From 7d0c33d89f71acebadb75c4bd3402154b0ed8403 Mon Sep 17 00:00:00 2001
From: Narsil
Date: Wed, 1 Sep 2021 08:43:11 +0000
Subject: [PATCH] Update 'user.js'
---
 user.js | 255 ++++++++++++++++++++++++++------------------------
 1 file changed, 119 insertions(+), 136 deletions(-)
diff --git a/user.js b/user.js
index 22e7706..9c04a1e 100644
--- a/user.js
+++ b/user.js
@@ -780,27 +780,9 @@ user_pref("browser.chrome.site_icons", false);
 // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
 user_pref("security.ssl.require_safe_negotiation", true);
 // -------------------------------------
-// Control TLS versions with min and max
-// 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
-// [WARNING] Leave these at default, otherwise you alter your TLS fingerprint
-// https://www.ssllabs.com/ssl-pulse/
-// user_pref("security.tls.version.min", 3); // [DEFAULT: 3]
-// user_pref("security.tls.version.max", 4);
-// -------------------------------------
-// Enforce TLS 1.0 and 1.1 downgrades as session only ***/
+// Reset TLS 1.0 and 1.1 downgrades i.e. session only
 user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false]
 // -------------------------------------
-// Disable SSL session tracking [FF36+]
-// SSL Session IDs are unique and last up to 24hrs in Firefox (or longer with prolongation attacks)
-// These are not used in PB mode. In normal windows they are isolated when using FPI
-// and/or containers. In FF85+ they are isolated by default (privacy.partition.network_state)
-// [WARNING] There are perf and passive fingerprinting costs, for little to no gain. Preventing
-// tracking via this method does not address IPs, nor handle any sanitizing of current identifiers
-// https://tools.ietf.org/html/rfc5077
-// https://bugzilla.mozilla.org/967977
-// https://arxiv.org/abs/1810.07304
-user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF]
-// -------------------------------------
 // Disable TLS1.3 0-RTT (round-trip time) [FF51+]
 // https://github.com/tlswg/tls13-spec/issues/1001
 // https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/
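Review bot: Dropping `security.ssl.disable_session_identifiers` from the active set (it reappears only as a commented-out entry elsewhere in this patch) does not reset it in an existing profile: the last `user_pref` value written to prefs.js persists until something overwrites it, so anyone who applied the previous revision keeps session IDs disabled while the file now implies the default. If that is intended, say so next to the section, e.g. `// [NOTE] prefs removed from this file are not reset in existing profiles: reset them manually or list them under DEPRECATED / REMOVED`. The reworded `Reset TLS 1.0 and 1.1 downgrades i.e. session only` also loses the point that this line is an enforcement of the default; `// Enforce session-only TLS 1.0 and 1.1 downgrades` keeps it.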
@@ -904,11 +886,6 @@ user_pref("dom.security.https_only_mode_pbm", true); // [FF80+]
 // This is done to avoid waiting for a timeout which takes 90 seconds
 // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945
 user_pref("dom.security.https_only_mode_send_http_background_request", false);
-// -------------------------------------
-// Treat .onion as a secure context [FF60+] [TOR]
-// [NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser
-// https://bugzilla.mozilla.org/1382359
-// user_pref("dom.securecontext.whitelist_onions", true);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // UI (User Interface)
@@ -966,47 +943,19 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // HEADERS / REFERERS
 // >>>>>>>>>>>>>>>>>>>>>
-// Control when images/links send a referer
-// 0=never, 1=send only when links are clicked, 2=for links and images (default)
-// user_pref("network.http.sendRefererHeader", 2);
-// -------------------------------------
-// Control the amount of information to send
-// 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port
-// user_pref("network.http.referer.trimmingPolicy", 0);
-// -------------------------------------
-// Control when to send a referer
+// Control when to send a cross origin referer
 // 0=always (default), 1=only if base domains match, 2=only if hosts match
 // [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud, instagram
 user_pref("network.http.referer.XOriginPolicy", 2);
 // -------------------------------------
-// Control the amount of information to send [FF52+]
+// Control the amount of cross origin information to send [FF52+]
 // 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port
 user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
 // -------------------------------------
-// Enforce no spoofing of referer
-// Spoofing effectively disables the anti-CSRF (Cross-Site Request Forgery)
-// protections that some sites may rely on
-user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
-// -------------------------------------
-// Set the default Referrer Policy [FF59+]
-// 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
-// [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy
-// https://www.w3.org/TR/referrer-policy/
-// https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
-// https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/
-// https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy/
-// user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+]
-// user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2]
-// -------------------------------------
-// Hide (not spoof) referrer when leaving a .onion domain [FF54+] [TOR]
-// [NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser
-// https://bugzilla.mozilla.org/1305144
-// user_pref("network.http.referer.hideOnionSource", true);
-// -------------------------------------
 // Enable the DNT (Do Not Track) HTTP header
-// [NOTE] DNT is enforced with Enhanced Tracking Protection regardless of this pref
+// [NOTE] DNT is enforced with Enhanced Tracking Protection
 // [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal...
-user_pref("privacy.donottrackheader.enabled", false);
+// user_pref("privacy.donottrackheader.enabled", false);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // CONTAINERS
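Review bot: The shortened `[NOTE] DNT is enforced with Enhanced Tracking Protection` now reads as if ETP were a precondition for this pref rather than the reason the pref no longer matters; the dropped qualifier was the useful part. Suggest `// [NOTE] DNT is sent automatically when Enhanced Tracking Protection is on, regardless of this pref`. The old active line set `privacy.donottrackheader.enabled` to false without a `[DEFAULT: ...]` tag, so the diff alone does not show that commenting it out yields the same value on a fresh profile; if it does, tag the commented line `// [DEFAULT: false]` the way the other reset prefs in this file are tagged, and if it does not, the change is a behavioural one and should be called out.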
@@ -1355,21 +1304,6 @@ user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
 // user_pref("extensions.webextensions.restrictedDomains", "");
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// SECURITY
-// >>>>>>>>>>>>>>>>>>>>>
-// Enforce CSP (Content Security Policy)
-// [NOTE] CSP is a very important and widespread security feature. Don't disable it!
-// https://developer.mozilla.org/docs/Web/HTTP/CSP
-user_pref("security.csp.enable", true); // [DEFAULT: true]
-// -------------------------------------
-// Enforce a security delay on some confirmation dialogs such as install, open/save
-// https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
-user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000]
-// -------------------------------------
-// Enable Site Isolation
-user_pref("fission.autostart", true);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // PERSISTENT STORAGE
 // >>>>>>>>>>>>>>>>>>>>>
 // Disable or isolate 3rd-party cookies and site-data [SETUP-WEB]
@@ -1547,76 +1481,44 @@ user_pref("extensions.webextensions.identity.redirectDomain", "");
 user_pref("browser.startup.blankWindow", false);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// WELCOME & WHAT'S NEW NOTICES
+// OPTIONAL OPSEC
 // >>>>>>>>>>>>>>>>>>>>>
-user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
-user_pref("startup.homepage_welcome_url", "");
-user_pref("startup.homepage_welcome_url.additional", "");
-user_pref("startup.homepage_override_url", ""); // What's New page after updates
+// Enable Site Isolation
+user_pref("fission.autostart", true);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// WARNINGS
+// DON'T TOUCH
 // >>>>>>>>>>>>>>>>>>>>>
-user_pref("browser.tabs.warnOnClose", false);
-user_pref("browser.tabs.warnOnCloseOtherTabs", false);
-user_pref("browser.tabs.warnOnOpen", false);
-user_pref("full-screen-api.warning.delay", 0);
-user_pref("full-screen-api.warning.timeout", 0);
-user_pref("browser.warnOnQuit", false);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// APPEARANCE
-// >>>>>>>>>>>>>>>>>>>>>
-// user_pref("browser.download.autohideButton", false); // [FF57+]
-// user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF]
-// 0=light, 1=dark: with RFP this only affects chrome
-// user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent
-// user_pref("ui.prefersReducedMotion", 1); // disable chrome animations [FF77+] [RESTART] [HIDDEN PREF]
-// 0=no-preference, 1=reduce: with RFP this only affects chrome
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// CONTENT BEHAVIOR
-// >>>>>>>>>>>>>>>>>>>>>
-user_pref("accessibility.typeaheadfind", false); // enable "Find As You Type"
-user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX]
-user_pref("layout.spellcheckDefault", 0); // 0=none, 1-multi-line, 2=multi-line & single-line
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// UX BEHAVIOR
-// >>>>>>>>>>>>>>>>>>>>>
-// user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing
-// user_pref("browser.quitShortcut.disabled", true); // disable Ctrl-Q quit shortcut [LINUX] [MAC] [FF87+]
-// user_pref("browser.tabs.closeWindowWithLastTab", false);
-// user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+]
-// user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+]
-// user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux]
-// user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
-// user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under]
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// UX FEATURES: Disable and hide the icons and menus
-// >>>>>>>>>>>>>>>>>>>>>
-user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New toolbar icon [FF69+]
-user_pref("messaging-system.rsexperimentloader.enabled", false);
-user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
-user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART]
-user_pref("reader.parse-on-load.enabled", false); // Reader View
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// OTHER
-// >>>>>>>>>>>>>>>>>>>>>
-// user_pref("browser.bookmarks.max_backups", 2);
-user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+]
-user_pref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" "");
-// [SETTING] General>Browsing>Recommend extensions as you browse
-user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+]
-// [SETTING] General>Browsing>Recommend features as you browse
-user_pref("network.manage-offline-status", false); // see bugzilla 620472
-// user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
+// Enforce Firefox blocklist
+// [WHY] It includes updates for "revoked certificates"
+// https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
+user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true]
+user_pref("extensions.blocklist.detailsURL", "");
+user_pref("extensions.blocklist.url", "");
+user_pref("services.blocklist.addons.collection", "");
+user_pref("services.blocklist.plugins.collection", "");
+user_pref("services.blocklist.pinning.collection", "");
+user_pref("services.blocklist.gfx.collection", "");
+user_pref("extensions.blocklist.itemURL", "");
+user_pref("services.settings.security.onecrl.bucket", "");
+user_pref("services.settings.security.onecrl.collection", "");
+user_pref("services.settings.security.onecrl.signer", "");
 // -------------------------------------
-// Test user.js in about:config
-user_pref("_config.applied", true);
-//
+// Enforce no referer spoofing
+// [WHY] Spoofing can affect CSRF (Cross-Site Request Forgery) protections
+user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
+// -------------------------------------
+// Enforce CSP (Content Security Policy)
+// https://developer.mozilla.org/docs/Web/HTTP/CSP
+user_pref("security.csp.enable", true); // [DEFAULT: true]
+// -------------------------------------
+// Enforce a security delay on some confirmation dialogs such as install, open/save
+// https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
+user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000]
+// -------------------------------------
+// Enforce no insecure active content on https pages
+user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true]
+//
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // DON'T BOTHER
 // >>>>>>>>>>>>>>>>>>>>>
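Review bot: The new DON'T TOUCH block enables `extensions.blocklist.enabled` because, per its `[WHY]`, the blocklist carries OneCRL revocations, and then sets every URL, collection, bucket and signer the blocklist and OneCRL would use to an empty string (`extensions.blocklist.url`, `services.blocklist.*.collection`, `services.settings.security.onecrl.bucket/collection/signer`). If a Firefox build still honours any of these, an empty value disables or breaks the very update the comment wants, and an empty `onecrl.signer` in particular would weaken signature verification of that data rather than enforce it; if they are dead prefs, they belong under DEPRECATED / REMOVED with a version note, not in a section labelled DON'T TOUCH. I cannot tell from the diff which applies, so at minimum state it: `// [NOTE] the URL/collection/signer prefs below are legacy and ignored by current releases; they are blanked only to reset old profiles`. A similar tag is missing on `fission.autostart` in OPTIONAL OPSEC, which alone among the moved prefs carries no `[FFxx+]` or `[DEFAULT]` annotation.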
@@ -1654,6 +1556,32 @@ user_pref("permissions.default.xr", 0); // Virtual Reality
 // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS
 // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS
 // user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES
+// -------------------------------------
+// Control TLS versions
+// [WHY] Passive fingerprinting. Downgrades are still possible: behind user interaction
+// user_pref("security.tls.version.min", 3); // [DEFAULT: 3]
+// user_pref("security.tls.version.max", 4);
+// -------------------------------------
+// Disable SSL session IDs [FF36+]
+// [WHY] Passive fingerprinting and perf costs. These are session-only and isolated
+// with network partitioning (FF85+) or when using FPI and/or containers
+// user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF]
+// -------------------------------------
+// Onions
+// [WHY] Firefox doesn't support hidden services. Use Tor Browser
+// user_pref("dom.securecontext.whitelist_onions", true); // 1382359
+// user_pref("network.http.referer.hideOnionSource", true); // 1305144
+// -------------------------------------
+// Referers
+// [WHY] Only cross origin referers (1600s) need control
+// user_pref("network.http.sendRefererHeader", 2);
+// user_pref("network.http.referer.trimmingPolicy", 0);
+// -------------------------------------
+// Set the default Referrer Policy [FF59+]
+// 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
+// [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy
+// user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+]
+// user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // DON'T BOTHER: NON-RFP
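Review bot: The trailing comment on the last added line is missing its closing bracket: `// [DEFAULT: 2` should be `// [DEFAULT: 2]`, matching the `defaultPolicy` line directly above it. The TLS note `Downgrades are still possible: behind user interaction` appears to hold only while `security.tls.version.enable-deprecated` stays false (reset earlier in this patch); cross-reference it so the two are not changed independently, e.g. `// [WHY] Passive fingerprinting. Downgrades to 1.0/1.1 only happen behind user interaction while security.tls.version.enable-deprecated is false`.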
@@ -1690,6 +1618,61 @@ user_pref("dom.webaudio.enabled", false);
 // user_pref("ui.use_standins_for_native_colors", true);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// PERSONAL
+// >>>>>>>>>>>>>>>>>>>>>
+// WELCOME & WHAT'S NEW NOTICES
+user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
+user_pref("startup.homepage_welcome_url", "");
+user_pref("startup.homepage_welcome_url.additional", "");
+user_pref("startup.homepage_override_url", ""); // What's New page after updates
+// -------------------------------------
+// WARNINGS
+user_pref("browser.tabs.warnOnClose", false);
+user_pref("browser.tabs.warnOnCloseOtherTabs", false);
+user_pref("browser.tabs.warnOnOpen", false);
+user_pref("full-screen-api.warning.delay", 0);
+user_pref("full-screen-api.warning.timeout", 0);
+user_pref("browser.warnOnQuit", false);
+// -------------------------------------
+// APPEARANCE
+// user_pref("browser.download.autohideButton", false); // [FF57+]
+// user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF]
+// 0=light, 1=dark: with RFP this only affects chrome
+// user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent
+// user_pref("ui.prefersReducedMotion", 1); // disable chrome animations [FF77+] [RESTART] [HIDDEN PREF]
+// 0=no-preference, 1=reduce: with RFP this only affects chrome
+// -------------------------------------
+// CONTENT BEHAVIOR
+user_pref("accessibility.typeaheadfind", false); // enable "Find As You Type"
+user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX]
+user_pref("layout.spellcheckDefault", 0); // 0=none, 1-multi-line, 2=multi-line & single-line
+// -------------------------------------
+// UX BEHAVIOR
+// user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing
+// user_pref("browser.quitShortcut.disabled", true); // disable Ctrl-Q quit shortcut [LINUX] [MAC] [FF87+]
+// user_pref("browser.tabs.closeWindowWithLastTab", false);
+// user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+]
+// user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+]
+// user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux]
+// user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
+// user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under]
+// -------------------------------------
+// UX FEATURES: disable and hide the icons and menus
+user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New toolbar icon [FF69+]
+// user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
+// user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART]
+user_pref("reader.parse-on-load.enabled", false); // Reader View
+// -------------------------------------
+// OTHER
+// user_pref("browser.bookmarks.max_backups", 2);
+user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+]
+// [SETTING] General>Browsing>Recommend extensions as you browse
+user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+]
+// [SETTING] General>Browsing>Recommend features as you browse
+// user_pref("network.manage-offline-status", false); // see bugzilla 620472
+// user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // DEPRECATED / REMOVED / LEGACY / RENAMED
 // >>>>>>>>>>>>>>>>>>>>>
 // FF79