From 848dfe138522626d7288db2d9951c16a9119545d Mon Sep 17 00:00:00 2001
From: quindecim <49964366+quindecim@users.noreply.github.com>
Date: Tue, 28 May 2019 09:00:22 +0000
Subject: [PATCH] Update user.js
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

✅ Masked more builID in according to TBB
✅ reEnabled reader mode
⛔️ Disabled new cryptomining and fingerprinting trackingprotection
⛔️ Disabled javascript Ion, baseline JIT and RegExp to help harden JS against exploits (disabled in TBB, performance loss??) [need test]
ℹ️ Added some descriptions
---
 user.js | 71 ++++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 52 insertions(+), 19 deletions(-)

diff --git a/user.js b/user.js
index 028c9b6..15b7e40 100644
--- a/user.js
+++ b/user.js
@@ -44,7 +44,8 @@ user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket",
 user_pref("browser.newtabpage.activity-stream.showSponsored", false); // [DESKTOP]
 user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); // [DESKTOP]
 // -------------------------------------
-// Pref : Set HOME+NEWWINDOW page
+// Pref : Set first run page and HOME+NEWWINDOW page
+user_pref("startup.homepage_welcome_url", ""); // [DESKTOP]
 user_pref("browser.startup.homepage", "about:blank"); // [DESKTOP]
 // -------------------------------------
 // Pref : Disable Activity Stream Snippets
@@ -115,16 +116,14 @@ user_pref("browser.startup.homepage_override.mstone", "ignore");
 // Pref : Disable app from auto-update
 user_pref("app.update.enabled", false);
 user_pref("app.update.auto", false); // [DESKTOP]
-user_pref("app.update.autodownload", ""); // [TEST]
-user_pref("app.update.channel", ""); // [TEST]
+user_pref("app.update.autodownload", ""); // [TEST] // [FENNEC]
+user_pref("app.update.channel", "");
 user_pref("app.update.url", ""); // [DESKTOP]
 user_pref("app.update.url.details", ""); // [DESKTOP]
 user_pref("app.update.url.manual", ""); // [DESKTOP]
 user_pref("app.update.url.android", ""); // [FENNEC]
 // user_pref("app.update.timerFirstInterval", 0);
 // user_pref("app.update.timerMinimumDelay", 0);
-// user_pref("app.update.url.android", "https://aus5.mozilla.org/update/4/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%MOZ_VERSION%/update.xml"); // [TEST]
-user_pref("app.update.service.enabled", false); // [DESKTOP]
 user_pref("app.update.silent", false); // [DESKTOP]
 user_pref("app.update.staging.enabled", false); // [DESKTOP]
 user_pref("app.update.log.file", false); // [DESKTOP]
@@ -696,11 +695,6 @@ user_pref("devtools.chrome.enabled", false);
 // https://bugzilla.mozilla.org/1173199
 user_pref("mathml.disabled", true);
 // -------------------------------------
-// Pref : Disable in-content SVG (Scalable Vector Graphics)
-// [SETUP-WEB] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
-// https://bugzilla.mozilla.org/1216893
-// user_pref("svg.disabled", true);
-// -------------------------------------
 // Pref : Disable middle mouse click paste
 // This preference determines how to handle middle clicks in text fields.
 // Useless on Android
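Review bot: `user_pref("app.update.service.enabled", false); // [DESKTOP]` is dropped together with the commented-out update URL, but neither the hunk nor the commit message explains the removal; unlike the `[TEST]`-tagged lines above it this pref was active, and on Windows desktop builds that use the Mozilla Maintenance Service leaving it at its default means this profile no longer disables that update path. If the removal is deliberate (for example because the pref is irrelevant on the Fennec target), say so in a comment next to the remaining `app.update.*` lines; otherwise keep the line. In the same hunk `app.update.autodownload` now carries two tags, `// [TEST] // [FENNEC]`, while `app.update.channel` lost its `[TEST]` tag; one tag per line matches the rest of the file, and if the second pref is no longer experimental the commit should say why.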
@@ -860,6 +854,12 @@ user_pref("ui.use_standins_for_native_colors", true); // [DESKTOP]
 // Pref : Remove special permissions for certain mozilla domains
 // resource://app/defaults/permissions
 user_pref("permissions.manager.defaultsUrl", ""); // [DESKTOP]
+// -------------------------------------
+// Pref : Disable in-content SVG rendering
+// Disabling SVG support breaks many UI elements on many sites incl. youtube player controls
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
+// https://github.com/iSECPartners/publications/raw/master/reports/Tor%20Browser%20Bundle/Tor%20Browser%20Bundle%20-%20iSEC%20Deliverable%201.3.pdf#16
+// user_pref("svg.disabled", true);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // Section : Web Workers
@@ -930,11 +930,13 @@ user_pref("dom.vibrator.enabled", false);
 // https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
 user_pref("javascript.options.asmjs", false);
 // -------------------------------------
-// Pref : Disable Ion and baseline JIT to help harden JS against exploits
+// Pref : Disable Ion, baseline JIT and RegExp to help harden JS against exploits
 // If false, causes the odd site issue and there is also a performance loss
 // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
-// user_pref("javascript.options.ion", false);
-// user_pref("javascript.options.baselinejit", false);
+// https://trac.torproject.org/projects/tor/ticket/26019
+user_pref("javascript.options.ion", false);
+user_pref("javascript.options.baselinejit", false);
+user_pref("javascript.options.native_regexp", false);
 // -------------------------------------
 // Pref : Disable WebAssembly
 // https://webassembly.org/
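Review bot: The relocated SVG block lost the `// [SETUP-WEB]` tag that the deleted version in the -696 hunk carried, so the breakage warning is now only prose and no longer matches the tagging convention the rest of the file uses for settings that break sites. Suggest `// [SETUP-WEB] Disabling SVG support breaks many UI elements on many sites incl. youtube player controls`. The block now sits between `permissions.manager.defaultsUrl` and the Web Workers section divider, which is an unrelated neighbourhood; a one-line reason for the move (or keeping it next to `mathml.disabled`) would help the next reader.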
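Review bot: `user_pref("javascript.options.ion", false);`, `javascript.options.baselinejit` and `javascript.options.native_regexp` are now active, yet the commit message marks the change "[need test]" and the retained comment directly above warns of site issues and a performance loss; the file's own convention for unverified settings is a `// [TEST]` tag (see the `app.update.*` lines in the -115 hunk), so each of the three lines should carry it until tested, e.g. `user_pref("javascript.options.ion", false); // [TEST]`. The comment `// If false, causes the odd site issue and there is also a performance loss` was written for a commented-out pref and now reads as a description of the chosen state; rewording it to `// [SETUP-WEB] Expect the odd site issue and a performance loss` makes the accepted trade-off visible and reuses the tag the file already uses for breakage warnings.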
@@ -966,8 +968,11 @@ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: false]
 // Pref : Don't reveal build ID
 // Value taken from Tor Browser
 // https://bugzilla.mozilla.org/show_bug.cgi?id=583181
-user_pref("general.buildID.override", "20100101"); // [DESKTOP]
-user_pref("browser.startup.homepage_override.buildID", "20100101"); // [DESKTOP]
+user_pref("general.buildID.override", "20100101");
+user_pref("browser.startup.homepage_override.buildID", "20100101");
+user_pref("media.gmp-manager.buildID", "20190307010101"); // [DESKTOP]
+user_pref("extensions.lastAppBuildID", "20190307010101");
+user_pref("browser.sessionstore.upgradeBackup.latestBuildID", "20190307010101"); // [DESKTOP]
 // -------------------------------------
 // Pref : Disable Archive API
 // https://wiki.mozilla.org/WebAPI/ArchiveAPI
@@ -1756,7 +1761,6 @@ user_pref("geo.wifi.logging.enabled", false); // [HIDDEN PREF] // [DESKTOP]
 // >>>>>>>>>>>>>>>>>>>>>>
 // Pref : Disable websites choosing fonts (0=block, 1=allow)
 // If you disallow fonts, this drastically limits/reduces font enumeration (by JS) which is a high entropy fingerprinting vector.
-// [NOTE] You can do this with uBlock Origin
 // [NOTE] Disabling fonts can uglify the web a fair bit.
 // https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
 user_pref("browser.display.use_document_fonts", 0);
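Review bot: The three added prefs use `"20190307010101"` while the two lines above keep `"20100101"`, and the header comment `// Value taken from Tor Browser` now only plausibly describes the first pair; a reader cannot tell whether the second constant is also Tor Browser's or was chosen because these prefs presumably get compared against the real application build ID, where an ancient value could trigger upgrade or rescan logic. Add one comment line above `media.gmp-manager.buildID` naming where the second value comes from and why it differs, e.g. `// [NOTE] The three below are compared against the real build ID; value matches the TBB release in use — keep in sync`. The `// [DESKTOP]` tags were also dropped from `general.buildID.override` and `browser.startup.homepage_override.buildID` without explanation; if they now apply to Fennec as well, a `[FENNEC]` tag or a short note keeps the tagging consistent with the rest of the file.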
@@ -1960,6 +1964,29 @@ user_pref("privacy.trackingprotection.enabled", false);
 user_pref("privacy.trackingprotection.pbmode.enabled", false);
 user_pref("privacy.trackingprotection.introURL", ""); // [DESKTOP]
 // -------------------------------------
+// Pref : Disable cryptomining trackingprotection
+// [NOTE] uBlock is far superior and you can customize the lists as you wish
+// https://m.wiki.mozilla.org/Security/Tracking_protection#Lists
+// https://github.com/AdroitAdorKhan/EnergizedProtection
+// https://github.com/theel0ja/firefox-recommendations/blob/master/README.md
+// https://github.com/hoshsadiq/adblock-nocoin-list
+user_pref("browser.contentblocking.cryptomining.preferences.ui.enabled", false); // [DESKTOP]
+user_pref("privacy.trackingprotection.cryptomining.annotate.enabled", false);
+user_pref("privacy.trackingprotection.cryptomining.enabled", false);
+user_pref("urlclassifier.features.cryptomining.blacklistTables", "");
+user_pref("urlclassifier.features.cryptomining.whitelistTables", "");
+// -------------------------------------
+// Pref : Disable fingerprinting trackingprotection
+// [NOTE] uBlock is far superior and you can customize the lists as you wish
+// https://m.wiki.mozilla.org/Security/Tracking_protection#Lists
+// https://github.com/AdroitAdorKhan/EnergizedProtection
+// https://github.com/theel0ja/firefox-recommendations/blob/master/README.md
+user_pref("browser.contentblocking.fingerprinting.preferences.ui.enabled", false); // [DESKTOP]
+user_pref("privacy.trackingprotection.fingerprinting.annotate.enabled", false);
+user_pref("privacy.trackingprotection.fingerprinting.enabled", false);
+user_pref("urlclassifier.features.fingerprinting.blacklistTables", "");
+user_pref("urlclassifier.features.fingerprinting.whitelistTables", "");
+// -------------------------------------
 // Pref : Disable PingCentre telemetry (used in several System Add-ons)
 // Currently blocked by 'datareporting.healthreport.uploadEnabled'
user_pref("browser.ping-centre.telemetry", false); // [DESKTOP]
@@ -2139,7 +2166,13 @@ user_pref("network.http.referer.XOriginPolicy", 2);
 // 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port
 user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
 // -------------------------------------
-// Pref : Disable spoofing a referer
+// Pref : Send a referer header with the target URI as the source
+// https://bugzilla.mozilla.org/show_bug.cgi?id=822869
+// https://github.com/pyllyukko/user.js/issues/227
+// https://github.com/pyllyukko/user.js/issues/94
+// [NOTE] Spoofing referers breaks functionality on websites relying on authentic referer headers
+// [NOTE] Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
+// [NOTE] Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
 user_pref("network.http.referer.spoofSource", true); // [DEFAULT: false]
 // -------------------------------------
 // Pref : Set the default Referrer Policy
@@ -2373,7 +2406,7 @@ user_pref("pref.general.disable_button.default_browser", true); // [DESKTOP]
 user_pref("pref.privacy.disable_button.view_passwords", true); // [DESKTOP]
 // -------------------------------------
 // Pref : Disable Reader mode
-user_pref("reader.parse-on-load.enabled", false);
+// user_pref("reader.parse-on-load.enabled", false);
 // -------------------------------------
 // Pref : Disable dark theme on forms
 user_pref("widget.content.gtk-theme-override", "Adwaita"); // [DESKTOP]
@@ -2384,7 +2417,7 @@ user_pref("browser.ctrlTab.recentlyUsedOrder", false); // [DESKTOP]
 // Pref : Display long lines in view-source page
 user_pref("view_source.wrap_long_lines", true);
 // -------------------------------------
-// Pref : Enable dark mode in all "about:" pages
+// Pref : Enable dark mode in all about:* pages
 user_pref("browser.in-content.dark-mode", true);
 //
 //
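Review bot: Emptying `urlclassifier.features.cryptomining.blacklistTables` and `whitelistTables` (and the fingerprinting pair below them) goes further than disabling the feature: with the table names blanked, flipping `privacy.trackingprotection.cryptomining.enabled` back to true would presumably leave the classifier with nothing to match against, so the protection would silently stay ineffective. Since `*.enabled` and `*.annotate.enabled` already switch the protection off, consider leaving the four table prefs at their defaults, or put `// [NOTE] Restore the *Tables prefs together with the *.enabled prefs if re-enabling` above them. The rationale line `// [NOTE] uBlock is far superior and you can customize the lists as you wish` is repeated verbatim in both sub-blocks; stating it once, or naming the uBlock list the user is expected to enable in its place, would be more useful than the duplicate. This hunk starts on the previous line of the patch.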
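Review bot: The three `[NOTE]` lines now document that `network.http.referer.spoofSource` breaks sites, Lightbeam and referer-based CSRF checks, yet the pref stays `true` on the line below with no statement of why that trade-off is accepted; the new header `// Pref : Send a referer header with the target URI as the source` names the mechanism but not the goal. Either add one line stating the benefit this gives beyond what `network.http.referer.XOriginPolicy` (set to 2 in the hunk header, so cross-host referers are already withheld) and `XOriginTrimmingPolicy` provide, or leave the pref at its default, e.g. `// user_pref("network.http.referer.spoofSource", true); // [DEFAULT: false] [SETUP-WEB]`. If spoofing is applied before the cross-origin policy is evaluated — which the linked pyllyukko issues suggest but this hunk cannot confirm — every request, including a cross-site one, arrives with a same-origin referer, which is exactly what defeats a referer-based CSRF check; that mechanism deserves to be spelled out next to the third `[NOTE]`.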