Google-chrome – chromium: “stop loading this page” button erases URL from URL bar

browserchromiumgoogle-chrome

When I type URL into chromium URL bar, ie http://10.10.10.3:80 and the server is currently unreachable, when I wand chromium to stop trying to load, and I press the "stop loading this page" button, the URL disappears. This is evil!

Lets say, I have the port wrong, so I want to try again with another port. I have to type the whole URL again.

When I press the "stop loading this page" button, the URL should stay there as I typed it, so that I can correct it.

Instead, it is replaced by the "last successful URL" that was there before.

is there a way to fix this evil feature?

Best Answer

This behavior is by design and a few years ago the developers of all browsers made a big effort to make it impossible to have a page displayed with the wrong URL. This was actually possible before, until this technique started being used by malware.

The behavior you are asking for is a security hole. If it was possible to display a page with the wrong URL, an attacker could display the URL of your bank together with his own page, this way getting you to type in your account number and password, then emptying all your accounts. This did actually happen, until this loophole was closed.

Showing a wrong URL is only possible on the new-tab page, where it happens automatically. The reason it works here is that there is no real page being displayed, so there is no security reason not to display the entered (wrong) URL.

This behavior is not particular to Chromium. Every browser I have encountered does exactly the same, as this is the secure thing to do.

In addition, browser developers even made it impossible for a thrown dialog to obscure the address bar, since this technique was immediately used by attackers when it became impossible to modify the URL itself, to mimic a false address bar.

The only solution I can offer is to copy a long typed URL before hitting Enter, and this is what I already do. You should get into the habit of doing CtrlA and CtrlC before, just in case.

Here is how an attacker can use the option you ask for to get your bank login:

  • The attacker's add-on or JavaScript script throws up his own website attacker.com/exploit which looks exactly like your bank, except that the address bar gives it away.
  • The attacker would like to have your bank's URL or something very similar in the address bar, but can't, since all APIs that do so were carefully weeded out by the developers.
  • The attacker then invokes a website with a URL that is very similar, or that whose name is displayed exactly the same (Unicode tricks), as your bank's URL.
  • This website does not exist, but the wrong URL will stay in the address bar. Together with the displayed page, this would look like you are really in your bank's site.
  • You do the login, and a few seconds later, all your bank accounts have been emptied out. Bye bye all your savings. The bank rightfully claims that this is your fault and returns nothing.
Related Question