Downloads fail but appear to be complete
Categories
(Core :: DOM: Security, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox102 | --- | fixed |
People
(Reporter: steven1350, Assigned: t.yavor, NeedInfo)
References
Details
(Whiteboard: [domsecurity-active])
Attachments
(7 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Steps to reproduce:
I was downloading a DLL file which required "HTTP Basic Authentication".
The webpage was an HTTPs URL, however the download link was an HTTP URL.
The browser gave me a warning about the download link being insecure, and I told it to proceed anyways
Actual results:
The download appears to complete. The file is saved with the name of the file I expect, however if I open the file with a text editor, it only contains the HTTP source of a "401 Forbidden" webpage.
I am thinking that the HTTP Basic Auth headers were not sent when I told the download to proceed after the insecure warning
Expected results:
The file should have downloaded successfully
Comment 1•2 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Firefox::Downloads Panel' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•2 years ago
|
||
Hi,
Do you have a sample website? I tried downloading a dll file here https://www.dlldownloader.com/bicrt-dll/ and managed to download just fine. Also tried https://www.dllme.com/get/23810 but they both download a zip file.
Best,
Clara
Reporter | ||
Comment 3•2 years ago
|
||
I do not have an example any more (private login & the vendor website corrected the issue once I pointed it out to them.
I think this bug is a combination of two things (it being an DLL file is possibly irrelevant)
To reproduce, the download url needs to be behind an HTTP basic auth, and it needs to be a HTTP url (while the page containing the download url needs to be HTTPS)
So, on the HTTPs webpage, click the HTTP url. A prompt should appear for the basic auth. Once submitted, Firefox will block this download citing security reasons (since its an HTTP download initiated from an HTTPS webpage). There will be an option to re-download anyways and accept the risk. And its here where the bug occurs.
Reporter | ||
Comment 4•2 years ago
|
||
Step 1
Reporter | ||
Comment 5•2 years ago
|
||
Step 2
Reporter | ||
Comment 6•2 years ago
|
||
Step 3
Reporter | ||
Comment 7•2 years ago
|
||
Step 4
Reporter | ||
Comment 8•2 years ago
|
||
Step 5
Reporter | ||
Comment 9•2 years ago
|
||
Result
Updated•2 years ago
|
Comment 11•2 years ago
|
||
Actually, perhaps this isn't a dupe, though both bugs involve mixed content downloads. Tomer, can you take a look?
Assignee | ||
Comment 12•2 years ago
|
||
@Gijs:
I would also assume that it isn't a duplicate.
The bug 1739113 is related to the mixed-content-blocker and https-first mode. That one is not related to https-first.
To be honest I am not so much into the mixed-content-blocker, I could imagine that it downloads the result it got for an request without an "Authorization" header but that is just a guess. I will try to get a better look into it.
@Steven:
Did you use the private browsing mode and if not could you give it a try if it is solving your problem?
Comment 13•2 years ago
|
||
Basti, can you help here? Seems like a mixed-content-download blocker problem. I don't think that https-first is involved here at all.
Assignee | ||
Updated•2 years ago
|
Updated•2 years ago
|
Comment 14•2 years ago
|
||
I would assume this is more a mcb-downloads problem and not a https-first issue.
On the download-block-prompt, the original channel containing the auth info has already been closed.
Pressing "unblock" will then try to re-create the download, thus I think it's very likely the issue is we're dropping the info at that stage.
Assignee | ||
Comment 15•2 years ago
|
||
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Comment 16•2 years ago
|
||
Pushed by fbraun@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/256cc209b60a Download fails because it doesn't contain an auth header. r=Gijs,freddyb
Comment 17•2 years ago
|
||
bugherder |
Description
•