Don't send any user's browser info upstream (Accept-Language header, etc) #648
Comments
But it doesn't.

    [
        (
            <function get at 0x7f008dee00c8>,
            'https://www.google.com/search?q=this+is+my+query&start=0&gws_rd=cr&gbv=1&lr=&ei=x',
            {
                'headers': {
                    'Accept-Language': 'en',
                    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                    'User-Agent': 'Mozilla/5.0 (X11; Linux x86; rv:44.0) Gecko/20100101 Firefox/44.0'
                },
                'cookies': {},
                'hooks': {
                    'response': <function process_callback at 0x7f008d369140>
                },
                'timeout': 2.0,
                'verify': True
            },
            u'google'
        ),
        (
            <function get at 0x7f008dee00c8>,
            'https://www.bing.com/search?q=this+is+my+query&setmkt=en-US&first=1',
            {
                'headers': {
                    'User-Agent': 'Mozilla/5.0 (X11; Linux x86; rv:44.0) Gecko/20100101 Firefox/44.0'
                },
                'cookies': {'SRCHHPGUSR': 'NEWWND=0&NRSLT=-1&SRCHLANG=en'},
                'hooks': {
                    'response': <function process_callback at 0x7f008d3692a8>
                },
                'timeout': 2.0,
                'verify': True
            },
            u'bing'
        )
    ]

The only outgoing request with an Accept-Language header here is for Google, which is set here (my actual browser's Accept-Language header is not en) based on the language parameter set here (self.lang is the language set on the cookie or in the query). |
@logouthere sorry, I was wrong, searx doesn't send this option to the services yet. It is just a planned feature |
Yep sorry for misinformation. Unlike @a01200356, I just don't have time to analyze source code at this moment.
Ok, but I hope searx never sends user information (yes, anything) to upstream services like Google at all.
https://github.com/dillbyrne/random-agent-spoofer/blob/master/data/json/useragents.json
|
Except the search query, of course. |
This highly depends on the engine; for instance, the Google engine doesn't send the Accept-Language header of the user but the language that the user chose to use. |
The developer said the "Accept-Language header" is sent over to the upstream service when you use searx.
This is bad because the value is sometimes unique and it could be used to track/profile users by an upstream service such as Google.
Accept-Language Example:
en-US, en
en
en, en-US
en-GB etc...
Many combinations can be found in the wild.
It'll be nice if searx does NOT use the browser's data at all, and just uses the "options" cookie instead.
(and if the user blocks cookies, return English results by default)
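An added sketch of the behaviour requested in this issue (not searx's code, and not written by anyone in the thread): outgoing headers are built from fixed values plus the language the user explicitly chose, and a check confirms nothing from the browser's request reappears upstream. The function names, the `language` key and the supported-language list are assumptions; the User-Agent and Accept strings are the ones shown in the request dump above.

```python
# Fixed values taken from the request dump in this thread.
FIXED_USER_AGENT = "Mozilla/5.0 (X11; Linux x86; rv:44.0) Gecko/20100101 Firefox/44.0"
FIXED_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"

SUPPORTED_LANGS = {"en", "en-US", "en-GB", "de", "fr"}  # constructed sample list
DEFAULT_LANG = "en"  # fallback when no valid choice exists (e.g. cookies blocked)

# Constructed sample of what a browser might send to the metasearch instance.
SAMPLE_CLIENT_HEADERS = {
    "Accept-Language": "pt-BR,pt;q=0.8,en;q=0.5",
    "User-Agent": "ExampleBrowser/1.0 (constructed)",
    "DNT": "1",
}


def chosen_language(query_args, cookies):
    """Return the user's explicit choice: query first, then cookie, else default.

    Browser headers are not an input, so they cannot influence the result.
    Anything outside the allowlist (typos, CR/LF injection attempts, rare
    values that would make the user stand out) falls back to the default.
    """
    for source in (query_args, cookies):
        value = source.get("language")  # hypothetical key name
        if value in SUPPORTED_LANGS:
            return value
    return DEFAULT_LANG


def upstream_headers(language):
    """Build upstream headers from scratch; the client request is never passed in."""
    return {
        "User-Agent": FIXED_USER_AGENT,
        "Accept": FIXED_ACCEPT,
        "Accept-Language": language,
    }


def leaks(client_headers, outgoing_headers):
    """Names of outgoing headers whose value is identical to the client's.

    Meant for tests: use a client value that differs from every allowed
    upstream value so that a match can only mean pass-through.
    """
    return sorted(
        name for name, value in outgoing_headers.items()
        if client_headers.get(name) == value
    )


if __name__ == "__main__":
    out = upstream_headers(chosen_language({}, {"language": "de"}))
    print(out, leaks(SAMPLE_CLIENT_HEADERS, out))
```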