"browser.download.start_downloads_in_tmp_dir" should default to false to (at least partly) mitigate disk leak

"browser.download.start_downloads_in_tmp_dir" should default to false to (at least partly) mitigate disk leak

13.0 (based on Mozilla Firefox 115.4.0esr)

Sorry, I meaning default to False

see discussion in #42147 (closed)

cc: @pierov I think we can close this? yes?

Sorry, I meaning default to False

I have edited title and description to reflect this

changed the description

changed title from "browser.download.start_downloads_in_tmp_dir" should is default to True to (at least partly) mitigate disk leak to "browser.download.start_downloads_in_tmp_dir" should default to false to (at least partly) mitigate disk leak

I think having the downloads in temporary directory actually helps against disk leaks, for example on Linux, which often use ramdisks for temporary files.

Also, we delete them on exit, which helps (downloads shouldn't be done at all, if one needs to be protected from forensics analysis).

So, works for me to close.

closed

downloads shouldn't be done at all, if one needs to be protected from forensics analysis

Except that downloads happen without confirmation by default and start without confirmation even if user asks for the opposite. So, good luck not doing.

TB defaults to "ask" (two settings in the UI - filetypes, new filetypes) and there is a security delay for the dialog. And some file types are associated with the app. Users can then chose when they first save to always save without asking. What pierov is saying, is that this is OpSec - not that we should block all downloads, that's too much friction. Drive-by downloads should largely be mitigated in this day and age, but IANAE on that particular topic

Except that downloads happen without confirmation by default and start without confirmation even if user asks for the opposite.

That was set in 12.5, but it should be reverted in 13.0 by now.

Some files (e.g. PDF) are some Firefox nonsense, but if there are some prefs to flip I'm all in to do it (or review MRs).

fyi: pdfjs is controlled by RFP since FF100 or thereabouts

Yep, but at a certain point Firefox started downloading PDFs before opening them with pdf.js, so it's a disk leak...

I know, I was there :) that's why we enforce pdfViewerEnabled - I'm just pointing that out (that we bypass the "FF nonsense")

I still think it's nonsense . The same happens for webp and other files. Unless it's the server that forces you to download a file (IIRC there's a HTTP header for that, I wouldn't mind ignoring it).

maybe we, and by we I mean you, should open a file handling review ticket

Now, that's a great idea! Opened #42220.