Closed Bug 1385484 Opened 8 years ago Closed 8 years ago

Add the login reputation whitelist behind prefs

Categories

(Toolkit :: Safe Browsing, enhancement, P2)

Product:
Toolkit
Component:
Safe Browsing
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla57
Tracking Flags:
Tracking Status
firefox57 --- fixed

People

(Reporter: francois, Assigned: francois)

References

(Blocks 1 open bug)

Details

(Whiteboard: pwphish-prep)

Attachments

(4 files)

Bug 1385484 - Cleanup Safe Browsing prefs and sync the download protection setting.
59 bytes, text/x-review-board-request
hchang
: review+
Details
Bug 1385484 - Remove obsolete prefs and add missing blockedURIs.
59 bytes, text/x-review-board-request
hchang
: review+
Details
Bug 1385484 - Add the login reputation whitelist behind a pref.
59 bytes, text/x-review-board-request
hchang
: review+
Details
Bug 1385484 - Ensure that login reputation checks are disabled in tests.
59 bytes, text/x-review-board-request
hchang
: review+
Details
The login reputation whitelist is the CSD_WHITELIST = 8 threat type: https://searchfox.org/mozilla-central/rev/09c065976fd4f18d4ad764d7cb4bbc684bf56714/toolkit/components/url-classifier/chromium/safebrowsing.proto#278 https://cs.chromium.org/chromium/src/components/safe_browsing_db/v4_protocol_manager_util.cc?l=123&rcl=e65ab0a11b73c8eea0139c0757005432d6dbb0b6 We'll need to create new prefs: - browser.safebrowsing.passwords.enabled = false - urlclassifier.passwordAllowTable = "goog-passwordwhite-proto" One thing to note is that it violates the protocol in that if we find a fullhash on that list, there’s no need to confirm the with server with a fullhash request. We can block things directly as if we didn't have a gethash URL configured (e.g. tracking protection list).
Assignee: nobody → francois
Status: NEW → ASSIGNED
Blocks: 1388938
Blocks: 1388574
Comment on attachment 8895155 [details] Bug 1385484 - Cleanup Safe Browsing prefs and sync the download protection setting. https://reviewboard.mozilla.org/r/166290/#review173262 The prefs move around looks good but I am uncertain about the expected change by turning on 'services.sync.prefs.sync.browser.safebrowsing.downloads.enabled'. ::: browser/app/profile/firefox.js:1168 (Diff revision 1) > pref("services.sync.prefs.sync.browser.newtabpage.enhanced", true); > pref("services.sync.prefs.sync.browser.newtabpage.pinned", true); > pref("services.sync.prefs.sync.browser.offline-apps.notify", true); > pref("services.sync.prefs.sync.browser.safebrowsing.phishing.enabled", true); > pref("services.sync.prefs.sync.browser.safebrowsing.malware.enabled", true); > +pref("services.sync.prefs.sync.browser.safebrowsing.downloads.enabled", true); Even though this pref isn't appeared and explicitly referenced, given that http://searchfox.org/mozilla-central/rev/6482c8a5fa5c7446e82ef187d1a1faff49e3379e/services/sync/modules/engines/prefs.js#92 will enumerate prefs prefixed by 'services.sync.prefs.sync.', this new pref might still enable something, shall it?
Attachment #8895155 - Flags: review?(hchang) → review+
Comment on attachment 8895156 [details] Bug 1385484 - Remove obsolete prefs and add missing blockedURIs. https://reviewboard.mozilla.org/r/166292/#review173270 Should the use of 'browser.safebrowsing.forbiddenURIs.enabled' in http://searchfox.org/mozilla-central/rev/6482c8a5fa5c7446e82ef187d1a1faff49e3379e/mobile/android/chrome/content/browser.js#494 also need to be removed?
Attachment #8895156 - Flags: review?(hchang) → review+
Comment on attachment 8895157 [details] Bug 1385484 - Add the login reputation whitelist behind a pref. https://reviewboard.mozilla.org/r/166294/#review173272
Attachment #8895157 - Flags: review?(hchang) → review+
Comment on attachment 8895158 [details] Bug 1385484 - Ensure that login reputation checks are disabled in tests. https://reviewboard.mozilla.org/r/166296/#review173342 I compared with where 'browser.safebrowsing.phishing.enabled' should be set to false http://searchfox.org/mozilla-central/search?q=browser.safebrowsing.phishing.enabled&case=false&regexp=false&path= and found 'browserElement_SecurityChange.js' MAY potentially require the same overriding as well. However, from what this test case would like to test, the value of 'browser.safebrowsing.passwords.enabled' doesn't seem to matter so we don't need to touch this test case at all. What do you think?
Attachment #8895158 - Flags: review?(hchang) → review+
(In reply to Henry Chang [:hchang] from comment #5) > Comment on attachment 8895155 [details] > Bug 1385484 - Cleanup Safe Browsing prefs and sync the download protection > setting. > > https://reviewboard.mozilla.org/r/166290/#review173262 > > The prefs move around looks good but I am uncertain about the expected > change by turning on > 'services.sync.prefs.sync.browser.safebrowsing.downloads.enabled'. That means that the value of browser.safebrowsing.downloads.enabled will be synced if Firefox Sync is enabled. (In reply to Henry Chang [:hchang] from comment #8) > and found 'browserElement_SecurityChange.js' MAY potentially require the > same overriding as well. > However, from what this test case would like to test, the value of > 'browser.safebrowsing.passwords.enabled' > doesn't seem to matter so we don't need to touch this test case at all. > What do you think? That test is looking for specific security indicators. I don't think we need to disable download protection or password phishing protection.
hg error in cmd: hg push -r tip ssh://hg.mozilla.org/integration/autoland: pushing to ssh://hg.mozilla.org/integration/autoland searching for changes remote: replication log not available; all writes disabled remote: pretxnopen.vcsreplicator hook failed abort: push failed on remote
Pushed by fmarier@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/87ec064a3681 Cleanup Safe Browsing prefs and sync the download protection setting. r=hchang https://hg.mozilla.org/integration/autoland/rev/1a1c476a9aaa Remove obsolete prefs and add missing blockedURIs. r=hchang https://hg.mozilla.org/integration/autoland/rev/2ff443a0c744 Add the login reputation whitelist behind a pref. r=hchang https://hg.mozilla.org/integration/autoland/rev/401c2744f16b Ensure that login reputation checks are disabled in tests. r=hchang
Flags: needinfo?(francois)
Pushed by fmarier@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/43594120d3e2 Cleanup Safe Browsing prefs and sync the download protection setting. r=hchang https://hg.mozilla.org/integration/autoland/rev/02fd2c335027 Remove obsolete prefs and add missing blockedURIs. r=hchang https://hg.mozilla.org/integration/autoland/rev/c3b2fd555480 Add the login reputation whitelist behind a pref. r=hchang https://hg.mozilla.org/integration/autoland/rev/bf49a4faa77d Ensure that login reputation checks are disabled in tests. r=hchang
Comment on attachment 8895156 [details] Bug 1385484 - Remove obsolete prefs and add missing blockedURIs. https://reviewboard.mozilla.org/r/166292/#review185050 ::: testing/geckodriver/src/prefs.rs (Diff revision 3) > ("browser.reader.detectedFirstArticle", Pref::new(true)), > > // Disable safebrowsing components > ("browser.safebrowsing.blockedURIs.enabled", Pref::new(false)), > ("browser.safebrowsing.downloads.enabled", Pref::new(false)), > - ("browser.safebrowsing.enabled", Pref::new(false)), Francois, with which version of Firefox those preferences are no longer in use? I'm worried that those were removed here, because the next version of geckodriver needs if possible backward compatibility back to version 55.
Flags: needinfo?(francois)
Comment on attachment 8895156 [details] Bug 1385484 - Remove obsolete prefs and add missing blockedURIs. https://reviewboard.mozilla.org/r/166292/#review185050 > Francois, with which version of Firefox those preferences are no longer in use? I'm worried that those were removed here, because the next version of geckodriver needs if possible backward compatibility back to version 55. That one was removed in Firefox 50 (see bug 1025965).
(In reply to Henrik Skupin (:whimboo) from comment #22) > I'm worried that those were removed here, because the next version of > geckodriver needs if possible backward compatibility back to version 55. They were all removed in Fx 50 or earlier. See this commit message for the bug links: https://hg.mozilla.org/mozilla-central/rev/02fd2c335027
Flags: needinfo?(francois)
Ok, that's fine then, and we do not cause a regression for our users. In the future maybe also ask for review from testing peers. Thanks.
(In reply to Henrik Skupin (:whimboo) from comment #25) > Ok, that's fine then, and we do not cause a regression for our users. In the > future maybe also ask for review from testing peers. Thanks. Will do. Sorry about that!
Whiteboard: pwphish-prep
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: