Closed Bug 1519691 Opened 2 years ago Closed 2 years ago

Tab title does not change when calling location.replace, for pages opened in new tab

Categories

(Firefox :: Tabbed Browser, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1401091
Tracking Status
firefox64 --- wontfix
firefox65 --- fix-optional
firefox66 --- affected

People

(Reporter: yigitcnyilmaz, Unassigned)

References

(Depends on 1 open bug)

Details

(Keywords: csectype-spoof, sec-low)

Attachments

(2 files)

Attached video firefoxSpoof.mp4

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Steps to reproduce:

1- Open this webpage : http://yigittestman.000webhostapp.com/spf
2- Open link in new tab
3- Click "clickme"

Tested on 64.0.2 (64 bit)

Steps to reproduce video:
firefoxSpoof.mp4

Actual results:

Firefox URL Spoofing in Omnibox. Firefox show url as http://ടഠ.com
If you look at the Tab title, tab title showing as other table title (https://i.hizliresim.com/26jA6v.png)

Expected results:

firefox should be show url as http://xn--lwcc.com

This doesn't seem to be a bug to me. Note you don't need the STR above - just loading http://xn--lwcc.com in Firefox, and Firefox will display http://ടഠ.com. As far as I know, this is in line with our IDN policy[1] which boils down to if your URL doesn't mix scripts and doesn't use blacklisted characters, we will display the internationalised domain name. In your URL, both characters (U+0D1F and U+0D20) are from the Malayalam script, so we treat it as a valid IDN domain name.

As such I don't think this is a bug.

[1] https://wiki.mozilla.org/IDN_Display_Algorithm

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID

Hello,
Thank you for your answer. Please a look at the picture(https://i.hizliresim.com/26jA6v.png) . Please look at the tab title. You can see different tab title. tab title should be seen as "ടഠ.com" .

Flags: needinfo?(ptheriault)
Attached image Capture.PNG
Flags: needinfo?(ptheriault)

That picture isn't accessible, re-opening to verify.
Attached in the previous comment is what I see when following the STR.

So I think the point you are making is that the tab title is xisigr.com.... where as the URL is ടഠ.com.
Is that your concern here?

FWIW, I think the page has complete control of the tab title (can someone confirm?) , but if we are showing the wrong URL by default that might be a bug.

Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---

Yes, that's what i mean. This is an example of a spoof. This problem should be fixed. Will you work on this?

Best Regards,
Yiğit

Flags: needinfo?(ptheriault)

(In reply to Paul Theriault [:pauljt] from comment #4)

So I think the point you are making is that the tab title is xisigr.com.... where as the URL is ടഠ.com.
Is that your concern here?

FWIW, I think the page has complete control of the tab title (can someone confirm?) , but if we are showing the wrong URL by default that might be a bug.

Yes, the tab title is fully under the control of the page (<title></title> or through the DOM).

Group: firefox-core-security
Component: Untriaged → Address Bar
Depends on: 1332714
Summary: Firefox Omnibox Spoof → Firefox Omnibox Spoof with whole-script Malayim characters

This Bug ID is public. Please hide

(In reply to Yiğit Can YILMAZ from comment #6)

Yes, that's what i mean. This is an example of a spoof. This problem should be fixed. Will you work on this?

Best Regards,
Yiğit

(In reply to Yiğit Can YILMAZ from comment #6)

Ah OK I see the bug here. It turns out that if you call location.replace() for on a page which been opened in a new tab, we don't set the title correctly. This is not a security issue, as the title is not trusted - any page can set the title to anything it wants, but note the PoC reported in comment 0 does not actively set the title.

Alternate STR:

  1. Open http://cats.misuse.co/link.html
  2. Middle-click link to open http://dogs.misuse.co/replace.html
  3. Click "go" which calls location.replace('http://misuse.co')

Result:
Title of the second window remains as http://dogs.misuse.co/replace.html

Expected:
The title should update? Note that if you don't "open in new tab" in step 2, the title changes as expected.

I'm not sure what the correct behavior is but not changing seems like a bug. It's not a security bug though, as the tab title is not trusted security data - the web page can set it to whatever it wants, without any trickery.

Moving component to try to get some eyes on this.

Status: REOPENED → RESOLVED
Closed: 2 years ago2 years ago
Component: Address Bar → Tabbed Browser
Flags: needinfo?(ptheriault)
Resolution: --- → INVALID
Summary: Firefox Omnibox Spoof with whole-script Malayim characters → Tab title does not change when calling location.replace, for pages opened in new tab

Didnt mean to close

Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Status: REOPENED → RESOLVED
Closed: 2 years ago2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1401091
You need to log in before you can comment on or make changes to this bug.