diff --git a/user.js b/user.js
index 9d7ed6b..229d7f4 100644
--- a/user.js
+++ b/user.js
@@ -560,6 +560,7 @@ user_pref("security.remote_settings.crlite_filters.enabled", false);
 user_pref("security.remote_settings.crlite_filters.bucket", "");
 user_pref("security.remote_settings.crlite_filters.collection", "");
 user_pref("security.remote_settings.crlite_filters.signer", "");
+user_pref("security.pki.crlite_mode", 2);
 // -------------------------------------
 // Pref : Disable Default Browser Agent
 // https://firefox-source-docs.mozilla.org/main/latest/toolkit/mozapps/defaultagent/default-browser-agent/index.html
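Review bot: The added `security.pki.crlite_mode` line has no comment saying what value 2 selects, and it sits directly under prefs that switch CRLite filter delivery off (`crlite_filters.enabled` false, empty bucket, collection and signer). If 2 means "consult CRLite and enforce its results", as I understand Mozilla's values for this pref, there is no filter data to consult, and revocation checking presumably falls back to whatever the OCSP prefs elsewhere in the file allow. A comment above the line stating the intent would settle it, for example `// crlite_mode: 0=disabled, 1=telemetry only, 2=enforce; filters are disabled above, so revocation relies on OCSP (confirm)`. If the aim is to disable CRLite entirely, the value should probably be 0 instead.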
@@ -1458,15 +1459,26 @@ user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false); // [DESKTOP]
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // Section : HTTPS (SSL/TLS / OCSP / Certs / HPKP / Ciphers)
 // >>>>>>>>>>>>>>>>>>>>
-// Pref : Enable HTTPS-only-mode
-// * [WARNING] This is experimental, see [1] and you can't set exceptions if FPI is enabled, see [2]
-// https://www.ghacks.net/2020/03/24/firefox-76-gets-optional-https-only-mode/
-// * [1] https://bugzilla.mozilla.org/1613063 [META]
-// * [2] https://bugzilla.mozilla.org/1647829 ***/
-// user_pref("dom.security.https_only_mode", true);
+// Pref : Enable HTTPS-only-mode [FF76+]
+// [SETTING] to add site exceptions: Page Info>HTTPS-Only mode>On/Off/Off temporarily
+// [SETTING] Privacy & Security>HTTPS-Only Mode
+// [TEST] http://example.com [upgrade]
+// [TEST] http://neverssl.org/ [no upgrade]
+// https://bugzilla.mozilla.org/1613063 [META]
+// https://bugzilla.mozilla.org/1647829 ***/
+user_pref("dom.security.https_only_mode", true); [FF76+]
 // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+]
+// -------------------------------------
+// Pref: Enable HTTPS-Only mode for local resources [FF77+] ***/
 // user_pref("dom.security.https_only_mode.upgrade_local", true);
 // -------------------------------------
+// Pref: Disable HTTP background requests [FF82+]
+// When attempting to upgrade, if the server doesn't respond within 3 seconds, firefox
+// sends HTTP requests in order to check if the server supports HTTPS or not.
+// This is done to avoid waiting for a timeout which takes 90 seconds
+// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/
+user_pref("dom.security.https_only_mode_send_http_background_request", false);
+// -------------------------------------
 // Pref : Require safe negotiation
 // Blocks connections to servers that don't support RFC 5746 as they're potentially vulnerable to a MiTM attack. A server *without* RFC 5746 can be safe from the attack if it disables renegotiations but the problem is that the browser can't know that.
 // Setting this pref to true is the only way for the browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server.
@@ -2379,7 +2391,11 @@ user_pref("privacy.firstparty.isolate", true);
 // https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
 user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
 user_pref("privacy.firstparty.isolate.block_post_message", true);
-//
+// -------------------------------------
+// Pref: Enable scheme with FPI [FF78+]
+// [NOTE] Experimental: existing data and site permissions are incompatible
+// and some site exceptions may not work e.g. HTTPS-only mode ***/
+// user_pref("privacy.firstparty.isolate.use_site", true);
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // Section : RFP (Resist Fingerprinting) / RFP Alternatives (USER AGENT SPOOFING)
 // >>>>>>>>>>>>>>>>>>>>
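Review bot: On the new `user_pref("dom.security.https_only_mode", true); [FF76+]` line in the HTTPS hunk, the version tag sits outside any comment, which the prefs parser will treat as a syntax error. Depending on how the parser recovers, this pref or the ones after it, including the safe-negotiation hardening that follows in this section, may not be applied. The line should read `user_pref("dom.security.https_only_mode", true); // [FF76+]`, matching the `_pbm` line directly below it. The rewritten header also drops the labels from the two Bugzilla links, so a reader can no longer tell that 1647829 concerned site exceptions under FPI, which this file enables via `privacy.firstparty.isolate`. A short label after each link would restore that context.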