Update 'user.js'

2021-08-19 09:28:17 +00:00 · 2021-08-19 09:28:17 +00:00 · 7cfeeed3cd
parent 3873fec8aa
commit 7cfeeed3cd
1 changed files with 58 additions and 70 deletions
--- a/user.js
+++ b/user.js
@ -19,10 +19,7 @@
 // STARTUP
 // >>>>>>>>>>>>>>>>>>>>>
 // Disable about:config warning
-// FF71-72: chrome://global/content/config.xul
-// FF73+: chrome://global/content/config.xhtml
-user_pref("general.warnOnAboutConfig", false); // XHTML version
-user_pref("browser.aboutConfig.showWarning", false); // HTML version [FF71+]
+user_pref("browser.aboutConfig.showWarning", false);
 // -------------------------------------
 // Disable separate about:welcome page
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1617783
@ -90,7 +87,7 @@ user_pref("browser.newtabpage.activity-stream.default.sites", "");
 // GEOLOCATION
 // >>>>>>>>>>>>>>>>>>>>>
 // Disable Location-Aware Browsing
-// [NOTE] Best left at default "true", fingerprintable, already behind a prompt
+// [WARNING] The API state is fingerprintable. Permission is already behind a prompt
 // https://www.mozilla.org/firefox/geolocation/
 user_pref("geo.enabled", false);
 user_pref("browser.search.geoip.url", ""); // [HIDDEN PREF]
@ -102,7 +99,7 @@ user_pref("browser.search.geoip.url", ""); // [HIDDEN PREF]
 // [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings
 // user_pref("permissions.default.geo", 2);
 // -------------------------------------
-// Use Mozilla geolocation service instead of Google when geolocation is enabled [FF74+]
+// Use Mozilla geolocation service instead of Google if geolocation is granted [FF74+]
 // Optionally enable logging to the console (defaults to false)
 user_pref("geo.provider.network.url", "");
 // user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF]
@ -151,8 +148,8 @@ user_pref("extensions.getAddons.browseAddons", "https://addons.mozilla.org/en-US
 user_pref("extensions.getAddons.get.url", "https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=en-US"); // [URL SANITIZED]
 user_pref("extensions.getAddons.search.browseURL", "https://addons.mozilla.org/en-US/android/search?q=%TERMS%&platform=%OS%&appver=%VERSION%"); // [URL SANITIZED]
 // -------------------------------------
-// Disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+]
-// [NOTE] In FF65+ on Windows this SETTING (below) is now stored in a file and the pref was removed
+// Disable auto-INSTALLING Firefox updates [NON-WINDOWS]
+// [NOTE] You will still get prompts to update, and should do so in a timely manner
 // [SETTING] General>Firefox Updates>Check for updates but let you choose to install them
 user_pref("app.update.auto", false);
 user_pref("app.update.staging.enabled", false);
@ -445,7 +442,7 @@ user_pref("browser.safebrowsing.features.trackingProtection.update", false);
 // SYSTEM ADD-ONS / EXPERIMENTS
 // >>>>>>>>>>>>>>>>>>>>>
 // Disable Normandy/Shield [FF60+]
-// Shield is an telemetry system (including Heartbeat) that can also push and test "recipes"
+// Shield is a telemetry system that can push and test "recipes"
 // https://mozilla.github.io/normandy/
 user_pref("app.normandy.enabled", false);
 user_pref("app.normandy.api_url", "");
@ -527,7 +524,7 @@ user_pref("network.dns.disableIPv6", true);
 // [STATS] ~46% of sites (July 2021)
 // https://http2.github.io/faq/
 // https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
-// https://http2.github.io/http2-spec/#rfc.section.10.8
+// https://datatracker.ietf.org/doc/html/rfc7540#section-10.8
 // https://queue.acm.org/detail.cfm?id=2716278
 // https://w3techs.com/technologies/details/ce-http2/all/all
 // user_pref("network.http.spdy.enabled", false);
@ -653,7 +650,7 @@ user_pref("browser.urlbar.autoFill", false);
 user_pref("browser.formfill.enable", false);
 // -------------------------------------
 // Disable browsing and download history
-// [NOTE] We also clear history and downloads on exiting Firefox
+// [NOTE] We also clear history and downloads on exit
 // [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history
 user_pref("places.history.enabled", false);
 // -------------------------------------
@ -686,8 +683,7 @@ user_pref("signon.management.page.breachAlertUrl", "");
 user_pref("security.ask_for_password", 2);
 // -------------------------------------
 // Set how often in minutes Firefox should ask for the primary password
-// in minutes, default is 30
-user_pref("security.password_lifetime", 5);
+user_pref("security.password_lifetime", 5); // [DEFAULT: 30]
 // -------------------------------------
 // Disable auto-filling username & password form fields
 // can leak in cross-site forms *and* be spoofed
@ -717,7 +713,7 @@ user_pref("network.http.windows-sso.enabled", false);
 // Disable disk cache
 // [SETUP-PERF] If you think disk cache may help (heavy tab user, high-res video),
 // or you use a hardened Temporary Containers, then feel free to override this
-// [NOTE] We also clear cache on exiting Firefox
+// [NOTE] We also clear cache on exit
 user_pref("browser.cache.disk.enable", false);
 // -------------------------------------
 // Disable memory cache
@ -935,7 +931,8 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false);
 // user_pref("dom.securecontext.whitelist_onions", true);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// CIPHERS [WARNING: do not meddle with your cipher suite]
+// CIPHERS 
+// [WARNING] DO NO USE
 // >>>>>>>>>>>>>>>>>>>>>
 // Disable 3DES (effective key size < 128 and no PFS)
 // https://en.wikipedia.org/wiki/3des#Security
@ -983,18 +980,6 @@ user_pref("security.insecure_connection_text.pbmode.enabled", true);
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // FONTS
 // >>>>>>>>>>>>>>>>>>>>>
-// Disable websites choosing fonts (0=block, 1=allow)
-// This can limit most (but not all) JS font enumeration which is a high entropy fingerprinting vector
-// [WARNING] DO NOT USE: in FF80+ RFP covers this, and non-RFP users should use font vis
-// [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Allow pages to choose...
-user_pref("browser.display.use_document_fonts", 0);
-// -------------------------------------
-// Disable icon fonts (glyphs) and local fallback rendering
-// https://bugzilla.mozilla.org/789788
-// https://gitlab.torproject.org/legacy/trac/-/issues/8455
-// user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+]
-// user_pref("gfx.downloadable_fonts.fallback_delay", -1);
-// -------------------------------------
 // Disable rendering of SVG OpenType fonts
 // https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this
 user_pref("gfx.font_rendering.opentype_svg.enabled", false);
@ -1005,11 +990,18 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false);
 // https://en.wikipedia.org/wiki/Graphite_(SIL)
 user_pref("gfx.font_rendering.graphite.enabled", false);
 // -------------------------------------
-// Limit system font exposure to a whitelist [FF52+] [RESTART]
-// If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed
-// [WARNING] DO NOT USE: in FF80+ RFP covers this, and non-RFP users should use font vis
-// https://bugzilla.mozilla.org/1121643
-// user_pref("font.system.whitelist", ""); // [HIDDEN PREF]
+// Limit font visibility (Windows, Mac, some Linux) [FF79+]
+// [NOTE] IN FF8)+ RFP ignores the pref and uses value 1
+// Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts, bundled fonts are auto-allowed
+// 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
+// https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
+// user_pref("layout.css.font-visibility.level", 1);
+// -------------------------------------
+// Disable icon fonts (glyphs) and local fallback rendering
+// https://bugzilla.mozilla.org/789788
+// https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/
+// user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+]
+// user_pref("gfx.downloadable_fonts.fallback_delay", -1);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // HEADERS / REFERERS
@ -1059,13 +1051,10 @@ user_pref("privacy.donottrackheader.enabled", false);
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // CONTAINERS
 // >>>>>>>>>>>>>>>>>>>>>
-// Enable Container Tabs setting in preferences [FF50+]
-// https://bugzilla.mozilla.org/1279029
-user_pref("privacy.userContext.ui.enabled", true);
-// -------------------------------------
-// Enable Container Tabs [FF50+]
+// Enable Container Tabs and it's UI setting [FF50+]
 // [SETTING] General>Tabs>Enable Container Tabs
 user_pref("privacy.userContext.enabled", true);
+user_pref("privacy.userContext.ui.enabled", true);
 // -------------------------------------
 // Set behaviour on "+ Tab" button to display container menu on left click [FF74+]
 // [NOTE] The menu is always shown on long press and right click
@ -1212,10 +1201,7 @@ user_pref("dom.vibrator.enabled", false);
 // -------------------------------------
 // Disable asm.js [FF22+] [SETUP-PERF]
 // http://asmjs.org/
-// https://www.mozilla.org/security/advisories/mfsa2015-29/
-// https://www.mozilla.org/security/advisories/mfsa2015-50/
-// https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
-// https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
+// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js
 // https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
 user_pref("javascript.options.asmjs", false);
 // -------------------------------------
@ -1223,7 +1209,7 @@ user_pref("javascript.options.asmjs", false);
 // [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
 // hidden pref is enabled, then Ion can still be used by extensions (1599226)
 // [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
-// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
+// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Firefox+JIT
 user_pref("javascript.options.ion", false);
 user_pref("javascript.options.baselinejit", false);
 user_pref("javascript.options.native_regexp", false);
@ -1265,7 +1251,7 @@ user_pref("dom.battery.enabled", false);
 // user_pref("media.media-capabilities.enabled", false);
 // -------------------------------------
 // Disable virtual reality devices
-// [WARNING] The API state is fingerprintable
+// [WARNING] The API state is fingerprintable. Permission is already behind a prompt
 // https://developer.mozilla.org/docs/Web/API/WebVR_API
 user_pref("dom.vr.enabled", false);
 // -------------------------------------
@ -1500,11 +1486,11 @@ user_pref("network.cookie.lifetimePolicy", 2);
 // -------------------------------------
 // Disable offline cache (appCache)
 // [NOTE] In FF90+ the storage capability has been removed.
-// [WARNING] The API is easily fingerprinted, do not disable ***/
+// [WARNING] The API state is fingerprintable. Storage capability was removed in FF90+
 // user_pref("browser.cache.offline.enable", false);
 // -------------------------------------
 // Disable service worker cache and cache storage
-// [NOTE] We clear service worker cache on exiting Firefox
+// [NOTE] We clear service worker cache on exit
 // https://w3c.github.io/ServiceWorker/#privacy
 // user_pref("dom.caches.enabled", false);
 // -------------------------------------
@ -1655,9 +1641,17 @@ user_pref("browser.startup.blankWindow", false);
 user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF]
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// RFP ALTERNATIVES
+// PERSONAL
 // >>>>>>>>>>>>>>>>>>>>>
-// Spoof number of CPU cores [FF48+]
+user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
+user_pref("startup.homepage_welcome_url", "");
+user_pref("startup.homepage_welcome_url.additional", "");
+user_pref("startup.homepage_override_url", ""); // What's New page after updates
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// DON'T BOTHER: NON-RFP
+// >>>>>>>>>>>>>>>>>>>>>
+// Spoof number of CPU cores [FF48+] ***/
 // user_pref("dom.maxHardwareConcurrency", 2);
 // -------------------------------------
 // Disable Resource Timing API
@ -1666,13 +1660,13 @@ user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF]
 // Disable Navigation Timing API
 // user_pref("dom.enable_performance", false);
 // -------------------------------------
-// Disable device sensor API
-user_pref("device.sensors.enabled", false);
+// Disable device Sensor APIs
+// user_pref("device.sensors.enabled", false);
 // -------------------------------------
 // Disable remembering site specific zoom
 // user_pref("browser.zoom.siteSpecific", false);
 // -------------------------------------
-// Disable gamepad API - USB device ID enumeration
+// Disable gamepad API to prevent USB device ID enumeration
 // user_pref("dom.gamepad.enabled", false);
 // -------------------------------------
 // Disable Network Information API [FF31+]
@ -1684,7 +1678,7 @@ user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android]
 // Disable video statistics to mitigate JS performance fingerprinting [FF25+]
 // user_pref("media.video_stats.enabled", false);
 // -------------------------------------
-// Disable touch events [FENNEC BUG]
+// Disable touch events: 0=disabled, 1=enabled, 2=autodetect [FENNEC BUG]
 user_pref("dom.w3c_touch_events.enabled", 1);
 // -------------------------------------
 // Disable media device enumeration [FF29+]
@ -1696,28 +1690,29 @@ user_pref("media.navigator.enabled", false);
 // Disable WebGL debug info being available to websites
 // user_pref("webgl.enable-debug-renderer-info", false);
 // -------------------------------------
-// Enforce prefers-reduced-motion as no-preference [FF63+] [RESTART]
-// 0=no-preference, 1=reduce
+// Enforce prefers-reduced-motion as no-preference: 0=no-preference, 1=reduce [FF63+] [RESTART]
 // user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF]
 // -------------------------------------
 // Disable exposure of system colors to CSS or canvas [FF44+]
 // user_pref("ui.use_standins_for_native_colors", true);
 // -------------------------------------
-// Enforce prefers-color-scheme as light [FF67+]
-// 0=light, 1=dark : This overrides your OS value
+// Enforce prefers-color-scheme as light: 0=light, 1=dark [FF67+]
 // user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
 // -------------------------------------
 // Disable Web Audio API [FF51+]
 user_pref("dom.webaudio.enabled", false);
 // -------------------------------------
-// Limit font visibility (Windows, Mac, some Linux) [FF79+]
-// Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
-// 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
-// https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
-// user_pref("layout.css.font-visibility.level", 1);
+// Disable websites choosing fonts (0=block, 1=allow) ***/
+// user_pref("browser.display.use_document_fonts", 0);
+// -------------------------------------
+// Limit system font exposure to a whitelist [FF52+] [RESTART]
+// If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed
+// [NOTE] In FF81+ the whitelist overrides RFP and font visibility
+// https://bugzilla.mozilla.org/1121643
+// user_pref("font.system.whitelist", ""); // [HIDDEN PREF]
 // -------------------------------------
 // Navigator DOM object overrides
-// [WARNING] NO NOT USE: these prefs are insufficient and leak
+// [WHY] These prefs are insufficient and leak
 // user_pref("general.appname.override", ""); // [HIDDEN PREF]
 // user_pref("general.appversion.override", ""); // [HIDDEN PREF]
 // user_pref("general.buildID.override", "20181001000000"); // [HIDDEN PREF]
@ -1726,14 +1721,6 @@ user_pref("dom.webaudio.enabled", false);
 // user_pref("general.useragent.override", "Mozilla/5.0 (Android 9; Mobile; rv:78.0) Gecko/78.0 Firefox/78.0"); // [HIDDEN PREF]
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// PERSONAL
-// >>>>>>>>>>>>>>>>>>>>>
-user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
-user_pref("startup.homepage_welcome_url", "");
-user_pref("startup.homepage_welcome_url.additional", "");
-user_pref("startup.homepage_override_url", ""); // What's New page after updates
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // WARNINGS
 // >>>>>>>>>>>>>>>>>>>>>
 user_pref("browser.tabs.warnOnClose", false);
@ -1798,6 +1785,7 @@ user_pref("default-browser-agent.enabled", false);
 // Test user.js in about:config
 user_pref("_config.applied", true);
 //
+
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // DEPRECATED / REMOVED / LEGACY / RENAMED
 // >>>>>>>>>>>>>>>>>>>>>
@ -1819,7 +1807,7 @@ user_pref("browser.search.geoSpecificDefaults.url", "");
 // -------------------------------------
 // FF86
 // Disable SSL Error Reporting
-// https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html
+// https://firefox-source-docs.mozilla.org/main/65.0/browser/base/sslerrorreport/preferences.html
 // https://bugzilla.mozilla.org/1681839
 user_pref("security.ssl.errorReporting.automatic", false);
 user_pref("security.ssl.errorReporting.enabled", false);