Skip to main content

Chrome's Killing 'WWW' in Address Bar — And That's Bad

[UPDATED Sept. 19 with news that Google no longer hides "www" or "m" in Chrome 69, but will hide "www" again beginning with Chrome 70.]

[UPDATED with clarification that domain names can't ever be registered by two different entities. That was our misunderstanding. It should have been obvious, and we apologize. Thanks to the commenters and tweeters who pointed it out.]

The latest version of the Google Chrome browser strips out "www" and "m" from web addresses. Google considers those URL elements, or subdomains, "trivial," but this change will might make it easier for fraudsters, thieves and malware to fool you with fake websites.

Credit: Evan Lorne/Shutterstock

(Image credit: Evan Lorne/Shutterstock)

"This is a dumb change. No part of a domain should be considered 'trivial,'" wrote one commenter to the official Chromium developers' bug forum. "As an ISP, we often have to go to great lengths to teach users that 'www.domain.com' and 'domain.com' are two different domains, and that they may not necessarily go to the same destination."

A bad guy could put up a phony website at "yourbank.com" with an identical look and feel to the legitimate website "www.yourbank.com". If you're using Chrome 69 or later, you wouldn't be able to tell the difference. [Correction: The bad guy would have to break into the YourBank.com servers to do anything like this.]

To take an extreme example cited in the forum, "www.m.www.m.example.com" displays as "example.com" in Chrome 69. It shouldn't.

You can still temporarily view the full URL in Chrome by clicking your mouse pointer inside the address bar, as if you were going to edit the URL. You can make the full URL display all the time by going to chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains and changing the default to "Disabled."

MORE: Best Antivirus Software and Apps

As you can guess, "www" stands for "World Wide Web" and was originally used to distinguish websites from other servers and services reachable via HTTP (Hypertext Transfer Protocol). "M" stands for mobile and sends users to mobile-optimized versions of websites — compare "www.facebook.com" and "m.facebook.com".

Neither element is necessary for a web address to work, but plenty of website operators use one or the other. A good website operator should make sure that "mydomain.com" and "www.mydomain.com" resolve to the same place, but that isn't always the case.

As one commenter on the Chromium bug forum pointed out, "www.citibank.com.sg" is a legitimate site, but "citibank.com.sg" goes nowhere. It could be snatched up by a criminal. (Commenters' names are partly obscured on the Chromium blog, which is why we're not trying to identify them here.) (Correction: Probably not, because citibank.com.sg is the root domain name, so to speak, and adding www to the beginning would just create a new subdomain.)

Chrome is not the first browser to hide "www." Apple's Safari browser has been doing this for some time, both on desktop and mobile, but few people have complained because Apple always does its own thing.

A Chromium developer responded to the complaints by stating that the subdomains "disappear in the steady-state display case because this isn't information that most users need to concern themselves with in most cases."

"I think this is an OK tradeoff even in the rare case when www.foo.com is not actually the same as foo.com," that Chromium developer added.

On the Hacker News forums, the suspicion was that Google's next step would be to remove the "amp" prefix from mobile-optimized news stories that are hosted on Google's own servers, such as https://amp.tomsguide.com/us/mac-adblock-data-swipe,news-28006.html.

The AMP, or Acclerated Mobile Pages, initiative is controversial because while it makes news stories load very quickly on smartphones, it generally gives traffic clicks to Google, not the news sites. (Links from within those stories do go to their original servers.)

"They are going to hide amp subdomain, so you don't know if you're looking at AMP or the actual destination," noted one commenter on Hacker News. "And then suddenly the whole world funnels through AMP."

However, at least part of the decision is already being reversed.

"The stripping of the 'm.' host/subdomain on desktop platforms was confusing and problematic, I agree," said one Chromium developer. "It was reported in bug 875669 and fixed for Chrome 70."

Chrome 70 is scheduled to become the default version in mid-October.

UPDATE: In a posting Sept. 11 to the official Chromium bug forum, Emily Schechter, product manager of Chrome security, announced that "we have decided to roll back these changes in M69 on Chrome for Desktop and Android."

But don't get too attached to seeing "www" back in your browser bar. It's disappearing again in Chrome 70.

"In M70, we plan to re-ship an adjusted version: we will elide 'www' but not 'm,'" Schechter added. "We are not going to elide 'm' in M70 because we found large sites that have a user-controlled 'm' subdomain."

In other words, users can add "m" to URLs to get a different version of a website.

"There is more community consensus that sites should not allow the 'www' subdomain to be user controlled," Schecher wrote.

Few of the dozens of replies to her announcement were supportive.

"What problem does this solve exactly?" wrote one commenter. "I haven't seen a good reason for any of this."

  • middlerun
    'A bad guy could put up a phony website at "yourbank.com" with an identical look and feel to the legitimate website "www.yourbank.com".'

    This is incorrect. If the bank registered yourbank.com, then they also control all subdomains including www from the same DNS. Subdomains can't be registered separately.
    Reply
  • shawndugout13
    Correct MIDDLERUN. Also, a bad guy COULD put a phony website..etc..you mean like now anyway.?? Not to mention any secure or authentication methods set up between user/device to vendor/site. I guess an inside job maybe to register subdomains? That would be or could be going on now anyway. Are we missing something here? I'm not that smart but I can't see a big issue here other than some simple retraining maybe? Thoughts?
    Reply
  • Paul Wagenseil
    You guys are right. It should have been obvious to me, but it wasn't. Thanks for the comments, and the story has been updated.
    Reply
  • ron_reynolds
    I work at a web development agency, and there is literally no reason to be upset/concerned about the removal of "www" and "m." because they ARE trivial. Most users don't type "www" anymore, and any developer worth their salt will set up a force redirect to send those users to the full TLD with the "www" at the beginning.

    Also, anyone saying that the same URL with/without the "www" is not the same site is straight-up wrong. (Having said that, if the above forced redirect isn't implemented, you might get a page not found error, but there's no way you're going to see two different sites.)

    Having said all of THAT, the only concern people are raising that MIGHT be worth discussion is if Google is indeed planning on sending everything through AMP - even if there are no indications that is forthcoming.
    Reply