From 541e50a04788ab6a4e2f27b160dd2ceaaff1627d Mon Sep 17 00:00:00 2001
From: Narsil
Date: Sun, 4 Apr 2021 13:52:59 -0400
Subject: [PATCH] Update 'user.js'

---
 user.js | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/user.js b/user.js
index e6666c2..cd525a1 100644
--- a/user.js
+++ b/user.js
@@ -857,6 +857,11 @@ user_pref("dom.security.https_only_mode_pbm", true); // [FF80+]
 // This is done to avoid waiting for a timeout which takes 90 seconds
 // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/
 user_pref("dom.security.https_only_mode_send_http_background_request", false);
+// -------------------------------------
+// Treat .onion as a secure context [FF60+] [TOR]
+// [NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser
+// https://bugzilla.mozilla.org/1382359 ***/
+// user_pref("dom.securecontext.whitelist_onions", true);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // CIPHERS [WARNING: do not meddle with your cipher suite]
@@ -967,9 +972,8 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
 // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+]
 // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2]
 // -------------------------------------
-// Hide (not spoof) referrer when leaving a .onion domain [FF54+]
-// [NOTE] Firefox cannot access .onion sites by default. We recommend you use
-// the Tor Browser which is specifically designed for hidden services
+// Hide (not spoof) referrer when leaving a .onion domain [FF54+] [TOR]
+// [NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser
 // https://bugzilla.mozilla.org/1305144 ***/
 // user_pref("network.http.referer.hideOnionSource", true);
 // -------------------------------------
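Review bot: The new `dom.securecontext.whitelist_onions` entry in the @@ -857 hunk does not say what enabling it costs. Going by the heading and the linked bug, .onion pages would be treated as secure contexts, which is only sound when the connection really is carried over Tor. Because the pref ships commented out, a line such as `// [WARNING] Only enable in a profile whose traffic is routed through Tor: .onion pages gain secure-context status` would tell readers why it is inactive. The `[TOR]` tag is also new here and in the @@ -967 hunk; if the file keeps a tag legend outside this diff, it should be listed there.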
@@ -1019,6 +1023,7 @@ user_pref("media.gmp-manager.url.override", "");
 // Disable all DRM content (EME: Encryption Media Extension)
 // [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV
 // [SETTING] General>DRM Content>Play DRM-controlled content
+// [TEST] https://bitmovin.com/demos/drm
 // https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
 user_pref("media.eme.enabled", false);
 //
@@ -1163,8 +1168,8 @@ user_pref("dom.push.userAgentID", "");
 // Disable website access to clipboard events/content [SETUP-HARDEN]
 // [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress
 // This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website
-// [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one
-// is default false) then enabling this pref can leak clipboard content
+// [WARNING] In FF88 or lower, with clipboardevents enabled, if both 'middlemouse.paste' and
+// 'general.autoScroll' are true (at least one is default false) then the clipboard can leak
 // https://bugzilla.mozilla.org/1528289
 user_pref("dom.event.clipboardevents.enabled", false);
 // -------------------------------------
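Review bot: In the @@ -1163 hunk the reworded [WARNING] says "with clipboardevents enabled", which can be read two ways: the pref left at true, or this hardening line being active. The line just below sets `dom.event.clipboardevents.enabled` to false, so a reader cannot tell whether applying the file removes the leak or triggers it. Spelling out the pref name and the value meant would settle it, for example `// [WARNING] In FF88 or lower, with 'dom.event.clipboardevents.enabled' = true, if both 'middlemouse.paste' and` if that is the intended reading. It would also help to say which of `middlemouse.paste` or `general.autoScroll` a user on FF88 or lower should check.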
@@ -1418,12 +1423,18 @@ user_pref("security.dialog_enable_delay", 700);
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // PERSISTENT STORAGE
 // >>>>>>>>>>>>>>>>>>>>>
-// Disable 3rd-party cookies and site-data [SETUP-WEB]
-// 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies,
-// 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (default)
-// [NOTE] You can set exceptions under site permissions or use an extension
+// Disable or isolate 3rd-party cookies and site-data [SETUP-WEB]
+// 0 = Accept cookies and site data
+// 1 = (Block) All third-party cookies
+// 2 = (Block) All cookies
+// 3 = (Block) Cookies from unvisited websites
+// 4 = (Block) Cross-site tracking cookies (default)
+// 5 = (Isolate All) Cross-site cookies (TCP: Total Cookie Protection / dFPI: dynamic FPI) [1] (FF86+)
+// Option 5 with FPI enabled is ignored and not shown, and option 4 used instead
+// [NOTE] You can set cookie exceptions under site permissions or use an extension
 // [NOTE] Enforcing category to custom ensures ETP related prefs are always honored
-// [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/
+// [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies
+// https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
 user_pref("network.cookie.cookieBehavior", 1);
 user_pref("browser.contentblocking.category", "custom");
 // -------------------------------------
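Review bot: The `[1]` marker added on the option 5 line has no matching label, because the Mozilla blog URL at the end of the comment is unnumbered. The ` ***/` terminator that most other sections in this diff keep on their last comment line was also dropped from `[SETTING]` without being moved to the new last line. Suggest `// [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ ***/`. The heading now reads "Disable or isolate" while the pref below stays at 1, so a short remark on the `network.cookie.cookieBehavior` line that 5 is documented but not applied here would avoid confusion.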