Mozilla Firefox Android: Incorrect URL Eliding in Mozilla Firefox Android
Categories
(Firefox :: Security, defect)
People
(Reporter: yacine.moussaoui.m, Unassigned)
Details
(Keywords: csectype-spoof, reporter-external, Whiteboard: [client-bounty-form])
Attachments
(1 file: 66.52 KB, application/x-compressed)
Reference: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/url_display_guidelines/url_display_guidelines.md#simplify
Summary:
In accordance with standard security guidelines followed by most browsers, URLs should be elided from the front when displayed in the user interface. This prevents URL spoofing and reduces confusion for users by emphasizing the actual domain name, especially when long domains or subdomains are used.
While Mozilla Firefox on desktop (Windows) correctly implements this behavior, the Android version (v130.0.1) does not. This can lead to potential URL confusion, as the main domain is not shown on Android when the URL is too long, whereas in other browsers like Chrome, the URL is properly elided.
Products affected:
Firefox for Android: 130.0.1
Steps To Reproduce:
1- Open https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/ in Firefox Browser (Android)
2- Notice that the long URL is not elided from the front properly (the registrable domain is not shown) on Android, which might lead to URL confusion for users; other famous browsers, such as Chrome, have properly elided this same URL (refer to the POC images in the attachment files)
Impact:
The failure to elide long URLs on Firefox for Android will cause confusion and increase the risk of URL spoofing.
Similar reports
https://hackerone.com/reports/2501378
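The behaviour the report asks for, shown next to the end-truncation it describes, as an added example (not code from the report, from Firefox, or from Chromium). The function names and the three-entry suffix set are assumptions made for illustration; a real implementation would consult the full Public Suffix List.

```javascript
// Constructed, minimal suffix set (assumption); real code needs the full Public Suffix List.
const SAMPLE_SUFFIXES = new Set(["com", "org", "co.uk"]);
const ELLIPSIS = "\u2026";

// Registrable domain (eTLD+1) of a hostname, or null if the suffix is unknown.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  // Scanning from the left finds the longest matching suffix first.
  for (let i = 0; i < labels.length; i++) {
    if (SAMPLE_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Weak form: cut the end of the host, which hides the registrable domain.
function elideFromEnd(urlString, maxChars) {
  const host = new URL(urlString).hostname;
  if (host.length <= maxChars) return host;
  return host.slice(0, maxChars - 1) + ELLIPSIS;
}

// Corrected form: cut the front of the host and never cut into the
// registrable domain, even if that means exceeding maxChars.
function elideFromFront(urlString, maxChars) {
  const host = new URL(urlString).hostname;
  if (host.length <= maxChars) return host;
  // With an unknown suffix, treat the whole host as security-relevant.
  const base = registrableDomain(host) ?? host;
  const keep = Math.max(maxChars - 1, base.length);
  if (keep >= host.length) return host;
  return ELLIPSIS + host.slice(host.length - keep);
}

// URL taken from the report's reproduction steps.
const REPORT_URL =
  "https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/";

console.log(elideFromEnd(REPORT_URL, 24));   // registrable domain is lost
console.log(elideFromFront(REPORT_URL, 24)); // registrable domain stays visible
```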