Security: Near homograph URL Spoofing with Tibetan U+0F35
Reported by
chromium...@gmail.com,
Sep 22 2017
Issue description

VERSION
Chrome Version: 63.0.3221.0
Operating System: Mac

REPRODUCTION CASE
This issue is similar to bug 729979. PoC: http://xn--google-gsv.com/ (U+0F35 Tibetan)

Sep 22 2017
jshin: Is this another instance of Issue 703750? I'm not entirely sure (reading go/url-spoofs).
Sep 25 2017
.com and other Verisign controlled domains are not affected. This domain cannot be registered.

This is yet another example of a Mac Tibetan font being broken. I thought we covered them all. Somehow U+0F35 is turned to blank. That is, this is bug 714196 resurrected!

Anyway, this should be blocked on all platforms regardless of the way "Latin + U+0F35" is rendered because U+0F35 (http://unicode.org/cldr/utility/character.jsp?a=0F35) is a combining mark for Tibetan. Base + Combining mark of unrelated scripts should not be allowed. See http://bugs.icu-project.org/trac/ticket/13328.
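The rule stated in the comment above (a combining mark must not follow a base character of an unrelated script), sketched as an added example that is not part of the original thread and is not Chromium's or ICU's code. Python's standard library has no Unicode Script property, so as an assumption the first word of the character name stands in for the script; the function names are hypothetical.

```python
import unicodedata

ACE_PREFIX = "xn--"

def decode_label(label):
    """Return the Unicode form of one DNS label (Punycode-decoded if it is an A-label)."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label

def script_hint(ch):
    # Assumption: the first word of the character name approximates the script
    # (LATIN, TIBETAN, ...). Real checkers use the Unicode Script property.
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"

def cross_script_marks(label):
    """List (index, code point, mark script, base script) for every combining
    mark whose script differs from the base character it attaches to."""
    findings = []
    base_script = None
    for i, ch in enumerate(decode_label(label)):
        if unicodedata.category(ch).startswith("M"):
            mark_script = script_hint(ch)
            if mark_script == "COMBINING":
                continue  # generic diacritics (U+0300 block) are script-neutral
            if mark_script != base_script:
                findings.append((i, f"U+{ord(ch):04X}", mark_script, base_script))
        else:
            base_script = script_hint(ch)
    return findings

def host_findings(host):
    """Map each label of a hostname to its findings; clean labels are omitted."""
    result = {}
    for label in host.split("."):
        found = cross_script_marks(label)
        if found:
            result[label] = found
    return result

if __name__ == "__main__":
    # Hostname from the report's PoC, plus a plain ASCII host for contrast.
    for host in ("xn--google-gsv.com", "google.com"):
        print(host, host_findings(host))
```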
Jan 12 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Sep 22 2017
Components: UI>Browser>Omnibox UI>Internationalization
Status: Untriaged (was: Unconfirmed)