Issue metadata
Sign in to add a comment
|
Chrome on iOS inconsistently renders the origin in the tab selector. |
||||||||||||||||||||||||
Issue descriptionOn iOS, loading http://xn--https-5w14d.cf/paypal.com/ displays the correct origin rendering in the omnibox, but renders the padlock emoji in the tab selector. Since we also render the favicon, it's not clear that there's actual security bug here, but it's worth ensuring that we render the origin consistently. See https://twitter.com/chronic/status/886978532508934144 for a screenshot. I can reproduce it locally as well. Erring on the side of filing this as a security bug, just in case there are URL spoofing opportunities here that are more concerning than the emoji rendering.
,
Jul 19 2017
(That said, I do think it would be good if we punycode the tab preview when we punycode the omnibox, for minimal confusion.)
,
Jul 19 2017
Looks like TabSwitcher bug.
,
Nov 10 2017
,
Feb 18 2018
,
Jun 15 2018
I think this is actually WAI. It looks like what we display in the tab switcher is the favicon and the website title, (which for that particular one is 🔒 paypal.com) not the origin. We don't punycode titles, do we? Also this seems no different than if we were showing google.com on the tab switcher for a site that has <title>google.com</title>.
,
Jun 18 2018
#6 correct. That's a title, not a URL, which is not a security indicator and can easily be spoofed. As long as the address bar shows the right thing, we're happy. I think it's safe to WontFix this. |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by est...@chromium.org
, Jul 19 2017Labels: -Type-Bug-Security -Restrict-View-SecurityTeam M-61 Pri-3 Type-Bug
Owner: eugene...@chromium.org
Status: Assigned (was: Untriaged)