Address bar, security windows show origin elided insecurely, allows URL spoofing
Categories: Focus :: General, defect, P3
Tracking: Not tracked
People: Reporter: bugzilla-mozilla, Unassigned
Details: Keywords: csectype-spoof, sec-low
Attachments: 8 files
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Steps to reproduce:
This report is for Firefox Desktop, Firefox for Android, and Firefox Focus for Android.
In all of the above, the address bar shows the beginning of the origin in the address bar. When a long origin is used, this can lead to origin spoofing.
In Firefox Focus, this is particularly bad since tapping the security indicator still does not show the full origin or the end of the origin.
In Firefox for Desktop and Firefox for Android, tapping the security indicator will show the full origin correctly.
In Firefox for Desktop, focusing the address bar keeps showing the beginning of the origin (unsafe).
In Firefox for Android and Firefox Focus for Android, focusing the address bar will show the end of the URL (unsafe). This is unsafe since a long path can also obscure the end of the origin.
This may be a partial duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1598175 (Firefox for Desktop) and https://github.com/mozilla-mobile/fenix/issues/6762 (Firefox for Android). I wasn't able to find a public report for Firefox Focus.
This was discovered/discussed publicly on Twitter: https://twitter.com/AlesandroOrtizR/status/1438675521555025922
- Go to https://badssl.com
- Navigate to any of their long origin examples
- Observe address bar and tap security indicator
Actual results:
Address bar in...
Firefox Desktop, Firefox for Android, and Firefox Focus for Android: Shows beginning of origin (https://subdomain...) (unsafe)
When tapping security indicator in...
Firefox Desktop and Firefox for Android: Full origin is shown (safe)
Firefox Focus for Android: Beginning of origin is shown (unsafe)
When focusing address bar in...
Firefox Desktop: Beginning of origin is shown (unsafe)
Firefox for Android and Firefox Focus for Android: End of URL is shown (unsafe because long path can also hide origin)
Expected results:
Address bar in...
All identified products: Shows end of origin (https://...badssl.com)
When tapping security indicator in...
All identified products: Full origin is shown; if elision is needed, show end of origin
When focusing address bar in...
All identified products: End of origin is shown (note: not end of URL)
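The three renderings compared in the results above, as an added example that is not code from the bug report or from Firefox: the two elisions the report marks unsafe beside the "end of origin" rendering it asks for, plus a check for whether the end of the origin is still readable. It uses only the WHATWG URL API; the sample URLs and the last-two-labels approximation of the registrable domain are assumptions of the example.

```javascript
// Added example, not code from the bug report or from Firefox: it contrasts the
// two elisions the report marks unsafe with the "end of origin" rendering it asks
// for. Uses only the WHATWG URL API; the sample URLs below are constructed.
const ELLIPSIS = "\u2026";

// Unsafe: keep the beginning of the URL (what the address bar did).
function elideStart(url, maxChars) {
  return url.length <= maxChars ? url : url.slice(0, maxChars - 1) + ELLIPSIS;
}

// Unsafe: keep the end of the URL (what the focused mobile bar did); a long
// path pushes the host out of view entirely.
function elideEnd(url, maxChars) {
  return url.length <= maxChars ? url : ELLIPSIS + url.slice(-(maxChars - 1));
}

// Expected: render the origin; if it does not fit, drop characters from the
// START of the host so the end of the origin survives. Path, query and
// fragment are appended only when the whole origin is already visible.
function elideOrigin(urlString, maxChars) {
  const u = new URL(urlString);
  const origin = `${u.protocol}//${u.host}`; // scheme + host[:port], no path
  if (origin.length > maxChars) {
    return ELLIPSIS + origin.slice(-(maxChars - 1));
  }
  const rest = u.pathname + u.search + u.hash;
  const room = maxChars - origin.length;
  if (rest.length <= room) return origin + rest;
  return room < 2 ? origin : origin + rest.slice(0, room - 1) + ELLIPSIS;
}

// Does the rendered text let the user read the end of the origin? The last two
// host labels stand in for the registrable domain (no public-suffix list here,
// an assumption of this example). The match must be followed by end of string,
// a port, or the start of the path, so a cut such as "badssl.com.att…" fails.
function showsEndOfOrigin(rendered, urlString) {
  const host = new URL(urlString).host;
  const tail = host.split(".").slice(-2).join(".");
  const i = rendered.indexOf(tail);
  if (i < 0) return false;
  const after = rendered.slice(i + tail.length);
  return after === "" || /^[/:?#]/.test(after);
}

// Constructed sample in the spirit of badssl.com's long-subdomain pages.
const LONG_URL =
  "https://long-subdomain-name-containing-many-letters-and-dashes.badssl.com/account/settings?tab=security";
```

With a 30-character budget, `elideStart` and `elideEnd` both hide `badssl.com` for `LONG_URL`, while `elideOrigin` renders `…letters-and-dashes.badssl.com`.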
Reporter, Comment 9•3 years ago
Repro and attached screenshots from Firefox 92 on Windows 10, Firefox 92.1.1 on Android 11, and Firefox Focus 92.1.1 on Android 11.
Reporter, Comment 10•3 years ago
For reference, Chromium has URL guidelines on how to elide URLs safely: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/url_display_guidelines/url_display_guidelines.md#Eliding-URLs
This is also part of the URL Standard: https://url.spec.whatwg.org/#url-rendering-elision
Comment 11•3 years ago
This should be split into at least a desktop issue and a mobile issue. We may want to further break this into Fenix and Focus issues as they have separate address bars.
Comment 12•3 years ago
(In reply to Kevin Brosnan [:kbrosnan] from comment #11)
> This should be split into at least a desktop issue and a mobile issue. We may want to further break this into Fenix and Focus issues as they have separate address bars.
We already have a desktop issue (bug 1598175) and a fenix issue ( https://github.com/mozilla-mobile/fenix/issues/6762 ). I don't know about Focus.
Comment 13•3 years ago
Since we already have those other issues let's make this the "Focus" one.
These are known UI issues (e.g. we have ourselves contributed to badssl.com) so we don't need to hide this bug.
Comment 14•2 years ago
This bug will require guidance from UX design.