2672 punycode tweak #368

2025-11-04 07:45:26 +01:00 · 2018-05-06 16:57:00 +00:00
parent 772fa4e06e
commit 6e6a993494
1 changed files with 10 additions and 9 deletions
--- a/user.js
+++ b/user.js
@@ -1284,17 +1284,16 @@ user_pref("devtools.chrome.enabled", false);
 * including youtube player controls. Best left for "hardened" or specific profiles.
 * [1] https://bugzilla.mozilla.org/1216893 ***/
   // user_pref("svg.disabled", true);
-/* 2672: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing security risk
+/* 2672: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
- * Firefox has *some* protections to mitigate the risk, but it is better to be safe
+ * Firefox has *some* protections, but it is better to be safe than sorry. The downside: it will also
- * than sorry. The downside: it will also display legitimate IDN's punycoded, which
+ * display legitimate IDN's punycoded, which might be undesirable for users of non-latin alphabets
 * might be undesirable for users from countries with non-latin alphabets
 * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
- * [1] http://kb.mozillazine.org/Network.IDN_show_punycode
+ * [1] https://wiki.mozilla.org/IDN_Display_Algorithm
- * [2] https://wiki.mozilla.org/IDN_Display_Algorithm
+ * [2] https://en.wikipedia.org/wiki/IDN_homograph_attack
- * [3] https://en.wikipedia.org/wiki/IDN_homograph_attack
+ * [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
- * [4] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
+ * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
 * [5] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
 user_pref("network.IDN_show_punycode", true);
 /** DOWNLOADS ***/
 /* 2640: discourage downloading to desktop (0=desktop 1=downloads 2=last used)
 * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
@@ -1311,6 +1310,7 @@ user_pref("browser.download.hide_plugins_without_extensions", false);
 * [SETUP] This may interfere with some users' workflow or methods
 * [1] https://bugzilla.mozilla.org/1281959 ***/
 user_pref("browser.download.forbid_open_with", true);
 /** EXTENSIONS ***/
 /* 2650: lock down allowed extension directories
 * [WARNING] This will break extensions that do not use the default XPI directories
@@ -1331,6 +1331,7 @@ user_pref("extensions.webextensions.keepUuidOnUninstall", false);
 * [SETTING] Privacy & Security>Permissions>Warn you when websites try to install add-ons
 * [SETTING-ESR52] Security>General>Warn me when sites try to install add-ons ***/
 user_pref("xpinstall.whitelist.required", true); // default: true
 /** SECURITY ***/
 /* 2681: enable CSP (Content Security Policy)
 * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/