Some of these are more compelling than others, the one screenshotted is probably the best.

nick@, would you be the right person to fix this?

 Issue 756977  has been merged into this issue.

 Issue 756947  has been merged into this issue.

 Issue 756893  has been merged into this issue.

 Issue 757180  has been merged into this issue.

I think the summary should be changed to “URL spoofing using combining marks”. Then thai/lao/malayalam/mongoian/tibetan are not the only problematic script system, they seem like the tip of the iceberg.

Update a IDN spoofing in Malayalam using (U+0D1F)，(U+0D20) .

Real site:  https://www.so.com
spoof site:  https://www.ടഠ.com/

Deleted: spoof1.png 182 KB

	spoof1.png 182 KB View Download

Deleted: spoof2.png 126 KB

	spoof2.png 126 KB View Download

Deleted: real site.png 213 KB

	real site.png 213 KB View Download

 Issue 759995  has been merged into this issue.

nick: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

nick: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

nick, jshin: Ping. Can you please take a look or reassign? Thanks.

Not sure why this was assigned to nick@.  jshin@, can you take a look?

Fixed in  bug 726950 

re: comment 12

> Update a IDN spoofing in Malayalam using (U+0D1F)，(U+0D20) .

> Real site:  https://www.so.com
> spoof site:  https://www.ടഠ.com/

This has to be dealt with in a separate bug. There's no script mixing. U+0D1F and U+0D20 look like Latin 's' and 'o', respectively.   Unicode util web site is down at the moment and I haven't checked if U+0D1F and U+0D20 are considered confusable with 's' and 'o' (I guess they're). If they're and 'so.com' is in the top domain list, it'd be blocked. 

 bug 726950  took care of mixing Latin + a non-Latin script. 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot