From 7e08eb29391ebdb0314bc509d1f29003b2c5b2e3 Mon Sep 17 00:00:00 2001
From: Narsil
Date: Sun, 22 Aug 2021 14:49:58 +0000
Subject: [PATCH] Update 'user.js'

---
 user.js | 177 ++++++++++++++++++--------------------------------------
 1 file changed, 57 insertions(+), 120 deletions(-)

diff --git a/user.js b/user.js
index 00e4081..22e7706 100644
--- a/user.js
+++ b/user.js
@@ -765,9 +765,6 @@ user_pref("browser.shell.shortcutFavicons", false);
 // control that instead; e.g. disable history, clear history on close, use PB mode
 // [NOTE] favicons.sqlite is sanitized on Firefox close, not in-session
 user_pref("browser.chrome.site_icons", false);
-// -------------------------------------
-// Disable favicons in web notifications
-user_pref("alerts.showFavicons", false); // [DEFAULT: false]
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // SSL (Secure Sockets Layer) / TLS (Transport Layer Security)
@@ -889,13 +886,12 @@ user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: tru
 // Disable insecure passive content (such as images) on https pages [SETUP-WEB]
 user_pref("security.mixed_content.block_display_content", true);
 // -------------------------------------
-// Enable HTTPS-Only mode [FF76+]
-// When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored
-// [SETTING] to add site exceptions: Ctrl+I>HTTPS-Only mode>On/Off/Off temporarily
-// [SETTING] Privacy & Security>HTTPS-Only Mode
+// Enable HTTPS-Only mode in all windows [FF76+]
+// When the top-level is HTTPS, insecure subresources are also upgraded (silent fail)
+// [SETTING] to add site exceptions: Ctrl+I>HTTPS-Only mode>On (after "Continue to HTTP Site")
+// [SETTING] Privacy & Security>HTTPS-Only Mode (and manage exceptions)
 // [TEST] http://example.com [upgrade]
-// [TEST] http://neverssl.org/ [no upgrade]
-// https://bugzilla.mozilla.org/1613063 [META]
+// http://neverssl.com/ [no upgrade]
 user_pref("dom.security.https_only_mode", true); // [FF76+]
 user_pref("dom.security.https_only_mode_pbm", true); // [FF80+]
 // -------------------------------------
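Review bot: The rewritten test pair is now inconsistent: `// [TEST] http://example.com [upgrade]` keeps its tag while the new `// http://neverssl.com/ [no upgrade]` line drops it, so the second line no longer reads as a test case; suggest `// [TEST] http://neverssl.com/ [no upgrade]`. The removed sentence about `https_only_mode_pbm` being ignored while `https_only_mode` is true was the only place that explained why both prefs are set; "in all windows" in the new heading implies it, but a trailing comment on the pbm line, e.g. `// [FF80+] ignored while https_only_mode is true`, would keep that caveat visible next to the pref it concerns.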
@@ -915,26 +911,6 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); //
 user_pref("dom.securecontext.whitelist_onions", true);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// CIPHERS
-// [WARNING] DO NO USE
-// >>>>>>>>>>>>>>>>>>>>>
-// Disable 3DES (effective key size < 128 and no PFS)
-// https://en.wikipedia.org/wiki/3des#Security
-// https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
-// https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
-// user_pref("security.ssl3.rsa_des_ede3_sha", false);
-// -------------------------------------
-// Disable the remaining non-modern cipher suites as of FF78 (in order of preferred by FF)
-// user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false);
-// user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
-// user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
-// user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false);
-// user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS
-// user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS
-// user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS
-// user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // UI (User Interface)
 // >>>>>>>>>>>>>>>>>>>>>
 // Display warning on the padlock for "broken security"
@@ -975,7 +951,7 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false);
 user_pref("gfx.font_rendering.graphite.enabled", false);
 // -------------------------------------
 // Limit font visibility (Windows, Mac, some Linux) [FF79+]
-// [NOTE] IN FF8)+ RFP ignores the pref and uses value 1
+// [NOTE] IN FF80+ RFP ignores the pref and uses value 1
 // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts, bundled fonts are auto-allowed
 // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
 // https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
@@ -1196,7 +1172,7 @@ user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN
 user_pref("javascript.options.wasm", false);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// HARDWARE FINGERPRINTING
+// FINGERPRINTING
 // >>>>>>>>>>>>>>>>>>>>>
 // Disable Battery Status API
 // Initially a Linux issue (high precision readout) that was fixed.
@@ -1206,34 +1182,17 @@ user_pref("javascript.options.wasm", false);
 // https://bugzilla.mozilla.org/1313580
 user_pref("dom.battery.enabled", false);
 // -------------------------------------
-// Disable hardware acceleration [SETUP-HARDEN]
-// WARNING] Affects rendering and performance
-// and parts of Quantum that utilize the GPU will also be affected as they are rolled out
-// [SETTING] General>Performance>Custom>Use hardware acceleration when available
-// https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration
-// user_pref("gfx.direct2d.disabled", true);
-// user_pref("layers.acceleration.disabled", true);
-// -------------------------------------
-// Disable Media Capabilities API [FF63+]
-// [WARNING] The API state is fingerprintable and disabling may affect performance
-// https://github.com/WICG/media-capabilities
-// https://wicg.github.io/media-capabilities/#security-privacy-considerations
-// user_pref("media.media-capabilities.enabled", false);
-// -------------------------------------
-// Disable WebGL (Web Graphics Library)
-// [SETUP-WEB] When disabled, may break some websites. When enabled, provides high entropy,
-// especially with readPixels(). Some of the other entropy is lessened with RFP
-// https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
-// https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern
-user_pref("webgl.disabled", true);
-user_pref("webgl.enable-webgl2", false);
-// -------------------------------------
-// Limit WebGL
-// user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+]
-// -------------------------------------
 // Enforce no system colors
 // [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors
 user_pref("browser.display.use_system_colors", false); // [DEFAULT: false]
+// -------------------------------------
+// Enforce non-native widget theme
+// Security: removes/reduces system API calls, e.g. win32k API
+// Fingerprinting: provides a uniform look and feel across platforms
+// https://bugzilla.mozilla.org/1381938
+// https://bugzilla.mozilla.org/1411425
+user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+]
+// -------------------------------------
 // Open links targeting new windows in a new tab instead
 // Stops malicious window sizes and some screen resolution leaks.
 // You can still right-click a link and open in a new window
@@ -1241,12 +1200,15 @@ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false]
 // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881
 user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab
 user_pref("browser.link.open_newwindow.restriction", 0);
-// Enforce non-native widget theme
-// Security: removes/reduces system API calls, e.g. win32k API
-// Fingerprinting: provides a uniform look and feel across platforms
-// https://bugzilla.mozilla.org/1381938
-// https://bugzilla.mozilla.org/1411425
-user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+]
+// -------------------------------------
+// Disable/limit WebGL (Web Graphics Library)
+// [SETUP-WEB] When disabled, will break some websites. When enabled, provides high entropy,
+// especially with readPixels(). Some of the other entropy is lessened with RFP (4501)
+// https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
+// https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern
+user_pref("webgl.disabled", true);
+// user_pref("webgl.enable-webgl2", false);
+// user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+]
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // MISCELLANEOUS
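Review bot: `webgl.enable-webgl2` goes from an active `false` (removed in the @@ -1206 hunk) to a commented-out line in the relocated WebGL block, and nothing in the new comment says when that line matters. Presumably `webgl.disabled` set to true already covers WebGL2 contexts, which would make the active line redundant as long as the first pref stays true; but `[SETUP-WEB]` invites users to flip `webgl.disabled` back to false when sites break, and at that point WebGL2 is now exposed as well unless they also notice the commented line. Suggest a trailing note, `// user_pref("webgl.enable-webgl2", false); // [NOTE] only relevant if webgl.disabled is relaxed`. The bare `(4501)` after "RFP" also reads as an issue number without saying which tracker it belongs to; a link or an `[issue 4501]` style tag would make it unambiguous.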
@@ -1583,10 +1545,6 @@ user_pref("extensions.webextensions.identity.redirectDomain", "");
 // When default true this no longer masks the RFP chrome resizing activity
 // https://bugzilla.mozilla.org/1448423
 user_pref("browser.startup.blankWindow", false);
-// -------------------------------------
-// Disable chrome animations [FF77+] [RESTART]
-// [NOTE] pref added in FF63, but applied to chrome in FF77. RFP spoofs this for web content
-user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF]
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // WELCOME & WHAT'S NEW NOTICES
@@ -1610,7 +1568,11 @@ user_pref("browser.warnOnQuit", false);
 // APPEARANCE
 // >>>>>>>>>>>>>>>>>>>>>
 // user_pref("browser.download.autohideButton", false); // [FF57+]
+// user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF]
+// 0=light, 1=dark: with RFP this only affects chrome
 // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent
+// user_pref("ui.prefersReducedMotion", 1); // disable chrome animations [FF77+] [RESTART] [HIDDEN PREF]
+// 0=no-preference, 1=reduce: with RFP this only affects chrome
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // CONTENT BEHAVIOR
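Review bot: The two new legend lines in the APPEARANCE hunk (`// 0=light, 1=dark: with RFP this only affects chrome` and `// 0=no-preference, 1=reduce: with RFP this only affects chrome`) each follow their pref on the next line, so the first one sits directly above the unrelated `toolkit.legacyUserProfileCustomizations.stylesheets` entry and can be read as describing it. Elsewhere in this file a value legend is placed before its pref or inline after it (e.g. `// 1=most recent window or tab 2=new window, 3=new tab` in the @@ -1241 hunk), so moving each legend inline, such as `// user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF] 0=light, 1=dark: with RFP this only affects chrome`, would match that convention. Since `ui.prefersReducedMotion` was an active hardening pref until the @@ -1583 hunk removed it, a word in the new comment that it is now optional because RFP already spoofs it for web content would also help readers of the old file understand why it moved.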
@@ -1679,78 +1641,53 @@ user_pref("permissions.default.camera", 2);
 user_pref("permissions.default.microphone", 2);
 user_pref("permissions.default.desktop-notification", 2);
 user_pref("permissions.default.xr", 0); // Virtual Reality
+// -------------------------------------
+// Disable non-modern cipher suites
+// [WHY] Passive fingerprinting. Minimal/non-existent threat of downgrade attacks
+// https://browserleaks.com/ssl
+// user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false);
+// user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
+// user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
+// user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false);
+// user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS
+// user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS
+// user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS
+// user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS
+// user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // DON'T BOTHER: NON-RFP
 // >>>>>>>>>>>>>>>>>>>>>
-// Spoof number of CPU cores [FF48+] ***/
-// user_pref("dom.maxHardwareConcurrency", 2);
-// -------------------------------------
-// Disable Resource Timing API
-// user_pref("dom.enable_resource_timing", false);
-// -------------------------------------
-// Disable Navigation Timing API
-// user_pref("dom.enable_performance", false);
-// -------------------------------------
-// Disable device Sensor APIs
+// Disable APIs
 user_pref("device.sensors.enabled", false);
-// -------------------------------------
-// Disable remembering site specific zoom
-// user_pref("browser.zoom.siteSpecific", false);
-// -------------------------------------
-// Disable gamepad API to prevent USB device ID enumeration
+// user_pref("dom.enable_performance", false);
+// user_pref("dom.enable_resource_timing", false);
 // user_pref("dom.gamepad.enabled", false);
-// -------------------------------------
-// Disable Network Information API [FF31+]
 user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android]
-// -------------------------------------
-// Disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API
-// user_pref("media.webspeech.synth.enabled", false);
-// -------------------------------------
-// Disable video statistics to mitigate JS performance fingerprinting [FF25+]
-// user_pref("media.video_stats.enabled", false);
-// -------------------------------------
-// Disable touch events: 0=disabled, 1=enabled, 2=autodetect [FENNEC BUG]
-user_pref("dom.w3c_touch_events.enabled", 1);
-// -------------------------------------
-// Disable media device enumeration [FF29+]
-user_pref("media.navigator.enabled", false);
-// -------------------------------------
-// Disable MediaDevices change detection [FF51+]
-// user_pref("media.ondevicechange.enabled", false);
-// -------------------------------------
-// Disable WebGL debug info being available to websites
-// user_pref("webgl.enable-debug-renderer-info", false);
-// -------------------------------------
-// Enforce prefers-reduced-motion as no-preference: 0=no-preference, 1=reduce [FF63+] [RESTART]
-// user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF]
-// -------------------------------------
-// Disable exposure of system colors to CSS or canvas [FF44+]
-// user_pref("ui.use_standins_for_native_colors", true);
-// -------------------------------------
-// Enforce prefers-color-scheme as light: 0=light, 1=dark [FF67+]
-// user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
-// -------------------------------------
-// Disable Web Audio API [FF51+]
 user_pref("dom.webaudio.enabled", false);
 // -------------------------------------
-// Disable websites choosing fonts (0=block, 1=allow) ***/
+// Disable other
 // user_pref("browser.display.use_document_fonts", 0);
+// user_pref("browser.zoom.siteSpecific", false);
+// user_pref("media.webspeech.synth.enabled", false);
+user_pref("dom.w3c_touch_events.enabled", 1); // [FENNEC BUG]
+user_pref("media.navigator.enabled", false);
+// user_pref("media.ondevicechange.enabled", false);
+// user_pref("media.video_stats.enabled", false);
+// user_pref("media.webspeech.synth.enabled", false);
+// user_pref("webgl.enable-debug-renderer-info", false);
+user_pref("dom.webaudio.enabled", false);
 // -------------------------------------
-// Limit system font exposure to a whitelist [FF52+] [RESTART]
-// If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed
-// [NOTE] In FF81+ the whitelist overrides RFP and font visibility
-// https://bugzilla.mozilla.org/1121643
+// Spoof
+// user_pref("dom.maxHardwareConcurrency", 2);
 // user_pref("font.system.whitelist", ""); // [HIDDEN PREF]
-// -------------------------------------
-// Navigator DOM object overrides
-// [WHY] These prefs are insufficient and leak
 // user_pref("general.appname.override", ""); // [HIDDEN PREF]
 // user_pref("general.appversion.override", ""); // [HIDDEN PREF]
 // user_pref("general.buildID.override", "20181001000000"); // [HIDDEN PREF]
 // user_pref("general.oscpu.override", ""); // [HIDDEN PREF]
 // user_pref("general.platform.override", ""); // [HIDDEN PREF]
 // user_pref("general.useragent.override", "Mozilla/5.0 (Android 9; Mobile; rv:78.0) Gecko/78.0 Firefox/78.0"); // [HIDDEN PREF]
+// user_pref("ui.use_standins_for_native_colors", true);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // DEPRECATED / REMOVED / LEGACY / RENAMED
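Review bot: The new "Disable other" group sets `dom.webaudio.enabled` a second time (the unchanged `user_pref("dom.webaudio.enabled", false);` a few lines above already sits in the "Disable APIs" group) and lists `// user_pref("media.webspeech.synth.enabled", false);` twice, so one copy of each should be dropped; duplicated active prefs are harmless while the values agree but drift silently once someone edits only one of them. `user_pref("dom.w3c_touch_events.enabled", 1); // [FENNEC BUG]` now sits under a "Disable" heading while value 1 enables the API, and the value legend the removed line carried is gone; suggest keeping it inline, `user_pref("dom.w3c_touch_events.enabled", 1); // 0=disabled, 1=enabled, 2=autodetect [FENNEC BUG]`. The `// Spoof` group also holds `font.system.whitelist` and `ui.use_standins_for_native_colors`, which restrict exposure rather than spoof a value, so that heading reads as inaccurate for those two lines. The "[WHY] Passive fingerprinting" rationale for the cipher block is sound as written, but since the lines are commented out it would help to say that leaving the suites enabled keeps the ClientHello identical to a stock Firefox, which is the point being made.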