user.js


commit 1438b4ac4ff577c14ffeb1de0be15a4b96b86a30
parent 00e99d2b650d1eec6ceddd8ded73147db5ea6df3
Author: earthlng <earthlng@users.noreply.github.com>
Date:   Tue, 21 Feb 2017 20:06:58 +0100

Merge pull request #19 from ghacksuserjs/earthlng-patch-1

adding network.IDN_show_punycode;true
Diffstat:
Muser.js | 9+++++++++
1 file changed, 9 insertions(+), 0 deletions(-)

diff --git a/user.js b/user.js
@@ -1240,6 +1240,15 @@ user_pref("security.block_script_with_wrong_mime", true);
 // WARNING: SVG is fairly common (~15% of the top 10K sites), so will cause some breakage
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
 user_pref("svg.disabled", true);
+// 2672: force Punycode for Internationalized Domain Names to eliminate possible spoofing security risk
+ // Firefox has *some* protections to mitigate the risk, but it is better to be safe than sorry.
+ // The downside: it will also display legitimate IDN's punycoded, which might be undesirable for
+ // users from countries with non-latin alphabets
+ // http://kb.mozillazine.org/Network.IDN_show_punycode
+ // https://wiki.mozilla.org/IDN_Display_Algorithm
+ // https://en.wikipedia.org/wiki/IDN_homograph_attack
+ // CVE-2017-5383: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
+user_pref("network.IDN_show_punycode", true);
 /*** 2698: FIRST PARTY ISOLATION (FPI) ***/
 // 2698a: enable first party isolation pref and OriginAttribute (FF51+)
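Review bot: The header comment on the new 2672 entry says the pref will "eliminate possible spoofing security risk", which overstates what `network.IDN_show_punycode` does. It only changes how non-ASCII hostnames are displayed, so all-ASCII lookalike domains are unaffected and a user still has to notice the `xn--` form. I would reword the first line to `// 2672: force Punycode for Internationalized Domain Names to mitigate IDN homograph spoofing`. The breakage note would also be easier to scan if it used the same label as the SVG entry just above, e.g. `// WARNING: legitimate IDNs are also shown punycoded, which may be undesirable for users of non-latin alphabets`.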