diff --git a/user.js b/user.js index bc1788b..bbdac34 100644 --- a/user.js +++ b/user.js @@ -19,10 +19,7 @@ // STARTUP // >>>>>>>>>>>>>>>>>>>>> // Disable about:config warning -// FF71-72: chrome://global/content/config.xul -// FF73+: chrome://global/content/config.xhtml -user_pref("general.warnOnAboutConfig", false); // XHTML version -user_pref("browser.aboutConfig.showWarning", false); // HTML version [FF71+] +user_pref("browser.aboutConfig.showWarning", false); // ------------------------------------- // Disable separate about:welcome page // https://bugzilla.mozilla.org/show_bug.cgi?id=1617783 @@ -90,7 +87,7 @@ user_pref("browser.newtabpage.activity-stream.default.sites", ""); // GEOLOCATION // >>>>>>>>>>>>>>>>>>>>> // Disable Location-Aware Browsing -// [NOTE] Best left at default "true", fingerprintable, already behind a prompt +// [WARNING] The API state is fingerprintable. Permission is already behind a prompt // https://www.mozilla.org/firefox/geolocation/ user_pref("geo.enabled", false); user_pref("browser.search.geoip.url", ""); // [HIDDEN PREF] @@ -102,7 +99,7 @@ user_pref("browser.search.geoip.url", ""); // [HIDDEN PREF] // [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings // user_pref("permissions.default.geo", 2); // ------------------------------------- -// Use Mozilla geolocation service instead of Google when geolocation is enabled [FF74+] +// Use Mozilla geolocation service instead of Google if geolocation is granted [FF74+] // Optionally enable logging to the console (defaults to false) user_pref("geo.provider.network.url", ""); // user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF] @@ -151,8 +148,8 @@ user_pref("extensions.getAddons.browseAddons", "https://addons.mozilla.org/en-US user_pref("extensions.getAddons.get.url", "https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=en-US"); // [URL SANITIZED] user_pref("extensions.getAddons.search.browseURL", "https://addons.mozilla.org/en-US/android/search?q=%TERMS%&platform=%OS%&appver=%VERSION%"); // [URL SANITIZED] // ------------------------------------- -// Disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+] -// [NOTE] In FF65+ on Windows this SETTING (below) is now stored in a file and the pref was removed +// Disable auto-INSTALLING Firefox updates [NON-WINDOWS] +// [NOTE] You will still get prompts to update, and should do so in a timely manner // [SETTING] General>Firefox Updates>Check for updates but let you choose to install them user_pref("app.update.auto", false); user_pref("app.update.staging.enabled", false); @@ -445,7 +442,7 @@ user_pref("browser.safebrowsing.features.trackingProtection.update", false); // SYSTEM ADD-ONS / EXPERIMENTS // >>>>>>>>>>>>>>>>>>>>> // Disable Normandy/Shield [FF60+] -// Shield is an telemetry system (including Heartbeat) that can also push and test "recipes" +// Shield is a telemetry system that can push and test "recipes" // https://mozilla.github.io/normandy/ user_pref("app.normandy.enabled", false); user_pref("app.normandy.api_url", ""); @@ -527,7 +524,7 @@ user_pref("network.dns.disableIPv6", true); // [STATS] ~46% of sites (July 2021) // https://http2.github.io/faq/ // https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html -// https://http2.github.io/http2-spec/#rfc.section.10.8 +// https://datatracker.ietf.org/doc/html/rfc7540#section-10.8 // https://queue.acm.org/detail.cfm?id=2716278 // https://w3techs.com/technologies/details/ce-http2/all/all // user_pref("network.http.spdy.enabled", false); @@ -653,7 +650,7 @@ user_pref("browser.urlbar.autoFill", false); user_pref("browser.formfill.enable", false); // ------------------------------------- // Disable browsing and download history -// [NOTE] We also clear history and downloads on exiting Firefox +// [NOTE] We also clear history and downloads on exit // [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history user_pref("places.history.enabled", false); // ------------------------------------- @@ -686,8 +683,7 @@ user_pref("signon.management.page.breachAlertUrl", ""); user_pref("security.ask_for_password", 2); // ------------------------------------- // Set how often in minutes Firefox should ask for the primary password -// in minutes, default is 30 -user_pref("security.password_lifetime", 5); +user_pref("security.password_lifetime", 5); // [DEFAULT: 30] // ------------------------------------- // Disable auto-filling username & password form fields // can leak in cross-site forms *and* be spoofed @@ -717,7 +713,7 @@ user_pref("network.http.windows-sso.enabled", false); // Disable disk cache // [SETUP-PERF] If you think disk cache may help (heavy tab user, high-res video), // or you use a hardened Temporary Containers, then feel free to override this -// [NOTE] We also clear cache on exiting Firefox +// [NOTE] We also clear cache on exit user_pref("browser.cache.disk.enable", false); // ------------------------------------- // Disable memory cache @@ -935,7 +931,8 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); // user_pref("dom.securecontext.whitelist_onions", true); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -// CIPHERS [WARNING: do not meddle with your cipher suite] +// CIPHERS +// [WARNING] DO NO USE // >>>>>>>>>>>>>>>>>>>>> // Disable 3DES (effective key size < 128 and no PFS) // https://en.wikipedia.org/wiki/3des#Security @@ -983,18 +980,6 @@ user_pref("security.insecure_connection_text.pbmode.enabled", true); // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // FONTS // >>>>>>>>>>>>>>>>>>>>> -// Disable websites choosing fonts (0=block, 1=allow) -// This can limit most (but not all) JS font enumeration which is a high entropy fingerprinting vector -// [WARNING] DO NOT USE: in FF80+ RFP covers this, and non-RFP users should use font vis -// [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Allow pages to choose... -user_pref("browser.display.use_document_fonts", 0); -// ------------------------------------- -// Disable icon fonts (glyphs) and local fallback rendering -// https://bugzilla.mozilla.org/789788 -// https://gitlab.torproject.org/legacy/trac/-/issues/8455 -// user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] -// user_pref("gfx.downloadable_fonts.fallback_delay", -1); -// ------------------------------------- // Disable rendering of SVG OpenType fonts // https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this user_pref("gfx.font_rendering.opentype_svg.enabled", false); @@ -1005,11 +990,18 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); // https://en.wikipedia.org/wiki/Graphite_(SIL) user_pref("gfx.font_rendering.graphite.enabled", false); // ------------------------------------- -// Limit system font exposure to a whitelist [FF52+] [RESTART] -// If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed -// [WARNING] DO NOT USE: in FF80+ RFP covers this, and non-RFP users should use font vis -// https://bugzilla.mozilla.org/1121643 -// user_pref("font.system.whitelist", ""); // [HIDDEN PREF] +// Limit font visibility (Windows, Mac, some Linux) [FF79+] +// [NOTE] IN FF8)+ RFP ignores the pref and uses value 1 +// Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts, bundled fonts are auto-allowed +// 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts +// https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/ +// user_pref("layout.css.font-visibility.level", 1); +// ------------------------------------- +// Disable icon fonts (glyphs) and local fallback rendering +// https://bugzilla.mozilla.org/789788 +// https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/ +// user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] +// user_pref("gfx.downloadable_fonts.fallback_delay", -1); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // HEADERS / REFERERS @@ -1059,13 +1051,10 @@ user_pref("privacy.donottrackheader.enabled", false); // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // CONTAINERS // >>>>>>>>>>>>>>>>>>>>> -// Enable Container Tabs setting in preferences [FF50+] -// https://bugzilla.mozilla.org/1279029 -user_pref("privacy.userContext.ui.enabled", true); -// ------------------------------------- -// Enable Container Tabs [FF50+] +// Enable Container Tabs and it's UI setting [FF50+] // [SETTING] General>Tabs>Enable Container Tabs user_pref("privacy.userContext.enabled", true); +user_pref("privacy.userContext.ui.enabled", true); // ------------------------------------- // Set behaviour on "+ Tab" button to display container menu on left click [FF74+] // [NOTE] The menu is always shown on long press and right click @@ -1212,10 +1201,7 @@ user_pref("dom.vibrator.enabled", false); // ------------------------------------- // Disable asm.js [FF22+] [SETUP-PERF] // http://asmjs.org/ -// https://www.mozilla.org/security/advisories/mfsa2015-29/ -// https://www.mozilla.org/security/advisories/mfsa2015-50/ -// https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375 -// https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400 +// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js // https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ user_pref("javascript.options.asmjs", false); // ------------------------------------- @@ -1223,7 +1209,7 @@ user_pref("javascript.options.asmjs", false); // [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new // hidden pref is enabled, then Ion can still be used by extensions (1599226) // [WARNING] Disabling Ion/JIT can cause some site issues and performance loss -// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 +// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Firefox+JIT user_pref("javascript.options.ion", false); user_pref("javascript.options.baselinejit", false); user_pref("javascript.options.native_regexp", false); @@ -1265,7 +1251,7 @@ user_pref("dom.battery.enabled", false); // user_pref("media.media-capabilities.enabled", false); // ------------------------------------- // Disable virtual reality devices -// [WARNING] The API state is fingerprintable +// [WARNING] The API state is fingerprintable. Permission is already behind a prompt // https://developer.mozilla.org/docs/Web/API/WebVR_API user_pref("dom.vr.enabled", false); // ------------------------------------- @@ -1500,11 +1486,11 @@ user_pref("network.cookie.lifetimePolicy", 2); // ------------------------------------- // Disable offline cache (appCache) // [NOTE] In FF90+ the storage capability has been removed. -// [WARNING] The API is easily fingerprinted, do not disable ***/ +// [WARNING] The API state is fingerprintable. Storage capability was removed in FF90+ // user_pref("browser.cache.offline.enable", false); // ------------------------------------- // Disable service worker cache and cache storage -// [NOTE] We clear service worker cache on exiting Firefox +// [NOTE] We clear service worker cache on exit // https://w3c.github.io/ServiceWorker/#privacy // user_pref("dom.caches.enabled", false); // ------------------------------------- @@ -1655,9 +1641,17 @@ user_pref("browser.startup.blankWindow", false); user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -// RFP ALTERNATIVES +// PERSONAL // >>>>>>>>>>>>>>>>>>>>> -// Spoof number of CPU cores [FF48+] +user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch +user_pref("startup.homepage_welcome_url", ""); +user_pref("startup.homepage_welcome_url.additional", ""); +user_pref("startup.homepage_override_url", ""); // What's New page after updates +// +// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +// DON'T BOTHER: NON-RFP +// >>>>>>>>>>>>>>>>>>>>> +// Spoof number of CPU cores [FF48+] ***/ // user_pref("dom.maxHardwareConcurrency", 2); // ------------------------------------- // Disable Resource Timing API @@ -1666,13 +1660,13 @@ user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] // Disable Navigation Timing API // user_pref("dom.enable_performance", false); // ------------------------------------- -// Disable device sensor API -user_pref("device.sensors.enabled", false); +// Disable device Sensor APIs +// user_pref("device.sensors.enabled", false); // ------------------------------------- // Disable remembering site specific zoom // user_pref("browser.zoom.siteSpecific", false); // ------------------------------------- -// Disable gamepad API - USB device ID enumeration +// Disable gamepad API to prevent USB device ID enumeration // user_pref("dom.gamepad.enabled", false); // ------------------------------------- // Disable Network Information API [FF31+] @@ -1684,7 +1678,7 @@ user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android] // Disable video statistics to mitigate JS performance fingerprinting [FF25+] // user_pref("media.video_stats.enabled", false); // ------------------------------------- -// Disable touch events [FENNEC BUG] +// Disable touch events: 0=disabled, 1=enabled, 2=autodetect [FENNEC BUG] user_pref("dom.w3c_touch_events.enabled", 1); // ------------------------------------- // Disable media device enumeration [FF29+] @@ -1696,28 +1690,29 @@ user_pref("media.navigator.enabled", false); // Disable WebGL debug info being available to websites // user_pref("webgl.enable-debug-renderer-info", false); // ------------------------------------- -// Enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] -// 0=no-preference, 1=reduce +// Enforce prefers-reduced-motion as no-preference: 0=no-preference, 1=reduce [FF63+] [RESTART] // user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] // ------------------------------------- // Disable exposure of system colors to CSS or canvas [FF44+] // user_pref("ui.use_standins_for_native_colors", true); // ------------------------------------- -// Enforce prefers-color-scheme as light [FF67+] -// 0=light, 1=dark : This overrides your OS value +// Enforce prefers-color-scheme as light: 0=light, 1=dark [FF67+] // user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] // ------------------------------------- // Disable Web Audio API [FF51+] user_pref("dom.webaudio.enabled", false); // ------------------------------------- -// Limit font visibility (Windows, Mac, some Linux) [FF79+] -// Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed -// 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts -// https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/ -// user_pref("layout.css.font-visibility.level", 1); +// Disable websites choosing fonts (0=block, 1=allow) ***/ +// user_pref("browser.display.use_document_fonts", 0); +// ------------------------------------- +// Limit system font exposure to a whitelist [FF52+] [RESTART] +// If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed +// [NOTE] In FF81+ the whitelist overrides RFP and font visibility +// https://bugzilla.mozilla.org/1121643 +// user_pref("font.system.whitelist", ""); // [HIDDEN PREF] // ------------------------------------- // Navigator DOM object overrides -// [WARNING] NO NOT USE: these prefs are insufficient and leak +// [WHY] These prefs are insufficient and leak // user_pref("general.appname.override", ""); // [HIDDEN PREF] // user_pref("general.appversion.override", ""); // [HIDDEN PREF] // user_pref("general.buildID.override", "20181001000000"); // [HIDDEN PREF] @@ -1726,14 +1721,6 @@ user_pref("dom.webaudio.enabled", false); // user_pref("general.useragent.override", "Mozilla/5.0 (Android 9; Mobile; rv:78.0) Gecko/78.0 Firefox/78.0"); // [HIDDEN PREF] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -// PERSONAL -// >>>>>>>>>>>>>>>>>>>>> -user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch -user_pref("startup.homepage_welcome_url", ""); -user_pref("startup.homepage_welcome_url.additional", ""); -user_pref("startup.homepage_override_url", ""); // What's New page after updates -// -// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // WARNINGS // >>>>>>>>>>>>>>>>>>>>> user_pref("browser.tabs.warnOnClose", false); @@ -1798,6 +1785,7 @@ user_pref("default-browser-agent.enabled", false); // Test user.js in about:config user_pref("_config.applied", true); // + // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // DEPRECATED / REMOVED / LEGACY / RENAMED // >>>>>>>>>>>>>>>>>>>>> @@ -1819,7 +1807,7 @@ user_pref("browser.search.geoSpecificDefaults.url", ""); // ------------------------------------- // FF86 // Disable SSL Error Reporting -// https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html +// https://firefox-source-docs.mozilla.org/main/65.0/browser/base/sslerrorreport/preferences.html // https://bugzilla.mozilla.org/1681839 user_pref("security.ssl.errorReporting.automatic", false); user_pref("security.ssl.errorReporting.enabled", false);