
Can't download Firefox Add-ons manually with 'Save Link as...' because "Firefox prevented this site () from asking you to install software on your computer"

Posted

Hi Guys,

since Firefox Version 38.0 (ESR) it is not possible to download Firefox Add-ons manually ( ...from the site addons.mozilla.org (!) ) with 'Save Link as...' (...from the Right-Click Context-Menu).

All of the Add-Ons for Firefox (signed or un-signed) have a size of '0 kb' after trying to 'Save Link as...' to a local directory. If I'm choosing there (...in the 'Mozilla Add-On Store') a Thunderbird Add-On everything works fine with the 'Save as...'-alternative.

I have tested this with all of the ESR versions 38.0 to 38.6.1 and also with the new 'public' version 44.0.2 (= no ESR), ...also with new and clean Profiles. Everywhere the same effect. 31.8 ESR is the last one where I can download and save Add-Ons with 'Save Link as...' to a local directory.

(I know that it is possible to choose the Button '+Add to Firefox' with Left-Click. In this case the Add-On Download starts without any problems promptly ...and the installation process starts directly.)

Is there a Pref available which I can set in the about:config page or another option to download Add-On files manually?


Modified by JanetM.


Additional system details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0

John99 971 solutions 13138 answers
Posted

I have not actually tested this on ESR myself yet. But have you tried from the secure link? Instead of http://addons.mozilla.org/ try https://addons.mozilla.org/. Normally once you have used a https link for a site you will get that in preference to a http link.


Question owner

Hello John,

it doesn't matter if it is a 'normal' version or an ESR version. It is always the same in this case.

It's always the 'https://addons.mozilla.org' site.

(Can't use 'http' for this site in the address bar, because after 'Enter' it is always 'https').

My way:

1. Write down the Url in the address bar = addons.mozilla.org (...or use a bookmark as for me with https://addons.mozilla.org )

2. The presented site is always the secured site with 'https' =

    https://addons.mozilla.org/

3. Search - for example - for "Download Status Bar" (...it's a signed Add-On) or for example "NoScript"

4. A very short sequence I can see the Blue Button = 'Download for Windows' and 10 milliseconds later there is always the Green Button with ' + Add to Firefox'.

So far so good:

5. Right Click (=Context Menu) to the Green Button 'Add to Firefox', then 'Save Link as...' -> choose a directory of your choice -> Save.

Consequence:

All of the 'downloaded files' have a size of 0 kb. There isn't a download ;-).


Exactly this way I can use up to version 31.8 (ESR) without any problems. Above this version (...the next one is 38.0.1) = no chance.

Yesterday I was trying also the newest 'official' version 44.0.2. = the same effect -> no possibility to download the xpi-file manually with 'Save Link as...'.


Modified by JanetM.

jscher2000
  • Top 10 Contributor
8703 solutions 71122 answers
Posted

When I check the download list after using Save Link As, I see this URL:

https://addons.cdn.mozilla.net/user-media/addons/12021/form_history_control-1.4.0.4-sm+fx.xpi?filehash=sha256%3Aae421ade4005e5b12aa7c53cdc9f61cb53f61dfe3dd0e21cb64a1dd3a6c0d9c5

Some users have encountered errors when extension downloads are redirected to a different server, but I think this is the first time I've heard of an error with the official site.

But... do you want to try adding an "Allow" software download permission for that site? If so:

(1) Select and copy the following protocol and host name

https://addons.cdn.mozilla.net

(2) Open the Exceptions list here:

"3-bar" menu button (or Tools menu) > Options

In the left column, click Security. Then on the right side, click the Exceptions button to the right of "Warn me when sites try to install add-ons".

In the dialog box that appears, you can paste the URL and click the Allow button to add an exception.

Does that let you download and save extensions?


Question owner

Hello jscher2000,

what is the file size of the file 'form_history_control-1.4.0.4-sm+fx.xpi' after downloading this per Context-Menu 'Save Link as...'?


Modified by JanetM.

jscher2000
  • Top 10 Contributor
8703 solutions 71122 answers
Posted

Hi JanetM., Windows shows me 489 KB as the file size.


Question owner

Hello Jefferson,

thank you for your reply.

After 24 hours of installing and reinstalling different versions from 31 to 38 (ESR) and 44 I have found out with a header inspector that the Guys from the Firefox-Project have the sites '*.mozilla.org' -> CSP protected with newer versions of Firefox.

Therefore it's not possible to make an xpi download manually from the Mozilla Add-On "Store" in order to install these files later from a local directory.

I suppose it's not desired to showcase at this place "how to fix it" this feature.

Fortunately I was able to disable this ... thing.

Over the month I have to install numerous Workstations and don't have enough time to install required Add-Ons (...in the most recent version) with direct downloads over the Add-On "Store" on every machine separately.

Sure, it could be used the Sync-Account, but I hate cloud-based solutions, ... because no one knows the real owner of the infrastructure.

Thanks again for your efforts.

jscher2000
  • Top 10 Contributor
8703 solutions 71122 answers
Posted

I don't understand why it isn't working for you, or why you think the CSPs are relevant to downloads. What am I missing here? If you want to send the information by private message, you can click my username next to a post.

John99 971 solutions 13138 answers
Posted

Jefferson

Ok I had not tried to check this earlier, and did not expect problems with Release and pre release, but I can reproduce something similar and it does not help setting an exception.

I do see zero kb results. Not sure what's happening am I only getting the hash from AMO. Presumably the exception only helps when trying to install an addon, but not when attempting to download an xpi.

Whereas from github I can download an .xpi with no problem e.g.

https://github.com/philipp-sumo/sumo_live_helper/raw/master/sumo_live_helper.xpi

With no need to try setting an exception.

STR
Testing with Fx46.0a.
Try some official addon, I tried https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin
Right click the (green box) [+ Add to Firefox] and use option to open in another tab or copy.
I get https://addons.mozilla.org/firefox/downloads/latest/607454/addon-607454-latest.xpi?src=dp-btn-primary & door hanger: ... prevented install ...
Using about:preferences#security and setting an exception for https://addons.cdn.mozilla.net does not help.
If I try https://addons.mozilla.org/firefox/downloads/latest/607454/addon-607454-latest.xpi with the network console I do see https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.6.2-an+fx+sm+tb.xpi?filehash=sha256%3Ab705c5b4e5c568f5c536e2e7471019f4c602d5395f2604a9f7235417c6c13ceb

Janet, It is probably worth noting addons are now signed. That may not affect ESR as yet for installation. Personally I do not understand the new installation method. But the blogs and help article are

  • https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/
  • https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/
  • Add-on signing in Firefox

install numerous Workstations

No idea if it will help but have you tried or considered using CCK2. That was previously hosted on addons.mozilla and apparently is still available free from its developers website

  • https://mike.kaply.com/cck2/
  • & other blogs including the older: Customizing Firefox – Extensions and the CCK Wizard (https://mike.kaply.com/2012/04/13/customizing-firefox-extensions-and-the-cck-wizard/#more-1541)

Question owner

Hi John,

exactly, this is the effect.

I don't know if it is allowed to post the solution here. What works for me -> in a personal message.

cor-el
  • Top 10 Contributor
  • Moderator
17483 solutions 158000 answers
Posted

What security software do you have?

It is possible that security software (anti-virus, firewall) is causing the problem. Try to disable security software temporarily to see if that makes a difference.

John99 971 solutions 13138 answers
Posted

Hi Janet, OK thanks. Not yet sure the intended purpose of the pref you mentioned in the PM. So not sure about any other consequences of toggling it, Jefferson will probably figure that out before I can.

We do not usually keep prefs secret, but sometimes do not shout out about the possibilities. It is not even official policy to promote ESR to ordinary users.

jscher2000
  • Top 10 Contributor
8703 solutions 71122 answers
Posted

John99 said

STR
Testing with Fx46.0a.
Try some official addon, I tried https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin
Right click the (green box) [+ Add to Firefox] and use option to open in another tab or copy.
I get https://addons.mozilla.org/firefox/downloads/latest/607454/addon-607454-latest.xpi?src=dp-btn-primary & door hanger: ... prevented install

Yes, opening an XPI from AMO in a tab is blocked for some reason. But right-click > Save Link As on the green button works for me. Does that work for you?

John99 971 solutions 13138 answers
Posted

Yes it does actually when I try.

I right click and copy link location the url I get

https://addons.mozilla.org/firefox/downloads/latest/607454/addon-607454-latest.xpi?src=dp-btn-primary

However if I right click and use save link as I get file (I am using Linux)

ublock_origin-1.6.2-an+fx+sm+tb.xpi
(Size:  1.5 MB (1,452,499 bytes) )

I presume that will install, the option to install does show when I open the file with Firefox DE

jscher2000
  • Top 10 Contributor
8703 solutions 71122 answers
Posted

Thanks, John. The original poster can only get Save Link As to work by disabling CSP. That doesn't make sense to me because I don't think CSP should apply to downloads, but I'm having a hard time monitoring the HTTP headers (didn't clicking a URL in the Browser Console used to display the headers?).

cor-el
  • Top 10 Contributor
  • Moderator
17483 solutions 158000 answers
Posted

Chosen solution

I see this CSP data in HTTP response headers of the main page using Live Http Headers:

Content-Security-Policy: script-src 'self' https://addons.mozilla.org https://www.paypalobjects.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.google-analytics.com https://addons.cdn.mozilla.net; default-src 'self'; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://ssl.gstatic.com/ https://sentry.prod.mozaws.net; media-src https://videos.cdn.mozilla.net; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; report-uri /__cspreport__

Downloading an XPI file shows this for me:

Content-Security-Policy: default-src 'none'; report-uri /__cspreport__

Note that this data may come from CloudFront servers.

X-Cache: Hit from cloudfront
Via: 1.1 3d95c075cc2e7532826e1d3de1a75b2e.cloudfront.net (CloudFront)
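
A Content-Security-Policy header restricts what the document delivered with that response may load, and fetch directives that are not listed fall back along a fixed chain ending at default-src. The following added example (not part of the original post and not Mozilla's code) parses the two header values quoted above and resolves which directive governs each resource type; the function names are illustrative, and only the base fetch directives of CSP Level 3 are modelled.

```python
# Added example. Header values are copied from the post above; all names are illustrative.
MAIN_PAGE_CSP = (
    "script-src 'self' https://addons.mozilla.org https://www.paypalobjects.com "
    "https://apis.google.com https://www.google.com/recaptcha/ "
    "https://www.gstatic.com/recaptcha/ https://ssl.google-analytics.com "
    "https://addons.cdn.mozilla.net; default-src 'self'; "
    "img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com "
    "https://addons.cdn.mozilla.net https://static.addons.mozilla.net "
    "https://ssl.gstatic.com/ https://sentry.prod.mozaws.net; "
    "media-src https://videos.cdn.mozilla.net; "
    "style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; "
    "frame-src 'self' https://ic.paypal.com https://paypal.com "
    "https://www.google.com/recaptcha/ https://www.paypal.com; "
    "object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; "
    "font-src 'self' https://addons.cdn.mozilla.net; report-uri /__cspreport__"
)
XPI_RESPONSE_CSP = "default-src 'none'; report-uri /__cspreport__"

# Fallback chains for the base fetch directives (CSP Level 3).
FALLBACK = {
    "child-src": ["default-src"],
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "img-src": ["default-src"],
    "manifest-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}


def parse_csp(header_value):
    """Split a policy into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # A repeated directive is ignored; the first occurrence wins.
        policy.setdefault(name, tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Return (governing directive, sources), or (None, None) if unrestricted."""
    for name in [directive] + FALLBACK[directive]:
        if name in policy:
            return name, policy[name]
    return None, None


def blocks_everything(policy, directive):
    """True when the governing source list matches no URL at all."""
    _, sources = effective_sources(policy, directive)
    if sources is None:
        return False
    return len(sources) == 0 or [s.lower() for s in sources] == ["'none'"]


def compare(main_value, xpi_value):
    """Rows of (directive, governed-by on main page, blocked on main, blocked on XPI)."""
    main, xpi = parse_csp(main_value), parse_csp(xpi_value)
    return [
        (d, effective_sources(main, d)[0],
         blocks_everything(main, d), blocks_everything(xpi, d))
        for d in sorted(FALLBACK)
    ]


if __name__ == "__main__":
    for row in compare(MAIN_PAGE_CSP, XPI_RESPONSE_CSP):
        print("%-13s main governed by %-11s main blocked=%-5s xpi blocked=%s" % row)
```
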
John99 971 solutions 13138 answers
Posted

jscher2000 said

Thanks, John. The original poster can only get Save Link As to work by disabling CSP. That doesn't make sense to me because I don't think CSP should apply to downloads, but I'm having a hard time monitoring the HTTP headers (didn't clicking a URL in the Browser Console used to display the headers?).

Both ESR equivalent Iceweasel & DE using Network Console there is a small icon top right appears show request details that has tab options including Headers & Security

  • https://developer.mozilla.org/docs/Tools/Network_Monitor#Headers

Browser console similar

  • https://developer.mozilla.org/docs/Tools/Browser_Toolbox
John99 971 solutions 13138 answers
Posted

Further to last post. Browser console at least in iceweasel is needing right click to display headers

e.g.
Response Headers Δ205ms
X-XSS-Protection: 1; mode=block
X-Target-Digest: sha256:b705c5b4e5c568f5c536e2e7471019f4c602d5395f2604a9f7235417c6c13ceb
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Backend-Server: ip-172-31-47-33
Vary: X-Mobile, User-Agent
Strict-Transport-Security: max-age=31536000
Server: nginx
Location: https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.6.2-an+fx+sm+tb.xpi?filehash=sha256%3Ab705c5b4e5c568f5c536e2e7471019f4c602d5395f2604a9f7235417c6c13ceb
Date: Thu, 03 Mar 2016 01:17:46 GMT
Content-Type: text/html; charset=utf-8
content-security-policy: script-src 'self' https://addons.mozilla.org https://www.paypalobjects.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.google-analytics.com https://addons.cdn.mozilla.net; default-src 'self'; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://ssl.gstatic.com/ https://sentry.prod.mozaws.net; media-src https://videos.cdn.mozilla.net; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; report-uri /__cspreport__
Content-Length: 0
Connection: keep-alive
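
The redirect response quoted above carries an X-Target-Digest header and a filehash parameter in its Location URL. The following added example (not part of the original post and not Mozilla's code) checks a manually saved XPI against those values before it is copied to other workstations, assuming both values are the SHA-256 of the file the redirect points to; the function names and the sample file bytes are constructed for illustration.

```python
# Added example. Header values are copied from the post above; names are illustrative.
import hashlib
from urllib.parse import parse_qs, urlsplit

REDIRECT_HEADERS = """\
X-Target-Digest: sha256:b705c5b4e5c568f5c536e2e7471019f4c602d5395f2604a9f7235417c6c13ceb
Location: https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.6.2-an+fx+sm+tb.xpi?filehash=sha256%3Ab705c5b4e5c568f5c536e2e7471019f4c602d5395f2604a9f7235417c6c13ceb
Content-Type: text/html; charset=utf-8
Content-Length: 0
"""


def parse_headers(raw):
    """Turn 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_digest(text):
    """Accept only 'sha256:<64 hex chars>' and return the lower-cased hex part."""
    algo, sep, hexval = text.partition(":")
    hexval = hexval.strip().lower()
    if not sep or algo.strip().lower() != "sha256":
        raise ValueError("unsupported digest format: %r" % text)
    if len(hexval) != 64 or any(c not in "0123456789abcdef" for c in hexval):
        raise ValueError("malformed SHA-256 value: %r" % text)
    return hexval


def expected_digest(headers):
    """Digest announced by the redirect; the header and the URL must agree."""
    from_header = parse_digest(headers["x-target-digest"])
    query = parse_qs(urlsplit(headers["location"]).query)  # decodes %3A to ':'
    from_url = parse_digest(query["filehash"][0])
    if from_header != from_url:
        raise ValueError("X-Target-Digest and filehash disagree")
    return from_header


def check_xpi(data, expected):
    """Classify saved bytes: 'empty', 'not-a-zip', 'digest-mismatch' or 'ok'."""
    if not data:
        return "empty"            # the 0 kb result described in this thread
    if data[:4] != b"PK\x03\x04":
        return "not-a-zip"        # an XPI is a ZIP archive
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if actual == expected else "digest-mismatch"


if __name__ == "__main__":
    want = expected_digest(parse_headers(REDIRECT_HEADERS))
    print("expected sha256:", want)
    # Constructed stand-ins for files saved to disk.
    print(check_xpi(b"", want))
    print(check_xpi(b"PK\x03\x04constructed sample", want))
```

To check a real file, read it in binary mode and pass the bytes to `check_xpi`.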


Question owner

cor-el said

I see this CSP data in HTTP response headers of the main page using Live Http Headers:
Content-Security-Policy: script-src 'self' https://addons.mozilla.org https://www.paypalobjects.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.google-analytics.com https://addons.cdn.mozilla.net; default-src 'self'; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://ssl.gstatic.com/ https://sentry.prod.mozaws.net; media-src https://videos.cdn.mozilla.net; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; report-uri /__cspreport__

Downloading an XPI file shows this for me:

Content-Security-Policy: default-src 'none'; report-uri /__cspreport__

...

Hi cor-el, yes, this is exactly what happens.


Modified by JanetM.

Helpful reply

John99 said

Further to last post. Browser console at least in iceweasel is needing right click to display headers e.g. Response Headers Δ205ms X-XSS-Protection: 1; mode=block X-Target-Digest: sha256:b705c5b4e5c568f5c536e2e747... X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Backend-Server: ip-172-31-47-33 Vary: X-Mobile, User-Agent Strict-Transport-Security: max-age=31536000 Server: nginx Location: https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.6.2-an+fx+sm+tb.xpi?filehash=sha256%3Ab705c5b4e5c568f5c536e2e747... Date: Thu, 03 Mar 2016 01:17:46 GMT Content-Type: text/html; charset=utf-8 content-security-policy: script-src 'self' https://addons.mozilla.org; ... report-uri /__cspreport__ ...

Hi John,

yes, this was in my case the reason, why I can't download nowhere at the addons.(cdn.)mozilla site .xpi with the 'Save Link as...' method above versions 31.8.

Is this an intended effect or a special constellation from a server where the files are provided?


Modified by JanetM.