Security: Address bar spoofing with U+FE70 on iOS
Reported by
chromium...@gmail.com,
Jul 19 2016
Issue description

VERSION
Chrome Version: 51.0.2704.104
Operating System: iOS

REPRODUCTION CASE
1. Navigate to http://tinyurl.com/pnsp55f
2. Address bar shows google.com but the page's hostname is http://127.0.0.1
,
Jul 20 2016
The bug being reported appears to be that the long URL gets truncated in the address bar, and the user only sees "www.google.com." Let me see who can look at this on the iOS side.
,
Jul 21 2016
Rohit, can you take a look at this? We need to figure out if we can reasonably avoid this problem.
,
Jul 22 2016
Able to reproduce the bug on Android (also iOS) with http://xn--nebl.xn--9dbq2a/example.com Omnibox shows: "example.com/רע.קום"
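A defender-side check for the URL shape reported in the comment above, added here as an example and not taken from the Chromium code base: it decodes the punycode host, classifies each label by Unicode bidi class, and flags a host made only of right-to-left labels followed by a path segment that reads like a domain name. The names `audit_url`, `direction` and `decode_label` and the two control URLs are assumptions made for the illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

RTL = {"R", "AL"}  # strong right-to-left bidi classes (Hebrew, Arabic)
DOMAIN_LIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")

def decode_label(label):
    """Decode one host label to Unicode (punycode if it carries the xn-- prefix)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def direction(text):
    """Return 'rtl', 'ltr', 'mixed' or 'neutral' from the strong characters in text."""
    classes = {unicodedata.bidirectional(ch) for ch in text}
    rtl, ltr = bool(classes & RTL), "L" in classes
    if rtl and ltr:
        return "mixed"
    return "rtl" if rtl else "ltr" if ltr else "neutral"

def audit_url(url):
    """Flag an all-RTL host followed by a path segment that reads like a domain."""
    parts = urlsplit(url)
    labels = [decode_label(l) for l in (parts.hostname or "").split(".") if l]
    dirs = [direction(l) for l in labels]
    first_segment = parts.path.lstrip("/").split("/", 1)[0]
    rtl_host = bool(dirs) and all(d == "rtl" for d in dirs)
    return {
        "host": ".".join(labels),
        "label_directions": dirs,
        "first_segment": first_segment,
        "risky": rtl_host and bool(DOMAIN_LIKE.match(first_segment)),
    }

# Sample set: the first URL is the one quoted in the comment above,
# the other two are constructed controls.
SAMPLES = [
    "http://xn--nebl.xn--9dbq2a/example.com",
    "http://xn--nebl.xn--9dbq2a/",
    "http://example.com/example.org",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = audit_url(sample)
        print(sample, result["label_directions"], "risky" if result["risky"] else "ok")
```
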
,
Jul 22 2016
CCing me on iOS bugs probably does not make sense since I have no knowledge of iOS or the omnibox implementation there.
,
Jul 22 2016
Ok, the original URL "http://tinyurl.com/pnsp55f" reproduces on iOS but not Android for me. The other URL, "http://xn--nebl.xn--9dbq2a/example.com" reproduces on both iOS and Android.
,
Jul 23 2016
Does that mean they're two different issues?
,
Jul 23 2016
We need to triage this and debug further to find out. It could still be the same issue.
,
Aug 2 2016
I can't repro in the latest canary, so I think this is the same underlying bug as Issue 624214.
,
Nov 9 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kerrnel@chromium.org, Jul 19 2016