by JeanMeche 404 days ago
The issue has been fixed on Chrome: https://issues.chromium.org/issues/391788835

But ligature is indeed still visible on Google search.

4 comments

https://chromium-review.googlesource.com/c/chromium/src/+/62...

Gotta love that the patch isn't fixing the font, but adding a rule for domain names which contain a substring similar to the ligature name...

Fixing the font does not help those that downloaded the font and won't get the new version. It also does not prevent malicious code from replacing the font on your machine with a version that has the ligature.

In fact this could be a novel attack vector: replace fonts on victims' devices to hide the true address of a website. The fix then would have to be to not display any ligatures at all in website addresses, which in my opinion would be a smart change.

Disabling ligature rendering in the omnibox seems significantly more sane and safe than this (why wouldn't you do that already?! URLs need to be displayed clearly - not be "aesthetically pleasing").
> Fixing the font does not help those that downloaded the font and won't get the new version. It also does not prevent malicious code from replacing the font on your machine with a version that has the ligature.

Fixing the code doesn't help users that downloaded code and don't get the new version either.

Malicious code that can replace a font can replace a lot more too.

Right, but replacing a font is much easier than replacing a browser.
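The two mitigations argued over above (a substring rule for ligature names versus never shaping ligatures in an address at all) side by side, as an added example that is not the Chromium patch and not code from anyone in this thread. It assumes a constructed list of ligature names containing only "google_logo", the one name mentioned here; the real icon-ligature set of Google Sans and the exact rule in the patch are not on this page, and the "loose" hyphen/underscore matching is this example's own widening.

```javascript
// Added example, not the Chromium fix. Assumption: the ligature list below is
// constructed from the one name mentioned in the thread; the real font ships
// many more, and the omnibox rule in the patch is not reproduced here.
const LIGATURE_NAMES = ["google_logo"];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Unicode compatibility folding before matching, so fullwidth or otherwise
// decomposable look-alike letters cannot slip past a plain substring test.
function normalizeForMatch(text) {
  return text.normalize("NFKC").toLowerCase();
}

// Approach 1, the shape of the patch discussed above: flag a displayed URL
// that contains a ligature name. With { loose: true } "-" and "_" are treated
// as interchangeable (this example's assumption about what "similar" covers).
function findLigatureName(url, { loose = false } = {}) {
  const haystack = normalizeForMatch(url);
  for (const name of LIGATURE_NAMES) {
    if (haystack.includes(name)) return name;
    if (loose && haystack.replace(/[-_]/g, "_").includes(name.replace(/[-_]/g, "_"))) {
      return name;
    }
  }
  return null;
}

// Approach 2, what several commenters prefer: never let the text shaper form
// the ligature. For a DOM element, CSS turns the OpenType features off.
const LIGATURE_FREE_CSS =
  'font-variant-ligatures: none; font-feature-settings: "liga" 0, "dlig" 0, "calt" 0;';

// Where CSS is unavailable (canvas, native widget, log line), break the
// ligature inside the string: U+200C ZERO WIDTH NON-JOINER between the letters
// of a matched name stops the glyph substitution while the visible characters
// stay the same. This also defends against a font swapped on disk, since the
// sequence that would trigger the ligature is never presented to the shaper.
function breakLigatures(url) {
  let out = url;
  for (const name of LIGATURE_NAMES) {
    const re = new RegExp(escapeRegExp(name), "gi");
    out = out.replace(re, (m) => m.split("").join("\u200C"));
  }
  return out;
}

// Strip the joiners again before using the text as an actual URL.
function unbreakLigatures(text) {
  return text.replace(/\u200C/g, "");
}

// Constructed sample input.
const sample = "https://example.test/google_logo/login";
console.log(findLigatureName(sample));                           // "google_logo"
console.log(findLigatureName(breakLigatures(sample)));           // null
console.log(unbreakLigatures(breakLigatures(sample)) === sample); // true
console.log(LIGATURE_FREE_CSS);
```

Note that the substring rule and the joiner trick are complementary: once the joiners are inserted the substring check no longer fires, which is exactly the property you want from a display string, and the joiners are removed again before navigation so the underlying URL is unchanged.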
I can imagine a group of excited guys coming up with that idea as something cool, and then the whole thing slowly evolving into yet another branding tool.

Guess I'll have to come up with a different domain name for my new business MakeLogoLigatures :(

Neat to see how impressed the Google team was at how novel this issue was.

I imagine the overlap between the number of people who know about google_logo and that the Omnibar is set in Google Sans is quite small.

And look, a working bug bounty program!

“$10,000 for report of high-quality && high-impact security UI issue + $5,000 bonus for unique, novel cool bug -- this was a very neat discovery!”

OS-dependent? I don't see it on OS X.