Remove auto-open downloads featurewip/autoopen

This is inherently unsafe because a webpage can download a malicious
file without user interaction, and trust it will open automatically in
a vulnerable application.

We will continue to download files automatically, despite the various
Chrome hacks from last year proving that this can be abused via tracker
and GNOME desktop thumbnailers. Tracker now mitigates this risk using
libseccomp, and GNOME desktop thumbnailers are now run under bubblewrap.

https://bugzilla.gnome.org/show_bug.cgi?id=794681

7 files changed, 4 insertions, 37 deletions

diff --git a/data/org.gnome.epiphany.gschema.xml b/data/org.gnome.epiphany.gschema.xml
index a8020999e..f1f3d275f 100644
--- a/data/org.gnome.epiphany.gschema.xml
+++ b/data/org.gnome.epiphany.gschema.xml
@@ -46,11 +46,6 @@
                           DEPRECATED: This key is deprecated and ignored. Use /org/gnome/epiphany/web/user-agent instead.
                         </description>
 		</key>
-		<key type="b" name="automatic-downloads">
-			<default>false</default>
-			<summary>Automatic downloads</summary>
-			<description>When files cannot be opened by the browser they are automatically downloaded to the download folder and opened with the appropriate application.</description>
-		</key>
 		<key type="b" name="new-windows-in-tabs">
 			<default>true</default>
 			<summary>Force new windows to be opened in tabs</summary>
diff --git a/embed/ephy-download.c b/embed/ephy-download.c
index d73d0444d..e10dabf05 100644
--- a/embed/ephy-download.c
+++ b/embed/ephy-download.c
@@ -451,10 +451,6 @@ ephy_download_do_download_action (EphyDownload          *download,
       LOG ("ephy_download_do_download_action: none");
       ret = TRUE;
       break;
-    case EPHY_DOWNLOAD_ACTION_DO_NOT_AUTO_OPEN:
-      LOG ("ephy_download_do_download_action: do_not_auto_open");
-      ret = TRUE;
-      break;
     default:
       g_assert_not_reached ();
   }
@@ -520,9 +516,8 @@ ephy_download_class_init (EphyDownloadClass *klass)
   /**
    * EphyDownload::action:
    *
-   * Action to take when the download finishes and "Automatically download and
-   * open files" is enabled, or when ephy_download_do_download_action () is
-   * called.
+   * Action to take when the download finishes or when
+   * ephy_download_do_download_action () is called.
    */
   obj_properties[PROP_ACTION] =
     g_param_spec_enum ("action",
@@ -726,11 +721,7 @@ download_finished_cb (WebKitDownload *wk_download,
 {
   download->finished = TRUE;
 
-  if (g_settings_get_boolean (EPHY_SETTINGS_MAIN, EPHY_PREFS_AUTO_DOWNLOADS) &&
-      download->action == EPHY_DOWNLOAD_ACTION_NONE)
-    ephy_download_do_download_action (download, EPHY_DOWNLOAD_ACTION_OPEN, download->start_time);
-  else
-    ephy_download_do_download_action (download, download->action, download->start_time);
+  ephy_download_do_download_action (download, download->action, download->start_time);
 
   if (download->show_notification)
     display_download_finished_notification (wk_download);
diff --git a/embed/ephy-download.h b/embed/ephy-download.h
index fff841bd8..d2435812f 100644
--- a/embed/ephy-download.h
+++ b/embed/ephy-download.h
@@ -33,8 +33,7 @@ typedef enum
 {
   EPHY_DOWNLOAD_ACTION_NONE,
   EPHY_DOWNLOAD_ACTION_BROWSE_TO,
-  EPHY_DOWNLOAD_ACTION_OPEN,
-  EPHY_DOWNLOAD_ACTION_DO_NOT_AUTO_OPEN
+  EPHY_DOWNLOAD_ACTION_OPEN
 } EphyDownloadActionType;
 
 EphyDownload *ephy_download_new                   (WebKitDownload *download);
diff --git a/embed/ephy-filters-manager.c b/embed/ephy-filters-manager.c
index 96697041f..7e4cebcef 100644
--- a/embed/ephy-filters-manager.c
+++ b/embed/ephy-filters-manager.c
@@ -148,7 +148,6 @@ start_retrieving_filter_file (EphyFiltersManager *manager,
   char *path;
 
   download = ephy_download_new_for_uri (filter_url);
-  ephy_download_set_action (download, EPHY_DOWNLOAD_ACTION_DO_NOT_AUTO_OPEN);
   path = g_file_get_uri (destination);
   ephy_download_set_destination_uri (download, path);
   ephy_download_disable_desktop_notification (download);
diff --git a/lib/ephy-prefs.h b/lib/ephy-prefs.h
index 84f2ff168..3f4ac1c19 100644
--- a/lib/ephy-prefs.h
+++ b/lib/ephy-prefs.h
@@ -133,7 +133,6 @@ static const char * const ephy_prefs_web_schema[] = {
 #define EPHY_PREFS_HOMEPAGE_URL                       "homepage-url"
 #define EPHY_PREFS_DEPRECATED_USER_AGENT              "user-agent"
 #define EPHY_PREFS_NEW_WINDOWS_IN_TABS                "new-windows-in-tabs"
-#define EPHY_PREFS_AUTO_DOWNLOADS                     "automatic-downloads"
 #define EPHY_PREFS_WARN_ON_CLOSE_UNSUBMITTED_DATA     "warn-on-close-unsubmitted-data"
 #define EPHY_PREFS_DEPRECATED_REMEMBER_PASSWORDS      "remember-passwords"
 #define EPHY_PREFS_KEYWORD_SEARCH_URL                 "keyword-search-url"
diff --git a/src/prefs-dialog.c b/src/prefs-dialog.c
index 1c9913fa8..90a6c50ae 100644
--- a/src/prefs-dialog.c
+++ b/src/prefs-dialog.c
@@ -76,7 +76,6 @@ struct _PrefsDialog {
   GtkWidget *custom_homepage_entry;
   GtkWidget *download_button_hbox;
   GtkWidget *download_button_label;
-  GtkWidget *automatic_downloads_checkbutton;
   GtkWidget *search_box;
   GtkWidget *session_box;
   GtkWidget *restore_session_checkbutton;
@@ -730,7 +729,6 @@ prefs_dialog_class_init (PrefsDialogClass *klass)
   gtk_widget_class_bind_template_child (widget_class, PrefsDialog, blank_homepage_radiobutton);
   gtk_widget_class_bind_template_child (widget_class, PrefsDialog, custom_homepage_radiobutton);
   gtk_widget_class_bind_template_child (widget_class, PrefsDialog, custom_homepage_entry);
-  gtk_widget_class_bind_template_child (widget_class, PrefsDialog, automatic_downloads_checkbutton);
   gtk_widget_class_bind_template_child (widget_class, PrefsDialog, search_box);
   gtk_widget_class_bind_template_child (widget_class, PrefsDialog, session_box);
   gtk_widget_class_bind_template_child (widget_class, PrefsDialog, restore_session_checkbutton);
@@ -1710,11 +1708,6 @@ setup_general_page (PrefsDialog *dialog)
                     G_CALLBACK (custom_homepage_entry_icon_released),
                     NULL);
 
-  g_settings_bind (settings,
-                   EPHY_PREFS_AUTO_DOWNLOADS,
-                   dialog->automatic_downloads_checkbutton,
-                   "active",
-                   G_SETTINGS_BIND_DEFAULT);
   g_settings_bind_with_mapping (settings,
                                 EPHY_PREFS_RESTORE_SESSION_POLICY,
                                 dialog->restore_session_checkbutton,
@@ -2007,8 +2000,6 @@ prefs_dialog_init (PrefsDialog *dialog)
                           mode != EPHY_EMBED_SHELL_MODE_APPLICATION);
   gtk_widget_set_visible (dialog->search_box,
                           mode != EPHY_EMBED_SHELL_MODE_APPLICATION);
-  gtk_widget_set_visible (dialog->automatic_downloads_checkbutton,
-                          mode != EPHY_EMBED_SHELL_MODE_APPLICATION);
   gtk_widget_set_visible (dialog->session_box,
                           mode != EPHY_EMBED_SHELL_MODE_APPLICATION);
   gtk_widget_set_visible (dialog->do_not_track_checkbutton,
diff --git a/src/resources/gtk/prefs-dialog.ui b/src/resources/gtk/prefs-dialog.ui
index e2584996a..8fdba6b7f 100644
--- a/src/resources/gtk/prefs-dialog.ui
+++ b/src/resources/gtk/prefs-dialog.ui
@@ -140,13 +140,6 @@
                                 </child>
                               </object>
                             </child>
-                            <child>
-                              <object class="GtkCheckButton" id="automatic_downloads_checkbutton">
-                                <property name="label" translatable="yes">A_utomatically open downloaded files</property>
-                                <property name="visible">False</property>
-                                <property name="use-underline">True</property>
-                              </object>
-                            </child>
                           </object>
                         </child>
                       </object>