undefined | Better HN

0 pointssmallerize1y ago0 comments

There are conventions around that. https://chromium.googlesource.com/chromium/src/+/main/docs/i... Generally, if all the characters are from one script, then it is decoded. There are lots of exceptions detailed there, but it's harder to make a homoglyph attack work using only characters from one script to impersonate another.

0 comments

dmurray1y ago

That's not a convention, it's a specification for how Google Chrome does it.

And it's not even a full specification. Several of its 13 steps link to other documents that need to be read to implement the spec fully. Step 12 refers to a list of "dangerous patterns" which appears only to exist in the Chromium source. Step 5 refers vaguely to "any characters used in an unusual way".

It's not OK to say that because Chromium does it, it's some internet standard that random website maintainers should implement.

smallerizeOP1y ago

I think you're ignoring the conversation. There is a lot of discussion to be had, and we don't have to say that decoding punycode is a security risk and simply do without. I also said "conventions" specifically to avoid meaning that these are hard-and-fast rules. And Firefox does something pretty similar. https://wiki.mozilla.org/IDN_Display_Algorithm#Algorithm

j / k navigate · click thread line to collapse

0 pointssmallerize1y ago0 comments

0 comments

dmurray1y ago

That's not a convention, it's a specification for how Google Chrome does it.

It's not OK to say that because Chromium does it, it's some internet standard that random website maintainers should implement.

smallerizeOP1y ago

j / k navigate · click thread line to collapse