Firefox leaks single-word searches as DNS queries
Categories: Firefox :: Address Bar, defect
People: Reporter: tusharsingal, Unassigned
Attachments: 1 file (1.12 MB, image/png)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Steps to reproduce:
Searched for 'testquery' using the omnibar
Actual results:
Firefox searched my search provider for 'testquery'.
Firefox asked me if I want to visit "http://testquery", I clicked no.
Before I even clicked no, Firefox leaked my search as a DNS query.
Expected results:
Firefox should not have made the DNS query - especially not before I clicked no.
Users expect searches to be secured over an HTTPS connection, to only their search provider and no one else. The search should under no circumstances be made visible to the DNS operator.
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•3 years ago
Set browser.urlbar.dnsResolveSingleWordsAfterSearch to 0 and browser.fixup.dns_first_for_single_words to false in about:config if you want to turn it off. This "leak" is necessary for certain use-cases. Otherwise you get complaints like this. That's just the tradeoff you make when you combine the urlbar with the search box.
Updated•3 years ago
That isn't a reasonable default from a privacy perspective:
- A vanishingly small number of web users access an intranet like that.
- To satisfy them, Firefox has set a default that will compromise the privacy of most users when searching single words.
Firefox should absolutely not be sending a DNS query unless the user approves it - or changes a setting that allows this to happen by default.
Comment 4•3 years ago
(In reply to tusing from comment #3)
> That isn't reasonable default from a privacy perspective:
> - A vanishingly small number of web users access an intranet like that.
> - To satisfy them, Firefox has set a default that will compromise the privacy of most users when searching single words.
> Firefox should absolutely not be sending a DNS query unless the user approves it - or changes a setting that allows this to happen by default.
You underestimate the amount of people that need to access an Intranet. You're basically asking Mozilla to alienate enterprise users even more by forcing them to do even more cajoling to make it suitable for their use.
Besides, doesn't the default Google autocomplete compromise privacy even more? Combining the urlbar and searchbar basically requires sacrificing privacy for convenience. If you don't like it then you should go to about:preferences to enable the split URL / Search mode or change the prefs I mentioned above.
What you've discovered is not new. The multiple flaws of the "omnibar" have been known about for years. Users expect it so it remains the default. Privacy on the web is a balancing act and Firefox remains the only major browser that offers settings to plug the hole.
Comment 5•3 years ago
We support enterprise policies that should be used when setting up profiles to avoid any kind of "leak", when necessary. Those settings are effective from the first start if set up correctly. The defaults we use are what matters to the vast majority of users. But we offer options and choice to more advanced users.
There is Bug 1642623 with a discussion about potential future plans to better detect intranet usage, but please refrain from commenting on it unless you have useful technical insight to resolve the problem without affecting the current functionality.
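An added example, not part of the bug thread and not Mozilla's code: a Python check that reads the text of a profile's prefs.js and user.js and reports whether the two prefs named in comment 2 are explicitly set to the values given there. The function names and the sample file contents are constructed for illustration; an unset pref is reported as such, because its default is not stated in the thread.

```python
import json
import re

# Values comment 2 gives for turning the single-word DNS lookups off.
WANTED = {
    "browser.urlbar.dnsResolveSingleWordsAfterSearch": 0,
    "browser.fixup.dns_first_for_single_words": False,
}

PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text; a later line wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything not a user_pref call
        try:
            prefs[m.group(1)] = json.loads(m.group(2))  # true/false, ints, "strings"
        except ValueError:
            prefs[m.group(1)] = m.group(2)  # keep unparsed values as raw text
    return prefs

def audit(*texts):
    """Audit pref files in load order (prefs.js first, then user.js)."""
    merged = {}
    for text in texts:
        merged.update(parse_prefs(text))
    report = {}
    for name, wanted in WANTED.items():
        if name not in merged:
            report[name] = "unset"  # browser default applies; not judged here
        elif merged[name] == wanted and type(merged[name]) is type(wanted):
            report[name] = "ok"
        else:
            report[name] = "differs: %r" % (merged[name],)
    return report

# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 1);
user_pref("browser.startup.homepage", "about:blank");
'''
SAMPLE_USER_JS = 'user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);\n'

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items():
        print(f"{name}: {status}")
```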