IDN addresses have recently come under close scrutiny, mostly due to domain registrars failing to follow certain guidelines that help prevent a type of website spoofing attack.
Mozilla’s first response to the threat of this type of spoofing was to disable IDN support and instead display the more verbose form of IDN URLs—punycode. (Punycode bears little resemblance to the intended appearance of an IDN, removing the risk of spoofing.)
Later, it was decided that some IDN addresses would be shown as intended—but only if the domain’s registrar had a public anti-spoofing policy. These preferences keeps track of which top-level domains are displayed as intended.
This is a set of enumerated preferences. This means that Mozilla will look for all preference names beginning with “network.IDN.whitelist.” and examine each one. The name of the preference—specifically, the portion at the end, after the full stop—is as important as the preference’s value. By default, the following preferences are set (as of 2021):
- plus 33 "internationalized" TLDs all beginning with the 4-character string xn--
Possible values and their effects
If an IDN has the top-level domain specified in this preference name, it will be shown as intended.
If an IDN has the top-level domain specified in this preference name, it will be displayed in punycode.
- As this is a whitelist and not a blacklist, setting any of these preferences to false is the same as not setting the preference at all.
- IDN must be enabled for these preferences to have an effect.
- network.IDN_show_punycode must be false for these preferenes to have an effect.
- If any character in an IDN is found in network.IDN.blacklist_chars, it will be displayed in punycode regardless of its possible presence in this whitelist.
First checked in
Has an effect in
- Deer Park (Alpha 2)
- Mozilla Firefox (all versions since 1.5 RC1)
- SeaMonkey (all versions)
- Bug 279099 - Protect against homograph attacks (spoofing using punycode IDNs)
- Bug 286534 - Implement IDN punycode display by .tld
- Bug 299927 - Add .museum and .hu to list of TLDs for which IDN is permitted
- Bug 300132 - Add .lt, .info, .th, .ac, .io, .sh, .tm, .gr, .br to IDN whitelist
- Bug 304277 - Add further TLDs to IDN whitelist
- Bug 308334 - Enable IDN for more TLDs
- Bug 313490 - Enable IDN for .org
- Bug 322996 - Enable IDN for .is domain
- Bug 331099 - Add .cat to IDN TLD whitelist
- Bug 347321 - Add .biz to IDN TLD whitelist
- Bug 389600 - Add .pl to IDN whitelist
- Bug 404051 - Add .es to IDN TLD whitelist
- Bug 406314 - Add .ir to the IDN whitelist
- Bug 423974 - Add .pr (Puerto Rico) to IDN whitelist
- Bug 460517 - Add .ar to IDN TLD whitelist