Open Bug 1808893 Opened 2 years ago Updated 2 months ago

Multiple downloads of PDFs open in tabs, appearing to evade the "one window per click" limit on the popup blocker

Categories

(Firefox :: File Handling, defect, P3)

Product:
Firefox
Component:
File Handling
Type:
defect

Tracking

()

People

(Reporter: alisyarief.404, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug,
URL
)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files, 1 obsolete file)

gasskeun.html
499 bytes, text/html
Details
Firefox_Desktop.mp4
3.13 MB, video/mp4
Details
Firefox_Android.mp4
1.72 MB, video/mp4
Details
Attached file gasskeun.html

  • Summary
    For script the button is clicked, it creates a loop that creates 10 anchor elements, sets their href attribute to a URL that points to a manipulate PDF file, sets their download attribute to a filename, and simulates a click on the anchor element using the click() method.

  • Reproduce

Firefox Browser Desktop Version : 108.0.2 (64-bit)
Firefox Browser Android Version : 108.1.1

For testing this script in this website : http://iecoop.id/gasskeun.html

  • Impact

If Attacker set file download function creates 10 anchor elements to 100 or 1000 automatic open many tab and this disturb user Firefox

  • Remediation

Blocking open new tab in function creates 10 anchor elements to download or open tab
After im research just Firefox Browser not blocking mulitple open tab, Different modern browser is blocking for this script

Thanks

Flags: sec-bounty?
Attached video Firefox_Desktop.mp4

Video POC Testing Firefox Browser Desktop

Attached video Firefox_Android.mp4

Video POC Testing Firefox Browser Android

Group: firefox-core-security → core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core
Summary: Manipulate View or Download Open many new tab Not Blocking → Multiple tabs being opened from a single click aren't blocked by the popup blocker or similar
Group: core-security → dom-core-security

I can't reproduce this issue on Firefox 110. I downloaded the test case, ran it, clicked on the button, then it navigated to http://iecoop.id/file10.pdf which showed a 404 error. It did not open more than one tab. Maybe the test case needs to be same origin with the downloads?

Blocks: eviltraps
Severity: -- → S3

(In reply to Andrew McCreight [:mccr8] from comment #3)

I can't reproduce this issue on Firefox 110. I downloaded the test case, ran it, clicked on the button, then it navigated to http://iecoop.id/file10.pdf which showed a 404 error. It did not open more than one tab. Maybe the test case needs to be same origin with the downloads?

yes Andrew this script to path download, for new test im update script in here

http://iecoop.id/gasskeun_UP.html

update path download directory upload and file DATA

Thanks

I got one PDF "popup", and in the original window an infobar telling me Firefox prevented the opening of 9 pop-up windows.

The ability to open multiple windows from a single user click was fixed in Firefox 65 (bug 675574), and still seems fixed on my build. My first instinct is to ask if you're sure you didn't grant a pop-up blocking exception to your test site, but I assume you already checked that. What's more, if you had allowed the site to open popups we should have seen the "site permission" icon next to the slashed lock icon in your movie, and it's not present. That can't be the explanation.

I just noticed that my profile has the HTTPS-only feature turned on, and that I was testing the secure https:// version of your page. I retested this in a different profile on Firefox Release and made sure I was using the "http://" slashed-lock URL for your site. When I did that I could reproduce the movie: I got ten downloads, and ten new windows showing the downloaded PDF contents. Is both cases the download URLs were on the insecure http: site.

Gijs: is there a difference in how same-origin vs cross-origin downloads are handled? In the same-origin case where I can reproduce the problem I get 10 files downloaded and then, since they are PDFs, opened in new tabs with file:// URLs. In the cross-origin case the one popup that loads is the PDF document loaded from the server and there was no download despite the download attribute. Maybe this is really just a special case of the problem bug 1306334 / bug 1463527 was trying to solve (plus our auto-opening of downloaded PDFs)

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(gijskruitbosch+bugs)
Keywords: csectype-dos
See Also: → 675574, 1306334, 1463527
Summary: Multiple tabs being opened from a single click aren't blocked by the popup blocker or similar → Multiple PDF download tabs being opened from a single click aren't blocked by the popup blocker or similar

(In reply to Daniel Veditz [:dveditz] from comment #5)

Gijs: is there a difference in how same-origin vs cross-origin downloads are handled?

Not in general, though there is for the download attribute (as per spec).

In the same-origin case where I can reproduce the problem I get 10 files downloaded and then, since they are PDFs, opened in new tabs with file:// URLs. In the cross-origin case the one popup that loads is the PDF document loaded from the server and there was no download despite the download attribute.

Right, that's probably per spec - the download attribute on origin A can't override a non-download header from origin B. If B sent Content-Disposition: attachment; filename=whatever.pdf, the behaviour would be the same.

Maybe this is really just a special case of the problem bug 1306334 / bug 1463527 was trying to solve (plus our auto-opening of downloaded PDFs)

Sounds like it, yes. I didn't realize from comment 0 this was about PDF downloads. It's also not quite clear in the screencast where blank new tabs open.

I'm not sure there's any point keeping this hidden - thoughts?

Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(dveditz)

Agreed, this is known behavior we'd like to change

Group: dom-core-security
Depends on: 1306334
Flags: needinfo?(dveditz)
Keywords: csectype-dos
Summary: Multiple PDF download tabs being opened from a single click aren't blocked by the popup blocker or similar → Multiple downloads of PDFs open in tabs, appearing to evade the "one window per click" limit on the popup blocker
Flags: sec-bounty? → sec-bounty-
Component: DOM: Core & HTML → File Handling
Product: Core → Firefox
Priority: -- → P3
Attachment #9387544 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: