Diffstat (limited to 'firefox/user-overrides.js')
| -rw-r--r-- | firefox/user-overrides.js | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js
index 6265f95..52059c2 100644
--- a/firefox/user-overrides.js
+++ b/firefox/user-overrides.js
@@ -29,14 +29,16 @@ user_pref("media.gmp-manager.url", "https://aus5.mozilla.org/update/3/GMP/%VERSI
 /** Network **/
 user_pref("network.dns.disableIPv6", false); // keep IPv6 enabled
-/** Loopback callbacks (VPN/SSO clients like snx-rs, Forticlient) **/
-// snx-rs and similar VPN clients land SAML callbacks on http://127.0.0.1:<port>/<token>.
-// LibreWolf hardens beyond arkenfox by force-upgrading loopback to HTTPS and enabling
-// LNA blocking; both break the plain-HTTP loopback handoff. Restoring stock Firefox /
-// arkenfox behaviour for loopback only. arkenfox 1245 deliberately leaves upgrade_local
-// commented out and does not touch network.lna.*. See LibreWolf issues #2954, #2962.
-user_pref("dom.security.https_only_mode.upgrade_local", false);
-user_pref("network.lna.local-network-to-localhost.skip-checks", true);
+// NOTE on snx-rs SAML loopback callbacks (Check Point VPN):
+// LibreWolf force-upgrades http://127.0.0.1:<port>/<token> to HTTPS and
+// enables LNA blocking, which both break the snx-rs SAML handoff.
+// `dom.security.https_only_mode.upgrade_local = false` and
+// `network.lna.local-network-to-localhost.skip-checks = true` were tried
+// here and did NOT actually fix the SAML flow — left disabled. The
+// working fix is the wrapper script ~/.local/bin/snxctl-chromium, which
+// routes snx-rs's xdg-open through flatpak ungoogled-chromium via a
+// systemd --user drop-in. See dot_local/share/snx-rs/bin/xdg-open and
+// dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf.
 /** Resist Fingerprinting **/
 user_pref("privacy.resistFingerprinting.testGranularityMask", 4); |
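Review bot: The new comment's "left disabled" is ambiguous and may overstate what deleting the two `user_pref` lines achieves. A value set through `user_pref` is normally written to the profile's prefs.js, so on a profile that already loaded the old file `dom.security.https_only_mode.upgrade_local` can remain `false` and `network.lna.local-network-to-localhost.skip-checks` can remain `true` until they are reset; whether that applies here depends on how this file is loaded, which the hunk does not show. I would say so in the note, e.g. `// Both prefs are no longer set here; reset them in about:config on existing profiles to get the hardened defaults back.` Separately, the note lost the old `/** ... **/` section header and now reads as part of `/** Network **/`, so a header in the file's existing style would keep it findable.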
