Open Bug 1624457 Opened 5 years ago Updated 2 years ago

Requests for opensearch.xml don't send cookies

Categories

(Firefox :: Search, defect, P5)

76 Branch
Desktop
Unspecified
defect

Tracking Status
firefox78 --- fix-optional

People

(Reporter: tblodt, Unassigned)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36

Steps to reproduce:

  • Find a search engine whose opensearch.xml file requires authentication
  • Try to add it to Firefox

Actual results:

An error popup appears that says "Invalid Format: Firefox could not install the search engine from: https://[redacted]/opensearch.xml"

Expected results:

The search engine should be installed

Does this issue still occur for you?
If yes, please give an example of a search engine that reproduces this issue so I can attempt reproduction as well and confirm it.
Also, we need the Firefox version used to reproduce it. Is it the latest Nightly?
Thank you for your contribution!

Flags: needinfo?(tblodt)

The search engine I used to reproduce this is not publicly available (hence the need for cookies). But yes, latest nightly. I'm happy to test patches or step through things in a debugger if you can point me in the right direction.

I tried to write a patch at one point that replaced SearchUtils.makeChannel in SearchEngine.jsm with ServiceRequest, and that fixed the problem. Does that help?

Flags: needinfo?(tblodt)

It may help the developer when attempting to troubleshoot the problem, but it doesn't help me to confirm it.
Hopefully, someone from the search will eventually have an opinion on your issue.

Component: Untriaged → Search
Hardware: Unspecified → Desktop

Low priority.

A workaround would be for the web site to expose just the opensearch.xml file so that the engine could still be added. If the engine's contents are behind authentication, they would still be protected.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Severity: normal → S3
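
A check a site operator could run after applying the workaround above, confirming that opensearch.xml is served as a valid description to a client that sends no cookies. This is an added example, not code from the bug or from Firefox; the function name, sample bodies and host search.example are constructed, and the validity test follows the OpenSearch 1.1 format rather than Firefox's own parser.

```python
import xml.etree.ElementTree as ET

OS_NS = "http://a9.com/-/spec/opensearch/1.1/"  # OpenSearch 1.1 namespace

# Constructed sample responses (hypothetical host search.example).
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Intranet</ShortName>
  <Url type="text/html" template="https://search.example/?q={searchTerms}"/>
</OpenSearchDescription>"""
SAMPLE_LOGIN = b"<!DOCTYPE html><html><body><form action='/login'></form></body></html>"


def check_anonymous_response(status, body):
    """Classify what a cookie-less client received for opensearch.xml.

    status and body come from any HTTP client run without a cookie jar and
    with redirects disabled. Returns (ok, reason).
    """
    if status in (301, 302, 303, 307, 308):
        return False, "redirect, probably to a login page"
    if status in (401, 403):
        return False, "authentication required"
    if status != 200:
        return False, f"unexpected status {status}"
    # Refuse DTDs before parsing: catches HTML login pages and avoids
    # entity-expansion tricks in the XML parser.
    if b"<!doctype" in body.lower() or b"<!entity" in body.lower():
        return False, "document declares a DTD (HTML page or unsafe XML)"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "body is not well-formed XML"
    if root.tag != f"{{{OS_NS}}}OpenSearchDescription":
        return False, f"unexpected root element {root.tag}"
    has_name = root.find(f"{{{OS_NS}}}ShortName") is not None
    has_search_url = any("{searchTerms" in u.get("template", "")
                         for u in root.findall(f"{{{OS_NS}}}Url"))
    if not (has_name and has_search_url):
        return False, "missing ShortName or a Url template with {searchTerms}"
    return True, "valid description served without cookies"


if __name__ == "__main__":
    for label, status, body in [("ok", 200, SAMPLE_OK),
                                ("login page", 200, SAMPLE_LOGIN),
                                ("redirect", 302, b"")]:
        print(label, check_anonymous_response(status, body))
```

Serving the description anonymously also makes its template URLs, including any internal hostnames, readable by anyone who can reach the server.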

This seems to affect the intranet search at Google and Facebook. If I send a patch for this issue would it be accepted?

Flags: needinfo?(standard8)

(In reply to tbodt from comment #6)

> This seems to affect the intranet search at Google and Facebook. If I send a patch for this issue would it be accepted?

Sorry for the delay. Out of interest, do you know what Chrome does here?

I need to check with a few people, but knowing that might help. My general thoughts are that we could potentially allow cookies for initial install, but not updates - since updates would mean pinging the server with cookies every time which is potentially not as privacy respecting.

Flags: needinfo?(standard8) → needinfo?(tblodt)

I don't know for sure, but if the update doesn't work without sending cookies, surely it's sending cookies every time. A privacy mitigation could be to only fetch updates when the user navigates to the page, since in that case the server has already seen the user's cookies and the update wouldn't expose more.

Flags: needinfo?(tblodt) → needinfo?(standard8)

Looks like cookies are not sent when performing autocomplete queries too.

Sorry, looks like I never got around to responding to this.

(In reply to tvaliiev from comment #9)

> Looks like cookies are not sent when performing autocomplete queries too.

That's intentional; we do not want search engines directly identifying users when providing suggestions, and that's not something we would change.

On the actual installing side of things, it would be interesting to know what other browser engines do (e.g. Chrome/Edge/Safari). With that we could then ask the privacy team for opinions.

Flags: needinfo?(standard8)