Safe Browsing makes requests when disabled

RESOLVED INVALID

Status

()

Toolkit
Safe Browsing
RESOLVED INVALID
4 years ago
4 years ago

People

(Reporter: grobinson, Unassigned)

Tracking

29 Branch
x86_64
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
Found while attempting to reproduce Bug 1008706.

STR:

1. Create a new profile
2. Disable safe browsing (browser.safebrowsing.enable => false in about:config)
3. Visit facebook.com
4. In the browser console, you will see numerous requests made to SafeBrowsing URI's, e.g.

POST https://safebrowsing.google.com/safebrowsing/downloads
GET https://safebrowsing-cache.google.com/safebrowsing/rd/ChVnb29nLWJhZGJpbnVybC1zaGF2YXIQARjh6QEggOsBKhfwdAAA_____
...

Expected behavior:
No requests to any Safe Browsing domains are made when the feature is disabled.
(Reporter)

Updated

4 years ago
Blocks: 1008706
Component: DOM: Security → Phishing Protection
Product: Core → Toolkit
There are 2 prefs to control Safebrowsing, one for phishing (which you found) and one for malware. You must also turn browser.safebrowsing.malware.enabled to false to disable malware checks. These are exposed in the UI as Prefs > Security > "Block reported attack sites" and "Block reported web forgeries".

Are you able to reproduce with both types of safebrowsing disabled?
Flags: needinfo?(grobinson)
I tried to reproduce just now with a fresh profile in FF Nightly:

1) Go to about:config and turn off browser.safebrowsing.enabled and browser.safebrowsing.malware.enabled
2) Go to facebook.com, turn on network developer tools, wait 30 minutes and see no safebrowsing traffic

So I think this is working as intended.

Updated

4 years ago
Depends on: 1025965

Comment 3

4 years ago
I think the naming of browser.safebrowsing.enabled isn't ideal given that it implies it is a superset of all enable/disable functionality within browser.safebrowsing.*

As such, I've filed bug 1025965 for renaming it to browser.safebrowsing.phishing.enabled, to avoid this confusion.
(Reporter)

Comment 4

4 years ago
> Are you able to reproduce with both types of safebrowsing disabled?

I was unable to reproduce with both types of safebrowsing disabled. Sorry for not spotting that there were two different flags for the two types of safebrowsing!

I agree with Ed in Comment 3 - we should rename the pref to avoid this confusion in the future.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(grobinson)
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.