Currently, we're using hardcoded pref values of browser.safebrowsing.provider.0.* for enhanced mode urls. This needs to be extended to allow multiple providers (e.g., provider.1.*) that users can change through the prefs UI (bug 337774).
Is it possible for the provider list to be downloaded from Mozilla? So on first run the browser would download the initial list, and would check daily for a new list as part of the existing update infrastructure. This would allow us to add new providers outside of a Firefox update release.
(In reply to comment #1) > Is it possible for the provider list to be downloaded from Mozilla? So on > first run the browser would download the initial list, and would check daily > for a new list as part of the existing update infrastructure. Sure, or we could do this as part of the usual maintenance update cycle (every 6-8 weeks). Depends on how often you really think we'll be adding providers.
I'd personally like for it to be more like search providers. You select them via a.m.o to install, and we bundle a few with each release. Reasons: 1. Most users won't check on a weekly basis "did I get a new antiphishing provider choices?". 2. Not worth a notification that a new one has been added (most don't care, they just want to be safe). I don't think we'll be adding them very often either. Right now there aren't to many.
I'm hesitant to move to this model for a couple of reasons. First (and perhaps foremost) I don't think we're going to see a multitude of legitimate providers jumping up. It's a non-trivial cost to provide the backend for this, and there's a large liability concern for labeling a site as a phishing site when, in fact, it isn't. Second, there's a user experience / security concern here. Unlike search, the anti-phishing function is run against every single page the user comes across. I don't like the idea of making it fairly simple to convince a user to install a malicious "anti-phishing provider" which then ends up actually phishing the user.
Created attachment 224169 [details] [diff] [review] v1: multiple remote providers Most of the data provider specific values are in globalstore.js. So I converted the global store object to PROT_DataProvider which stores all the information specific to a data provider. Other values in global store have been moved to global variables. Also changed how links are handled in the popup bubble. Rather than calling a command, just use an href tag. SetStatus/ClearStatus have been removed; it's being tracked by bug 340029 which should be cleaner. Removed some unused commands (stuff specific to a pref window that was in the extension).
Attachment #224169 - Flags: review?(provos)
Via email, Niels asks, "why all the functionality to submit to white/balcklists has been removed and does not reappear." This issue is being tracked on bug 337484 so I'm going to remove the code for now. The code could go in different places depending on the resolution and I'd rather not have the unused code hanging around in the meantime.
Attachment #224169 - Flags: approval-branch-1.8.1?(bryner)
Attachment #224169 - Flags: approval-branch-1.8.1?(bryner) → approval-branch-1.8.1+
You should use 'cvs diff -up8 <files>' to generate patches, so bugzilla's patch-viewer doesn't hiccup. With this patch, it looks like the only patched file is firefox.js, and it doesn't link the files and line numbers.
Fixed on trunk and on branch. The pref to watch/change is browser.safebrowsing.dataProvider. I'll post more on bug 339258.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.