Search.query() practically doesn't work, presumably due to CSP when sending POST request

I am very much not a developer, so please excuse and point out any silly stuff 🙂

I use the HTML variant of DuckDuckGo available at https://html.duckduckgo.com/html/. I added the search engine by going to the aforementioned URL and right-clicking in the address bar and adding the search engine. As of the recent version 2.2.0 Vimium seems to be using search.query() to perform a search using the browser’s default search engine.

Interestingly, this broke the search functionality for me. I looked into it a bit and reported the issue on the Vimium issue tracker, where the kind GitHub user philg-dev took the time to investigate.

They came to the conclusion that what’s probably going on is that, as the DuckDuckGo HTML and Lite variants specify POST as the request method in their OpenSearch description, the “POST requests through Vimium result in failure due to the Content Security Policy, since Vimium’s Vomnibar sends an HTTP POST request with Origin: moz-extension://964d1f78-8013-445f-b3d0-4cace47a2eb4, which obviously doesn’t align with anything that is defined in DDG’s CSP.”

As I’ve mentioned, I am no developer, so I’m very unsure, but I feel like perhaps this isn’t how it’s supposed to be? My impression is that search.query() is supposed to allow performing a search just like the browser would. Of course, I might be very wrong!

Is there nothing that may be improved on the side of the browser? Is this just how it is and should be and the DuckDuckGo HTML and Lite variants should use GET requests if they want this use case to work?

Anyway, I’m very curious to hear any thoughts on this matter.

A workaround is to change/remove the Origin header with declarativeNetRequest.
But I don’t know if this is a clean solution - maybe there’s a better one.

Vimium doesn’t even have to do this itself.
It’s enough to install the attached extension.

It has two rules:

Firefox ignores the second rule, because it has a lower priority.
Just switch the priorities to enable the second rule.

Set Origin header for DDG.zip (1003 Bytes)

Tested on Firefox 137.0.2 with Vimium 2.2.1.
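
The workaround described in the post above, sketched as an added example (it is not part of the original post and not the contents of the attached extension): two `declarativeNetRequest` `modifyHeaders` rules for the `Origin` request header, plus a small matcher that shows which requests they touch and which rule wins on priority. The host is taken from the thread; the rule ids, priorities, the `set` value and the `main_frame` scope are assumptions.

```javascript
// Added example. The host comes from the thread; rule ids, priorities, the
// "set" value and the main_frame scope are assumptions.
const DDG_HOST = "html.duckduckgo.com";

// Build one modifyHeaders rule for the Origin request header, scoped as
// tightly as the use case allows: Origin is what servers use to tell
// same-site from cross-site POSTs, so it should not be rewritten broadly.
function originRule(id, priority, headerOp) {
  return {
    id,
    priority,
    condition: {
      requestDomains: [DDG_HOST],     // this host (and its subdomains) only
      requestMethods: ["post"],       // only the POST search submission
      resourceTypes: ["main_frame"],  // assumes the search loads as a top-level page
    },
    action: {
      type: "modifyHeaders",
      requestHeaders: [{ header: "origin", ...headerOp }],
    },
  };
}

// Two rules, as in the post: the higher priority one is the one that applies.
const RULES = [
  originRule(1, 2, { operation: "remove" }),
  originRule(2, 1, { operation: "set", value: "https://" + DDG_HOST }),
];

// Simplified matcher for the three condition keys above (not the browser's engine).
function matches(rule, req) {
  const host = new URL(req.url).hostname;
  const c = rule.condition;
  return c.requestDomains.some((d) => host === d || host.endsWith("." + d)) &&
    c.requestMethods.includes(req.method.toLowerCase()) &&
    c.resourceTypes.includes(req.type);
}

// Origin operation that takes effect for a request, or null if no rule matches.
// Models only the remove-versus-set case: the higher priority rule wins.
function effectiveOriginOp(rules, req) {
  const hit = rules
    .filter((r) => matches(r, req))
    .sort((a, b) => b.priority - a.priority)[0];
  return hit ? hit.action.requestHeaders[0] : null;
}
```

In an extension, the same rule objects would be shipped as a static rule file or registered with `browser.declarativeNetRequest.updateSessionRules({ addRules: RULES })`.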

This strikes me as a Firefox bug. I double checked the OpenSearch declaration embedded on https://html.duckduckgo.com/html and verified that it explicitly declares it uses a POST method.

I dug around a bit in Firefox’s bug tracker and found a few related bugs (1615901 is especially close), but nothing that directly covers this issue.

I’ve taken the liberty of opening a bug report based on this thread.


Thank you so so much for taking the time, looking into it, and opening a bug report!

And, of course, thank you @hans_squared too for taking the time, looking into it, and proposing a workaround!