WebURLSpoofChecking
A proof-of-concept WebURL.Domain
renderer which uses a port of Chromium's IDN spoof-checking logic (Overview, Implementation) to protect against confusable domains. It implements most of Chromium's logic, with the exception of:
- Step 10, which checks single-script labels for whole-script confusables.
- Step 12, which checks mixed-script labels for a number of known dangerous patterns.
- Step 13, which checks mixed-script labels which look confusingly similar to a database of top domains.
// Non-spoofs are allowed.
// It doesn't just reject all Unicode 😅
WebURL.Domain("example.com")?.render(.checkedUnicodeString) // ✅ "example.com"
WebURL.Domain("a.أهلا.com")?.render(.checkedUnicodeString) // ✅ "a.أهلا.com"
WebURL.Domain("你好你好")?.render(.checkedUnicodeString) // ✅ "你好你好"
// But it does catch some actual spoofs, too.
// These are not the domains they might look like.
WebURL.Domain("раγpal.com")?.render(.checkedUnicodeString) // ✅ "xn--pal-vxc83d5c.com"
WebURL.Domain("аpple.com")?.render(.checkedUnicodeString) // ✅ "xn--pple-43d.com"
WebURL.Domain("16კ.com")?.render(.checkedUnicodeString) // ✅ "xn--16-1ik.com"
// Sometimes this includes specific rules for particular TLDs,
// such as only allowing "ə" (Latin Schwa, U+0259) in Azerbaijani domains
WebURL.Domain("əpple.com")?.render(.checkedUnicodeString) // ✅ "xn--pple-u6b.com"
WebURL.Domain("əpple.az")?.render(.checkedUnicodeString) // ✅ "əpple.az"