362854 - Need a way to determine if the page has passed safe browsing checks

Status: RESOLVED WONTFIX

(Toolkit :: Safe Browsing, defect)

Description

[Mike Connor [:mconnor]]

In order to help protect password manager users, we would like to be able to prefill only after the page has "passed" the safe browsing checks.  There isn't a way of actually knowing whether a page has passed, or rechecking a cached result (do we cache results in remote mode?)

Comment 1

[Mike Connor [:mconnor]]

would be great if this was branch-safe as well, btw.

Comment 2

[Tony Chang (Google)]

A couple notes:

- The anti-phishing check happens async (either by using a background thread to check a local db or by doing a remote http request).  Not sure if there are any time restrictions for notifying other services.

- I'm not sure what the right way to notify is.  Sending an nsIObserverService message is confusing because the result needs to be associated with a specific tab, but at the time of lookup, we haven't done the association yet. The check happens with the nsIRequest and if it's flagged as phishing, we try to find the tab associated with the request after the dom content has loaded.  Trying to associate every request with a tab might be slow since I think it's a linear scan of tabs and match by URL (with polling since dom content loading takes some time).

So it would probably be ok to do an extra local list lookup to check password manager pages, but I'm not sure about remote look ups.  Or we could do something more complicated like a cache of the last N look ups, but the async nature of a look up may be weird.

Comment 3

[Marco Bonardo [:mak]]

I assume this is unowned.

Comment 4

[François Marier [:francois]]

As far as I know, we block pages that fail the test before they're rendered, so the password manager shouldn't get into a situation where it's filling anything on a "bad" page.