
Issue 771849

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: URL spoofing with U+1054 Myanmar letter

Reported by chromium...@gmail.com, Oct 5 2017

Issue description

VERSION
Chrome Version: 63.0.3232.0 (Official Build) canary (64-bit)
Operating System: Mac

REPRODUCTION CASE
Some examples: 

facၔbook.com
googlၔ.com


facၔbook.com U+0307 (ၔ) should be blocked in the fix https://chromium-review.googlesource.com/c/688825/ as on Firefox Nightly.
 
Attachment: Screen Shot 2017-10-05 at 03.24.20.png (124 KB)
Components: UI>Browser>Omnibox UI>Internationalization
Owner: js...@chromium.org
The CL referenced landed in 63.0.3233.0.

The POC URLs now show as Punycode as of 63.0.3233.0, so I assume this is working as expected?
Project Member

Comment 2 by sheriffbot@chromium.org, Oct 5 2017

Status: Assigned (was: Unconfirmed)
Oops! Sorry, that was my mistake; that is working as expected on 63.0.3233.0.
Status: WontFix (was: Assigned)

Comment 5 by js...@chromium.org, Oct 13 2017

Cc: markda...@google.com sffc@google.com
Project Member

Comment 6 by sheriffbot@chromium.org, Jan 12 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
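
The behaviour discussed in this issue (a Latin label containing U+1054 is shown as Punycode rather than Unicode) can be illustrated with a simplified mixed-script check. This is an added example, not Chromium's IDN policy code and not a description of the referenced CL; the script list, the allowed mixes (modeled on the UTS #39 "Highly Restrictive" profile) and the function names are assumptions.

```javascript
// Added example: a simplified mixed-script display check. It is not Chromium's
// IDN policy code. The script list and allowed mixes are assumptions modeled
// on the UTS #39 "Highly Restrictive" profile.
const SCRIPTS = ["Latin", "Myanmar", "Cyrillic", "Greek", "Han", "Hiragana",
  "Katakana", "Hangul", "Bopomofo", "Arabic", "Hebrew", "Thai"];
const SCRIPT_RES = SCRIPTS.map((n) => [n, new RegExp(`\\p{Script=${n}}`, "u")]);
// Digits, hyphens and combining marks belong to no particular script.
const NEUTRAL_RE = /[\p{Script=Common}\p{Script=Inherited}]/u;
const ALLOWED_MIXES = [
  ["Latin", "Han", "Hiragana", "Katakana"],
  ["Latin", "Han", "Bopomofo"],
  ["Latin", "Han", "Hangul"],
];

// Return the set of scripts used by the code points of one hostname label.
function scriptsInLabel(label) {
  const found = new Set();
  for (const ch of label) {
    if (NEUTRAL_RE.test(ch)) continue;
    const hit = SCRIPT_RES.find(([, re]) => re.test(ch));
    found.add(hit ? hit[0] : "Unknown"); // unlisted script: treat as unsafe
  }
  return found;
}

// A label may be shown in Unicode if it is single-script or an allowed mix.
function isDisplayable(label) {
  const scripts = [...scriptsInLabel(label)];
  if (scripts.includes("Unknown")) return false;
  if (scripts.length <= 1) return true;
  return ALLOWED_MIXES.some((mix) => scripts.every((s) => mix.includes(s)));
}

// Return the string a UI would show: Unicode if every label passes,
// otherwise the Punycode (A-label) form produced by the WHATWG URL parser.
function displayHost(host) {
  const unicode = host.toLowerCase();
  const ascii = new URL(`https://${unicode}/`).hostname;
  return unicode.split(".").every(isDisplayable) ? unicode : ascii;
}

// The two hostnames from the report, with U+1054 written as an escape.
const POC_HOSTS = ["fac\u1054book.com", "googl\u1054.com"];
for (const h of POC_HOSTS.concat(["example.com", "b\u00fccher.de"])) {
  console.log(JSON.stringify(h), "->", displayHost(h));
}
```

A single-script Myanmar label still passes this check; whole-script confusables need a separate comparison and are outside what this sketch covers.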
