jshin I wonder if you could take a look at this bug?

See also bug 727092 

I'm not able to see the issues ( bug 750239  or bug 727092) mentioned above, but AFAICT the change that was applied in https://chromium-review.googlesource.com/c/chromium/src/+/709919 and references  bug 750239  is only addressing the use of U+0307 COMBINING DOT ABOVE to spoof a plain letter "i". It did not resolve the issue for accented letters; a sequence like U+0131,U+0308 can still be used to spoof the letter ï (i-dieresis, U+00EF).

> It did not resolve the issue for accented letters; a sequence like U+0131,U+0308

Which is why I de-duped this bug from  bug 750239 . The crbug.com UI is confusing/misleading in that de-duping does not drop 'Merged' field while status is changed back to Assigned/Unconfirmed/Untriaged, etc. 

I'll block dotless-i from being followed by a combining mark for now. 

BTW, compared with  bug 750239 , this one will affect far fewer number of domains (for now) because this is a spoofing against IDN domains. 

A CL is up at https://chromium-review.googlesource.com/c/chromium/src/+/767888 . 

This is a sub-issue of bug 727092. 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a30f64b4ae13255535a4947616fce484c54207df

commit a30f64b4ae13255535a4947616fce484c54207df
Author: Jungshik Shin <jshin@chromium.org>
Date: Fri Nov 17 23:34:48 2017

Block dotless-i / j + a combining mark

U+0131 (doltess i) and U+0237 (dotless j) are blocked from being
followed by a combining mark in U+0300 block.

Bug:  774842 
Test: See the bug
Change-Id: I92aac0e97233184864d060fd0f137a90b042c679
Reviewed-on: https://chromium-review.googlesource.com/767888
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517605}
[modify] https://crrev.com/a30f64b4ae13255535a4947616fce484c54207df/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/a30f64b4ae13255535a4947616fce484c54207df/components/url_formatter/url_formatter_unittest.cc

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Nice one! The Chrome VRP panel decided to award $500 for this report. A member of our finance team will be in touch to arrange for payment. Also, how would you like to be credited in our release notes?

Thanks, much appreciated!

FYI regarding disclosure, the Firefox equivalent of this issue was reported to Mozilla at the same time as the Chromium report here (October 15th); it was fixed in the recent Firefox 57 release, though as of now the bug report has not yet been made public.

As for release notes, I'm not sure what kind of details you need... I'm "Jonathan Kew <jfkthame@gmail.com>", or whatever equivalent form you typically present things in.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot