Incorrect domain and tld highlighting (urlbar.formatting)
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(firefox-esr60 wontfix, firefox-esr68 verified, firefox68 wontfix, firefox69 verified, firefox70 verified)
People
(Reporter: m8r-x3rq311, Assigned: JanH)
Details
(Whiteboard: [fennec68.1])
Attachments
(2 files)
13.82 KB,
image/png
|
Details | |
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr68+
|
Details | Review |
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Steps to reproduce:
Visit https://one.one.one.one/ on Android
Actual results:
The subdomains (The first 2 "one.one"'s) are highlighted as the domain and tld
Expected results:
The domain and tld (The last 2 "one.one"'s) should be highlighted
Comment 1•5 years ago
|
||
Does not need to be a security bug.
(In reply to Kevin Brosnan [:kbrosnan] from comment #1)
Does not need to be a security bug.
I (perhaps obviously) disagree as the intent of the feature is to prevent subdomain-style domain spoofing attacks - whereas this bug in the feature would actually highlight the domain being spoofed as the legitimate site(!)
Comment 3•5 years ago
|
||
This looks like a specific case of one site. Playing around with similar domains such as https://www.one.one or https://google.one.one are highlighted as expected.
Assignee | ||
Comment 4•5 years ago
|
||
Whoops, I guess https://dxr.mozilla.org/mozilla-central/rev/fd2778a2ce8ba1284cba867f4358f9fcaf795568/mobile/android/base/java/org/mozilla/gecko/toolbar/ToolbarDisplayLayout.java#335 actually needs to use lastIndexOf()
.
Comment 5•5 years ago
|
||
Reproducible also on 69.0a1 and 68 Fennec. I will set the flags to reflect the affected versions.
Tested with v41 (~2015) which was also affected. :sflorean did you mean to un-assign :JanH?
Comment 7•5 years ago
|
||
Sorry Jan, when I posted the comment I unassigned you. Thanks bugcon for the notice.
Assignee | ||
Comment 8•5 years ago
|
||
(In reply to Jan Henning [:JanH] from comment #4)
Whoops, I guess https://dxr.mozilla.org/mozilla-central/rev/fd2778a2ce8ba1284cba867f4358f9fcaf795568/mobile/android/base/java/org/mozilla/gecko/toolbar/ToolbarDisplayLayout.java#335 actually needs to use
lastIndexOf()
.
Actually not quite as simple, because otherwise we could mistakenly get matches in the path part of the domain.
Assignee | ||
Comment 9•5 years ago
|
||
Domain highlighting needs to find the last instance of the base domain within
the domain part of the URL. Otherwise, there's a chance we mistakenly highlight
(parts of) a subdomain if it matches the base domain, too.
Comment 10•5 years ago
|
||
Pushed by mozilla@buttercookie.de: https://hg.mozilla.org/integration/autoland/rev/67f71ec8a8a4 Fix erroneous base domain highlighting. r=VladBaicu
Assignee | ||
Comment 11•5 years ago
|
||
Comment on attachment 9076624 [details]
Bug 1563039 - Fix erroneous base domain highlighting. r?VladBaicu
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Bug fix for URL bar domain highlighting
- User impact if declined: If the base domain (eTLD + 1) appears within the subdomain as well, we mistakenly highlight (and scroll to) that part of the subdomain instead of the proper base domain.
- Fix Landed on Version: 70
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Only small change in the highlighting code required, so we correctly find the last appearance of the base domain inside the domain segment of the URL.
- String or UUID changes made by this patch: none
Comment 12•5 years ago
|
||
bugherder |
Updated•5 years ago
|
Updated•5 years ago
|
Comment 13•5 years ago
|
||
Comment on attachment 9076624 [details]
Bug 1563039 - Fix erroneous base domain highlighting. r?VladBaicu
Fixes erroneous domain highlighting, approved for Fennec 68.1b2 (and Beta too just to cover bases).
Comment 14•5 years ago
|
||
bugherder uplift |
Comment 15•5 years ago
|
||
bugherder uplift |
Comment 16•5 years ago
|
||
Verified as fixed on Nightly 70.0a1 (2019-07-18), Beta 69.0b6 and Beta ESR 68.1b2.
Devices:
- Motorola Moto G6 (Android 8);
- Samsung Galaxy S8 (Android 9);
- Google Pixel (Android Q).
Updated•5 years ago
|
Updated•3 years ago
|
Description
•