User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release) Build ID: 20131202182626 Steps to reproduce: when you open a small popup window with a big URL , you can't view the totality of the url. if you use an illegal address like http://www.google.complice.alternativ-testing.fr on the small opup window. only www.google.com is visible. Actual results: URL into the location bar is spoofed by the start of the web address. Expected results: you view only the start of the url.

This isn't so much spoofing as impersonating, and AFAIK it's an incredibly old problem for every browser without a good UI fix. Currently when you hover over the url field you get a notification of the full URL. This being an old and quite known problem leads me to think this is sec-low.