Waterfox: URL automatically loading dropped text because of "security reasons" seriously impairs locationbar functionality.

Related:

• https://hg.mozilla.org/releases/mozilla-beta/rev/aa132747394e61e607ce2e3bea248c1e66011aea (2017-11-09)
• CVE - CVE-2018-5111 (2018-01-03)
• MFSA 2018-02 – Security vulnerabilities fixed in Firefox 58 — Mozilla (2018-01-23)
• https://www.reddit.com/r/waterfox/comments/7uvihq/-/dw814yj/?context=1

From https://www.mozilla.org/security/advisories/mfsa2018-02/#CVE-2018-5111:

CVE-2018-5111: URL spoofing in addressbar through drag and drop

…
When the text of a specially formatted URL is dragged to the addressbar from page content, the displayed URL can be spoofed to show a different site than the one loaded. This allows for phishing attacks where a malicious page can spoof the identify of another site.

From Mozilla bug 1449881 - Text dropped in the urlbar is instanly resolved/searched, preventing the user from modifying it (RESOLVED INVALID):

… IIRC it was bug 1321619, it's still closed for security reasons.

@grahamperrin
So they "fixed" it by breaking the drag&drop feature...

This is terribly annoying. I even tried "Simplify Awesome Bar" to work around much of the issue. But stuff from text/input fields sometimes.

Does anyone know about addon writing: I wonder how hard would it be to steal the "stuff dropped action" from the browser to prevent anything other than the drop happening.

Doesn't anyone know of an addon that manipulates the functioning of the locationbar that might be used as a workaround, for this annoying "security fix"?

@mzso You could download the source code, revert the patch then compile a personal build of waterfox

First you need to setup the build environment (Visual studios, direct x, github, rust or other tools required) see https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions for more information on this for windows https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Windows_Prerequisites

@PandaCodex commented on 2018. ápr. 11. 15:43 CEST:

@mzso You could download the source code, revert the patch then compile a personal build of waterfox

First you need to setup the build environment (Visual studios, direct x, github, rust or other tools required) see https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions for more information on this for windows https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Windows_Prerequisites

If I could just do that I would, instead of just commenting about it.

… use dropped text for keyword searches and such …

Doesn't anyone know of an addon that manipulates the functioning of the locationbar …

No (sorry) but since you described your use case in Reddit, I _have_ begun using the search field for drag-and-drop searches: https://photos.app.goo.gl/jDTm6guVRbJLqO4U2

@mzso, I'll wrap this around a pref if you'd like?

@MrAlex94 commented on 2018. ápr. 12. 21:46 CEST:

@mzso, I'll wrap this around a pref if you'd like?

That'd be much appreciated.

Added it to the release check list :-)

On Thu, 12 Apr 2018 at 20:55, mzso notifications@github.com wrote:

@MrAlex94 https://github.com/MrAlex94 commented on 2018. ápr. 12.
21:46 CEST
https://github.com/MrAlex94/Waterfox/issues/499#issuecomment-380923027:

@mzso https://github.com/mzso, I'll wrap this around a pref if you'd
like?

That'd be much appreciated.

—
You are receiving this because you commented.

Reply to this email directly, view it on GitHub
https://github.com/MrAlex94/Waterfox/issues/499#issuecomment-380925539,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AEgoWGSeoSBoXCoXBl819-ARJgxrbZWXks5tn7EzgaJpZM4TAsab
.

@MrAlex94 commented on 2018. ápr. 16. 23:57 CEST:

Added it to the release check list :-)

Great!
By the way. Can you make that checklist public? I'd be interested in keeping an eye on it to know what to expect.

Added in https://github.com/MrAlex94/Waterfox/commit/137b2ab3e7e3b9ddce51c25d639bd0417bdc0a72, can be toggled with browser.urlbar.dragDropLoad being set to true.

After the next update, please re-open if you have issues.

@MrAlex94 commented on 2018. ápr. 25. 18:20 CEST:

Added in 137b2ab, can be toggled with browser.urlbar.dragDropLoad being set to true.

After the next update, please re-open if you have issues.

Great! Thanks!

@MrAlex94 commented on 2018. ápr. 25. 18:20 CEST:

Added in 137b2ab, can be toggled with browser.urlbar.dragDropLoad being set to true.

After the next update, please re-open if you have issues.

By the way. Does this restore the old behavior as it was? Because that was glitchy, and I can think of improvements.
It tried to load anything if it started with a seqeuence of alphanumeric characters with a ":" at the end, regardless whether it was a valid protocol or not.

One simple improvement would be to not load anything at all, if this new setting for loading is set to false.

Or it could have three states for this.