Google: We'll test hiding the full URL in Chrome 86 to combat phishing

Google aims to find out if showing only a domain name in the address bar will help Chrome users spot scams.
Written by Liam Tung, Contributing Writer

Google will subject Chrome users to a large-scale test in the next version of its browser to discover how people respond to just seeing a site's domain name without the full URL for pages on that site. 

The test will be carried out on Chrome 86, which is due for a stable release at the end of this month. 

Chrome 86 is already known to include a feature that detects and unloads heavy ads and throttles JavaScript timers used on websites to deliver better battery life for end-user devices.

SEE: How to become a developer: A cheat sheet (TechRepublic)    

Google's new experiment will involve some "randomly assigned" users of Chrome 86. These users will have two choices when the full URL (Uniform Resource Locator) is concealed. Those in the experiment would, for example, only see en.wikipedia.org rather than the full address of the specific Wikipedia page.  

As a first step, users in the experiment can hover over the limited URL to display the full URL. The other option is to right-click on the URL, and choose 'Always show full URLs' in the context menu. This will make Chrome show the full URL for all future sites being visited.

The purpose of the experiment is to see whether this approach helps people spot phishing URLs.

As Google points out, there are a bunch of ways scammers and attackers can tweak a URL to trick users into thinking they're opening a legitimate and authentic page.  

Apple Safari is one browser that already only shows the domain name by default and like Chrome, no longer shows the HTTPS part of the URL. 

"In Chrome 86, we're likewise going to experiment with how URLs are shown in the address bar on desktop platforms. Our goal is to understand – through real-world usage – whether showing URLs this way helps users realize they're visiting a malicious website, and protects them from phishing and social-engineering attacks," the Chrome security team states. 

Chrome users can test the approach Google is exploring in the Chrome Canary and Dev channels. Users will need to open chrome://flags in Chrome 86 and enable several flags before relaunching Chrome. 

The flags include:  

  • #omnibox-ui-reveal-steady-state-url-path-query-and-ref-on-hover
  • #omnibox-ui-sometimes-elide-to-registrable-domain
  • Optionally, #omnibox-ui-hide-steady-state-url-path-query-and-ref-on-interaction to show the full URL on page load until you interact with the page.

Those in Google's Chrome 86 experiment would, for example, only see en.wikipedia.org rather than the full page address.  

Image: Google
Editorial standards