Comment 44 for bug 1409142

Paul McMillan (paul-mcmillan) wrote : Re: Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)

As Tristan said, it's not responsible to disclose 0day without a patch and leave users unprotected, whatever the reason. I don't want to have that conversation with my customers who want to know why there's no patch, and I know none of you do either.

Fixing the issue in a backwards compatible way (defaulting the check to not running) is NOT functionally the same as publishing 0day without an available patch. Yes, administrators who apply the patch will have to reconfigure systems in order to gain full protection, but conscientious administrators will do that.

I agree with Tristan that for stable, a simple setting that indicates the required origin protocol is an appropriate backwards-compatible, easy to configure solution to the problem.
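To make the mitigation discussed in this thread concrete, here is an added example (not Nova's code, and not from the commenter) of a WebSocket handshake Origin check with the two properties described above: it is disabled by default for backwards compatibility, and a single setting states the origin protocol the administrator expects (useful when TLS terminates in front of the proxy). All setting names (`enforce`, `allowed_base_url`, `required_scheme`) and the sample handshake headers are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical settings for the example; these are not Nova configuration options.
@dataclass
class OriginPolicy:
    enforce: bool = False        # off by default: existing deployments keep working
    allowed_base_url: str = ""   # public URL browsers load the console from
    required_scheme: str = ""    # e.g. "https" when TLS terminates in front of the proxy


def _default_port(scheme):
    # Browsers omit default ports from the Origin header, so normalise them.
    return {"http": 80, "https": 443}.get(scheme)


def _host_port(parsed):
    return parsed.hostname, (parsed.port or _default_port(parsed.scheme))


def origin_allowed(headers, policy):
    """Decide whether a WebSocket handshake may proceed.

    headers: dict of request headers (case-insensitive lookup below).
    Returns (allowed, reason) so the caller can log why a handshake was refused.
    """
    if not policy.enforce:
        return True, "origin check disabled (compatibility mode)"

    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        # Browsers always send Origin on WebSocket handshakes; a VNC console
        # client is a browser, so a missing header is refused when enforcing.
        return False, "missing Origin header"

    parsed = urlparse(origin)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        # Covers "null" origins and malformed values.
        return False, "malformed Origin header"

    expected = urlparse(policy.allowed_base_url)
    # The required_scheme setting wins over the scheme in the base URL, so an
    # http:// base URL behind a TLS terminator can still demand https origins.
    expected_scheme = policy.required_scheme or expected.scheme
    if parsed.scheme != expected_scheme:
        return False, "Origin scheme %s, expected %s" % (parsed.scheme, expected_scheme)

    if _host_port(parsed) != (expected.hostname, expected.port or _default_port(expected_scheme)):
        return False, "Origin host/port does not match the console base URL"

    return True, "ok"


def demo():
    # Constructed sample handshakes for the example.
    policy = OriginPolicy(enforce=True,
                          allowed_base_url="https://console.example.org",
                          required_scheme="https")
    same_site = {"Origin": "https://console.example.org", "Upgrade": "websocket"}
    cross_site = {"Origin": "https://attacker.example.net", "Upgrade": "websocket"}
    downgraded = {"Origin": "http://console.example.org", "Upgrade": "websocket"}
    return {
        "same_site": origin_allowed(same_site, policy)[0],
        "cross_site": origin_allowed(cross_site, policy)[0],
        "downgraded": origin_allowed(downgraded, policy)[0],
        "compat_mode": origin_allowed(cross_site, OriginPolicy())[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, "allowed" if allowed else "refused")
```

With `enforce` left at its default, the check logs nothing and refuses nothing, which is the patch-but-reconfigure model described in the comment; once an administrator sets `enforce` and `allowed_base_url`, cross-site handshakes are refused, and `required_scheme` closes the gap where an `http://` base URL would otherwise accept a plain-HTTP origin in front of a TLS terminator.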