Privatebin: Chrome 83.0.4103. download issue

Created on 10 Jun 2020  Â·  8Comments  Â·  Source: PrivateBin/PrivateBin

Steps to reproduce

  1. Update chrome
  2. Try to download attached file from privatebin

What happens

You will receive such error:

_Download is disallowed. The frame initiating or instantiating the download is sandboxed, but the flag ‘allow-downloads’ is not set. See https://www.chromestatus.com/feature/5706745674465280 for more details._

What should happen

Download should work.

Additional information

I have found such tread in google bug tracker:
https://issuetracker.google.com/issues/157368720

So there is no workaround right now.

Basic information

Server address: -
Server OS: Ubuntu 18.04
Webserver: nginx
Browser: Chrome 83.0.4103+
PrivateBin version: 1.3.4

I can reproduce this issue on https://privatebin.net: No (Because it doesn't support file upload)

Most helpful comment

TL;DR recommendations on instances with file upload:

  • for users: Use Firefox or switch to an instance that allows the attachment downloads.
  • for instance administrators: Append allow-downloads to the sandbox policies in the cspheader configuration option in the file cfg/conf.php and ensure the option is not commented. If you use the recommended defaults, it should end up looking like this:
cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads" 

Further details:

  • the earliest affected PrivateBin version is 1.2 - changing the cspheader as described above will work there as well. Until 1.1 we did implement the attachment download as a data URL, which apparently isn't getting protected by the sandbox in Chrome 83.
  • allow-downloads isn't a documented, standardized or supported setting! Firefox warns in the developer console that the invalid sandbox setting couldn't be applied, Chrome seems to apply any sandbox settings that it supports for iframes.

Question for the other maintainers: As far as I can tell, adding the above setting doesn't have negative side effects except the warning in Firefox. Would you mind if I add it to the defaults in Configuration.php and the cfg/conf.sample.php, even though this isn't in any standard?

You can test the behaviour for yourselfs with the above suggested change to the CSP here with this sample image.

All 8 comments

Thank you very much for your report! I can reproduce this with various Chrome builds (Chrome, Chromium) on different environments (Linux, MacOS) with version 83.

As far as I can tell, we are affected because our recommended Content Security header includes the sandbox clause, which "enables a sandbox for the requested resource similar to the