Want to take a look Chris?

Yep.  Two things:

We might not be wrong.  We highlight schemes according to desktop's implementation, and sometimes, if Clank doesn't match, it's been a Clank bug.  I'll look into it.

Separately, I noticed that we're showing the (i) icon, which again, Clank does not, but desktop does.

Justin, do you have insight into why this mismatch exists, and whether one is incorrect?

Off the top of my head, the Android UI looks wrong. Even if we wanted to grey that out, it ought to be the entire protocol (including "://") not just the word "file".

+mariakhomenko to see if she knows whether the greyed-out "file" is intentional.

I believe this is intentional, see OmniboxUrlEmphasizer.java#emphasizeUrl for logic. We highlight all schemes that don't come from secure connections this way.

Interesting.  I guess the questions then becomes "should desktop and Clank converge on this?"

VR doesn't utilize any omnibox-related Java code - it's much more like desktop in that way.  However, the VR browser should be consistent with Clank where possible, as it runs on mobile.  So VR could go either way - we just need to know which way.

estark, emilyschechter: Android has a behavior where it greys out the "file" protocol because it's insecure (see first attachment on comment #1). Presumably http would be greyed out also, but we simply don't show it.

Can either of you comment on whether desktop and VR should try to do the same? To my eye, it's not really clear what the grey color is supposed to be communicating.

My understanding is that "file" does not touch the network, so it's not considered insecure -- so the grey color isn't supposed to communicate anything, it's more of an attempt to make URLs less confusing/confusable by "greying out" useless syntax. We have some research that this is not super effective as an anti-spoofing defense, though it still could be helpful for very technical users: https://docs.google.com/presentation/d/1j5Z5mBB6t0TOTWu88ZBnWDJHSmCvNnzFrFgd2px_dAI/edit

We should keep a consistent UI across all of these lesser known schemes (blob, etc). +elawrence/meacer can you remind me of current state? (Do we have a test for these?) 

If we think it is actually not secure, I would prefer to use the security chip. 

I think it's fine for WebVR to match Desktop here and show the URL in all black.

> "file" does not touch the network, so it's not considered insecure 

Yes, today we don't consider file non-secure. Notably, the file protocol *may* hit the network via the non-secure SMB protocol (this happens when the url is of the form 

  file://Just2SlashesBeforeHereMeansThisIsaHostname.com/path/folder

...However, because only pages loaded from file: may navigate to and load from file:, its usage in the scenarios that we typically worry about for "Not Secure" warnings is low.

Unfortunately, Chrome's emphasis behavior remains a bit all over the board for these more-obscure protocols.

For the data: scheme, we tried to emphasize the scheme itself (e.g. show "data:" in black and everything else in gray) as an anti-spoofing mechanism, but we quickly just disabled navigations to it entirely.

For the blob: scheme, today, Desktop just shows this in black.
For the about: scheme, today, Desktop shows this in gray.
Both are a bit weird because these URLs may be secure or may be insecure depended on the security context of their originating URLs. 

(I have various test URLs up at https://bayden.com/test/data.htm)

Thanks for this discussion, folks.

VR's omnibox uses more of desktop's code than Android's, so I'd prefer to continue following desktop in this case.

If Chrome's emphasis behavior converges to be more consistent across platforms, then VR would follow that direction.

There's very little code involved in Desktop and VR's URL emphasis currently, but if the complexity starts to grow, then I'd like to refactor Desktop View's implementation into something more abstract, that we can use to emphasize both desktop and VR URLs.  Then, VR would automatically pick up any changes to desktop's styling.

If there are strong feelings about doing this ASAP, I think I can slot that into M-69.