Closed Bug 1447954 Opened 6 years ago Closed 6 years ago

Firefox address bar using RTL-IDNs-TLD

Categories

(Firefox :: Address Bar, defect)

59 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 525831

People

(Reporter: xisigr, Unassigned)


Attachments

(1 file)

Attached image firefox spoof.png
Firefox address bar using RTL-IDNs-TLD on Windows/macOS.

1. Access RLT-IDN-TLD.html.
2. Click on the "gmail.com" button.
3. Address bar says www.gmail.com - this is not www.gmail.com.

RLT-IDN-TLD.html

<script>
function spoof() {
    // Build a link whose host ends in two Arabic A-labels (the real registrable
    // domain) with the Latin "www.gmail.com" as a subdomain; the path is a
    // percent-encoded Extended Arabic-Indic digit zero (U+06F0).
    var link = document.createElement('a');
    link.href = 'http://www.gmail.com.xn--ggbla3j.xn--ngbc5azd/%DB%B0.html';
    link.target = 'aaaa';   // open in a new named window/tab
    document.body.appendChild(link);
    link.click();
}
</script>

<a onclick="spoof();" href="javascript:void(0);">gmail.com</a>
The correct domain is highlighted here. Other browsers (Chrome, Edge) behave the same way. What do you think is the expected behaviour here?
Flags: needinfo?(xisigr)
Component: Security → Address Bar
Gijs, I think this falls under our discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1419391#c3 (and likely a dupe of that bug, even less compelling than the other report)
Firefox Rendered Results: http://www.gmail.com.۰/اماء.شبكة.html
Edge Rendered Results: http://www.gmail.com.xn--ggbla3j.xn--ngbc5azd/۰.html

In Firefox, although it isn't a perfect spoof, ordinary users who use Latin may consider that www.gmail.com is the current domain name and ماء.شبكة.html is the pathname.
Flags: needinfo?(xisigr)
(In reply to xisigr from comment #3)
> Firefox Rendered Results: http://www.gmail.com.۰/اماء.شبكة.html
> Edge Rendered Results: http://www.gmail.com.xn--ggbla3j.xn--ngbc5azd/۰.html

I see the same result in Edge as in Firefox. I don't know why it's displaying punycode for you, but we've previously made it clear that we are very reluctant to just break (non-latin) IDN domains for all latin users (which I can only assume is what is going on in your Edge - I assume they're not just breaking *all* IDN domain names for *everyone*?). This then also wouldn't help users of RTL languages who also consume LTR content / domains (like, say, gmail.com).

> In Firefox, although it isn't a perfect spoof,but for ordinary users who use
> Latin, maybe considered that www.gmail.com is the current domain name and
> ماء.شبكة.html is the pathname.

Yes, it's clear what the problem is; it's not clear what the solution would be short of what comment #2 suggests, which would involve only showing the domain and not the pathname (like what Safari does).
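A defender-side check of the kind comments #2 and #4 describe, added here as an example (not Firefox code): decode the A-labels of the hostname in comment 0's URL, work out which writing direction each label reads in, and when the labels mix directions show only the host in its ASCII (punycode) form so the bidi algorithm cannot reorder it visually. The function names are this example's own, and "registrable" is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
# Constructed example: an address-bar display policy check, not Firefox's own code.
import unicodedata
from urllib.parse import urlsplit

RTL_CLASSES = {"R", "AL", "AN"}   # right-to-left bidi classes (Arabic letters are "AL")
LTR_CLASS = "L"

def decode_label(label: str) -> str:
    """Return the Unicode form of one hostname label (A-label "xn--..." or plain)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def label_direction(label: str) -> str:
    """Classify a label as 'ltr', 'rtl', 'mixed' or 'neutral' (digits/punctuation only)."""
    classes = {unicodedata.bidirectional(ch) for ch in label}
    has_rtl = bool(classes & RTL_CLASSES)
    has_ltr = LTR_CLASS in classes
    if has_rtl and has_ltr:
        return "mixed"
    return "rtl" if has_rtl else ("ltr" if has_ltr else "neutral")

def analyze(url: str) -> dict:
    """Decide how an address bar could display `url` without bidi reordering
    letting a Latin subdomain read as the registrable domain."""
    ascii_host = urlsplit(url).hostname or ""
    labels = [decode_label(part) for part in ascii_host.split(".")]
    directions = {label_direction(lb) for lb in labels} - {"neutral"}
    mixed = len(directions) > 1 or "mixed" in directions
    # The registrable name is read from the RIGHT end of the host: here the two
    # Arabic labels, not the "www.gmail.com" a left-to-right reader sees first.
    # (Approximation: last two labels; a real check consults the Public Suffix List.)
    registrable = ".".join(labels[-2:])
    # Policy: show the host only (no path, as comment #2 suggests) and keep the
    # ASCII form whenever labels mix writing directions.
    display = ascii_host if mixed else ".".join(labels)
    return {
        "unicode_host": ".".join(labels),
        "registrable": registrable,
        "mixed_direction": mixed,
        "display": display,
    }

if __name__ == "__main__":
    # The URL from comment 0; its host decodes to www.gmail.com.اماء.شبكة
    print(analyze("http://www.gmail.com.xn--ggbla3j.xn--ngbc5azd/%DB%B0.html"))
    print(analyze("https://www.gmail.com/mail"))
```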
Gijs,
My test Edge Version: Windows 10.0.16299.309, Microsoft Edge 41.16299.248.0, Microsoft EdgeHTML 16.16299
It will display punycode.
Edge displays punycode or IDN depending on your OS language preferences. It's not consistent globally.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security