Bug 796324 – Safe browsing is broken

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 796324 - Safe browsing is broken


Summary:	Safe browsing is broken


Status:	RESOLVED FIXED

Product:	epiphany
Classification:	Core
Component:	General
Version:	git master
Hardware:	Other Linux

Importance:	High major
Target Milestone:	---
Assigned To:	Epiphany Maintainers
QA Contact:	Epiphany Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2018-05-22 05:14 UTC by Michael Catanzaro
Modified:	2018-06-13 19:41 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Michael Catanzaro 2018-05-22 05:14:20 UTC

Epiphany is creating a 45 kB gsb-threats.db instead of the full one. There aren't any changes to the code that could possibly have broken this, so I assume something has changed on Google's end. sqlitebrowser indicates nothing is present in the database.

I'd like to check if we've used up our API quota, do we have a way to investigate this?

I'm disabling the gsb test so that I can release. When we've fixed this, we'll need to reenable it.

Comment 1 Michael Catanzaro 2018-05-22 16:15:39 UTC

We're hitting our "other requests" safe browsing API quota. We have unlimited quota for the update API, but a 10,000 requests/day limit for "other requests."

Gabriel says:

I believe this is the request that is considered as "other": https://developers.google.com/safe-browsing/v4/reference/rest/v4/threatLists/list
Epiphany uses only three requests: threatLists.list, threatListUpdates.fetch, fullHashes.find. The last two are listed as part of the Update API (https://developers.google.com/safe-browsing/v4/lists) for which we have unlimited quota.

Comment 2 Tomas Popela 2018-05-23 06:35:40 UTC

We probably have to again use this form https://docs.google.com/forms/d/e/1FAIpQLScMx4B_Q_bEPy7fjM866uqHmizlH1sUdrqJs12KOwyXjj912w/viewform. But I miss the "other requests" API type. Maybe we can ask for help on antiphish-malware-cap-req at google.com as it's written in the form.

Comment 3 Michael Catanzaro 2018-05-23 17:41:14 UTC

(In reply to Tomas Popela from comment #2)
> We probably have to again use this form
> https://docs.google.com/forms/d/e/
> 1FAIpQLScMx4B_Q_bEPy7fjM866uqHmizlH1sUdrqJs12KOwyXjj912w/viewform. But I
> miss the "other requests" API type. Maybe we can ask for help on
> antiphish-malware-cap-req at google.com as it's written in the form.

I've submitted a request using the form:

"""
Hi, the open source GNOME web browser (Epiphany) already has unlimited quota for the Update API (thank you for that!) but we are hitting the 10,000 request quota for "other requests" because of the threatLists.list request, which is counted for the "other requests" quota rather than the Update API quota. Since you've already kindly granted us the unlimited Update API quota, perhaps we could have that for "other requests" as well? Thanks a bunch! (Reference: https://bugzilla.gnome.org/show_bug.cgi?id=796324 and https://bugzilla.gnome.org/show_bug.cgi?id=796364.)
"""

I assume it will be handled by a human, so hopefully it will work. If I don't hear back by next Wednesday, I'll mail antiphish-malware-cap-req@.

Comment 4 Michael Catanzaro 2018-06-03 02:14:30 UTC

Almost forgot about this. They never replied. So we need to mail antiphish-malware-cap-req@ and hope a human is watching that.

Gabriel, would you like to handle this? If not, I can certainly send the mail.

Comment 5 Michael Catanzaro 2018-06-08 01:33:12 UTC

Um, forgot about this again. OK. Mailing the list now.

Comment 6 Michael Catanzaro 2018-06-13 19:41:06 UTC

Fixed now. We got our quota increase from Google, and also learned that we were not supposed to be calling this method anyway. Gabriel has removed its use now.