Closed
Bug 1391421
Opened 7 years ago
Closed 7 years ago
Fix unicode domain support regressions
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(fennec+, firefox55 unaffected, firefox56 unaffected, firefox57 verified)
VERIFIED
FIXED
Firefox 57
Tracking | Status | |
---|---|---|
fennec | + | --- |
firefox55 | --- | unaffected |
firefox56 | --- | unaffected |
firefox57 | --- | verified |
People
(Reporter: mcomella, Assigned: JanH)
References
Details
(Keywords: regression)
Attachments
(9 files, 1 obsolete file)
59 bytes,
text/x-review-board-request
|
esawin
:
review+
|
Details |
59 bytes,
text/x-review-board-request
|
baku
:
review+
|
Details |
59 bytes,
text/x-review-board-request
|
esawin
:
review+
jwu
:
review+
|
Details |
59 bytes,
text/x-review-board-request
|
mikedeboer
:
review+
|
Details |
59 bytes,
text/x-review-board-request
|
jwu
:
review+
|
Details |
59 bytes,
text/x-review-board-request
|
jwu
:
review+
|
Details |
59 bytes,
text/x-review-board-request
|
jwu
:
review+
|
Details |
59 bytes,
text/x-review-board-request
|
jwu
:
review+
|
Details |
59 bytes,
text/x-review-board-request
|
gbrown
:
review+
|
Details |
STR: 0) With photon fennec 1) visit http://faß.de Expected: url bar displays ^ Actual: url bar displays "xn--fa-hia.de" In Firefox Beta, this works as expected. We should consider adding some tests so this support doesn't regress again in the future.
Reporter | ||
Comment 1•7 years ago
|
||
This looks like it might be a change in gecko: see bug 1391422 comment 9 (that bug is for unicode domains appearing as punycode in top sites).
Comment 2•7 years ago
|
||
Hi Jing Wei Please help take a look. Thanks!
Reporter | ||
Comment 3•7 years ago
|
||
FYI: I'm trying to get help from snorp in bug 1391422 so unless someone here is already experienced with gecko, it may not be worth duplicating our efforts.
Comment 4•7 years ago
|
||
we should prioritize this one in 57.3, added to tomorrow's planning doc.
Flags: needinfo?(wehuang)
Reporter | ||
Comment 5•7 years ago
|
||
FYI: the related bug 1391422 is low priority against the other AS bugs so I've unassigned. This seems to have been caused by gecko changes and the next recommended step is to identify a regression window. Kevin, could someone determine a regression window on this bug? It might be related to the photon changes but it might not be (as determined in bug 1391422).
Flags: needinfo?(kbrosnan)
Keywords: regressionwindow-wanted
Updated•7 years ago
|
Whiteboard: [FNC][SPT57.3][BL]
Reporter | ||
Comment 6•7 years ago
|
||
Bogdan, if you don't have too much on your plate, could you determine the regression window from comment 5? It's related to AS (as bug 1391422) but it's the lowest possible priority to finish by the 57 merge so focus on other things first! :)
Flags: needinfo?(bogdan.surd)
Comment 7•7 years ago
|
||
Hello, Here is that regression-window: Last Known Good Build: 2017-08-09 First Known Bad Build: 2017-08-10 Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4c5fbf49376351679dcc49f4cff26c3c2e055ccc&tochange=4d54ac07b8c97f0e6713dab2ba694023b5b2f3b5
Flags: needinfo?(bogdan.surd)
Keywords: regressionwindow-wanted
Looks like this change was made intentionally as part of 1380617. I guess Firefox displays unicode by accessing uri.displaySpec instead of .spec. Jing Wei, you should be able to make a similar change in browser.js if you want similar behavior.
Reporter | ||
Updated•7 years ago
|
Flags: needinfo?(kbrosnan)
Reporter | ||
Comment 9•7 years ago
|
||
FYI: I'm not sure what the proper way to handle this is because bug 1397842 was filed and describes the case where: - www.аррӏе.com/ could be a scam site - www.apple.com/ is the real Apple but they look identical here and in the url bar on desktop. How do we do this on desktop and why? Is it the right approach? --- Affected/unaffected flags set based on the fact that bug 1380617, the regressing bug, landed in Firefox 57.
status-firefox56:
--- → unaffected
status-firefox57:
--- → affected
See Also: → 1397842
Summary: Photon url bar has regressed support for unicode domains → URL bar has regressed support for unicode domains
Reporter | ||
Comment 10•7 years ago
|
||
(In reply to Michael Comella (:mcomella) from comment #9) > but they look identical here and in the url bar on desktop. How do we do > this on desktop and why? Is it the right approach? The scam apple.com links to a blog post about this issue [1], which links to bug 1332714 where it was discussed on desktop. The blog post quotes the bug: (In reply to Gervase Markham [:gerv] from bug 1332714 comment #5) > (In reply to Simon Montagu :smontagu from comment #4) > > https://www.аррӏе.com/ is an example of a whole-script homograph, which our > > IDN display code is not designed to protect against -- for example > > https://www.асе.com/ spoofs https://www.ace.com/ > > Indeed. Our IDN threat model specifically excludes whole-script homographs, > because they can't be detected programmatically and our "TLD whitelist" > approach didn't scale in the face of a large number of new TLDs. If you are > buying a domain in a registry which does not have proper anti-spoofing > protections (like .com), it is sadly the responsibility of domain owners to > check for whole-script homographs and register them. > > We can't go blacklisting standard Cyrillic letters. Which is unfortunate because end users are still vulnerable. I wonder if we can do better here? [1]: https://www.xudongz.com/blog/2017/idn-phishing/
Comment 12•7 years ago
|
||
Joe, I think we'll need a direction from Product for this. Should we 1. simply fix this bug mentioned in comment 0 with the concern pointed out by comment 9, which is the same as Desktop's today? 2. have overall design including UX consideration to lower the risk of Phishing URL. (maybe need to align w/ Desktop's solution, once they have) Maybe to adapt (1) for now, and monitoring 1332714 to make a mobile-version solution in the future?
Flags: needinfo?(jcheng)
Comment 13•7 years ago
|
||
agree with your assessment on comment 12 but let's make sure we have a follow up bug to track point #2
Flags: needinfo?(jcheng)
Comment hidden (mozreview-request) |
Comment 15•7 years ago
|
||
The patch only converts the URL content from ASCII Compatible Encoding (ACE) to Unicode, and the idea is based on 2 factors: 1. I would like to keep the patch as simple as possible because we might need some visual redesign on URL bar in near future to prevent IDN Phishing discussed in bug 1332714. 2. I'm not familiar with the logic in browser.js, I don't know if there is any side effect from replacing `uri.spec` with `uri.displaySpec`.
Flags: needinfo?(topwu.tw)
Assignee | ||
Comment 16•7 years ago
|
||
mozreview-review |
Comment on attachment 8907438 [details] Bug 1391421 - Translates URL from ASCII Compatible Encoding (ACE) to Unicode. https://reviewboard.mozilla.org/r/179130/#review184254 There are more places where we're handling URLs than just the URL bar. Won't this mean that e.g. we're now still storing punycode domains into our history/bookmarks/... DB tables, whereas previously we stored the Unicode URL? This also e.g. leaves our "Switch to tab" functionality broken. I haven't looked how that works, but it probably takes the URL bar user input as it and then searches through all open tabs, which won't work if those store their URL as Punycode. As a quick fix, I think we should rather override ["network.standard-url.punycode-host"](https://dxr.mozilla.org/mozilla-central/rev/f9a5e9ed62103c84e4cde915f4d08f1ce71be83e/modules/libpref/init/all.js#2102) to `false` to restore the previous behaviour for now and then think this through carefully which places need the `spec` and which ones the `displaySpec`
Attachment #8907438 -
Flags: review-
Comment 17•7 years ago
|
||
(In reply to Jan Henning [:JanH] from comment #16) > Comment on attachment 8907438 [details] > Bug 1391421 - Translates URL from ASCII Compatible Encoding (ACE) to Unicode. > > https://reviewboard.mozilla.org/r/179130/#review184254 > > There are more places where we're handling URLs than just the URL bar. > Won't this mean that e.g. we're now still storing punycode domains into our > history/bookmarks/... DB tables, whereas previously we stored the Unicode > URL? > This also e.g. leaves our "Switch to tab" functionality broken. I haven't > looked how that works, but it probably takes the URL bar user input as it > and then searches through all open tabs, which won't work if those store > their URL as Punycode. > > As a quick fix, I think we should rather override > ["network.standard-url.punycode-host"](https://dxr.mozilla.org/mozilla- > central/rev/f9a5e9ed62103c84e4cde915f4d08f1ce71be83e/modules/libpref/init/ > all.js#2102) to `false` to restore the previous behaviour for now and then > think this through carefully which places need the `spec` and which ones the > `displaySpec` This behaviour is web-observable. Flipping the pref would mean Firefox on desktop and android behave differently. That doesn't seem desirable to me... See also bug 1380617 where we fixed the desktop UI to deal with this.
Comment 18•7 years ago
|
||
Actually, the regression started when we flipped the pref in bug 1380617. (In reply to Jan Henning [:JanH] from comment #16) > As a quick fix, I think we should rather override > ["network.standard-url.punycode-host"](https://dxr.mozilla.org/mozilla- > central/rev/f9a5e9ed62103c84e4cde915f4d08f1ce71be83e/modules/libpref/init/ > all.js#2102) to `false` to restore the previous behaviour for now and then > think this through carefully which places need the `spec` and which ones the > `displaySpec` This would negate the web-compat benefits we get from bug 1380617. The correct fix would be to use displaySpec. I also suggest adding unit tests to make sure we don't regress this.
Updated•7 years ago
|
Assignee | ||
Comment 19•7 years ago
|
||
(In reply to :Gijs from comment #17) > This behaviour is web-observable. Flipping the pref would mean Firefox on > desktop and android behave differently. That doesn't seem desirable to me... > See also bug 1380617 where we fixed the desktop UI to deal with this. Yes, I didn't mean that as a long-term solution, just that if we absolutely want a super-quick fix for our UI, temporarily flipping that pref back for mobile for one release is in my opinion still better than an incomplete workaround in our Java UI code. But if we can get the spec/displaySpec situation sorted out in our JS code in time for 57 then that's of course the better solution.
Comment 20•7 years ago
|
||
mozreview-review |
Comment on attachment 8907438 [details] Bug 1391421 - Translates URL from ASCII Compatible Encoding (ACE) to Unicode. https://reviewboard.mozilla.org/r/179130/#review184276
Attachment #8907438 -
Flags: review?(cnevinchen) → review+
Comment 21•7 years ago
|
||
mozreview-review |
Comment on attachment 8907438 [details] Bug 1391421 - Translates URL from ASCII Compatible Encoding (ACE) to Unicode. https://reviewboard.mozilla.org/r/179130/#review184278
Attachment #8907438 -
Flags: review+
Updated•7 years ago
|
Attachment #8907438 -
Flags: review?(s.kaspari)
Assignee | ||
Comment 22•7 years ago
|
||
Stealing this from you - I need to check one or two edge cases, but other than that, I've looked through our usage of uri.spec
Assignee: topwu.tw → jh+bugzilla
Updated•7 years ago
|
Attachment #8907438 -
Attachment is obsolete: true
Assignee | ||
Comment 23•7 years ago
|
||
(In reply to Jan Henning [:JanH] from comment #22) > I need to check one or two edge cases Such a statement is of course tempting fate, because after actually building and running my initial patch, a number of additional locations where Punycode usage or not matters have promptly come up. But I'm working my way through them...
Summary: URL bar has regressed support for unicode domains → Fix unicode domain support regressions
Version: unspecified → 57 Branch
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment 33•7 years ago
|
||
mozreview-review |
Comment on attachment 8909414 [details] Bug 1391421 - Part 1 - Switch nsAndroidHistory to Unicode domains. https://reviewboard.mozilla.org/r/180576/#review186108
Attachment #8909414 -
Flags: review?(esawin) → review+
Comment 34•7 years ago
|
||
mozreview-review |
Comment on attachment 8909416 [details] Bug 1391421 - Part 3 - Switch various places that can end up being user-visible to use Unicode domains. https://reviewboard.mozilla.org/r/180590/#review186116 LGTM, although I'm missing some context here, what are the remaining use cases for .spec? ::: mobile/android/chrome/content/browser.js:3586 (Diff revision 1) > // Only set tab uri if uri is valid > let uri = null; > + let uriSpec = null; > let title = aParams.title || aURL; > try { > - uri = Services.io.newURI(aURL).spec; > + uri = Services.io.newURI(aURL); Do we need uri and uriSpec? Why adding the new variable?
Attachment #8909416 -
Flags: review?(esawin) → review+
Assignee | ||
Comment 35•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8909416 [details] Bug 1391421 - Part 3 - Switch various places that can end up being user-visible to use Unicode domains. https://reviewboard.mozilla.org/r/180590/#review186116 > Do we need uri and uriSpec? Why adding the new variable? Hmm yes, that probably only makes sense in conjunction with [Part 5](https://reviewboard.mozilla.org/r/180586/diff/1#index_header). Although that in turn is debatable as well, since I guess I could equally settle on normalising the stored appOrigin as Unicode (i.e. with displaySpec). Since that would be the only use of spec here (and therefore the only reason to keep the parsed Uri around), I guess I should change that bit, too.
Assignee | ||
Comment 36•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8909416 [details] Bug 1391421 - Part 3 - Switch various places that can end up being user-visible to use Unicode domains. https://reviewboard.mozilla.org/r/180590/#review186116 I guess either if you explicitly want Punycode, or else probably mostly a case of not touching things if not necessary because - as far as I could tell - they don't end up in the UI, because we're e.g. just getting the spec to check whether it looks like a reader-mode url, starts with "about:", etc., or we're just taking the hosts of two URIs and comparing them with each other and things like that.
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment 44•7 years ago
|
||
mozreview-review |
Comment on attachment 8909415 [details] Bug 1391421 - Part 2 - Make script dialogues use the Unicode domain as title. https://reviewboard.mozilla.org/r/180578/#review186210
Attachment #8909415 -
Flags: review?(amarchesini) → review+
Comment 45•7 years ago
|
||
mozreview-review |
Comment on attachment 8909416 [details] Bug 1391421 - Part 3 - Switch various places that can end up being user-visible to use Unicode domains. https://reviewboard.mozilla.org/r/180590/#review186294
Attachment #8909416 -
Flags: review?(topwu.tw) → review+
Comment 46•7 years ago
|
||
mozreview-review |
Comment on attachment 8909418 [details] Bug 1391421 - Part 5 - Normalise the saved "appOrigin" to Unicode. https://reviewboard.mozilla.org/r/180586/#review186304
Attachment #8909418 -
Flags: review?(topwu.tw) → review+
Comment 47•7 years ago
|
||
mozreview-review |
Comment on attachment 8909419 [details] Bug 1391421 - Part 6 - Switch context menus to Unicode domains. https://reviewboard.mozilla.org/r/180588/#review186306
Attachment #8909419 -
Flags: review?(topwu.tw) → review+
Comment 48•7 years ago
|
||
mozreview-review |
Comment on attachment 8909420 [details] Bug 1391421 - Part 7 - Switch addon/theme install prompts to Unicode domains. https://reviewboard.mozilla.org/r/180594/#review186308
Attachment #8909420 -
Flags: review?(topwu.tw) → review+
Comment 49•7 years ago
|
||
mozreview-review |
Comment on attachment 8909421 [details] Bug 1391421 - Part 8 - Fix site identity handling. https://reviewboard.mozilla.org/r/180596/#review186310
Attachment #8909421 -
Flags: review?(topwu.tw) → review+
Comment 50•7 years ago
|
||
mozreview-review |
Comment on attachment 8909417 [details] Bug 1391421 - Part 4 - Switch Session Store to save the "display" URL. https://reviewboard.mozilla.org/r/180580/#review186470
Attachment #8909417 -
Flags: review?(mdeboer) → review+
Updated•7 years ago
|
Whiteboard: [FNC][SPT57.3][BL]
Comment 51•7 years ago
|
||
mozreview-review |
Comment on attachment 8909422 [details] Bug 1391421 - Part 9 - Add a basic Robocop test for IDN domain support. https://reviewboard.mozilla.org/r/180598/#review187154 ::: mobile/android/tests/browser/robocop/src/org/mozilla/gecko/tests/testIdnSupport.java:10 (Diff revision 2) > + > +public class testIdnSupport extends UITest { > + public void testToolbarIdnSupport() { > + GeckoHelper.blockForReady(); > + > + mBaseHostnameUrl = "http://exämple.test/tests"; Won't this hit the non-local-connections assertion when run in automation? Do you have results from try?
Comment 52•7 years ago
|
||
(In reply to Geoff Brown [:gbrown] from comment #51) > Comment on attachment 8909422 [details] > Bug 1391421 - Part 9 - Add a basic Robocop test for IDN domain support. > > https://reviewboard.mozilla.org/r/180598/#review187154 > > ::: > mobile/android/tests/browser/robocop/src/org/mozilla/gecko/tests/ > testIdnSupport.java:10 > (Diff revision 2) > > + > > +public class testIdnSupport extends UITest { > > + public void testToolbarIdnSupport() { > > + GeckoHelper.blockForReady(); > > + > > + mBaseHostnameUrl = "http://exämple.test/tests"; > > Won't this hit the non-local-connections assertion when run in automation? exämple.test should be OK http://searchfox.org/mozilla-central/rev/d08b24e613cac8c9c5a4131452459241010701e0/build/pgo/server-locations.txt#135
Comment 53•7 years ago
|
||
mozreview-review |
Comment on attachment 8909422 [details] Bug 1391421 - Part 9 - Add a basic Robocop test for IDN domain support. https://reviewboard.mozilla.org/r/180598/#review187178 ::: mobile/android/tests/browser/robocop/src/org/mozilla/gecko/tests/testIdnSupport.java:10 (Diff revision 2) > + > +public class testIdnSupport extends UITest { > + public void testToolbarIdnSupport() { > + GeckoHelper.blockForReady(); > + > + mBaseHostnameUrl = "http://exämple.test/tests"; From irc: <JanH|mobile> gbrown: I've picked the names from there [list of allowed server aliases], and yes, it works on Try
Attachment #8909422 -
Flags: review?(gbrown) → review+
Comment 54•7 years ago
|
||
Pushed by mozilla@buttercookie.de: https://hg.mozilla.org/integration/autoland/rev/c9bfc364426e Part 1 - Switch nsAndroidHistory to Unicode domains. r=esawin https://hg.mozilla.org/integration/autoland/rev/2394625be483 Part 2 - Make script dialogues use the Unicode domain as title. r=baku https://hg.mozilla.org/integration/autoland/rev/458c41e00670 Part 3 - Switch various places that can end up being user-visible to use Unicode domains. r=esawin,jwu https://hg.mozilla.org/integration/autoland/rev/89aa265c6be9 Part 4 - Switch Session Store to save the "display" URL. r=mikedeboer https://hg.mozilla.org/integration/autoland/rev/0f3603bb2045 Part 5 - Normalise the saved "appOrigin" to Unicode. r=jwu https://hg.mozilla.org/integration/autoland/rev/7707e5ec573c Part 6 - Switch context menus to Unicode domains. r=jwu https://hg.mozilla.org/integration/autoland/rev/77084cd51869 Part 7 - Switch addon/theme install prompts to Unicode domains. r=jwu https://hg.mozilla.org/integration/autoland/rev/3cb0b289475c Part 8 - Fix site identity handling. r=jwu https://hg.mozilla.org/integration/autoland/rev/65537efd1f72 Part 9 - Add a basic Robocop test for IDN domain support. r=gbrown
Comment 55•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/c9bfc364426e https://hg.mozilla.org/mozilla-central/rev/2394625be483 https://hg.mozilla.org/mozilla-central/rev/458c41e00670 https://hg.mozilla.org/mozilla-central/rev/89aa265c6be9 https://hg.mozilla.org/mozilla-central/rev/0f3603bb2045 https://hg.mozilla.org/mozilla-central/rev/7707e5ec573c https://hg.mozilla.org/mozilla-central/rev/77084cd51869 https://hg.mozilla.org/mozilla-central/rev/3cb0b289475c https://hg.mozilla.org/mozilla-central/rev/65537efd1f72
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 57
Updated•7 years ago
|
status-firefox55:
--- → unaffected
Comment 56•7 years ago
|
||
Verified in 57.0b3 the url bar displays http://faß.de.
Status: RESOLVED → VERIFIED
Updated•3 years ago
|
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•