Security: Hostname not elided securely (URL spoofing on iOS)
Reported by
chromium...@gmail.com,
Jan 1 2018
Issue description

VERSION
Chrome Version: 63.0.3239,68
Operating System: iOS

REPRODUCTION CASE
From issue 758745 I expected Firefox will show The URL will show ....loginsgn.google.com.pk.bntk.pl as in Firefox Android.
instead of showing: |http://...bntk.pl/|
show: |http://manage-myaccount.paypal.com|

PoC: http://manage-myaccount.paypal.com-webapps.bntk.pl
,
Jan 2 2018
Oops! I meant Chrome, not Firefox, sorry :).
,
Jan 2 2018
Weird. I think this used to behave correctly, based on the screenshots in Issue 454529.
,
Jan 2 2018
Confirmed that this happens on Chrome 63 and Chrome 65 on iOS 11.
,
Jan 2 2018
chromium.khalil@ You can use the "Edit Description" to change your description.

This doesn't look like a bug to me. The differences I can spot between the Android and iOS behaviors are:
1. iOS has less space for the URL than Android because of the back button (this can be reduced further when there is a forward button).
2. iOS uses an ellipsis to show the user that the URL has been truncated whereas Android does not.

Neither of these seems like a bug to me. But maybe I'm missing something. chromium.khalil@, elawrence@, cthomp@, is your understanding of this different than mine?
,
Jan 2 2018
Re #5: In both of these cases, we should be showing the right-hand side of the hostname portion of the URL, eliding text from the left-hand side. go/urldisplay
,
Jan 2 2018
On iOS 10.3.3 it works as expected. Chrome shows .....bntk.pl, unlike on iOS 11.
,
Jan 3 2018
Confirmed. pkl, are you a good person to look into this? If not, please feel free to pass it on to a better person on your team. Thanks! :)
,
Jan 3 2018
Ack. -> justincohen who can help look into the iOS 10.3 vs. iOS 11 differences. +cc a couple others.
,
Jan 3 2018
stk@ this looks like a dup of 749788, no?
,
Jan 3 2018
This is a dupe of 749788. The fix just landed on trunk today. Essentially the system API we used was broken and will not be fixed. The fix that we have is way too big to be cherry-picked, so unfortunately this is not going to be fixed in M64. Here's the fix: https://chromium-review.googlesource.com/c/chromium/src/+/844079
,
Jan 3 2018
So this will be fixed in Canary?
,
Jan 4 2018
Yes, I think so.
,
Jan 6 2018
Tested on latest canary (65.0.3313.0). The tail part of the domain "...bntk.pl" is shown in omnibox.
,
Apr 15 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 Deleted
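
The elision rule discussed in the thread (show the right-hand side of the hostname, elide from the left), as an added example that is not part of the original issue and is not Chromium's code. It compares a right-truncated display with a left-elided one for the PoC URL from the report; the function names, the `maxChars` width parameter and the two-label tail check are assumptions made for illustration.

```javascript
// Added illustration; a simplified model, not Chromium's elision code.
// Assumption: maxChars is the number of characters the omnibox can show.
const ELLIPSIS = "...";

// Model of the display in the report: scheme + host cut off at the right.
function elideFromRight(urlString, maxChars) {
  const u = new URL(urlString);
  const text = `${u.protocol}//${u.host}`;
  return text.length <= maxChars ? text : text.slice(0, maxChars);
}

// Expected behavior: keep the right-hand side of the hostname and elide
// from the left, cutting at label boundaries where possible.
function elideHostFromLeft(urlString, maxChars) {
  const host = new URL(urlString).hostname;
  if (host.length <= maxChars) return host;
  const budget = maxChars - ELLIPSIS.length;
  if (budget < 1) throw new RangeError("maxChars too small to show any host text");
  let kept = "";
  const labels = host.split(".");
  for (let i = labels.length - 1; i >= 0; i--) {
    const candidate = kept ? `${labels[i]}.${kept}` : labels[i];
    if (candidate.length > budget) break;
    kept = candidate;
  }
  // If even the last label does not fit, keep its rightmost characters.
  if (!kept) kept = host.slice(-budget);
  return ELLIPSIS + kept;
}

// Regression check: does the displayed text still end with the last
// `labelCount` labels of the real host? (Two labels is an assumption; a
// real check would derive the registrable domain from the Public Suffix List.)
function showsHostTail(displayed, urlString, labelCount = 2) {
  const labels = new URL(urlString).hostname.split(".");
  return displayed.endsWith(labels.slice(-labelCount).join("."));
}

// The PoC URL from the issue description.
const POC = "http://manage-myaccount.paypal.com-webapps.bntk.pl";
for (const width of [34, 10]) {
  const right = elideFromRight(POC, width);
  const left = elideHostFromLeft(POC, width);
  console.log(width, right, showsHostTail(right, POC), left, showsHostTail(left, POC));
}
```

A check like `showsHostTail` can serve as a UI regression test: whatever width the URL field has, the displayed text must still end with the real host's tail.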