Why you do not want to use the LOAD_ANONYMOUS flag · 2011-01-30 15:49 by Wladimir Palant

When you are creating a Firefox extension, you don’t need to use the browser’s default settings when downloading something; you can choose from a number of load flags defined on the nsIRequest interface instead. Some of them are really useful, e.g. the flags controlling caching. And then there is the LOAD_ANONYMOUS flag, which sounds like a good idea for downloads of public files — after all, why should you allow cookies and such? Making user tracking possible isn’t the point here.

Adblock Plus 1.3.2 added this flag for downloads of filter subscriptions, and development build users didn’t notice any issues. Shortly after the release, however, I had to revert this change and release Adblock Plus 1.3.3. It turned out that “no authorization tokens” included proxy authentication as well. So for users accessing the web through a proxy that requires authorization (e.g. NTLM authorization in some companies), the download would always fail with channel status NS_ERROR_PROXY_CONNECTION_REFUSED and HTTP response “407 Proxy Authentication Required”. Fewer than 0.1% of the users were affected; I must consider myself lucky to have found the problem so soon after the release. Other people might not be so lucky, hence this warning: the LOAD_ANONYMOUS flag might be useful in some very special scenario, but you probably don’t want to use it in your extension.
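The failure signature described above, written as a check with a one-time fallback that drops the flag. This is an added example, not Adblock Plus code: `send`, `downloadWithFallback` and the two stand-in transports are hypothetical, and the constants are local copies of the nsIRequest and Components.results values so that the code runs outside Firefox.

```javascript
// Local copies of nsIRequest.LOAD_ANONYMOUS and the Components.results codes.
const LOAD_ANONYMOUS = 1 << 14;
const NS_OK = 0;
const NS_ERROR_PROXY_CONNECTION_REFUSED = 0x804b0048;

// True only for the combination the article reports: an anonymous request
// that the proxy refused with "407 Proxy Authentication Required".
function isAnonymousProxyFailure(attempt) {
  return (attempt.loadFlags & LOAD_ANONYMOUS) !== 0 &&
         attempt.channelStatus === NS_ERROR_PROXY_CONNECTION_REFUSED &&
         attempt.httpStatus === 407;
}

// send(url, loadFlags, callback) is a hypothetical transport hook; in an
// extension it would wrap XMLHttpRequest and set channel.loadFlags.
function downloadWithFallback(url, send, done) {
  const attempts = [];
  function attempt(loadFlags) {
    send(url, loadFlags, function (channelStatus, httpStatus, body) {
      const record = { loadFlags, channelStatus, httpStatus };
      attempts.push(record);
      if (isAnonymousProxyFailure(record)) {
        // Retry once without the flag so proxy credentials can be sent.
        // The check cannot match again because the flag bit is now clear.
        attempt(loadFlags & ~LOAD_ANONYMOUS);
        return;
      }
      done({ ok: channelStatus === NS_OK && httpStatus === 200, body, attempts });
    });
  }
  attempt(LOAD_ANONYMOUS);
}

// Constructed stand-in for a network behind an authenticating proxy.
function authenticatingProxy(url, loadFlags, callback) {
  if (loadFlags & LOAD_ANONYMOUS) {
    callback(NS_ERROR_PROXY_CONNECTION_REFUSED, 407, null);
  } else {
    callback(NS_OK, 200, "! constructed filter list");
  }
}

// Constructed stand-in for a direct connection without a proxy.
function directConnection(url, loadFlags, callback) {
  callback(NS_OK, 200, "! constructed filter list");
}
```

The retry clears the whole flag, so cookies and other authorization tokens are allowed again on the second attempt; the fallback only keeps the download working for proxy users.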
