)
Attached image webpage.png

Step 1

Attached image signin.png

Step 2

Attached image download_prompt.png

Step 3

Attached image download_blocked.png

Step 4

Attached image more_info.png

Step 5

Attached image save_filed_contents.png

Result

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE

Actually, perhaps this isn't a dupe, though both bugs involve mixed content downloads. Tomer, can you take a look?

Status: RESOLVED → REOPENED
Component: Downloads Panel → DOM: Security
Ever confirmed: true
Flags: needinfo?(lyavor)
Product: Firefox → Core
Resolution: DUPLICATE → ---
See Also: → 1739113

@Gijs:
I would also assume that it isn't a duplicate.
The bug 1739113 is related to the mixed-content-blocker and https-first mode. That one is not related to https-first.
To be honest I am not so much into the mixed-content-blocker, I could imagine that it downloads the result it got for an request without an "Authorization" header but that is just a guess. I will try to get a better look into it.

@Steven:
Did you use the private browsing mode and if not could you give it a try if it is solving your problem?

Flags: needinfo?(lyavor) → needinfo?(steven1350)

Basti, can you help here? Seems like a mixed-content-download blocker problem. I don't think that https-first is involved here at all.

Flags: needinfo?(sstreich)
Assignee: nobody → lyavor
Severity: -- → S2
Priority: -- → P2
Whiteboard: [domsecurity-active]

I would assume this is more a mcb-downloads problem and not a https-first issue.
On the download-block-prompt, the original channel containing the auth info has already been closed.
Pressing "unblock" will then try to re-create the download, thus I think it's very likely the issue is we're dropping the info at that stage.

Flags: needinfo?(sstreich)
Attachment #9262622 - Attachment description: WIP: Bug 1749525 - Download fails because it doesn't contain an auth header. r=ckerschb → Bug 1749525 - Download fails because it doesn't contain an auth header. r=ckerschb
Attachment #9262622 - Attachment description: Bug 1749525 - Download fails because it doesn't contain an auth header. r=ckerschb → WIP: Bug 1749525 - Download fails because it doesn't contain an auth header. r=ckerschb
Attachment #9262622 - Attachment description: WIP: Bug 1749525 - Download fails because it doesn't contain an auth header. r=ckerschb → Bug 1749525 - Download fails because it doesn't contain an auth header. r=ckerschb
Pushed by fbraun@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/256cc209b60a
Download fails because it doesn't contain an auth header. r=Gijs,freddyb

https://hg.mozilla.org/mozilla-central/rev/256cc209b60a

Status: REOPENED → RESOLVED
Closed: 2 years ago2 years ago
status-firefox102: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: