Skip to content

Warn users about installing search engines

There are a few ways to install custom search engines. Each has a risk of the search provider linking the user between sessions if the search URL is sufficiently unique. I think it would make sense to change the UI to warn users of the potential risk.

Install paths

1. Settings.

If the user goes to the "Search" settings, they can add their own search engine with "Add".

Seems low risk since the user is explicitly entering the search URL themselves, so would be in a good position to review it. Although this may take some technical knowledge.

2. Url bar switcher.

E.g. visit de.wikipedia.org and start typing a search in the url bar and select the "pick a search engine" button. Then "Wikipedia (de)" will appear in the list. Clicking this button will install and use the engine. Since it is now installed, it may appear in future search queries as a suggestion.

Seems medium risk. The button itself is not sufficiently clear about the permanent effect (I opened bugzilla bug 1984110 and offers no chance for the user to review the URL that is about to be saved. This is offset by the fact that the path to get here is a little awkward.

3. Url bar suggestion.

I suspect that this is currently broken due to #43525, but this is how it should work. Visit de.wikipedia.org and start typing a search in the url bar. You will get a suggestion to temporarily use the wikipedia search. If you use the feature again, and you are not in a private window, you will get a prompt asking you if you want to install the search engine:

Screenshot of a prompt to add the wikipedia (de) search engine.

Seems medium risk. This action is more encouraged by the browser itself. But it is offset by the non-private browsing requirement, and the behaviour being clearer than install path number 2.

4. Search forms.

E.g. go to https://wikipedia.org and open the context menu for the search input. Selecting "Add Search Engine" will add a custom search engine with the URL https://www.wikipedia.org/search-redirect.php?family=wikipedia&search=%s&language=en&go=Go. Even though a form is shown to the user, the URL itself is not visible.

Seems medium risk. Seems like a high risk of accidentally getting unique search urls, but requires some fairly explicit user actions.

Mitigation

I think all these paths are ok if they are accompanied by a warning to the user, similar to the downloads warning. And a means for the user to see the URL themselves.

Existing users

Since some of these paths existed prior to 140, we may want to warn existing users with custom search engines to one-off review them.

/cc @felicia @donuts @morgan @pierov @ma1

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information