If the default action is Save without prompt [and download progress dialog is off], there is no way of user to check the real download URL. Warning and/or option removal needed.

Status: NEW
Assignee: Unassigned
Product: Firefox
Component: File Handling
Severity: major
Opened: 14 years ago
Last modified: 2 years ago
Reporter: Daniel Wang
Blocks: 1 bug
Firefox Tracking Flags: Not tracked

(Reporter)

Description

14 years ago
(This can be used in combination with bug 249673, bug 204224 or any other
similar bug to hide the true download URL)

On the Thunderbird download page (see URL), Mozilla directly shows the save-file
dialog instead of requiring the user to go through an extra step with the
what-do-you-want-to-do nag dialog. The nag dialog is important because it shows
the actual address of the file.

We can create a new nag box, or we can reuse the old one but with some options
disabled.

(Note: in some weird case, Mozilla will show the nag box for the Firefox download
first. I don't know the full MIME type, but it has "msdos" in the type name.)

Comment 1

14 years ago
worksforme (winxp 2004062808, and linux current trunk). I do get the helper app
dialog. do you have any settings for application/octet-stream in
preferences/navigator/helper applications?

> we can reuse the old one but with some options disabled.

what options would that be? "open with default application" is already never
available for executables in that dialog. allowing to open executables with a
virus scanner (or debugger or hex editor ;) ) seems like a good idea to me.

(note: I only know for sure that all of the above is true for mozilla. firefox
forked the frontend code. but the backend code ensures that executables are
never opened directly from the helper app dialog)
(Reporter)

Comment 2

14 years ago
> do you have any settings for application/octet-stream in
> preferences/navigator/helper applications?

Yes! And deleting it does help.

That said, I swear I did see a download prompt before, and from what I can see
now, the download prompt has the "Always ask me" option disabled. So, something
happened that checked the box. Resolving this bug as INVALID (but I'll
investigate this further).
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → INVALID
(Reporter)

Comment 3

14 years ago
On second thought, reopen. The real problem is that if the default action is to
save the file, there's no way for the user to check and verify the download URL, and
there are ways of spoofing the download URL. Some suggestions:

1. Remove the "Always perform this action..." checkbox from dialog and force
   the user to go through the Helper preferences.
2. Provide a warning on checking this box (on UI and Online Help)
   (CC doc people)

> Resolving this bug as INVALID (but I'll investigate this further).

I tried the download link again, and this time "Always perform this action..."
is checked. The MIME type shown is "application/x-msdos-program". This is two
bugs (one mozilla.org and one browser). Will file new bugs if I cannot find
duplicates.
Blocks: 249757
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Summary: Never directly show Save dialog for .exe file. Show Download Nag Prompt first [prevent hiding of true download URL] → If the default action is Save without prompt [and download progress dialog is off], there is no way of user to check the real download URL. Warning and/or option removal needed.

Comment 4

14 years ago
Is this a Mozilla-Bug, a Firefox-Bug, or a Thunderbird-Bug?

Using Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a2) Gecko/20040705 the page
loads, and a bit later a download box opens, giving me the option to Open or
Save the file, Save checked, and the checkbox for 'always perform this action'
is shown grey and unchecked, can't be selected.
When I cancel this box and reopen it by clicking on the 'click here' link,
I could make that selection, but I will NEVER do it, not even for checking mozilla!
(Reporter)

Comment 5

14 years ago
I don't have Firefox, so I can only say this is a Mozilla bug.

Mozilla allows 'always perform this action' to be checked for certain .exe MIME
types (e.g. bug 236967). What I'm suggesting is to either remove that option
entirely to prevent users from inadvertently checking the box (they can still go
through Preferences to check it), or to have a stronger warning message.
Status: REOPENED → NEW
Assignee: file-handling → nobody
QA Contact: ian → file-handling

Updated

2 years ago
Component: File Handling → File Handling
Product: Core → Firefox
Version: Trunk → unspecified