URL spoofing using 'very-long-hostname' URL
Categories
(Firefox :: Address Bar, defect, P3)
People
(Reporter: rayyanh12, Unassigned)
Details
(Keywords: csectype-spoof, sec-low)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Steps to reproduce:
Copy and paste this URL:
Actual results:
attack.com should be shown
Expected results:
First part of the URL, i.e. subdomains, are shown hiding the real domain.
Comment 1•4 years ago
We've got other bugs somewhere on this or things like this (especially on mobile where space is more limited). One proposal is to do what Safari does and not show the URL at all, just show the hostname and lock. Then it's easy to elide from the "front" (though still sometimes problematic in RTL scripts).
Just in case for you to notice that there's a case for Desktop too. Fixture for iOS should be on priority basis as Chrome has already fixed that.
Comment 5•4 years ago
This should not have been marked a duplicate of the iOS bug. It's the same idea, but the implementation of the browser UI and the people working on them are completely separate. Fixing one does not fix the other so they are not duplicates. (In contrast, a rendering bug on Desktop and our Android browser might be duplicates since such a bug is likely in the shared Gecko engine.)
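An added sketch (not Firefox code and not posted by anyone in this bug) of the front elision proposed in Comment 1, next to the end truncation that hides the real domain. The function names, the tiny suffix set standing in for the Public Suffix List, and the sample hostname are assumptions constructed for illustration.

```javascript
// Assumption: SAMPLE_SUFFIXES stands in for the Public Suffix List, which a
// real address bar must consult to find the registrable domain (eTLD+1).
const SAMPLE_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain: the longest matching public suffix plus one label.
function registrableDomain(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SAMPLE_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return host; // unknown suffix: treat the whole host as the identity
}

// Behaviour reported in this bug: the start of the host is kept, so the
// attacker-chosen subdomains are shown and the real domain is cut off.
function elideEnd(host, width) {
  return host.length <= width ? host : host.slice(0, width - 1) + "…";
}

// Front elision: drop leading labels, never cut into the registrable domain
// (even if it is wider than the field), and snap to a label boundary.
function elideFront(host, width) {
  const domain = registrableDomain(host);
  const keep = Math.max(width - 1, domain.length);
  if (host.length <= width || keep >= host.length) return host;
  let start = host.length - keep;
  if (host[start - 1] !== ".") start = host.indexOf(".", start) + 1;
  return "…" + host.slice(start);
}

// Hostname-only label for a URL, rendered both ways for comparison.
function addressBarLabel(url, width) {
  const host = new URL(url).hostname;
  return { endElided: elideEnd(host, width), frontElided: elideFront(host, width) };
}

// Constructed sample: a long chain of subdomains in front of attack.com.
const SAMPLE_URL =
  "https://accounts.example.org.login.session.verify.secure.attack.com/signin";
console.log(addressBarLabel(SAMPLE_URL, 27));
```

As Comment 1 notes, right-to-left scripts remain a harder case; this sketch handles only left-to-right ASCII hostnames.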