Closed Bug 406322 (BIDI-in-Statusbar) Opened 17 years ago Closed 17 years ago

MUST remove bidi-marks before displaying url in the status bar

Categories

(Core :: Networking, defect)

x86
Linux
defect
Not set
major

RESOLVED DUPLICATE of bug 388372

People

(Reporter: zwnj, Unassigned)

Details

(Keywords: intl, Whiteboard: [sg:dupe 388372])

Attachments

(2 files)

How to reproduce:
* network.IDN.whitelist.xn--mgba3a4f16a = true
* make sure network.IDN.whitelist.xn--hgbk6aj7f53bba = true
* open the attachment and hover over the 3rd and 4th links
* open both links in a new tab

As you can see, not removing bidi-marks (even in paths, link samples 2 and 4) allows changing how the URL looks in the status-bar, and allows faking sites.

Here are the translations of the links:
1. http://EXAMPLE.TEXT/EXAMPLE.IRAN
2. http://EXAMPLE.IRAN/EXAMPLE.TEXT
3. http://EXAMPLE.TEXT/EXAMPLE.IRAN
4. http://EXAMPLE.IRAN/EXAMPLE.TEXT

The text of all links is EXAMPLE.IRAN; because of another (yet open) bug you see punycode for the first two but unicode for the second two, which is the security issue here.

As fx2.0 always displays the punycode in the status-bar (right?), it doesn't have any security problem, but it's better to fix it too.
Flags: blocking1.9?
As you can see in this English example, I can fake mozilla.org in the status-bar and even in the address-bar!

Maybe this case is not a security issue as I cannot do the DNS configuration needed, but the previous one, which doesn't have any bidi-mark in the host part, is.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 388372]
Group: core-security
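Added example (not code from this bug or from Firefox) of the fix the bug asks for: remove Unicode bidi formatting characters from a link target before it is shown in UI chrome such as the status bar, and flag links that carried them. It assumes the WHATWG URL API (Node.js or a browser); the sample link and its hosts are constructed.

```javascript
// Bidi formatting characters (Unicode Bidi_Control property): ALM, LRM, RLM,
// the embeddings/overrides LRE RLE PDF LRO RLO, and the isolates LRI RLI FSI PDI.
// None of them is ever drawn on screen, so dropping them loses nothing visible
// about a URL; it only removes the ability to reorder host and path text.
const BIDI_CONTROL_CLASS = "[\\u061C\\u200E\\u200F\\u202A-\\u202E\\u2066-\\u2069]";
const BIDI_CONTROLS_GLOBAL = new RegExp(BIDI_CONTROL_CLASS, "g");
const HAS_BIDI_CONTROL = new RegExp(BIDI_CONTROL_CLASS);

// Detection: does a link carry any bidi formatting character at all?
function containsBidiControls(text) {
  return HAS_BIDI_CONTROL.test(text);
}

// Sanitization: the display form with every bidi formatting character removed.
function stripBidiControls(text) {
  return text.replace(BIDI_CONTROLS_GLOBAL, "");
}

// What the status bar should show for a link target. The host is taken from
// the URL parser, i.e. where a click would really go, so a UI can compare it
// with the displayed text instead of trusting the raw href string.
function statusBarText(href) {
  const cleaned = stripBidiControls(href);
  const url = new URL(cleaned);
  return {
    display: cleaned,
    host: url.host,
    hadBidiControls: containsBidiControls(href),
  };
}

// Constructed sample (hypothetical hosts): the path begins with a right-to-left
// override (U+202E), so rendered as-is the path characters are drawn reversed
// and the string can read like a different site name in the status bar.
const SAMPLE_HREF = "http://attacker.example/\u202Egro.elpmaxe";

const result = statusBarText(SAMPLE_HREF);
console.log(result);
// { display: 'http://attacker.example/gro.elpmaxe', host: 'attacker.example', hadBidiControls: true }
```

The same check belongs wherever link text is rendered from untrusted input (tooltips, link previews, mail clients), since the parser and the renderer must agree on what the user is looking at.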