Search Suggestions Enhancement #38137
Comments
So, multiple questions and concerns from the mobile side here related to the Additionally section.
So this is very vague: the user can add a character at any moment while the search is displayed, before the search is executed. To determine this, the only way I can think of is to compare the entry done in the search bar and the entry after a new entry is performed, i.e. whether it is a combination of the existing text + what is in the clipboard. So a question arises here: when the user copied a text we hid the search suggestions section, but let's say the user added a new character to the copied text; should we redisplay search suggestions again? First of all this is not easy to detect, and the execution of this will make search suggestions look janky and buggy in some circumstances. I am kinda questioning and struggling to understand the reasoning behind this. And this should be mentioned in the security ticket open for this issue; it is not mentioned there.
The first concern is that we should not manipulate the text the user copied for any reason on the client. It is the user who is entering this text, malicious or not. Our responsibility is to securely execute or block, etc., the query entered. This is what we are doing already; for instance you can't execute a malicious script from the URL bar, etc. Also, the example code linked from the Search repo is not removing any PII or anything from the query; it is doing some processing related to copy-pasting, and doing it in a way that first determines the query is copied if it is longer than a certain number of characters, and then using a function ?! called isSuspiciousQuery or isSafeQueryURLs and returning a boolean after some algorithm we have no details about here. And we also have no idea where this result is used. IMO both these options should not be implemented on the client side. And if they will be, they should be properly clarified and documented; in addition, this requirement should be mentioned in the security ticket.
For 1, just hide it when you paste; if you modify it then they can appear, no matter if you edited back to the original contents or not. Overall I think this ticket can be split into a few smaller ones.
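The rule in the comment above (hide suggestions on paste; any later edit shows them again, even an edit back to exactly the pasted text) as an added example. This is illustration code written for this page, not code from Brave, brave-core or the linked Search repo; the class and function names are made up, while the `InputEvent.inputType` values are the real DOM ones a web client receives (a native iOS client would map its own paste hook onto the same two cases). It deliberately makes no attempt at the `isSuspiciousQuery` / `isSafeQueryURLs` checks, since the thread gives no details about them.

```javascript
// Added illustration, not Brave code. Tracks whether search suggestions may be
// shown, using only two facts: did the last change come from a paste, and did
// the text change at all. No inspection of the pasted contents is done.

// DOM InputEvent.inputType values that mean "this change was a paste".
const PASTE_INPUT_TYPES = new Set(["insertFromPaste", "insertFromPasteAsQuotation"]);

class SuggestionGate {
  constructor() {
    this.text = "";
    this.suppressed = false; // set by a paste, cleared by the next real edit
  }

  // Called once per input event with the field's new value and the event's
  // inputType. Returns true if suggestions may be shown after this event.
  handleInput(newText, inputType) {
    const changed = newText !== this.text;
    this.text = newText;
    if (PASTE_INPUT_TYPES.has(inputType)) {
      // Paste: hide, regardless of what was pasted.
      this.suppressed = true;
    } else if (changed) {
      // Any non-paste edit re-enables suggestions, even when the resulting
      // text is identical to what was pasted earlier (the edge case raised
      // in the thread). An event that does not change the text is a no-op.
      this.suppressed = false;
    }
    return this.visible();
  }

  visible() {
    return this.text.length > 0 && !this.suppressed;
  }
}

// Replays [newText, inputType] pairs through a fresh gate and returns the
// visibility decision after each one.
function replay(events) {
  const gate = new SuggestionGate();
  return events.map(([text, type]) => gate.handleInput(text, type));
}

// Constructed scenario (assumed, not captured from a device):
// type "br", paste "ave", delete a char, retype it, paste again, clear field.
const SAMPLE_EVENTS = [
  ["b", "insertText"],                  // visible
  ["br", "insertText"],                 // visible
  ["brave", "insertFromPaste"],         // hidden: paste
  ["brav", "deleteContentBackward"],    // visible: user edited
  ["brave", "insertText"],              // visible: same text as pasted, but typed
  ["brave search", "insertFromPaste"],  // hidden again
  ["", "deleteContentBackward"],        // empty field: nothing to suggest
];

function sampleDecisions() {
  return replay(SAMPLE_EVENTS);
}

// Browser wiring (only meaningful with a DOM; not exercised by the sample).
// setSuggestionsVisible is a hypothetical UI callback.
function attachToSearchField(inputEl, setSuggestionsVisible) {
  const gate = new SuggestionGate();
  inputEl.addEventListener("input", (e) => {
    setSuggestionsVisible(gate.handleInput(inputEl.value, e.inputType));
  });
  return gate;
}
```

The point of keying on the event type rather than on comparing the field's old contents with the clipboard is that it needs no clipboard read and no guess about where the pasted text landed, so the "edited back to the original contents" case costs nothing extra.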
Totally agree we should be adding these additional parts into new tickets so we can discuss their relevance and also open new security tickets for them. For 1, I think we are on the same page; I really do not understand the reasoning behind it, and we should carry it over to a new issue and discuss it there. And for 2, it needs a brand new ticket with proper requirements even to start, and also a security ticket for the proposed changes, which isn't so clear.
I found more details in the spec, so it's not really up to us. I will work on it and I shared our concerns in that spec as well. |
Please note that there are other settings like #38688 (comment) that are at play here. Disabling Search Suggestions entirely should probably disable (#38688 (comment))
@Uni-verse @hffvld I went through brave/brave-core#24376 (comment) as we had uplifts into
Verified on Brave Default SE (US)
Brave Not Default SE (Sweden)
Brave Not Default Upgrade Case (Russia)
Description:
For context please search for Spec: Brave Search Suggestions Default On (2024) on GDrive
Security Review: https://github.com/brave/reviews/issues/1567
When Brave Search is set as the default search engine (Standard Tab), search suggestions will be enabled by default. Given this, for New Users of Brave who download the browser in countries where Brave Search is the default, please:
Additionally, for all users of Brave:
For Reference:
The 12 countries where Brave Search is currently set as default include: US, CA, GB, DE, FR, MX, BR, IN, ES, AR, AT, IT.
Additionally: