Windows News and info 15th Anniversary 2009-2024

Social Media - Search Engines - Browsers => Browsers: Google Chrome | Opera | Safari | Firefox => Topic started by: javajolt on September 10, 2018, 11:59:56 AM

Title: Chrome 69 Removing WWW and M subdomains From the Browser's Address Bar
Post by: javajolt on September 10, 2018, 11:59:56 AM
With the release of Chrome 69, Google has decided to strip the "www" and "m" subdomains from the URL displayed in Chrome's address bar. For example, when a user visits www.bleepingcomputer.com (http://www.bleepingcomputer.com), the www would be stripped and displayed as bleepingcomputer.com in the address bar.

(http://s22.postimg.cc/eukdgbekh/www-stripped.jpg)
www subdomain stripped from www.bleepingcomputer.com (http://www.bleepingcomputer.com)

When this was discovered, users and security experts expressed concerns that this new behavior will cause confusion for users who may think that they are going to a particular site but may actually be going to a completely different one. Furthermore, due to bugs in this implementation, the "www" string could be stripped incorrectly and thus display an incorrect URL in the address bar.

(http://s22.postimg.cc/ifg8z4izl/Capture.png)

As stated (http://bugs.chromium.org/p/chromium/issues/detail?id=881410#c18) by a Chromium developer in the behavior's bug report (http://bugs.chromium.org/p/chromium/issues/detail?id=881410), the www and m (for mobile) subdomains are being classified by Google as "trivial" subdomains because they feel most people do not need to be concerned with the information they represent.

Quote
"The subdomains reappear when editing the URL so people type the correct one.  They disappear in the steady-state display case because this isn't information that most users need to concern themselves with in most cases.  I think this is an OK tradeoff even in the rare case when www.foo.com (http://www.foo.com) is not actually the same as foo.com.  (Side note: like it or not, almost no real-world users will use such a thing correctly; configuring your server like this seems like a Bad Move even if it's technically legal, because people are going to access the wrong thing, and that has been true for some time and irrespective of Chrome's UI changes.)

There are multiple real bugs here though:

www.2ld.tld (http://www.[url=http://www.2ld.tld)]www.www.2ld.tld (http://www.2ld.tld)[/url] should become www.2ld.tld (http://www.2ld.tld), not 2ld.tld (we should strip at most one m. and www.)
subdomain.www.domain.com (http://www.domain.com) should be left as-is, not subdomain.domain.com (should only strip prefixes)"
To many users, though, this logic doesn't make sense (http://bugs.chromium.org/p/chromium/issues/detail?id=881410#c2) as domain.com does not always go to the same site as www.domain.com (http://www.domain.com) and will just confuse users.

Quote
"This is a dumb change. No part of a domain should be considered "trivial". As an ISP, we often have to go to great lengths to teach users that "www.domain.com" and "domain.com" are two different domains, and that they may not necessarily go to the same destination. The marketing world has done a lot of damage convincing people that "www" is both ubiquitous and non-essential, when in fact, for some domains, the use or lack of it can be quite important to getting to the correct location."
Another example (http://bugs.chromium.org/p/chromium/issues/detail?id=881410#c3) given in the bug report was that the address www.pool.ntp.org (http://www.pool.ntp.org) is a website, while the stripped URL would appear in Chrome as pool.ntp.org, which is a random NTP server.

Quote
"How will you distinguish http://www.pool.ntp.org (http://www.pool.ntp.org) vs http://pool.ntp.org (http://pool.ntp.org) ?

One takes you to the website about the project, the other goes to a random ntp server."
Finally, another commenter (http://bugs.chromium.org/p/chromium/issues/detail?id=881410#c27) shows how the "www" string may be stripped incorrectly and thus show an incorrect URL due to bugs in the implementation.

Quote
"Enter into the address bar:

www.example.com]http://www.example.[url=http://www.example.com]www.example.com (http://www.example.[url=http://www.example.com)[/url]

It shortens it:

example.example.com

WTF? How does www.example.com (http://www.example.[url=http://www.example.com)]www.example.www.example.com (http://www.example.com)[/url] === example.example.com?"
How Chrome 69 decides to strip a subdomain

From the Chromium source code (http://github.com/chromium/chromium/blob/master/courgette/label_manager_unittest.cc), Chrome 69 has a function called IsTrivialSubdomain() that checks whether a subdomain is "www" or "m". If the subdomain is "www" then the function returns true, and if Chrome is being used on Android or iOS, will return true for the "m" subdomain.

If the function returns true, Chrome will strip the subdomain from the URL when it is displayed in the address bar.

Quote
private:
  static bool IsTrivialSubdomain(base::StringPiece subdomain) {
    if (subdomain == "www")
      return true;

#if defined(OS_ANDROID) || defined(OS_IOS)
    // Eliding the "m" subdomain on Desktop can be confusing, since users would
    // generally want to know if they are unintentionally on the mobile site.
    if (subdomain == "m")
      return true;
#endif

    return false;
  }
How to stop the stripping of trivial subdomains

Due to the confusion and possible security risks of this new feature, it is suggested that users disable the stripping of trivial subdomains. To disable the removal of trivial subdomains you can follow these steps:

1. Open the Chrome browser and enter chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains into the address bar. Then press Enter.

2. Chrome will open a page that shows the "Omnibox UI Hide Steady-State URL Scheme and Trivial Subdomains" setting. Change this settings to Disabled.

(http://s22.postimg.cc/wysfxp869/disable-stripping-of-trivial-subdomains.jpg)

3. The browser will then display a prompt that you need to relaunch the browser for the setting to take effect. Click on the "Relaunch Now" button and the browser will restart.

(http://s22.postimg.cc/q8byod86p/image.jpg)

4. Now that the setting is disabled, you will see the full addresses for the site you are visiting in the address bar as shown below.

(http://s22.postimg.cc/otadztmkx/setting-disabled.jpg)
Full addresses showing again in the Chrome 69 address bar

(http://www.bleepingcomputer.com/news/google/chrome-69-removing-www-and-m-subdomains-from-the-browsers-address-bar/[/url)