Starred by 2 users
Status: Duplicate
Merged: issue 683314
Owner: ----
Closed: Feb 1
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security
Team-Security-UX

Blocked on:
issue 683314



xn--e1auc7f.com renders as a string resembling "espn.com" in the address bar
Reported by markbemb...@gmail.com, Jan 31 2017
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36

Steps to reproduce the problem:
1. Enter http://xn--e1auc7f.net (or .com, etc.) in the address bar.
2. Be amazed as the URL in the address bar now resembles "espn.net" or "espn.com".
3. Refrain from registering your own "xn--e1auc7f" domain and starting a fake news site.

What is the expected behavior?
The address bar should show "xn--e1auc7f.net" or the domain should be otherwise marked as potentially malicious.

The ".com" version is currently hosting fake news:
http://xn--e1auc7f.com/mma/conor-mcgregor-denies-ped-accusations/?adid=174719919481&sxid=1e8vnzsnjf14&tid=6f503241494d556935794c41305746586856786b7858736b49332f4230596d62

What went wrong?
The domain renders as еѕрп.net (that's *not* an "n" before the dot) in the address bar instead of xn--e1auc7f.net, creating a large probability of confusion.

Did this work before? N/A 

Chrome version: 56.0.2924.76  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 24.0 r0

 
Blockedon: 683314
Components: UI>Browser>Omnibox UI>Security>UrlFormatting
This is a whole-script confusable string (all characters are Cyrillic); Issue 683314
Mergedinto: 683314
Status: Duplicate
Duplicated.

Thanks for reporting this bug. We are aware of this issue in bug 683314.
Project Member Comment 3 by sheriffbot@chromium.org, May 10
Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
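
The check discussed in this thread, as an added example that is not part of the original report and is not Chromium's code: it decodes each `xn--` label, tests whether the label is a whole-script Cyrillic string made only of Latin lookalikes, and keeps such labels in their ASCII form as the reporter expected. The lookalike table, the function names and the name-based script lookup are assumptions made for this sketch.

```python
import unicodedata

# Constructed, non-exhaustive map of Cyrillic letters to the Latin letters they
# resemble. A production check would use the Unicode UTS #39 confusables data.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u04bb": "h",
    "\u0456": "i", "\u0458": "j", "\u043f": "n", "\u043e": "o",
    "\u0440": "p", "\u0455": "s", "\u0445": "x", "\u0443": "y",
}
NEUTRAL = "0123456789-"  # characters that belong to no particular script


def decode_label(label):
    """Decode one DNS label from its xn-- (Punycode) form; pass others through."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed A-label: leave it in ASCII form


def scripts_in(text):
    """Approximate the scripts used, from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch not in NEUTRAL}


def analyze_label(label):
    """Return (unicode_form, latin_skeleton, is_whole_script_confusable)."""
    text = decode_label(label).lower()
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)
    flagged = (scripts_in(text) == {"CYRILLIC"} and
               all(ch in CYRILLIC_LOOKALIKES or ch in NEUTRAL for ch in text))
    return text, skeleton, flagged


def display_host(host):
    """Show flagged labels in their ASCII xn-- form and all others decoded."""
    shown = []
    for label in host.split("."):
        text, _, flagged = analyze_label(label)
        shown.append(label if flagged else text)
    return ".".join(shown)


if __name__ == "__main__":
    for host in ("xn--e1auc7f.com", "xn--e1auc7f.net", "example.com"):
        print(host, "->", display_host(host), analyze_label(host.split(".")[0]))
```

A Cyrillic label that contains any letter outside the lookalike table is still shown in Unicode, so ordinary Cyrillic domain names are not forced into Punycode.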