Read your address bar carefullyInternet addresses are no longer stuck with ASCII and English. If you're Greek, you can have a Greek domain name; if you're Japanese you can have a Japanese domain name. To make international characters work on the existing ASCII system, you encode the address in Punycode:
As an example of how IDNA works, suppose the domain to be encoded is
Bücher.ch(“Bücher” is German for “books”, and .ch is the country domain for Switzerland). This has two labels,
ch. The second label is pure ASCII, and so is left unchanged. The first label is processed by Nameprep to give bücher, and then by Punycode to give
bcher-kva, and then has
xn--prepended to give
xn--bcher-kva. The final domain suitable for use with the DNS is therefore
To avoid spoofing addresses, browsers render the ugly Punycode version whenever there's an ambiguous character. This is necessary to differentiate
pаypal.com(where the first
ais replaced by a Cyrillic
xn--comasp-yz7i.com, the Punycoded form of
com丿asp.com. The fourth character isn't a slash
/, but the curlier Japanese character
丿. On current versions of Safari, this character lends itself to fun domain spoofing.
This probably isn't good enough to fool a seasoned software developer. But could it fool your mom?
PS: I've already reported the bug to Apple. If your app displays URLs to users, this is something you may need to consider as well.