Closed Devocub closed 6 months ago
@Devocub Have you attempted to reproduce this issue in the latest available version? Is this still an issue?
@PF4Public just tried, still reproducible 124.0.6367.201
@Ahrotahn IIRC you did test ungoogled-chromium with wireshark and found no suspicious activity. Could this be something you missed?
Can reproduce
I'm actually not sure what codepath the request is taking. Only https://source.chromium.org/chromium/chromium/src/+/main:chrome/renderer/chrome_render_frame_observer.cc;l=259;drc=2246014e44711f62566fcbb784a6926b1ba5b980;bpv=1;bpt=1 looks relevant (which we already disable with the "disable-search-engine-collection" flag)
yes but I don't see that being called (over IPC) by anyone else. Oh well, perhaps better to also patch that out
Yup, y'all are on the right track. The search engine helper shouldn't be loaded at all with the disable-search-engine-collection flag set. I've pushed an update to the PR for 125 to fix this.
Normally I'm checking for connections at startup and for external connections to Google when visiting pages. I wouldn't have thought to check for something like this before since it only makes sense that php.net would connect to php.net.
Addendum:
CSS styles are fetched too. Try this line (save as .html):
<link rel="stylesheet" href="http://eu.httpbin.org/flasgger_static/swagger-ui.css">
Will send HTTP requests even if this is enabled: "Always use secure connections
Use HTTPS whenever possible and get warned before loading sites that don’t support it" but it will be blocked from use, as DevTools says, due to "mixed content". According to Wireshark, requests were sent and data was received (the data was not visible in DevTools). I tested it on a real https site.
http .js doesn't send any requests
Will send HTTP requests even if this enabled: "Always use secure connections
This could be a Chromium issue. Have you searched their bugtracker?
@PF4Public hello, no - ungoogled. I tried to check if I can submit a bug there https://issues.chromium.org/new, it asks for a Google account, and when I click Create account I have this. And it is not worth submitting because I'm pretty sure there are other ways to abuse this https protection (and other ways and protocols to transfer unencrypted/unprotected data), for example extensions can do such requests (I was able to send http requests from a userscript inserted into an https page).
OS/Platform
Windows
Installed
https://ungoogled-software.github.io/ungoogled-chromium-binaries/
Version
120.0.6099.129
Have you tested that this is not an upstream issue or an issue with your configuration?
--user-data-dir command line argument and it could not be reproduced there
Description
Request to collect search engine is made when collection is disabled
How to Reproduce?
Actual behaviour
I believe this line in source code of php.net page is for search engine collection
<link rel="search" type="application/opensearchdescription+xml" href="http://php.net/phpnetimprovedsearch.src" title="Add PHP.net search">
Even though "Always use secure connections" and search engine collection is disabled, the request is still made, and over http (so some security risk). It is not a bug, to be precise, because disabling collection doesn't mean disabling requests to this link (and not doing this request = more fingerprinting). And the request over http is a Chromium bug. But since that was surprising behaviour for me, I decided to leave this feedback.
Expected behaviour
No requests.
Relevant log output
No response
Additional context
You can add a "Disable search engine collection requests" flag. You can report the issue about security stuff to Chromium. You can close this issue immediately.
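
An added example, not code from this thread or from ungoogled-chromium: a Python audit that scans a page's HTML for `<link rel="search">` and `<link rel="stylesheet">` tags resolving to `http://`, the two kinds of tag the report says produce cleartext requests from an HTTPS page. The function name, the watched-rel set and the sample page are assumptions; the two `http://` URLs are the ones quoted in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# rel values the thread reports being requested over plain HTTP (assumed scope)
WATCHED_RELS = {"search", "stylesheet"}

class _LinkCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and a.get("href"):
            # <base href> changes how later relative hrefs resolve
            self.base = urljoin(self.base, a["href"].strip())
            return
        if tag != "link" or not a.get("href"):
            return
        rels = set(a.get("rel", "").lower().split()) & WATCHED_RELS
        target = urljoin(self.base, a["href"].strip())
        if rels and urlsplit(target).scheme == "http":
            for rel in sorted(rels):
                self.findings.append((rel, target))

def find_cleartext_links(html, page_url):
    """Return (rel, absolute_url) for watched <link> tags that resolve to http://."""
    collector = _LinkCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector.findings

# Constructed sample page; only the first two links should be reported.
SAMPLE = """<html><head>
<link rel="search" type="application/opensearchdescription+xml"
      href="http://php.net/phpnetimprovedsearch.src" title="Add PHP.net search">
<link rel="stylesheet" href="http://eu.httpbin.org/flasgger_static/swagger-ui.css">
<link rel="stylesheet" href="//cdn.example/site.css">
<link rel="Stylesheet" href="/local.css">
<link rel="icon" href="http://example.com/favicon.ico">
</head></html>"""

if __name__ == "__main__":
    for rel, url in find_cleartext_links(SAMPLE, "https://www.php.net/"):
        print(f"{rel:10} {url}")
```

Protocol-relative and relative hrefs inherit the page's scheme, so they are reported only when the page itself (or a `<base href>`) is `http://`.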