authorFlorian Bruhin <me@the-compiler.org>2021-08-25 08:35:14 +0200
committerFlorian Bruhin <me@the-compiler.org>2021-08-25 10:05:28 +0200
commitc022893a76ab388a552b420728edb19fcb122bb8 (patch)
tree293897fffcad75ba85b7a8d4962c407cc54c8ead /qutebrowser
parent65af6b2125ecc5742e8b1a257ada60d326243ac7 (diff)
Prevent mixed content downloading by default
https://blog.chromium.org/2020/02/protecting-users-from-insecure.html https://therecord.media/firefox-follows-chrome-and-prepares-to-block-insecure-downloads/
Diffstat (limited to 'qutebrowser')
-rw-r--r--qutebrowser/browser/webengine/webenginedownloads.py10
-rw-r--r--qutebrowser/config/configdata.yml13
2 files changed, 23 insertions, 0 deletions
diff --git a/qutebrowser/browser/webengine/webenginedownloads.py b/qutebrowser/browser/webengine/webenginedownloads.py
index fc7ed8ca2..364347206 100644
--- a/qutebrowser/browser/webengine/webenginedownloads.py
+++ b/qutebrowser/browser/webengine/webenginedownloads.py
@@ -29,6 +29,7 @@ from PyQt5.QtWebEngineWidgets import QWebEngineDownloadItem
from qutebrowser.browser import downloads, pdfjs
from qutebrowser.utils import (debug, usertypes, message, log, objreg, urlutils,
utils, version)
+from qutebrowser.config import config
class DownloadItem(downloads.AbstractDownloadItem):
@@ -298,6 +299,15 @@ class DownloadManager(downloads.AbstractDownloadManager):
qt_item.cancel()
return
+ if (url.scheme() == "http" and
+ origin.isValid() and origin.scheme() == "https" and
+ config.instance.get("downloads.prevent_mixed_content", url=origin)):
+ # FIXME show failed download instead
+ message.error("Aborting insecure download from secure page "
+ "(see downloads.prevent_mixed_content).")
+ qt_item.cancel()
+ return
+
# Ask the user for a filename - needs to be blocking!
question = downloads.get_filename_question(
suggested_filename=suggested_filename, url=qt_item.url(),
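Review bot: The new `if` only blocks when `origin.isValid()` is true, so a download whose initiating page URL cannot be determined skips the mixed-content check and proceeds with no message or log entry. How `origin` is obtained lies outside this hunk, so it should be confirmed whether that case is reachable. If failing open is intended, record it next to the condition, for example `# Without a valid origin we cannot tell whether this is mixed content, so the download is allowed.` The error text also does not say which download was stopped; including the target, e.g. `"Aborting insecure download of {} from secure page (see downloads.prevent_mixed_content).".format(url.toDisplayString())`, would let the user judge whether a per-domain override is warranted. The enclosing method starts and ends outside the hunk.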
diff --git a/qutebrowser/config/configdata.yml b/qutebrowser/config/configdata.yml
index 17f2013b9..7b0cd05f4 100644
--- a/qutebrowser/config/configdata.yml
+++ b/qutebrowser/config/configdata.yml
@@ -1355,6 +1355,19 @@ downloads.position:
default: top
desc: Where to show the downloaded files.
+downloads.prevent_mixed_content:
+ type: Bool
+ default: true
+ supports_pattern: true
+ backend: QtWebEngine
+ desc:
+ Automatically abort insecure (HTTP) downloads originating from secure
+ (HTTPS) pages.
+
+ For per-domain settings, the relevant URL is the URL initiating the
+ download, not the URL the download itself is coming from. It's not
+ recommended to set this setting to false globally.
+
downloads.remove_finished:
default: -1
type: