From 452c7e21721e65749e5029ee31ab60dc0e7d264e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 17 Dec 2018 10:01:16 +0000 Subject: [PATCH 1/2] 0912: HTTP Auth sub-resources --- user.js | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/user.js b/user.js index cca08424..894ed447 100644 --- a/user.js +++ b/user.js @@ -645,6 +645,13 @@ user_pref("signon.formlessCapture.enabled", false); * [2] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1217152,1319119 ***/ user_pref("signon.autofillForms.http", false); user_pref("security.insecure_field_warning.contextual.enabled", true); +/* 0912: limit (1) or disable (0) sub-resources HTTP-authentication [FF41+] + * hardens against potential credentials phishing + * 0=don't allow sub-resources to open HTTP authentication credentials dialogs + * 1=don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs + * 2=allow sub-resources to open HTTP authentication credentials dialogs (default) + * [1] https://www.fxsitecompat.com/en-CA/docs/2015/http-auth-dialog-can-no-longer-be-triggered-by-cross-origin-resources/ ***/ +user_pref("network.auth.subresource-http-auth-allow", 1); /*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS [SETUP-CHROME] ETAG [1] and other [2][3] cache tracking/fingerprinting techniques can be averted by From 0832d6eeec102f531bd6ae88cfc6364fdbca70df Mon Sep 17 00:00:00 2001 From: earthlng Date: Mon, 17 Dec 2018 12:35:15 +0000 Subject: [PATCH 2/2] Update user.js --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 894ed447..a4542528 100644 --- a/user.js +++ b/user.js @@ -645,7 +645,7 @@ user_pref("signon.formlessCapture.enabled", false); * [2] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1217152,1319119 ***/ user_pref("signon.autofillForms.http", false); user_pref("security.insecure_field_warning.contextual.enabled", true); -/* 0912: limit (1) or disable (0) sub-resources HTTP-authentication [FF41+] +/* 0912: limit (or disable) HTTP authentication credentials dialogs triggered by sub-resources [FF41+] * hardens against potential credentials phishing * 0=don't allow sub-resources to open HTTP authentication credentials dialogs * 1=don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs