Closed Vangelis66 closed 2 years ago
What the hell is this? Rejecting the request is technically correct (the best kind of correct).

The redirect goes to https://objects.githubusercontent.com/ and the only similar policy in the connect-src directive of the CSP header is for https://objects-origin.githubusercontent.com. Source zip downloads come from https://codeload.github.com/, which is not in the allowed domains at all.

This should not work in any browser that loaded the scripts. The reason why it works with Palefill disabled is that then so much breaks that the link is loaded "old-school", not with fetch().

The workaround is obviously simple, but... :confused: ?
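The comment above explains the failure in two steps: fetch() is governed by the page's connect-src, and the redirect target of the asset link is not in that list. The following is an added example, not code from the issue, from Palefill or from GitHub: a small connect-src matcher that walks a fetch() redirect chain hop by hop, the way a browser applies the directive, and shows that the `objects-origin.githubusercontent.com` entry does nothing for a redirect to `objects.githubusercontent.com`, while a `codeload.github.com` source zip matches nothing at all. The CSP header, the asset path and the signed object URL below are constructed stand-ins in the shape of what the thread describes, not copies of github.com's responses.

```javascript
// Added example, not code from the original issue or from Palefill: a small
// CSP connect-src matcher that walks a fetch() redirect chain hop by hop.
// It shows why a same-origin asset link that redirects to
// objects.githubusercontent.com is rejected when fetched, and why the
// objects-origin.githubusercontent.com entry in the policy is of no help.
// The header and URLs are constructed stand-ins for the shape of the real
// policy and redirect, not copies of github.com's responses.
const PAGE_URL = 'https://github.com/Feodor2/Mypal68/releases';
const CSP_HEADER =
  "default-src 'none'; " +
  "connect-src 'self' uploads.github.com https://objects-origin.githubusercontent.com " +
  "https://api.github.com; " +
  "img-src *";

// Constructed redirect chain modelled on the one in the thread:
// same-origin asset link -> signed object URL (paths and signature shortened).
const ASSET_CHAIN = [
  'https://github.com/Feodor2/Mypal68/releases/download/68.12.5/mypal-68.12.5.en-US.win32.zip',
  'https://objects.githubusercontent.com/github-production-release-asset-2e65be/478824817/asset?X-Amz-Signature=constructed',
];
const CODELOAD_ZIP = 'https://codeload.github.com/Feodor2/Mypal68/zip/refs/tags/68.12.5';

// Parse a serialized policy into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const effectivePort = (u) => u.port || DEFAULT_PORTS[u.protocol] || '';

// Does one source expression match a URL? Simplified from the CSP3
// "Does url match expression in origin" algorithm: scheme (http may be
// upgraded to https), host with optional leading "*." wildcard, port, and
// path prefix. Keywords other than 'self' never match for connect-src here.
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false;

  // Bare scheme-source such as "https:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;

  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/\S*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  // Scheme: an explicit scheme must match; without one, the page's scheme applies.
  const want = scheme ? scheme + ':' : new URL(pageOrigin).protocol;
  if (url.protocol !== want && !(want === 'http:' && url.protocol === 'https:')) return false;

  // Host: "*" matches anything, "*.x" matches subdomains of x only (not x itself).
  if (host !== '*') {
    if (host.startsWith('*.')) {
      if (!url.hostname.endsWith(host.slice(1))) return false;
    } else if (url.hostname !== host) return false;
  }

  // Port: an explicit port must match; no port means the scheme's default port.
  const urlPort = effectivePort(url);
  if (port === undefined) {
    if (urlPort !== DEFAULT_PORTS[url.protocol]) return false;
  } else if (port !== '*' && port !== urlPort) return false;

  // Path: a trailing "/" is a prefix match, anything else is exact.
  if (path) {
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would a fetch()/XHR from pageUrl to requestUrl pass the policy?
// connect-src falls back to default-src; with neither present, anything goes.
function isConnectAllowed(header, pageUrl, requestUrl) {
  const policy = parseCsp(header);
  const sources = policy['connect-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  const url = new URL(requestUrl);
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// fetch() is re-checked at every redirect hop against the same directive, so a
// permitted same-origin request still fails once the redirect leaves the
// allow-list. Returns the index of the first rejected hop, or -1 if all pass.
// A plain left-click on the link is a navigation, which connect-src does not govern.
function firstBlockedHop(header, pageUrl, chain) {
  return chain.findIndex((u) => !isConnectAllowed(header, pageUrl, u));
}

console.log('asset link on github.com allowed:', isConnectAllowed(CSP_HEADER, PAGE_URL, ASSET_CHAIN[0])); // true
console.log('first blocked hop in the fetch chain:', firstBlockedHop(CSP_HEADER, PAGE_URL, ASSET_CHAIN)); // 1
console.log('codeload.github.com source zip allowed:', isConnectAllowed(CSP_HEADER, PAGE_URL, CODELOAD_ZIP)); // false
```

The first hop passes on `'self'`; the second hop is rejected because `objects.githubusercontent.com` is neither the listed `objects-origin.githubusercontent.com` host nor covered by a `*.githubusercontent.com` wildcard, which is exactly the error the Web Console reports. Changing the policy is GitHub's call, not the extension's, so the only client-side fix is to let the click fall through to a normal navigation.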
> rejecting the request is technically correct (the best kind of correct). (snipped) This should not work in any browser that loaded the scripts.

FWIW, before submitting this issue, I checked how Chromium (v87-based fork) handles this; NB that Ch87 has full support for the current GitHub incarnation, no additional polyfills are required...

As in my Serpent 52.9.0 copy, the setting in Ch87 for "downloads" is as below, i.e. "Display a question regarding the saving location of each file before the actual download".

With that setting enforced, left-clicking the mypal-68.12.5.en-US.win32.zip asset referenced in my opening comment produces, as I expect, a "Save As" OS window/dialog :wink:

The request isn't rejected; the Console, however, notes the message below. Full text:

Resource interpreted as Document but transferred with MIME type application/octet-stream: "https://objects.githubusercontent.com/github-production-release-asset-2e65be/478824817/7fbfc7d0-6f33-4111-9247-791c0ba7372f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220811%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220811T235830Z&X-Amz-Expires=300&X-Amz-Signature=a28ce5268acb25bb543f397693892e20417b51067e530a99eb98f1ef1539681d&X-Amz-SignedHeaders=host&actor_id=9669492&key_id=0&repo_id=478824817&response-content-disposition=attachment%3B%20filename%3Dmypal-68.12.5.en-US.win32.zip&response-content-type=application%2Foctet-stream".

In any case, many thanks for your attention to the filed issue and its subsequent resolution! :+1:
Kindest regards/best wishes :heart:
Specifics:
Browser: Serpent 52.9.0 (2022-08-05) (32-bit)
Extension version: 1.19 (latest stable)

STR
Say you arrive at a GitHub Releases page, e.g. https://github.com/Feodor2/Mypal68/releases
In the Assets area, (left-)click the *.zip download link: mypal-68.12.5.en-US.win32.zip

Expected behaviour:
This is dependent on a browser setting; e.g. in my case I have it as Preferences -> General -> Downloads: Always ask me where to save files, so the default in my user case is to be presented with a "File Save" pop-up/window.

Actual behaviour:
The currently open (Releases) tab is redirected to an empty (blank) tab, and the URL bar now holds the actual download link.
Web Console says this is CSP related...

Disabling palefill, reloading the Releases page and (left-)clicking the download link anew restores the default behaviour: no CSP errors in Web Console this time...

Currently, one workaround is to right-click the download link and from the generated context menu select Save Link As...; but I'm accustomed to left-clicking, most of the time...