(Normally we'd rate this as High severity, but I think it's slightly mitigated by the fact that only the AMP cache can specify such a URL.)

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Hi Bernhard, just wanted to check in and see if this is still on track for M68. Thanks!

I have a CL in review (https://crrev.com/c/1017120), but there is a bit more work that needs to be done, and Gerrit didn't send me an email for Ted's last reply, so I didn't work on it yesterday :-/ And given that there is going to be the offsite, this might slip past branch point.

The CL is a not-completely-trivial-anymore refactoring of UrlBar data, so I'm a bit worried about cherry-picking it post-branch, but I guess if the CL doesn't land before branch, we can still decide what the best way is to proceed.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c34f42f536db73e806108caa72f4b2fa0b7d2290

commit c34f42f536db73e806108caa72f4b2fa0b7d2290
Author: Bernhard Bauer <bauerb@chromium.org>
Date: Thu May 31 19:35:33 2018

Custom Tabs: Scroll publisher attribution text to end of TLD

The UrlBar used to attempt to parse the display text as a URL to figure
out the origin part of it. This fails with AMP publisher attribution,
as the display text is not a pure URL anymore. In order to avoid any
shenanigans with trying to parse the publisher attribution string,
change ToolbarDataProvider to return a UrlBarData object that contains
both the edit text and the display text, plus the start and end of the
origin in the latter. This makes it easier to avoid diverging behavior
for edit and display text, and moves the UrlBar closer to being a "dumb"
view.

Longer-term, the same mechanism could be used to identify the parts of
the URL that should be highlighted or deemphasized when returning them
from the ToolbarDataProvider, instead of UrlBar parsing the URL.

Because scrolling a TextView does not work with ellipsizing at the end,
undo the ellipsizing from https://crrev.com/549590.

Bug:  835317 
Change-Id: Id11c5e2d0a5fb83775eed098ea3ad2be4b07bc21
Reviewed-on: https://chromium-review.googlesource.com/1017120
Commit-Queue: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: Ted Choc <tedchoc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#563349}
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/java/src/org/chromium/chrome/browser/omnibox/LocationBarLayout.java
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/java/src/org/chromium/chrome/browser/omnibox/UrlBar.java
[add] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/java/src/org/chromium/chrome/browser/omnibox/UrlBarData.java
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/java/src/org/chromium/chrome/browser/searchwidget/SearchActivityLocationBarLayout.java
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/java/src/org/chromium/chrome/browser/searchwidget/SearchBoxDataProvider.java
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/java/src/org/chromium/chrome/browser/searchwidget/SearchWidgetProvider.java
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/java/src/org/chromium/chrome/browser/toolbar/CustomTabToolbar.java
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/java/src/org/chromium/chrome/browser/toolbar/ToolbarDataProvider.java
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/java/src/org/chromium/chrome/browser/toolbar/ToolbarLayout.java
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/java/src/org/chromium/chrome/browser/toolbar/ToolbarModel.java
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/java/strings/android_chrome_strings.grd
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/java_sources.gni
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/javatests/src/org/chromium/chrome/browser/omnibox/LocationBarLayoutTest.java
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/javatests/src/org/chromium/chrome/browser/omnibox/LocationBarVoiceRecognitionHandlerTest.java
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/javatests/src/org/chromium/chrome/browser/omnibox/OmniboxTest.java
[modify] https://crrev.com/c34f42f536db73e806108caa72f4b2fa0b7d2290/chrome/android/javatests/src/org/chromium/chrome/browser/toolbar/ToolbarModelTest.java

Requesting merge for r563349 into M68. The CL is rather on the large side, but has been on trunk for two weeks without any issues.

This bug requires manual review: There is .grd file changes and we are only 39 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

FWIW, the .grd file changes are only in the non-translatable parts of the string. Cherry-pick CL is at https://crrev.com/c/1101077 if someone wants to land it outside of my office hours.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58

commit 04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58
Author: Bernhard Bauer <bauerb@chromium.org>
Date: Fri Jun 15 08:40:56 2018

Custom Tabs: Scroll publisher attribution text to end of TLD

The UrlBar used to attempt to parse the display text as a URL to figure
out the origin part of it. This fails with AMP publisher attribution,
as the display text is not a pure URL anymore. In order to avoid any
shenanigans with trying to parse the publisher attribution string,
change ToolbarDataProvider to return a UrlBarData object that contains
both the edit text and the display text, plus the start and end of the
origin in the latter. This makes it easier to avoid diverging behavior
for edit and display text, and moves the UrlBar closer to being a "dumb"
view.

Longer-term, the same mechanism could be used to identify the parts of
the URL that should be highlighted or deemphasized when returning them
from the ToolbarDataProvider, instead of UrlBar parsing the URL.

Because scrolling a TextView does not work with ellipsizing at the end,
undo the ellipsizing from https://crrev.com/549590.

(cherry picked from commit c34f42f536db73e806108caa72f4b2fa0b7d2290)

Bug:  835317 
Change-Id: Id11c5e2d0a5fb83775eed098ea3ad2be4b07bc21
Reviewed-on: https://chromium-review.googlesource.com/1017120
Commit-Queue: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: Ted Choc <tedchoc@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#563349}
Reviewed-on: https://chromium-review.googlesource.com/1101077
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#373}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/java/src/org/chromium/chrome/browser/omnibox/LocationBarLayout.java
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/java/src/org/chromium/chrome/browser/omnibox/UrlBar.java
[add] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/java/src/org/chromium/chrome/browser/omnibox/UrlBarData.java
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/java/src/org/chromium/chrome/browser/searchwidget/SearchActivityLocationBarLayout.java
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/java/src/org/chromium/chrome/browser/searchwidget/SearchBoxDataProvider.java
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/java/src/org/chromium/chrome/browser/searchwidget/SearchWidgetProvider.java
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/java/src/org/chromium/chrome/browser/toolbar/CustomTabToolbar.java
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/java/src/org/chromium/chrome/browser/toolbar/ToolbarDataProvider.java
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/java/src/org/chromium/chrome/browser/toolbar/ToolbarLayout.java
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/java/src/org/chromium/chrome/browser/toolbar/ToolbarModel.java
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/java/strings/android_chrome_strings.grd
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/java_sources.gni
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/javatests/src/org/chromium/chrome/browser/omnibox/LocationBarLayoutTest.java
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/javatests/src/org/chromium/chrome/browser/omnibox/LocationBarVoiceRecognitionHandlerTest.java
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/javatests/src/org/chromium/chrome/browser/omnibox/OmniboxTest.java
[modify] https://crrev.com/04287dfb13d1fb924dfeb436aa4ab3bfe4d07d58/chrome/android/javatests/src/org/chromium/chrome/browser/toolbar/ToolbarModelTest.java

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot