Closed Bug 984199 Opened 10 years ago Closed 9 years ago

Add support for industry-standard safe search

Categories

(Firefox :: Search, defect)

x86_64
Windows 8.1
defect
Not set
normal

Tracking

()

RESOLVED INCOMPLETE

People

(Reporter: jeffhughes88, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0; MS-RTC LM 8; InfoPath.3; rv:11.0) like Gecko

Steps to reproduce:

1. Install a family safety product 
2. Turn on 'safe search' in your family safety product
3. Use Firefox to go to the Google search site
4. Perform search



Actual results:

Search engine does not perform a safe search.
This same problem exists with other Search sites when HTTPS is in use.
Read more below to understand why this is a browser issue.



Expected results:

Prior to implementing HTTPS-by-default, family safety products were able to add a query parameter to the search URL to tell Google to turn on safe search for this user. When they did this, Google would perform a search with "safe search" enabled to protect the user from offensive content. This is commonly used to protect kids from harmful content, but is also used by adults. 
   With HTTPS enabled by default, it is no longer possible to append a safe search URL parameter because the URL string is encrypted. Thus, an industry standard has been proposed whereby browsers will insert a "Prefer: safe" HTTP header when they send requests to web servers. If the Web Site receiving this request implements a search capability, it will perform that search using a safe-search setting. I work at Microsoft. I'd like to talk to the Firefox team about implementing this industry-standard approach.
There seems to be a couple different questions packed into this bug:

* How would these family safety products inform Firefox to take any action at all (modify the URL query, add an HTTP header, whatever)
* Does this industry standard you're talking about have a public specification?
** Would it apply only to search engine fetches or all fetches?
** Do you expect Firefox to expose UI for it, or do it through an extension?

A Firefox extension can already implement this, and I'd think that would be the preferred method of doing it for now whether we're talking about an HTTP header or a new URL query string.

Why is this bug marked security-sensitive? Can we open it?
Component: Untriaged → Search
Flags: needinfo?(jeffhughes88)
Group: core-security
What "industry standard"? A quick google turns up http://tools.ietf.org/html/draft-nottingham-safe-hint-01, created 2 days ago, but that's not a standard.

I'm dubious about this even being the right approach. And it can already be done today by means of a browser addon or MITM proxy.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(jeffhughes88)
You need to log in before you can comment on or make changes to this bug.