[IDN Spoofs] Check for digit lookalikes when the input label is same script

We currently treat an IDN label as safe if all its characters are
same script. However, the characters might still be digit lookalikes.
This CL adds an additional digit lookalike checks for these cases.

This change doesn't impact any real world domains with more than 10
monthly users.

Bug: 1100485
Change-Id: Ief3e136dbfd58ccc247fb94b2fab874189a095f0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2274617
Commit-Queue: Mustafa Emre Acer <meacer@chromium.org>
Reviewed-by: Joe DeBlasio <jdeblasio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#783813}

components/url_formatter/spoof_checks/idn_spoof_checker.cc

@@ -425,6 +425,10 @@ IDNSpoofChecker::Result IDNSpoofChecker::SafeToDisplayAsUnicode(
         return Result::kWholeScriptConfusable;
       }
     }
+    // Disallow domains that contain only numbers and number-spoofs.
+    if (IsDigitLookalike(label_string))
+      return Result::kDigitLookalikes;
+
     return Result::kSafe;
   }
 

components/url_formatter/spoof_checks/idn_spoof_checker_unittest.cc

@@ -153,6 +153,8 @@ const IDNTestCase kIdnCases[] = {
     {"xn--0-6ee.com", L"੨0.com", kUnsafe},
     // Block fully numeric lookalikes (৪੨.com using U+09EA and U+0A68).
     {"xn--47b6w.com", L"৪੨.com", kUnsafe},
+    // Block single script digit lookalikes (using three U+0A68 characters).
+    {"xn--qccaa.com", L"੨੨੨.com", kUnsafe},
 
     // URL test with mostly numbers and one confusable character
     // Georgian 'd' 4000.com