Email or username:

Password:

Forgot your password?
All posts Ariadne Conill 🐰's posts Post Back to profile
Top-level
Joel LeBlanc

@ariadne This looks like a Chromium bug because unicode is not permitted in domain names. I believe any standards compliant browser will first resolve the string in “punycode” (real name) which breaks the chain of possible exploits before a page gets loaded (see RFC 3490).

Perhaps some DNS pre-caching trick could work? I don’t think DNS has the same transcoding requirement (see the toASCII requirement)

< release the standard nerds! 😈>

16 May 2023 at 23:31 | Wall-to-wall | Open on mastodon.social
1 comment
James Henstridge

@jwleblan @ariadne The domain name in the evil URL is plain ASCII. The non-ASCII characters are in the user name portion of the URL.

17 May 2023 at 3:19 | Open on aus.social
Go Up