diff options
| author |  sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:42 +0100 |
|---|---|---|
| committer | sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:42 +0100 |
| commit | 6c9641629be956399d2de24c578ebc6ca239d558 (patch) | |
| tree | 068cb99272889f896718353125e8a03605ade8cc | |
| parent | fd512ffcd1206260e8cf17e8bed0273c64658d30 (diff) | |
| download | dotfiles-6c9641629be956399d2de24c578ebc6ca239d558.tar.gz dotfiles-6c9641629be956399d2de24c578ebc6ca239d558.tar.bz2 dotfiles-6c9641629be956399d2de24c578ebc6ca239d558.zip | |
feat(firefox): allow plain-HTTP loopback for VPN SSO callbacks
LibreWolf 149+ hardens beyond arkenfox by force-upgrading loopback to HTTPS
(dom.security.https_only_mode.upgrade_local=true) and enabling LNA blocking
of public->loopback redirects. Both break snx-rs / Forticlient / generic
VPN SAML callbacks that land on http://127.0.0.1:<port>/<token>.
Restore stock Firefox / arkenfox loopback behaviour. arkenfox 1245 leaves
upgrade_local intentionally commented out and does not touch network.lna.*,
so this brings us in line with arkenfox rather than weaker than it.
Refs: LibreWolf issues #2954 (Forticlient SSO broken in 149), #2962
(HTTPS-Only Mode locked in 149.0.2-1, reverted in 149.0.2-2).
| -rw-r--r-- | firefox/user-overrides.js | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js index c6d3bc8..dfc2abb 100644 --- a/firefox/user-overrides.js +++ b/firefox/user-overrides.js @@ -19,6 +19,15 @@ user_pref("browser.eme.ui.enabled", false); // hide DRM UI toggle /** Network **/ user_pref("network.dns.disableIPv6", false); // keep IPv6 enabled +/** Loopback callbacks (VPN/SSO clients like snx-rs, Forticlient) **/ +// snx-rs and similar VPN clients land SAML callbacks on http://127.0.0.1:<port>/<token>. +// LibreWolf hardens beyond arkenfox by force-upgrading loopback to HTTPS and enabling +// LNA blocking; both break the plain-HTTP loopback handoff. Restoring stock Firefox / +// arkenfox behaviour for loopback only. arkenfox 1245 deliberately leaves upgrade_local +// commented out and does not touch network.lna.*. See LibreWolf issues #2954, #2962. +user_pref("dom.security.https_only_mode.upgrade_local", false); +user_pref("network.lna.local-network-to-localhost.skip-checks", true); + /** Resist Fingerprinting **/ user_pref("privacy.resistFingerprinting.testGranularityMask", 4); user_pref("privacy.resistFingerprinting.exemptedDomains", "meet.google.com,teams.microsoft.com"); |