Wednesday, 4 May 2011

Invisible address, a security problem? Let me know your opinion!

Recently, while researching a completely different topic (which I will disclose in the near future), I came across a curious behaviour in Google Chrome. When visiting a URL longer than 32768 characters, the address bar displays only a fragment of the URL. Which fragment is displayed depends on the protocol of the URL.


These are the behaviors for some different protocols:

http://victim.com/#aaaa...aaaa ==> victim.com

https://victim.com/#aaaa...aaaa ==> https://victim.com/

data:text/html,aaaa...aaaa ==> data:

view-source:http://victim.com/#aaaa...aaaa ==> view-source:


Even though the characters are not displayed in the address bar, they are processed correctly in the request. The issue is easily reproducible by creating a link longer than 32768 characters, such as this one: Click me in Chrome


The number 32768 = 32 * 1024 = 2^15, which suggests that this could be an overflow of a 16-bit signed integer (whose largest positive value is 32767). I haven't dug deeper into this, but that is my intuition.
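As an added example (not code from the original post), here is a small Python script covering both the reproduction above and the overflow guess: it flags hyperlinks whose href is at or beyond the 32768-character boundary, the length at which the post observed the address bar hiding most of the URL, and it shows the 16-bit arithmetic behind the hypothesis, namely that any length above 32767 wraps to a negative value when stored in a signed 16-bit integer. The HTML snippet is constructed for the example, the threshold constant is taken from the post, and the per-protocol display behaviour is not modelled, only the length check.

```python
"""Flag links long enough to trip the address-bar truncation described in the
post (>= 32768 characters) and illustrate the signed 16-bit overflow hypothesis.
Added example; not code from the original post."""
import struct
from html.parser import HTMLParser
from urllib.parse import urlsplit

INT16_MAX = 32767                     # largest positive value of a signed 16-bit integer
TRUNCATION_THRESHOLD = INT16_MAX + 1  # 32768 == 2**15, the length observed in the post


def as_int16(n: int) -> int:
    """Value n takes if stored in a signed 16-bit integer (two's-complement wrap)."""
    return struct.unpack("<h", struct.pack("<H", n & 0xFFFF))[0]


def overflows_int16(length: int) -> bool:
    """True when a length of this size does not fit in a signed 16-bit integer."""
    return length > INT16_MAX


class LinkCollector(HTMLParser):
    """Collects every href value found on <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def find_overlong_links(html: str, threshold: int = TRUNCATION_THRESHOLD):
    """Return (scheme, host, length) for each link whose href is at or past threshold.

    The fragment (#...) counts towards the length: it is part of what the
    browser navigates to and displays, even though it is not sent to the server.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        if len(href) >= threshold:
            parts = urlsplit(href)
            findings.append((parts.scheme, parts.netloc, len(href)))
    return findings


# Constructed sample: one ordinary link and two links padded past the threshold.
SAMPLE_HTML = (
    '<a href="http://example.com/">short</a>'
    '<a href="http://example.com/#' + "a" * 40000 + '">Click me</a>'
    '<a href="data:text/html,' + "a" * 40000 + '">data</a>'
)

if __name__ == "__main__":
    for scheme, host, length in find_overlong_links(SAMPLE_HTML):
        print(f"{scheme}: host={host!r} length={length} "
              f"as_int16={as_int16(length)} overflows={overflows_int16(length)}")
```

Run stand-alone, the script reports the two padded links; both lengths come out negative when reinterpreted as 16-bit signed integers, which is the kind of wrap that would make a display routine believe there is nothing (or only a few characters) to show.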


The issue was reported to the Chromium issue tracker, but it is not considered a security issue and won't be fixed, at least not until someone comes up with a scenario where it is a major problem. So, what do you think? Is this a problem or not?