Closed Bug 1077874 Opened 10 years ago Closed 8 years ago

Don't expose Firefox patch level (32.0.x) in Safe Browsing requests, only the major version (32.0)

Categories

(Toolkit :: Safe Browsing, defect, P5)

Product:
Toolkit
Component:
Safe Browsing
Version:
32 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla49
Tracking Flags:
Tracking Status
firefox49 --- fixed

People

(Reporter: WilliamWJimenes, Assigned: allstars.chh)

References

Details

(Keywords: privacy)

Attachments

(1 file, 1 obsolete file)

Patch
7.52 KB, patch
francois
: review+
Details | Diff | Splinter Review 
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0

Steps to reproduce:

I observed the http requests associated with Google Safe Browsing and noticed that the full Firefox version is sent with the POST request, for example:
https://safebrowsing.google.com/safebrowsing/downloads?client=navclient-auto-ffox&appver=32.0.2&pver=2.2&key=no-google-api-key

There isn't a compelling reason to provide this level of detail, as it should make no functional difference. There are various reason to reduce the level of detail, such as to reduce fingerprintability.

The patch level has already been removed from the user agent string, per https://bugzilla.mozilla.org/show_bug.cgi?id=728831


Actual results:

the firefox patch level is sent to the Google Safe Browsing servers


Expected results:

the patch level should not be sent
Keywords: privacy
OS: Linux → All
Hardware: x86_64 → All
Component: Untriaged → Phishing Protection
Product: Firefox → Toolkit
We should do this for all of these endpoints:

browser.safebrowsing.provider.google.gethashURL
browser.safebrowsing.provider.google.updateURL
browser.safebrowsing.provider.mozilla.gethashURL
browser.safebrowsing.provider.mozilla.updateURL
Blocks: 1149867
Whiteboard: [tpe-seceng]
Summary: don't expose Firefox patch level (32.0.x) in Google Safe Browsing POST requests, only show the major version (32.0) → Don't expose Firefox patch level (32.0.x) in Safe Browsing requests, only the major version (32.0)
Yoshi, here's another easy Safe Browsing bug you could take.
Priority: -- → P5
Whiteboard: [tpe-seceng]
\O/
Assignee: nobody → allstars.chh
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached patch WIP - Patch (obsolete) — Splinter Review 
WIP, still trying to write a test for this.
Attached patch PatchSplinter Review 
added test
Attachment #8747013 - Attachment is obsolete: true
Attachment #8747422 - Flags: review?(francois)
Comment on attachment 8747422 [details] [diff] [review]
Patch

Review of attachment 8747422 [details] [diff] [review]:
-----------------------------------------------------------------

The test looks great, thanks Yoshi!
Attachment #8747422 - Flags: review?(francois) → review+
Status: NEW → ASSIGNED
https://hg.mozilla.org/mozilla-central/rev/5ff6c2371439
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox49: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: