
Issue 719719


Issue metadata

Status: WontFix
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security
Team-Security-UX




Security: URL Spoofing with Cyrillic TLD

Reported by rayyan...@gmail.com, May 8 2017

Issue description

If you normally go to this link: https://раураӏ.com --> Google Chrome will convert this link into Punycode (which is as expected). However, if you go to this link: https://раураӏ.р --> it doesn't convert it into Punycode. This behavior shows us that when you get the Cyrillic link with the Cyrillic extension, the fix doesn't work here.
 
Components: UI>Browser>Omnibox UI>Security>UrlFormatting UI>Internationalization
Labels: Needs-Feedback
Summary: Security: URL Spoofing with Cyrillic TLD (was: Security: URL Spoofing)
Can you please update this bug with the Punycoded URLs (just copy/paste from the address bar to get them). Unfortunately, the bug tracker doesn't work well with Unicode characters.

As far as I understand things, this is presently by-design, as described in Issue 683314. "Block a label made entirely of Latin-look-alike Cyrillic letters when the TLD is not an IDN (i.e. this check is ON only for TLDs like 'com', 'net', 'uk', but not applied for IDN TLDs like рф."
https://xn--80aa0cbo65f.xn--p1a/ --> Is this okay? 
When I copied/pasted the same URL (https://раураӏ.р) in Firefox (iOS), Safari, and IE (Windows), all browsers converted the URL into Punycode; however, I didn't find Chrome to convert this, which is relatively unusual.
Project Member

Comment 3 by sheriffbot@chromium.org, May 9 2017

Cc: elawrence@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
#1: I don't think the check is on as you described:
> https://xn--80aa0cbo65f.xn--l1adi/

The above URL is: раураӏ.сом (look alike of .com)
Cc: -elawrence@chromium.org
Re #4: You'd only see the Punycoding introduced in the fix for Issue 683314 if the TLD is ".com". In contrast, neither "р" nor "сом" would demonstrate that encoding behavior (nor is "сом" an ICANN-registered TLD at this point in time).

However, there are other rules that would cause Chrome to render a given URL in Punycode, including use of "forbidden" characters, or certain mixing of scripts within a single label. See https://www.chromium.org/developers/design-documents/idn-in-google-chrome
Oh, okay. I actually misunderstood your comment #1. I get it now. Well, don't you think Chrome should also implement the same behavior as other browsers? Though at this time "сом" is not a registered TLD, there are some other registered Cyrillic TLDs. Who knows, this or some other look-alike TLD could be registered in future. At least Chrome would be secured from its own side (just like other browsers). (Otherwise, it's obviously up to the security team to decide whether to implement this or not.)
Hence, URL spoofing with a Cyrillic TLD is possible, so another (new) fix is required here.

Comment 8 by aarya@google.com, May 9 2017

Labels: Security_Severity-Medium Security_Impact-Stable Pri-1
Owner: js...@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 9 by mgiuca@chromium.org, May 10 2017

Status: WontFix (was: Assigned)
This is by design. 

I suspect that other browsers are punycoding it simply because you don't have Russian set as a language (whereas Chrome currently does not use the language setting for this).

As per the fix for Issue 683314 (r459226), we deliberately only punycode domains that are whole-script confusable Cyrillic characters on an ASCII TLD.

We are essentially betting that IANA will not issue a top-level domain that is a lookalike spoof for an ASCII TLD. At this stage, that is a trade-off we are willing to make (because we don't want to block out potentially valid combinations of Cyrillic letters on a Cyrillic TLD).
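The display rule described in comment 9 (whole-script-confusable Cyrillic labels are shown as Punycode only on an ASCII TLD), together with the mixed-script rule comment 5 mentions, modelled as an added example. This is not Chromium's code: the look-alike letter set and the character-name-based script test are constructed simplifications of Chromium's spoof checker, and the Punycode step skips nameprep because it is for display only.

```python
"""Simplified model of the Chrome IDN display rule discussed in this thread.

Added example, not Chromium code. It models two rules named in the thread:
  1. (r459226 / Issue 683314) a label made entirely of Latin-look-alike
     Cyrillic letters is shown as Punycode only when the TLD is ASCII;
  2. a label mixing Latin and Cyrillic letters is shown as Punycode.
The look-alike set and the script test are constructed simplifications.
"""
import unicodedata

# Constructed subset of Cyrillic letters that resemble Latin letters
# (includes U+04CF palochka, the "l" look-alike used in the report).
CYRILLIC_LATIN_LOOKALIKES = frozenset("аеорсухіјӏԁԛԝһ")


def script_of(ch: str) -> str:
    """Coarse script bucket derived from the Unicode character name."""
    name = unicodedata.name(ch, "")
    if name.startswith("CYRILLIC "):
        return "Cyrillic"
    if name.startswith("LATIN "):
        return "Latin"
    return "Other"  # digits, hyphen, anything else


def is_whole_script_confusable_cyrillic(label: str) -> bool:
    """True if every character of the label is a Latin-look-alike Cyrillic letter."""
    return bool(label) and all(ch in CYRILLIC_LATIN_LOOKALIKES for ch in label)


def mixes_latin_and_cyrillic(label: str) -> bool:
    """True if the label contains both Latin and Cyrillic letters."""
    scripts = {script_of(ch) for ch in label}
    return "Latin" in scripts and "Cyrillic" in scripts


def to_punycode(label: str) -> str:
    """ACE ("xn--") form of one label; ASCII labels are returned unchanged."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def display_host(host: str) -> str:
    """Return the host as this simplified policy would show it in the omnibox."""
    labels = host.lower().rstrip(".").split(".")
    tld_is_ascii = labels[-1].isascii()
    shown = []
    for label in labels:
        if label.isascii():
            shown.append(label)                      # nothing to decide
        elif mixes_latin_and_cyrillic(label):
            shown.append(to_punycode(label))         # rule 2: mixed script
        elif is_whole_script_confusable_cyrillic(label) and tld_is_ascii:
            shown.append(to_punycode(label))         # rule 1: look-alikes on ASCII TLD
        else:
            shown.append(label)                      # Cyrillic TLD: shown as Unicode
    return ".".join(shown)


if __name__ == "__main__":
    # Hosts from the thread plus two constructed controls.
    for host in ("раураӏ.com", "раураӏ.р", "раураӏ.сом", "москва.com", "pаypal.com"):
        print(f"{host} -> {display_host(host)}")
```

Running it reproduces the two observations in the report: раураӏ.com is shown as xn--80aa0cbo65f.com, while раураӏ.р (and раураӏ.сом) stay in Unicode because the TLD label is not ASCII, which is exactly the trade-off comment 9 describes. The control москва.com stays in Unicode since its letters are not all Latin look-alikes.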
Project Member

Comment 10 by sheriffbot@chromium.org, Aug 16 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: idn-spoof
