249756 - If the default action is Save without prompt [and download progress dialog is off], there is no way of user to check the real download URL. Warning and/or option removal needed.

Status: RESOLVED INCOMPLETE

(Firefox :: File Handling, defect)

Description

[Daniel Wang]

(This can be used in combination with bug 249673, bug 204224 or any other
similar bug to hide the true download URL)

On the Thunderbird download page (see URL), Mozilla directly shows the save-file
dialog instead of requiring the user going an extra step with the
what-do-you-want-to-do nag dialog. The nag dialog is important because it shows
the actual address of the file.

We can create a new nag box, or we can reuse the old one but with some options
disabled.

(Note: on some weird case, Mozilla will show the nag box for firefox download
first. I don't know the full MIME type, but it has "msdos" in the type name.)

Comment 1

[Christian :Biesinger (don't email me, ping me on IRC)]

worksforme (winxp 2004062808, and linux current trunk). I do get the helper app
dialog. do you have any settings for application/octet-stream in
preferences/navigator/helper applications?

> we can reuse the old one but with some options disabled.

what options would that be? "open with default application" is already never
available for executables in that dialog. allowing to open executables with a
virus scanner (or debugger or hex editor ;) ) seems like a good idea to me.

(note: I only know for sure that all of the above is true for mozilla. firefox
forked the frontend code. but the backend code ensures that executables are
never opened directly from the helper app dialog)

Comment 2

[Daniel Wang]

> do you have any settings for application/octet-stream in
> preferences/navigator/helper applications?

Yes! And deleting it does helps.

That said, I swear I did see a download prompt before, and from what I can see
now, the download prompt have "Always ask me" option disabled. So, something
happened that checked the box. Resolving this bug as INVALID (but I'll
investigate this further).

Comment 3

[Daniel Wang]

On second thought, reopen. The real problem is that if the default action is to
save the file, there's no way for user to check and verify the download URL, and
there are ways of spoofing the download URL. Some suggestion:

1. Remove the "Always perform this action..." checkbox from dialog and force
   the user to go through the Helper preferences.
2. Provide a warning on checking this box (on UI and Online Help)
   (CC doc people)

> Resolving this bug as INVALID (but I'll investigate this further).

I tried the download link again, and this time "Always perform this action..."
is checked. The MIME type shown is "application/x-msdos-program". This is two
bugs (one mozilla.org and one browser). Will file new bugs if I cannot find
duplicates.

Comment 4

[Hermann Schwab]

Is this a Mozilla-Bug, a Firefox-Bug, or a Thunderbird-Bug?

Using Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a2) Gecko/20040705 the page
loads, and a bit later a download box opens, giving me the option to Open or
Save the file, Save checked, and the checkbox for 'always perform this action'
is shown grey and unchecked, can´t be selected.
When I´m canceling this box, and reopen it by clicking on the 'click here' link,
I could make that selection, but I will NEVER do it, not even for checking mozilla!

Comment 5

[Daniel Wang]

I don't have Firefox, so I can only say this is a Mozilla bug.

Mozilla allows 'always perform this action' to be checked for certain .exe MIME
types (e.g. bug 236967). What I'm suggesting is to either remove that option
entirely to prevent users from inadvertantly checking the box (they can still go
through Preferences to check it), or to have a stronger warning message.

Comment 6

[Timea Cernea [:tbabos][inactive]]

Closing this as resolved:incomplete since it is an old Windows 2000 issue that is no longer a supported OS and the last activity on this ticket was 18 years ago. The current download dialog in the latest Firefox version will show the source of the download.