authorFlorian Bruhin <me@the-compiler.org>2021-08-25 08:35:14 +0200
committerFlorian Bruhin <me@the-compiler.org>2021-08-25 10:05:28 +0200
commitc022893a76ab388a552b420728edb19fcb122bb8 (patch)
tree293897fffcad75ba85b7a8d4962c407cc54c8ead
parent65af6b2125ecc5742e8b1a257ada60d326243ac7 (diff)
Prevent mixed content downloading by default
https://blog.chromium.org/2020/02/protecting-users-from-insecure.html https://therecord.media/firefox-follows-chrome-and-prepares-to-block-insecure-downloads/
-rw-r--r--doc/changelog.asciidoc2
-rw-r--r--doc/help/settings.asciidoc14
-rw-r--r--qutebrowser/browser/webengine/webenginedownloads.py10
-rw-r--r--qutebrowser/config/configdata.yml13
4 files changed, 39 insertions, 0 deletions
diff --git a/doc/changelog.asciidoc b/doc/changelog.asciidoc
index f6e2d7be1..57fc9d4e8 100644
--- a/doc/changelog.asciidoc
+++ b/doc/changelog.asciidoc
@@ -25,6 +25,8 @@ Added
- New `content.blocking.hosts.block_subdomains` setting which can be used to
disable the subdomain blocking for the hosts-based adblocker introduced in
v2.3.0.
+- New `downloads.prevent_mixed_content` setting to prevent insecure
+ mixed-content downloads (true by default).
Fixed
~~~~~
diff --git a/doc/help/settings.asciidoc b/doc/help/settings.asciidoc
index 9b896107f..1e943c235 100644
--- a/doc/help/settings.asciidoc
+++ b/doc/help/settings.asciidoc
@@ -209,6 +209,7 @@
|<<downloads.location.suggestion,downloads.location.suggestion>>|What to display in the download filename input.
|<<downloads.open_dispatcher,downloads.open_dispatcher>>|Default program used to open downloads.
|<<downloads.position,downloads.position>>|Where to show the downloaded files.
+|<<downloads.prevent_mixed_content,downloads.prevent_mixed_content>>|Automatically abort insecure (HTTP) downloads originating from secure (HTTPS) pages.
|<<downloads.remove_finished,downloads.remove_finished>>|Duration (in milliseconds) to wait before removing finished downloads.
|<<editor.command,editor.command>>|Editor (and arguments) to use for the `edit-*` commands.
|<<editor.encoding,editor.encoding>>|Encoding to use for the editor.
@@ -2888,6 +2889,19 @@ Valid values:
Default: +pass:[top]+
+[[downloads.prevent_mixed_content]]
+=== downloads.prevent_mixed_content
+Automatically abort insecure (HTTP) downloads originating from secure (HTTPS) pages.
+For per-domain settings, the relevant URL is the URL initiating the download, not the URL the download itself is coming from. It's not recommended to set this setting to false globally.
+
+This setting supports URL patterns.
+
+This setting is only available with the QtWebEngine backend.
+
+Type: <<types,Bool>>
+
+Default: +pass:[true]+
+
[[downloads.remove_finished]]
=== downloads.remove_finished
Duration (in milliseconds) to wait before removing finished downloads.
diff --git a/qutebrowser/browser/webengine/webenginedownloads.py b/qutebrowser/browser/webengine/webenginedownloads.py
index fc7ed8ca2..364347206 100644
--- a/qutebrowser/browser/webengine/webenginedownloads.py
+++ b/qutebrowser/browser/webengine/webenginedownloads.py
@@ -29,6 +29,7 @@ from PyQt5.QtWebEngineWidgets import QWebEngineDownloadItem
from qutebrowser.browser import downloads, pdfjs
from qutebrowser.utils import (debug, usertypes, message, log, objreg, urlutils,
utils, version)
+from qutebrowser.config import config
class DownloadItem(downloads.AbstractDownloadItem):
@@ -298,6 +299,15 @@ class DownloadManager(downloads.AbstractDownloadManager):
qt_item.cancel()
return
+ if (url.scheme() == "http" and
+ origin.isValid() and origin.scheme() == "https" and
+ config.instance.get("downloads.prevent_mixed_content", url=origin)):
+ # FIXME show failed download instead
+ message.error("Aborting insecure download from secure page "
+ "(see downloads.prevent_mixed_content).")
+ qt_item.cancel()
+ return
+
# Ask the user for a filename - needs to be blocking!
question = downloads.get_filename_question(
suggested_filename=suggested_filename, url=qt_item.url(),
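Review bot: The abort message emitted by `message.error(...)` in this hunk does not identify the download or the page it came from, so a user with several pending downloads cannot tell which one was refused or why; include both URLs, e.g. `message.error(f"Aborting insecure download {url.toDisplayString()} from secure page {origin.toDisplayString()} (see downloads.prevent_mixed_content).")`. Since `url` and `origin` are assigned before this hunk and the enclosing method starts and ends outside it, it is not visible here whether `url` is the original request URL or the URL after redirects; a short comment above the `if` stating which one is checked would help a later maintainer reason about an HTTPS page that redirects the download to HTTP. The condition also matches only the literal `http` scheme, so other cleartext schemes such as `ftp` are not covered — if that is intentional, say so in the same comment.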
diff --git a/qutebrowser/config/configdata.yml b/qutebrowser/config/configdata.yml
index 17f2013b9..7b0cd05f4 100644
--- a/qutebrowser/config/configdata.yml
+++ b/qutebrowser/config/configdata.yml
@@ -1355,6 +1355,19 @@ downloads.position:
default: top
desc: Where to show the downloaded files.
+downloads.prevent_mixed_content:
+ type: Bool
+ default: true
+ supports_pattern: true
+ backend: QtWebEngine
+ desc:
+ Automatically abort insecure (HTTP) downloads originating from secure
+ (HTTPS) pages.
+
+ For per-domain settings, the relevant URL is the URL initiating the
+ download, not the URL the download itself is coming from. It's not
+ recommended to set this setting to false globally.
+
downloads.remove_finished:
default: -1
type: