Tests for address bar spoofing with a single UIWebView

Test case: data URL

This test case points to a data: URL. If the address bar is not updated to the data: URL, data: URLs are not tracked and can potentially be used for spoofing.

Test case: data URL and filtered port

This test case uses a data: URL and an iframe pointing to a filtered port. If the address bar is not updated to the data: URL, this can potentially be used for spoofing in some scenarios.

Test case: document.write to http://www.example.com

This test case calls native UIWebView window.open trying to spoof http://www.example.com.

If a browser fails this test (allows spoofing), it is probably caused by not updating the address bar on didFailLoadWithError.

Test case: document.write to https://www.apple.com

This test case calls native UIWebView window.open trying to spoof https://www.apple.com.

Test case: document.write to about:history

This test case verifies address bar behaviour for an about: URL other than about:blank (in this case, about:history).

Test case: NXDOMAIN

This test case redirects to a non-existent domain. If this page's content remains but the address bar ends up showing https://login.example.com, it may be used for spoofing.

Test case: Loading loop

This test case redirects to a filtered port in a loop. If the address bar is updated before navigation actually happens, this allows address bar spoofing.

On a mobile device, the user is likely to ignore the progress bar, if there is one.
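
A delegate that avoids the two failure modes named above (address bar updated before navigation happens, and address bar not corrected on didFailLoadWithError) can look like the following. This is an added example, not code from this test suite or from any browser; BrowserViewController, addressField, displayedURL and syncAddressBar are hypothetical names, and treating window.location.href of the main frame as the source of truth is this example's assumption.

```objc
#import <UIKit/UIKit.h>

// Hypothetical browser controller (names are assumptions, not from the page).
@interface BrowserViewController : UIViewController <UIWebViewDelegate>
@property (nonatomic, strong) UIWebView *webView;
@property (nonatomic, strong) UITextField *addressField;
@end

@implementation BrowserViewController

// URL of the document that is actually rendered in the main frame.
// Assumption of this example: ask the page itself instead of trusting the
// pending request, which may never load (NXDOMAIN, filtered port).
- (NSString *)displayedURL {
    NSString *href = [self.webView
        stringByEvaluatingJavaScriptFromString:@"window.location.href"];
    return href.length > 0 ? href : @"about:blank";
}

- (void)syncAddressBar {
    self.addressField.text = [self displayedURL];
}

- (BOOL)webView:(UIWebView *)webView
    shouldStartLoadWithRequest:(NSURLRequest *)request
                navigationType:(UIWebViewNavigationType)navigationType {
    // Deliberately do NOT copy request.URL into the address bar here.
    // The navigation has only been requested; the old content is still shown.
    // Subframe loads (request.URL differs from request.mainDocumentURL)
    // must never change the address bar either.
    return YES;
}

- (void)webViewDidFinishLoad:(UIWebView *)webView {
    // Fires for subframes too; syncing from the main frame keeps it correct.
    [self syncAddressBar];
}

- (void)webView:(UIWebView *)webView didFailLoadWithError:(NSError *)error {
    // The load failed, so whatever was displayed before is still displayed.
    // Re-sync so the bar names the content on screen, not the failed target.
    [self syncAddressBar];
}

@end
```

With this policy the address bar changes only as a result of a finished or failed load, so a redirect loop to a filtered port or a redirect to a non-existent domain leaves the bar showing the URL of the page that is still on screen.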

The next part is about downloads