This is courtesy of the IPV4 and URL specs, where
new URL("http://1.1.1/") behaves this way (ie the
.href of that URL is
http://184.108.40.206/) - the same thing happens in Chrome with the URL constructor.
It looks like the choice for the address bar was a deliberate decision in bug 1067168, where Olli and I preferred this (standardized) behaviour over the suggestion that users would typo things like this and expect a search. At the time, Chrome also loaded an IP address (cf. bug 1067168 comment 11). It seems Chrome has changed their approach since then.
(In reply to paratripper from comment #0)
http://101.78.146 will go to IP address 220.127.116.11 which has been previously listed as a malicious IP
FWIW, I don't see a safebrowsing warning for either the partial or full IP.
In any case, I don't see why this is a security issue. If an attacker convinces a user to type an IP address in the location bar, they might as well tell the user to put in the full 4 groups of octets. Am I missing something? Why do you think Firefox's behaviour is a security vulnerability?
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Navigation
Product: Firefox → Core