Chromium Docs

How Safe Browsing Lookup Interacts with Navigation

Overview

During navigation, Chrome checks the Safe Browsing reputation of each URL and decides whether to show a warning to the user. This document describes how Safe Browsing lookup interacts with navigation and how Safe Browsing lookups affect the speed of navigation.

Background

When a user navigates to a URL, Chrome checks the Safe Browsing reputation of the URL before the URL is loaded. If Safe Browsing believes that the URL is dangerous, Chrome shows a warning to the user:

warning page

Chrome can perform three types of Safe Browsing checks during navigation:

  • The hash-prefix database check (HPD).
  • The URL real-time check (URT).
  • The hash-prefix real-time check (HPRT).

Only the HPD check is on the blocking path of navigation. Before the check is completed, the navigation is not committed, the page body is not read by the renderer, and the user won’t see any page content in their browser.

Real-time checks (URT and HPRT) take longer than HPD checks. To ensure smooth user experience, they don't delay navigation. This means the navigation can proceed before the check is completed and the user may see the page before the warning is shown. When real-time checks are enabled, an additional HPD check is added to ensure users are still protected against threats like exploits against the browser.

NOTE: There is another type of Safe Browsing check called Client Side Phishing Detection (CSD). It also checks the reputation of the page. However, this check is performed after the navigation is committed and it doesn’t block the navigation, so it is out-of-scope for this doc.

Navigation Basics

Life of a Navigation gives a high level overview of a navigation from the time a URL is typed in the URL bar to the time the web page is completely loaded. It breaks down a frame navigation into two phases:

  • Navigation phase: From the time the network request is sent to the time the a navigation is committed. Note that at this point, nothing is rendered on the page.
    • Any of the three Safe Browsing checks above may be performed in this phase, depending on user consent. The URT check is only performed if the user has agreed to share URLs with Google. The HPRT check is used in most other scenarios, but in incognito mode or other cases when the real-time checks are unavailable, the HPD check will be performed instead.
  • Loading phase: Consists of reading the response body from the server, parsing it, rendering the document so it is visible to the user, executing any script, and loading any subresources (images, scripts, CSS files) specified by the document.
    • Safe Browsing doesn't check subresources, iframes or websocket connection.

Navigation Concepts covers a set of important topics to understand navigation, such as:

  • Same-document and cross-document navigation. Same-document navigation keeps the same document and changes states associated with it. Some examples of same-document navigation are fragment navigation (https://foo.com/1.html#fragment) and using the history.pushState API.
    • Same-document navigation can change the URL, but Safe Browsing doesn’t check these navigation. Same-document navigation doesn’t pose a security risk because no new content is loaded from the network.
  • Server redirects and client redirects. A server redirect happens when the browser receives a 300-level HTTP response code before the document commits, telling it to request a different URL, possibly cross-origin. A client redirect happens after a document has been committed, when the HTML in the document instructs the browser to request a new document (e.g., via meta tags or JavaScript).
    • Redirect URLs are all checked by Safe Browsing. Server redirects are checked in the navigation phase and client redirects are checked after a document is committed.

Workflow

workflow

As illustrated above, only the HPD check delays navigation in the navigation phase. It blocks the navigation before it is committed. The check needs to finish checking all URLs (including redirect URLs) before committing the navigation. If one of the URLs (initial URL or redirect URLs) is classified as dangerous, a warning page will be shown and the navigation will be canceled.

For URT and HPRT checks, they don't delay navigation. If they find any URL to be dangerous, a warning will be triggered immediately.

All three checks are initiated from the browser process.

Speed

Safe Browsing checks and network requests are performed in parallel. Performing a Safe Browsing check doesn’t block the start of network requests or the fetch of response header and body. It doesn’t block redirects either.

However, completion of the HPD check does block the browser from reading or parsing the response body. When the response header is received, the HPD check will block the navigation if the check is not completed.

HPD check won’t slow down the navigation if it is completed before the response header is received. If the HPD check is not completed at this point, the response body will still be fetched but the renderer won’t read or parse it.

SafeBrowsing.BrowserThrottle.TotalDelay2 is the metric to measure the speed of Safe Browsing checks. 0 means that the Safe Browsing check is completed before the response header is received -- it doesn't delay the navigation.

Real-time checks, on the other hand, don't affect the loading speed.

Implementation Details

Safe Browsing blocks navigation by implementing the URLLoaderThrottle interface. This interface provides several phases to defer URL loading:

  • WillStartRequest(request, defer)
  • WillRedirectRequest(request, defer)
  • WillProcessResponse(request, defer)

The throttle can mark defer as true if it wants to defer the navigation and can call Resume to resume the navigation.

The throttle class is BrowserUrlLoaderThrottle. The throttle only marks defer as true in WillProcessResponse.

Safe Browsing doesn’t defer navigation forever. The current timeout is set to 5 seconds. If the check is not completed in 5 seconds, the navigation will resume.