International domain name link is not clickable

Hello. Just noticed that if I am using international domain name in link, this link does not work properly, unless you convert it to punycode. For example:

not clickable!

http://межречье.com/t/kak-zagruzhat-foto/135

clickable, with preview

http://xn--e1aaac2a0a4czb.com/t/kak-zagruzhat-foto/135

This becomes a real headache if you running this kind of domain :frowning: Can you please help me to use international domain links?

3 Likes

Correct, it isn’t clickable – because it isn’t a URL. The URL is the one with the punycode domain. User agents can, if they choose, make it more palatable to humans by interpreting the punycode into unicode code points, but as everyone keeps finding, that is a process fraught with security peril. Detecting homograph attacks is far from a solved problem, and I’m not entirely sure it can be solved, properly. My entirely personal opinion is that, absent a paying customer requesting this, it’s unlikely that this will make it into core any time soon. It’s also not a great candidate for pr-welcome, IMO, because of the ongoing security maintenance burden. Every time someone comes up with a new homograph attack, we’d immediately get another round of H1 reports to pay out on and fix.

4 Likes

@mpalmer thanks a lot for your answer! Definitely you got more technical skills.

I read about homograph attacks and it sounds to me a serious problem. But, I still can’t understand your point.

If this is not URL, than why, when I press share button, discourse gives me this non url link? And why, when I put this non url into my browser it works completely fine (checked firefox and chrome)?

Maybe there is a way to disable preview for this kind of links, and enable clickable feature? Maybe some related options in admin panel exists?

Btw: found some workaround. When I post link inside the same discourse site, then I can simply remove domain name and use relative link. It works fine, but still does not satisfies many users.

Regards :wink:

Are there many such URLs that you need to work, or just a few? If it’s not many, then you might create a plugin that fixes that url.

1 Like

It is not so many yet

There is a talk like a pirate plugin that you might modify to replace the domain names you most care about. I don’t understand the security implications,so this could be a bad idea.

1 Like

What in particular you propose to fix? Automatically convert to punycode when posting message? And what plugin you talking about? I need some starting point…

Regards

I think that you could have a plugin replace the URLs that don’t work with the ones that do.

1 Like

These both seem rather clickable to me now?

2 Likes

yep, huge thanks!

2 Likes