lock icon in URL leading to Spoof-able lock.
Categories
(Firefox :: Address Bar, defect, P1)
Tracking
()
People
(Reporter: rayyanh12, Assigned: mak)
References
Details
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36
Steps to reproduce:
Actual results:
lock icon shown as it.
Expected results:
lock icon should be encoded since Spoofing due to RTL Mishandling is really a messy area.
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 1•4 years ago
|
||
it looks like another case from the same root problem of weak domain, and likely another set of chars we may evaluate to not decode.
I seem to recall a quite old bug about these lock icons in the urlbar by memory, but bug search doesn't help me.
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 2•4 years ago
|
||
I think we already avoid those in idn domains, also see https://bugzilla.mozilla.org/show_bug.cgi?id=1629506#c3
Everything in 1F50F, 1F510, 1F512, 1F513 is confusable with a lock.
It's probably time we update the list of confusables in losslessDecodeURI as safety precaution, even if after the fix for bug 1623888 it will just be in the path.
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 3•4 years ago
|
||
Apart from locks: U+1F50F, U+1F510, U+1F512, U+1F513
I'd also evaluate adding shield, because of our UI: U+1F6E1
Additionally, comparing our list of ignorable chars in losslessDecodeURI with http://www.unicode.org/L2/L2002/02368-default-ignorable.pdf we are missing: 06DD, 070F, 180E, FFF9, FFFA, FFFB. I'd be prone to add them unless there's reasons not to.
Chrome additionally also considers ignorable these chars: 0600-0605, 08E2, 110BD, 110CD, 13430-13438, 1BCA0-1BCA3. I couldn't find a reference in unicode stating these should be ignored, thud I'd be prone to not add them for now.
Jonathan, wdyt?
Comment 4•4 years ago
|
||
U+06DD is a control that's supposed to combine specially with (Arabic) digits, but is unlikely to render well in any except specialized fonts. Trying to render it in a URL is probably not going to end well, so encoding it seems fine.
Similarly, U+070F needs special font handling, and without that, it may not render usefully.
U+180E is likely to be invisible; I see we already list U+180B..180D, so makes sense to include this as well.
I'm not sure anyone actually uses/supports U+FFF9..FFFB in any useful way.
So yes, I'd agree with encoding all these.
As for the Chrome additions: they seem to be all controls (category Cf) that would require advanced font support of some kind in order to render usefully. It's unlikely they'll work "correctly" in a default system UI font such as we expect to see in the URL bar, and they might fail to render at all if unsupported. So it's probably sensible to encode these as well, rather than just leaving it up to the system font to do whatever it can with them.
(Is it basically a case of encoding all characters with General Category = Cf?)
Assignee | ||
Comment 5•4 years ago
|
||
(In reply to Jonathan Kew (:jfkthame) from comment #4)
(Is it basically a case of encoding all characters with General Category = Cf?)
That's apparently what Chrome is doing, though we already made exceptions for U+200C and U+200D in the path per bug 582186.
Assignee | ||
Comment 6•4 years ago
|
||
Comment 7•4 years ago
|
||
I tried to make bug 1629506 into the general case, pointing out the lock-ish characters--and others!--in bug 1629506 comment 2 links to the Chrome list.
Assignee | ||
Comment 8•4 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #7)
I tried to make bug 1629506 into the general case, pointing out the lock-ish characters--and others!--in bug 1629506 comment 2 links to the Chrome list.
That is where I started investigating the general support, so thanks!
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Comment 9•4 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/554dcd35c9e0d2f43b8050415afb283da34dde8c
https://hg.mozilla.org/mozilla-central/rev/554dcd35c9e0
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Comment 11•4 years ago
|
||
I verified this issue using Fx 77.0b7, on Windows 10 x64, macOS 10.13.6 and Ubuntu 18.04 LTS,
Comment 12•4 years ago
|
||
Bounty combined with bug 1623888 since that's required to make this at all plausible.
Updated•3 years ago
|
Description
•