
Issue 756735

Starred by 1 user

Issue metadata

Status: Fixed
Closed: Oct 2017
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security

Blocked on:
issue 726950


Security: Gujarati characters in domain names are not blacklisted

Reported by, Aug 18 2017

Issue description

chrome 60.0.3112.90

Behaves like Issue 673971.
fake.jpg and fake2.jpg show the indistinguishable characters.

Gujarati Sign Avagraha
ઽ U+0ABD
Gujarati Digit Zero
૦ U+0AE6

Add them to the blacklist.
Components: UI>Browser>Omnibox UI>Internationalization

Comment 2 Deleted

Comment 3 by, Aug 22 2017

Oriya Digit Zero ୦ U+0B66 also works,
and here is a fake test on Mac OS.
Components: -UI>Internationalization UI>Security>UrlFormatting

Comment 5 by, Aug 25 2017

Labels: Security_Severity-Medium Security_Impact-Stable OS-All
Status: Assigned (was: Unconfirmed)
It's similar to 673971. mgiuca@, could you take a look? Thank you.
Project Member

Comment 6 by, Aug 26 2017

Labels: M-61
Project Member

Comment 7 by, Aug 26 2017

Labels: Pri-1

Comment 8 by, Aug 28 2017

jshin deals with character blacklisting.

Comment 9 by, Aug 29 2017

Labels: -Pri-1 -Security_Severity-Medium -M-61 Security_Severity-Low Pri-2
Again, none of these domains in this bug can be registered in {com, org, net, etc.}.

Comment 10 by, Aug 29 2017

Blockedon: 726950
As a matter of fact,
if the same character set is used, then the domain could be registered.
For example, (Oriya charset) is registered.
For another example, could be registered.

Comment 12 Deleted

Comment 13 Deleted

Comment 14 Deleted

is one of the biggest search engines in China (so.jpg).
Here comes the fake one (fake.png),

and it could be registered because it uses the same charset (Gujarati).

Also Greek and Coptic could be used to spoof.

Here comes a fake (paypal.jpg),

and it could be registered.

So I think the total of them will be of Medium Security_Severity?

Here is the fake paypal test on my local server (I'm too poor to register it :(
Also characters "K W O" etc. could be used to spoof any other website.
re: comment 11

Anyway, there's no way to block a domain made of a single Oriya character just because that letter looks like 'o'. ( www.୦.com )

That's NOT the same issue as you originally reported. What I said is that mixed-script examples in your original report cannot be registered. 

As for, it has to be added to the top domain list in bug 722022. Even with that added, ઽ૦.com might not be regarded as a spoofing attempt against  

The same is true of www.ραγραί.com ( is already in the top domain list). 

re: ૭૦૦૭૮૬.com : what does this look like? 
Does this top domain list solve the spoof, or is it in this stable version?
I'm not clear, but it seems it was not transformed into punycode (since another spoof using Malayalam was registered by someone).
Thanks for the reply.

Comment 20 by, Sep 14 2017

www.ραγραί.com is not shown in punycode because it's not regarded as look-alike of . 

If ί (U+03AF) were to be regarded as similar to 'l', 'i' (Latin small letter i) would be, too.

Comment 21 by, Sep 14 2017

>  Even with that added, ઽ૦.com might not be regarded as a spoofing attempt against  

It'd not (see ). 
Project Member

Comment 22 by, Oct 4 2017

The following revision refers to this bug:

commit fd34ee82420c5e5cb04459d6e381944979d8e571
Author: Jungshik Shin <>
Date: Wed Oct 04 23:25:49 2017

Change the script mixing policy to highly restrictive

The current script mixing policy (moderately restrictive) allows
mixing of Latin-ASCII and one non-Latin script (unless the non-Latin
script is Cyrillic or Greek).

This CL tightens up the policy to block mixing of Latin-ASCII and
a non-Latin script unless the non-Latin script is Chinese (Hanzi,
Bopomofo), Japanese (Kanji, Hiragana, Katakana) or Korean (Hangul,

Major gTLDs (.net/.org/.com) do not allow the registration of
a domain that has both Latin and a non-Latin script. The only
exception is names with Latin + Chinese/Japanese/Korean scripts.
The same is true of ccTLDs with IDNs.

Given the above registration rules of major gTLDs and ccTLDs, allowing
mixing of Latin and non-Latin other than CJK has no practical effect. In
the meantime, domain names in TLDs with a laxer policy on script mixing
would be subject to a potential spoofing attempt with the current
moderately restrictive script mixing policy. To protect users from those
risks, there are a few ad-hoc rules in place.

By switching to highly restrictive those ad-hoc rules can be removed
simplifying the IDN display policy implementation a bit.

This is also coordinated with Mozilla. See .

BUG=726950,756226,756456,756735,770465
TEST=components_unittests --gtest_filter=*IDN*

Change-Id: Ib96d0d588f7fcda38ffa0ce59e98a5bd5b439116
Reviewed-by: Brett Wilson <>
Reviewed-by: Lucas Garron <>
Commit-Queue: Jungshik Shin <>
Cr-Commit-Position: refs/heads/master@{#506561}

Status: Fixed (was: Assigned)
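The script-mixing rule described in the commit message above, written out as an added example that is not Chromium's code. Chromium's real implementation relies on ICU script data and applies further checks (the top-domain look-alike list mentioned earlier in this thread, for instance); this example only models the mixing decision. It assumes a heuristic that classifies a character's script by the first word of its Unicode name (so "GUJARATI DIGIT ZERO" counts as Gujarati and Han ideographs, named "CJK UNIFIED IDEOGRAPH-...", count as CJK); the function and policy names are this example's own.

```python
import unicodedata

# Scripts that the "highly restrictive" policy still allows to mix with
# Latin-ASCII: Chinese (Han, Bopomofo), Japanese (Kanji, Hiragana, Katakana)
# and Korean (Hangul). Han ideographs are named "CJK UNIFIED IDEOGRAPH-..."
# in the Unicode Character Database, so the first word of the name is "CJK".
CJK_SCRIPTS = {"CJK", "BOPOMOFO", "HIRAGANA", "KATAKANA", "HANGUL"}

# The two policies discussed in the commit message (names are this example's own).
MODERATELY_RESTRICTIVE = "moderately_restrictive"
HIGHLY_RESTRICTIVE = "highly_restrictive"


def script_of(ch):
    """Approximate the Unicode Script property of one character.

    Heuristic assumed by this example: ASCII (Latin letters, digits, hyphen)
    is reported as "ASCII"; every other character is classified by the first
    word of its Unicode name, e.g. "GREEK SMALL LETTER ALPHA" -> "GREEK".
    A production implementation would use ICU's script data instead.
    """
    if ch.isascii():
        return "ASCII"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def label_scripts(label):
    """Set of scripts present in one domain label."""
    return {script_of(ch) for ch in label}


def mixing_allowed(label, policy=HIGHLY_RESTRICTIVE):
    """Return True if the label's script mix passes the given policy."""
    scripts = label_scripts(label)
    non_ascii = scripts - {"ASCII"}
    if not non_ascii:
        return True      # pure ASCII label
    if "ASCII" not in scripts and len(non_ascii) == 1:
        return True      # single non-Latin script: no mixing to judge
    if non_ascii <= CJK_SCRIPTS:
        return True      # Latin + Chinese/Japanese/Korean, allowed by both policies
    if len(non_ascii) > 1:
        return False     # more than one unrelated non-Latin script
    (other,) = non_ascii
    if policy == MODERATELY_RESTRICTIVE:
        # Old policy: Latin + one non-Latin script, unless Greek or Cyrillic.
        return other not in {"GREEK", "CYRILLIC"}
    # New policy: Latin + any non-CJK script is rejected.
    return False


def display_form(hostname, policy=HIGHLY_RESTRICTIVE):
    """Render each label as Unicode if it passes the policy, else as punycode."""
    out = []
    for label in hostname.split("."):
        if label.isascii() or mixing_allowed(label, policy):
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


if __name__ == "__main__":
    # Constructed sample labels: the Gujarati pair from this bug, a Latin+Gujarati
    # mix that only the new policy rejects, and a Latin+CJK mix both policies allow.
    for host in ("www.ઽ૦.com", "pay૦al.com", "日本go.com"):
        print(host, "->", display_form(host, MODERATELY_RESTRICTIVE),
              "|", display_form(host, HIGHLY_RESTRICTIVE))
```

Note that a label made of a single non-Latin script, such as ઽ૦.com or ραγραί.com, passes both policies here, which matches what the thread says: script mixing is not what catches those labels, and deciding whether they impersonate a specific domain is a separate look-alike check.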
Project Member

Comment 24 by, Oct 5 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-NA

Comment 26 Deleted

Labels: Release-0-M63 M-63
Labels: CVE-2017-15426
Project Member

Comment 29 by, Jan 11 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: CVE_description-missing
Labels: -CVE_description-missing CVE_description-submitted
Labels: idn-spoof
