2675: block top level data: URIs

note: I changed `data://` to `data:` in section 4000's 1300671 description
2024-06-26 14:32:30 +00:00 · 2017-09-29 03:06:22 +13:00 · 2017-09-29 03:06:22 +13:00 · 0912b03f62
commit 0912b03f62
parent 12f80bdf65
1 changed files with 6 additions and 1 deletions
--- a/user.js
+++ b/user.js
@ -1421,6 +1421,11 @@ user_pref("security.csp.enable", true);
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=855326
 * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=883975 ***/
 user_pref("security.csp.experimentalEnabled", true);
+/* 2675: block top level window data: URIs (FF56+)
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1331351
+ * [2] https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
+ * [3] https://www.fxsitecompat.com/en-CA/docs/2017/data-url-navigations-on-top-level-window-will-be-blocked/ ***/
+user_pref("security.data_uri.block_toplevel_data_uri_navigations", true);

 /*** 2700: COOKIES & DOM STORAGE ***/
 user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
@ -1526,7 +1531,7 @@ user_pref("privacy.sanitize.timeSpan", 0);
 ** 1334693 - isolate SPDY/HTTP2 (FF55+)
 ** 1337893 - isolate DNS cache (FF55+)
 ** 1344170 - isolate blob: URI (FF55+)
- ** 1300671 - isolate data://, about: URLs (FF55+)
+ ** 1300671 - isolate data:, about: URLs (FF55+)
 ***/
 user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
 /* 4001: enable First Party Isolation (FF51+)