FTP login by URL broken
Reported by
i...@lyl-canbys.de,
Jul 3 2017
|
|||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Example URL: ftp://test:tE5T!12345@labs.gwendragon.de/a.mkv Steps to reproduce the problem: 1. Paste URL in address field 2. Hit Enter 3. Authentication popup appears What is the expected behavior? File should be opened/downloaded without any need for extra login data What went wrong? Authentication popup for username and password appears Did this work before? N/A Chrome version: 59.0.3071.115 Channel: stable OS Version: 10.0 Flash Version:
,
Jul 5 2017
Download an login works without problems with: Internet Explorer 11 Opera 12 and wget 'ftp://test:tE5T!12345@labs.gwendragon.de/a.mkv' curl 'ftp://test:tE5T!12345@labs.gwendragon.de/a.mkv' -o a.mkv w3m 'ftp://test:tE5T!12345@labs.gwendragon.de/a.mkv'
,
Jul 5 2017
Works with winscp ftp://test:tE5T!12345@labs.gwendragon.de/a.mkv
,
Jul 5 2017
Opens without problems on these: Windows 10 x64 vlc.exe ftp://test:tE5T!12345@labs.gwendragon.de/a.mkv ffprobe.exe ftp://test:tE5T!12345@labs.gwendragon.de/a.mkv ffplay.exe ftp://test:tE5T!12345@labs.gwendragon.de/a.mkv Debian 8.8 x64 Konqueror 4.14.2 Firefox 52.2
,
Jul 5 2017
Hrm...We're correctly using the entered credentials, and getting the response body. If you go to other files on the site, it works fine (Like ftp://test:tE5T!12345@labs.gwendragon.de/a.html). So I think this is media playback + ftp URL with credentials in it. We issue a request, get the media mime type and response body, pass that to the media code, and then the media code issues another request without credentials. Media guys: You have any idea what happens to the credentials here?
,
Jul 5 2017
(And yes, I have verified the network stack sees two requests from the renderer, one with the credentials, and one without. We prompt for credentials in response to the credential-less URL)
,
Jul 5 2017
Hmm, I guess I didn't think ftp + video was a supported thing, but I see that other browsers support it.
,
Jul 10 2017
I thought these kind of credentials were handled similarly to cookies. By the time the media code gets the URL, the username/PW has been stripped off, or we would just send it back as is. My assumption is that the credentials gets associated with the WebFrame, but I don't know why they don't get added on to the request when we make it...
,
Jul 10 2017
When credentials are entered by the user, the network stack tracks and adds them to requests as needed. When they come from a URL, however, we don't.
,
Jul 10 2017
I consider this a pretty low priority feature (We don't even support FTP for subresources anymore), so may just be a WontFix. [+mkwst] who removed FTP for subresources, and may have thoughts on using FTP for anything other than downloads / directory listings.
,
Jul 10 2017
,
Jul 11 2017
Seems to be WAI: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/html/HTMLMediaElement.cpp?rcl=5946acdc3a28c62847b18991fe06f86e631a40c1&l=1220 Not sure why though.
,
Jul 11 2017
Testing with other browsers, IE doesn't do anything. FireFox downloads it to a file, rather than playing it. FireFox still renders the HTML file, though, so can't just disable MIME sniffing for FTP entirely, unfortunately (Well, without breaking compat, at least).
,
Jul 11 2017
I've been working on the assumption that we'd eventually like to move FTP support out of Chrome, into some sort of helper. We're also looking skeptically at embedded username/passwords, which we're now blocking for subresource loads, and have been thinking about blocking for top-level navigations as well (the numbers are super low, but the folks who use the feature are vocal, so, it's tough to measure the actual impact). I suspect that this is both related to the code hubbe@ pointed to, and to our implementation of the media playing widget, which basically rewrites the MKV file into an HTML page that contains a `<video>` element which embeds the MKV file. It acts as a subresource, so it's affected by the subresource-blocking code mmenke@ mentioned above. I'd suggest that this is WAI, with the caveat that I'd be even happier if we just downloaded resources from FTP sites rather than rendering them as webby resources. Given the numbers for Navigation.MainFrameScheme and Navigation.MainFrameSchemeDifferentPage, FTP navigation is very uncommon (0.0013% of the former, 0.0028% of the latter over the last 28 days).
,
Jul 14 2017
This is not intended to work, and as such, I'm not going to fix it.
,
Jul 14 2017
Actually, no we should probably just make the file download, but how?
,
Jul 14 2017
Handing off to mkwest@ feel free to delegate further... :)
,
Jul 14 2017
We could either non-mime sniff FTP files, or only mime sniff them text/* or image/* formats (And if there are any other mime types we don't load as a subresource when they're navigated to, includes those as well). We currently don't have any scheme-specific mime sniffing logic, so that solution seems kinda funky.
,
Jul 16
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 19
|
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by sandeepkumars@chromium.org
, Jul 5 2017Labels: M-61 OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)
249 KB
249 KB View Download