International domain name link is not clickable


#1

Hello. Just noticed that if I am using an international domain name in a link, this link does not work properly unless you convert it to punycode.

For example:

not clickable!:

clickable, with preview

This becomes a real headache if you are running this kind of domain :frowning: Can you please help me to use international domain links?


(Matt Palmer) #2

Correct, it isn’t clickable – because it isn’t a URL. The URL is the one with the punycode domain. User agents can, if they choose, make it more palatable to humans by interpreting the punycode into unicode code points, but as everyone keeps finding, that is a process fraught with security peril. Detecting homograph attacks is far from a solved problem, and I’m not entirely sure it can be solved, properly. My entirely personal opinion is that, absent a paying customer requesting this, it’s unlikely that this will make it into core any time soon. It’s also not a great candidate for pr-welcome, IMO, because of the ongoing security maintenance burden. Every time someone comes up with a new homograph attack, we’d immediately get another round of H1 reports to pay out on and fix.


#3

@mpalmer thanks a lot for your answer! Definitely you got more technical skills.

I read about homograph attacks and it sounds to me like a serious problem. But I still can’t understand your point.

If this is not a URL, then why, when I press the share button, does Discourse give me this non-URL link? And why, when I put this non-URL into my browser, does it work completely fine (checked Firefox and Chrome)?

Maybe there is a way to disable preview for this kind of link, and enable the clickable feature? Maybe some related options exist in the admin panel?

Btw: found some workaround. When I post a link inside the same Discourse site, I can simply remove the domain name and use a relative link. It works fine, but still does not satisfy many users.

Regards :wink:


(Jay Pfaffman) #4

Are there many such URLs that you need to work, or just a few? If it’s not many, then you might create a plugin that fixes that url.


#5

It is not so many yet.


(Jay Pfaffman) #6

There is a talk like a pirate plugin that you might modify to replace the domain names you most care about. I don’t understand the security implications, so this could be a bad idea.


#7

What in particular do you propose to fix? Automatically convert to punycode when posting a message? And what plugin are you talking about? I need some starting point…

Regards


(Jay Pfaffman) #8

I think that you could have a plugin replace the URLs that don’t work with the ones that do.
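
The replacement idea discussed in this thread, as an added example that is not part of any post and is not Discourse code: it rewrites IDN links in post text to their punycode form with the WHATWG `URL` parser, and leaves untouched (and reports) any link whose host label mixes scripts. The function names, the script list and the sample hosts are assumptions made for illustration; the mixed-script check is a single heuristic and does not detect lookalikes written entirely in one script.

```javascript
// Added example (not Discourse code): rewrite IDN links to punycode, flag mixed-script hosts.
const LINK_RE = /https?:\/\/[^\s<>"']+/giu;
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Host exactly as typed: drop scheme, path/query/fragment, userinfo and port.
function typedHost(link) {
  const authority = link.replace(/^https?:\/\//i, '').split(/[/?#]/)[0];
  return authority.slice(authority.lastIndexOf('@') + 1).replace(/:\d*$/, '');
}

// True when any single label mixes two of the scripts above.
// One heuristic only: whole-script lookalikes pass it.
function hasMixedScriptLabel(host) {
  return host.split('.').some((label) =>
    Object.values(SCRIPTS).filter((re) => re.test(label)).length > 1);
}

// Returns { text, flagged }: text with IDN links in punycode form,
// flagged = links left as typed because a host label mixes scripts.
function rewriteIdnLinks(text) {
  const flagged = [];
  const out = text.replace(LINK_RE, (match) => {
    // Split sentence punctuation off the end of the matched link.
    const [, link, trailing] = match.match(/^(.*?)([.,;:!?)]*)$/u);
    const host = typedHost(link);
    if (!/[^\x00-\x7F]/.test(host)) return match;   // host already ASCII
    if (hasMixedScriptLabel(host)) { flagged.push(link); return match; }
    try {
      return new URL(link).href + trailing;          // parser applies IDNA ToASCII
    } catch {
      return match;                                  // unparseable: leave as typed
    }
  });
  return { text: out, flagged };
}

// Constructed sample post; the hosts are illustrative, not taken from the thread.
const sample = 'See https://пример.рф/t/topic/12, and https://\u0430pple.example/login today';
console.log(rewriteIdnLinks(sample));
```

Flagged links are returned rather than rewritten so that a moderator or a stricter policy can decide what to do with them.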