HackerOne report: URL obfuscation #4748
Comments

@neeklamy try the same thing in chrome

I see, Google Chrome strips out the Safari’s handling makes me wonder, are
(From: What Every Developer Should Know About URLs) I don’t quite agree with HackerOne’s conclusion either, it doesn’t look like we’re at brave.com simply because when you mouse away, the title bar shows example.com – this is no different to anyone abusing the subdomain system to make it look like we are at an entirely different site…

Doesn't the URL bar say https://brave.com@example.com/ ?

moving to 0.12.7 for now, but please move back if you disagree.

my understanding is that this is a perfectly valid URL structure, but there's not much point in showing the username/password part because the browser converts this to credentials in the standard HTTP "Authorization" header. we could strip it or grey it out to make it more obvious that it's not the hostname.


https://hackerone.com/reports/175529
Verified on OS X 0.12.4
Steps to Reproduce
1. go to https://brave.com@example.com/
2. urlbar makes it look like we are at brave.com when the page displayed is example.com
Expected behavior
urlbar should show the actual page location, which is https://example.com/
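One way to produce the URL-bar text the expected behaviour asks for, following the suggestion in the last comment to strip the username/password part rather than show it: parse the URL, keep the host the browser will actually contact, and clear the userinfo component for display. This is an added example, not code from the Brave project or the HackerOne report; `describeUrl` and `decodeUserinfo` are hypothetical helper names, and the sample URLs are constructed. It relies on the WHATWG URL parser that Node.js and modern browsers provide.

```javascript
// Added example, not code from the Brave project or the HackerOne report.
// Parses a URL that may carry a userinfo component ("user:pass@") and
// returns what an address bar should display: the same URL with the
// userinfo removed, plus the pieces a UI could use to warn the user.
// Relies on the WHATWG URL parser built into Node.js and modern browsers.

// Decode percent-escapes in a userinfo field, tolerating malformed input.
function decodeUserinfo(part) {
  try {
    return decodeURIComponent(part);
  } catch (e) {
    return part; // leave undecodable sequences as-is rather than throw
  }
}

// Hypothetical helper; returns null if the input is not an absolute URL.
function describeUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (e) {
    return null;
  }
  const hasUserinfo = parsed.username !== '' || parsed.password !== '';

  // Display form: clear username and password so the first host-like token
  // the user reads is the host the browser will actually connect to.
  const display = new URL(parsed.href);
  display.username = '';
  display.password = '';

  return {
    host: parsed.host,                 // real destination (with port, if any)
    username: decodeUserinfo(parsed.username),
    password: decodeUserinfo(parsed.password),
    hasUserinfo,                       // true: UI should strip or grey out the prefix
    display: display.href,             // text to put in the URL bar
  };
}

// Demo on the constructed URL from the report.
const sample = describeUrl('https://brave.com@example.com/');
console.log(sample);
// { host: 'example.com', username: 'brave.com', password: '',
//   hasUserinfo: true, display: 'https://example.com/' }
```

For the report's URL the parser already treats `brave.com` as a username and `example.com` as the host; the display form drops the prefix entirely, and `hasUserinfo` lets the UI grey out or flag the original text instead if that is preferred.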