Security: URL IDN spoofing
Reported by
chromium...@gmail.com,
Dec 3 2017
Issue description
VERSION
Chrome Version: 64.0.3282.5
Operating System: All

REPRODUCTION CASE
This http://xn--twtter-j8a.com/ should be blocked on Chrome because it's mixing Latin, and twitter.com is in the top 10k domains list.
Also: http://xn--wndows-i8a.com/
,
Dec 3 2017
Ah! I did not notice that.
,
Dec 3 2017
,
Dec 4 2017
This is a dupe of bug 791336. It's already fixed in ToT.
,
Dec 4 2017
I'm still able to repro this with https://www.xn--doubleclckbygoogle-cxc.com and http://xn--wndows-i8a.com on ToT (65.0.3284.0), while I couldn't repro with http://xn--twtter-j8a.com.
,
Dec 4 2017
,
Dec 4 2017
My fix has not made it to the latest canary build, yet.
,
Dec 4 2017
Sorry I misunderstood comment 6. The fix for top domains with 'w' must be included in 65.0.3284.0.
> www.doubleclīckbygoogle.com
doubleclickbygoogle.com is not in the top domain list.
> wīndows.com
Neither is windows.com. It's a known limitation that there's no easy way to tell which is legitimate and which is not for those cases on the *Chrome's end*.
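The top-domain limitation described in the comment above, as an added example that is not part of the thread and is not Chromium's code. `TOP_DOMAINS` is a constructed stand-in list, the function names are hypothetical, and stripping combining marks after NFD is an assumed simplification of a full confusable-character mapping.

```python
import unicodedata
from typing import Optional, Tuple

# Constructed stand-in for a top-domains list. Per the thread, twitter.com is
# listed while windows.com and doubleclickbygoogle.com are not.
TOP_DOMAINS = {"twitter.com", "google.com"}


def decode_label(label: str) -> str:
    """Decode one DNS label; an 'xn--' prefix marks a punycode (IDN) label."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: keep the raw ASCII form
    return label


def skeleton(text: str) -> str:
    """Fold accented letters to their base letter (assumed simplification)."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(c for c in decomposed
                   if unicodedata.category(c) != "Mn").lower()


def check_host(host: str) -> Tuple[str, Optional[str]]:
    """Return (unicode form, top domain it imitates or None)."""
    unicode_host = ".".join(decode_label(l) for l in host.rstrip(".").split("."))
    folded = skeleton(unicode_host)
    if folded == unicode_host.lower():
        return unicode_host, None  # nothing was folded, so not a lookalike
    parts = folded.split(".")
    # Compare every trailing label sequence so a 'www.' prefix does not hide a match.
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in TOP_DOMAINS:
            return unicode_host, candidate
    return unicode_host, None  # lookalike of an unlisted domain goes unflagged


if __name__ == "__main__":
    for h in ("xn--twtter-j8a.com", "xn--wndows-i8a.com",
              "www.xn--doubleclckbygoogle-cxc.com"):
        shown, hit = check_host(h)
        print(f"{h}: {shown} -> " + (f"imitates {hit}" if hit else "no match"))
```

Only the twitter.com lookalike is flagged; the other two fold to domains that are absent from the list, which is the gap the comment describes.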
,
Mar 12 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 19
Comment 1 by elawrence@chromium.org, Dec 3 2017
Components: UI>Browser>Omnibox UI>Internationalization
Status: Untriaged (was: Unconfirmed)