Open Bug 1203635 Opened 8 years ago Updated 4 months ago

Safe Browsing should not check public suffixes

Categories

(Toolkit :: Safe Browsing, defect, P2)

People

(Reporter: francois, Unassigned)

Details

(Keywords: good-first-bug)

The Safe Browsing simplified regex lookup (https://developers.google.com/safe-browsing/developers_guide_v2#RegexLookup) says that we can skip top-level domains: "up to 4 hostnames formed by starting with the last 5 components and successively removing the leading component. The top-level domain can be skipped"

I noticed from the logs posted in bug 1164518 that we don't do this:

    Checking fragment tokyo-ame.jwa.or.jp/ja/
    Checking fragment tokyo-ame.jwa.or.jp/ja/images/
    Checking fragment tokyo-ame.jwa.or.jp/ja/images/button/
    Checking fragment tokyo-ame.jwa.or.jp/ja/images/button/headmenu/home_on.gif
    Checking fragment tokyo-ame.jwa.or.jp/
    Checking fragment or.jp/ja/
    Checking fragment or.jp/ja/images/
    Checking fragment or.jp/ja/images/button/
    Checking fragment or.jp/ja/images/button/headmenu/home_on.gif
    Checking fragment or.jp/
    Checking fragment jwa.or.jp/ja/
    Checking fragment jwa.or.jp/ja/images/
    Checking fragment jwa.or.jp/ja/images/button/
    Checking fragment jwa.or.jp/ja/images/button/headmenu/home_on.gif
    Checking fragment jwa.or.jp/

where "or.jp" is a TLD (http://jprs.co.jp/en/jpdomain.html).

I suggest we exclude all public suffixes from our checks to prevent accidental things like ".co.uk", ".com" or ".geek.nz" getting a partial hit since that would increase latency for a lot of websites.
Priority: -- → P2
Keywords: good-first-bug
Priority: P2 → P3
Priority: P3 → P2

I would like to work on this bug.

Please let me know if I am looking at the wrong code.
https://searchfox.org/mozilla-central/source/toolkit/components/url-classifier/LookupCache.cpp#326-380

Flags: needinfo?(senglehardt)
Assignee: nobody → 1991manish.kumar

Hi Manish, thank you for helping!

(In reply to Manish [:manishkk] from comment #2)

> I would like to work on this bug.
>
> Please let me know if I am looking at the wrong code.
> https://searchfox.org/mozilla-central/source/toolkit/components/url-classifier/LookupCache.cpp#326-380

This is for Path; Host [1] should be the one you are looking for.

[1] https://searchfox.org/mozilla-central/rev/c035ee7d3a5cd6913e7143e1bce549ffb4a566ff/toolkit/components/url-classifier/LookupCache.cpp#298-324

Status: NEW → ASSIGNED
Flags: needinfo?(senglehardt)

Inactive for more than half a year, reset the assignee

Assignee: 1991manish.kumar → nobody
Status: ASSIGNED → NEW
Assignee: nobody → dlee
Status: NEW → ASSIGNED

If we do fix this, I think we'll still want to check the suffix at least for private domains on the public suffix list (i.e., skip .com since this is a "proper" public suffix, but not a domain from the private entries section of the PSL, like apps.fbsbx.com). See [0] for a discussion of the potential attacks.

[0] https://github.com/mozilla-services/shavar-list-creation/issues/102
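
As an added example (not Firefox's LookupCache.cpp code and not written by any commenter here), the sketch below builds the Safe Browsing host candidates described in the first comment, skipping ICANN-section public suffixes while still checking private-section entries such as apps.fbsbx.com, as the comment above asks. The two suffix sets are a small constructed excerpt of the Public Suffix List, the function names are hypothetical, and the input is assumed to be an already canonicalized hostname rather than an IP literal.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Constructed excerpt of the Public Suffix List, split by section.
// A real implementation would query the full list instead.
static const std::set<std::string> kIcannSuffixes = {
    "com", "jp", "or.jp", "uk", "co.uk", "nz", "geek.nz"};
static const std::set<std::string> kPrivateSuffixes = {"apps.fbsbx.com"};

// Only ICANN-section suffixes are skipped. Private-section entries are
// attacker-registrable names, so they stay in the lookup set.
static bool IsSkippableSuffix(const std::string& host) {
  return kIcannSuffixes.count(host) != 0 &&
         kPrivateSuffixes.count(host) == 0;
}

// Hypothetical helper: the exact hostname, then up to 4 hostnames formed
// from the last 5 components by successively removing the leading one.
// Single-label suffixes (the TLD) are never emitted.
std::vector<std::string> HostFragments(const std::string& host) {
  std::vector<size_t> starts = {0};  // offset of each label in host
  for (size_t i = 0; i < host.size(); ++i) {
    if (host[i] == '.') starts.push_back(i + 1);
  }
  const size_t n = starts.size();

  std::vector<std::string> out;
  if (!IsSkippableSuffix(host)) out.push_back(host);
  // With 5 or fewer labels, index 0 would repeat the exact hostname.
  for (size_t i = (n > 5 ? n - 5 : 1); i + 2 <= n; ++i) {
    const std::string suffix = host.substr(starts[i]);
    if (!IsSkippableSuffix(suffix)) out.push_back(suffix);
  }
  return out;
}

int main() {
  // Hostname taken from the log in the first comment; "or.jp" is dropped.
  for (const auto& h : HostFragments("tokyo-ame.jwa.or.jp")) {
    std::cout << "Checking host " << h << "\n";
  }
  return 0;
}
```
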

This good-first-bug hasn't had any activity for 6 months, it is automatically unassigned.
For more information, please visit auto_nag documentation.

Assignee: dlee → nobody
Status: ASSIGNED → NEW
Severity: normal → S3

Hello, I would like to work on this bug.
I am new and this is my first issue so please guide me in this.
