New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 756226 link

Starred by 3 users

Issue metadata

Status: Fixed
Closed: Oct 2017
EstimatedDays: ----
NextAction: ----
OS: Windows , Mac
Pri: 2
Type: Bug-Security

Blocked on:
issue 726950

Sign in to add a comment

Security: URL spoofing with Armenian characters

Reported by, Aug 16 2017

Issue description

Chrome Version: 62.0.3187.0 (Official Build) canary (64-bit)
Operating System: Mac


Some examples:
Repro on Windows.
38.6 KB View Download
Components: UI>Security>UrlFormatting UI>Internationalization
Summary: Security: URL spoofing with Armenian characters (was: Security: Near-Armenian confusable domain label spoofing)

Comment 3 by, Aug 17 2017

Labels: Security_Severity-Medium Security_Impact-Stable OS-Mac OS-Windows Pri-1
Status: Assigned (was: Unconfirmed)
Project Member

Comment 4 by, Aug 18 2017

Labels: M-61

Comment 5 by, Aug 21 2017

Labels: -Security_Severity-Medium Security_Severity-Low
Two example domains cannot be registered. See
Project Member

Comment 6 by, Aug 22 2017

Labels: -Pri-1 Pri-2

Comment 7 by, Aug 29 2017

Blockedon: 726950
Labels: -M-61
Project Member

Comment 8 by, Oct 4 2017

The following revision refers to this bug:

commit fd34ee82420c5e5cb04459d6e381944979d8e571
Author: Jungshik Shin <>
Date: Wed Oct 04 23:25:49 2017

Change the script mixing policy to highly restrictive

The current script mixing policy (moderately restricitive) allows
mixing of Latin-ASCII and one non-Latin script (unless the non-Latin
script is Cyrillic or Greek).

This CL tightens up the policy to block mixing of Latin-ASCII and
a non-Latin script unless the non-Latin script is Chinese (Hanzi,
Bopomofo), Japanese (Kanji, Hiragana, Katakana) or Korean (Hangul,

Major gTLDs (.net/.org/.com) do not allow the registration of
a domain that has both Latin and a non-Latin script. The only
exception is names with Latin + Chinese/Japanese/Korean scripts.
The same is true of ccTLDs with IDNs.

Given the above registration rules of major gTLDs and ccTLDs, allowing
mixing of Latin and non-Latin other than CJK has no practical effect. In
the meantime, domain names in TLDs with a laxer policy on script mixing
would be subject to a potential spoofing attempt with the current
moderately restrictive script mixing policy. To protect users from those
risks, there are a few ad-hoc rules in place.

By switching to highly restrictive those ad-hoc rules can be removed
simplifying the IDN display policy implementation a bit.

This is also coordinated with Mozilla. See .

BUG= 726950 ,  756226 ,  756456 ,  756735 ,  770465 
TEST=components_unittests --gtest_filter=*IDN*

Change-Id: Ib96d0d588f7fcda38ffa0ce59e98a5bd5b439116
Reviewed-by: Brett Wilson <>
Reviewed-by: Lucas Garron <>
Commit-Queue: Jungshik Shin <>
Cr-Commit-Position: refs/heads/master@{#506561}

Comment 9 by, Oct 4 2017

Status: Fixed (was: Assigned)

Comment 10 Deleted

Project Member

Comment 11 by, Oct 5 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Historically, we've ranked IDN spoofs at Severity Medium, although this one was partially mitigated by the fact that ".com" limits mixing with Armenian. The VRP should still take a look.

Comment 13 by, Oct 13 2017

Reported domains cannot be registered in com/net/org and ccTLDs accepting Armenian domains. 

Labels: -reward-topanel reward-0
I'm afraid the panel declined to award for this bug.
Labels: Release-0-M63 M-63
Labels: CVE-2017-15424
Project Member

Comment 17 by, Jan 11 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: CVE_description-missing
Labels: -CVE_description-missing CVE_description-submitted
Labels: idn-spoof

Sign in to add a comment