Closed
Bug 960739
Opened 10 years ago
Closed 10 years ago
[Download Manager API] - Drive-by Downloads
Categories
(Firefox OS Graveyard :: General, defect)
Firefox OS Graveyard
General
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 948029
People
(Reporter: rfletcher, Unassigned)
References
Details
The Download Manager API does not prompt the user before downloading files with content-type of "application/octet-stream". An attacker could create an <a> tag pointing to a file to DL, then continuously click that link and initiate N downloads on behalf of the user. Files should not be downloaded until user gives express permission, via a confirmation or another means.
Comment 1•10 years ago
|
||
Users typically want this behavior, though: they want their download to start as soon as possible.
Furthermore, the other behavior is not actually implementable: we don't know the type until the download has started! At that point you can either keep buffering the data or drop the download and hope it can be restarted once the user makes a decision (and in many cases, it _can't_; think form POST).
> then continuously click that link and initiate N downloads on behalf of the user
That's worth protecting against, but the right solution is throttling of some sort, not magic travel-backwards-in-time-to-before-we-made-the-request behavior...
Component: DOM → File Handling
Reporter | ||
Comment 2•10 years ago
|
||
This is Firefox OS issue. You bring up good points about implementation. We are most concerned with bandwidth costs associated with large, essentially unauthorized, downloads on the phone in markets where bandwidth come at a premium. Either way, just realizing this is a DUP of 948029
Group: core-security
Status: NEW → RESOLVED
Closed: 10 years ago
Component: File Handling → General
Product: Core → Firefox OS
Resolution: --- → DUPLICATE
Comment 3•10 years ago
|
||
Since the duped bug is secure, this probably should be too.
Group: b2g-core-security
Updated•10 years ago
|
Group: core-security
Comment 4•10 years ago
|
||
We don't need to use the more restrictive component-specific security groups unless a bug is sec-high or sec-critical
Group: b2g-core-security
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•