Render mixed idn like invalid TLS

Bug #813769 reported by Cris Dywan
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Midori Web Browser | Confirmed | Low | Unassigned | |

Bug Description

Although IDN is still not too common, I'd like to see a minimum of verification of URLs. Registrars are supposed to be doing this but evidently either don't care or get it wrong.

The following spoofed example domains should be regarded as invalid:

сitibank.com, googIe.com, pаypal.com, ցհոօզս, аpple.com

I sneaked a non-IDN case in there because the problem and proposed solution are very similar.

Valid domains for comparison:

johannkönig.com, 例え.テスト, ᚦ.com, しん.jp, مثال.آزمایشی

So spoofing usually is a mix of scripts. Since some languages genuinely use multiple scripts (e.g. Japanese) we should only consider Latin, Cyrillic and Greek, being most full of homographs.

- Any mix of Latin, Cyrillic and Greek is invalid.
- URLs must be all-lowercase. "A.com" is valid but must be shown as "a.com".

We should do either of the following if a URL is invalid:
- Render as punycode
- Render as red like invalid TLS
- Show an infobar

Tags: urlbar idn tls
Cris Dywan (kalikiana)
tags: added: idn tls urlbar
Cody Garver (codygarver)
Changed in midori:
status: New → Confirmed
importance: Undecided → Low
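
A sketch of the two rules proposed in the bug description, added here as an illustration and not taken from Midori's code. It assumes the mixed-script rule is applied per DNS label and approximates a character's script from its Unicode name; `scripts_in`, `check_host` and the sample hosts are constructed for this example.

```python
import unicodedata

# Scripts the report singles out as the most homograph-prone.
CONFUSABLE_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}


def scripts_in(label):
    """Return which of the three scripts the letters of one DNS label use.

    Approximation: the script is taken from the Unicode character name,
    because the standard library exposes no Script property.
    """
    found = set()
    for ch in label:
        if ch.isalpha():  # digits, hyphens and combining marks are skipped
            found |= CONFUSABLE_SCRIPTS & set(unicodedata.name(ch, "").split())
    return found


def check_host(host):
    """Apply both proposed rules; return (display_form, problems)."""
    display = host.lower()
    problems = ["not lowercase"] if display != host else []
    for label in display.split("."):  # assumption: rule is applied per label
        mixed = scripts_in(label)
        if len(mixed) > 1:
            problems.append("mixed scripts in %r: %s"
                            % (label, "+".join(sorted(mixed))))
    return display, problems


# Constructed samples in the style of the report's examples.
SAMPLES = [
    "\u0441itibank.com",       # Cyrillic es + Latin
    "p\u0430ypal.com",         # Cyrillic a + Latin
    "googIe.com",              # capital I standing in for lowercase l
    "johannk\u00f6nig.com",    # Latin only
    "\u3057\u3093.jp",         # Hiragana label, Latin TLD
    "\u043f\u0440\u0438\u043c\u0435\u0440.com",  # all-Cyrillic label, Latin TLD
    "\u0581\u0570\u0578\u0585\u0566\u057d",      # all-Armenian label
]

if __name__ == "__main__":
    for host in SAMPLES:
        display, problems = check_host(host)
        print(display, "->", "; ".join(problems) or "ok")
```

With the rule limited to Latin, Cyrillic and Greek, a label written entirely in one other script, such as the all-Armenian sample, produces no problems.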