Mozilla’s first response to the threat of this type of spoofing was to disable IDN support and instead display the more verbose form of IDN URLs—punycode. (Punycode bears little resemblance to the intended appearance of an IDN, removing the risk of spoofing.)
Later, it was decided that some IDN addresses would be shown as intended—but only if the domain’s registrar had a public anti-spoofing policy. (Another preference keeps track of which top-level domains are displayed as intended.)
About the same time, developers realized that certain Unicode characters were too dangerous to ever be shown inside an IDN domain name. Initially, these just included characters that looked similar to a forward slash (U+2044 and U+2215). However, eventualy the list grew to include spaces (U+2006, U+2007), dots (U+06D4), fractions (U+2154), and other various characters. As a result of this realization, a blacklist of characters was created: if any IDN contained any of the specified characters, it would instead be shown in its punycode form.
As of 2009-02-24, the complete list of (107) blacklisted characters is as follows. (Depending on your browser, platform, and installed fonts, the example characters may not display as intended. Some of them aren’t intended for display in the normal sense of the word.)
Possible values and their effects
This string preference interprets every character in the value as an entry in the blacklist. The default value is a string containing the characters in the table above.
First checked in
Has an effect in
- Deer Park Alpha 2
- Mozilla Firefox 1.5 (all versions since Beta 1)
- SeaMonkey (all versions)
- Bug 283016 - Make it possible to blacklist characters in domain names
- Bug 301694 - Create IDN blacklist that include ‘DIVISION SLASH’(U+2215) and ‘FRACTION SLASH’(U+2044)
- Bug 309311 - Add yet more characters to the IDN blacklist
- Bug 479336 - IDN blacklist needs to include box-drawing characters