Yahoo search is over https, which is great. Search results are sometimes https pages, which is also great. What's not great is Yahoo search bounces the browser through an http host which redirects to the actual target, which leaks the destination to anyone who's listening in at the local coffee shop.

STR:
* run Wireshark (or equivalent packet capturing utility) (filter on port 80 or 443)
* search for something that might have https results (e.g. 'github')
* click the link to github

The browser will first navigate to something like 'http://r.search.yahoo.com/_ylt=AwrTcd7HcKlVNGUALG4nnIlQ;_ylu=X3oDMTEzamsxbWY1BGNvbG8DZ3ExBHBvcwMxBHZ0aWQDRkZHRTAyXzEEc2VjA3Ny/RV=2/RE=1437196616/RO=10/RU=https%3a%2f%2fgithub.com%2f/RK=0/RS=uaXQDZKGnFD0CzrtZi8C8WYAtIk-' before being redirected to https://github.com

Wireshark will see something like this (use "Follow TCP Stream" on the http traffic):

GET /_ylt=A86.J7web6lVtyQAEucnnIlQ;_ylu=X3oDMTEzamsxbWY1BGNvbG8DZ3ExBHBvcwMxBHZ0aWQDRkZHRTAyXzEEc2VjA3Ny/RV=2/RE=1437196191/RO=10/RU=https%3a%2f%2fgithub.com%2f/RK=0/RS=7UWiwK0gQIhXesoxeWYLhFgJQFk- HTTP/1.1
Host: r.search.yahoo.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: <cookie>
Connection: keep-alive

HTTP/1.1 200 OK
Date: Fri, 17 Jul 2015 21:10:02 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: private
Content-Length: 247
Content-Type: text/html; charset="UTF-8"
Age: 0
Connection: keep-alive
Server: ATS

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><script>window.opener=null;window.location.replace("https://github.com/");</script><noscript><META http-equiv="refresh" content="0;URL='https://github.com/'"></noscript></head></html>
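A check for the leak described in the report above, as an added example that is not part of the original bug thread or any Yahoo or Mozilla code: it rebuilds the URL from a plaintext request copied out of a capture, decodes the percent-encoded RU path segment, and reports the https destination that was readable on the wire. The function names and the sample request are constructed for illustration, and the tokens in the sample are placeholders.

```python
from urllib.parse import urlsplit, unquote

def bouncer_fields(url):
    """Return (scheme, {KEY: value}) for a redirect URL whose path is built
    from KEY=value segments, as in the capture in the report."""
    parts = urlsplit(url)
    fields = {}
    for segment in parts.path.split("/"):
        # The first segment holds two ';'-separated pairs (_ylt=...;_ylu=...).
        for piece in segment.split(";"):
            key, sep, value = piece.partition("=")
            if sep:
                fields[key] = unquote(value)  # RU is percent-encoded
    return parts.scheme, fields

def leaked_destination(url):
    """Return the https destination a passive observer can read, else None."""
    scheme, fields = bouncer_fields(url)
    dest = fields.get("RU", "")
    # An https target reached through an http bounce is the case in the report.
    if scheme == "http" and urlsplit(dest).scheme == "https":
        return dest
    return None

def url_from_request(raw):
    """Rebuild the URL from a plaintext request copied out of a capture.
    Anything readable this way was sent over http."""
    lines = raw.splitlines()
    _method, target, _version = lines[0].split(" ", 2)
    host = next(l.split(":", 1)[1].strip() for l in lines[1:]
                if l.lower().startswith("host:"))
    return "http://" + host + target

# Constructed samples in the format shown in the report; TOKEN is a placeholder.
PATH = ("/_ylt=TOKEN;_ylu=TOKEN/RV=2/RE=1437196616/RO=10"
        "/RU=https%3a%2f%2fgithub.com%2f/RK=0/RS=TOKEN-")
REQUEST = "GET " + PATH + " HTTP/1.1\r\nHost: r.search.yahoo.com\r\nDNT: 1\r\n\r\n"

if __name__ == "__main__":
    print(leaked_destination(url_from_request(REQUEST)))            # http bounce
    print(leaked_destination("https://r.search.yahoo.com" + PATH))  # https bounce
```
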
Kev, if I recall correctly, you're the contact person for all things Yahoo search in Firefox. Can you raise this issue/get traction with the appropriate people?
Bouncer URL is not likely to change from HTTP to HTTPS at this point. We have looked at using sendBeacon to replace redirects, but it's not clear that our implementation will satisfy reporting requirements. Best to flag with Mike Connor, as it is still an issue.
I've sent this to Yahoo as an FYI. They are taking a look.
Dkeeler: can you retest and see if you are seeing the same results? We think Yahoo switched to sendBeacon.
On release this seems to be fixed, but I'm still seeing it on Nightly.
> On release this seems to be fixed, but I'm still seeing it on Nightly.

I have no explanation for that.
Hi David, what would be the next steps to move this bug forward?
I imagine we need to reach out to Yahoo again and tell them we're still seeing this behavior on Nightly (at least, I am).
Mike, looks like you reached out in Comment #3 -- would it be possible to follow up here? Thanks!
I've reached out to Yahoo on this.
Yahoo just took a look:

> Sure, I can take a look at it. I checked on nightly build of Firefox and did not see this issue for https outgoing links. Can you please help me in providing more details like which Yahoo search URL and an example search result that was clicked. That will help us debug better.

Does anyone have a link/example of this that I can send Yahoo?
What I'm seeing now is https:// destinations are bounced through an https://r.search.yahoo.com redirect, so those aren't leaking the destination url any longer, and this appears to be fixed.