Search Suggest URL policy triggers captchas for large organizations
Issue description

Background of the issue is in b/69473709. If customers use the DefaultSearchProviderSuggestURL policy and have it set to a URL like: https://www.google.com/search?q={searchTerms} then they are likely to get search captchas on a network with many users with this policy set (e.g. a large school). Recommendation is to correct the policy URL to be: {google:baseURL}complete/search?output=chrome&q={searchTerms}. This bug is to track if we might be able to detect and "self-correct" this bad policy within the Chrome browser client itself. We can prevent admins from setting this policy within our admin console, but that does not solve for organizations who set policy via Active Directory, Linux or macOS. Can the browser itself detect these bad URLs and self-correct, thus fixing the issue for all customers? Andrew, assigning to you for prioritization.
Dec 8 2017
Over to dskaram to prioritize. My take is we should WontFix this - the whole point of this policy is to give admins fine-grained control over exactly what's sent up in that URL, so we shouldn't modify it with what we *think* it should be. We also already document the correct URL in our policy documentation, but maybe we should be more clear in cpanel UI?
Dec 8 2017
IMHO, we should block customers from setting policy in a way that causes them to effectively DoS us (the search captcha is essentially DoS protection on our end). However we do it, I don't think Chrome should accept the google.com/search URL for this policy. Rewriting was one idea but simply rejecting the policy as invalid (client-side since admin console is not the only place this can be set) may be another.
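The issue description gives the bad and recommended forms of DefaultSearchProviderSuggestURL, and the comment above proposes rejecting the web-search form client-side. The following is an added example (not Chrome code and not part of this bug) of the kind of validation an admin could run over a managed-policy JSON document of the sort Chrome reads on Linux from /etc/opt/chrome/policies/managed/. The sample policy documents are constructed for the example; the set of hosts treated as Google web search front ends and the rule "host is a Google host and path is exactly /search" are assumptions of this checker, not Chrome's own logic.

```python
"""Flag DefaultSearchProviderSuggestURL values that point at Google web search.

Added example, not Chrome code. Assumes the policy value is a URL template
using the {searchTerms} and optional {google:baseURL} placeholders, as the
issue description shows.
"""
import json
from urllib.parse import urlsplit

POLICY = "DefaultSearchProviderSuggestURL"
RECOMMENDED = "{google:baseURL}complete/search?output=chrome&q={searchTerms}"


def is_google_host(host):
    """Assumption: google.com and its country variants (google.co.uk, ...)."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host == "google.com" or host.startswith("google.")


def classify_suggest_url(url):
    """Return 'ok', 'web-search' (the pattern that triggers captchas),
    or 'missing-placeholder' (no {searchTerms} at all)."""
    if "{searchTerms}" not in url:
        return "missing-placeholder"
    # Expand the base-URL placeholder so {google:baseURL}search?... is caught too.
    expanded = url.replace("{google:baseURL}", "https://www.google.com/")
    parts = urlsplit(expanded)
    if is_google_host(parts.netloc) and parts.path.rstrip("/") == "/search":
        return "web-search"
    return "ok"


def check_policy_document(text):
    """Parse a managed-policy JSON document; return a finding dict or None
    when the policy is not set."""
    policy = json.loads(text)
    url = policy.get(POLICY)
    if url is None:
        return None
    verdict = classify_suggest_url(url)
    return {
        "url": url,
        "verdict": verdict,
        "recommended": None if verdict == "ok" else RECOMMENDED,
    }


# Constructed sample policy documents (not real customer data).
BAD_POLICY = json.dumps({POLICY: "https://www.google.com/search?q={searchTerms}"})
GOOD_POLICY = json.dumps({POLICY: RECOMMENDED})

if __name__ == "__main__":
    for doc in (BAD_POLICY, GOOD_POLICY):
        print(check_policy_document(doc))
```

The same classify_suggest_url check applies to values read from the Windows registry or a macOS plist; only the loader differs.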
Dec 9 2017
Agreed that we shouldn't be messing with customer input. This can get real hairy with tons of caveats. Jay, can we simply query for all domains doing this and reach out to them directly? We should also update the help center article to mention this caveat. Where exactly are customers getting this URL from? They are probably copy-pasting it from somewhere (Stack Overflow?). We should find the source of this misinformation and correct it.
Comment 1 by kkaluri@chromium.org, Dec 8 2017