-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Link click is blocked if the link target contains IDN #48
Comments
Thanks for reporting this and finding the exact problems (and providing solutions). I've been very busy the past two months but will be working more on !RequestPolicy again now. I'm going to try to review these issues and the suggested fixes within the next few weeks. |
Fixed in r303. Also fixed some other bugs with IDNs. Thanks again, emk, for bringing this to my attention and for also pointing out the solution. If you have any comments about the changes or find any bugs, please let me know. Note that the behavior of !RequestPolicy now is to want to deal with IDNs in the same format that Mozilla does for the given TLD. That is:
The above applies when manually adding whitelist entries through the preferences window, as well: if a user adds an IDN in the wrong format, !RequestPolicy will likely ignore the whitelist entry. I don't think this is too bad for usability (even without any warning about it currently) because the correct format will always be the same format the user sees in the address bar for the TLD. The list of Unicode-supported IDNs is here: http://www.mozilla.org/projects/security/tld-idn-policy-list.html Doing it this way not only simplified the changes to !RequestPolicy, but also keeps security decisions about IDNs and homographic characters in the hands of Mozilla. |
Reopening this because I'm getting different behavior of what shows in the menu now. I need to look into this more. That is, I'm now seeing the above .jp domain showing as ascii. I assume I broke this when fixing other bugs because it did seem to be working at the time of r303, or so I think. I noticed this in !RequestPolicy 0.5.13b1 (https://www.requestpolicy.com/releases/requestpolicy-0.5.13b1.xpi). |
Fixed in r312. I had apparently not tested with the strictness level of "Base Domain". |
For example, click http://総務省.jp/.
RequestPolicy will block the request to xn--lhr645fjve.jp.
I've found the following methods in nsIRequestPolicy broke the non-ascii chars.
11 void registerHistoryRequest(in ACString destinationUri);
12 void registerFormSubmitted(in ACString originUri, in ACString destinationUri);
13 void registerLinkClicked(in ACString originUri, in ACString destinationUri);
The parameter type should be AString rather than ACString. ACString will cripple the non-ascii chars from JavaScript caller.
In general, XPCOM components written in JavaScript should use AString because JavaScript strings are encoded as UTF-16.
The text was updated successfully, but these errors were encountered: