Strange site behaviour: unsolicited automatic download of linked MP4

In lieu of a ‘bugs and issues’ topic:

The (entirely innocent) reply above mine in Our so-called president appears to trigger an unsolicited, no-confirmation-needed download of the linked file to my device’s download folder simply by scrolling to that reply.

Refreshing the page in the browser triggers an attempt to re-download, repeatably.

There’s a suspiciously onebox-sized gap in the post, but no actual onebox. The post in question is absolutely in good faith, but even if an mp4 file were directly linked to, I’m as surprised that Discourse allowed arbitrary drive-by file download without requiring confirmation, as I am that Chrome did.

Mobile interface (but not the Discourse app), Chrome on Android M. Confirmed by at least one other in the topic.

6 Likes

Screenshot of re-download attempt upon webpage reload:


(Note that I’m only getting prompted here because the file already exists; the first time, I just got the ‘file download complete’ Chrome notification.)

Update: The affected post has now been edited to remove the link to the file. How that worked in the first place is still a question.

4 Likes

FYI / FWIW: I was using the Samsung Internet browser, and it automatically downloaded.

3 Likes

And @garymon and @Lucy_Gothro, both. And at least one of those was on a PC.

3 Likes

I was on my PC.

1 Like

I’m on a PC as well. I clicked cancel. I didn’t get prompted this time on page load.

2 Likes

Lucy’s been a responsible mutant and removed the link.
(How the hell it happened in the first place, and what else will download like that, however…)

6 Likes

Can you PM me the URL? I’ll try to see if it’s a known issue or if I can report it.

4 Likes

Can confirm it’s an issue. At least Firefox prompts.

EDIT:
haven’t checked Known Issues

4 Likes

his name is jeff

1 Like

Here’s where we are:

I can try to update tonight. I’ll make an announcement before I do, to manage expectations during the interruption.

4 Likes

Upgrade complete. Does not address the issue.

Has anyone seen behavior like this with any other video embed, or just from this getyarn.io site?

3 Likes

I missed it, but I looked at getyarn.io and it is serving up videos with Content-Type “application/mp4” instead of Content-Type “video/mp4”, which could make a difference. Most likely to be caused by either Content-Type or Content-Disposition headers. Might make a difference whether it got pulled in as an IFRAME, an EMBED, or a VIDEO element.

7 Likes

I ended up starting a PM with discobot to test the URL. The content-type seems like the likely culprit. I’m not sure if Discourse can do anything about it. Maybe it would be a better issue to take up with getyarn.io?

3 Likes

First of all, thanks for all the hard work and experimentation, there - sincerely, so. :grinning:

From a technical side, isn’t Discourse [already] doing somewhat involved parsing of the URI and related data as part of the decision to Onebox links and/or ‘magic’ functionality like locally cached media from links?

I accept it’s not us, but I’d really kinda hope Discourse themselves would want to squash such a nice little way to throw unsolicited files at a user, either way? It may be the first time someone’s seen this party trick, but I’d hope the discourse peeps would want to close it.

(Can you imagine being able to drop js or advertising or offensive/illegal media (as per http://www.bash.org/?202477, say) from a .ru site to people’s own systems using a burner account, to settle scores, or worse?)

7 Likes
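The two posts above make a concrete, checkable claim: whether a linked media file plays inline or lands in the download folder is decided by the response's Content-Type and Content-Disposition headers, and a forum that already inspects links before oneboxing them could check those headers first. The following Python is an added example written for this thread; it is not Discourse's onebox code or anything from getyarn.io. It parses a raw response head (as `curl -I` prints it), applies a deliberately simple heuristic (an `attachment` disposition or an `application/*` type is treated as download-bound, a known `video/*` type as playable), and exposes a `safe_to_onebox` gate a forum could apply. The header samples are constructed for illustration, and the function names are the example's own.

```python
"""Added example (not Discourse's or getyarn.io's code): classify, from a
media URL's response headers, whether a browser will most likely play the
file inline or hand it straight to its download manager, so a forum could
vet a link before embedding it. Sample response heads are constructed."""

# MIME types that mainstream browsers decode inline in a <video> element.
INLINE_VIDEO_TYPES = {"video/mp4", "video/webm", "video/ogg"}


def parse_raw_headers(raw):
    """Parse a raw HTTP response head (status line plus header lines, the
    shape `curl -I` returns) into a dict keyed by lower-cased header name."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_media_response(headers):
    """Return (verdict, reason) with verdict 'inline', 'download' or 'unknown'.

    Heuristic, not a browser emulation: an attachment disposition always
    means a save; a recognised video/* type plays inline; an application/*
    type (such as the 'application/mp4' reported in the thread) is handed to
    the download manager because the browser has no inline handler for it."""
    h = {k.lower(): v for k, v in headers.items()}
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    ctype = h.get("content-type", "").split(";")[0].strip().lower()

    if disposition == "attachment":
        return "download", "Content-Disposition: attachment forces a save"
    if ctype in INLINE_VIDEO_TYPES:
        return "inline", f"{ctype} is a playable video type"
    if ctype.startswith("application/"):
        return "download", f"{ctype} has no inline handler; browser saves it"
    if not ctype:
        return "unknown", "no Content-Type header; browser will sniff"
    return "unknown", f"{ctype} not in the known-playable list"


def safe_to_onebox(headers):
    """Forum-side gate: only embed a link whose response would play inline."""
    return classify_media_response(headers)[0] == "inline"


# Constructed samples: the first mirrors the Content-Type reported in the
# thread, the second is what a well-behaved video host would send.
SAMPLE_HEAD_DOWNLOAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/mp4\r\n"
    "Content-Length: 1048576\r\n"
    "\r\n"
)
SAMPLE_HEAD_INLINE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: video/mp4\r\n"
    "Accept-Ranges: bytes\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("getyarn-style", SAMPLE_HEAD_DOWNLOAD),
                       ("well-behaved", SAMPLE_HEAD_INLINE)):
        hdrs = parse_raw_headers(raw)
        verdict, reason = classify_media_response(hdrs)
        print(f"{label}: {verdict} ({reason}); onebox ok: {safe_to_onebox(hdrs)}")
```

Run against a real host, feed the output of `curl -sI <url>` into `parse_raw_headers`; the point of the gate is that a forum refuses to embed anything it cannot show playing inline, so a mis-typed or attachment-flagged file falls back to a plain link the reader has to click.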

Sadly, this is why good people are losing the hearts and minds war: we’re not that evil. Some folks on the other hand…

3 Likes

There’s a similar bug report at https://meta.discourse.org/t/google-drive-video-link-causes-swf-download/59719 , and there was one commit in onebox a few days ago labeled "Some types are video.movie not video/movie", so it looks like other people are seeing similar issues and working on those. They may not have seen this particular variation though.

5 Likes

Had a brief exchange, Jeff says to open a ticket/issue post on Meta.

2 Likes
3 Likes

My sincere thanks.

3 Likes