• United States



gregg keizer
Senior Reporter

Safari, Chrome push to mask URLs

Jun 06, 20145 mins
Data and Information SecurityOperating SystemsPrivacy

Apple's browser will truncate Web addresses to domain-only length in OS X Yosemite; Google's experimenting with a similar design

Safari on OS X Yosemite will mask most of a URL in its top-of-window address bar, following in the footsteps of Safari on iOS, and beating Google’s Chrome, which is experimenting with the same design, to the desktop.

While not strictly a trend, the decision by Apple to mask all but the domain — say, or — will bring a simmering discussion about the value of a full-string URL to the surface when customers first fire up Safari on Yosemite this fall.

Apple did not call out the change in its Worldwide Developers Conference (WWDC) keynote Monday, but eagle-eye observers noted that during a demonstration of Safari, only the domain appeared in the browser’s address bar.

As Safari was shown on the keynote’s giant screen poised at Wikipedia’s Ansel Adams article, the browser displayed rather than the full string of that would appear in other browsers, including Chrome, Firefox and Internet Explorer, not to mention Safari on OS X Mavericks.

It wasn’t a surprise that Apple dumped the rest of the URL; it did the same last year in Safari on iOS 7. On an iPhone or iPad, tapping the domain reveals the full URL. Safari on Yosemite behaves similarly: Clicking in the address bar or using Cmd-L — the keystroke combo to select the address bar’s contents — expands the domain to the full URL.

What’s Apple up to?

Apple’s not talking, but Google is. For several months, Chrome developers have been playing with something similar in pre-release versions of the browser, switching it on an off, seemingly at random, for some users running editions as solid as the beta builds.

Chrome dubs the feature “origin chip,” but the end result is the same: A truncated URL.

“URLs can be long and messy. By making the domain name of [the] site you’re visiting clearer, it’s easier to glance up at the Omnibox and know exactly where you are on the Web,” wrote Tim Caver, who implied that he was a Google employee, in a support forum last month. “It’s also easier to tell when a malicious website is purporting to be a different website (think”

The argument has some merit. Phishers sometimes try to fake out users with extremely long URLs that look legit in the finite space of the address bar but are actually pointers to a different domain.

In Chrome’s experiments, clicking on the option chip — the small rectangle at the far right of the browser’s Omnibox, Google’s name for its combined address and search field — reveals the full URL, as does the usual Ctrl-L (Windows) and Cmd-L (OS X) keystroke combos.

Not everyone liked what Google was up to.

“My personal opinion is that it’s a very bad change and runs antithetical to Chrome’s goals,” said Paul Irish, a developer advocate for Chrome, in an April discussion thread on Hacker News. “I hope the data backs that up as well.”

Others weighed in on the same discussion, as well as on Google’s support forum, mostly with negative comments, some with more than a dollop of hyperbole. “Should this become the default and not disable-able, then Chrome will die a fiery death,” predicted Ross Presser.

Some theorized that Google’s motivation wasn’t to improve security or clear up confusion, but rather to push the search aspect of the Omnibox by scrubbing the space of the URL.

Others predicted the death of the Web as the world knows it.

“There’s a dangerous slippery slope here,” contended Tristan Louis on the Hacker News thread. “If we’re OK with this happening, are we then OK with getting rid of that domain further down the line? The whole thing strikes me as creating a more locked-down Web.

“The problem with that approach is that it communicates that the Web is ‘hard’ instead of educating users in how to understand it and how to build on it,” added Louis, who was a co-founder of, among other companies, and has been involved with the Web for more than two decades.

A security firm joined the anti-origin chip discussion in May too. Chantilly, Va.-based PhishMe argued that extremely long URLs vanished, leaving the Omnibox blank, to illustrate how cyber criminals could circumvent the origin chip’s design.

Chrome users who encounter the option chip can eliminate it by typing chrome://flags in the address bar, searching for the setting labeled “Enable origin chip in Omnibox,” then selecting “Disabled.” Those who want to experiment with the feature can enable it using with the same setting in most Chrome builds.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg’s RSS feed. His email address is

See more by Gregg Keizer on

Read more about internet in Computerworld’s Internet Topic Center.