New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 882933 link

Starred by 2 users
Status: Available
Owner: ----
Cc:
ajha@chromium.org
jdeblasio@chromium.org
mgiuca@chromium.org
creis@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug
Team-Security-UX



Sign in to add a comment

Encoded URLs are decoded which can result in spoofed URLs

Reported by vi...@vivan.me, Sep 11 
UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36

Steps to reproduce the problem:
1. Visit https://twitter.com/vivan%E2%80%8B%E2%80%8B
2. Look at the omnibox

What is the expected behavior?
The Omnibox should display the URL-encoded text

What went wrong?
The Omnibox renders the blank UTF-8 character rather than the full encoded URL.

Did this work before? N/A 

Chrome version: 69.0.3497.81  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:

Comment 1 by vi...@vivan.me, Sep 11 

This of course applies to all URL encoded strings - the above was just an example.

Comment 2 by krajshree@chromium.org, Sep 12

Labels: Needs-Triage-M69

Comment 3 by ajha@chromium.org, Sep 13

Cc: ajha@chromium.org
Components: -UI UI>Security>UrlFormatting
Labels: Target-71 M-71 FoundIn-71 OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on the latest canary(71.0.3551.0) and on stable(69.0.3497.81) on Windows-10,Mac OS 10.13.6 and Linux Debian Rodete. Similar behavior is seen on older chrome version 60.0.3094.0 as well.

Shows the expected behavior on other browsers(IE,Firefox,Edge). Attaching the screenshot of the same.

Triaging this as non regression issue for inputs from the respective team. Tentatively adding UI>Security>UrlFormatting component, feel free to change if not the same.
882933.png
91.2 KB View Download

Comment 4 by carlosil@chromium.org, Oct 1

Owner: meacer@google.com
Status: Assigned (was: Untriaged)
meacer: A URL display issue that's a bit different from the usual confusables, can you take a look? Thanks.

Comment 5 by mgiuca@chromium.org, Oct 2 

Some info:

The string "%E2%80%8B%E2%80%8B" is percent-encoding of U+200B U+200B (ZERO WIDTH SPACE x2).

Generally, spoofing consideration in URLs is only given to the origin, since the path isn't considered a security-sensitive surface. However, I can see how in this case, it might be considered spoofing, since you could impersonate someone else's Twitter account.

The URL standard (https://url.spec.whatwg.org/#url-rendering) does say:

"Other parts of the URL should have their sequences of percent-encoded bytes replaced with code points resulting from percent decoding those sequences converted to bytes, unless that renders those sequences invisible."

So it would be correct to keep these invisible sequences encoded in the path component.

Comment 6 by jdeblasio@chromium.org, Oct 19

Cc: jdeblasio@chromium.org

Comment 7 by mea...@chromium.org, Nov 8

Owner: ----
Status: Available (was: Assigned)
I think non-host parts of the URL are handled by GURL, so I'm not the best owner for this.

Sign in to add a comment