Update 'user.js'

Narsil 2021-08-22 15:08:37 +00:00
parent a409696eee
commit b64a6e6237
1 changed files with 60 additions and 126 deletions

186
user.js

@ -729,9 +729,6 @@ user_pref("browser.shell.shortcutFavicons", false);
// control that instead; e.g. disable history, clear history on close, use PB mode
// [NOTE] favicons.sqlite is sanitized on Firefox close, not in-session ***/
user_pref("browser.chrome.site_icons", false);
// -------------------------------------
// Disable favicons in web notifications ***/
user_pref("alerts.showFavicons", false); // [DEFAULT: false]
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
@ -853,13 +850,12 @@ user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: tru
// Disable insecure passive content (such as images) on https pages [SETUP-WEB] ***/
user_pref("security.mixed_content.block_display_content", true);
// -------------------------------------
// Enable HTTPS-Only mode [FF76+]
// When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored
// [SETTING] to add site exceptions: Ctrl+I>HTTPS-Only mode>On/Off/Off temporarily
// [SETTING] Privacy & Security>HTTPS-Only Mode
// Enable HTTPS-Only mode in all windows [FF76+]
// When the top-level is HTTPS, insecure subresources are also upgraded (silent fail)
// [SETTING] to add site exceptions: Ctrl+I>HTTPS-Only mode>On (after "Continue to HTTP Site")
// [SETTING] Privacy & Security>HTTPS-Only Mode (and manage exceptions)
// [TEST] http://example.com [upgrade]
// [TEST] http://neverssl.org/ [no upgrade]
// https://bugzilla.mozilla.org/1613063 [META] ***/
// http://neverssl.com/ [no upgrade]
user_pref("dom.security.https_only_mode", true); // [FF76+]
user_pref("dom.security.https_only_mode_pbm", true); // [FF80+]
// -------------------------------------
@ -879,27 +875,7 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false);
// user_pref("dom.securecontext.whitelist_onions", true);
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// CIPHERS
// [WARNING: DO NOT USE
// >>>>>>>>>>>>>>>>>>>>>
// Disable 3DES (effective key size < 128 and no PFS)
// https://en.wikipedia.org/wiki/3des#Security
// https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
// https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ***/
// user_pref("security.ssl3.rsa_des_ede3_sha", false);
// -------------------------------------
// Disable the remaining non-modern cipher suites as of FF78 (in order of preferred by FF) ***/
// user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false);
// user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
// user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
// user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false);
// user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS
// user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS
// user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS
// user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// UI (User Interface) ***/
// UI (User Interface)
// >>>>>>>>>>>>>>>>>>>>>
// Display warning on the padlock for "broken security"
// Bug: warning padlock not indicated for subresources on a secure page!
@ -926,7 +902,7 @@ user_pref("security.insecure_connection_text.enabled", true); // [FF60+]
user_pref("security.insecure_connection_text.pbmode.enabled", true);
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// FONTS ***/
// FONTS
// >>>>>>>>>>>>>>>>>>>>>
// Disable rendering of SVG OpenType fonts
// https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
@ -939,7 +915,7 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false);
user_pref("gfx.font_rendering.graphite.enabled", false);
// -------------------------------------
// Limit font visibility (Windows, Mac, some Linux) [FF79+]
// [NOTE] IN FF8)+ RFP ignores the pref and uses value 1
// [NOTE] IN FF80+ RFP ignores the pref and uses value 1
// Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts, bundled fonts are auto-allowed
// 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
// https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
@ -1095,7 +1071,7 @@ user_pref("dom.push.serverURL", "");
user_pref("dom.push.userAgentID", "");
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/
// DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT
// >>>>>>>>>>>>>>>>>>>>>
// Disable website control over browser right-click context menu
// [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/
@ -1160,7 +1136,7 @@ user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN
user_pref("javascript.options.wasm", false);
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// HARDWARE FINGERPRINTING ***/
// FINGERPRINTING
// >>>>>>>>>>>>>>>>>>>>>
// Disable Battery Status API
// Initially a Linux issue (high precision readout) that was fixed.
@ -1170,34 +1146,17 @@ user_pref("javascript.options.wasm", false);
// https://bugzilla.mozilla.org/1313580 ***/
user_pref("dom.battery.enabled", false);
// -------------------------------------
// Disable hardware acceleration [SETUP-HARDEN]
// WARNING] Affects rendering and performance
// and parts of Quantum that utilize the GPU will also be affected as they are rolled out
// [SETTING] General>Performance>Custom>Use hardware acceleration when available
// https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/
// user_pref("gfx.direct2d.disabled", true);
// user_pref("layers.acceleration.disabled", true);
// -------------------------------------
// Disable Media Capabilities API [FF63+]
// [WARNING] The API state is fingerprintable and disabling may affect performance
// https://github.com/WICG/media-capabilities
// https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/
// user_pref("media.media-capabilities.enabled", false);
// -------------------------------------
// Disable WebGL (Web Graphics Library)
// [SETUP-WEB] When disabled, may break some websites. When enabled, provides high entropy,
// especially with readPixels(). Some of the other entropy is lessened with RFP
// https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
// https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/
user_pref("webgl.disabled", true);
user_pref("webgl.enable-webgl2", false);
// -------------------------------------
// Limit WebGL
// user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+]
// -------------------------------------
// Enforce no system colors
// [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors
user_pref("browser.display.use_system_colors", false); // [DEFAULT: false]
// -------------------------------------
// Enforce non-native widget theme
// Security: removes/reduces system API calls, e.g. win32k API
// Fingerprinting: provides a uniform look and feel across platforms
// https://bugzilla.mozilla.org/1381938
// https://bugzilla.mozilla.org/1411425
user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+]
// -------------------------------------
// Open links targeting new windows in a new tab instead
// Stops malicious window sizes and some screen resolution leaks.
// You can still right-click a link and open in a new window
@ -1205,15 +1164,18 @@ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false]
// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881
user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab
user_pref("browser.link.open_newwindow.restriction", 0);
// Enforce non-native widget theme
// Security: removes/reduces system API calls, e.g. win32k API
// Fingerprinting: provides a uniform look and feel across platforms
// https://bugzilla.mozilla.org/1381938
// https://bugzilla.mozilla.org/1411425
user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+]
// -------------------------------------
// Disable/limit WebGL (Web Graphics Library)
// [SETUP-WEB] When disabled, will break some websites. When enabled, provides high entropy,
// especially with readPixels(). Some of the other entropy is lessened with RFP (4501)
// https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
// https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern
user_pref("webgl.disabled", true);
// user_pref("webgl.enable-webgl2", false);
// user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+]
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// MISCELLANEOUS ***/
// MISCELLANEOUS
// >>>>>>>>>>>>>>>>>>>>>
// Prevent accessibility services from accessing your browser [RESTART]
// [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower)
@ -1547,10 +1509,6 @@ user_pref("extensions.webextensions.identity.redirectDomain", "");
// When default true this no longer masks the RFP chrome resizing activity
// https://bugzilla.mozilla.org/1448423 ***/
user_pref("browser.startup.blankWindow", false);
// -------------------------------------
// Disable chrome animations [FF77+] [RESTART]
// [NOTE] pref added in FF63, but applied to chrome in FF77. RFP spoofs this for web content ***/
user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF]
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// WELCOME & WHAT'S NEW NOTICES
@ -1573,7 +1531,11 @@ user_pref("browser.warnOnQuit", false);
// APPEARANCE
// >>>>>>>>>>>>>>>>>>>>>
// user_pref("browser.download.autohideButton", false); // [FF57+]
// user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF]
// 0=light, 1=dark: with RFP this only affects chrome
// user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent
// user_pref("ui.prefersReducedMotion", 1); // disable chrome animations [FF77+] [RESTART] [HIDDEN PREF]
// 0=no-preference, 1=reduce: with RFP this only affects chrome
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// CONTENT BEHAVIOR
@ -1642,78 +1604,50 @@ user_pref("permissions.default.camera", 2);
user_pref("permissions.default.microphone", 2);
user_pref("permissions.default.desktop-notification", 2);
user_pref("permissions.default.xr", 0); // Virtual Reality
// -------------------------------------
// Disable non-modern cipher suites
// [WHY] Passive fingerprinting. Minimal/non-existent threat of downgrade attacks
// https://browserleaks.com/ssl
// user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false);
// user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
// user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
// user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false);
// user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS
// user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS
// user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS
// user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS
// user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// DON'T BOTHER: NON-RFP
// >>>>>>>>>>>>>>>>>>>>>
// Spoof number of CPU cores [FF48+] ***/
// user_pref("dom.maxHardwareConcurrency", 2);
// -------------------------------------
// Disable Resource Timing API
// user_pref("dom.enable_resource_timing", false);
// -------------------------------------
// Disable Navigation Timing API
// user_pref("dom.enable_performance", false);
// -------------------------------------
// Disable device Sensor APIs
// Disable APIs
user_pref("device.sensors.enabled", false);
// -------------------------------------
// Disable remembering site specific zoom
// user_pref("browser.zoom.siteSpecific", false);
// -------------------------------------
// Disable gamepad API to prevent USB device ID enumeration
// user_pref("dom.enable_performance", false);
// user_pref("dom.enable_resource_timing", false);
// user_pref("dom.gamepad.enabled", false);
// -------------------------------------
// Disable Network Information API [FF31+]
user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android]
// -------------------------------------
// Disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API
// user_pref("media.webspeech.synth.enabled", false);
// -------------------------------------
// Disable video statistics to mitigate JS performance fingerprinting [FF25+]
// user_pref("media.video_stats.enabled", false);
// -------------------------------------
// Disable touch events: 0=disabled, 1=enabled, 2=autodetect [FENNEC BUG]
user_pref("dom.w3c_touch_events.enabled", 1);
// -------------------------------------
// Disable media device enumeration [FF29+]
user_pref("media.navigator.enabled", false);
// -------------------------------------
// Disable MediaDevices change detection [FF51+]
// user_pref("media.ondevicechange.enabled", false);
// -------------------------------------
// Disable WebGL debug info being available to websites
// user_pref("webgl.enable-debug-renderer-info", false);
// -------------------------------------
// Enforce prefers-reduced-motion as no-preference: 0=no-preference, 1=reduce [FF63+] [RESTART]
// user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF]
// -------------------------------------
// Disable exposure of system colors to CSS or canvas [FF44+]
// user_pref("ui.use_standins_for_native_colors", true);
// -------------------------------------
// Enforce prefers-color-scheme as light: 0=light, 1=dark [FF67+]
// user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
// -------------------------------------
// Disable Web Audio API [FF51+]
user_pref("dom.webaudio.enabled", false);
// -------------------------------------
// Disable websites choosing fonts (0=block, 1=allow) ***/
// Disable other
// user_pref("browser.display.use_document_fonts", 0);
// user_pref("browser.zoom.siteSpecific", false);
// user_pref("media.webspeech.synth.enabled", false);
user_pref("dom.w3c_touch_events.enabled", 0);
user_pref("media.navigator.enabled", false);
// user_pref("media.ondevicechange.enabled", false);
// user_pref("media.video_stats.enabled", false);
// user_pref("media.webspeech.synth.enabled", false);
// user_pref("webgl.enable-debug-renderer-info", false);
user_pref("dom.webaudio.enabled", false);
// -------------------------------------
// Limit system font exposure to a whitelist [FF52+] [RESTART]
// If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed
// [NOTE] In FF81+ the whitelist overrides RFP and font visibility
// https://bugzilla.mozilla.org/1121643
// user_pref("font.system.whitelist", ""); // [HIDDEN PREF]
// -------------------------------------
// Navigator DOM object overrides
// [WHY] These prefs are insufficient and leak
// Spoof
// user_pref("general.appname.override", ""); // [HIDDEN PREF]
// user_pref("general.appversion.override", ""); // [HIDDEN PREF]
user_pref("general.buildID.override", "20181001000000"); // [HIDDEN PREF]
// user_pref("general.oscpu.override", ""); // [HIDDEN PREF]
// user_pref("general.platform.override", ""); // [HIDDEN PREF]
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"); // [HIDDEN PREF]
// user_pref("ui.use_standins_for_native_colors", true);
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// DEPRECATED / REMOVED / LEGACY / RENAMED
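Review bot: The active `general.useragent.override` (pinned to `Firefox/78.0`) and `general.buildID.override` in the last hunk (`-1642,78 +1604,50`) appear to lose their caveat: the heading `// [WHY] These prefs are insufficient and leak` seems to be replaced by a bare `// Spoof`. This page has lost the `+`/`-` markers, so that reading is inferred from the hunk's line counts and print order. A fixed user-agent string goes stale as the browser updates, and a site can contradict it through feature detection, so the warning is worth keeping directly above the two active lines, e.g. `// [WARNING] static UA/buildID overrides are insufficient and leak; they go stale and can be contradicted by feature detection`. In the same hunk `// user_pref("media.webspeech.synth.enabled", false);` is listed twice under "Disable other"; one copy can be dropped.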