Found while attempting to reproduce Bug 1008706. STR: 1. Create a new profile 2. Disable safe browsing (browser.safebrowsing.enable => false in about:config) 3. Visit facebook.com 4. In the browser console, you will see numerous requests made to SafeBrowsing URI's, e.g. POST https://safebrowsing.google.com/safebrowsing/downloads GET https://safebrowsing-cache.google.com/safebrowsing/rd/ChVnb29nLWJhZGJpbnVybC1zaGF2YXIQARjh6QEggOsBKhfwdAAA_____ ... Expected behavior: No requests to any Safe Browsing domains are made when the feature is disabled.
4 years ago
There are 2 prefs to control Safebrowsing, one for phishing (which you found) and one for malware. You must also turn browser.safebrowsing.malware.enabled to false to disable malware checks. These are exposed in the UI as Prefs > Security > "Block reported attack sites" and "Block reported web forgeries". Are you able to reproduce with both types of safebrowsing disabled?
I tried to reproduce just now with a fresh profile in FF Nightly: 1) Go to about:config and turn off browser.safebrowsing.enabled and browser.safebrowsing.malware.enabled 2) Go to facebook.com, turn on network developer tools, wait 30 minutes and see no safebrowsing traffic So I think this is working as intended.
I think the naming of browser.safebrowsing.enabled isn't ideal given that it implies it is a superset of all enable/disable functionality within browser.safebrowsing.* As such, I've filed bug 1025965 for renaming it to browser.safebrowsing.phishing.enabled, to avoid this confusion.
> Are you able to reproduce with both types of safebrowsing disabled? I was unable to reproduce with both types of safebrowsing disabled. Sorry for not spotting that there were two different flags for the two types of safebrowsing! I agree with Ed in Comment 3 - we should rename the pref to avoid this confusion in the future.