960739 - [Download Manager API] - Drive-by Downloads

Status: RESOLVED DUPLICATE of bug 948029

(Firefox OS Graveyard :: General, defect)

Description

[Rob Fletcher [:omerta]]

The Download Manager API does not prompt the user before downloading files with content-type of "application/octet-stream".

An attacker could create an <a> tag pointing to a file to DL, then continuously click that link and initiate N downloads on behalf of the user. 

Files should not be downloaded until user gives express permission, via a confirmation or another means.

Comment 1

[Boris Zbarsky [:bzbarsky]]

Users typically want this behavior, though: they want their download to start as soon as possible.

Furthermore, the other behavior is not actually implementable: we don't know the type until the download has started!  At that point you can either keep buffering the data or drop the download and hope it can be restarted once the user makes a decision (and in many cases, it _can't_; think form POST).

> then continuously click that link and initiate N downloads on behalf of the user

That's worth protecting against, but the right solution is throttling of some sort, not magic travel-backwards-in-time-to-before-we-made-the-request behavior...

Comment 2

[Rob Fletcher [:omerta]]

This is Firefox OS issue.

You bring up good points about implementation.

We are most concerned with bandwidth costs associated with large, essentially unauthorized, downloads on the phone in markets where bandwidth come at a premium.

Either way, just realizing this is a DUP of 948029

Comment 3

[Paul Theriault [:pauljt] (no longer reading bugmail)]

Since the duped bug is secure, this probably should be too.

Comment 4

[Daniel Veditz [:dveditz]]

We don't need to use the more restrictive component-specific security groups unless a bug is sec-high or sec-critical