Open Bug 1356182 Opened 3 years ago Updated 1 year ago
Custom tabs: cannot display long URL properly
If we navigate to a long URL, the title-view or url-view doesn't wrap well. I only reproduced it on Nexus-5/Android 6.0.1 (navigate to https://www.google.com.tw). Not sure whether prior Android versions are affected or not.
We can set ellipsize to the text view. Sebastian, do you think it might cause a potential security bug?
(In reply to Julian Chu [:walkingice] from comment #1)
> Created attachment 8857888 [details]
> set ellipsize to text view
>
> We can set ellipsize to the text view.
>
> Sebastian, do you think it might cause a potential security bug?

It's one of those things where someone could try to spoof the URL by pretending to be another page by moving the actual page domain out of the visible area. A naive way of doing this would be [wwwwwwwwwwwwwwwwwww.google.com].evil-site.com where only the part between [] is visible. Chrome custom tabs seem to suffer from the same problem (see attached screenshot).

This isn't even fully solved in Fennec - although you can at least click into the URL bar and then see everything. See bug 1236431 for some history. Back then we tried to solve this by only showing the *origin* part of the domain. We pulled this in bug 1268753 again. But this might still be a suitable approach for custom tabs - where we do not necessarily want to show the full URL/domain.

Also see bug 1271998 for a proposal to make this less problematic in Fennec.
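The difference between ellipsizing the full URL at the end and showing only the origin, truncated from the start, is sketched below. This is an added example, not part of the comment above and not Fennec code; the class name, method names and the toolbar width of 39 characters are assumptions, and the sample URL is constructed from the host name in comment 2.

```java
import java.net.URI;

// Added illustration, not Fennec code. Class and method names are hypothetical.
public class UrlBarDisplay {
    // End-ellipsis: keeps the first `max` characters, the part the page author controls.
    static String ellipsizeEnd(String text, int max) {
        return text.length() <= max ? text : text.substring(0, max - 1) + "\u2026";
    }

    // Start-ellipsis: keeps the last `max` characters, i.e. the end of the host name.
    static String ellipsizeStart(String text, int max) {
        return text.length() <= max
                ? text
                : "\u2026" + text.substring(text.length() - (max - 1));
    }

    // Reduce a URL to scheme://host[:port], dropping userinfo, path, query and fragment.
    static String originOf(String url) {
        URI uri = URI.create(url);
        String host = uri.getHost();
        if (uri.getScheme() == null || host == null) {
            throw new IllegalArgumentException("no scheme or host in: " + url);
        }
        String origin = uri.getScheme().toLowerCase() + "://" + host.toLowerCase();
        return uri.getPort() == -1 ? origin : origin + ":" + uri.getPort();
    }

    // Text for the toolbar: origin only, cut from the left when it does not fit.
    static String displayText(String url, int max) {
        return ellipsizeStart(originOf(url), max);
    }

    public static void main(String[] args) {
        // Constructed sample input, using the host name pattern from comment 2.
        String url =
            "https://wwwwwwwwwwwwwwwwwww.google.com.evil-site.com/account/login?next=%2F";
        int width = 39; // assumed number of characters that fit in the toolbar

        // The visible text ends inside the attacker-chosen subdomain labels.
        System.out.println("full URL, end-ellipsis : " + ellipsizeEnd(url, width));
        // The visible text ends with the real site's domain.
        System.out.println("origin, start-ellipsis : " + displayText(url, width));
    }
}
```

Start-ellipsis only guarantees that the end of the host name stays on screen; visually emphasizing the registrable domain within it additionally needs a Public Suffix List lookup.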
[triage] P2 as not a sec-high issue.
Priority: -- → P2
Tried to wrap the textview in a HorizontalScrollView; likely it is close to the proposal. This attachment is running on Android 4.4.4 CyanogenMod.
This is likely the older implementation. Does it still apply to the 57 implementation? On a quick test, things look fine to me.
[triage] Potential spoofing so potentially critical - I'd suggest we consider Sebastian's approaches, in particular just showing the origin.
Assignee: walkingice0204 → nobody
Priority: P2 → P1