Web-bugs: www.archlinux.org - site is not usable ("Download from Mirror" feature broken, regression in [79.0 - 81.0] range)

Created on 16 Aug 2020  ·  7 Comments  ·  Source: webcompat/web-bugs



URL: https://www.archlinux.org/packages/core/x86_64/linux/ (or any other package page)

Browser / Version: Firefox 81.0
Operating System: Linux
Tested Another Browser: Yes: Chrome, Firefox 79.0

Problem type: Site is not usable
Description: Page not loading correctly
Steps to Reproduce:
This is a follow-up of Archweb issue https://bugs.archlinux.org/task/67587 , "'Download From Mirror' broken in Firefox 81, download doesn't start", where we established that the "Download from mirror" feature of Archweb (enabling downloads of Arch Linux packages) is broken in Firefox 81 (Nightly at this time):

  • Works in Chrome
  • Works in Firefox 79 (with a new profile and zero conf/addons)
  • Is broken in Firefox 81 (official mozilla.org build, with a new profile and zero conf/addons). Disabling all Firefox Tracking protection doesn't help.

Steps to reproduce:

  1. Launch Firefox 81
  2. Navigate to https://www.archlinux.org/packages/core/x86_64/linux/
  3. Click "Download From Mirror"

Expected: download starts.

Actual: download does not start. DevTools shows an HTTP 200 OK, but with an incorrect size of a few bytes. See .webm screencast at https://bugs.archlinux.org/task/67587?getfile=18986


Browser Configuration

  • None

_From webcompat.com with ❤️_

browser-firefox engine-gecko os-linux priority-normal severity-critical

All 7 comments

Over at the archweb bug, Archweb maintainer Jelle van der Waa says:

"It seems like the issue might be Firefox nightly now disallows downloading / autoloading a link from https to http"

Can anyone here in webcompat confirm this hypothesis, and link to a spec / rollout plan?

Also, if confirmed, is a silent failure the final/intended UX? I'd understand a doorhanger warning or an error page, but a silent failure is confusing. Is there a bugzilla bug tracking improving that?

Thanks for the report, I was able to reproduce the issue.

Note: The issue is not reproducible on Chrome.

Mozregression:
Last good revision: 2c022fc5b638633885787aa94f1e46a7e6713956
First bad revision: 2b1b3a41c110c7480f299e97b5e13e15dbcff9bf
Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2c022fc5b638633885787aa94f1e46a7e6713956&tochange=2b1b3a41c110c7480f299e97b5e13e15dbcff9bf

Bugzilla issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1614969 Consider blocking mixed content downloads

Tested with:
Browser / Version: Firefox Nightly 81.0a1 (2020-08-16)
Operating System: Windows 10 Pro

Moving to Needsdiagnosis for further investigation.

Note that the problem will no longer be reproducible in Archweb. Over at https://bugs.archlinux.org/task/67587 , Archweb maintainer Jelle says:

The issue should be fixed now, as a new version of the website has been deployed.

I asked there if the problem was in Archweb, or if Firefox misbehavior is still suspected.

This is caused by a change in Nightly to block mixed content downloads (blocking insecure http:// subresources on https:// pages) as @softvision-oana-arbuzov mentioned. Most likely "Download From Mirror" was pointing to a file located on an insecure "http://" page, which now seems to be fixed by the site author, so I think we can close this as fixed.

Note that the problem still persists on other sites, the tracking bug for that is https://bugzilla.mozilla.org/show_bug.cgi?id=1654139. The main issue is that the download is being blocked without any notification to the user, but I think there is work in progress to improve this experience, see https://bugzilla.mozilla.org/show_bug.cgi?id=1614969#c20

Thanks for filing the bug on archlinux @ronjouch 👍
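
A maintainer-side check for the situation this comment describes, as an added example that is not part of the original thread: it flags links on an https:// page that resolve to http://, and conservatively any link whose recorded redirect chain contains an http:// hop. The hosts, markup and redirect table are constructed sample data, and the function names are hypothetical; how Archweb's link actually reached the mirror is not stated in this thread.

```javascript
// Constructed sample data (not from the original page): hypothetical hosts,
// markup, and a redirect table standing in for Location headers a crawler saw.
const SAMPLE_REDIRECTS = {
  "https://site.example/packages/linux/download/":
    "http://mirror.example/core/os/x86_64/linux.pkg.tar.zst",
};
const SAMPLE_HTML = `
  <a href="/packages/linux/download/">Download From Mirror</a>
  <a href="http://mirror.example/iso/latest.iso">ISO</a>
  <a href="https://mirror.example/core.db">core.db</a>
  <a href="#top">Top</a>`;

// Pull href values out of anchor tags (a regex is enough for this sketch).
function extractHrefs(html) {
  const re = /<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  return [...html.matchAll(re)].map((m) => m[1] ?? m[2]);
}

// Follow recorded redirects from startUrl; stop on loops or after maxHops.
function redirectChain(startUrl, redirects, maxHops = 10) {
  const chain = [startUrl];
  let current = startUrl;
  while (redirects[current] !== undefined && chain.length <= maxHops) {
    current = new URL(redirects[current], current).href;
    if (chain.includes(current)) break;
    chain.push(current);
  }
  return chain;
}

// On an https:// page, report each link whose chain has an http:// hop.
function findInsecureDownloads(pageUrl, html, redirects = {}) {
  if (new URL(pageUrl).protocol !== "https:") return []; // not mixed content
  const findings = [];
  for (const href of extractHrefs(html)) {
    let start;
    try { start = new URL(href, pageUrl).href; } catch { continue; }
    const chain = redirectChain(start, redirects);
    const insecureHop = chain.find((u) => new URL(u).protocol === "http:");
    if (insecureHop) findings.push({ href, insecureHop, hops: chain.length });
  }
  return findings;
}
```

Run against the sample data, the relative "Download From Mirror" link is reported only when the redirect table is supplied, which is why an audit that looks at href values alone can miss it.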

This was the issue! I was, however, missing feedback from Firefox to show me why it disallows prompting the "save file as" dialog.

I do like that Firefox is disallowing mixed content as a user expects that the content is loaded over https while it wasn't.

Fully agree with @jelly here, this is currently supremely confusing. I wrote above:

"is a silent failure the final/intended UX? I'd understand a doorhanger warning or an error page, but a silent failure is confusing. Is there a bugzilla bug tracking improving that?"

, but the good news is that https://bugzilla.mozilla.org/show_bug.cgi?id=1614969#c20 confirms Mozilla is aware of the issue:

Please note that the mixed content blocking of downloads is currently enabled in Nightly only. I personally would prefer not to back this patch out, but I agree that we have to improve the user experience before this is ready for release.

Basti is currently working on improving the experience for end users when Firefox blocks insecure downloads.

@Basti, can you link to the right bugs here as well please?

Hope they address this soon.
