From MozillaZine Knowledge Base
IDN addresses have recently come under close scrutiny, mostly due to domain registrars failing to follow certain guidelines that help prevent a type of website spoofing attack.
Mozillaâ€™s first response to the threat of this type of spoofing was to disable IDN support and instead display the more verbose form of IDN URLsâ€”punycode. (Punycode bears little resemblance to the intended appearance of an IDN, removing the risk of spoofing.)
Later, it was decided that some IDN addresses would be shown as intendedâ€”but only if the domainâ€™s registrar had a public anti-spoofing policy. These preferences keeps track of which top-level domains are displayed as intended.
This is a set of enumerated preferences. This means that Mozilla will look for all preference names beginning with â€œnetwork.IDN.whitelist.â€ and examine each one. The name of the preferenceâ€”specifically, the portion at the end, after the full stopâ€”is as important as the preferenceâ€™s value. By default, the following preferences are set (as of 2021):
- plus 33 "internationalized" TLDs all beginning with the 4-character string xn--
Possible values and their effects
If an IDN has the top-level domain specified in this preference name, it will be shown as intended.
If an IDN has the top-level domain specified in this preference name, it will be displayed in punycode.
- As this is a whitelist and not a blacklist, setting any of these preferences to false is the same as not setting the preference at all.
- IDN must be enabled for these preferences to have an effect.
- network.IDN_show_punycode must be false for these preferenes to have an effect.
- If any character in an IDN is found in network.IDN.blacklist_chars, it will be displayed in punycode regardless of its possible presence in this whitelist.
First checked in
2005-06-19 by Jungshik Shin
Has an effect in
- Deer Park (Alpha 2)
- Mozilla Firefox (all versions since 1.5 RC1)
- SeaMonkey (all versions)