author | Florian Bruhin <me@the-compiler.org> | 2021-08-25 08:35:14 +0200 |
committer | Florian Bruhin <me@the-compiler.org> | 2021-08-25 10:05:28 +0200 |
commit | c022893a76ab388a552b420728edb19fcb122bb8 (patch) | |
tree | 293897fffcad75ba85b7a8d4962c407cc54c8ead | |
parent | 65af6b2125ecc5742e8b1a257ada60d326243ac7 (diff) | |
Prevent mixed content downloading by default
https://blog.chromium.org/2020/02/protecting-users-from-insecure.html
https://therecord.media/firefox-follows-chrome-and-prepares-to-block-insecure-downloads/
-rw-r--r-- | doc/changelog.asciidoc | 2 | ||||
-rw-r--r-- | doc/help/settings.asciidoc | 14 | ||||
-rw-r--r-- | qutebrowser/browser/webengine/webenginedownloads.py | 10 | ||||
-rw-r--r-- | qutebrowser/config/configdata.yml | 13 |
4 files changed, 39 insertions, 0 deletions
diff --git a/doc/changelog.asciidoc b/doc/changelog.asciidoc
index f6e2d7be1..57fc9d4e8 100644
--- a/doc/changelog.asciidoc
+++ b/doc/changelog.asciidoc
@@ -25,6 +25,8 @@ Added
 - New `content.blocking.hosts.block_subdomains` setting which can be used to disable the subdomain blocking for the hosts-based adblocker introduced in v2.3.0.
+- New `downloads.prevent_mixed_content` setting to prevent insecure
+ mixed-content downloads (true by default).
 
 Fixed
 ~~~~~
diff --git a/doc/help/settings.asciidoc b/doc/help/settings.asciidoc
index 9b896107f..1e943c235 100644
--- a/doc/help/settings.asciidoc
+++ b/doc/help/settings.asciidoc
@@ -209,6 +209,7 @@
 |<<downloads.location.suggestion,downloads.location.suggestion>>|What to display in the download filename input.
 |<<downloads.open_dispatcher,downloads.open_dispatcher>>|Default program used to open downloads.
 |<<downloads.position,downloads.position>>|Where to show the downloaded files.
+|<<downloads.prevent_mixed_content,downloads.prevent_mixed_content>>|Automatically abort insecure (HTTP) downloads originating from secure (HTTPS) pages.
 |<<downloads.remove_finished,downloads.remove_finished>>|Duration (in milliseconds) to wait before removing finished downloads.
 |<<editor.command,editor.command>>|Editor (and arguments) to use for the `edit-*` commands.
 |<<editor.encoding,editor.encoding>>|Encoding to use for the editor.
@@ -2888,6 +2889,19 @@ Valid values:
 
 Default: +pass:[top]+
 
+[[downloads.prevent_mixed_content]]
+=== downloads.prevent_mixed_content
+Automatically abort insecure (HTTP) downloads originating from secure (HTTPS) pages.
+For per-domain settings, the relevant URL is the URL initiating the download, not the URL the download itself is coming from. It's not recommended to set this setting to false globally.
+
+This setting supports URL patterns.
+
+This setting is only available with the QtWebEngine backend.
+
+Type: <<types,Bool>>
+
+Default: +pass:[true]+
+
 [[downloads.remove_finished]]
 === downloads.remove_finished
 Duration (in milliseconds) to wait before removing finished downloads.
diff --git a/qutebrowser/browser/webengine/webenginedownloads.py b/qutebrowser/browser/webengine/webenginedownloads.py
index fc7ed8ca2..364347206 100644
--- a/qutebrowser/browser/webengine/webenginedownloads.py
+++ b/qutebrowser/browser/webengine/webenginedownloads.py
@@ -29,6 +29,7 @@ from PyQt5.QtWebEngineWidgets import QWebEngineDownloadItem
 from qutebrowser.browser import downloads, pdfjs
 from qutebrowser.utils import (debug, usertypes, message, log, objreg,
 urlutils, utils, version)
+from qutebrowser.config import config
 
 
 class DownloadItem(downloads.AbstractDownloadItem):
@@ -298,6 +299,15 @@ class DownloadManager(downloads.AbstractDownloadManager):
 qt_item.cancel()
 return
 
+ if (url.scheme() == "http" and
+ origin.isValid() and origin.scheme() == "https" and
+ config.instance.get("downloads.prevent_mixed_content", url=origin)):
+ # FIXME show failed download instead
+ message.error("Aborting insecure download from secure page "
+ "(see downloads.prevent_mixed_content).")
+ qt_item.cancel()
+ return
+
 # Ask the user for a filename - needs to be blocking!
 question = downloads.get_filename_question(
 suggested_filename=suggested_filename, url=qt_item.url(),
diff --git a/qutebrowser/config/configdata.yml b/qutebrowser/config/configdata.yml
index 17f2013b9..7b0cd05f4 100644
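Review bot: The abort message in the new mixed-content branch names neither the download URL nor the initiating page, so the user only learns that some download was cancelled and, since the FIXME says no failed download item is shown either, the block leaves no trace of what was blocked or why. Put both URLs in the message and in the downloads log, e.g. `message.error(f"Aborting insecure download of {url.toDisplayString()} from secure page {origin.toDisplayString()} (see downloads.prevent_mixed_content).")` followed by `log.downloads.warning("Blocked mixed-content download: %s (initiated by %s)", url.toDisplayString(), origin.toDisplayString())`. Only the `http` scheme is treated as insecure here; whether `url` can carry other non-TLS schemes at this point depends on code outside the hunk, so a short comment stating the intended scope of the check would help the next reader. The enclosing method starts and ends outside the hunk, as do the assignments of `url` and `origin`.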
--- a/qutebrowser/config/configdata.yml
+++ b/qutebrowser/config/configdata.yml
@@ -1355,6 +1355,19 @@ downloads.position:
 default: top
 desc: Where to show the downloaded files.
 
+downloads.prevent_mixed_content:
+ type: Bool
+ default: true
+ supports_pattern: true
+ backend: QtWebEngine
+ desc:
+ Automatically abort insecure (HTTP) downloads originating from secure
+ (HTTPS) pages.
+
+ For per-domain settings, the relevant URL is the URL initiating the
+ download, not the URL the download itself is coming from. It's not
+ recommended to set this setting to false globally.
+
 downloads.remove_finished:
 default: -1
 type: |