Fenix: Enable punycode by default
User Problem
By default fenix shows unicode domains and not the punycode domain, which is problematic due to phishing. Right now, there is no way to turn on punycode.
Example site: https://www.xn--80ak6aa92e.com
Acceptance Criteria
By default punycode should be turned on or at least there should be an option to turn it on.
Erroneuz
All 20 comments
Anyway to get some eyes on this? This is quite a huge oversight in Firefox Preview. In Firefox for desktop it can be adjusted with IDN_show_punycode = true
Erroneuz
on 2 Jun 2020
Please don't forget thes feature...
Can enable in about:config but is not for all users. We need this option implemented in Settings menu for more security in some countries.
JoGarWeb
on 8 Aug 2020
This seems more like a serious security vulnerability than a feature request. It should be prioritized.
Note that on chrome it shows the punycode by default
s-ankur
on 23 Aug 2020
People can easily craft malicious urls like www.mozillŠ°.org (its not really mozilla.org, you can see it in chrome or desktop firefox)
s-ankur
on 26 Aug 2020
Firefox desktop doesn't display punycode by default either. Some of the discussion that went into that decision is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1332714
The title of the bug suggests you want the default changed (seems unlikely given the above? unless there are new arguments or thinking changed), but the subsequent comments seem to imply you want a setting for it.
gcp
on 26 Aug 2020
People can easily craft malicious urls like www.mozillŠ°.org (its not really mozilla.org, you can see it in chrome or desktop firefox)
If you visit that link in Fenix, you get the punycode URL because it triggers the heuristics (if the URL has mixed scripts, which is unlikely to happen in normal use, we do switch to punycode). Is that not what you're seeing?
The apple.com one doesn't trigger them because it's a single language, so it's harder to tell whether this is a legitimate site (where we shouldn't mangle the URL just because it's not US-ASCII) or a phishing attempt.
gcp
on 26 Aug 2020
Note that on chrome it shows the punycode by default
I think it is more complicated than this, they don't default to punycode (which would be rather hostile to international users). They have a heuristic for popular websites, something similar to: https://bugzilla.mozilla.org/show_bug.cgi?id=1507582, and that triggers because apple.com is well known.
gcp
on 26 Aug 2020
If you visit that link in Fenix, you get the punycode URL because it triggers the heuristics
I actually dont see the punycode url. It redirects to some random site but at no point does firefox display punycode
this is not what happens on desktop
s-ankur
on 26 Aug 2020
On desktop, when I paste the link it immediately enters punycode. On fenix (latest nightly) it enters "mozilla.com". Maybe this is a different bug then?
s-ankur
on 26 Aug 2020
On fenix (latest nightly) it enters "mozilla.com".
Ah, I get what you are doing now. If you paste the URL in the address bar, it will say mozilla.org. If you actually (try to) visit it, you will get the punycode URL in the address bar.
gcp
on 26 Aug 2020
The pasting behavior is the same on desktop (Linux). We won't actually translate to punycode until you hit enter, but I think that's pretty much expected or the browser would be changing your input while you're still typing it.
So at least on Linux I don't see a difference in behavior here? (which is a different issue from not having a setting for it, or dealing with the apple.com example better...) Am I misunderstanding something?
gcp
on 26 Aug 2020
This is what chromium is doing
andreicristianpetcu
on 22 Oct 2020
This is what chromium is doing
You are actually hitting a special case, see previous comments: https://github.com/mozilla-mobile/fenix/issues/5640#issuecomment-680967535
gcp
on 22 Oct 2020
@gcp can Fenix include that special case?
andreicristianpetcu
on 22 Oct 2020
@gcp can Fenix include that special case?
See the linked Gecko bug, i.e. https://bugzilla.mozilla.org/show_bug.cgi?id=1507582
gcp
on 22 Oct 2020
I think the more relevant bug would be https://bugzilla.mozilla.org/show_bug.cgi?id=1332714, but that has been wontfixed long ago (with what appears to be rather flimsy reasoning, at least to me)
s-ankur
on 22 Oct 2020
I think the more relevant bug would be
It depends on whether you want to discuss the general policy, or what happens if you try popular sites such as "apple.com". As explained, the latter is handled separately as a class of special cases so using it to argue about this bug or parity with other browsers (which is what I replied to) does not work.
gcp
on 22 Oct 2020
i don't see why it shouldn't be possible to only enable punycode for hostnames that can appear to be written in different scripts
oakkitten
on 22 Oct 2020
i don't see why it shouldn't be possible to only enable punycode for hostnames that can appear to be written in different scripts
That's what Fenix already does: https://github.com/mozilla-mobile/fenix/issues/5640#issuecomment-680963521
gcp
on 22 Oct 2020
That's what Fenix already does: #5640 (comment)
i don't mean mixed scripts, i mean when when the hostname can appear to be written, as in case of this fake apple website, in either latin or cyrillics. i understand that it's not as simple as treating āaā and Ā«Š°Ā» as the same letter; ideally you'd have to account for different fonts and ligatures and stuff like that, but it seems doable?
oakkitten
on 23 Oct 2020
Related issues
AndiAJ
Ā·
3Comments
softvision-miralobontiu
Ā·
3Comments
abodea
Ā·
3Comments
bbinto
Ā·
3Comments
abodea
Ā·
3Comments
Most helpful comment
This seems more like a serious security vulnerability than a feature request. It should be prioritized.
Note that on chrome it shows the punycode by default