[jlgreco]

My impression is that all the major browsers show these links as punycode for security reasons. What is the point of these then? Is punycode defaulted to "off" in some countries? Wouldn't that just create two classes of users, one more vulnerable to phishing than the other?

[Cushman]

It looks like if you add Arabic as a language in Chrome, domains aren't converted. (And actually it will change http://xn--ggblala6cyf.xn--wgbh1c/ to ستفتاء.مصر in the address bar.)

[TazeTSchnitzel]

Makes sense. If your language isn't Arabic, you may be unable to, for instance, write the website address down.

[mahmud]

I can confirm this. Arabic TLDs and hostnames stay Arabic for me.

[kijeda]

That is not correct. For example, Mozilla takes a white list approach where they add TLDs that have registration policies that limit the risk of phishing (which is most of them).

http://www.mozilla.org/projects/security/tld-idn-policy-list...

[ConstantineXVI]

Logically, one would think your native language's script would automatically get "whitelisted" and rendered properly, while everything else is punycoded as usual.