Bug 368106 - Query params sent when reporting a phishing site could contain sensitive info. r=gavin
authorMax Li <maxli@maxli.ca>
Mon, 06 May 2013 21:34:01 -0400
changeset 142035 8ef4542be8fdf58b6e0b1c292320323b2a208e33
parent 142034 db4714007b1f45ba79c0dbbeb663171d0e247c77
child 142036 06f0445a50abb89dcba39c82bd7bf07904d1edbe
push id2579
push userakeybl@mozilla.com
push dateMon, 24 Jun 2013 18:52:47 +0000
treeherdermozilla-beta@b69b7de8a05a [default view] [failures only]
reviewersgavin
bugs368106
milestone23.0a1
Bug 368106 - Query params sent when reporting a phishing site could contain sensitive info. r=gavin
browser/base/content/browser-safebrowsing.js
--- a/browser/base/content/browser-safebrowsing.js
+++ b/browser/base/content/browser-safebrowsing.js
@@ -34,15 +34,20 @@ var gSafeBrowsing = {
   /**
    * Used to report a phishing page or a false positive
    * @param name String One of "Phish", "Error", "Malware" or "MalwareError"
    * @return String the report phishing URL.
    */
   getReportURL: function(name) {
     var reportUrl = SafeBrowsing.getReportURL(name);
 
-    var pageUrl = gBrowser.currentURI.asciiSpec;
-    reportUrl += "&url=" + encodeURIComponent(pageUrl);
+    var pageUri = gBrowser.currentURI.clone();
+
+    // Remove the query to avoid including potentially sensitive data
+    if (pageUri instanceof Ci.nsIURL)
+      pageUri.query = '';
+
+    reportUrl += "&url=" + encodeURIComponent(pageUri.asciiSpec);
 
     return reportUrl;
   }
 }
 #endif
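Review bot: Only the query is cleared before `pageUri.asciiSpec` is appended to the report URL, so a fragment and any `user:password@` part of the current URL are still sent; both can carry secrets just as the query can. Cloning with `var pageUri = gBrowser.currentURI.cloneIgnoringRef();` would drop the fragment, and `try { pageUri.userPass = ""; } catch (e) { /* URI has no userinfo component */ }` would drop embedded credentials (the setter presumably throws on URIs without an authority, hence the guard). Separately, when `pageUri` is not an `nsIURL` the `instanceof` check is skipped and the full spec goes out unchanged, so the comment should say that such URIs are sent as-is or the code should handle them explicitly. As a style point, the new `if` has no braces and uses `''` where the surrounding code uses double quotes. The `gSafeBrowsing` object that contains `getReportURL` starts outside this hunk.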