From 6c9641629be956399d2de24c578ebc6ca239d558 Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Wed, 13 May 2026 13:43:42 +0100
Subject: feat(firefox): allow plain-HTTP loopback for VPN SSO callbacks

LibreWolf 149+ hardens beyond arkenfox by force-upgrading loopback to HTTPS (dom.security.https_only_mode.upgrade_local=true) and enabling LNA blocking of public->loopback redirects. Both break snx-rs / Forticlient / generic VPN SAML callbacks that land on http://127.0.0.1:/. Restore stock Firefox / arkenfox loopback behaviour. arkenfox 1245 leaves upgrade_local intentionally commented out and does not touch network.lna.*, so this brings us in line with arkenfox rather than weaker than it. Refs: LibreWolf issues #2954 (Forticlient SSO broken in 149), #2962 (HTTPS-Only Mode locked in 149.0.2-1, reverted in 149.0.2-2).
---
 firefox/user-overrides.js | 9 +++++++++
 1 file changed, 9 insertions(+) (limited to 'firefox')

diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js
index c6d3bc8..dfc2abb 100644
--- a/firefox/user-overrides.js
+++ b/firefox/user-overrides.js
@@ -19,6 +19,15 @@ user_pref("browser.eme.ui.enabled", false); // hide DRM UI toggle
 /** Network **/
 user_pref("network.dns.disableIPv6", false); // keep IPv6 enabled
 
+/** Loopback callbacks (VPN/SSO clients like snx-rs, Forticlient) **/
+// snx-rs and similar VPN clients land SAML callbacks on http://127.0.0.1:/.
+// LibreWolf hardens beyond arkenfox by force-upgrading loopback to HTTPS and enabling
+// LNA blocking; both break the plain-HTTP loopback handoff. Restoring stock Firefox /
+// arkenfox behaviour for loopback only. arkenfox 1245 deliberately leaves upgrade_local
+// commented out and does not touch network.lna.*. See LibreWolf issues #2954, #2962.
+user_pref("dom.security.https_only_mode.upgrade_local", false);
+user_pref("network.lna.local-network-to-localhost.skip-checks", true);
+
 /** Resist Fingerprinting **/
 user_pref("privacy.resistFingerprinting.testGranularityMask", 4);
 user_pref("privacy.resistFingerprinting.exemptedDomains", "meet.google.com,teams.microsoft.com");
-- 
cgit v1.3.1
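Review bot: The comment above the two added prefs says the relaxation is "for loopback only", but both prefs are global and their names suggest a wider or different scope. `dom.security.https_only_mode.upgrade_local` appears to control HTTPS-Only upgrades for local (private-range) addresses as well as loopback. `network.lna.local-network-to-localhost.skip-checks` reads as exempting local-network→localhost requests, not the public→loopback redirect the commit message describes. It is worth confirming that the second pref is what actually unblocks the SAML callback, because otherwise it weakens Local Network Access protection for every origin on the local network without fixing the breakage. I would also record the trade-off next to the prefs, e.g. `// NOTE: global, not per-site: plain HTTP stays allowed to all local addresses and LNA checks towards localhost are skipped; revisit if a per-origin exemption becomes available.`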