|
@@ -1240,6 +1240,15 @@ user_pref("security.block_script_with_wrong_mime", true);
|
|
// WARNING: SVG is fairly common (~15% of the top 10K sites), so will cause some breakage
|
|
// WARNING: SVG is fairly common (~15% of the top 10K sites), so will cause some breakage
|
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
|
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
|
|
user_pref("svg.disabled", true);
|
|
user_pref("svg.disabled", true);
|
|
|
|
+// 2672: force Punycode for Internationalized Domain Names to eliminate possible spoofing security risk
|
|
|
|
+ // Firefox has *some* protections to mitigate the risk, but it is better to be safe than sorry.
|
|
|
|
+ // The downside: it will also display legitimate IDN's punycoded, which might be undesirable for
|
|
|
|
+ // users from countries with non-latin alphabets
|
|
|
|
+ // http://kb.mozillazine.org/Network.IDN_show_punycode
|
|
|
|
+ // https://wiki.mozilla.org/IDN_Display_Algorithm
|
|
|
|
+ // https://en.wikipedia.org/wiki/IDN_homograph_attack
|
|
|
|
+ // CVE-2017-5383: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
|
|
|
|
+user_pref("network.IDN_show_punycode", true);
|
|
|
|
|
|
/*** 2698: FIRST PARTY ISOLATION (FPI) ***/
|
|
/*** 2698: FIRST PARTY ISOLATION (FPI) ***/
|
|
// 2698a: enable first party isolation pref and OriginAttribute (FF51+)
|
|
// 2698a: enable first party isolation pref and OriginAttribute (FF51+)
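Review bot: The header comment on the added 2672 entry says forcing Punycode will "eliminate" the spoofing risk, which overstates what `network.IDN_show_punycode` provides. As far as I know the pref only changes how IDN hostnames are displayed, so mixed-script homographs appear as `xn--` labels, while pure-ASCII lookalike domains are unaffected. I would word it as `// 2672: force Punycode display for Internationalized Domain Names to reduce the IDN homograph spoofing risk`. The downside for users of non-Latin scripts is a usability breakage, so it could carry the same `// WARNING:` prefix as the SVG entry just above, which keeps it discoverable by the same search. The mozillazine reference is the only plain `http://` link in the added block; switch it to `https://` if the site serves it.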
|