Set displayed URL on an error page

887 views
Skip to first unread message

Xinghui Lu

unread,
Apr 17, 2024, 7:32:44 PM4/17/24
to navigation-dev
Hi navigation experts,

Safe Browsing recently encountered a bug (https://crbug.com/334988077) that the URL displayed on the error page is inaccurate if there is a redirect. For example, if URL1 redirects to URL2, and URL1 is flagged by Safe Browsing, the displayed URL on the error page should be URL1. However, since Safe Browsing doesn't block redirects, at the point when the error page is displayed, the redirect may already happen, causing the displayed URL to be URL2.

The Safe Browsing error page is triggered in SafeBrowsingNavigationThrottle::WillFailRequest. I see that NavigationEntry offers a SetVirtualURL function that can modify the displayed URL. However, the actual NavigationEntry for the error page is not yet created when WillFailRequest is called, so this approach doesn't work.

Right now I'm looking for somewhere within NavigationEntry that allows callers to set the displayed URL when committing an error page, similar to how it sets a customized error_page_content. Does anyone know any pointers to achieve that? If there is a better approach, please call that out too. Thanks for your help.

Nasko Oskov

unread,
May 8, 2024, 6:07:17 PM5/8/24
to Xinghui Lu, navigation-dev
Hey Xinghui,
Letting redirects continue after the point you need to block them is an interesting choice, but once you have let them proceed you have the navigation system in a state that has progressed further than you would like. Modifying the displayed URL when the error is somewhere else is something we would discourage, as it can lead to a long tail of issues, which are sometimes hard to discover or deal with appropriately. Every time in the past where we have decided to overwrite the URL we have almost universally come to regret it in the future.

There is currently no approach that we know of to get a different URL to show in the omnibox, besides the virtual URL mechanism, but it doesn't look like that's the right solution for your case. Have you considered a different approach? For example, since you are going to display an error page, isn't it more appropriate to include the violation URL in the body of the error page? This will leave the omnibox displaying the correct navigation state and in the body of the error page you can explain exactly what has happened - one of the intermediate redirects was to URL "foo" which is blocked due to safe browsing check.

Our recommendation would be to leave the navigation and omnibox state as is and surface the information to the user in some other shape. Alternatively, you can just block the navigation on the actual redirect that fails the safe browsing check.

Thanks!
Nasko

--
You received this message because you are subscribed to the Google Groups "navigation-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to navigation-de...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/navigation-dev/CACBBNWf3U8mr7HWOpEo7vsD4vOKsX_%2BMbY9QAO7f%2BGousG_YMw%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages