multibyte characters should be encoded

[luixxiul]

Describe the issue you encountered: multibyte characters should be encoded on the URL bar and the status bar, as well as in the site listed on about:preferences#payments.

the above is Brave, the below is Chrome.

• Platform (Win7, 8, 10? macOS? Linux distro?): OS X

• Brave Version: master branch

• Steps to reproduce:

  1. Hover the link http://はじめよう.みんな/
  2. Open the link http://はじめよう.みんな/

• Any related issues:

[luixxiul]

You cannot input Japanese characters in "Home Page" setting on about:preferences as well

[luixxiul]

On URL bar (macOS) multibyte characters are encoded well.

Maybe thanks to bloodhound update? #8824

CC @darkdh for confirmation with Chinese characters.

Edit:
Brave 0.19.0
rev c5968c5

[darkdh]

and your example will give me

I'm on 0.17.3 MacOS
cc @diracdeltas for opinions

[bsclifton]

Good call on cc'ing @diracdeltas; because unicode characters can be used to spoof popular sites, it's probably better that we show the raw ASCII name (ex: the punycode encoded domain name).

It would be nice though to either have an option (opt-in) to enable punycode decoding of the domain names (showing in the native unicode) OR for us to consider what type of UX would be needed to ensure users don't get spoofed (do we check against a list? etc)

[diracdeltas]

We display punycode-only to prevent homograph attacks, see for instance https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html. Google has some standards for what unicode characters should be displayed as punycode. https://www.chromium.org/developers/design-documents/idn-in-google-chrome

[luixxiul]

As long as we stick to the Chromium way, it looks good to me.

http://xn--p8j9a0d9c9a.xn--q9jyb4c/index.html looks just simply corrupted, and I think we should avoid that.

[diracdeltas]

chromium doesn't necessarily filter out all characters that can be used for phishing (which is why the recent IDN attacks affected Chrome but not Brave)

[kenorb]

Same for this URL:

• https://puzzling.stackexchange.com/questions/37444/%E1%9A%AB%E1%9B%84-%E1%9B%9F%E1%9B%8B%E1%9A%B1-%E1%9B%97%E1%9A%A3%E1%9B%9A%E1%9A%A9%E1%9A%BB-%E1%9A%A9%E1%9A%AB-%E1%9A%B3%E1%9A%A6%E1%9A%B7%E1%9A%B9-%E1%9A%B9%E1%9B%9A%E1%9A%AB-%E1%9B%89

• Actual result:

I see %E1%9A%AB... instead of the Unicode characters.

• Expected result:

I could see the URL similar as in Chrome or Firefox, e.g.

[bsclifton]

@diracdeltas this bug is fixed with brave-core- but you make a good case for showing the punycode encoded domain. Should we open an issue to also do this in brave-core?

[diracdeltas]

i think it'd be good to have a tracking issue for this though we may decide it's not worth implementing in brave-core

[bsclifton]

@diracdeltas created brave/brave-browser#1004 👍