Closed
Bug 926761
Opened 11 years ago
Closed 6 years ago
URL guessing/searching are major privacy/security problems and need to be easily configurable, with prompt or default-off.
Categories
(Firefox :: Address Bar, defect)
Tracking
RESOLVED
INACTIVE
People
(Reporter: abcdzywx, Unassigned)
Details
(Keywords: privacy-review-needed)
Firefox's features of automatic keyword-searching and domain-guessing from the address bar are unwanted features by much of the user base, and cause a major privacy and security problem for users especially in corporate intranet environments. This guessing and searching transmit URLs with potentially-sensitive information to the user's default search engine or to incorrect and potentially-malicious websites.
Currently, Firefox 24 is just as user-unfriendly as Microsoft Internet Explorer in disabling URL guessing and searching. Microsoft forces Internet Explorer users to go into the Group Policy editor to an unintuitive, hard-to-find setting to disable this functionality. Similarly, Firefox requires users to go into the advanced "about:config" registry and disable two separate named preferences, "keyword.enabled" and "browser.fixup.alternate.enabled", to disable the searching and domain-name-guessing respectively. In either case, the user has to search online for the specific instructions on how to disable these unwanted features, rather than an intuitive, user-friendly option being available, and this is only after the user is blindsided by unwanted URL guessing/searching.
Here is an example of the problems this poses: Suppose that Bob, an employee using a corporate network, needs to access the intranet website "http://secret-server-name", which is supposed to be only internally known to employees of Bob's company and only works on the corporate LAN. Normally, Bob would enter "secret-server-name" into Firefox's location bar in order to access the intranet site. But, one day, the server "secret-server-name" goes down. Bob attempts to access the website as usual, but now Firefox instead does a Google search for "secret-server-name" against Bob's intentions, thus divulging "secret-server-name" to Google, which can keep a record of this and even associate the search history with Bob's Google account if he is logged in. Frustrated with this unwanted breach of sensitive information, Bob searches and figures out how to go into "about:config" to disable the "keyword.enabled" setting. Thinking that this has solved the problem, Bob now re-attempts to enter "secret-server-name", but this time Firefox redirects to "http://www.secret-server-name.com" on the public Internet. Suppose that it just so happens that "www.secret-server-name.com" is run by a domain squatter, Eve. Firefox has now divulged "secret-server-name" to Eve, who will have a record of the fact that an IP address at Bob's company attempted to use this name. The use of the name "secret-server-name" at Bob's company has now been leaked to both Google and to Eve. Only after both of these things happen does Bob find out about the second setting, "browser.fixup.alternate.enabled".
It gets even worse when query strings are taken into account: Consider the same example above, except that this time, Bob is using a confidential intranet site with a query string containing sensitive information: "http://secret-server-name?secretName=secretValue". Now, sensitive information besides just an internal domain name will be leaked to Google and to Eve.
Domain-name guessing and searching may be desired features for some users, but they are highly undesirable and a breach of IT security for other users. It is well-documented in older tickets here on Bugzilla, as well as elsewhere, that these features cause such problems. There needs to be a user-friendly setting in the Options dialog to easily enable/disable all "smart" features of the Location bar. For example, it could be a checkbox named "URL privacy" or "Enable smart searching/guessing in the Location bar".
In addition, there is controversy among the Mozilla community over whether these features should be enabled or disabled by default, although this may not have yet been viewed in the light of security and privacy risks. Either the option should be disabled by default, or a good compromise would be to make a prompt similar to those for remembering passwords. The user could be prompted with a message saying that the server was not found, and be provided the option to run it as a search or to guess the domain name, or to decline any smart searching. There could be a checkbox for remembering the preference. This would be a much safer and desirable alternative to users than being blindsided with their sensitive information being divulged without their consent.
Please make these feature changes to the Firefox web browser, especially for the IT security reasons described herein. Don't continue to be like Micro$oft and make this difficult for users.
(In reply to abcdzywx from comment #0)
Adding a couple of notes in early before any resolution:
> Here is an example of the problems this poses: Suppose that Bob, an employee
> using a corporate network
Workarounds for deploying Firefox in a corporate workplace with changed default preferences are at
http://mike.kaply.com/2012/03/15/customizing-firefox-default-preference-files/
and
http://mike.kaply.com/2012/02/09/integrating-add-ons-into-firefox/ for finer-grained tuning.
In my case I added the following two bookmarked URLs into the bookmarks toolbar appropriately named for users to understand:
about:config?filter=keyword.enabled
about:config?filter=browser.fixup.alternate.enabled
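As an added illustration of the deployment checks the two comments above describe (this is not code from the bug, from Mozilla or from the linked posts), the following Python script parses a prefs.js / user.js / distribution default-preferences file, reports whether the two leak-prone features are still effectively on, and emits the two user.js lines that turn them off. The sample file content is constructed, and it is assumed that both preferences default to true when absent, as the bug states for Firefox 24.

```python
import re

# Preferences named in the bug, with their assumed shipping defaults (both on).
URL_LEAK_PREFS = {
    "keyword.enabled": True,                  # turns non-URLs into a search-engine query
    "browser.fixup.alternate.enabled": True,  # guesses www.<name>.com for bare names
}

# Matches pref("name", value); (default-pref files) and user_pref("name", value); (user.js/prefs.js).
_PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;',
    re.MULTILINE,
)

def parse_prefs(text):
    """Return {name: value} for every pref()/user_pref() line in prefs.js-style text."""
    prefs = {}
    for name, raw in _PREF_RE.findall(text):
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[name] = value  # a later line for the same pref overrides an earlier one
    return prefs

def audit_url_bar(text):
    """Map each leak-prone pref to its effective value (file value, else assumed default)."""
    prefs = parse_prefs(text)
    return {name: prefs.get(name, default) for name, default in URL_LEAK_PREFS.items()}

def hardened_user_js():
    """user.js lines that disable both features, i.e. the 'default-off' state the bug asks for."""
    return "".join(f'user_pref("{name}", false);\n' for name in URL_LEAK_PREFS)

# Constructed sample profile: only keyword search was switched off, as in Bob's first attempt,
# so domain guessing is still active and the audit flags it.
SAMPLE_PREFS = '''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("keyword.enabled", false);
'''

if __name__ == "__main__":
    for name, enabled in audit_url_bar(SAMPLE_PREFS).items():
        print(f"{name}: {'ENABLED (leak risk)' if enabled else 'disabled'}")
    print(hardened_user_js(), end="")
```

Running it against a real profile's prefs.js (or a distribution defaults file, which uses the `pref(` form) shows at a glance which of the two transformations the address bar will still perform.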
Thank you for sharing that, but this still is not a user-friendly option -- you still have to answer a warning about "voiding" your "warranty" / "I'll be careful, I promise!", and the way this option is presented is not user-friendly. A corporate environment is just one example; this issue also impacts everyday users who may not want their URL entries to be transformed and transmitted to unauthorized entities.
How about this analogy: If you go to the supermarket and try to discreetly ask a clerk for something like wart remover, how would you feel if the clerk shouted out loud to his/her coworkers in front of everyone, "Hey! Does anyone know where the wart remover is?!!" Firefox is doing the same thing -- you are giving it "secret-server-name" or perhaps even a public Internet website that may happen to be down at the moment, and Firefox is automatically going out to the world without your consent and saying, "Hey world, does anyone know what this user's talking about? Google, do you know? www.secret-server-name.com, how about you, do you exist?" Before someone or something automatically shares your private information, it/he/she should have your consent. It should not be so complicated for people to make this core setting, and it should not have a problematic default.
Updated•11 years ago
Keywords: privacy-review-needed
Comment 3•6 years ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE