Suggestion - Fix punycode by default

Alex313031 / Mercury

Firefox fork with compiler optimizations and patches from Librewolf, Waterfox, and GNU IceCat.

https://thorium.rocks/mercury

Mozilla Public License 2.0

1.02k stars 26 forks source link

Suggestion - Fix punycode by default #149

Open win98se opened 3 months ago

win98se commented 3 months ago

Currently, https://www.xn--80ak6aa92e.com displays as https://www.аррӏе.com by default in the URL bar.

Nowadays, only Firefox and all of its derived browsers (all are latest versions) are affected by this loophole.

Details - https://www.xudongz.com/blog/2017/idn-phishing/

So I suggest to set network.IDN_show_punycode to true in the initial configs.

aaronliu0130 commented 3 months ago

Some Chinese websites utilize Punycode to make the link display properly. I'd say maybe expose it in preferences at most but keep it off by default. Most websites display links with xn-- anyways.

win98se commented 3 months ago

Some Chinese websites utilize Punycode to make the link display properly. I'd say maybe expose it in preferences at most but keep it off by default. Most websites display links with xn-- anyways.

I oppose against this. To be honest, how many websites use CJK characters as the domain name? Even if so, almost all of those sites have their primary domain names in ASCII alphabets.