Style is everything

Image credit: Sashkin / Shutterstock / PortSwigger Ltd

Google is planning to let Chrome users set their browsers to display a website’s full URL in the address bar, in a move that attempts to find middle ground over previous aesthetic changes made by the tech giant.

Chromium developers have working on implementing a new setting that provides the option for users to set Chrome’s address bar (the so-called ‘omnibox’) to display the ‘https://’, ‘m’, and ‘www’ URL prefixes.

The option to display the full URL was recently rolled out in Chrome Canary 83 – the experimental preview build of Google’s flagship web browser.

Users can enable the feature through the omnibox content menu and by clicking ‘Always show full URLs’.

Back and forth

The move attempts to strike a happy compromise to what has been long-held contention between Mountain View and the cybersecurity community.

In July last year, Google took steps to remove the ‘www’ and ‘m’ subdomains from the address bar in Chrome 76.

At the time, Emily Schechter, product manager of Chrome Security, called the omnibox features “irrelevant to most Chrome users”, prompting debate over the need for URL simplification amid the absence of a standard approach to ensure ‘safe’ DNS settings.

The subdomains have previously been considered “trivial” by the tech giant, with some suggesting that Google’s plan is to eradicate URLs altogether in order to boost its ad revenue, The Daily Swig reported.

The same change was proposed for Chrome 69 in September 2018, but this was rolled back due to uproar caused by the cybersecurity community.

“Claiming that this is being done for security is plain wrong,” said one developer on the Chromium bug tracker at the time of the proposed changes.

“It doesn’t help prevent phishing attacks, in my experience it will create more confusion and make it more likely for a user to connect to the wrong site.”

Style over subdomains

Critics argue that simplification of the omnibox could cause accidental obfuscation and that a lack of standardization could lay the groundwork for ‘www’ and root domains to point to incorrect content.

In August, Josh Lemos, vice president of research and intelligence at BlackBerry Cylance, told The Daily Swig: “Other protocol schemas still display in the address bar. Also, the ‘www’ subdomain has long been extraneous; this would be a huge issue for phishing if it were used on all host subdomains, but that’s not what Google is doing with the new approach.”

While now working on providing the full display option to its users, Chrome has remained steadfast in its view on address bar security considerations.

In the Chrome Canary 83 design document, Livvie Lin, software engineer at Google, said: “Showing the full URL may detract from the parts of the URL that are more important to making a security decision on a webpage.

“However, this risk is mitigated in that we expect that the users who opt into this setting are power users who understand URLs (and in such cases, potentially improve security).”

Stable release migration

Users can try out the ‘Always show full URLs’ feature in Chrome Canary 83 now.

As news of the experimental feature began to surface, the Chromium team published a revised schedule for its stable browser release.

Amid the ongoing disruption caused by the coronavirus outbreak, Chrome 83 is now due to launch on May 19. The Daily Swig has asked Google to confirm that this stable release will include the URL-in-full feature for all users.

READ MORE Will the coronavirus pandemic impact browser security?