mullvad-browser icon indicating copy to clipboard operation
mullvad-browser copied to clipboard

Published 20 hours ago verified publisher icon mullvad

PDF files are automatically saved to disk

Open ave9858 opened this issue 1 year ago • 4 comments

Other files prompt the user before being saved, and the user can choose to decline. The behavior with PDF files seems unexpected as the user is given no option to decline the download and might not notice a file has been downloaded to disk. The download location is the temp folder, but that folder is not cleared by default on windows and the file remains after the browser is closed.

ave9858 avatar Dec 16 '23 19:12 ave9858

@Thorin-Oakenpants Do you know what's Tor Browser stance on this?

ruihildt avatar Mar 27 '24 15:03 ruihildt

... at a certain point Firefox started downloading PDFs before opening them with pdf.js, so it's a disk leak

also see - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42220

I think our stance has always been to use pdfjs

from my notes

/* enforce PDFJS, disable PDFJS scripting
 * This setting controls if the option "Display in Firefox" is available in the setting below
 *   and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
 * [WHY] pdfjs is lightweight, open source, and secure: the last exploit was June 2015 [1]
 *   It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
 *   It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
 * [NOTE] JS can still force a pdf to open in-browser by bundling its own code
 * [SETUP-CHROME] You may prefer a different pdf reader for security/workflow reasons
 * [SETTING] General>Applications>Portable Document Format (PDF)
 * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/
user_pref("pdfjs.disabled", false); // [DEFAULT: false]
user_pref("pdfjs.enableScripting", false); // [FF86+]

That said the tmp dir should be cleared but that may only apply to non PB windows and I think only applies if opened by an external app.

from my notes

/* remove temp files opened from non-PB windows with an external application
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=302433,1738574 ***/
user_pref("browser.download.start_downloads_in_tmp_dir", true); // [FF102+]
user_pref("browser.helperApps.deleteTempFileOnExit", true);

but yup, pdfs opened in pb mode in gecko should not touch the disk

@PieroV

Thorin-Oakenpants avatar Mar 27 '24 23:03 Thorin-Oakenpants

We already set both that pref and tell the browsers to open PDF (probably it's the default because pdf.js). But I still haven't understood why some PDFs skip this (if it's because of Content-disposition: attachment like I was saying on our issue). We'd need to find exact STR (I know it happens, but I've never tried to write down the circumstances).

PieroV avatar Mar 28 '24 07:03 PieroV

Other files prompt the user before being saved

we also did something recently (my own tickets too and I can't find them) with default prompt to save on both existing and new mimetypes. The thing is the user can tick "don't ask me again" on the first prompt (per mimetype) - we were just setting the default. But that a 'save/download" action .. and here we're talking about PDFs not opening inbrowser as expected

Thorin-Oakenpants avatar Mar 28 '24 18:03 Thorin-Oakenpants