Link click is blocked if the link target contains IDN

[jsamuel]

imported trac ticket
created: 2009-10-23 20:57:19
reporter: emk

For example, click http://総務省.jp/.
RequestPolicy will block the request to xn--lhr645fjve.jp.
I've found the following methods in nsIRequestPolicy broke the non-ascii chars.
11 void registerHistoryRequest(in ACString destinationUri);
12 void registerFormSubmitted(in ACString originUri, in ACString destinationUri);
13 void registerLinkClicked(in ACString originUri, in ACString destinationUri);
The parameter type should be AString rather than ACString. ACString will cripple the non-ascii chars from JavaScript caller.
In general, XPCOM components written in JavaScript should use AString because JavaScript strings are encoded as UTF-16.

[jsamuel]

imported trac comment
created: 2009-12-13 21:53:01
author: justin

Thanks for reporting this and finding the exact problems (and providing solutions). I've been very busy the past two months but will be working more on !RequestPolicy again now. I'm going to try to review these issues and the suggested fixes within the next few weeks.

[jsamuel]

imported trac comment
created: 2010-01-23 22:23:22
author: justin

Fixed in r303. Also fixed some other bugs with IDNs. Thanks again, emk, for bringing this to my attention and for also pointing out the solution. If you have any comments about the changes or find any bugs, please let me know.

Note that the behavior of !RequestPolicy now is to want to deal with IDNs in the same format that Mozilla does for the given TLD. That is:

• TLDs for which Unicode IDNs are supported have their whitelist entries stored and displayed in Unicode format.
• TLDs for which Unicode IDNs are not supported have their whitelist entries stored and displayed in ACE (ascii) format.

The above applies when manually adding whitelist entries through the preferences window, as well: if a user adds an IDN in the wrong format, !RequestPolicy will likely ignore the whitelist entry. I don't think this is too bad for usability (even without any warning about it currently) because the correct format will always be the same format the user sees in the address bar for the TLD.

The list of Unicode-supported IDNs is here: http://www.mozilla.org/projects/security/tld-idn-policy-list.html

Doing it this way not only simplified the changes to !RequestPolicy, but also keeps security decisions about IDNs and homographic characters in the hands of Mozilla.

[jsamuel]

imported trac comment
created: 2010-01-23 22:56:16
author: justin

Reopening this because I'm getting different behavior of what shows in the menu now. I need to look into this more. That is, I'm now seeing the above .jp domain showing as ascii. I assume I broke this when fixing other bugs because it did seem to be working at the time of r303, or so I think.

I noticed this in !RequestPolicy 0.5.13b1 (https://www.requestpolicy.com/releases/requestpolicy-0.5.13b1.xpi).

[jsamuel]

imported trac comment
created: 2010-01-24 10:14:12
author: justin

Fixed in r312. I had apparently not tested with the strictness level of "Base Domain".