Update 'user.js'

This commit is contained in:
Narsil 2021-09-01 09:01:14 +00:00
parent 7710653c36
commit d64e34e017
1 changed files with 28 additions and 39 deletions

67
user.js
View File

@ -464,30 +464,6 @@ user_pref("network.http.speculative-parallel-limit", 0);
// https://www.internetsociety.org/tag/ipv6-security/
user_pref("network.dns.disableIPv6", true);
// -------------------------------------
// Disable HTTP2
// HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
// enhance privacy, and opens up a number of server-side fingerprinting opportunities
// [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites
// [STATS] ~46% of sites (July 2021)
// https://http2.github.io/faq/
// https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
// https://datatracker.ietf.org/doc/html/rfc7540#section-10.8
// https://queue.acm.org/detail.cfm?id=2716278
// https://w3techs.com/technologies/details/ce-http2/all/all ***/
// user_pref("network.http.spdy.enabled", false);
// user_pref("network.http.spdy.enabled.deps", false);
// user_pref("network.http.spdy.enabled.http2", false);
// user_pref("network.http.spdy.websockets", false); // [FF65+]
// -------------------------------------
// Disable HTTP Alternative Services [FF37+]
// [SETUP-PERF] Relax this if you have FPI enabled and you understand the
// consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
// and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
// https://tools.ietf.org/html/rfc7838#section-9
// https://www.mnot.net/blog/2016/03/09/alt-svc ***/
user_pref("network.http.altsvc.enabled", false);
user_pref("network.http.altsvc.oe", false);
// -------------------------------------
// Set the proxy server to do any DNS lookups when using SOCKS
// e.g. in Tor, this stops your local DNS server from knowing your Tor destination
// as a remote Tor node will handle the DNS request
@ -543,7 +519,7 @@ user_pref("browser.fixup.alternate.enabled", false);
// Display all parts of the url in the location bar ***/
user_pref("browser.urlbar.trimURLs", false);
// -------------------------------------
// Disable coloring of visited links - CSS history leak
// Disable coloring of visited links
// Bulk rapid history sniffing was mitigated in 2010. Slower and more expensive
// redraw timing attacks were largely mitigated in FF77+. Using RFP further hampers timing
// attacks. Don't forget clearing history on close. However, social engineering
@ -625,11 +601,11 @@ user_pref("signon.management.page.breachAlertUrl", "");
// There are no preferences for this. It is all handled internally
// [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password
// https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/
// Set how often Firefox should ask for the primary password
// Set when Firefox should prompt for the primary password
// 0=the first time (default), 1=every time it's needed, 2=every n minutes ***/
user_pref("security.ask_for_password", 2);
// -------------------------------------
// Set how often in minutes Firefox should ask for the primary password
// Set how long in minutes Firefox should remember the primary password
// in minutes, default is 30 ***/
user_pref("security.password_lifetime", 5); // [DEFAULT: 30]
// -------------------------------------
@ -887,7 +863,7 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false);
// -------------------------------------
// Disable graphite
// Graphite has had many critical security issues in the past
// https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite
// https://en.wikipedia.org/wiki/Graphite_(SIL) ***/
user_pref("gfx.font_rendering.graphite.enabled", false);
// -------------------------------------
@ -1068,7 +1044,7 @@ user_pref("javascript.options.asmjs", false);
// [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
// hidden pref is enabled, then Ion can still be used by extensions (1599226)
// [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Firefox+JIT
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit
user_pref("javascript.options.ion", false);
user_pref("javascript.options.baselinejit", false);
user_pref("javascript.options.native_regexp", false);
@ -1161,16 +1137,6 @@ user_pref("devtools.remote.adb.extensionURL", ""); // [FF64+]
user_pref("devtools.remote.adb.extensionID", "");
user_pref("devtools.selfxss.count", 0);
// -------------------------------------
// Disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
// [TEST] https://arkenfox.github.io/TZP/tzp.html#misc
// https://bugzilla.mozilla.org/1173199 ***/
user_pref("mathml.disabled", true);
// -------------------------------------
// Disable in-content SVG (Scalable Vector Graphics) [FF53+]
// [WARNING] Expect breakage including youtube player controls
// https://bugzilla.mozilla.org/1216893 ***/
// user_pref("svg.disabled", true);
// -------------------------------------
// Disable middle mouse click opening links from clipboard
// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/
user_pref("middlemouse.contentLoadURL", false);
@ -1546,6 +1512,29 @@ user_pref("permissions.default.xr", 0); // Virtual Reality
// [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy
// user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+]
// user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2]
// -------------------------------------
// Disable HTTP2
// [WHY] Passive fingerprinting. ~50% of sites use HTTP2
// https://w3techs.com/technologies/details/ce-http2/all/all
// user_pref("network.http.spdy.enabled", false);
// user_pref("network.http.spdy.enabled.deps", false);
// user_pref("network.http.spdy.enabled.http2", false);
// user_pref("network.http.spdy.websockets", false); // [FF65+]
// -------------------------------------
// Disable HTTP Alternative Services [FF37+]
// [WHY] Already isolated by network partitioning (FF85+) or FPI
// user_pref("network.http.altsvc.enabled", false);
// user_pref("network.http.altsvc.oe", false);
// -------------------------------------
// Disable MathML (Mathematical Markup Language) [FF51+]
// [WHY] Fingerprintable, breakage, threat model
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml
user_pref("mathml.disabled", true); //
// -------------------------------------
// Disable in-content SVG (Scalable Vector Graphics) [FF53+]
// [WHY] Fingerprintable, breakage, threat model
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg
// user_pref("svg.disabled", true); // 1216893
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// DON'T BOTHER: NON-RFP