Closed Bug 1025358 Opened 10 years ago Closed 10 years ago

Safe Browsing makes requests when disabled

Categories

(Toolkit :: Safe Browsing, defect)

29 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: grobinson, Unassigned)

Found while attempting to reproduce Bug 1008706.

STR:

1. Create a new profile
2. Disable safe browsing (browser.safebrowsing.enable => false in about:config)
3. Visit facebook.com
4. In the browser console, you will see numerous requests made to SafeBrowsing URIs, e.g.

POST https://safebrowsing.google.com/safebrowsing/downloads
GET https://safebrowsing-cache.google.com/safebrowsing/rd/ChVnb29nLWJhZGJpbnVybC1zaGF2YXIQARjh6QEggOsBKhfwdAAA_____
...

Expected behavior:
No requests to any Safe Browsing domains are made when the feature is disabled.
Blocks: 1008706
Component: DOM: Security → Phishing Protection
Product: Core → Toolkit
There are 2 prefs to control Safebrowsing, one for phishing (which you found) and one for malware. You must also turn browser.safebrowsing.malware.enabled to false to disable malware checks. These are exposed in the UI as Prefs > Security > "Block reported attack sites" and "Block reported web forgeries".

Are you able to reproduce with both types of safebrowsing disabled?
Flags: needinfo?(grobinson)
I tried to reproduce just now with a fresh profile in FF Nightly:

1) Go to about:config and turn off browser.safebrowsing.enabled and browser.safebrowsing.malware.enabled
2) Go to facebook.com, turn on network developer tools, wait 30 minutes and see no safebrowsing traffic

So I think this is working as intended.
Depends on: 1025965
I think the naming of browser.safebrowsing.enabled isn't ideal given that it implies it is a superset of all enable/disable functionality within browser.safebrowsing.*

As such, I've filed bug 1025965 for renaming it to browser.safebrowsing.phishing.enabled, to avoid this confusion.
> Are you able to reproduce with both types of safebrowsing disabled?

I was unable to reproduce with both types of safebrowsing disabled. Sorry for not spotting that there were two different flags for the two types of safebrowsing!

I agree with Ed in Comment 3 - we should rename the pref to avoid this confusion in the future.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(grobinson)
Resolution: --- → INVALID
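
The thread resolves on two independent prefs, one for phishing and one for malware. As an added example (not part of the bug report and not Firefox code), this Python check reads the text of a profile's prefs.js or user.js and flags the half-disabled state the reporter hit. Treating an unset pref as enabled is an assumption, and the sample inputs are constructed.

```python
import re

# Pref names taken from the bug discussion; the default is an assumption
# (a protection is treated as on unless the profile overrides it).
SAFE_BROWSING_PREFS = {
    "browser.safebrowsing.enabled": "phishing (reported web forgeries)",
    "browser.safebrowsing.malware.enabled": "malware (reported attack sites)",
}
ASSUMED_DEFAULT = True

# Matches lines such as: user_pref("browser.safebrowsing.enabled", false);
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.MULTILINE
)


def parse_bool_prefs(text):
    """Return {pref_name: bool} for boolean user_pref() lines; last one wins."""
    return {name: value == "true" for name, value in PREF_LINE.findall(text)}


def audit_safe_browsing(text):
    """Classify a profile as 'enabled', 'partial' or 'disabled' and list
    the protections that can still generate Safe Browsing requests."""
    prefs = parse_bool_prefs(text)
    still_on = [
        f"{name}: {label}"
        for name, label in SAFE_BROWSING_PREFS.items()
        if prefs.get(name, ASSUMED_DEFAULT)
    ]
    if not still_on:
        state = "disabled"
    elif len(still_on) == len(SAFE_BROWSING_PREFS):
        state = "enabled"
    else:
        state = "partial"
    return state, still_on


# Constructed sample: the reporter's configuration, one pref flipped.
SAMPLE_PARTIAL = 'user_pref("browser.safebrowsing.enabled", false);\n'
# Constructed sample: both prefs flipped, as in the later reproduction attempt.
SAMPLE_BOTH = SAMPLE_PARTIAL + 'user_pref("browser.safebrowsing.malware.enabled", false);\n'

if __name__ == "__main__":
    for label, text in (("one pref", SAMPLE_PARTIAL), ("both prefs", SAMPLE_BOTH)):
        print(label, audit_safe_browsing(text))
```

A "partial" result is the case from this bug: the profile looks as if Safe Browsing is off, yet one list is still being fetched.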