michel_ouba/FF_arkenfox_user.js
michel_ouba
/
FF_arkenfox_user.js
1
0
Fork 0
Code Releases Activity

2672 punycode tweak #368

This commit is contained in:
Thorin-Oakenpants 2018-05-06 16:57:00 +00:00 committed by GitHub
parent 772fa4e06e
commit 6e6a993494
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
user.js
View File

@ -1284,17 +1284,16 @@ user_pref("devtools.chrome.enabled", false);
* including youtube player controls. Best left for "hardened" or specific profiles.
* [1] https://bugzilla.mozilla.org/1216893 ***/
// user_pref("svg.disabled", true);
/* 2672: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing security risk
* Firefox has *some* protections to mitigate the risk, but it is better to be safe
* than sorry. The downside: it will also display legitimate IDN's punycoded, which
* might be undesirable for users from countries with non-latin alphabets
/* 2672: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
* Firefox has *some* protections, but it is better to be safe than sorry. The downside: it will also
* display legitimate IDN's punycoded, which might be undesirable for users of non-latin alphabets
* [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
* [1] http://kb.mozillazine.org/Network.IDN_show_punycode
* [2] https://wiki.mozilla.org/IDN_Display_Algorithm
* [3] https://en.wikipedia.org/wiki/IDN_homograph_attack
* [4] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
* [5] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
* [1] https://wiki.mozilla.org/IDN_Display_Algorithm
* [2] https://en.wikipedia.org/wiki/IDN_homograph_attack
* [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
* [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
user_pref("network.IDN_show_punycode", true);
/** DOWNLOADS ***/
/* 2640: discourage downloading to desktop (0=desktop 1=downloads 2=last used)
* [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
@ -1311,6 +1310,7 @@ user_pref("browser.download.hide_plugins_without_extensions", false);
* [SETUP] This may interfere with some users' workflow or methods
* [1] https://bugzilla.mozilla.org/1281959 ***/
user_pref("browser.download.forbid_open_with", true);
/** EXTENSIONS ***/
/* 2650: lock down allowed extension directories
* [WARNING] This will break extensions that do not use the default XPI directories
@ -1331,6 +1331,7 @@ user_pref("extensions.webextensions.keepUuidOnUninstall", false);
* [SETTING] Privacy & Security>Permissions>Warn you when websites try to install add-ons
* [SETTING-ESR52] Security>General>Warn me when sites try to install add-ons ***/
user_pref("xpinstall.whitelist.required", true); // default: true
/** SECURITY ***/
/* 2681: enable CSP (Content Security Policy)
* [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/