Closed Bug 1447954 Opened 7 years ago Closed 7 years ago

Firefox address bar using RTL-IDNs-TLD

Categories

(Firefox :: Address Bar, defect)

59 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 525831

People

(Reporter: xisigr, Unassigned)

Attachments

(1 file)

Attached image firefox spoof.png
Firefox address bar using RTL-IDNs-TLD on Windows/macOS.

1. Access RLT-IDN-TLD.html.
2. Click on the "gmail.com" button.
3. Address bar says www.gmail.com - this is not www.gmail.com.

RLT-IDN-TLD.html

<script>
function spoof(){
  var link = document.createElement('a');
  link.href = 'http://www.gmail.com.xn--ggbla3j.xn--ngbc5azd/%DB%B0.html';
  link.target="aaaa";
  document.body.appendChild(link);
  link.click();
}
</script>
<a onclick="spoof();" href="javascript:void(0);">gmail.com</a>
The correct domain is highlighted here. Other browsers (Chrome, Edge) behave the same way. What do you think is the expected behaviour here?
Flags: needinfo?(xisigr)
Component: Security → Address Bar
Gijs, I think this falls under our discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1419391#c3 (and likely a dupe of that bug, even less compelling than the other report)
Firefox Rendered Results: http://www.gmail.com.۰/اماء.شبكة.html
Edge Rendered Results: http://www.gmail.com.xn--ggbla3j.xn--ngbc5azd/۰.html

In Firefox, although it isn't a perfect spoof, for ordinary users who use Latin, it may be considered that www.gmail.com is the current domain name and ماء.شبكة.html is the pathname.
Flags: needinfo?(xisigr)
(In reply to xisigr from comment #3)
> Firefox Rendered Results: http://www.gmail.com.۰/اماء.شبكة.html
> Edge Rendered Results: http://www.gmail.com.xn--ggbla3j.xn--ngbc5azd/۰.html

I see the same result in Edge as in Firefox. I don't know why it's displaying punycode for you, but we've previously made it clear that we are very reluctant to just break (non-Latin) IDN domains for all Latin users (which I can only assume is what is going on in your Edge - I assume they're not just breaking *all* IDN domain names for *everyone* ?). This then also wouldn't help users of RTL languages who also consume LTR content / domains (like, say, gmail.com).

> In Firefox, although it isn't a perfect spoof, for ordinary users who use
> Latin, it may be considered that www.gmail.com is the current domain name and
> ماء.شبكة.html is the pathname.

Yes, it's clear what the problem is, it's not clear what the solution would be short of what comment #2 suggests, which would involve only showing the domain and not the pathname (like what Safari does).
Gijs, my test Edge version: Windows 10.0.16299.309, Microsoft Edge 41.16299.248.0, Microsoft EdgeHTML 16.16299. It will display punycode.
Edge displays punycode or IDN depending on your OS language preferences. It's not consistent globally.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security
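
Added example (not part of the bug report or of Firefox's code): a Python check, written from the defender's side, for the host shape discussed in this bug. It decodes the punycode labels of a URL, flags hostnames that mix left-to-right and right-to-left labels, and reports the domain a domain-only display would show. Taking the last two labels as that domain is a simplifying assumption (a real implementation would consult the Public Suffix List), and the function names are illustrative.

```python
import unicodedata
from urllib.parse import urlsplit, unquote

# URL taken from the proof of concept in this bug report.
POC_URL = "http://www.gmail.com.xn--ggbla3j.xn--ngbc5azd/%DB%B0.html"

def decode_label(label):
    """Return the Unicode form of one DNS label (punycode-decoded if it starts with xn--)."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def label_direction(label):
    """Classify a label by the strong bidi classes of its characters."""
    strong = {unicodedata.bidirectional(ch) for ch in label} & {"L", "R", "AL"}
    if not strong:
        return "neutral"   # e.g. digits and hyphens only
    if strong == {"L"}:
        return "ltr"
    return "mixed" if "L" in strong else "rtl"

def analyze(url):
    """Describe the host of a URL in logical (DNS) order, independent of visual order."""
    parts = urlsplit(url)
    ascii_labels = (parts.hostname or "").split(".")  # urlsplit lower-cases the host
    labels = [decode_label(l) for l in ascii_labels]
    directions = [label_direction(l) for l in labels]
    path = unquote(parts.path)
    return {
        "labels": labels,
        "directions": directions,
        # LTR labels followed by RTL labels: the rendered order of the URL
        # can differ from the logical order that DNS resolution uses.
        "mixed_direction_host": "ltr" in directions and "rtl" in directions,
        # Assumption: last two labels stand in for the registrable domain.
        "domain_ascii": ".".join(ascii_labels[-2:]),
        "domain_unicode": ".".join(labels[-2:]),
        # Weak or neutral characters take their direction from the surrounding text.
        "path_first_bidi_class": unicodedata.bidirectional(path[1]) if len(path) > 1 else None,
    }

if __name__ == "__main__":
    for key, value in analyze(POC_URL).items():
        print(f"{key}: {value!r}")
```

For the URL in this report the check marks the host as mixed-direction and gives `xn--ggbla3j.xn--ngbc5azd` as the domain, which is the part comment #1 describes as highlighted.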