Read your address bar carefully
Internet addresses are no longer stuck with ASCII and English. If you're Greek, you can have a Greek domain name; if you're Japanese you can have a Japanese domain name. To make international characters work on the existing ASCII system, you encode the address in Punycode:
As an example of how IDNA works, suppose the domain to be encoded is Bücher.ch (“Bücher” is German for “books”, and .ch is the country domain for Switzerland). This has two labels, Bücher and ch. The second label is pure ASCII, and so is left unchanged. The first label is processed by Nameprep to give bücher, and then by Punycode to give bcher-kva, and then has xn-- prepended to give xn--bcher-kva. The final domain suitable for use with the DNS is therefore xn--bcher-kva.ch.
To avoid spoofing addresses, browsers render the ugly Punycode version whenever there's an ambiguous character. This is necessary to differentiate pаypal.com (where the first a is replaced by a Cyrillic а) from paypal.com.
http://com丿asp.com
I registered xn--comasp-yz7i.com, the Punycoded form of com丿asp.com. The fourth character isn't a slash /, but the curlier Japanese character 丿. On current versions of Safari, this character lends itself to fun domain spoofing.
This probably isn't good enough to fool a seasoned software developer. But could it fool your mom?
PS: I've already reported the bug to Apple. If your app displays URLs to users, this is something you may need to consider as well.
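One way an app that displays URLs could apply the same rule, as an added example (not code from this post or from any browser): show the Punycode form whenever a label mixes scripts or contains a character that resembles a URL delimiter. The deny-list, the name-based script check and the function names are assumptions made for illustration, and lowercasing stands in for Nameprep.

```python
import unicodedata

# Constructed, incomplete deny-list (an assumption): characters that can pass
# for the "/" or "." delimiters of a URL when rendered in an address bar.
DELIMITER_LOOKALIKES = {"\u4e3f", "\u2044", "\u2215", "\uff0f", "\u3002", "\uff0e"}


def to_ascii(host: str) -> str:
    """Encode each non-ASCII label with Punycode and prepend xn--."""
    labels = []
    for label in host.split("."):
        label = label.lower()  # simplified stand-in for Nameprep
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)


def scripts(label: str) -> set:
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def is_suspicious(label: str) -> bool:
    """True if the label mixes scripts or contains a delimiter lookalike."""
    if label.isascii():
        return False
    return len(scripts(label)) > 1 or any(ch in DELIMITER_LOOKALIKES for ch in label)


def display_host(host: str) -> str:
    """Return the Unicode form only when every label passes the checks."""
    if any(is_suspicious(label) for label in host.split(".")):
        return to_ascii(host)
    return host


if __name__ == "__main__":
    # Hosts taken from the post; escapes make the non-Latin characters explicit.
    for host in ("b\u00fccher.ch", "p\u0430ypal.com", "com\u4e3fasp.com"):
        print(f"{host!r:24} -> {display_host(host)}")
```

This check is stricter than browser policy: a Japanese label that legitimately mixes kana and kanji is also shown as Punycode.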