Issue 681098

Issue metadata

Status: WontFix
Owner: ----
Closed: Jan 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Feature



Change format of URL in location bar for data:text/html URLs?

Project Member Reported by rdsmith@chromium.org, Jan 13 2017

Issue description

There's apparently a phishing attack going around (see https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/ ) relying on making people think that URLs like "data:text/html;https://accounts.google.com/..." are valid account prompts.  I could imagine that changing the format with which data: URLs are presented (highlighting the data:text/html, downplaying the rest of the text) might help with this phishing attack.


 
Status: WontFix (was: Untriaged)
I read the article, and I don't think we should take action on this specific issue.

The author suggests adding Yet More Security States, which we know from studies doesn't make users more secure.  I think the right long-term solution here is the work to badge non-HTTPS pages as insecure; it's just that that will take a while.

In the meantime, I don't think this is significantly different than putting "accounts.google.com" in some other part of your URL.  We can't stop someone from serving up http://data.text.html.com/accounts.google.com/phish.html, for example.

The data URL presented is already fairly uninviting, and it seems unlikely that making it more uninviting is going to make a meaningful difference in some way.  But, willing to reopen if a security person strongly disagrees.
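
Added example, not part of the original thread and not Chromium code: a check a mail or proxy filter could run to tell whether a trusted hostname that is visible in a URL is the host the page actually loads from. It covers both cases discussed above (the data: URL and the name placed elsewhere in an http URL) and generalizes to the name used as a hostname prefix. `classifyUrl` and `TRUSTED_HOSTS` are hypothetical names, and the sample URLs in the comments are constructed or taken from the thread.

```javascript
// Assumption: the set of hosts the deployment treats as real login origins.
const TRUSTED_HOSTS = new Set(["accounts.google.com"]);

// Parse with the WHATWG URL parser (the same model browsers use) and report
// whether a trusted name is the real origin or only appears as text.
function classifyUrl(raw, trusted = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return { scheme: null, host: null, verdict: "unparseable" };
  }
  const scheme = url.protocol.replace(/:$/, "");
  const host = url.hostname.toLowerCase(); // empty string for data: URLs

  if (trusted.has(host)) {
    // Real host matches; only https counts as the trusted origin.
    const verdict = scheme === "https" ? "trusted-origin" : "trusted-host-insecure-scheme";
    return { scheme, host, verdict };
  }

  // The host is not trusted. Does a trusted name still show up in the string?
  const lowered = raw.toLowerCase();
  const mentioned = [...trusted].find((name) => lowered.includes(name));
  if (mentioned === undefined) {
    return { scheme, host, verdict: "untrusted" };
  }

  let where;
  if (scheme === "data") {
    where = "data-payload"; // e.g. data:text/html;https://accounts.google.com/...
  } else if (host.includes(mentioned)) {
    where = "hostname-substring"; // e.g. accounts.google.com.login.example
  } else {
    where = "elsewhere"; // path, query, fragment or userinfo
  }
  return { scheme, host, verdict: "lookalike", where, mentioned };
}
```
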
