# Safe Browsing & www-client/firefox-62.0.3

## vm666

Is Google Safe Browsing broken in the latest Firefox packages?

I enabled the function, but when I got to https://testsafebrowsing.appspot.com/ I get no alert.

Did I do something wrong?

Edit: same problem with www-client/chromium-69.0.3497.100. This only works with www-client/google-chrome-70.0.3538.67 or www-client/firefox-bin-62.0.3.

i.e. Safe Browsing works with the binary packages, but not with the source packages.Last edited by vm666 on Sat Oct 20, 2018 1:28 pm; edited 3 times in total

----------

## Muso

 *vm666 wrote:*   

> Is Google Safe Browsing broken in the latest Firefox packages?
> 
> I enabled the function, but when I got to https://testsafebrowsing.appspot.com/ I get no alert.
> 
> Did I do something wrong?

 

I get plenty : https://i.imgur.com/EfH2bLR.png

```
[ebuild   R    ] www-client/firefox-62.0.3
```

----------

## vm666

 *Muso wrote:*   

> I get plenty : https://i.imgur.com/EfH2bLR.png

 

You have to click on the links to check every alert.

----------

## Muso

 *vm666 wrote:*   

>  *Muso wrote:*   I get plenty : https://i.imgur.com/EfH2bLR.png 
> 
> You have to click on the links to check every alert.

 

All links lead to examples.

----------

## vm666

 *Muso wrote:*   

> All links lead to examples.

 

Do you have any alert? Safe browsing should block these pages.

----------

## vm666

Another test page:

https://www.google.com/tools/firefox/safebrowsing/phish-o-rama.html

----------

## Fitzcarraldo

vm666,

I see the same behaviour as you. Google Safe Browsing is not working in Firefox 62.0.3 in my Gentoo installation.

----------

## vm666

 *Fitzcarraldo wrote:*   

> vm666,
> 
> I see the same behaviour as you. Google Safe Browsing is not working in Firefox 62.0.3 in my Gentoo installation.

 

I did another test.

Safe Browsing works with firefox-bin too. Said in another way, Safe Browsing works with the binary packages but appears to be disabled with Chromium or Firefox recompiled from the source packages.

Is this a licence problem?

----------

## vm666

Wouldn't it be a problem with GOOGLE_API_KEY?

If yes, where and how do I set this?

----------

## vm666

Should I open bugs for Firefox and Chromium?

----------

## Fitzcarraldo

vm666,

Have a look at https://wiki.mozilla.org/Security/Safe_Browsing

If you enter about:config in the Firefox address bar then safebrowsing in the search bar, you will see a list of Preferences that you can alter. Compare the Preferences in www-client/firefox-bin with the Preferences in www-client/firefox and you will likely find that some of the Safe Browsing preferences have been disabled in www-client/firefox. You could enable them to see if the behaviour becomes the same as with www-client/google-chrome and www-client/firefox-bin.

----------

## vm666

 *Fitzcarraldo wrote:*   

> If you enter about:config in the Firefox address bar then safebrowsing in the search bar, you will see a list of Preferences that you can alter. Compare the Preferences in www-client/firefox-bin with the Preferences in www-client/firefox

 

I already did that, I did not notice any difference. is there any way to export all this into text files to be able to run a diff on them?

 *Quote:*   

> and you will likely find that some of the Safe Browsing preferences have been disabled in www-client/firefox.

 

No. Everything is enabled.

----------

## Fitzcarraldo

 *vm666 wrote:*   

> is there any way to export all this into text files to be able to run a diff on them?

 

Not that I'm aware of. But I believe you can find if any have been changed from the defaults by using the following command:

```
$ grep safebrowsing ~/.mozilla/firefox/*.default*/prefs.js
```

----------

## vm666

 *Fitzcarraldo wrote:*   

>  *vm666 wrote:*   is there any way to export all this into text files to be able to run a diff on them? 
> 
> Not that I'm aware of. But I believe you can find if any have been changed from the defaults by using the following command:
> 
> ```
> ...

 

Actually, when I used the same profile first with firefox and then with firefox-bin, I got the same issue: safebrowsing KO with firefox, OK with the binary package. My hypothesis about the API Key is probably wrong (the SafeBrowsing  blacklist was correctly downloaded and could be used by firefox-bin) .

I'm recompiling the source package with different USE flags...

----------

## Fitzcarraldo

I've had a look at the www-client/firefox-62.0.3 ebuild and it appears to be missing the mozconfig option for Safe Browsing. I think the ebuild would need a line like the following in order to build Firefox for Safe Browsing:

```
mozconfig_annotate "Enable Safe Browsing" --enable-safe-browsing
```

or:

```
mozconfig_use_enable safe-browsing
```

I could be wrong, though, as I don't know if Mozilla has already included that option in the configuration files for Firefox. Anyway, you could try copying the ebuild and files to a local overlay on your machine, adding the above line to the ebuild, creating a new manifest and merging the package.

EDIT: Well, I tried the above myself, but couldn't get Firefox to build; an error message told me that the configure option is unknown:

```
mozbuild.configure.options.InvalidOptionError: Unknown option: --enable-safe-browsing
```

So I assume --enable-safe-browsing is no longer a valid option for Firefox 62.0.3. Actually, Safe Browsing works in Firefox 62.0.3 on my family's PC running Lubuntu, and about:buildconfig shows me that Firefox in Lubuntu does not have --enable-safe-browsing configured:

```
about:buildconfig

Source

Built from https://hg.mozilla.org/releases/mozilla-release/rev/c9ed11ae5c79df3dcb69075e1c9da0317d1ecb1b

Build platform

target

x86_64-pc-linux-gnu

Build tools

Compiler    Version    Compiler flags

/usr/bin/gcc -std=gnu99    7.3.0    -Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wduplicated-cond -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=free-nonheap-object -Wformat -Wformat-security -Wformat-overflow=2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe

/usr/bin/g++    7.3.0    -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wc++1z-compat -Wduplicated-cond -Wimplicit-fallthrough -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=free-nonheap-object -Wformat -Wformat-security -Wformat-overflow=2 -fno-sized-deallocation -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -freorder-blocks -O2 -fomit-frame-pointer

Configure options

--host=x86_64-linux-gnu --enable-application=browser --enable-update-channel=release MOZILLA_OFFICIAL=1 --with-l10n-base=/build/firefox-IVlCbR/firefox-62.0.3+build1/./l10n --with-google-api-keyfile=/build/firefox-IVlCbR/firefox-62.0.3+build1/debian/ga --disable-elf-hack --with-unsigned-addon-scopes=app MAKE=/usr/bin/make --enable-crashreporter --disable-gconf --disable-install-strip --enable-official-branding --enable-startup-notification --disable-updater --prefix=/usr --with-distribution-id=com.ubuntu --with-ua-vendor=Ubuntu
```

On my main laptop running Gentoo amd64, Firefox 62.0.3 about:buildconfig does not show any --enable-safe-browsing option either, but, unlike Firefox 62.0.3 in Lubuntu, Safe Browsing does not work.

```
about:buildconfig

Build platform

target

x86_64-pc-linux-gnu

Build tools

Compiler    Version    Compiler flags

/usr/bin/x86_64-pc-linux-gnu-gcc -std=gnu99    7.3.0    -Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wduplicated-cond -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=free-nonheap-object -Wformat -Wformat-security -Wformat-overflow=2 -march=native -pipe -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe

/usr/bin/x86_64-pc-linux-gnu-g++    7.3.0    -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wc++1z-compat -Wduplicated-cond -Wimplicit-fallthrough -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=free-nonheap-object -Wformat -Wformat-security -Wformat-overflow=2 -fno-sized-deallocation -march=native -pipe -fno-delete-null-pointer-checks -fno-lifetime-dse -fno-schedule-insns -fno-schedule-insns2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -O2 -fomit-frame-pointer

Configure options

PYTHON3=/usr/bin/python3.6 --host=x86_64-pc-linux-gnu --target=x86_64-pc-linux-gnu --enable-application=browser --disable-tests PKG_CONFIG=x86_64-pc-linux-gnu-pkg-config --enable-optimize=-O2 CC=x86_64-pc-linux-gnu-gcc LD=x86_64-pc-linux-gnu-ld CXX=x86_64-pc-linux-gnu-g++ HOST_CC=x86_64-pc-linux-gnu-gcc HOST_CXX=x86_64-pc-linux-gnu-g++ --disable-debug-symbols --enable-linker=bfd --enable-jack --enable-system-ffi --enable-default-toolkit=cairo-gtk3 --with-google-api-keyfile=/var/tmp/portage/www-client/firefox-62.0.3/work/firefox-62.0.3/google-api-key MAKE=/usr/bin/gmake XARGS=/usr/bin/xargs --disable-crashreporter --enable-dbus --enable-extensions=default --disable-gconf --disable-install-strip --enable-necko-wifi --enable-official-branding --enable-pie --enable-startup-notification --disable-strip --enable-system-pixman --disable-system-sqlite --disable-updater --libdir=/usr/lib64 --prefix=/usr --with-intl-api --with-nspr-prefix=/usr --with-nss-prefix=/usr --with-system-bz2 --without-system-icu --without-system-jpeg --without-system-libvpx --with-system-nspr --with-system-nss --with-system-png --with-system-zlib --x-includes=/usr/include --x-libraries=/usr/lib64

```

So I have run out of ideas.

----------

## Fitzcarraldo

I notice that Firefox 62.0.3 in Lubuntu -- where Safe Browsing works -- has the following under Firefox's 'Menu' > 'Preferences' > 'Privacy & Security':

 *Quote:*   

> Firefox Data Collection and Use
> 
> We strive to provide you with choices and collect only what we need to provide and improve
> 
> Firefox for everyone. We always ask permission before receiving personal information.
> ...

 

whereas Firefox 62.0.3 in Gentoo has the following:

 *Quote:*   

> Firefox Data Collection and Use
> 
> We strive to provide you with choices and collect only what we need to provide and improve
> 
> Firefox for everyone. We always ask permission before receiving personal information.
> ...

 

(The first option is greyed out.)

So I assume those options have been patched out by Gentoo developers. However, I have looked at the firefox-62.0.3 ebuild and the associated patch files:

```
$ grep -i patch /usr/portage/www-client/firefox/firefox-62.0.3.ebuild 

# Patch version

PATCH="${PN}-62.0-patches-01"

PATCH_URIS=( https://dev.gentoo.org/~{anarchy,axs,polynomial-c}/mozilla/patchsets/${PATCH}.tar.xz )

        ${PATCH_URIS[@]}"

        eapply "${FILESDIR}"/${PN}-60.0-blessings-TERM.patch # 654316

        eapply "${FILESDIR}"/${PN}-60.0-do-not-force-lld.patch

        eapply "${FILESDIR}"/${PN}-60.0-sandbox-lto.patch # 666580

        eapply "${FILESDIR}"/${PN}-60.0-missing-errno_h-in-SandboxOpenedFiles_cpp.patch

        # Allow user to apply any additional patches without modifing ebuild

$
```

```
$ ls /usr/portage/www-client/firefox/files/

bug_1461221.patch                    firefox-60.0-do-not-force-lld.patch                           firefox-60.0-sandbox-lto.patch            gentoo-default-prefs.js-2

firefox-52.9.0-blessings-TERM.patch  firefox-60.0-missing-errno_h-in-SandboxOpenedFiles_cpp.patch  firefox-60.0-update-cc-to-honor-CC.patch  gentoo-hwaccel-prefs.js-1

firefox-60.0-blessings-TERM.patch    firefox-60.0-rust-1.29-comp.patch                             gentoo-default-prefs.js-1                 icon

$
```

and I cannot see which variables and/or options and/or Preferences (gentoo-default-prefs.js-{1,2,3}) are used to disable Safe Browsing.

The Gentoo Wiki article on Firefox still mentions an old patch for Firefox 49.0 containing the variable MOZ_SAFE_BROWSING. However, I could not find MOZ_SAFE_BROWSING in the Firefox 62.0.3 source code, but a variable MOZ_SAFEBROWSING is mentioned in the Firefox 62.0.3 source code:

```
$ grep -r MOZ_SAFE-BROWSING firefox-62.0.3/*

$ grep -r MOZ_SAFEBROWSING firefox-62.0.3/*

firefox-62.0.3/toolkit/components/url-classifier/moz.build:    DEFINES['MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES'] = True

firefox-62.0.3/toolkit/components/url-classifier/ProtocolParser.cpp:#ifdef MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES

firefox-62.0.3/toolkit/components/url-classifier/ProtocolParser.h:#ifdef MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES

firefox-62.0.3/toolkit/components/url-classifier/ProtocolParser.h:#ifdef MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES

firefox-62.0.3/toolkit/components/url-classifier/ProtocolParser.h:#ifdef MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES

firefox-62.0.3/toolkit/components/url-classifier/nsUrlClassifierDBService.h:#ifdef MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES

firefox-62.0.3/toolkit/components/url-classifier/Classifier.cpp:#ifdef MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES

firefox-62.0.3/toolkit/components/url-classifier/Classifier.cpp:#endif // MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES

firefox-62.0.3/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:#ifdef MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES

firefox-62.0.3/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:#ifdef MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES

firefox-62.0.3/toolkit/components/url-classifier/tests/gtest/moz.build:# Required to have the same MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES

firefox-62.0.3/toolkit/components/url-classifier/tests/gtest/moz.build:    DEFINES['MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES'] = True

firefox-62.0.3/toolkit/components/url-classifier/Classifier.h:#ifdef MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES

firefox-62.0.3/toolkit/components/url-classifier/Classifier.h:#ifdef MOZ_SAFEBROWSING_DUMP_FAILED_UPDATES

$
```

So I created a patch file firefox-62.0.3-safe-browsing.patch for an ebuild firefox-62.0.3-r1.ebuild in my local overlay. I set both MOZ_SAFE_BROWSING and MOZ_SAFEBROWSING in order to try and hit the correct variable required to enable Google Safe Browsing:

```
$ diff /usr/local/portage/www-client/firefox/firefox-62.0.3-r1.ebuild /usr/portage/www-client/firefox/firefox-62.0.3.ebuild

191d190

<       eapply "${FILESDIR}"/${PN}-62.0.3-safe-browsing.patch

$ cat /usr/local/portage/www-client/firefox/files/firefox-62.0.3-safe-browsing.patch 

diff -crB a/browser/confvars.sh b/browser/confvars.sh

*** a/browser/confvars.sh       2018-10-01 19:35:17.000000000 +0100

--- b/browser/confvars.sh       2018-10-21 23:07:54.233017628 +0100

***************

*** 37,42 ****

--- 37,45 ----

  # Enable building ./signmar and running libmar signature tests

  MOZ_ENABLE_SIGNMAR=1

  

+ MOZ_SAFE_BROWSING=1

+ MOZ_SAFEBROWSING=1

+ 

  MOZ_APP_VERSION=$FIREFOX_VERSION

  MOZ_APP_VERSION_DISPLAY=$FIREFOX_VERSION_DISPLAY

  # MOZ_APP_DISPLAYNAME will be set by branding/configure.sh

$
```

I generated a manifest and merged firefox-62.0.3-r1::local_overlay. But it made no difference.

So then I created a patch file firefox-62.0.3-safe-browsing-v2.patch for an ebuild firefox-62.0.3-r2.ebuild in my local overlay. I set MOZ_SAFE_BROWSING, MOZ_SAFEBROWSING, MOZ_DATA_REPORTING, MOZ_TELEMETRY_REPORTING, MOZ_CRASHREPORTER and MOZ_SERVICES_HEALTHREPORT in order to try and hit the correct variable required to enable Google Safe Browsing:

```
$ diff /usr/local/portage/www-client/firefox/firefox-62.0.3-r2.ebuild /usr/portage/www-client/firefox/firefox-62.0.3.ebuild191d190

<       eapply "${FILESDIR}"/${PN}-62.0.3-safe-browsing-v2.patch

$ cat /usr/local/portage/www-client/firefox/files/firefox-62.0.3-safe-browsing-v2.patch

diff -crB a/browser/confvars.sh b/browser/confvars.sh

*** firefox-62.0.3/browser/confvars.sh  2018-10-01 19:35:17.000000000 +0100

--- firefox-62.0.3-r2/browser/confvars.sh       2018-10-22 15:43:17.077257308 +0100

***************

*** 69,71 ****

--- 69,78 ----

  

  # Include the DevTools client, not just the server (which is the default)

  MOZ_DEVTOOLS=all

+ 

+ MOZ_SAFE_BROWSING=1

+ MOZ_SAFEBROWSING=1

+ MOZ_DATA_REPORTING=1

+ MOZ_TELEMETRY_REPORTING=1

+ MOZ_CRASHREPORTER=1

+ MOZ_SERVICES_HEALTHREPORT=1

$
```

I generated a manifest and merged firefox-62.0.3-r2::local_overlay. That changed the Firefox menu, which now shows:

 *Quote:*   

> Firefox Data Collection and Use
> 
> We strive to provide you with choices and collect only what we need to provide and improve
> 
> Firefox for everyone. We always ask permission before receiving personal information.
> ...

 

('Allow Firefox to send backlogged crash reports on your behalf' is not shown, though.)

I also used about:config to enable any disabled telemetry preferences. But the end result was the same, i.e. Safe Browsing does not work. Really annoying!

----------

