User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0 Steps to reproduce: I observed the http requests associated with Google Safe Browsing and noticed that the full Firefox version is sent with the POST request, for example: https://safebrowsing.google.com/safebrowsing/downloads?client=navclient-auto-ffox&appver=32.0.2&pver=2.2&key=no-google-api-key There isn't a compelling reason to provide this level of detail, as it should make no functional difference. There are various reason to reduce the level of detail, such as to reduce fingerprintability. The patch level has already been removed from the user agent string, per https://bugzilla.mozilla.org/show_bug.cgi?id=728831 Actual results: the firefox patch level is sent to the Google Safe Browsing servers Expected results: the patch level should not be sent
OS: Linux → All
Hardware: x86_64 → All
Component: Untriaged → Phishing Protection
Product: Firefox → Toolkit
We should do this for all of these endpoints: browser.safebrowsing.provider.google.gethashURL browser.safebrowsing.provider.google.updateURL browser.safebrowsing.provider.mozilla.gethashURL browser.safebrowsing.provider.mozilla.updateURL
Summary: don't expose Firefox patch level (32.0.x) in Google Safe Browsing POST requests, only show the major version (32.0) → Don't expose Firefox patch level (32.0.x) in Safe Browsing requests, only the major version (32.0)
Yoshi, here's another easy Safe Browsing bug you could take.
Priority: -- → P5
Assignee: nobody → allstars.chh
Status: UNCONFIRMED → NEW
Ever confirmed: true
WIP, still trying to write a test for this.
Comment on attachment 8747422 [details] [diff] [review] Patch Review of attachment 8747422 [details] [diff] [review]: ----------------------------------------------------------------- The test looks great, thanks Yoshi!
Attachment #8747422 - Flags: review?(francois) → review+
3 years ago
Status: NEW → ASSIGNED
You need to log in before you can comment on or make changes to this bug.