Skip to content
Naked Security Naked Security

Chrome may bring back ‘www’ with option to show full URLs

Google's doing so grudgingly: it still thinks that showing too much will confuse users trying to assess a site's security.

Enough people must have griped about the loss of “www” and “https” in Chrome’s address bar to make Google rethink it: Chromium developers are testing a new Omnibox context menu that would give users the option to “Always Show Full URLs.”
You can see what the final rendition of the “Show Full URLs” menu might look like here.
Google’s doing this a bit grudgingly: it still thinks that showing what it’s called the “trivial subdomain” will distract users making security assessments.
The feature is currently available only in the experimental Chrome 83 Canary build. After users select the option in Chrome’s address bar – what Google likes to call the “Omnibox” – it will stay there permanently, always showing full web addresses, replete with their “https” and “www”.
On 17 March, Chromium developers outlined the plan for users to opt-out of URL snippage in a post on the bug tracker titled “Implement Omnibox context menu option to always show full URLs”.

The post’s author, Chromium software engineer Livvie Lin, had this to say in a design document:

The Omnibox context menu should provide an option that will prevent URL elisions for the entire Chrome profile.

We’re not sure that this won’t do more harm than good, Lin said:

Showing the full URL may detract from the parts of the URL that are more important to making a security decision on a webpage.

…but the risk is mitigated by the fact that Google expects that users who opt-in to the setting are “power users who understand URLs (and in such cases, potentially improve security),” Lin said.
Lin said that this will be for desktop only. It will apply across all desktop sessions (including Incognito sessions) on all devices, as it applies to Chrome profiles.
Google removed the “www” from Chrome 70 in 2018. The new setting doesn’t reverse that decision, in spite of it having been a controversial move that some said would actually make it easier for crooks to fool us with fake websites.
The feature is still experimental in Chrome 83. It can be enabled in that version by typing in chrome://flags/ and setting Context menu show full URLs.
It will be a quick way to permanently stop Chrome from making what it refers to as elisions in the Omnibox – if, in fact, the feature makes its way to the final Chrome 83 release.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


Good. I really hope this happens. The push to remove relevant information from the URL has never made any sense to me. There is no such thing as a “trivial subdomain” and whoever came up with that concept should be removed from the decision making process.


I used Firefox for years… I think the user could just use the HTTPS EVERYWHERE extension — problem solved .


Tidbit of additional information: Firefox has always had this as an about:config setting with browser.urlbar.trimURLs. The default of true looks like Chrome’s default, change it to false to see the full URL.


This makes as much sense as hiding the file extension by default like Windows does.
When you take information away from the user, you make them even more helpless and ripe for exploitation.


Thanks, James,
I was going to say the same thing about Firefox. For some reason, I thought all websites were going to do this, but that hasn’t happened. I admit sometimes it is frustrating to see NO HTTPS:// message flash on my screen when the site is not using a secure URL. I have had the experience of logging into a website that I use frequently without problems until one day I clicked on an item I wanted to see. The NO HTTPS:// came up. I contacted the company and I haven’t had that problem again.
I’m not a computer wizard, but if it makes my PC safer, I’m all for it.


Good, this was one of the stupidest things Google ever did, rates right up there with Microsoft not showing file extensions – talk about living within stupidity. Taking information away from users only trains them to not look for it in the first place, and that’s game over against the user in Privacy and Security.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!