Support for non-roman characters in usernames

[yiskah]

From https://mastodon.cx/users/saqeram/updates/6117

To better support users from non-roman languages (Arabic, Japanese, Korean, Hebrew Chinese being big examples) it would be wise to find a way to better support those characters in usernames and domains, as well as improve RTL support

---

• I searched or browsed the repo’s other issues to ensure this is not a duplicate.

[seefood]

Appreciated, but with the current problems people are having with punycode domains faking real domains with similar /looking/ domains in alternative unicode chars, I say this needs to be done VERY carefully, or maybe even not at all.
(And that's coming from a guy who toots mostly in Hebrew, but is also concerned with privacy, phishing and security).

[marrus-sh]

Whether or not to support Punycode domains isn't really up to us imo since instances can and will be set up on existing Internationalized Domain Names (eg .中國). Mastodon should resolve these to the same location regardless of whether they are inputted as a Punycode URL or as a Unicode IRI.

Punycode (as opposed to just Unicode) support for usernames is not required unless I am grossly misunderstanding something about the Mastodon specification; Unicode is allowed in its raw form in URLs (parsers will just percent-encode it, see the URL spec) and Punycode only exists iirc because ASCII is a requirement for DNS domain name resolution. Unless Mastodon needs to be able to include usernames in domain names somehow this shouldn't be an issue.

With respect to security issues, Mozilla's IDN Display Algorithm sets forth some good guidelines on which usernames to allow; see also the referenced Unicode Technical Standard. In general, it would be a sufficient first step to simply implement Unicode but forbid mixed-script usernames, and this policy could be relaxed in the future with scripts where there is little risk of confusion. As Mozilla mentions, this does nothing when the same "word" can be written entirely in two separate scripts (Latin scope vs Cyrillic ѕсоре); this is an edge case that IMO is best left to moderators (as would any other instance of impersonation).

(For clarification, "forbid mixed-script usernames" also means forbidding usernames which don't belong to a script, eg emoji.)

[seefood]

What I meant was, that malicious websites were already created with unicode characters replacing latin ones creating a name looking legit visually, fooling the users, for either phishing or a POC for phishing. do we need to support a feature that will cause people to accidentally send private messages to a user who pretends to be someone else on the same server, by using an identically looking username?

[Gargron]

I forgot to update this issue but I got feedback from Japanese users and unanimously people prefer ASCII-only for usernames, not only because of the phishing dangers, but also because it will be a lot harder for anyone to type in anyone else's username if UTF8 characters are allowed. So this can be closed.