user.js


commit 8abe26083c2fcd0dc29d91d696e54695478184aa
parent c4bba2258ea7f7f2805cc1e650d4f2a98b1e048a
Author: Thorin-Oakenpants <Thorin-Oakenpants@users.noreply.github.com>
Date:   Sun, 28 May 2017 12:49:27 +1200

punycode test

and the PoC/article by Xudong Zheng that re-sparked the conversation early this year
Diffstat:
Muser.js | 4+++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/user.js b/user.js
@@ -1313,10 +1313,12 @@ user_pref("security.block_script_with_wrong_mime", true);
 * Firefox has *some* protections to mitigate the risk, but it is better to be safe
 * than sorry. The downside: it will also display legitimate IDN's punycoded, which
 * might be undesirable for users from countries with non-latin alphabets
+ * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
 * [1] http://kb.mozillazine.org/Network.IDN_show_punycode
 * [2] https://wiki.mozilla.org/IDN_Display_Algorithm
 * [3] https://en.wikipedia.org/wiki/IDN_homograph_attack
- * [4] CVE-2017-5383: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/ ***/
+ * [4] CVE-2017-5383: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
+ * [5] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
 user_pref("network.IDN_show_punycode", true);
 /* 2673: enable CSP (Content Security Policy) (default is true)
 * [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP ***/
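Review bot: The added `[TEST]` line annotates the punycode URL with a bare `(www.apple.com)`, which reads as if the link were Apple's own site rather than a lookalike, and it does not say what a passing result looks like. I would spell out the expectation, e.g. `* [TEST] https://www.xn--80ak6aa92e.com/ (homograph PoC, see [5]: the address bar must show the xn-- form, not "apple.com")`. The test host is a third-party domain, presumably the PoC from the article in [5], so its content may change or disappear; the comment should tell readers to check only how the URL is displayed. The comment block this belongs to starts above the hunk.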