Closed
Bug 1431192
Opened 6 years ago
Closed 6 years ago
Firefox fetches safe browsing information even if Deceptive Content and Dangerous Software Protection is off
Categories
(Toolkit :: Safe Browsing, defect, P1)
Tracking
RESOLVED
FIXED
mozilla60
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox58 | --- | wontfix |
firefox59 | --- | fixed |
firefox60 | --- | fixed |
People
(Reporter: etrapani, Assigned: francois)
References
Details
(Keywords: nightly-community, regression)
Attachments
(1 file)
59 bytes, text/x-review-board-request | gcp: review+, RyanVM: approval-mozilla-beta+
To reproduce:
- download nightly and run it on a clean profile
- run it and check the browser console, where the fetching of the safe browsing information from Google happens[1]. That is normal.
- go to preferences and disable Deceptive Content and Dangerous Software Protection. The ones below will be greyed out.
- set browser.safebrowsing.provider.google4.nextupdatetime to "1"
- quit
- start the browser and check the console. Now, even though browser.safebrowsing.malware.enabled and browser.safebrowsing.phishing.enabled are false, Firefox still fetches the resource[1]

Expected behaviour: If "Deceptive Content and Dangerous Software Protection" is off, then there should be no network connection to the providers of those services.

[1] https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch ...
Reporter
Updated•6 years ago
Component: Foxfooding → General
Updated•6 years ago
Component: General → Safe Browsing
Product: Firefox → Toolkit
Comment 1•6 years ago
Hey Johann, I wanted to make sure someone in seceng looks at this while Francois is out.
Flags: needinfo?(jhofmann)
Comment 2•6 years ago
Thanks! So, uh, François is the expert on SafeBrowsing, but after a quick check it seems to me like setting browser.safebrowsing.provider.google4.nextupdatetime to 1 is intentionally forcing a table refresh, and we generally don't support users meddling with their about:config. Eduardo, can you confirm that without going into about:config, the request to SafeBrowsing is not made?
Flags: needinfo?(jhofmann) → needinfo?(etrapani)
Reporter
Comment 3•6 years ago
Yes, I just confirmed it. A day later, without any changes (and Deceptive Content and Dangerous Software Protection off) I started Firefox and it refreshed the resource. Once I spotted this, I wanted a quick way to reproduce it for this report, that's why I set it to 1.

Actually, it might be clearer to set
browser.safebrowsing.provider.google.nextupdatetime = browser.safebrowsing.provider.google.lastupdatetime + x
It feels less hackish, but the result is the same.
Flags: needinfo?(etrapani)
Assignee
Comment 4•6 years ago
I think that this regression was introduced in bug 1388574.

Eduardo, can you please try the following:

1. Leave "Block dangerous and deceptive content" enabled.
2. Uncheck "Block dangerous downloads".
3. Uncheck "Block dangerous and deceptive content".
4. Set browser.safebrowsing.provider.google4.nextupdatetime=1

Then restart Firefox and see if it still connects to the Google Safe Browsing server.
Assignee: nobody → francois
Blocks: 1388574
Status: NEW → ASSIGNED
status-firefox58: --- → affected
status-firefox59: --- → affected
status-firefox60: --- → affected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(etrapani)
Keywords: regression
Priority: -- → P1
Reporter
Comment 5•6 years ago
> Eduardo, can you please try the following:
>
> 1. Leave "Block dangerous and deceptive content" enabled.
> 2. Uncheck "Block dangerous downloads".
> 3. Uncheck "Block dangerous and deceptive content".
> 4. Set browser.safebrowsing.provider.google4.nextupdatetime=1
>
> Then restart Firefox and see if it still connects to the Google Safe
> Browsing server.
If I follow those steps, Firefox no longer connects to the Google Safe Browsing server.
Flags: needinfo?(etrapani)
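
Added example, not part of the bug thread or of Mozilla's code: a small Node.js audit of a profile's prefs.js that reports the Safe Browsing switches and flags the combination the reporter's steps produce, as opposed to the one from comment 4. It assumes that "Block dangerous downloads" is backed by browser.safebrowsing.downloads.enabled (a pref name not quoted in this bug), that prefs.js stores only user-changed values, and that an absent switch counts as enabled; both sample profiles are constructed.

```javascript
// Added example: audit a Firefox prefs.js for the pref state discussed in this bug.
// Assumptions: prefs.js holds only user-changed values, and each switch below
// counts as enabled (true) when it is absent from the file.
const MALWARE = "browser.safebrowsing.malware.enabled";
const PHISHING = "browser.safebrowsing.phishing.enabled";
// Not quoted on the page; assumed to back the "Block dangerous downloads" checkbox.
const DOWNLOADS = "browser.safebrowsing.downloads.enabled";
const NEXT_UPDATE = "browser.safebrowsing.provider.google4.nextupdatetime";

// Parse `user_pref("name", value);` lines into a Map of name -> value.
function parseUserPrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$/.exec(line);
    if (!m) continue; // comments and blank lines
    try {
      prefs.set(m[1], JSON.parse(m[2])); // booleans, integers, quoted strings
    } catch {
      prefs.set(m[1], m[2]); // keep anything else as raw text
    }
  }
  return prefs;
}

// Report the switches and flag the combination from the reporter's steps:
// both protections off while the download switch is still on.
function auditSafeBrowsing(text) {
  const prefs = parseUserPrefs(text);
  const on = (name) => (prefs.has(name) ? prefs.get(name) === true : true);
  const state = { malware: on(MALWARE), phishing: on(PHISHING), downloads: on(DOWNLOADS) };
  return {
    ...state,
    nextUpdateTime: prefs.get(NEXT_UPDATE) ?? null,
    matchesBugState: !state.malware && !state.phishing && state.downloads,
  };
}

// Constructed sample: profile after the reporter's steps.
const REPORTER_PROFILE = `// Mozilla User Preferences
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("browser.safebrowsing.provider.google4.nextupdatetime", "1");
`;
// Constructed sample: same, after also unchecking "Block dangerous downloads" first.
const COMMENT4_PROFILE = REPORTER_PROFILE +
  'user_pref("browser.safebrowsing.downloads.enabled", false);\n';

console.log(auditSafeBrowsing(REPORTER_PROFILE));
console.log(auditSafeBrowsing(COMMENT4_PROFILE));
```

A profile that reports `matchesBugState: true` on a build marked affected in the tracking table is one to watch in the browser console for the update request the reporter describes.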
Comment hidden (mozreview-request) |
Comment 7•6 years ago
mozreview-review
Comment on attachment 8946491 [details]
Bug 1431192 - Only fetch download protection lists when Safe Browsing is enabled.
https://reviewboard.mozilla.org/r/216422/#review222774
Attachment #8946491 - Flags: review?(gpascutto) → review+
Pushed by fmarier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/79905d4e85ab
Only fetch download protection lists when Safe Browsing is enabled. r=gcp
Comment 9•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/79905d4e85ab
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Comment 10•6 years ago
Please request Beta approval on this when you get a chance. It grafts cleanly as-landed.
Flags: needinfo?(francois)
Assignee
Comment 11•6 years ago
Comment on attachment 8946491 [details]
Bug 1431192 - Only fetch download protection lists when Safe Browsing is enabled.

Approval Request Comment
[Feature/Bug causing the regression]: 1388574
[User impact if declined]: Google servers pinged even when Safe Browsing is disabled.
[Is this code covered by automated tests?]: No
[Has the fix been verified in Nightly?]: Yes, manually.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: No.
[Why is the change risky/not risky?]: It's very small.
[String changes made/needed]: None
Flags: needinfo?(francois)
Attachment #8946491 - Flags: approval-mozilla-beta?
Comment 12•6 years ago
Comment on attachment 8946491 [details]
Bug 1431192 - Only fetch download protection lists when Safe Browsing is enabled.

Simple patch and fixes a privacy issue. Let's get this in 59b7.
Attachment #8946491 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 13•6 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/7cefe9877e46