Closed Bug 1079687 Opened 10 years ago Closed 10 years ago

Lock sign in path/query/fragment shown

Categories

(Firefox :: Address Bar, defect)

Product:
Firefox
Component:
Address Bar
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 808234

People

(Reporter: zcorpan, Unassigned)

Details

Hmm. Bugzilla ate my comment. :-( Trying again: http://example.org/<U+1F512> shows a lock in the address bar without being secure. Unicode has a "lock" character: http://www.fileformat.info/info/unicode/char/1f512/index.htm U+1F512 (plus a few others: U+1F513 U+1F510 U+1F50F) This can be used the in path or query or fragment of the URL and be shown in the address bar. This seems like it could confuse users into thinking the site is secure. (Probably this happens on all platforms if there is a glyph for the character.)
Example URI: http://www.fileformat.info/info/unicode/char/1f512/index.htm?%F0%9F%94%92 I really don't know that we try to protect the URL bar from site-generated content, as long as the eTLD+1 is visible and not spoofable. Gavin, who should make a decision about this?
Flags: needinfo?(gavin.sharp)
Group: core-security
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(gavin.sharp)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.