New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Search engine collection still sends requests #2659
Comments
@Devocub Have you attempted to reproduce this issue in the latest available version? Is this still an issue? |
@PF4Public just tried, still reporducible 124.0.6367.201 |
@Ahrotahn IIRC you did test ungoogled-chromium with wireshark and found no suspicious activity. Could this be something you missed? |
Can reproduce |
I'm actually not sure what codepath the request is taking. Only https://source.chromium.org/chromium/chromium/src/+/main:chrome/renderer/chrome_render_frame_observer.cc;l=259;drc=2246014e44711f62566fcbb784a6926b1ba5b980;bpv=1;bpt=1 looks relevant (which we already disable with the "disable-search-engine-collection" flag) |
yes but I don't see that being called (over IPC) by anyone else. Oh well, perhaps better to also patch that out |
Yup, y'all are on the right track. The search engine helper shouldn't be loaded at all with the disable-search-engine-collection flag set. I've pushed an update to the PR for 125 to fix this. Normally I'm checking for connections at startup and for external connections to Google when visiting pages. I wouldn't have thought to check for something like this before since it only makes sense that php.net would connect to php.net. |
OS/Platform
Windows
Installed
https://ungoogled-software.github.io/ungoogled-chromium-binaries/
Version
120.0.6099.129
Have you tested that this is not an upstream issue or an issue with your configuration?
--user-data-dir
command line argument and it could not be reproduced thereDescription
Request to collect search engine is made when collection is disabled
How to Reproduce?
Actual behaviour
I believe this line in source code of php.net page is for search engine collection
<link rel="search" type="application/opensearchdescription+xml" href="http://php.net/phpnetimprovedsearch.src" title="Add PHP.net search">
Even though "Always use secure connections" and search engine collection is disabled request still made, and over http (so some security risk).
It is not a bug to be precise because disabling collection doesn't mean disabling requests to this link (and not doing this request = more fingerprinting). And request over http is Chromium bug. But since that was surprising behaviour for me I decided to leave this feedback.
Expected behaviour
No requests.
Relevant log output
No response
Additional context
You can add "Disable serach engine collection requests" flag.
You can report issue about security stuff to Chromium.
You can close this issue immediately.
The text was updated successfully, but these errors were encountered: