diff --git a/netwerk/dns/nsIDNService.cpp b/netwerk/dns/nsIDNService.cpp
index a05d63fdaaad..bd5690701055 100644
--- a/netwerk/dns/nsIDNService.cpp
+++ b/netwerk/dns/nsIDNService.cpp
@@ -751,6 +751,13 @@ bool nsIDNService::isLabelSafe(const nsAString& label, const nsAString& tld) {
 return false;
 }
+ // Disallow Icelandic confusables for domains outside Icelandic and Faroese
+ // ccTLD (.is, .fo)
+ if ((ch == 0xFE || ch == 0xF0) && !tld.EqualsLiteral("is") &&
+ !tld.EqualsLiteral("fo")) {
+ return false;
+ }
+
 // Check for mixed numbering systems
 auto genCat = GetGeneralCategory(ch);
 if (genCat == HB_UNICODE_GENERAL_CATEGORY_DECIMAL_NUMBER) {
diff --git a/netwerk/test/unit/test_idn_spoof.js b/netwerk/test/unit/test_idn_spoof.js
index 285de20d12cd..dd3415b525b4 100644
--- a/netwerk/test/unit/test_idn_spoof.js
+++ b/netwerk/test/unit/test_idn_spoof.js
@@ -416,7 +416,7 @@ let testCases = [
 // þħĸŧƅ.com
 ["xn--vda6f3b2kpf.com", "\u00fe\u0127\u0138\u0167\u0185.com", kUnsafe],
 // þhktb.com
- ["xn--hktb-9ra.com", "\u00fehktb.com", kUnsafe, "DISABLED"],
+ ["xn--hktb-9ra.com", "\u00fehktb.com", kUnsafe],
 // pħktb.com
 ["xn--pktb-5xa.com", "p\u0127ktb.com", kUnsafe, "DISABLED"],
 // phĸtb.com
@@ -876,8 +876,8 @@ let testCases = [
 ["xn--ceba.com", "\u05d7\u05d7.com", kUnsafe, "DISABLED"],
 // U+00FE (þ) and U+00F0 (ð) are only allowed under the .is TLD.
- ["xn--acdef-wva.com", "a\u00fecdef.com", kUnsafe, "DISABLED"],
- ["xn--mnpqr-jta.com", "mn\u00f0pqr.com", kUnsafe, "DISABLED"],
+ ["xn--acdef-wva.com", "a\u00fecdef.com", kUnsafe],
+ ["xn--mnpqr-jta.com", "mn\u00f0pqr.com", kUnsafe],
 ["xn--acdef-wva.is", "a\u00fecdef.is", kSafe],
 ["xn--mnpqr-jta.is", "mn\u00f0pqr.is", kSafe],
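Review bot: The new check in isLabelSafe names the two restricted characters only by the bare literals `0xFE` and `0xF0`, and its comment does not say which characters they are. Naming them, e.g. `// U+00FE (þ) and U+00F0 (ð) are allowed only under the .is and .fo ccTLDs`, would make the spoofing rule auditable at a glance. The TLD test is an exact, case-sensitive match on `tld`, so it relies on the caller passing the TLD already lowercased. How `tld` is derived is outside this hunk; a mismatch would presumably fail closed, since the label is then reported as unsafe, and the comment should say so. isLabelSafe starts and ends outside the hunk.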
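Review bot: The comment above the re-enabled cases in the `@@ -876,8` hunk of test_idn_spoof.js still says þ and ð are allowed only under the .is TLD, but the C++ change in this commit also exempts .fo, and no .fo case is visible in this hunk. Update the comment to `// U+00FE (þ) and U+00F0 (ð) are only allowed under the .is and .fo TLDs.` and add positive cases mirroring the .is ones, e.g. `["xn--acdef-wva.fo", "a\u00fecdef.fo", kSafe],` and `["xn--mnpqr-jta.fo", "mn\u00f0pqr.fo", kSafe],`. The testCases array continues outside the hunk, so such cases may already exist elsewhere in the file.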