New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users

Issue metadata

Status: Verified
Closed: Feb 2018
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , iOS , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security

Sign in to add a comment

Security: IDN URL Spoofing with using ŋ (U+014B)

Reported by, Feb 2 2018

Issue description

Chrome Version: 66.0.3336.0 (Official Build) canary (64-bit)
Operating System: All


- Load

Similar to  bug 798892 .

This ŋ (U+014B) is regarded as similar to Latin small letter N, so it should be blocked, but I could be wrong.

Screen Shot 2018-02-02 at 04.18.31.png
94.1 KB View Download
Components: UI>Security>UrlFormatting UI>Internationalization
Labels: OS-Android OS-Chrome OS-Fuchsia OS-iOS OS-Linux OS-Mac OS-Windows
Status: Untriaged (was: Unconfirmed)
Labels: Security_Severity-Medium M-65 Security_Impact-Stable Pri-1
Status: Assigned (was: Untriaged)
Summary: Security: IDN URL Spoofing with using ŋ (U+014B) (was: Security: IDN URL Spoofing with using ŋ (U+014B))
Assigning to jshin per go/url-spoofs.

Comment 3 by, Feb 3 2018

> This ŋ (U+014B) is regarded as similar to Latin small letter N, 

Well, the current Unicode data does not. It has to be added to Chrome's
Supplementary list to be regarded as similar.

Comment 4 by, Feb 14 2018

Status: Started (was: Assigned)
Project Member

Comment 6 by, Feb 15 2018

The following revision refers to this bug:

commit 37747f4a4972e6d44d3f956f8d3a63255ef0941a
Author: Jungshik Shin <>
Date: Thu Feb 15 06:56:39 2018

Add more entries to the confusability mapping

U+014B (ŋ) => n
U+1004 (င) => c
U+100c (ဌ) => g
U+1042 (၂) => j
U+1054 (ၔ) => e

Bug:  811117 , 808316 
Test: components_unittests -gtest_filter=*IDN*
Change-Id: I29f73c48d665bd9070050bd7f0080563635b9c63
Reviewed-by: Peter Kasting <>
Commit-Queue: Jungshik Shin <>
Cr-Commit-Position: refs/heads/master@{#536955}

Verified on 66.0.3349.0. Thanks as ever!

Comment 8 by, Feb 19 2018

Labels: Merge-Request-65
Status: Verified (was: Started)
Verified in 66.0.3350 as well. Thank you for verifying.  is shown in punycode instead of iŋ . 

Requesting for merge to M-65 branch. 

The el recorded in comment 6 is simple (adding a few extra mapping entries) and safe. 

Project Member

Comment 9 by, Feb 19 2018

Labels: -Merge-Request-65 Merge-Review-65 Hotlist-Merge-Review
This bug requires manual review: Less than 11 days to go before AppStore submit on M65
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit - Your friendly Sheriffbot
Project Member

Comment 10 by, Feb 19 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
+ awhalley@ (Security TPM) for M65 merge review
Labels: reward-topanel
Labels: -M-65 -Merge-Review-65 M-66 Merge-Rejected-65
Labels: -reward-topanel reward-0
I'm afraid the VRP panel declined to award for this one. Thanks for the report, as ever :-)
Labels: Release-0-M66
Labels: CVE-2018-6107
Labels: CVE_description-missing
Project Member

Comment 18 by, May 28

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Sign in to add a comment