So, what happened? I can guess at some possibilities -- perhaps the specifications were not carefully consulted, or the implementors of the IDN feature were not aware of security considerations, or they were aware but decided it was not their responsibility to address. Were there communication problems between feature implementors and security people? Was security deprioritized? Maybe there are other possibilities I haven't thought of?
This is a good and reasonable question, to which I do not currently know the answer.
The discussion on IDN implementation took place in Bugzilla - here are some bug numbers:
Initial implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=42898
Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=237820
Case sensitivity: https://bugzilla.mozilla.org/show_bug.cgi?id=38998
A quick grep suggests that security wasn't considered that much, but a quick grep can miss things.
Gerv