
Don't expose Firefox patch level (32.0.x) in Safe Browsing requests, only the major version (32.0)

RESOLVED FIXED in Firefox 49

Status


Toolkit
Safe Browsing
P5
normal
RESOLVED FIXED
3 years ago
a year ago

People

(Reporter: William Jimenes, Assigned: allstars)

Tracking

({privacy})

32 Branch
mozilla49
privacy
Points:
---

Firefox Tracking Flags

(firefox49 fixed)

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0

Steps to reproduce:

I observed the HTTP requests associated with Google Safe Browsing and noticed that the full Firefox version is sent with the POST request, for example:
https://safebrowsing.google.com/safebrowsing/downloads?client=navclient-auto-ffox&appver=32.0.2&pver=2.2&key=no-google-api-key

There isn't a compelling reason to provide this level of detail, as it should make no functional difference. There are various reasons to reduce the level of detail, such as to reduce fingerprintability.

The patch level has already been removed from the user agent string, per https://bugzilla.mozilla.org/show_bug.cgi?id=728831


Actual results:

The Firefox patch level is sent to the Google Safe Browsing servers.


Expected results:

The patch level should not be sent.
(Reporter)

Updated

3 years ago
Keywords: privacy
OS: Linux → All
Hardware: x86_64 → All
Component: Untriaged → Phishing Protection
Product: Firefox → Toolkit
We should do this for all of these endpoints:

browser.safebrowsing.provider.google.gethashURL
browser.safebrowsing.provider.google.updateURL
browser.safebrowsing.provider.mozilla.gethashURL
browser.safebrowsing.provider.mozilla.updateURL
Blocks: 1149867
Whiteboard: [tpe-seceng]
Summary: don't expose Firefox patch level (32.0.x) in Google Safe Browsing POST requests, only show the major version (32.0) → Don't expose Firefox patch level (32.0.x) in Safe Browsing requests, only the major version (32.0)
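As an added example (not the patch attached to this bug, and not Firefox's own URL-expansion code), the snippet below shows the mitigation the report asks for: reduce the application version to its major version before it is interpolated into each of the four endpoint prefs listed above, and check a built URL for a leaked patch level so a regression would be caught. The `%VERSION%` placeholder name, the gethash URL paths and the Mozilla provider host are assumptions for this example; only the Google downloads URL shape comes from the report.

```javascript
// Added example, not the patch from this bug: reduce a Firefox version to
// its major version before it reaches a Safe Browsing endpoint URL, and
// check an already-built URL for a leaked patch level.

// "32.0.2" -> "32.0". Keeps only the first two dot-separated components,
// so a pre-release suffix on the minor component ("49.0a1") is left as-is.
function majorVersion(appver) {
  if (typeof appver !== "string" || appver.length === 0) {
    throw new TypeError("appver must be a non-empty string");
  }
  return appver.split(".").slice(0, 2).join(".");
}

// The four endpoint prefs named in the bug, each with a %VERSION%
// placeholder. The placeholder name, the gethash paths and the Mozilla
// provider host (mozilla-provider.example) are assumptions for this
// example; the Google downloads URL shape is taken from the report.
const ENDPOINT_TEMPLATES = {
  "browser.safebrowsing.provider.google.updateURL":
    "https://safebrowsing.google.com/safebrowsing/downloads?client=navclient-auto-ffox&appver=%VERSION%&pver=2.2&key=no-google-api-key",
  "browser.safebrowsing.provider.google.gethashURL":
    "https://safebrowsing.google.com/safebrowsing/gethash?client=navclient-auto-ffox&appver=%VERSION%&pver=2.2",
  "browser.safebrowsing.provider.mozilla.updateURL":
    "https://mozilla-provider.example/downloads?client=navclient-auto-ffox&appver=%VERSION%&pver=2.2",
  "browser.safebrowsing.provider.mozilla.gethashURL":
    "https://mozilla-provider.example/gethash?client=navclient-auto-ffox&appver=%VERSION%&pver=2.2",
};

// Fill the placeholder with the reduced version only.
function expandEndpoint(template, appver) {
  return template.replace(/%VERSION%/g, majorVersion(appver));
}

// Defensive check on a finished URL: true if the appver query parameter
// still carries a third numeric component (a patch level such as 32.0.2).
function leaksPatchLevel(url) {
  const appver = new URL(url).searchParams.get("appver");
  if (appver === null) {
    return false;
  }
  return /^\d+\.\d+\.\d+/.test(appver);
}

// Build all four endpoint URLs for a given full version and refuse to
// return any URL in which the patch level survived.
function buildEndpoints(appver) {
  const built = {};
  for (const [pref, template] of Object.entries(ENDPOINT_TEMPLATES)) {
    const url = expandEndpoint(template, appver);
    if (leaksPatchLevel(url)) {
      throw new Error(`patch level leaked into ${pref}: ${url}`);
    }
    built[pref] = url;
  }
  return built;
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed input: the full version from the report's user agent line.
  const urls = buildEndpoints("32.0.2");
  for (const [pref, url] of Object.entries(urls)) {
    console.log(`${pref} = ${url}`);
  }
}

module.exports = { majorVersion, expandEndpoint, leaksPatchLevel, buildEndpoints };
```

Running `leaksPatchLevel` on the URL quoted in the description returns true, which is the condition the bug reports; after `buildEndpoints("32.0.2")` every URL carries `appver=32.0` and the check returns false for each of them.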
Yoshi, here's another easy Safe Browsing bug you could take.
Priority: -- → P5
Whiteboard: [tpe-seceng]
(Assignee)

Comment 3

a year ago
\O/
Assignee: nobody → allstars.chh
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Comment 4

a year ago
Created attachment 8747013 [details] [diff] [review]
WIP - Patch

WIP, still trying to write a test for this.
(Assignee)

Comment 5

a year ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f35e4eb5c0a6
(Assignee)

Comment 6

a year ago
Created attachment 8747422 [details] [diff] [review]
Patch

added test
Attachment #8747013 - Attachment is obsolete: true
Attachment #8747422 - Flags: review?(francois)
Comment on attachment 8747422 [details] [diff] [review]
Patch

Review of attachment 8747422 [details] [diff] [review]:
-----------------------------------------------------------------

The test looks great, thanks Yoshi!
Attachment #8747422 - Flags: review?(francois) → review+
(Assignee)

Updated

a year ago
Status: NEW → ASSIGNED

Comment 8

a year ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/5ff6c2371439

Comment 9

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/5ff6c2371439
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
status-firefox49: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla49