Naked Security

Chrome may bring back ‘www’ with option to show full URLs

Google's doing so grudgingly: it still thinks that showing too much will confuse users trying to assess a site's security.

Enough people must have griped about the loss of “www” and “https” in Chrome’s address bar to make Google rethink it: Chromium developers are testing a new Omnibox context menu that would give users the option to “Always Show Full URLs.”
You can see what the final rendition of the “Show Full URLs” menu might look like here.
Google’s doing this a bit grudgingly: it still thinks that showing what it calls the “trivial subdomain” will distract users making security assessments.
The feature is currently available only in the experimental Chrome 83 Canary build. After users select the option in Chrome’s address bar – what Google likes to call the “Omnibox” – it will stay there permanently, always showing full web addresses, replete with their “https” and “www”.
On 17 March, Chromium developers outlined the plan for users to opt out of URL snippage in a post on the bug tracker titled “Implement Omnibox context menu option to always show full URLs”.


The post’s author, Chromium software engineer Livvie Lin, had this to say in a design document:

The Omnibox context menu should provide an option that will prevent URL elisions for the entire Chrome profile.

We’re not sure that this won’t do more harm than good, Lin said:

Showing the full URL may detract from the parts of the URL that are more important to making a security decision on a webpage.

…but the risk is mitigated by the fact that Google expects that users who opt in to the setting are “power users who understand URLs (and in such cases, potentially improve security),” Lin said.
Lin said that this will be for desktop only. It will apply across all desktop sessions (including Incognito sessions) on all devices, as it applies to Chrome profiles.
Google removed the “www” from Chrome 70 in 2018. The new setting doesn’t reverse that decision, in spite of it having been a controversial move that some said would actually make it easier for crooks to fool us with fake websites.
The feature is still experimental in Chrome 83. It can be enabled in that version by typing in chrome://flags/ and setting the “Context menu show full URLs” flag.
It will be a quick way to permanently stop Chrome from making what it refers to as elisions in the Omnibox – if, in fact, the feature makes its way to the final Chrome 83 release.



8 Comments

Good. I really hope this happens. The push to remove relevant information from the URL has never made any sense to me. There is no such thing as a “trivial subdomain” and whoever came up with that concept should be removed from the decision making process.


I used Firefox for years… I think the user could just use the HTTPS EVERYWHERE extension — problem solved.


Tidbit of additional information: Firefox has always had this as an about:config setting with browser.urlbar.trimURLs. The default of true looks like Chrome’s default, change it to false to see the full URL.


This makes as much sense as hiding the file extension by default like Windows does.
When you take information away from the user, you make them even more helpless and ripe for exploitation.


Thanks, James,
I was going to say the same thing about Firefox. For some reason, I thought all websites were going to do this, but that hasn’t happened. I admit sometimes it is frustrating to see NO HTTPS:// message flash on my screen when the site is not using a secure URL. I have had the experience of logging into a website that I use frequently without problems until one day I clicked on an item I wanted to see. The NO HTTPS:// came up. I contacted the company and I haven’t had that problem again.
I’m not a computer wizard, but if it makes my PC safer, I’m all for it.


Good, this was one of the stupidest things Google ever did, rates right up there with Microsoft not showing file extensions – talk about living within stupidity. Taking information away from users only trains them to not look for it in the first place, and that’s game over against the user in Privacy and Security.
