Only debounce Google URLs when SafeBrowsing is disabled #20084
Thanks very much @ryanbr! @pilgrim-brave, previously we discussed only debouncing Google URLs like these when SafeBrowsing is disabled. Let's use this issue to track that project. I'll assign now, but let's discuss whenever is convenient where in the priority queue this slots.
Noting that this was discussed during the privacy meeting on 2022-06-07 and we were not able to find a way to debounce the URLs coming from Apple Mail without affecting outgoing links from Gmail (web UI) or Google Docs. The security team's opinion is that disabling this security-relevant bouncer for people without Safe Browsing is not a good tradeoff since users without Safe Browsing are even more vulnerable to phishing/malware links. Perhaps we should close this issue until we can think of another way to address this?
After thinking this through again, I do not think we came to the right conclusion. I don't think we should keep applying (effectively) Google's safebrowsing to users who have opted out of Google's safe browsing. I appreciate that the security team thinks that it's unwise for users to disable safebrowsing, but if that's the case we should remove the ability for users to opt out of safebrowsing (note, I do not think we should do this). But continuing to apply safebrowsing (i.e. the Google redirect) sometimes because we think the user shouldn't have disabled it at all seems both confusing and unkind to our users. I appreciate others don't agree, but please leave this open until we can discuss at the next privacy confab then.
I played with the Google bouncer, and it’s effectively an internal/interstitial bouncer, not an external one. Test examples:
Plus, Google can inspect any on-click handler to deanon click if you are in a Google document. IMHO, there is no point at all in debouncing internal bouncers, since in all the cases they can check for both on-click events and Referer, or even add a specific tracking parameter/cross-site cookie. Effectively, by debouncing (bouncer^-1), we are removing protections without real user benefits.
CleanShot.2022-07-07.at.08.21.36.mp4
The video shows that the ping URL is never hit to redirect the user when they click on the link.
This is not correct. As discussed in Slack and in privacy confab, this bouncer is used to modify links in Gmail accounts when those Gmail accounts are accessed through 3p software (mail.app, Thunderbird, etc.).
… On Jul 7, 2022, at 01:25, Andrea Brancaleoni ***@***.***> wrote:
https://user-images.githubusercontent.com/581115/177705756-253d279c-4aed-430e-badf-6c41d0d1118a.mp4
The video shows that the ping URL is never hit to redirect the user when they click on the link.
Description
Debounce embedded Google URLs without targeting SafeBrowsing URLs.
Steps to Reproduce
https://www.google.com/url?q=https://t.17track.net/%23nums%3D2222062731&source=gmail&ust=2239542218716022&usg=A12Vaw22aVcgCnimxpL3T22Gs--w
Miscellaneous Information:
Original PR: brave/adblock-lists#728 (And reverted brave/adblock-lists#729)
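The policy in this issue's title, sketched as an added example; it is not Brave's debounce code and was not posted by anyone in this thread. The function name `debounceGoogleUrl` and the `safeBrowsingEnabled` option are hypothetical; the host, path and `q` parameter come from the URL under "Steps to Reproduce".

```javascript
// Added illustration: names are hypothetical, not Brave's implementation.
// Only the bouncer shape visible in this issue is handled: www.google.com/url?q=<dest>
const BOUNCE_HOST = 'www.google.com';
const BOUNCE_PATH = '/url';

function debounceGoogleUrl(rawUrl, { safeBrowsingEnabled }) {
  // Policy from the issue title: keep the bouncer when Safe Browsing is on.
  if (safeBrowsingEnabled) return rawUrl;

  let url;
  try { url = new URL(rawUrl); } catch { return rawUrl; }
  if (url.protocol !== 'https:' ||
      url.hostname !== BOUNCE_HOST ||
      url.pathname !== BOUNCE_PATH) {
    return rawUrl; // not the bouncer discussed here
  }

  // searchParams.get() percent-decodes, so %23 becomes '#' and %3D becomes '='.
  const target = url.searchParams.get('q');
  if (!target) return rawUrl;

  let dest;
  try { dest = new URL(target); } catch { return rawUrl; } // relative or malformed
  // Never navigate to javascript:, data:, file: or similar schemes.
  if (dest.protocol !== 'http:' && dest.protocol !== 'https:') return rawUrl;
  // Do not unwrap a bounce that points back at the bouncer itself.
  if (dest.hostname === BOUNCE_HOST && dest.pathname === BOUNCE_PATH) return rawUrl;

  return dest.href;
}

// Sample input: the URL from "Steps to Reproduce" in this issue.
const SAMPLE =
  'https://www.google.com/url?q=https://t.17track.net/%23nums%3D2222062731' +
  '&source=gmail&ust=2239542218716022&usg=A12Vaw22aVcgCnimxpL3T22Gs--w';
```

With Safe Browsing disabled the sample resolves to the 17track destination; with it enabled the URL is returned unchanged, so the redirect through Google still happens.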