securemepls The Status Bar in Orion is vulnerable to ASCII Smuggling. In Chrome and Safari/STP, the status bar correctly shows the attempt as ASCII Smuggling on this webpage: https://embracethered.com/blog/posts/2024/m365-copilot-prompt-injection-tool-invocation-and-data-exfil-using-ascii-smuggling/

Steps to reproduce:

1. Enable the status bar (View -> Show Status Bar).
2. Visit https://embracethered.com/blog/posts/2024/m365-copilot-prompt-injection-tool-invocation-and-data-exfil-using-ascii-smuggling/
3. Go to the "An Example Link With Hidden Data" section and hover over the https://wuzzi[.]net/ link.

Orion cuts off the ASCII characters after https://wuzzi[.]net/

Contrasted with:
Chrome 128:
Safari/STP:

Orion matches Firefox in how the hover is rendered, but it should instead match Chrome/Safari/STP.

Version 0.99.128.2.1-rc (WebKit 619.1.11.111.2)
Sonoma (14)

securemepls I guess it's more accurate to say the status bar doesn't render all Unicode tags. Makes my hover technique to check malicious URLs not effective.
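
A check that does not depend on how a status bar renders the hover text, as an added example that is not part of the original posts or Orion's code: it flags code points from the Unicode Tags block (U+E0000 to U+E007F) in a link target, raw or percent-encoded, and renders them visibly. The function names and the `example.test` sample URL are assumptions constructed for illustration.

```javascript
// Unicode Tags block: U+E0000..U+E007F; U+E0020..U+E007E mirror printable ASCII.
const TAG_START = 0xe0000;
const TAG_END = 0xe007f;

// Percent-decode when possible so tags sent as UTF-8 escapes are seen too.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s; // malformed escapes: inspect the raw string instead
  }
}

// Inspect a link target. `visible` is the decoded URL with every tag
// character replaced by a marker; `hidden` is the ASCII text the tags spell.
function inspectUrl(href) {
  let hidden = "";
  let visible = "";
  let tagCount = 0;
  for (const ch of safeDecode(href)) { // for...of walks code points
    const cp = ch.codePointAt(0);
    if (cp < TAG_START || cp > TAG_END) {
      visible += ch;
      continue;
    }
    tagCount += 1;
    const ascii = cp - TAG_START;
    if (ascii >= 0x20 && ascii <= 0x7e) {
      const c = String.fromCharCode(ascii);
      hidden += c;
      visible += `[TAG:${c}]`;
    } else {
      // Non-printable tag (e.g. U+E0001): show the code point itself.
      visible += `[TAG:U+${cp.toString(16).toUpperCase()}]`;
    }
  }
  return { hasTags: tagCount > 0, tagCount, hidden, visible };
}

// Constructed sample: a harmless URL followed by two tag characters ("hi").
const SAMPLE = "https://example.test/\u{E0068}\u{E0069}";
console.log(inspectUrl(SAMPLE));
console.log(inspectUrl("https://example.test/plain"));
```
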