From 4d0e5825a27ca5a899cad8bb00e8bddd84650940 Mon Sep 17 00:00:00 2001
From: earthlng
Date: Tue, 21 Feb 2017 18:29:05 +0100
Subject: [PATCH 1/3] network.IDN_show_punycode my draft for network.IDN_show_punycode added under 2600 but it would maybe also fit under 0800 (?) the title and that one line are quite long, feel free to improve the wording etc.
---
 user.js | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/user.js b/user.js
index 591540e..20e9382 100644
--- a/user.js
+++ b/user.js
@@ -1240,6 +1240,13 @@ user_pref("security.block_script_with_wrong_mime", true);
 // WARNING: SVG is fairly common (~15% of the top 10K sites), so will cause some breakage
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
 user_pref("svg.disabled", true);
+// 2672: eliminate possible spoofing security risk by forcing Punycode for Internationalized Domain Names - SECURITY
+ // Firefox has *some* protections to mitigate the risk, but better safe than sorry
+ // downside: will also display legitimate IDN's punycoded, which might be undesirable for users from countries with non-latin alphabets
+ // https://wiki.mozilla.org/IDN_Display_Algorithm
+ // https://en.wikipedia.org/wiki/IDN_homograph_attack
+ // CVE-2017-5383 -> https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
+user_pref("network.IDN_show_punycode", true); // default in FF51: false
 /*** 2698: FIRST PARTY ISOLATION (FPI) ***/
 // 2698a: enable first party isolation pref and OriginAttribute (FF51+)
From 069d8214137df14338a0371b52da6bd6a12918ad Mon Sep 17 00:00:00 2001
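Review bot: The description on the first added line, "eliminate possible spoofing security risk", overstates what `network.IDN_show_punycode` does: as far as I can tell the pref only changes how a host name is rendered in the browser UI (the hunk's own downside line says legitimate IDNs are "displayed" punycoded), so name resolution, the connection and certificate checking are unchanged and a homograph is defeated only if the user actually reads the URL bar. I would word the header as a mitigation, e.g. `// 2672: display Punycode for Internationalized Domain Names to mitigate IDN homograph spoofing - SECURITY`, and add one line after the downside, `// note: display-only mitigation - it relies on the user noticing the xn-- form in the URL bar`. The linked IDN_Display_Algorithm page is what "Firefox has *some* protections" refers to, so naming it in that sentence (`// Firefox's IDN display algorithm (link below) already blocks some mixed-script cases, but ...`) would make the trade-off clearer to readers deciding whether to keep this pref.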
From: Roman-Nopantski
Date: Wed, 22 Feb 2017 07:32:52 +1300
Subject: [PATCH 2/3] mods to earthlng patch #19 shortened and evened out lines, added that extra link. I changed "Internationalized Domain Names" to IDNs to save space and then realized the kb and wiki articles don;t even say what IDN stands for, so I put it back. Also swapped the order and wording of the pref to make it consistent with the action. Instead of - "2672: eliminate possible .. show_punycode", true)" - "2672: force Punycode .. show_punycode", true)"
---
 user.js | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/user.js b/user.js
index 20e9382..cf925fa 100644
--- a/user.js
+++ b/user.js
@@ -1240,13 +1240,15 @@ user_pref("security.block_script_with_wrong_mime", true);
 // WARNING: SVG is fairly common (~15% of the top 10K sites), so will cause some breakage
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
 user_pref("svg.disabled", true);
-// 2672: eliminate possible spoofing security risk by forcing Punycode for Internationalized Domain Names - SECURITY
- // Firefox has *some* protections to mitigate the risk, but better safe than sorry
- // downside: will also display legitimate IDN's punycoded, which might be undesirable for users from countries with non-latin alphabets
+// 2672: force Punycode for Internationalized Domain Names to eliminate possible spoofing security risk.
+ // Firefox has *some* protections to mitigate the risk, but it is better to be safe than sorry.
+ // The downside: it will also display legitimate IDN's punycoded, which might be undesirable for
+ // users from countries with non-latin alphabets
+ // http://kb.mozillazine.org/Network.IDN_show_punycode
 // https://wiki.mozilla.org/IDN_Display_Algorithm
 // https://en.wikipedia.org/wiki/IDN_homograph_attack
- // CVE-2017-5383 -> https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
-user_pref("network.IDN_show_punycode", true); // default in FF51: false
+ // CVE-2017-5383: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
+user_pref("network.IDN_show_punycode", true);
 /*** 2698: FIRST PARTY ISOLATION (FPI) ***/
 // 2698a: enable first party isolation pref and OriginAttribute (FF51+)
From e00a80fd8b8c704cad1decb91ecb731900e4f73d Mon Sep 17 00:00:00 2001
From: earthlng
Date: Tue, 21 Feb 2017 19:54:25 +0100
Subject: [PATCH 3/3] network.IDN_show_punycode removed the 'period' at the end of the pref description (we usually don't have one there) and aligned the 2nd line of the downside a bit nicer.
---
 user.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/user.js b/user.js
index cf925fa..74ec1ea 100644
--- a/user.js
+++ b/user.js
@@ -1240,10 +1240,10 @@ user_pref("security.block_script_with_wrong_mime", true);
 // WARNING: SVG is fairly common (~15% of the top 10K sites), so will cause some breakage
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
 user_pref("svg.disabled", true);
-// 2672: force Punycode for Internationalized Domain Names to eliminate possible spoofing security risk.
+// 2672: force Punycode for Internationalized Domain Names to eliminate possible spoofing security risk
 // Firefox has *some* protections to mitigate the risk, but it is better to be safe than sorry.
 // The downside: it will also display legitimate IDN's punycoded, which might be undesirable for
- // users from countries with non-latin alphabets
+ // users from countries with non-latin alphabets
 // http://kb.mozillazine.org/Network.IDN_show_punycode
 // https://wiki.mozilla.org/IDN_Display_Algorithm
 // https://en.wikipedia.org/wiki/IDN_homograph_attack