
Issue metadata

Status: Fixed
Owner: ----
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 2
Type: Bug-Security
Team-Security-UX




USB notification bubble: RTL text gets intermingled with URL.

Project Member Reported by lgar...@chromium.org, Oct 10 2017

Issue description

Chrome 63.0.3218.0
macOS 10.12.6

What steps will reproduce the problem?
(1) Start Chrome in Hebrew
(2) Plug in a WebLight, or add a device at chrome://usb-internals/ with the URL https://sowbug.github.io/weblight.

What is the expected result?
A notification bubble that shows a URL correctly.

What happens instead?
"/sowbug.github.io [Hebrew text] weblight."

(Only tested on Mac so far.)

Most security surfaces show origins instead of URLs (thanks for your work on that, palmer@!), which means that they don't face this issue.

Conservatively filing as a security bug due to possible spoofing avenues.
 
Summary: USB notification bubble: RTL text gets intermingled with URL. (was: USB notification bubble text gets intermingled with URL.)
Attachment: Screen Shot 2017-10-09 at 18.29.27.png (77.1 KB)
This is not normal security UX. This is a suggestion to navigate to a URL. I think it's an open question whether, if we are suggesting the user navigate to a URL, we display the whole URL or just the origin. For brevity we already elide the scheme since it will always be https.

I'm not completely familiar with RTL conventions and the design for notifications in RTL languages but it seems odd to me that the text remains left-justified.

Comment 4 by wfh@chromium.org, Oct 10 2017

Labels: Security_Impact-Stable Security_Severity-Low OS-Chrome OS-Linux OS-Windows
Status: Available (was: Untriaged)

Comment 5 by palmer@chromium.org, Oct 10 2017

Cc: -palmer@chromium.org

Project Member Comment 6 by sheriffbot@chromium.org, Oct 11 2017

Labels: -Pri-3 Pri-2
> I think it's an open question whether, if we are suggesting the user navigate to a URL, we display the whole URL or just the origin. For brevity we already elide the scheme since it will always be https.

Our standard advice for a surface like this is to use FormatUrlForSecurityDisplay: https://cs.chromium.org/chromium/src/components/url_formatter/elide_url.h?l=108&rcl=544d6a4291ce7f16b43051a7ed5d174413caf154

Project Member Comment 8 by bugdroid1@chromium.org, Oct 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/85797cdfc0d98309f920ae29f7f6f21321895ba8

commit 85797cdfc0d98309f920ae29f7f6f21321895ba8
Author: Reilly Grant <reillyg@chromium.org>
Date: Mon Oct 16 18:10:12 2017

Use FormatUrlForSecurityDisplay in WebUSB notification

This patch switches from using GURL::GetContext() to
url_formatter::FormatUrlForSecurityDisplay(OMIT_CRYPTOGRAPHIC) when
formatting the landing page URL for display in the WebUSB notification.
This means the path will no longer be displayed. For the time being we
believe this will be less confusing for users.

Bug: 773161
Change-Id: Ic32f2483b7316af21d3ec2521dd2483d4b00fd11
Reviewed-on: https://chromium-review.googlesource.com/720248
Reviewed-by: Lucas Garron <lgarron@chromium.org>
Commit-Queue: Reilly Grant <reillyg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509108}
[modify] https://crrev.com/85797cdfc0d98309f920ae29f7f6f21321895ba8/chrome/browser/usb/web_usb_detector.cc
[modify] https://crrev.com/85797cdfc0d98309f920ae29f7f6f21321895ba8/chrome/browser/usb/web_usb_detector_unittest.cc
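The advice in comment 7 and the commit above amount to one change: display the origin returned by FormatUrlForSecurityDisplay(OMIT_CRYPTOGRAPHIC) rather than the full landing-page URL, so the path is no longer shown and cannot be wrapped or reordered away from the host inside Hebrew (RTL) notification text. The Python below is an added example written for this page, not Chromium's url_formatter code and not part of the fix on this bug. It models that reduction with simplified origin rules (path, query and fragment dropped; default port omitted; https/wss prefix omitted), counts the '/', '.' and ':' characters that the Unicode bidi algorithm treats as weak or neutral and resolves against surrounding text, and shows a second, general defence that the page does not describe: wrapping the display string in Unicode bidi isolates (U+2068/U+2069) so it stays one LTR run when inserted into an RTL message. The function names, the rule set and the Hebrew template string are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Unicode bidi isolate controls (assumption: a general mitigation, not what
# Chrome's WebUSB notification does). They keep an embedded LTR URL as one
# directional run inside RTL text such as a Hebrew notification string.
FSI = "\u2068"  # FIRST STRONG ISOLATE
PDI = "\u2069"  # POP DIRECTIONAL ISOLATE

# Ports that are implied by the scheme and therefore not displayed.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# Schemes whose prefix is dropped under the OMIT_CRYPTOGRAPHIC policy.
CRYPTOGRAPHIC_SCHEMES = {"https", "wss"}


def format_url_for_security_display(url, omit_cryptographic=True):
    """Reduce a URL to its origin for display.

    Simplified model (assumption, not Chromium's implementation):
      * path, query and fragment are dropped,
      * the port is shown only when it differs from the scheme default,
      * with omit_cryptographic, 'https://' and 'wss://' are not shown.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if ":" in host:            # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    port = parts.port          # None when absent; ValueError when malformed
    origin = host if port is None or DEFAULT_PORTS.get(scheme) == port \
        else f"{host}:{port}"
    if omit_cryptographic and scheme in CRYPTOGRAPHIC_SCHEMES:
        return origin
    return f"{scheme}://{origin}"


def directional_neutrals(text):
    """Count URL punctuation ('/', '.', ':', '?', '#') that the bidi
    algorithm classifies as weak or neutral. These are the characters whose
    visual position depends on the surrounding (possibly RTL) text, so fewer
    of them means fewer ways for a displayed URL to be reordered."""
    return sum(text.count(c) for c in "/.:?#")


def embed_in_message(template, url):
    """Insert the security-display form of `url` into a localized message.

    `template` contains a '{url}' placeholder. The URL is wrapped in bidi
    isolates so that, even inside RTL text, it renders as a single LTR run
    and its '.' / ':' characters are resolved only against the URL itself.
    """
    display = format_url_for_security_display(url)
    return template.replace("{url}", f"{FSI}{display}{PDI}")


if __name__ == "__main__":
    # The landing page from the report, and a constructed Hebrew template
    # ("Go to {url}"); the template is a placeholder, not Chrome's string.
    url = "https://sowbug.github.io/weblight"
    raw = url.split("://", 1)[1]
    print("raw display:   ", raw, "| neutrals:", directional_neutrals(raw))
    origin = format_url_for_security_display(url)
    print("origin display:", origin, "| neutrals:", directional_neutrals(origin))
    print(embed_in_message("עבור אל {url}", url))
```

Run it directly to print the raw and reduced forms: the neutral count drops from 3 to 2 once the path is gone, and the remaining dots sit between strong LTR letters of the host, which the bidi algorithm resolves as LTR. The isolate characters are invisible but keep the host together even if the surrounding RTL sentence is rearranged or wrapped.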

Status: Fixed (was: Available)
Closing this issue as the displayed URL should no longer be wrapped in a way that could be confusing. The remaining question of whether the text in the notification should be right- or left-justified is tracked in issue 774746.

Project Member Comment 10 by sheriffbot@chromium.org, Oct 17 2017

Labels: Restrict-View-SecurityNotify
Labels: M-64
Labels: Release-0-M64

Project Member Comment 13 by sheriffbot@chromium.org, Jan 23 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member Comment 14 by sheriffbot@chromium.org, Mar 27

Labels: -M-64 M-65
