Closed
Bug 1447954
Opened 7 years ago
Closed 7 years ago
Firefox address bar using RTL-IDNs-TLD
Categories
(Firefox :: Address Bar, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 525831
People
(Reporter: xisigr, Unassigned)
Details
Attachments
(1 file)
125.21 KB,
image/png
|
Details |
Firefox address bar using RTL-IDNs-TLD on Windows/macOS.
1.Access RLT-IDN-TLD.html.
2.Click on the "gmail.com" button.
3.Address bar says www.gmail.com - this is not www.gmail.com.
RLT-IDN-TLD.html
<script>
function spoof(){
var link = document.createElement('a');
link.href = 'http://www.gmail.com.xn--ggbla3j.xn--ngbc5azd/%DB%B0.html';
link.target="aaaa";
document.body.appendChild(link);
link.click();
}
</script>
<a onclick="spoof();" href="javascript:void(0);">gmail.com</a>
Comment 1•7 years ago
|
||
The correct domain is highlighted here. Other browsers (Chrome, Edge) behave the same way. What do you think is the expected behaviour here?
Flags: needinfo?(xisigr)
Updated•7 years ago
|
Component: Security → Address Bar
Comment 2•7 years ago
|
||
Gijs, I think this falls under our discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1419391#c3 (and likely a dupe of that bug, even less compelling than the other report)
Firefox Rendered Results: http://www.gmail.com.۰/اماء.شبكة.html
Edge Rendered Results: http://www.gmail.com.xn--ggbla3j.xn--ngbc5azd/۰.html
In Firefox, although it isn't a perfect spoof,but for ordinary users who use Latin, maybe considered that www.gmail.com is the current domain name and ماء.شبكة.html is the pathname.
Flags: needinfo?(xisigr)
Comment 4•7 years ago
|
||
(In reply to xisigr from comment #3)
> Firefox Rendered Results: http://www.gmail.com.۰/اماء.شبكة.html
> Edge Rendered Results: http://www.gmail.com.xn--ggbla3j.xn--ngbc5azd/۰.html
I see the same result in Edge as in Firefox. I don't know why it's displaying punycode for you, but we've previously made it clear that we are very reluctant to just break (non-latin) IDN domains for all latin users (which I can only assume is what is going on in your Edge - I assume they're not just breaking *all* IDN domain names for *everyone* ?). This then also wouldn't help users of RTL languages who also consume LTR content / domains (like, say, gmail.com).
> In Firefox, although it isn't a perfect spoof,but for ordinary users who use
> Latin, maybe considered that www.gmail.com is the current domain name and
> ماء.شبكة.html is the pathname.
Yes, it's clear what the problem is, it's not clear what the solution would be short of what comment #2 suggests, which would involve only showing the domain and not the pathname (like what Safari does).
Gijs,
My test Edge Version: Windows 10.0.16299.309, Microsoft Edge 41.16299.248.0, Microsoft EdgeHTML 16.16299
It will displaying punycode.
Comment 6•7 years ago
|
||
Edge displays punycode or IDN depending on your OS language preferences. It's not consistent globally.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated•2 years ago
|
Group: firefox-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•