Open Bug 1629684 Opened 4 years ago Updated 8 months ago

URL spoofing using 'very-long-hostname' URL

Categories

(Firefox :: Address Bar, defect, P3)

74 Branch
defect
Points:
3


People

(Reporter: rayyanh12, Unassigned)

References

Details

(Keywords: csectype-spoof, sec-low)

Attachments

(2 files)

Attached image URL spoofing.jpg

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36

Steps to reproduce:

Copy and paste this URL:

https://google.com.mail.accounts.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.fake.attack.com/

Actual results:

The first part of the URL, i.e. the subdomains, is shown, hiding the real domain.

Expected results:

attack.com should be shown.

Component: Untriaged → Address Bar

We've got other bugs somewhere on this or things like this (especially on mobile where space is more limited). One proposal is to do what Safari does and not show the URL at all, just show the hostname and lock. Then it's easy to elide from the "front" (though still sometimes problematic in RTL scripts).
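The contrast between the two elision directions, as an added example that is not Firefox code or part of this bug: a hostname built in the same shape as the reported one is trimmed once from the end (what the report observed) and once from the front (the direction proposed above), and each result is checked for whether the registrable domain is still visible. The `KNOWN_SUFFIXES` table is a tiny constructed stand-in for the Public Suffix List, and the character budget `maxChars` is an assumption standing in for the pixel width a real address bar would measure.

```javascript
// Added example (not Firefox code): shows why a hostname must be elided from
// the front, not the end, for the registrable domain to stay visible.
// KNOWN_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
const KNOWN_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Hostname constructed in the same shape as the one in the report.
const REPORTED_HOST =
  "google.com.mail.accounts." + "fake.".repeat(31) + "attack.com";

// Return the registrable domain (eTLD+1) of a hostname, or null if no known
// public suffix matches. Longer suffixes are tried first, so "co.uk" beats "uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (KNOWN_SUFFIXES.has(suffix)) {
      return labels.slice(i).join(".");
    }
  }
  return null;
}

// What the report observed: keep the leading characters and cut the tail,
// so attacker-chosen subdomains fill the bar and attack.com disappears.
function elideFromEnd(hostname, maxChars) {
  if (hostname.length <= maxChars) return hostname;
  return hostname.slice(0, maxChars - 1) + "\u2026";
}

// The proposed direction: keep whole trailing labels that fit after a leading
// ellipsis, so the rightmost (registrable) part of the host survives.
function elideFromFront(hostname, maxChars) {
  if (hostname.length <= maxChars) return hostname;
  const labels = hostname.split(".");
  let kept = "";
  for (let i = labels.length - 1; i >= 0; i--) {
    const candidate = kept === "" ? labels[i] : labels[i] + "." + kept;
    if (candidate.length + 1 > maxChars) break; // +1 for the ellipsis
    kept = candidate;
  }
  if (kept === "") {
    // Even the last label does not fit: fall back to a raw character cut.
    return "\u2026" + hostname.slice(hostname.length - (maxChars - 1));
  }
  return "\u2026" + kept;
}

// The check that matters for spoofing: does the displayed string still end
// with the real registrable domain?
function showsRegistrableDomain(displayed, hostname) {
  const rd = registrableDomain(hostname);
  return rd !== null && displayed.endsWith(rd);
}

for (const [name, fn] of [["end", elideFromEnd], ["front", elideFromFront]]) {
  const shown = fn(REPORTED_HOST, 20);
  console.log(`${name}: ${shown} -> shows attack.com? ${showsRegistrableDomain(shown, REPORTED_HOST)}`);
}
```

With a 20-character budget the end-elided form reads `google.com.mail.acc…` and the front-elided form reads `…fake.attack.com`; only the latter passes the check. A real implementation would consult the full Public Suffix List rather than the four-entry table here, and, as noted in the comment above, front elision still needs care with right-to-left scripts, where the visual order of labels does not match the logical order.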

Attached image firefox iOS.jpg
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Just in case, for you to notice that there's a case for Desktop too. A fix for iOS should be on a priority basis as Chrome has already fixed that.

Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Severity: normal → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3

This should not have been marked a duplicate of the iOS bug. It's the same idea, but the implementation of the browser UI and the people working on them are completely separate. Fixing one does not fix the other so they are not duplicates. (In contrast, a rendering bug on Desktop and our Android browser might be duplicates since such a bug is likely in the shared Gecko engine.)

Points: --- → 3
Group: firefox-core-security
See Also: → 1670725