Search engine collection still sends requests

Devocub commented 10 months ago

OS/Platform

Windows

Installed

https://ungoogled-software.github.io/ungoogled-chromium-binaries/

Version

120.0.6099.129

Have you tested that this is not an upstream issue or an issue with your configuration?

[ ] I have tried reproducing this issue in Chrome and it could not be reproduced there
[ ] I have tried reproducing this issue in vanilla Chromium and it could not be reproduced there
[ ] I have tried reproducing this issue in ungoogled-chromium with a new and empty profile using --user-data-dir command line argument and it could not be reproduced there

Description

Request to collect search engine is made when collection is disabled

How to Reproduce?

Enable this chrome://flags/#disable-search-engine-collection
chrome://settings/security Enable "Always use secure connections"
Turn on Wireshark (or alternative)
Go to https://php.net and you should see in Wireshark http request (details below) been made. This request is not visible in browsers DevTools.

Actual behaviour

I believe this line in source code of php.net page is for search engine collection
<link rel="search" type="application/opensearchdescription+xml" href="http://php.net/phpnetimprovedsearch.src" title="Add PHP.net search"> Even though "Always use secure connections" and search engine collection is disabled request still made, and over http (so some security risk). It is not a bug to be precise because disabling collection doesn't mean disabling requests to this link (and not doing this request = more fingerprinting). And request over http is Chromium bug. But since that was surprising behaviour for me I decided to leave this feedback.

Expected behaviour

No requests.

Relevant log output

No response

Additional context

You can add "Disable serach engine collection requests" flag. You can report issue about security stuff to Chromium. You can close this issue immediately.

PF4Public commented 6 months ago

@Devocub Have you attempted to reproduce this issue in the latest available version? Is this still an issue?

Devocub commented 6 months ago

@PF4Public just tried, still reporducible 124.0.6367.201

PF4Public commented 6 months ago

@Ahrotahn IIRC you did test ungoogled-chromium with wireshark and found no suspicious activity. Could this be something you missed?

networkException commented 6 months ago

Can reproduce

networkException commented 6 months ago

I'm actually not sure what codepath the request is taking. Only https://source.chromium.org/chromium/chromium/src/+/main:chrome/renderer/chrome_render_frame_observer.cc;l=259;drc=2246014e44711f62566fcbb784a6926b1ba5b980;bpv=1;bpt=1 looks relevant (which we already disable with the "disable-search-engine-collection" flag)

rany2 commented 6 months ago

@networkException https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/ui/search_engines/search_engine_tab_helper.cc;l=156;drc=317f05fb6ad55aae99ecbf909b233b07198eda3f

networkException commented 6 months ago

yes but I don't see that being called (over IPC) by anyone else. Oh well, perhaps better to also patch that out

Ahrotahn commented 6 months ago

Yup, y'all are on the right track. The search engine helper shouldn't be loaded at all with the disable-search-engine-collection flag set. I've pushed an update to the PR for 125 to fix this.

Normally I'm checking for connections at startup and for external connections to Google when visiting pages. I wouldn't have thought to check for something like this before since it only makes sense that php.net would connect to php.net.

Devocub commented 5 months ago

Addedndum: css styles are fetched too. try this line (save as .html) <link rel="stylesheet" href="http://eu.httpbin.org/flasgger_static/swagger-ui.css"> Will send HTTP requests even if this enabled: "Always use secure connections Use HTTPS whenever possible and get warned before loading sites that don’t support it" but it will be blocked from use as DevTools says due to "mixed content". According to wireshark requests were sent and data was recieved (the data was not visible in devtools). I tested it on real https site.

http .js doesn't send any requests

PF4Public commented 5 months ago

Will send HTTP requests even if this enabled: "Always use secure connections

This could be a Chromium issue. Have you searched their bugtracker?

Devocub commented 5 months ago

@PF4Public hello, no - ungoogled. I tried to check if I can submit a bug there https://issues.chromium.org/new it asks for google account and when I click Create account I have this And it is not worth submitting because pretty sure there are other ways to abuse this https protection (and other ways and protocols to transfer unencrypted/not protected data), for example extensions can do such requests, (I was able to send http requests from userscript inserted into https page).

ungoogled-software / ungoogled-chromium