martok / palefill

Inject Polyfills for various web technologies into pages requiring them
https://martok.github.io/palefill/
Mozilla Public License 2.0

[Left-]Clicking GitHub download links results in blank page... #41

Closed Vangelis66 closed 2 years ago

Vangelis66 commented 2 years ago

Specifics:

Browser: Serpent 52.9.0 (2022-08-05) (32-bit)
Extension version: 1.19 (latest stable)

STR

  1. Say you arrive in a GitHub Releases page, e.g. https://github.com/Feodor2/Mypal68/releases

  2. In the Assets area, (left-)click the *.zip download link: mypal-68.12.5.en-US.win32.zip

Expected behaviour:

This is dependent on a browser setting, e.g. in my case I have it as

Preferences -> General -> Downloads: Always ask me where to save files

so the default in my user case is to be presented with a "File Save" pop-up/window.

Actual behaviour:

The currently open (Releases) tab is being redirected to an empty (blank) tab, the URL bar now holds the actual download link:

[screenshot: GH1]

Web Console tells this is CSP related... 😞

Disabling palefill, reloading the Releases page and (left-)clicking anew the download link restores the default behaviour:

[screenshot: GH2]

No CSP errors in Web Console this time... 😉

Currently, one workaround is to right-click the download link and from the generated context menu select Save Link As...; but I'm accustomed to left-clicking, most of the times...

martok commented 2 years ago

What the hell is this? Rejecting the request is technically correct (the best kind of correct).

The redirect goes to https://objects.githubusercontent.com/ and the only similar policy in the CSP in the connect-src header is for https://objects-origin.githubusercontent.com. Source zip downloads come from https://codeload.github.com/, which is not in the allowed domains at all. This should not work in any browser that loaded the scripts. The reason why it works with disabled Palefill is because then so much breaks that the link is loaded "old-school", not with fetch().

The workaround is obviously simple, but... :confused: ?
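To make the connect-src reasoning above concrete, here is an added example (not palefill's or GitHub's code) of a toy CSP source-list matcher: a simplified form of the CSP3 "does URL match source expression" check, covering 'self', scheme-sources and host-sources with an optional `*.` wildcard and port (path matching and the http-to-https upgrade rule are left out). The policy string, the `*.cdn.example` entry and the redirect-chain URLs are constructed for illustration; only the hostnames named in the thread are real.

```javascript
// Added example: toy CSP connect-src matcher, simplified from the CSP3 host-source
// matching rules. Not the browser's or palefill's implementation.

const PAGE_ORIGIN = "https://github.com"; // origin of the Releases page in the thread

// Constructed sample policy. It mimics the shape of the list discussed above but
// is NOT GitHub's real header; "*.cdn.example" is a placeholder wildcard entry.
const SAMPLE_CONNECT_SRC =
  "'self' https://objects-origin.githubusercontent.com https://*.cdn.example";

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function parseSourceList(list) {
  return list.trim().split(/\s+/).filter(Boolean);
}

// Match one source expression against a URL requested from `origin`.
function matchesSource(expr, url, origin) {
  const u = new URL(url);
  const o = new URL(origin);
  if (expr === "'self'") {
    // same scheme and same host:port as the page itself
    return u.protocol === o.protocol && u.host === o.host;
  }
  if (expr.startsWith("'")) return false; // 'none', nonces, hashes never match a host
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return u.protocol.toLowerCase() === expr.toLowerCase(); // scheme-source, e.g. "https:"
  }
  // host-source: [scheme://]host[:port]  (path component not supported here)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-][a-z0-9.-]*)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false; // malformed or unsupported expression: fail closed
  const [, scheme, host, port] = m;

  // Scheme: an explicit scheme must match; otherwise the page's own scheme applies.
  const wantProto = scheme ? scheme.toLowerCase() + ":" : o.protocol;
  if (u.protocol !== wantProto) return false;

  // Host: "*" matches any host; "*.foo" matches strict subdomains of foo only.
  const h = u.hostname.toLowerCase();
  const hx = host.toLowerCase();
  if (hx === "*") {
    // any host
  } else if (hx.startsWith("*.")) {
    const suffix = hx.slice(1); // ".foo"
    if (!h.endsWith(suffix) || h.length <= suffix.length) return false;
  } else if (h !== hx) {
    return false; // note: objects.githubusercontent.com !== objects-origin.githubusercontent.com
  }

  // Port: "*" is any port; an explicit port must equal the URL's effective port;
  // no port in the expression means the scheme's default port.
  const effective = u.port || DEFAULT_PORT[u.protocol] || "";
  if (port === "*") return true;
  if (port) return effective === port;
  return effective === (DEFAULT_PORT[wantProto] || "");
}

function urlAllowed(sourceList, url, origin) {
  return parseSourceList(sourceList).some((e) => matchesSource(e, url, origin));
}

// fetch() re-evaluates connect-src on every redirect hop. Returns the index of the
// first hop that the policy does not allow, or -1 when the whole chain passes.
function firstBlockedHop(sourceList, chain, origin) {
  return chain.findIndex((url) => !urlAllowed(sourceList, url, origin));
}

// Constructed redirect chain mirroring the thread: the asset link on github.com
// (allowed by 'self') redirects to objects.githubusercontent.com (not in the list).
// Both paths below are placeholders, not real GitHub URLs.
const ASSET_CHAIN = [
  "https://github.com/Feodor2/Mypal68/releases/download/PLACEHOLDER/mypal-68.12.5.en-US.win32.zip",
  "https://objects.githubusercontent.com/constructed-asset-path?X-Amz-Expires=300",
];

console.log("first blocked hop:", firstBlockedHop(SAMPLE_CONNECT_SRC, ASSET_CHAIN, PAGE_ORIGIN));
```

Running this reports hop 1 as blocked, which is the same outcome the Web Console shows: the initial github.com request is fine under 'self', but the redirect target is not matched by the objects-origin entry, and a codeload.github.com source-zip URL would fail for the same reason because no entry names it at all. A real browser applies the full CSP3 algorithm (paths, the http-to-https upgrade, redirect-count handling), so treat this as a model for reading the policy, not a substitute for the engine's check.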

Vangelis66 commented 2 years ago

> rejecting the request is technically correct (the best kind of correct). (snipped) This should not work in any browser that loaded the scripts.

FWIW, before submitting this issue, I checked how Chromium (v87-based fork) handles this; NB that Ch87 has full support for the current GitHub incarnation, no additional polyfills are required...

As in my Serpent 52.9.0 copy, the setting in Ch87 for "downloads" is as below:

[screenshot: ch87-2]

i.e. "Display a question regarding the saving location of each file before the actual download"

With that setting enforced, left-clicking the mypal-68.12.5.en-US.win32.zip asset referenced in my opening comment produces, as I expect, a "Save As" OS window/dialog :wink: :

[screenshot: ch87]

The request isn't rejected, the Console however notes the below message:

[screenshot: ch87-3]

Full text:

Resource interpreted as Document but transferred with MIME type application/octet-stream: 
"https://objects.githubusercontent.com/github-production-release-asset-2e65be/478824817/7fbfc7d0-6f33-4111-9247-791c0ba7372f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220811%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220811T235830Z&X-Amz-Expires=300&X-Amz-Signature=a28ce5268acb25bb543f397693892e20417b51067e530a99eb98f1ef1539681d&X-Amz-SignedHeaders=host&actor_id=9669492&key_id=0&repo_id=478824817&response-content-disposition=attachment%3B%20filename%3Dmypal-68.12.5.en-US.win32.zip&response-content-type=application%2Foctet-stream".

In any case, many thanks for your attention to the filed issue and its subsequent resolution! :+1:

Kindest regards/best wishes :heart: