From Firefox Bug 368106: > However, Firefox is sending the full URL of the reported site -- including the > query string (http://foo.com/foo?querystring). To avoid privacy problems, the > browser probably shouldn't be sending the query part at all. Stripping out the > query values might also be an option (so that ...?user=me&pw=secret is > submitted as ...?user=&pw=). > > It seems like just the hostname and URL path should be enough to identify a > phishing site.
Created attachment 748818 [details] [diff] [review] Patch v1.0 Strip query params. > + // XXX: .clone() or cloneIgnoringRef() ? > + var pageUri = getBrowser().currentURI.cloneIgnoringRef(); Firefox uses .clone(). Would cloneIgnoringRef() be better?
(In reply to Philip Chee from comment #1) > Firefox uses .clone(). Would cloneIgnoringRef() be better? Makes sense.
Comment on attachment 748818 [details] [diff] [review] Patch v1.0 Strip query params. Seems reasonable (but without the XXX of course).
Comment on attachment 748818 [details] [diff] [review] Patch v1.0 Strip query params. Note: Firefox Bug 368106 landed on Firefox23 [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 477718 - Implement Phishing Protection (a.k.a. Safe Browsing) support in SeaMonkey User impact if declined: Sensitive privacy information could leak. Testing completed (on m-c, etc.): I've been running with this patch for about a fortnight and the Firefox changeset has been in m-c since 2013-05-07. Risk to taking this patch (and alternatives if risky): Risk is low but since this problem is hypothetical it could ride the trains instead. String or IDL/UUID changes made by this patch: None
Pushed to comm-aurora: http://hg.mozilla.org/releases/comm-aurora/rev/8d0d26c68023