[michaelmrose]

It is anglocentric and valid. I live in a country of over 300 million people almost all of which speak English. Almost half the people on the internet at present speak English and virtually all the content I could possibly want to consume is available in a non unicode domain.

For me and 300 million users avoiding malicious attempts at spoofing is important. Setting show punycode to true enables me to view pages in international domains in case I need to do this while preventing me from being exploited.

Its at present the best option for hundreds of millions of people.

Its not shortsighted or racist to acknowledge different populations of users have different needs.

Edit: In case people can't be bothered to read it should be obvious that I am advocating for shipping with show punycode true for the English US version of firefox.

[orf]

I think people are downvoting you because it seems like you are suggesting that because it's OK for you billions of internet users have their functionality downgraded.

If you feel like punycode is a security issue then you should disable it. Perhaps browsers could do this automatically for people like you. But that's on you - saying 'nobody wants it because i speak english' is not a great foot to stand on.

[michaelmrose]

People overwhelmingly use defaults. The default shouldn't be problematic. Since we already ship an us english version among many others THAT version should have this feature disabled or show the actual punycode in the url bar.

I'm honestly unsure how you can possibly make a browser that allows look alike characters secure against phishing but at least its a different sort of trade off when you are talking about populations of users that might actually encounter non phishing sites using these domains.