[Security Issue] Deceptive site warning not triggering if the request is made as an AJAX request
Categories: Toolkit :: Safe Browsing, defect
People: Reporter: mart.robles.it, Unassigned
Attachments: 4 files
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Steps to reproduce:
Hello Mozilla Security team,
Greetings! I would like to inform you about what I have thought about how the Mozilla browser handles sites deemed deceptive, compared to how Google handles them, which gives rise to a security issue.
Description:
Visiting a site deemed deceptive in Firefox shows a common warning screen that is also available in Google Chrome. It won't let the user pass until they have decided to do so by clicking 'details' or 'see details' and continuing to visit the site deemed deceptive.
Mozilla Firefox 116.0.3 (64-bit): [screenshot: image.png]
Google Chrome Version 115.0.5790.170 (Official Build) (64-bit): [screenshot: image.png]
The problem that is present in Mozilla Firefox 116.0.3 (64-bit) is that the deceptive site warning did not show up or get invoked when the site deemed deceptive is accessed via GET in an AJAX request.
To verify that, visit the following link, which contains the code:
https://jsfiddle.net/w650egqt/
var url = "https://fivestarpropertymgmt.com";
var request = new XMLHttpRequest();
request.open("GET", url, false);
request.send(null);
if (request.status === 200)
{
    alert(request.statusText);
}
Best regards,
Mart
Actual results:
In the Google Chrome browser, the deceptive site warning will appear even when the request is made via AJAX, whereas in the Firefox browser, it just lets the request be made successfully.
Please be aware that the site fivestarpropertymgmt.com does not have CORS configured well, but be keen and observant in how you test on the Google browser. The Google browser will not show the CORS error, meaning that the site will never be requested unless you have decided that you want to continue connecting to the site. Whereas in the Firefox browser, the request/response will be completely made, which is confirmed by the CORS error, meaning it has been sent without letting the user know about the site being deemed deceptive and without giving the user an option to stop there for a moment, just like the Google browser does.
Expected results:
It should also show a deceptive site warning for sites requested over AJAX requests.
Comment 1 • 2 years ago (Reporter)
Comment 2 • 2 years ago (Reporter)
Comment 3 • 2 years ago
The request is still being blocked; we just don't show the warning like Chrome does.
You can see that from the Network Panel and the Console Log ("The resource at “https://fivestarpropertymgmt.com/” was blocked by Safe Browsing.")
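An added example (not part of the bug thread and not Mozilla's code): a JavaScript triage over exported console lines that separates a Safe Browsing block, using the message quoted in comment 3, from an ordinary CORS failure reported for the same URL. The sample lines are constructed, and the CORS message wording and the names `triageConsole` and `normalise` are assumptions.

```javascript
// Added example: triage exported Firefox console lines so that a CORS error
// is not misread as proof that a request reached a Safe Browsing-listed site.

// Message shape quoted in comment 3 (curly or straight quotes accepted).
const SB_BLOCK = /The resource at [“"](\S+?)[”"] was blocked by Safe Browsing/;
// Assumed wording of Firefox's CORS console error; adjust if your build differs.
const CORS_ERR = /Cross-Origin Request Blocked: .*? remote resource at (\S+?)\.? \(Reason:/;

// Normalise so "https://host" and "https://host/" compare equal.
function normalise(url) {
  try { return new URL(url).href; } catch { return url; }
}

// Returns Map<url, "blocked-by-safe-browsing" | "cors-failure">.
function triageConsole(lines) {
  const verdicts = new Map();
  for (const line of lines) {
    const sb = SB_BLOCK.exec(line);
    if (sb) {
      // Per comment 3 the request was blocked, so this verdict always wins,
      // regardless of whether the CORS line was logged before or after it.
      verdicts.set(normalise(sb[1]), "blocked-by-safe-browsing");
      continue;
    }
    const cors = CORS_ERR.exec(line);
    if (cors) {
      const url = normalise(cors[1]);
      if (!verdicts.has(url)) verdicts.set(url, "cors-failure");
    }
  }
  return verdicts;
}

// Constructed sample console output (not captured from a real session).
const SAMPLE_LINES = [
  "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://fivestarpropertymgmt.com/. (Reason: CORS request did not succeed). Status code: (null).",
  "The resource at “https://fivestarpropertymgmt.com/” was blocked by Safe Browsing.",
  "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.example.test/data. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.",
];

for (const [url, verdict] of triageConsole(SAMPLE_LINES)) {
  console.log(`${verdict.padEnd(26)} ${url}`);
}
```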
Comment 4 • 2 years ago (Reporter)
Ah yes. It was silently blocked in the background. Addition of a warning is also helpful, I think?
Comment 5 • 2 years ago
Right, this is a known difference. Are we overblocking sites that we think no longer have bad things on them, or do we warn the user "we found one, there might be more we don't know about", which appears to be Chrome's philosophy? This can be seen in the Safe Browsing test site:
https://testsafebrowsing.appspot.com/
I'm going to unhide this as a known issue; maybe it's a duplicate even. But worth discussing. I personally lean in the Chrome direction on this, though it does seem kind of harsh.