Security: Whole-script confusable domain label spoofing
Reported by chromium...@gmail.com, May 18 2017
Issue description

VERSION
Chrome Version: OS X
Operating System: 60.0.3102.0 canary

fåcebook.com

In this issue I used A with a ring.
May 18 2017
jshin@chromium.org please take a look at this. Thanks.
May 18 2017
Not v8 specific
May 19 2017
This is the same general issue as Issue 703750 -- using a single Latin character that looks similar to an ASCII character. The A WITH RING is far easier to notice than many of the other more subtle ones. We don't need more reports like this. They are all the same issue and will have the same fix (if any). The Unicode Consortium supplies a list of confusables so we do not need individual bug reports of each look-alike character. We can't just blacklist these characters, since they are legitimate characters in their own right. We may need to work out how to avoid spoofs of popular sites. This is being discussed in Issue 703750.
Aug 25 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, May 18 2017
Components: UI>Security>UrlFormatting
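The trade-off raised in the thread (these characters are legitimate, so they cannot simply be blocked, yet spoofs of popular sites need catching) can be sketched as a defender-side check. This is an added example, not Chromium's code and not part of the original thread; the `PROTECTED` list and all function names are assumptions, and it covers only diacritic look-alikes such as the A WITH RING reported here, not the full Unicode confusables list.

```python
import unicodedata

# Constructed list of names to protect; a real deployment supplies its own.
PROTECTED = {"facebook.com", "google.com"}

def to_unicode(host):
    """Decode xn-- (Punycode) labels so the check sees the displayed form."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed A-label: keep it as written
        labels.append(label)
    return ".".join(labels)

def fold(host):
    """Drop combining marks: NFD turns U+00E5 into 'a' + U+030A (category Mn)."""
    decomposed = unicodedata.normalize("NFD", to_unicode(host))
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn")

def protected_suffix(name):
    """Return the protected domain that `name` equals or is a subdomain of."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PROTECTED:
            return candidate
    return None

def check_host(host):
    """Classify a hostname as 'genuine', 'lookalike' or 'unrelated'."""
    genuine = protected_suffix(to_unicode(host))
    if genuine:
        return ("genuine", genuine)
    # Flag only when the folded form collides with a protected name, so
    # ordinary names that use the same characters are left alone.
    target = protected_suffix(fold(host))
    if target:
        return ("lookalike", target)
    return ("unrelated", None)
```
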