Please think twice before creating a precedent of a browser completely
blackholing a technically valid (albeit devious) site.
If the site is devious, what possible benefit is there in allowing the user access to it?
If someone came up with a valid use for this character in IDNs, that would be different.
My initial list includes the homographs of ":", ".", "/" and probably "\" too, plus all the space characters.
I imagine you'd want all the characters that could immediately follow the host name in a URI, so add "?" and "#" to that list.
Yes. It is looking a bit like "all punctuation", isn't it? But then, I bet there are some characters which look like punctuation. The Chinese character for the number 1 looks fairly like a hyphen.
P.S. Of course, the slash homograph attack wouldn't fool the Firefox SSL domain security indicator anyway, which would still display the entire domain, fake slashes and all.
Yes, but do users understand what that indicator means? If they see foo.com/bar.baz.xx in the indicator, do they understand that it is unrelated to foo.com?
Well, it would certainly be different to all the other times they'd visited mybank.com, so hopefully that would give them some pause.
Gerv
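The blocklist idea discussed in this thread, as an added example that is not part of the original messages and is not Firefox's code: a check that flags non-ASCII hostname characters which are space characters or which resemble the URI delimiters named above. The `VISUAL_LOOKALIKES` table and the function names are assumptions made for illustration, and the table is a constructed sample rather than a complete confusables list.

```python
import unicodedata

# Delimiters named in the thread: ":", ".", "/", "\", "?" and "#".
DELIMITERS = set(":./\\?#")

# Constructed sample of look-alikes that NFKC does not fold to ASCII
# (an assumption for illustration, not a complete confusables table).
VISUAL_LOOKALIKES = {
    "\u2044": "/",   # FRACTION SLASH
    "\u2215": "/",   # DIVISION SLASH
    "\u2216": "\\",  # SET MINUS
    "\u2236": ":",   # RATIO
    "\u3002": ".",   # IDEOGRAPHIC FULL STOP
}


def delimiter_lookalikes(host):
    """Return (index, 'U+XXXX', reason) for each suspicious non-ASCII char."""
    findings = []
    for i, ch in enumerate(host):
        if ord(ch) < 0x80:
            continue  # plain ASCII is left to the normal URI parser
        code = f"U+{ord(ch):04X}"
        # "All the space characters": Unicode separator categories.
        if unicodedata.category(ch) in ("Zs", "Zl", "Zp"):
            findings.append((i, code, "space character"))
            continue
        if ch in VISUAL_LOOKALIKES:
            findings.append((i, code, f"looks like {VISUAL_LOOKALIKES[ch]!r}"))
            continue
        # Compatibility forms (fullwidth "/", the care-of sign, ...) fold
        # to text that contains a real delimiter.
        folded = DELIMITERS & set(unicodedata.normalize("NFKC", ch))
        if folded:
            findings.append((i, code, f"NFKC folds to {sorted(folded)}"))
    return findings


def is_blocked(host):
    """True if the hostname contains any flagged character."""
    return bool(delimiter_lookalikes(host))
```

The check leaves ordinary IDN letters alone, including the Chinese character for 1 mentioned above, which is a letter rather than punctuation and would need a separate visual-similarity rule.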
