Data leakage when loading favicons #157

Open
Noir- opened this issue May 25, 2024 · 3 comments
Noir- commented May 25, 2024

It seems like this extension is trying to fetch the favicons from remote hosts every time a site is loaded. It is possible that the response is loaded from cache but it depends on many other factors.

The request also includes the referrer. This has implications on the user's privacy because it basically leaks a part of the browsing history of a user to the hosts. Despite that, this behaviour is not very efficient. I'd suggest that the icons are only downloaded once when the search engine is added.

@Pitmairen
Owner

This was solved in earlier versions of the extension by downloading the icons in the background page of the extension, and then serving the icons from the background page.

The problem now with the extension manifest V3 (that will soon be required for the extension to work) is that there is no longer a permanent background process running; the background process is stopped and started as needed by the browser.

So keeping the icons in memory in the background process no longer works. It is possible to save some data in some data storage, but the available storage is limited.

We could maybe fetch the icons every time the background process starts, but then the icons will sometimes be missing if the menu is opened before all the icons have finished downloading.

To prevent the referrer from getting sent, it should be possible to set the referrerpolicy on the image. This should fix the privacy issue. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/img#referrerpolicy

Moving the icon download to the background is harder to solve; I don't have a good solution for that at the moment.

@Pitmairen
Owner

I think I have found a solution for this that will bring back the old behavior where the icons were loaded in the background process.

There are some limits to the amount of data that can be kept in the background, so it could break for some users with a lot of search engines, or users using very large custom icons. But I think for most users it should work just fine.

It still needs some testing and some small tweaks, but hopefully I should be able to get this out soon.

@Pitmairen
Owner

In version 0.9.2, which should be available shortly, the icons are downloaded and cached in the background worker, similar to how it used to be in the 0.8.* versions.

This should make the icons load faster and also not leak any information as the icons are no longer loaded inline in each page.
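The approach discussed in this thread (download each icon once in the background worker, without a referrer, and serve it from a size-limited cache), as an added example that is not the extension's own code. The function names, the size caps and the injected `fetchImpl`/`storage` parameters are assumptions made for illustration.

```javascript
// Added example; all names and size caps are assumptions, not the extension's code.
const MAX_ICON_BYTES = 16 * 1024;   // assumed per-icon cap (large custom icons)
const MAX_TOTAL_BYTES = 256 * 1024; // assumed budget for the whole icon cache

// Encode bytes as base64; btoa exists in service workers and in Node.
function toBase64(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

// fetchImpl and storage are injected so the logic can run offline. In an
// extension they would be fetch and a storage area such as chrome.storage.session.
async function cacheIcons(urls, fetchImpl, storage) {
  const cached = (await storage.get("icons")).icons || {};
  let total = Object.values(cached).reduce((n, v) => n + v.length, 0);
  for (const url of urls) {
    if (cached[url]) continue; // already downloaded: no repeat request
    try {
      const res = await fetchImpl(url, {
        referrerPolicy: "no-referrer", // icon host never sees the visited page
        credentials: "omit",           // and receives no cookies
      });
      if (!res.ok) continue;
      const type = (res.headers.get("content-type") || "").split(";")[0].trim();
      if (!type.startsWith("image/")) continue; // only store image responses
      const bytes = new Uint8Array(await res.arrayBuffer());
      if (bytes.length > MAX_ICON_BYTES) continue; // skip oversized icons
      const dataUrl = `data:${type};base64,${toBase64(bytes)}`;
      if (total + dataUrl.length > MAX_TOTAL_BYTES) continue; // would exceed budget
      cached[url] = dataUrl;
      total += dataUrl.length;
    } catch {
      // Network failure: leave the entry out so the menu can show a default icon.
    }
  }
  await storage.set({ icons: cached });
  return cached; // url -> data: URL, usable as <img src> with no network request
}
```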
