Support for non-roman characters in usernames #1121
Comments
Appreciated, but with the current problems people are having with punycode domains faking real domains with similar /looking/ domains in alternative Unicode chars, I say this needs to be done VERY carefully, or maybe even not at all.
Whether or not to support Punycode domains isn't really up to us imo since instances can and will be set up on existing Internationalized Domain Names (eg Punycode (as opposed to just Unicode) support for usernames is not required unless I am grossly misunderstanding something about the Mastodon specification; Unicode is allowed in its raw form in URLs (parsers will just percent-encode it, see the URL spec) and Punycode only exists iirc because ASCII is a requirement for DNS domain name resolution. Unless Mastodon needs to be able to include usernames in domain names somehow this shouldn't be an issue. With respect to security issues, Mozilla's IDN Display Algorithm sets forth some good guidelines on which usernames to allow; see also the referenced Unicode Technical Standard. In general, it would be a sufficient first step to simply implement Unicode but forbid mixed-script usernames, and this policy could be relaxed in the future with scripts where there is little risk of confusion. As Mozilla mentions, this does nothing when the same "word" can be written entirely in two separate scripts (Latin (For clarification, "forbid mixed-script usernames" also means forbidding usernames which don't belong to a script, eg emoji.)
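An added example, not part of the comment above and not Mastodon's own code: one way to implement the "forbid mixed-script usernames" rule it proposes, in Ruby. The script list, the `NEUTRAL` rule for ASCII digits and underscore, and the function names are assumptions made for illustration.

```ruby
# Strict single-script username check (illustrative, not Mastodon's code).
# The script list is a constructed subset, not a complete inventory.
SCRIPTS = {
  'Latin'    => /\p{Latin}/,
  'Cyrillic' => /\p{Cyrillic}/,
  'Greek'    => /\p{Greek}/,
  'Arabic'   => /\p{Arabic}/,
  'Hebrew'   => /\p{Hebrew}/,
  'Han'      => /\p{Han}/,
  'Hiragana' => /\p{Hiragana}/,
  'Katakana' => /\p{Katakana}/,
  'Hangul'   => /\p{Hangul}/
}.freeze

# Assumption: ASCII digits and underscore are script-neutral, as in an
# ASCII-only username rule.
NEUTRAL = /\A[0-9_]\z/

# Returns [scripts, unclassified]: the distinct scripts used, and every
# character that belongs to none of them (emoji, punctuation, symbols).
def classify(username)
  scripts = []
  unclassified = []
  # NFC first, so a base letter plus combining mark becomes one code point.
  username.unicode_normalize(:nfc).each_char do |ch|
    next if ch.match?(NEUTRAL)
    name, = SCRIPTS.find { |_, re| ch.match?(re) }
    if name
      scripts << name
    else
      unclassified << ch
    end
  end
  [scripts.uniq, unclassified]
end

# True only when every character is neutral or from one single script.
def single_script_username?(username)
  return false if username.empty?
  scripts, unclassified = classify(username)
  unclassified.empty? && scripts.size <= 1
end
```

A name written entirely in Cyrillic still passes this check even when it looks like a Latin word, which is the whole-script limitation the comment attributes to Mozilla; catching that requires a confusables comparison against existing usernames.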
What I meant was that malicious websites were already created with Unicode characters replacing Latin ones, creating a name looking legit visually, fooling the users, for either phishing or a POC for phishing. Do we need to support a feature that will cause people to accidentally send private messages to a user who pretends to be someone else on the same server, by using an identically looking username?
I forgot to update this issue but I got feedback from Japanese users and unanimously people prefer ASCII-only for usernames, not only because of the phishing dangers, but also because it will be a lot harder for anyone to type in anyone else's username if UTF8 characters are allowed. So this can be closed.
From https://mastodon.cx/users/saqeram/updates/6117
To better support users from non-roman languages (Arabic, Japanese, Korean, Hebrew, Chinese being big examples) it would be wise to find a way to better support those characters in usernames and domains, as well as improve RTL support.