1
0

1408 graphite, closes #1408 and 2619 puncyode

This commit is contained in:
Thorin-Oakenpants 2019-12-18 07:46:44 +00:00 committed by GitHub
parent cd07641a9d
commit a1cdbc8324
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

11
user.js
View File

@ -789,9 +789,10 @@ user_pref("browser.display.use_document_fonts", 0);
/* 1404: disable rendering of SVG OpenType fonts /* 1404: disable rendering of SVG OpenType fonts
* [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/ * [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
user_pref("gfx.font_rendering.opentype_svg.enabled", false); user_pref("gfx.font_rendering.opentype_svg.enabled", false);
/* 1408: disable graphite which FF49 turned back on by default /* 1408: disable graphite
* In the past it had security issues. Update: This continues to be the case, see [1] * Graphite has had many critical security issues in the past, see [1]
* [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 ***/ * [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778
* [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/
user_pref("gfx.font_rendering.graphite.enabled", false); user_pref("gfx.font_rendering.graphite.enabled", false);
/* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART]
* If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed. * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.
@ -1162,8 +1163,8 @@ user_pref("permissions.manager.defaultsUrl", "");
/* 2617: remove webchannel whitelist ***/ /* 2617: remove webchannel whitelist ***/
user_pref("webchannel.allowObject.urlWhitelist", ""); user_pref("webchannel.allowObject.urlWhitelist", "");
/* 2619: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing /* 2619: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
* Firefox has *some* protections, but it is better to be safe than sorry. The downside: it will also * Firefox has *some* protections, but it is better to be safe than sorry
* display legitimate IDN's punycoded, which might be undesirable for users of non-latin alphabets * [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded
* [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com) * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
* [1] https://wiki.mozilla.org/IDN_Display_Algorithm * [1] https://wiki.mozilla.org/IDN_Display_Algorithm
* [2] https://en.wikipedia.org/wiki/IDN_homograph_attack * [2] https://en.wikipedia.org/wiki/IDN_homograph_attack