From 4d0e5825a27ca5a899cad8bb00e8bddd84650940 Mon Sep 17 00:00:00 2001
From: earthlng <earthlng@users.noreply.github.com>
Date: Tue, 21 Feb 2017 18:29:05 +0100
Subject: [PATCH] network.IDN_show_punycode

my draft for network.IDN_show_punycode
added under 2600 but it would maybe also fit under 0800 (?)
the title and that one line are quite long, feel free to improve the wording etc.
---
 user.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/user.js b/user.js
index 591540e..20e9382 100644
--- a/user.js
+++ b/user.js
@@ -1240,6 +1240,13 @@ user_pref("security.block_script_with_wrong_mime", true);
    // WARNING: SVG is fairly common (~15% of the top 10K sites), so will cause some breakage
    // https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
 user_pref("svg.disabled", true);
+// 2672: eliminate possible spoofing security risk by forcing Punycode for Internationalized Domain Names - SECURITY
+   // Firefox has *some* protections to mitigate the risk, but better safe than sorry
+   // downside: will also display legitimate IDN's punycoded, which might be undesirable for users from countries with non-latin alphabets
+   // https://wiki.mozilla.org/IDN_Display_Algorithm
+   // https://en.wikipedia.org/wiki/IDN_homograph_attack
+   // CVE-2017-5383 -> https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
+user_pref("network.IDN_show_punycode", true); // default in FF51: false
 
 /*** 2698: FIRST PARTY ISOLATION (FPI) ***/
 // 2698a: enable first party isolation pref and OriginAttribute (FF51+)
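Review bot: The title comment on the added 2672 line says the pref will "eliminate" the spoofing risk, which overstates what a display setting can do. Forcing Punycode removes the visual lookalike for IDN hostnames, but the user still has to notice an unfamiliar `xn--` name, and lookalikes built only from ASCII characters are not affected. I would reword the title to `// 2672: reduce IDN homograph spoofing risk by always displaying Internationalized Domain Names as Punycode - SECURITY`. The long "downside" line could be split in two, with "IDN's" corrected to "IDNs". The CVE-2017-5383 line would read better with a few words saying what that advisory entry covers, so the reference explains itself without following the link.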