Don't expose Firefox patch level (32.0.x) in Safe Browsing requests, only the major version (32.0)

RESOLVED FIXED in Firefox 49

Status

()

defect
P5
normal
RESOLVED FIXED
5 years ago
3 years ago

People

(Reporter: WilliamWJimenes, Assigned: allstars.chh)

Tracking

({privacy})

32 Branch
mozilla49
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox49 fixed)

Details

Attachments

(1 attachment, 1 obsolete attachment)

Reporter

Description

5 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0

Steps to reproduce:

I observed the http requests associated with Google Safe Browsing and noticed that the full Firefox version is sent with the POST request, for example:
https://safebrowsing.google.com/safebrowsing/downloads?client=navclient-auto-ffox&appver=32.0.2&pver=2.2&key=no-google-api-key

There isn't a compelling reason to provide this level of detail, as it should make no functional difference. There are various reason to reduce the level of detail, such as to reduce fingerprintability.

The patch level has already been removed from the user agent string, per https://bugzilla.mozilla.org/show_bug.cgi?id=728831


Actual results:

the firefox patch level is sent to the Google Safe Browsing servers


Expected results:

the patch level should not be sent
Reporter

Updated

5 years ago
Keywords: privacy
OS: Linux → All
Hardware: x86_64 → All
Component: Untriaged → Phishing Protection
Product: Firefox → Toolkit
We should do this for all of these endpoints:

browser.safebrowsing.provider.google.gethashURL
browser.safebrowsing.provider.google.updateURL
browser.safebrowsing.provider.mozilla.gethashURL
browser.safebrowsing.provider.mozilla.updateURL
Blocks: 1149867
Whiteboard: [tpe-seceng]
Summary: don't expose Firefox patch level (32.0.x) in Google Safe Browsing POST requests, only show the major version (32.0) → Don't expose Firefox patch level (32.0.x) in Safe Browsing requests, only the major version (32.0)
Yoshi, here's another easy Safe Browsing bug you could take.
Priority: -- → P5
Whiteboard: [tpe-seceng]
\O/
Assignee: nobody → allstars.chh
Status: UNCONFIRMED → NEW
Ever confirmed: true
Posted patch WIP - Patch (obsolete) — Splinter Review
WIP, still trying to write a test for this.
Posted patch PatchSplinter Review
added test
Attachment #8747013 - Attachment is obsolete: true
Attachment #8747422 - Flags: review?(francois)
Comment on attachment 8747422 [details] [diff] [review]
Patch

Review of attachment 8747422 [details] [diff] [review]:
-----------------------------------------------------------------

The test looks great, thanks Yoshi!
Attachment #8747422 - Flags: review?(francois) → review+
Status: NEW → ASSIGNED

Comment 9

3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/5ff6c2371439
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
You need to log in before you can comment on or make changes to this bug.