Open Bug 437129 Opened 17 years ago Updated 3 years ago

should we show both the download page domain and the actual domain in the download manager (if they differ)?

Categories: Toolkit :: Downloads API, defect

Platform: x86, Windows Vista

People: Reporter: sspitzer, Unassigned

Details: Keywords: sec-want, Whiteboard: [sg:want?]

Should we show both the download page domain and the actual domain in the download manager (if they differ)?

I just downloaded an .exe (example: http://www.evil.com/setup.exe) from a Google Doc page (example: http://docs.google.com/View?docID=...). In my download manager, I see:

setup.exe 5.5 MB - google.com

I think this is by design (and mentioned in Madhava's blog and Shawn's blog). But later, when I revisit the download manager, it makes me think it came from Google (and therefore I trust it).

Would it be better to show both domains, assuming they are different?

setup.exe 5.5 MB - google.com (evil.com)

I imagine the original point of showing the domain of the page where you got the item is for mirrored downloads. (Think "Firefox Setup 2.0.0.14.exe" from mozilla.com, not a mirror like mozilla.mtk.nao.ac.jp.)

I'm using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9pre) Gecko/2008052308 Minefield/3.0pre

Jesse / Dan, anything to worry about here?
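The label the reporter proposes can be built from the referring page URL and the actual download URL. The following is an added example written for this page, not Firefox or Toolkit code: `downloadLabel` shows the page's registrable domain and appends the download host's domain in parentheses only when the two differ, so the mirror case (mozilla.com page, nao.ac.jp host) and the Google Docs case (google.com page, evil.com host) both surface the real source. The tiny multi-label suffix set is an assumption standing in for a real public-suffix-list lookup; the sample URLs and sizes are constructed.

```javascript
// Added example (not Firefox code): build the download-manager label proposed in this bug.
// Assumption: a handful of multi-label public suffixes stand in for a full public-suffix list.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "ac.jp", "com.au"]);

// Reduce a hostname to its registrable domain ("docs.google.com" -> "google.com",
// "mozilla.mtk.nao.ac.jp" -> "nao.ac.jp"). Simplified: last two labels, or last three
// when the last two are a known multi-label suffix.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// File name shown in the manager: last path segment of the download URL, decoded.
function fileNameFromUrl(url) {
  const last = url.pathname.split("/").pop();
  return decodeURIComponent(last) || url.hostname;
}

// Human-readable size, one decimal, matching the "5.5 MB" style in the report.
function formatSize(bytes) {
  const KB = 1024, MB = KB * KB;
  if (bytes >= MB) return `${(bytes / MB).toFixed(1)} MB`;
  if (bytes >= KB) return `${(bytes / KB).toFixed(1)} KB`;
  return `${bytes} B`;
}

// Build "name size - pageDomain (sourceDomain)"; the parenthesised source domain
// appears only when the page that linked the file and the host serving it differ.
// referrerUrl may be null (direct download), in which case only the source domain shows.
function downloadLabel(sourceUrl, referrerUrl, sizeBytes) {
  const source = new URL(sourceUrl);
  const sourceDomain = baseDomain(source.hostname);
  const pageDomain = referrerUrl ? baseDomain(new URL(referrerUrl).hostname) : sourceDomain;
  let origin = pageDomain;
  if (pageDomain !== sourceDomain) origin += ` (${sourceDomain})`;
  return `${fileNameFromUrl(source)} ${formatSize(sizeBytes)} - ${origin}`;
}

// Constructed sample: the report's scenario and the mirror scenario.
console.log(downloadLabel("http://www.evil.com/setup.exe",
  "http://docs.google.com/View?docID=EXAMPLE", 5.5 * 1024 * 1024));
console.log(downloadLabel("http://mozilla.mtk.nao.ac.jp/pub/Firefox%20Setup%202.0.0.14.exe",
  "http://www.mozilla.com/en-US/firefox/", 7 * 1024 * 1024));
```

The decision to show both domains rests on the registrable domain, not the full hostname, so `www.mozilla.com` linking to `ftp.mozilla.com` still collapses to a single `mozilla.com`, while any cross-domain link is made visible.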
But if you trust google.com, you should trust whatever they link to, right?
> But if you trust google.com, you should trust whatever they link to, right?

But do I trust docs.google.com and user-created content?
Or trust links in your GMail? If we're now showing the site containing the link rather than the content source that seems like a gift to the spoofers. Up to now they've had to come up with innocuous seeming domains, or try to insert lots of spaces to push the real host out of the dialog or other similar tricks (see multiple fixed Firefox security bugs). Now all they have to do is find an XSS hole on an appropriate domain.
Whiteboard: [sg:want?]
Product: Firefox → Toolkit
Severity: normal → S3