Disable FoxyProxy's proxy:// protocol handler
Originally created by @anonym on #7479 (Redmine)
FoxyProxy adds the proxy://
protocol handler, which can be used to
configure the proxy via an URI. A malicious exit node can inject some
JavaScript code to visit such and URI. FoxyProxy will not do such
configurations without user confirmation, but we definitely should
completely disable this ill-thought “feature” any way by setting
ignoreProxyScheme
to true
in
config/chroot_local-includes/etc/iceweasel/profile/foxyproxy.xml
.
Note: even if a user can be tricked to accept such a re-configuration which would, e.g. disable proxying completely, our firewall would block deanonymization. However, the proxy settings could be changed to side-step our stream isolation, which isn’t good.
See http://getfoxyproxy.org/developers/proxyprotocol.html for details.
Feature Branch: feature/7479-disable-proxy-protocol-handler