Category: Coding Mistakes

Address bar not updated after failed navigation

Medium Severity
Medium Impact
Medium Likelihood

Description

After a top-frame navigation fails (for example, because of a TLS error), the address bar shown above the WebView component in the Reclaim app displays the origin of the failed navigation rather than the origin of the currently displayed page.

This issue occurs in reclaim-app/src/components/DevToolWebview/index.tsx:

const DevToolWebView: React.FC<DevTollWebViewProps> = forwardRef(
  // ...
  return (
    <WebView
      // ...
      onNavigationStateChange={({ url }) => {
        ref.current?.injectJavaScript(INJECTION)
        urlInputUpdate(url)
      }}
      // onLoadEnd fires after failed loads as well as successful ones
      onLoadEnd={({ nativeEvent }) => {
        urlInputUpdate(nativeEvent.url)

Impact

Malicious pages may trigger a failed navigation to disguise themselves as a trusted origin. This can convince the user to enter their credentials or reveal other sensitive information to the attacker's website.

Recommendations

The WebView component should properly account for failed navigations and always set the address-bar text to the origin of the displayed page.
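The sketch below is an added example, not code from the Reclaim app or from the report. It models the address-bar logic as a pure function over navigation events and compares the behaviour in the excerpt with a version that only commits a URL after a load that did not fail. The event names, `naiveBar`, `safeBar`, `replay` and the sample URLs are hypothetical, and it assumes a failed load reports its error before its end event.

```typescript
// Added illustration, not the Reclaim app's code. Event names are hypothetical and
// model the WebView callbacks; assumption: a failed load reports "error" before "end".
type NavEvent = { type: "start" | "error" | "end"; url: string };

interface BarState {
  shown: string;         // text in the address bar
  failed: string | null; // URL whose current load reported an error
}

// Mirrors the excerpt: the bar takes the URL of every start/end event.
function naiveBar(s: BarState, ev: NavEvent): BarState {
  return ev.type === "error" ? s : { shown: ev.url, failed: null };
}

// Hardened: the bar changes only when a load ends without an error,
// so it keeps naming the page that is still on screen.
function safeBar(s: BarState, ev: NavEvent): BarState {
  if (ev.type === "start") return { shown: s.shown, failed: null };
  if (ev.type === "error") return { shown: s.shown, failed: ev.url };
  if (s.failed === ev.url) return { shown: s.shown, failed: null };
  return { shown: ev.url, failed: null };
}

// Feed a list of events through one of the handlers and return the final bar text.
function replay(
  step: (s: BarState, ev: NavEvent) => BarState,
  initialUrl: string,
  events: NavEvent[],
): string {
  return events.reduce<BarState>(step, { shown: initialUrl, failed: null }).shown;
}

// Constructed trace: the displayed page starts a top-frame navigation that fails
// (for example on a TLS error); the original page stays on screen.
const FAILED_NAV: NavEvent[] = [
  { type: "start", url: "https://trusted.example/login" },
  { type: "error", url: "https://trusted.example/login" },
  { type: "end", url: "https://trusted.example/login" },
];
// Constructed trace: an ordinary navigation that loads successfully.
const GOOD_NAV: NavEvent[] = [
  { type: "start", url: "https://other.example/" },
  { type: "end", url: "https://other.example/" },
];

const START = "https://attacker.example/";
console.log(replay(naiveBar, START, FAILED_NAV), "vs", replay(safeBar, START, FAILED_NAV));
```

In a component, the same rule means recording the failure in the WebView's error callback and calling `urlInputUpdate` only for loads that were not marked as failed.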

Remediation

Zellic © 2025