sometimes the search term persists in the url bar
Categories
(Firefox :: Address Bar, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox-esr140 | 141+ | verified |
| firefox140 | --- | wontfix |
| firefox141 | --- | verified |
| firefox142 | --- | verified |
People
(Reporter: soeren.hentzschel, Assigned: jteow)
References
Details
(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [sng][adv-main141+][adv-ESR140.1+])
Attachments
(3 files, 1 obsolete file)
|
62.34 KB,
image/png
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-esr140+
|
Details | Review |
|
154 bytes,
text/plain
|
Details |
screenshot
if you look at the screenshot, you can see that the Google logo and the search term are in the address bar, even though a Non-Google website is loaded (it was the result of a Google search). Normally this should not happen, especially since it can also be seen as a security issue if the URL of an arbitrary website is not visible.
In most cases, the described behavior does not happen. However, this has now happened to me for the second time within a few days (on different devices each time).
Firefox Nightly 141.0a1 (2025-06-06) on macOS 15.5.
|
||
Comment 1•9 months ago
|
||
This is pretty bad from a security standpoint. James, would you be able to take a look?
|
Assignee | |
Comment 2•9 months ago
|
||
Thanks for flagging, I'll prioritize investigating this first thing next week.
|
||
Updated•9 months ago
|
|
||
Updated•9 months ago
|
|
|
Assignee | |
Comment 3•9 months ago
|
||
Unable to reproduce the original issue, but adding a safeguard
to ensure search terms only persist when the current URI matches
the URI that was used to load the page.
|
|
Assignee | |
Updated•9 months ago
|
|
||
Updated•9 months ago
|
|
||
Comment 5•9 months ago
|
||
| bugherder | ||
|
||
Updated•9 months ago
|
|
||
Updated•9 months ago
|
|
|
||
Updated•9 months ago
|
|
|
||
Comment 6•9 months ago
|
||
I managed to reproduce the issue once on a 2025-06-06 Firefox Nightly build, using the string from the screenshot in Comment 0. Reproduced on macOS 15.
Verified as fixed on Firefox Nightly 142.0a1 and Firefox 141.0b1 on Windows 10, Ubuntu 22, macOS 15.
|
|
Assignee | |
Comment 8•9 months ago
|
||
Comment on attachment 9495179 [details]
Bug 1970997 - Add origin validation check for persisted search terms - r?#urlbar-reviewers!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: It could be confusing for users for the search terms to persist on non-search engine results pages.
- User impact if declined: Intermittently, they might see the search terms persist in the address bar on a non search results page.
- Fix Landed on Version: 141
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It's limited to the address bar feature that operates on search engine results pages. There are also automated tests.
|
||
Updated•8 months ago
|
|
|
||
Updated•8 months ago
|
|
|
||
Updated•8 months ago
|
|
|
||
Comment 9•8 months ago
|
||
For clarity, "status-firefox140: wontfix" means we don't want to ship a 140.0.x point release for this. We do still want the uplift to make "status-firefox-esr140" fixed (tracking "141+" means "the ESR release in the 141 cycle", that is, 140.1)
|
|
||
Updated•8 months ago
|
|
||
Updated•8 months ago
|
|
||
Comment 10•8 months ago
|
||
| uplift | ||
|
|
||
Updated•8 months ago
|
|
||
Updated•8 months ago
|
|
|
||
Updated•8 months ago
|
|
|
||
Comment 11•8 months ago
|
||
|
|
||
Comment 12•8 months ago
|
||
Verified as fixed on Firefox 140.1esr on Windows 10, Ubuntu 22, macOS 13.
|
|
||
Comment 13•8 months ago
|
||
|
||
Updated•8 months ago
|
|
|
||
Updated•3 months ago
|
Description
•