Safe Browsing should not check public suffixes
Categories (Toolkit :: Safe Browsing, defect, P3)
People (Reporter: francois, Unassigned)
Details (Keywords: good-first-bug)
The Safe Browsing simplified regex lookup (https://developers.google.com/safe-browsing/developers_guide_v2#RegexLookup) says that we can skip top-level domains:

"up to 4 hostnames formed by starting with the last 5 components and successively removing the leading component. The top-level domain can be skipped"

I noticed from the logs posted in bug 1164518 that we don't do this:

    Checking fragment tokyo-ame.jwa.or.jp/ja/
    Checking fragment tokyo-ame.jwa.or.jp/ja/images/
    Checking fragment tokyo-ame.jwa.or.jp/ja/images/button/
    Checking fragment tokyo-ame.jwa.or.jp/ja/images/button/headmenu/home_on.gif
    Checking fragment tokyo-ame.jwa.or.jp/
    Checking fragment or.jp/ja/
    Checking fragment or.jp/ja/images/
    Checking fragment or.jp/ja/images/button/
    Checking fragment or.jp/ja/images/button/headmenu/home_on.gif
    Checking fragment or.jp/
    Checking fragment jwa.or.jp/ja/
    Checking fragment jwa.or.jp/ja/images/
    Checking fragment jwa.or.jp/ja/images/button/
    Checking fragment jwa.or.jp/ja/images/button/headmenu/home_on.gif
    Checking fragment jwa.or.jp/

where "or.jp" is a TLD (http://jprs.co.jp/en/jpdomain.html).

I suggest we exclude all public suffixes from our checks to prevent accidental things like ".co.uk", ".com" or ".geek.nz" getting a partial hit since that would increase latency for a lot of websites.
Comment 1•6 years ago
We should update our python-based list parser when this bug is fixed. See: https://github.com/mozilla/trackingprotection-tools/blob/fef2141d37b8025c127ad8fa7546dad08c47b15e/DisconnectParser.py#L200-L229.
Comment 2•5 years ago
I would like to work on this bug.
Please let me know if I am looking at the wrong code.
https://searchfox.org/mozilla-central/source/toolkit/components/url-classifier/LookupCache.cpp#326-380
Comment 3•5 years ago
Hi Manish, Thank you for helping!
(In reply to Manish [:manishkk] from comment #2)
> I would like to work on this bug.
> Please let me know if I am looking at the wrong code.
> https://searchfox.org/mozilla-central/source/toolkit/components/url-classifier/LookupCache.cpp#326-380
This is for Path, Host[1] should be the one you are looking for.
Comment 4•5 years ago
Inactive for more than half a year, reset the assignee
Comment 5•5 years ago
If we do fix this, I think we'll still want to check the suffix at least for private domains on the public suffix list (i.e., skip .com since this is a "proper" public suffix, but not a domain from the private entries section of the PSL, like apps.fbsbx.com). See [0] for a discussion of the potential attacks.
[0] https://github.com/mozilla-services/shavar-list-creation/issues/102
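
The host-candidate rule quoted in the description, combined with the exception comment 5 asks for, as an added C++ example (not code from LookupCache.cpp or from anyone in this bug). The suffix set is a constructed stand-in for the ICANN section of the Public Suffix List, `splitHost` and `hostCandidates` are hypothetical names, and the host is assumed to be an already-canonicalized DNS name rather than an IP address.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Constructed stand-in for the ICANN section of the Public Suffix List.
// Private-section entries such as apps.fbsbx.com are deliberately absent,
// so they are still looked up (the exception requested in comment 5).
static const std::set<std::string> kIcannSuffixes = {
    "com", "jp", "or.jp", "uk", "co.uk", "nz", "geek.nz"};

// Split a canonicalized DNS host name into its dot-separated components.
static std::vector<std::string> splitHost(const std::string& host) {
  std::vector<std::string> parts;
  size_t start = 0, dot;
  while ((dot = host.find('.', start)) != std::string::npos) {
    parts.push_back(host.substr(start, dot - start));
    start = dot + 1;
  }
  parts.push_back(host.substr(start));
  return parts;
}

// Exact host first, then up to 4 suffixes built from the last 5 components,
// dropping the bare TLD and every suffix that is an ICANN public suffix.
std::vector<std::string> hostCandidates(const std::string& host) {
  std::vector<std::string> out{host};
  const std::vector<std::string> parts = splitHost(host);
  const size_t n = parts.size();
  // Index 0 is the exact host, so shorter hosts start at component 1.
  for (size_t i = (n > 5 ? n - 5 : 1); i + 2 <= n; ++i) {
    std::string suffix = parts[i];
    for (size_t j = i + 1; j < n; ++j) suffix += "." + parts[j];
    if (kIcannSuffixes.count(suffix) == 0) out.push_back(suffix);
  }
  return out;
}

int main() {
  for (const char* h : {"tokyo-ame.jwa.or.jp", "x.apps.fbsbx.com"}) {
    for (const std::string& c : hostCandidates(h)) std::cout << c << "\n";
    std::cout << "--\n";
  }
}
```

For the host in the logs above this leaves two host candidates instead of three, so the five `or.jp/...` fragments are never checked.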
Comment 6•3 years ago
This good-first-bug hasn't had any activity for 6 months, it is automatically unassigned.
For more information, please visit auto_nag documentation.
Comment 7•1 year ago
Hello, I would like to work on this bug.
I am new and this is my first issue so please guide me in this.