"Show details" on the blocked site page uses a hostname, not a URL
Categories: Toolkit :: Safe Browsing (enhancement)
People: Reporter: business, Assigned: business
Attachments: 1 file
Steps to reproduce:
- Visit a page that has been detected as unsafe by Google's Safe Browsing, such as https://www.reddit.com/r/AdobeZii
- Click on the "Show details" button.
Actual results:
In the example, www.reddit.com is presented as "containing harmful software".
Expected results:
This URL is an isolated case from the www.reddit.com domain, and as such this wording is incorrect and should be amended. While, in most cases, the domain genuinely will be malicious, in a few select cases (seen mostly on websites with user-generated content) the domain isn't malicious, but rather the URL itself.
Comment 1 • 3 years ago
On the blocked site page for malicious URLs, clicking the "See details"
button shows a small portion of the URL (document.location.hostname).
This message can often be misleading; certain websites may allow users
to upload or share certain content that may trigger the warning, despite
the actual URL not being responsible for what the user does. This
results in the hostname being reported for potentially harmful software,
despite only the URL being reported.
Signed-off-by: Elijah Conners <business@elijahpepe.com>
Comment 2 • 3 years ago
I see the same block in Chrome and Firefox, which is consistent since the block is based on the same Safe Browsing data. If you click the "reported as containing harmful software" link (which contains the URL you're on) Google's safebrowsing site will tell you why it is blocked in (a little) more detail. Oddly, when I was logged out of reddit I could visit the subreddit just fine in Firefox, but was still blocked in Chrome. I can easily imagine being logged in causes additional content loads that might trigger a block, but that doesn't explain differences between Firefox and Chrome. Maybe it's my tracking protection blocking in Firefox?
It's also not just the one URL, is it? It appears to be the entire https://www.reddit.com/r/AdobeZii/ subreddit, like https://www.reddit.com/r/AdobeZii/comments/v4rgfv/getting_annyoing_page_whenever_i_attempt_to_open/. So if we made a warning saying "this specific URL is dangerous" that would be an error in the opposite direction: not worrying people enough (not to mention leading to a less readable warning page).
Somehow I got switched back to the ugly reddit classic theme when I'm logged in and no longer get the warning. I bet it was some file being downloaded as part of the sub-reddit's theme. The "theme" is not just styled by different CSS -- the HTML itself is radically different. That makes it harder to identify the culprit.
Comment 3 • 3 years ago
I got several details wrong, but they don't really change the end result:
- My theme was still ugly because I had never upgraded to the "new" reddit UI with my old crufty account
- when the page was blocked I couldn't see that I had the old UI, but I did
- the block is on the main document URL--the simplest, obvious case. It was not some sub-resource that may only sometimes load as I was starting to guess. That was based on a bunch of bad assumptions.
- my confusion was because once you've ignored the warning, that tab remembers you have whitelisted that specific URL. There's no real way to "undo" that and there's no way (or no obvious way) to see what URLs are whitelisted in that tab. I eventually figured out I needed to open new tabs to get back to the "blocked" state. The ability to load the page without clicking through the warning page had nothing to do with the settings I was fiddling with. (Incidentally, Chrome has a similar "need to open a new tab to be blocked once I've ignored the warning" behavior.)
The fact that specific URL showed up on the Safe Browsing site should have clued me in. I eventually used the about:url-classifier developer tool to confirm the block.
I don't know if the Safe Browsing warning about that sub-reddit is accurate or not, but either way the sub-reddit mods/leaders will have to work this out with the Google Safe Browsing folks. If there is, in fact, software that has been reported buried in there somewhere they will need to delete it or convince Google that it's a false-positive detection. That needs to be resolved regardless of any Firefox UI changes. A tweaked message buried in a blocking interstitial page won't make the disruption any better for the sub-reddit users.
Comment 4 • 3 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Oddly, when I was logged out of reddit I could visit the subreddit just fine in Firefox, but was still blocked in Chrome. I can easily imagine being logged in causes additional content loads that might trigger a block, but that doesn't explain differences between Firefox and Chrome. Maybe it's my tracking protection blocking in Firefox?
SafeBrowsing identifies www.reddit.com/r/AdobeZii/ as a malicious URL, so any URL under www.reddit.com/r/AdobeZii/ will be blocked. While I played around with the site, I found that in some scenarios they change the URL but don't load the page/resources of that URL. In that case Safe Browsing won't recognize it.
For example:
- Navigate to https://www.reddit.com/r/AdobeZii
  -> SafeBrowsing doesn't block because it is not https://www.reddit.com/r/AdobeZii/ (with trailing slash)
- Click one of the threads; the URL changes to https://www.reddit.com/r/AdobeZii/comments/sdkt94/i_made_a_quick_tutorial_on_how_to_download_native/
  -> SafeBrowsing doesn't block because no URL under https://www.reddit.com/r/AdobeZii/ is loaded
- Reload the page and SafeBrowsing blocks the load.
I'm not sure if this behavior is the reason why you saw different results between Chrome and Firefox sometimes.
> So if we made a warning saying "this specific URL is dangerous" that would be an error in the opposite direction: not worrying people enough (not to mention leading to a less readable warning page).
I 100% agree. Although I think an alternative is that we show the URL fragment that is identified by SafeBrowsing (instead of the hostname or the full URL) to be more accurate about which URL is actually being blocked, that might still confuse users (and doesn't guarantee the URL will be more readable).
I understand we want to show information as detailed as possible, but I'd argue that for ordinary users the hostname is something they can easily understand. A very complete but unreadable warning message may not help most of the time.
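The trailing-slash behaviour comment 4 describes follows from how a Safe Browsing client expands a URL into lookup expressions before consulting the list. The script below is an added illustration, not Firefox's url-classifier code or Google's client library: it models only the host-suffix / path-prefix expression rules of the Safe Browsing v4 API and matches them against a constructed blocklist containing the single entry from this bug, www.reddit.com/r/AdobeZii/. Full URL canonicalization (percent-decoding, dot-segment removal) and the hashed-prefix comparison real clients perform are left out, and the cap of four directory prefixes counting "/" is my reading of the spec. The URL-changes-without-a-load case is not modelled because no lookup happens at all when no document is fetched.

```python
"""Simplified model of Safe Browsing host/path-prefix matching.

Added example (not Firefox's url-classifier or Google's client code).
It implements the v4 lookup-expression rules: every host suffix of the
URL is combined with every path prefix, and the load is blocked when
any resulting expression equals a list entry.  Canonicalization is
deliberately minimal: urlsplit drops the fragment and lowercases the
host; an empty path is treated as "/".
"""
from urllib.parse import urlsplit

# Constructed blocklist: the entry comment 4 says Safe Browsing has for
# this subreddit.  Real lists hold hash prefixes of such expressions.
BLOCKLIST = {"www.reddit.com/r/AdobeZii/"}

MAX_PATH_PREFIXES = 4  # "/" plus up to three directory prefixes (my reading of the spec)


def host_suffixes(host):
    """Exact host, then up to four suffixes formed from the last five
    labels by dropping the leading label each step; the bare TLD is
    never emitted."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    out = [host]
    for i in range(max(len(labels) - 5, 0), len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand not in out:
            out.append(cand)
    return out


def path_prefixes(path, query):
    """Exact path with query, exact path without query, then "/" and
    each directory component appended with a trailing slash.

    A final component not followed by "/" is a leaf, so it never gets
    a slash appended: "/r/AdobeZii" yields "/r/" but not "/r/AdobeZii/"."""
    path = path or "/"
    out = []
    if query:
        out.append(path + "?" + query)
    if path not in out:
        out.append(path)
    dirs = path.split("/")[1:-1]          # directory components only
    prefixes = ["/"]
    for d in dirs[:MAX_PATH_PREFIXES - 1]:
        prefixes.append(prefixes[-1] + d + "/")
    for p in prefixes:
        if p not in out:
            out.append(p)
    return out


def lookup_expressions(url):
    """All host-suffix x path-prefix combinations a client would look up."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return [h + p for h in host_suffixes(host)
            for p in path_prefixes(parts.path, parts.query)]


def is_blocked(url, blocklist=BLOCKLIST):
    """Return the list entry that matched the URL, or None."""
    for expr in lookup_expressions(url):
        if expr in blocklist:
            return expr
    return None


if __name__ == "__main__":
    for url in [
        "https://www.reddit.com/r/AdobeZii",
        "https://www.reddit.com/r/AdobeZii/",
        "https://www.reddit.com/r/AdobeZii/comments/sdkt94/i_made_a_quick_tutorial_on_how_to_download_native/",
        "https://www.reddit.com/r/firefox/",
    ]:
        print(f"{url}\n  -> blocked by {is_blocked(url)!r}")
```

Running it shows the subreddit root without a trailing slash producing the expressions www.reddit.com/r/AdobeZii, www.reddit.com/ and www.reddit.com/r/ (plus the reddit.com variants), none of which equals the entry, while any URL that has /r/AdobeZii/ as a directory prefix matches. That is also why the blocked-page UI cannot cheaply say "this exact URL": the entry that matched is a host/path prefix, and the client only knows which prefix expression hit.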