Thanks for the report. This is actually a fully specified and supported feature of the DNS system, called Internationalized Domain Names (IDN). See http://unicode.org/faq/idn.html. There is a 1-1 mapping between the punycoded ASCII domain and the domain with non-ASCII characters to allow DNS to continue to just be ASCII under the hood.

We cannot "refuse to resolve" such domains because they are entirely valid on the public internet. While IDN can be used to for phishing, we do a lot of work to try and combat that. For instance - displaying the full punycoded URL like you saw for easily-confused URLs. If you try entirely URLs that consist of less confusable characters (like Arabic script for instance), we often do not converted to ASCII because there is no phishing risk.

Additionally, the most effective form of phishing often involves no confusable characters at all - just something like secure-facebook.com.login is usually all you need. URLs are hard and we're investigating separate efforts to help humans understand them better.

It is a reality that the world has many more scripts than ASCII, and IDN allows users to register and use domain names in their native language - i.e. ensures that the web is not just US ASCII English only.

Oh.  Thanks, my mistake, I didn't know those were considered valid.

Still, couldn't Chrome display a message something like:
"You have attempted to access the website pòf.com.  You are being redirected to xn--pf-2ja.com.  If you did not expect this redirect, the website may be trying to trick you."

And then two buttons you can click before proceeding, which say:
- Do not display this warning in the future for pòf.com.
- Do not display this warning in the future for any website.

Apart from considerations of the work involved in implementing it, if you had to choose between this behavior and the current behavior, wouldn't this behavior be better?

(If you had to bet $100 one way or another, do you think that as phishers become more prolific, major browsers will allow the current behavior 5 years from now, with no warning at all?)

Is this still monitored, or do people stop posting responses after the bug is resolved "WontFix"?

(In particular, I still think my question in the last post was valid: "Apart from considerations of the work involved in implementing it, if you had to choose between [the proposed] behavior and the current behavior, wouldn't [the proposed] behavior be better?")

bennetthaselton: Due to the large amount of bugs, it's not always possible for us to respond to all bugs, especially those that are closed, sorry about that.

That said, I wanted to point out that we are working on an experimental mechanism (bug 843361) to help solve some of the challenges with internationalized domain names. The UX is still to be determined based on the metrics we see.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot