Drag and drop of images from HTTP hosts fails in HTTPS-Only Mode
Categories: Core :: DOM: Security, defect, P3
People: Reporter: 08xjcec48, Assigned: maltejur
References: Blocks 1 open bug
Whiteboard: [domsecurity-active]
Attachments: 3 files
Steps to reproduce:
- Enable HTTPS-Only Mode in all windows
- Open this image in a new tab and add an HTTPS exception for this site: http://adb.arcadeitalia.net/media/mess.current/ingames/saturn/meltygsk.png
- Open a folder in File Explorer
- Try to drag and drop the image to your folder
Actual results:
Error Moving File or Folder
Unspecified error
Expected results:
It should work, as it does when HTTPS-Only Mode is disabled.
Comment 1•6 months ago
Confirming: drag-and-drop re-fetches the image (expecting to find it in the cache), but that request is upgraded despite the site exception. Doesn't matter if the exception is temporary or permanent. A work-around is to "Save" the image using the menu or right-click context menu.
The 08:03 requests below were displaying the image, and the 08:04 requests were from the drag-and-drop.
08:03:16.021 GET http://adb.arcadeitalia.net/favicon.ico [HTTP/1.1 200 OK 192ms]
08:03:16.021 HTTPS-Only Mode: Not upgrading insecure request “http://adb.arcadeitalia.net/favicon.ico” because it is exempt.
...
08:04:03.599 HTTPS-Only Mode: Upgrading insecure request “http://adb.arcadeitalia.net/media/mess.current/ingames/saturn/meltygsk.png” to use “https”.
08:04:03.600 GET https://adb.arcadeitalia.net/media/mess.current/ingames/saturn/meltygsk.png NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_SECURITY, SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
08:04:04.351 HTTPS-Only Mode: Upgrading insecure request “https://adb.arcadeitalia.net/media/mess.current/ingames/saturn/meltygsk.png” failed. (M21-C12182)
Do exceptions only apply to the top-level document and not to sub-resource requests of a document without an exception? It could be that drag-and-drop is loading it from an unexpected but unprivileged context (like the internal document viewer page?)
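The console excerpt above is enough to spot the problem mechanically: the same host is logged as exempt at 08:03 and then upgraded at 08:04. The following script is an added example (not part of the bug report or of Firefox) that parses HTTPS-Only Mode console messages of the shape quoted in this comment and reports hosts that were upgraded after an earlier message had declared them exempt, plus any upgrade that subsequently failed. The sample lines are constructed from the ones quoted above; the message formats are assumed to match what is shown there.

```python
import re
from urllib.parse import urlparse

# Console lines constructed from the bug's comment 1 (timestamps and URLs as quoted there).
SAMPLE_CONSOLE = """\
08:03:16.021 GET http://adb.arcadeitalia.net/favicon.ico [HTTP/1.1 200 OK 192ms]
08:03:16.021 HTTPS-Only Mode: Not upgrading insecure request “http://adb.arcadeitalia.net/favicon.ico” because it is exempt.
08:04:03.599 HTTPS-Only Mode: Upgrading insecure request “http://adb.arcadeitalia.net/media/mess.current/ingames/saturn/meltygsk.png” to use “https”.
08:04:03.600 GET https://adb.arcadeitalia.net/media/mess.current/ingames/saturn/meltygsk.png NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_SECURITY, SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
08:04:04.351 HTTPS-Only Mode: Upgrading insecure request “https://adb.arcadeitalia.net/media/mess.current/ingames/saturn/meltygsk.png” failed. (M21-C12182)
"""

# Matches only the HTTPS-Only Mode messages; plain "GET ..." request lines are ignored.
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) HTTPS-Only Mode: '
    r'(?P<kind>Not upgrading|Upgrading) insecure request “(?P<url>[^”]+)”'
    r'(?P<rest>.*)$'
)


def parse_events(text):
    """Turn console text into (timestamp, host, action, url) tuples.

    action is one of "exempt", "upgraded" or "upgrade_failed".
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = urlparse(m.group("url")).hostname
        rest = m.group("rest")
        if m.group("kind") == "Not upgrading" and "exempt" in rest:
            action = "exempt"
        elif "failed" in rest:
            action = "upgrade_failed"
        else:
            action = "upgraded"
        events.append((m.group("ts"), host, action, m.group("url")))
    return events


def find_exemption_leaks(events):
    """Return (host, url) pairs that were upgraded after the same host was logged as exempt.

    An exemption is per site, so a later upgrade of the same host means some load
    did not see the exemption (the drag-and-drop re-fetch in this bug).
    """
    exempt_hosts = set()
    leaks = []
    for _ts, host, action, url in events:
        if action == "exempt":
            exempt_hosts.add(host)
        elif action == "upgraded" and host in exempt_hosts:
            leaks.append((host, url))
    return leaks


def failed_upgrades(events):
    """URLs whose forced HTTPS upgrade ended in a failure message."""
    return [url for _ts, _host, action, url in events if action == "upgrade_failed"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CONSOLE)
    for host, url in find_exemption_leaks(evs):
        print(f"exempt host {host} was still upgraded for {url}")
    for url in failed_upgrades(evs):
        print(f"upgrade failed: {url}")
```

Run on the sample, it reports the PNG load as an upgrade of an exempt host and the subsequent failure, which is exactly the symptom the reporter sees as the "Unspecified error" dialog on Windows.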
Comment 2•6 months ago
Which platform and version are you both testing this on? This works for me as expected on KDE Wayland (2024-07-21 Nightly). I also don't see a new request when doing a drag-and-drop. I have attached a screen recording, maybe I was also following the steps wrong.
(In reply to Daniel Veditz [:dveditz] from comment #1)
Do exceptions only apply to the top-level document and not to sub-resource requests of a document without an exception? It could be that drag-and-drop is loading it from an unexpected but unprivileged context (like the internal document viewer page?)
The architecture is that all HTTPS-Only flags (like the exemption status) should be carried over to all subresources. So it indeed sounds like the new load for the drag-and-drop you are describing isn't done as a subresource of the original page.
Comment 3•6 months ago
I am able to reproduce this in a macOS VM now. So it indeed seems like depending on the platform, a new request will be sent for drag-and-dropping an image, or the existing image on the page will be used. And in case a new request is being sent, it will not be exempted if the top-level page is exempted. I will investigate this further.
Comment 4•6 months ago
Updated•6 months ago
Comment 6•5 months ago
When dragging an image we set both the kNativeImageMime (which is basically whatever bytes are stored for the image in memory) and kFilePromiseURLMime, which is the URL the image was loaded from (source).
When dragging on Windows, we will load the image from the URL again: https://searchfox.org/mozilla-central/rev/55f2ada1564baaeebd69d277b38737961a3ca5f3/widget/windows/nsDataObj.cpp#341-365
Two years ago I added support for using the correct referrer for those requests in bug 1808146, maybe that could help with implementing this.
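Comments 2, 3 and 6 together describe the mechanism: exemption state travels with the loading document to its subresources, but the Windows drag path issues a fresh load with no loading document, so nothing is inherited and the load is upgraded. The following is an added, simplified model of that decision (my own illustration, not Firefox code and not the patch from this bug): `LoadInfo`, `SITE_EXCEPTIONS` and the two decision functions are hypothetical names, and the fallback in `decide_with_lookup` (consulting the site exception list by host when no loading document is present) is one possible way to make such a detached load honour the exception, offered as an assumption rather than as the fix that was landed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Hosts the user has added an HTTPS-Only exception for; constructed from the URL in this bug.
SITE_EXCEPTIONS = {"adb.arcadeitalia.net"}


@dataclass
class LoadInfo:
    """Hypothetical stand-in for the per-load security info that carries HTTPS-Only flags."""
    url: str
    # Exemption flag inherited from the loading document; None means there is no loading document.
    inherited_exempt: Optional[bool] = None


def top_level_load(url: str) -> LoadInfo:
    """A document load: the exemption is decided from the site exception list."""
    return LoadInfo(url, inherited_exempt=urlparse(url).hostname in SITE_EXCEPTIONS)


def subresource_load(parent: LoadInfo, url: str) -> LoadInfo:
    """Comment 2: HTTPS-Only flags are carried over from the document to its subresources."""
    return LoadInfo(url, inherited_exempt=parent.inherited_exempt)


def detached_load(url: str) -> LoadInfo:
    """Comments 3 and 6: the Windows drag re-fetch is a fresh load with no loading document."""
    return LoadInfo(url, inherited_exempt=None)


def _upgrade(url: str) -> str:
    return "https://" + url[len("http://"):]


def decide_inherit_only(load: LoadInfo) -> str:
    """Decision that trusts only the inherited flag; a detached load of an exempt host is upgraded.

    This reproduces the behaviour the reporter observed.
    """
    if urlparse(load.url).scheme != "http":
        return load.url
    return load.url if load.inherited_exempt else _upgrade(load.url)


def decide_with_lookup(load: LoadInfo) -> str:
    """Hypothetical variant: when nothing was inherited, look the host up in the exception list."""
    if urlparse(load.url).scheme != "http":
        return load.url
    exempt = load.inherited_exempt
    if exempt is None:
        exempt = urlparse(load.url).hostname in SITE_EXCEPTIONS
    return load.url if exempt else _upgrade(load.url)


if __name__ == "__main__":
    page = top_level_load("http://adb.arcadeitalia.net/")
    img = "http://adb.arcadeitalia.net/media/mess.current/ingames/saturn/meltygsk.png"
    print("subresource:", decide_inherit_only(subresource_load(page, img)))
    print("drag re-fetch, inherit only:", decide_inherit_only(detached_load(img)))
    print("drag re-fetch, with lookup:", decide_with_lookup(detached_load(img)))
```

The model makes the two observations in the thread line up: the same image URL stays `http://` when loaded as a subresource of the exempted page, and flips to `https://` (and then fails, as in the console log) when it is requested again without a loading document.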