Downloading website source lets you bypass set content restrictions

[SimonBasca]

Logged via: https://bugzilla.mozilla.org/show_bug.cgi?id=1597647

Steps to reproduce:

Go to your iPhone’s Settings > Screen Time > Content & Privacy Restrictions > Content Restrictions > Limit Adult Websites. Add “github.com” to the blacklist (for easier and SFW testing)
Open the Firefox browser and google out “GitHub”
Try tapping the link to GitHub’s main page. If you did the first step correctly, it should show you a message about the website being blocked
Go back to the Google search results
Tap and hold the link you previously tried opening and pick “Download Link” option from the context menu
Tap “Download Now”. Once the download finishes tap “Downloads” button which should appear in the bottom right corner
Tap the “github.com.html” file to open it.

Actual results:

Doing the above lets you see the contents of a blocked website.

Expected results:

When the user taps “Dowload Now”, the website source code should be downloaded and saved only if loading that website complies with existing Content Restriction policy.

┆Issue is synchronized with this Jira Task

[garvankeeley]

WKWebView implements Limit Adult Websites internally, and URLSession that we use to download has no integration with Limit Adult Websites. I suppose to fix this we could try to navigate to the downloaded url in a hidden webview, and then try to see if the page loaded, and if so then download. Seems like a fragile approach.

[Pietruszek]

Hi! Why was this issue closed? Is there a fix in the upcoming Firefox version?

I’m the original Bugzilla reporter and 2 years later I’m still patiently waiting for a this issue to be resolved…

[dnarcese]

@Pietruszek I am working on clearing up our backlog of things that are not top priority right now. I can re-open if this is still a concern for you.

[Pietruszek]

Ok, thanks for reopening the issue!

[MincDev]

I am not sure if this is currently possible. I have played around with this, but it seems even Safari can be bypassed like this. The only place I am able to detect whether a page is blocked is in the webView(webView:didFailProvisionalNavigation:error) delegate method - Error "The URL was blocked by a content filter", but that is not being triggered when the user long presses a link for a preview, because it does not actually try to navigate to that page. There also does not seem to be any delegate methods that can be tapped into if the preview fails that are similar to the didFailProvisionalNavigation.

Hoping someone can prove me wrong though.