Location bar site information is misleading when selecting Top Site with keyboard and then cancelling
Categories
(Firefox :: Address Bar, defect, P1)
Tracking
| Flag | Tracking | Status |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox74 | --- | unaffected |
| firefox75 | --- | wontfix |
| firefox76 | --- | verified |
| firefox77 | --- | verified |
People
(Reporter: ke5trel, Assigned: mak)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, sec-low, Whiteboard: [adv-main76+])
Attachments (3 files)
- image/png (deleted)
- text/x-phabricator-request (deleted), RyanVM: approval-mozilla-beta+
- text/plain (deleted)
STR:
- Go to https://mozilla.org.
- Focus location bar.
- Use arrow keys to highlight reddit.com top site.
- Press escape key or click elsewhere without selecting.
Expected:
The location bar shows the current site or does not show site information icons.
Actual:
The highlighted reddit.com URL persists as if it is the current site with the padlock and site permissions of mozilla.org, making it visually indistinguishable from being on the site itself.
This could be exploited by someone with physical access to a computer to do phishing attacks.
Comment 1•5 years ago
Isn't this how things always worked?
Select a url from the dropdown, then focus content. You can do the same in Chrome and most browsers.
If you change the URL any other way, the site information icons (padlock, shield and permissions) are hidden and replaced with a magnifying glass which persists when the location bar loses focus. This makes it clear that it is in a modified state and does not represent the current site. Chrome also hides the padlock icon if the URL has been modified.
Comment 3•5 years ago
That's a fair point, selecting Top Sites doesn't invalidate pageproxystate.
Comment 4•5 years ago
Comment 5•5 years ago
https://hg.mozilla.org/integration/autoland/rev/e187ef437b760862a1dcc5285570cf3e5ae38adc
https://hg.mozilla.org/mozilla-central/rev/e187ef437b76
Comment 6•5 years ago
Comment on attachment 9141020 [details]
Bug 1628288. r=adw
Beta/Release Uplift Approval Request
- User impact if declined: When using Top Sites from the urlbar, sometimes we may be showing confusing security information that refers to a different origin
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce:
  1. Load a secure page like https://www.mozilla.org/
  2. Click on the urlbar, so that Top Sites appear
  3. Move through Top Sites with the keyboard
  4. Check that there's no shield/Lock when doing that
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It's a very simple code change hiding the security indicators when the urlbar value is set by selecting a result, the risk should be minimal.
- String changes made/needed:
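The invariant behind this fix, shown as an added model rather than Firefox's own code: security indicators (lock, permissions) may only be drawn while the text in the bar still mirrors the loaded document. The model below follows the `pageproxystate` idea mentioned in comment 3, but the class, method and field names are assumptions made for this illustration. It replays the reporter's steps against a "before" model (selecting a result leaves the state valid) and an "after" model (selecting a result invalidates it) and checks whether the display ends up misleading.

```javascript
// Added illustration (not Firefox code): a minimal model of the location bar
// state this bug is about. Names below are assumptions for the example.
class LocationBarModel {
  constructor({ invalidateOnResultSelection }) {
    // true = behaviour after the fix; false = behaviour reported in this bug
    this.invalidateOnResultSelection = invalidateOnResultSelection;
    this.currentURI = null;          // URL of the document actually loaded
    this.value = "";                 // text currently displayed in the bar
    this.pageProxyState = "invalid"; // "valid" only while value mirrors currentURI
    this.focused = false;
  }

  // A page finished loading: the bar shows its URL and the state is valid.
  load(uri) {
    this.currentURI = uri;
    this.value = uri;
    this.pageProxyState = "valid";
  }

  focus() { this.focused = true; }

  // User types into the bar: the displayed text no longer mirrors the page.
  userTyped(text) {
    this.value = text;
    this.pageProxyState = "invalid";
  }

  // User arrows onto a Top Site / result row; the bar previews its URL.
  selectResult(url) {
    this.value = url;
    if (this.invalidateOnResultSelection) {
      this.pageProxyState = "invalid";
    }
  }

  // Escape or clicking elsewhere: focus leaves the bar without navigating.
  blur() { this.focused = false; }

  // What the identity block would show for the value currently on screen.
  indicators() {
    if (this.pageProxyState !== "valid") {
      // Modified state: magnifying glass, no lock, no site permissions.
      return { icon: "search", lock: false, permissionsFor: null };
    }
    const secure = this.currentURI.startsWith("https://");
    return { icon: "identity", lock: secure, permissionsFor: new URL(this.currentURI).host };
  }
}

// Replay the steps to reproduce from the report against a model and return
// what the user would see afterwards.
function reproduce(model) {
  model.load("https://mozilla.org/");             // constructed sample page
  model.focus();
  model.selectResult("https://www.reddit.com/");  // arrow onto the Top Site
  model.blur();                                   // Escape without selecting
  return { value: model.value, ...model.indicators() };
}

// True when the bar shows a lock/permissions belonging to a host other than
// the one whose URL is displayed, which is exactly the reported condition.
function isMisleading(state) {
  if (!state.lock && state.permissionsFor === null) return false;
  return new URL(state.value).host !== state.permissionsFor;
}

const before = reproduce(new LocationBarModel({ invalidateOnResultSelection: false }));
const after = reproduce(new LocationBarModel({ invalidateOnResultSelection: true }));
```

In the `before` model the displayed value is reddit.com while the lock and permissions still belong to mozilla.org; in the `after` model the same keystrokes leave the bar in the "search" state with no indicators, matching the manual test steps in the uplift request.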
Comment 7•5 years ago
Comment on attachment 9141020 [details]
Bug 1628288. r=adw
Fixes a minor sec issue with the new megabar design. Approved for 76.0b6.
Comment 8•5 years ago
uplift
Comment 10•5 years ago
I'm sorry, it's my fault, I thought the rule was for sec-approval (thus excluded sec-low).
In this case I don't think the test clarifies much of the issue; it's mostly checking for an obscure attribute.
What do you think we should do now?
Comment 11•5 years ago
(In reply to Marco Bonardo [:mak] from comment #10)
> What do you think we should do now?

There's little we can do for this bug. Please keep it in mind for future work.
Comment 12•5 years ago
Verified as fixed:
Tested with:
- Beta 76.0b7 (64-bit)
- Nightly 77.0a1 (2020-04-21)
Tested on:
- Windows 10: verified fixed
- Ubuntu 18.04: verified fixed
- Mac 10.13.6: verified fixed
Comment 13•5 years ago
Kestrel, if I understand it correctly, this is your first security report to Mozilla. Congratulations, you're going to be mentioned in our security advisories next week! Please let us know ASAP if you want to be credited differently than what we have in our draft right now (see advisory.txt attachment).