Hello. Just noticed that if I am using an international domain name in a link, this link does not work properly unless you convert it to punycode. For example:
Correct, it isn’t clickable – because it isn’t a URL. The URL is the one with the punycode domain. User agents can, if they choose, make it more palatable to humans by interpreting the punycode into unicode code points, but as everyone keeps finding, that is a process fraught with security peril. Detecting homograph attacks is far from a solved problem, and I’m not entirely sure it can be solved, properly. My entirely personal opinion is that, absent a paying customer requesting this, it’s unlikely that this will make it into core any time soon. It’s also not a great candidate for pr-welcome, IMO, because of the ongoing security maintenance burden. Every time someone comes up with a new homograph attack, we’d immediately get another round of H1 reports to pay out on and fix.
@mpalmer thanks a lot for your answer! Definitely you got more technical skills.
I read about homograph attacks and it sounds to me like a serious problem. But I still can’t understand your point.
If this is not a URL, then why, when I press the share button, does Discourse give me this non-URL link? And why, when I put this non-URL into my browser, does it work completely fine (checked Firefox and Chrome)?
Maybe there is a way to disable the preview for this kind of link and enable the clickable feature? Maybe some related options exist in the admin panel?
Btw: found a workaround. When I post a link inside the same Discourse site, I can simply remove the domain name and use a relative link. It works fine, but still does not satisfy many users.
There is a talk like a pirate plugin that you might modify to replace the domain names you most care about. I don’t understand the security implications, so this could be a bad idea.
What in particular do you propose to fix? Automatically convert to punycode when posting a message? And what plugin are you talking about? I need some starting point…
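An added example, not part of the thread and not Discourse code: converting an internationalized link to its punycode form with the standard WHATWG `URL` class, plus a simple mixed-script check on the host of the kind the homograph discussion above refers to. The function names `toAsciiUrl` and `mixedScriptLabels` are hypothetical, and the sample hosts are constructed.

```javascript
// Added example (not Discourse code). Function names are hypothetical.
// Uses only the WHATWG URL class, a global in Node.js and in browsers.

// Scripts checked for mixing: three that share many lookalike letters.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Return the URL with its host in punycode, the form that is actually a URL.
function toAsciiUrl(input) {
  return new URL(input).href;
}

// Return the host labels that mix two or more of the scripts above.
// Heuristic only: a label written entirely in one script that happens to
// resemble a word in another script is NOT flagged.
function mixedScriptLabels(unicodeHost) {
  const flagged = [];
  for (const label of unicodeHost.normalize('NFC').toLowerCase().split('.')) {
    const seen = new Set();
    for (const ch of label) {
      for (const [name, re] of Object.entries(SCRIPTS)) {
        if (re.test(ch)) seen.add(name);
      }
    }
    if (seen.size > 1) flagged.push(label);
  }
  return flagged;
}

// Constructed sample input: the first host is all Cyrillic, the second has
// one Cyrillic "а" (U+0430) inside an otherwise Latin label.
const samples = ['https://пример.рф/t/1', 'https://ex\u0430mple.com/'];
for (const s of samples) {
  const host = s.split('/')[2];
  console.log(toAsciiUrl(s), mixedScriptLabels(host));
}
```

A post-processing step could link the punycode form while showing the Unicode text only for hosts where the check returns an empty list; that display policy is an assumption, not something Discourse does.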