Leaving out scripts (Re: Unicode versions (Re: Criteria for exceptional characters))

Erik van der Poel erikv at google.com
Thu Dec 21 16:16:46 CET 2006


Firefox currently allows any scripts to be mixed in lower level labels
when the TLD is in the white list. It's great that you block certain
dangerous characters like the math slash look-alikes. But maybe
someone will eventually figure out how to create a tricky URL that
takes advantage of script mixing in lower level labels in Firefox in
countries where Firefox enjoys a significant market share. Firefox's
leaders trust the TLDs on the white list, but can you trust all the
individuals and organizations that register domains in those TLDs?

Erik

On 12/21/06, Gervase Markham <gerv at mozilla.org> wrote:
> There's one big difference between implementing the mix test in browsers
> and implementing it at the registry level. If you implement it in
> browsers, then decide that a loosening is necessary in a particular
> case, you need to update 1 billion+ installed bits of software before
> you can sell the new IDNs. That would probably take, based on past
> experience, about four or five years.
>
> If you implement it at a registry policy level, you can start immediately.


More information about the Idna-update mailing list