"cdn.fbsbx" domain is opened in a normal tab when downloading a file from Messenger

SoftVision-CarmenFat commented 6 years ago

[Affected versions]:

Firefox 59.0.2 and above

[Affected Platforms]:

All Windows
All Mac
All Linux

[Prerequisites]:

Latest Firefox Container is installed (v.1.3.0).
Be logged into a valid Messenger account.
A .gif file was posted in a conversation.

[Steps to reproduce]:

Open the browser with the profile from prerequisites.
Navigate to www.messenger.com website.
Select the conversation where the .gif file is displayed.
Click the .gif file.
Click the "Download" button and observe what happens next.

[Expected result]:

"cdn.fbsbx" domain is opened in the same Facebook container tab. OR
"cdn.fbsbx" domain is opened in a new Facebook container tab.

[Actual result]:

Messenger container tab is automatically closed while "cdn.fbsbx" domain is opened in a normal tab.

[Notes]:

Beside .gif, this issue is also reproducible when downloading .txt, .mp3, .xpi, .crw, or .nef files. But, unlike the scenario where the .gif file is used, the other files mentioned before don't close the messenger container tab.
This issue is also reproducible when clicking the files from "Shared Files" section on the right side of the screen.
This issue is also reproducible when downloading files through Facebook Messenger.
Here is a screen recording of the issue:

download files

ryanfeeley commented 6 years ago

Seems like we should be mainaining a curated like like Disconnect, but for Facebook properties and CDNs. Users should not have to think about this one the add-on is installed (unless it is breaking something).

TanviHacks commented 6 years ago

What else is this cdn used for? Given it’s breaking a bunch of messenger functionality around downloads, It would be a good candidate to add today, but not without at least a little more information on what else this domain does.

TanviHacks commented 6 years ago

googling this, I don't know what it is and there are all these references to malware and viruses. Not 1.3.0, unless Ryan you can tell us what this domain is about.

@ryanfeeley

TanviHacks commented 6 years ago

Does the download fail?

TanviHacks commented 6 years ago

Is this an issue with jpgs or pngs?

SoftVision-CarmenFat commented 6 years ago

Does the download fail?

The download doesn't fail. The issue here is that Facebook's related domain (cdn.fbsbx) opens in a normal tab, so the user's downloads can be easily tracked.

Is this an issue with jpgs or pngs?

This issue is not reproducible when downloading .jpg, .png or .mp4 files. Before downloading these files, they are opened in Facebook's (or Messenger's) image/video built-in viewer, therefore, there isn't any newly opened tab.

groovecoder commented 6 years ago

Thanks for being so diligent in finding these issues @SoftVision-CarmenFat, @SoftVision-PaulOiegas, and team!

I will feel better if we punt this to 1.3.1 release and make our 1.3.0 release with these known issues that we can fix later.

ryanfeeley commented 6 years ago

I'm not sure I understand the harm is erring on the side of adding too many sites to the FB container. I think it's a better user experience as it reduces breakage.

groovecoder commented 6 years ago

The only risk is that we find additional buggy behavior on the same day as the release. I'll add more domains and bug-fixes for 1.3.1 so it can go thru more testing before release.

pdehaan commented 6 years ago

Unable to repro in 1.3.1 using an embedded GIF. Interestingly, when I posted an imgur link to a GIF and it embedded, it never seemed to hit the FB CDN, and would just redirect immediately to imgur instead of giving me a download prompt. But when I used the GIF button in the Messenger conversation to embed a GIF, I was able to see the Download option, and the image downloaded without opening new tabs to the CDN or anything weird or unexpected.