Humans can't read URLs. How can we fix it? – HTTP 203

In this episode, Jake makes the case that URLs are impossible for humans to interpret, especially when it comes to security. What are browsers doing today to overcome that? And, is there a better way?

Subscribe to Google Chrome Developers here → https://goo.gle/ChromeDevs

Also, if you enjoyed this, you might like the HTTP203 podcast! → https://goo.gle/2M5Fpcv

Whoa, thanks for reading the description right to the end! Why not post a comment saying you spotted the easter egg in this episode. There isn’t one of course, but it’ll confuse everyone who didn’t read the description.

50 Comments

  1. Joris on October 26, 2021 at 10:07 am

    I had a witty statement about this written down somewhere, but I can’t find it anymore.



  2. Profound Games on October 26, 2021 at 10:07 am

    I love the idea of the URL change. It’s WAY EASIER to explain to my parents.



  3. YeYaTeTeTe on October 26, 2021 at 10:07 am

    I like your proposal at the end. I think you should include that as an option.



  4. C on October 26, 2021 at 10:08 am

    It’s Amazon, I recognize that weird `ref` part in the URL



  5. Waldemar Enns on October 26, 2021 at 10:08 am

    This was one hell of an interesting episode! Thank you guys, we definitely have to keep non-tech users secure. I like Jake’s approach of showing the eTLD in the secure space of the browser bar. Good episode :thumbsup:



  6. Robin Pokorny on October 26, 2021 at 10:08 am

    Cool, eTLD+1 is a great concept. I like how it puts focus on the authority or owner of that portal. The rest of the URL is just an identifier, it could be a UUID for what it’s worth. I’m surprised that so many people want to see it full.



  7. Joe Taber on October 26, 2021 at 10:10 am

    I like the proposal. Basically, all sites get the old EV treatment, except it displays the eTLD+1 in place of the company name instead. This highlights the root of authority of every url the user visits together with the status of TLS. This allows you to simplify the display of the url while preserving the most important parts, both for mobile and for desktop.



  8. Ryan Johnson on October 26, 2021 at 10:11 am

    Can’t read them, and copy/pasting them makes an ugly URL in a document or presentation.



  9. Karl Wagner on October 26, 2021 at 10:11 am

    I’m primarily a Safari user (but I find these videos interesting and enjoyable all the same).
    I’ve got to say – I really like how Safari displays URLs. Hiding the full URL doesn’t bother me at all. It’s just good design; why should you always show the user a garbled string that they’re not likely to understand?



  10. Nicolai Kamenzky on October 26, 2021 at 10:13 am

    I really like your solution! I am wondering, though, how secure the domain list is. Can people sneak an entry in there that in the end misguides people? Or something as simple as a domain like GitHub, which is subletting subdomains, not being on the list. I am no security expert by any means, but turning people’s attention more strongly towards the eTLD+1 part makes that list more of an attack vector. That said, maybe it is no big deal at all. It depends on how robust the submission process for that list is and how many domains that sublet subdomains ensure that they are on that list. What do you think?



  11. Joel Robert Justiawan on October 26, 2021 at 10:13 am

    This is your daily dose of Recommendation

    URL long



  12. Lawrence Dol on October 26, 2021 at 10:14 am

    Very good thoughts.

    What I think we need is for DNS registration where the domain, subdomain, and server name are NOT conflated. The manager of a domain has the authority to allocate subdomains but the origin needs to be reliably indicated. I would do this by registering names not as mykids.jakearchibald.github.io, jakearchibald.github.io, and github.io, which is ambiguous, but as mykids::jakearchibald.github.io, jakearchibald::github.io, and github.io. Jake then has authority over jakearchibald::github.io, allowing him to register either kids::jakearchibald.github.io (as a subdomain of jakearchibald.github.io *separate* from jakearchibald.github.io), or kids.jakearchibald::github.io (as a subdomain *within* jakearchibald.github.io), but, importantly, NOT BOTH. This follows a similar design with IP division for subnet and node.

    For HTTP, I would enhance Jake’s example by using DNS records to change the user’s view in the bar to be [🔒 subdomain at subdomain at basedomain | /svgomg/] with a green lock, bold domain names, non-bold "at", and middle-gray path. Clicking in the URL field reverts to the full text URL. Examples:

    🔒 git.io | /some/path

    🔒 jakearchibald at git.io | /some/path
    🔒 mykids at jakearchibald at git.io | /some/path

    (All notwithstanding existing reserved characters and meaning WRT the selection of the server/network separator, possible confusion with IPv6, etc.)



  13. Victor Nascimento on October 26, 2021 at 10:14 am

    I would love to have a security warning for visiting the eTLD+1 for the first time. That way, even if malicious parties have a URL that mimics a secure environment, we would see a warning saying "you are visiting this for the first time". A simple badge, changing the color of the padlock, etc. would be awesome.



  14. Toool on October 26, 2021 at 10:16 am

    Honestly, as a developer, I sometimes aim to distract via URLs if it leads to sensitive info.
    I try my best to hide it, though, and preserve user-friendly access, but I don’t want anybody guessing it.



  15. Kevin Hagerty on October 26, 2021 at 10:16 am

    I guess they listened when you said "ship it"



  16. facundo leal on October 26, 2021 at 10:19 am

    Paul Lewis? Or James Priest! Goodbye, good luck!



  17. DemiImp on October 26, 2021 at 10:21 am

    I like seeing the URL for multiple reasons. For example, seeing the URL all the time helps me know I’m on the right site and navigating the right PART of the website. There are a lot of context clues in the URL that help me know I’m doing the right thing. Also I specifically don’t fully trust websites themselves (even when it IS really truly the site I want to be on). Removing the URL path will give the opportunity for websites to try to trick users and be even more malicious. I don’t just care about the domain being right, seeing the whole URL is incredibly useful.



  18. David French on October 26, 2021 at 10:22 am

    IDEA: Just put a little toggle button to the left of the address bar that would toggle between ETLD+1 and full URL (rather than making it a Flag or Setting). That way I can use ETLD+1 most of the time, but quickly and easily switch to full URL if I’m doing development or something like that. Think of it as being kind of like "Comfortable, Relaxed, Compact" in Gmail. This is better than Safari’s click-to-view-full-URL, because it acts like a "setting" instead of a "click-once-to-view-once".



  19. superkrabban on October 26, 2021 at 10:22 am

    Bring back http:// and https:// !



  20. Robert Campbell on October 26, 2021 at 10:23 am

    This is a nice idea. I think that this or something similar could be really useful.



  21. cat -.- on October 26, 2021 at 10:24 am

    1) I’m evil.com, I fool people with bank.bank.evil.com
    2) I’m defeated by eTLD+1 highlighting, because browsers only show evil.com
    3) I register bank.evil.com as an eTLD.
    4) Under eTLD+1 highlighting, users see bank.bank.evil.com

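The eTLD+1 computation that comments 10 and 21 above are arguing about, written out as an added example that is not part of the episode or of any comment. It follows the matching algorithm documented at publicsuffix.org (an exception rule beats every other match, otherwise the matching rule with the most labels wins, and a TLD absent from the list counts as a one-label suffix) over a small constructed excerpt of the list. The list entries, the hosts `evil.com` and `bank.evil.com`, the sample URLs and the `addressBarLabel` display helper are all assumptions for illustration, not Chrome's code; `POISONED_RULES` models cat -.-'s scenario of an attacker getting a lookalike host accepted as a public suffix.

```javascript
// Added example, not code from the episode or from any commenter. Public Suffix List
// matching over a small CONSTRUCTED excerpt of the real list; the rules, hosts and URLs
// below are assumptions for illustration.
const PSL_RULES = [
  'com',
  'io',
  'github.io',   // GitHub hands out subdomains to unrelated users, so it is a suffix
  'uk',
  'co.uk',
  '*.ck',        // wildcard: every second-level label under .ck is itself a suffix...
  '!www.ck',     // ...except www.ck, which is registrable in its own right
];

// Compare rule labels (which may contain '*') against host labels, right to left.
function ruleMatches(ruleLabels, hostLabels) {
  if (ruleLabels.length > hostLabels.length) return false;
  for (let i = 1; i <= ruleLabels.length; i++) {
    const r = ruleLabels[ruleLabels.length - i];
    const h = hostLabels[hostLabels.length - i];
    if (r !== '*' && r !== h) return false;
  }
  return true;
}

function normalizeHost(hostname) {
  return hostname.toLowerCase().replace(/\.$/, '');
}

// Public suffix ("eTLD") of a hostname. The implicit "*" rule applies when nothing
// matches; an exception rule wins outright (minus its leftmost label); otherwise the
// matching rule with the most labels prevails.
function publicSuffix(hostname, rules = PSL_RULES) {
  const hostLabels = normalizeHost(hostname).split('.');
  let prevailing = ['*'];
  for (const rule of rules) {
    const exception = rule.startsWith('!');
    const labels = (exception ? rule.slice(1) : rule).split('.');
    if (!ruleMatches(labels, hostLabels)) continue;
    if (exception) {
      prevailing = labels.slice(1);
      break;
    }
    if (labels.length > prevailing.length) prevailing = labels;
  }
  return hostLabels.slice(hostLabels.length - prevailing.length).join('.');
}

// eTLD+1: the public suffix plus one more label. Returns null when the host *is* a
// public suffix (e.g. "github.io"), which has no single registrant to display.
function registrableDomain(hostname, rules = PSL_RULES) {
  const host = normalizeHost(hostname);
  const hostLabels = host.split('.');
  const suffixLen = publicSuffix(host, rules).split('.').length;
  if (hostLabels.length <= suffixLen) return null;
  return hostLabels.slice(hostLabels.length - suffixLen - 1).join('.');
}

// Hypothetical eTLD+1-only address bar label for a URL. IP literals have no public
// suffix and are shown verbatim; a bare public suffix is shown as-is.
function addressBarLabel(urlString, rules = PSL_RULES) {
  const { hostname } = new URL(urlString);
  if (hostname.startsWith('[') || /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname)) return hostname;
  return registrableDomain(hostname, rules) ?? hostname;
}

// cat -.-'s scenario: "bank.evil.com" gets accepted onto the list as a public suffix,
// so the eTLD+1 of bank.bank.evil.com becomes the whole lookalike host.
const POISONED_RULES = [...PSL_RULES, 'bank.evil.com'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const u of [
    'https://bank.bank.evil.com/login',
    'https://mykids.jakearchibald.github.io/svgomg/',
    'https://www.amazon.co.uk/some/product/ref=abc',
  ]) console.log(addressBarLabel(u), '<-', u);
  console.log(addressBarLabel('https://bank.bank.evil.com/login', POISONED_RULES), '<- with poisoned list');
}
```

With the clean list, `bank.bank.evil.com` collapses to `evil.com` and `mykids.jakearchibald.github.io` to `jakearchibald.github.io`, which is the point of the proposal; with one extra entry the same host is displayed in full, which is why the review process for list submissions, not the matching code, carries the security weight here.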


  22. Wynn Slater on October 26, 2021 at 10:24 am

    Now can you come up with a solution to fix selecting part of the url when the scheme is hidden?
    The current "solution" is brutal.



  23. Mr. Jacob Bloom on October 26, 2021 at 10:29 am

    I’d also be interested in seeing the same kind of highlighting of the eTLD+1 in more places that display URLs, like the little box that shows the URL when you hover over a link, or in messaging services and email clients. A few messaging apps already show a title/preview for sent links, and it’d be trivial to extend them to show the eTLD+1.



  24. Kasper Guldmann on October 26, 2021 at 10:30 am

    Why haven’t you shipped it yet?



  25. Mr Sc1 on October 26, 2021 at 10:30 am

    Security by obscurity only works for a day. Then on day 2 evil uses it to their advantage. Hopefully on day 3 the devs notice. I use those long-ass URL things all the time. Change search terms without having to load a page (back button, duh). Make sure I’m on the correct page when something is glitchy. Read if a site is actually legit. Etc etc… Making something easier for Grandma is only that. I very very much need to choose when to wear beer goggles. Lol, I literally haven’t used Google search in a couple of months. Guess what? Oh, the URLs disappeared. I was working. Didn’t have time to fiddle or reverse engineer something as silly as that.



  26. Apostou on October 26, 2021 at 10:31 am

    It’s perfect. Just make it so that it can be disabled through Chrome flags.



  27. Marco Wettstein on October 26, 2021 at 10:33 am

    Kudos for svgomg! Love that tool



  28. أحمد محمد on October 26, 2021 at 10:34 am

    we fix it?



  29. Alex on October 26, 2021 at 10:34 am

    All these efforts are to mask the fact that some sites are served through Google AMP, locking you into their ecosystem. This isn’t about ergonomics.

    It’s money.



  30. Patrick Nelson on October 26, 2021 at 10:36 am

    I totally get it. Personally, as a developer/power user, I couldn’t stand the elision of the protocol and request URI. But it was for work-related reasons. I guess I’m spoiled, but I want immediate and instant access to it, since I’m dealing with it constantly and I need to see it immediately so I know where I’m at when I’m working. When I double-click, it should immediately select the word instead of requiring a third click to see/select, etc. So, I’m very happy Chrome brought the option back via a simple right-click option.



  31. Slep on October 26, 2021 at 10:37 am

    As many have said, make it the default, and allow people to configure it.



  32. xdevs23 on October 26, 2021 at 10:39 am

    good idea



  33. rauru on October 26, 2021 at 10:40 am

    Just realized how URLs suck. This would be a much simpler problem if the pattern wasn’t that complicated



  34. atimholt on October 26, 2021 at 10:40 am

    Why not just use some less subtle means of highlighting the ETLD+1? You can still make it highly legible. For example: you could make the rest of the text noticeably smaller. You give it a different background-color brightness, making sure the transition is immediately noticeable—perhaps a vertical zig-zag, rather than a simple straight vertical boundary.



  35. Artemis on October 26, 2021 at 10:41 am

    No I’m pretty certain I can read a URL. It’s literally words.



  36. Topher on October 26, 2021 at 10:41 am

    I really like this idea



  37. LaPingvino on October 26, 2021 at 10:42 am

    The second link is Amazon Echo (3rd Gen) Smart Speaker with Alexa – Grey.



  38. Bruno Bronosky on October 26, 2021 at 10:42 am

    The term for ETLD+1 is "Apex Domain".



  39. andy low on October 26, 2021 at 10:42 am

    I can read U.R.L.s, but developers can "fix" that.



  40. adasjdaksjdlkasldjas on October 26, 2021 at 10:44 am

    URLs make it possible to link to any document or resource on any computer anywhere in the world.



  41. Cookie Wookie on October 26, 2021 at 10:44 am

    I love the Easter egg



  42. Oblivion on October 26, 2021 at 10:45 am

    I really like it



  43. Luiz Felipe on October 26, 2021 at 10:49 am

    I loved it, I want it now.



  44. Lunaside Games on October 26, 2021 at 10:51 am

    All-new Amazon Echo (3rd generation) | Smart speaker with Alexa, Heather Grey Fabric is the product



  45. sasho648 on October 26, 2021 at 10:51 am

    Guys use regex omg



  46. Rusl1Rusl on October 26, 2021 at 10:52 am

    It’s not only a padlock in Firefox; it also shows a warning whenever you click on a log-in form on such sites.



  47. Yorgarazgreece on October 26, 2021 at 10:53 am

    pls ship it



  48. Wynn Slater on October 26, 2021 at 10:56 am

    In case you’re wondering, the power users aren’t "fine" with Safari’s url bar.



  49. Koussay Haj Kacem on October 26, 2021 at 10:58 am

    @jake @sumra
    What did Chrome HQ say about the proposal?



  50. NuncNuncNuncNunc on October 26, 2021 at 11:00 am

    We can fix URLs by not rendering them as text. A URL is structured data so I think we can do better than showing the toString of what is essentially an object. Early URLs were frequently file path analogs and reading out a URL made sense. Additionally, content was generally from a single site. This is no longer the case so what matters the most to users has changed. In my opinion, knowing the source of all the content on the page is vital, so my preference would be to see the host name/ETLD+1, verification that it is authentic, and easy access to see all other hosts on the page. The full path is secondary and needed mostly only for copying.