Update user.js

 Sorted a lot of rules and fixed some parameters
 Enabled window.opener protection
️ Disabled Service Workers
️ Disabled Web Notifications
️ Disabled Push Notifications
️ Disabled "Confirm you want to leave" dialog on page close
️ Disabled asm.js
️ Disabled Intersection Observer API
This commit is contained in:
quindecim 2019-04-27 17:36:54 +00:00 committed by GitHub
parent c37fe0699b
commit 8ad625e231
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 78 additions and 14 deletions

92
user.js
View File

@ -52,7 +52,7 @@ user_pref("datareporting.policy.firstRunURL", "");
user_pref("datareporting.policy.minimumPolicyVersion", 0); user_pref("datareporting.policy.minimumPolicyVersion", 0);
user_pref("datareporting.policy.minimumPolicyVersion.channel-beta", 0); user_pref("datareporting.policy.minimumPolicyVersion.channel-beta", 0);
// Pref : Disable personalized Extension Recommendations in about:addons and AMO // Pref : Disable personalized Extension Recommendations in about:addons and AMO
//[NOTE] This pref has no effect when Health Reports are disabled // [NOTE] This pref has no effect when Health Reports are disabled
// https://support.mozilla.org/kb/personalized-extension-recommendations // https://support.mozilla.org/kb/personalized-extension-recommendations
user_pref("browser.discovery.enabled", false); // [DEFAULT: false] user_pref("browser.discovery.enabled", false); // [DEFAULT: false]
// Pref : Disable Crash Reports // Pref : Disable Crash Reports
@ -180,13 +180,6 @@ user_pref("browser.snippets.statsUrl", "");
user_pref("browser.snippets.updateInterval", -1); user_pref("browser.snippets.updateInterval", -1);
user_pref("browser.snippets.updateUrl", ""); user_pref("browser.snippets.updateUrl", "");
user_pref("browser.snippets.syncPromo.enabled", false); user_pref("browser.snippets.syncPromo.enabled", false);
// Pref : Disable right-click menu manipulation via JavaScript (disabled)
user_pref("dom.event.contextmenu.enabled", false);
// Pref : Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
// Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in
// JS-based web applications (Google Docs...)
// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
user_pref("dom.event.clipboardevents.enabled", false);
// Pref : Force Punycode for Internationalized Domain Names // Pref : Force Punycode for Internationalized Domain Names
// http://kb.mozillazine.org/Network.IDN_show_punycode // http://kb.mozillazine.org/Network.IDN_show_punycode
// https://www.xudongz.com/blog/2017/idn-phishing/ // https://www.xudongz.com/blog/2017/idn-phishing/
@ -219,8 +212,6 @@ user_pref("beacon.enabled", false);
// https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition // https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
// https://wiki.mozilla.org/HTML5_Speech_API // https://wiki.mozilla.org/HTML5_Speech_API
user_pref("media.webspeech.recognition.enable", false); user_pref("media.webspeech.recognition.enable", false);
// Pref : Disable vibrator API
user_pref("dom.vibrator.enabled", false);
// Pref : Don't use Mozilla-provided location-specific search engines // Pref : Don't use Mozilla-provided location-specific search engines
user_pref("browser.search.geoSpecificDefaults", false); user_pref("browser.search.geoSpecificDefaults", false);
// Pref : Don't monitor OS online/offline connection state // Pref : Don't monitor OS online/offline connection state
@ -325,10 +316,83 @@ user_pref("security.csp.enable", true); // [DEFAULT: true]
user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // [DEFAULT: true] user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // [DEFAULT: true]
// //
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Web Workers
// >>>>>>>>>>>>>>>>>>>>>>
// Pref : Disable service workers
// Service workers essentially act as proxy servers that sit between web apps, and the browser and network, are event driven, and can control the web page/site it is associated with, intercepting and modifying navigation and resource requests, and caching resources.
// [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode.
// [NOTE] Service workers only run over HTTPS. Service Workers have no DOM access.
user_pref("dom.serviceWorkers.enabled", false);
// Pref : Disable web notifications
// https://developer.mozilla.org/docs/Web/API/Notifications_API
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.webnotifications.serviceworker.enabled", false);
// Pref : Disable push notifications
// Web apps can receive messages pushed to them from a server, whether or not the web app is in the foreground, or even currently loaded
// https://developer.mozilla.org/docs/Web/API/Push_API
user_pref("dom.push.alwaysConnect", false);
user_pref("dom.push.enabled", false);
user_pref("dom.push.debug", false);
user_pref("dom.push.connection.enabled", false);
user_pref("dom.push.serverURL", "");
user_pref("dom.push.userAgentID", "");
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : DOM (Document Object Model) & Javascript
// >>>>>>>>>>>>>>>>>>>>>>
// Pref : Disable right-click menu manipulation via JavaScript
user_pref("dom.event.contextmenu.enabled", false);
// Pref : Disable website access to clipboard events/content
// Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...)
// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
user_pref("dom.event.clipboardevents.enabled", false);
// Pref : Disable "Confirm you want to leave" dialog on page close
// Does not prevent JS leaks of the page close event.
// https://developer.mozilla.org/docs/Web/Events/beforeunload
// https://support.mozilla.org/questions/1043508
user_pref("dom.disable_beforeunload", true);
// Pref : Disable shaking the screen (Vibrator API)
user_pref("dom.vibrator.enabled", false);
// Pref : Disable asm.js
// http://asmjs.org/
// https://www.mozilla.org/security/advisories/mfsa2015-29/
// https://www.mozilla.org/security/advisories/mfsa2015-50/
// https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
// https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
// https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
user_pref("javascript.options.asmjs", false);
// Pref : Disable Ion and baseline JIT to help harden JS against exploits
// If false, causes the odd site issue and there is also a performance loss
// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
// user_pref("javascript.options.ion", false);
// user_pref("javascript.options.baselinejit", false);
// Pref : Disable WebAssembly
// https://webassembly.org/
// https://developer.mozilla.org/docs/WebAssembly
// https://en.wikipedia.org/wiki/WebAssembly
// https://trac.torproject.org/projects/tor/ticket/21549
// user_pref("javascript.options.wasm", false);
// Pref : Disable Intersection Observer API
// Almost a year to complete, three versions late to stable (as default false), number #1 cause of crashes in nightly numerous times, and is (primarily) an ad network API for "ad viewability checks" down to a pixel level
// https://developer.mozilla.org/docs/Web/API/Intersection_Observer_API
// https://w3c.github.io/IntersectionObserver/
// https://bugzilla.mozilla.org/1243846
user_pref("dom.IntersectionObserver.enabled", false);
// Pref : Disable Shared Memory (Spectre mitigation)
// https://github.com/tc39/ecmascript_sharedmem/blob/master/TUTORIAL.md
// https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
user_pref("javascript.options.shared_memory", false); // [DEFAULT: false]
// Pref : Enforce DOMHighResTimeStamp API
// [WARNING] Required for normalization of timestamps and any timer resolution mitigations
user_pref("dom.event.highrestimestamp.enabled", true); // [DEFAULT: true]
// Pref : Enable (limited but sufficient) window.opener protection
// Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set
user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: false]
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Media / Camera / Mic // Section : Media / Camera / Mic
// >>>>>>>>>>>>>>>>>>>>>> // >>>>>>>>>>>>>>>>>>>>>>
// Pref : WebSockets is a technology that makes it possible to open an interactive communication // Pref : WebSockets is a technology that makes it possible to open an interactive communication session between the user's browser and a server. (May leak IP when using proxy/VPN)
// session between the user's browser and a server. (May leak IP when using proxy/VPN)
user_pref("media.peerconnection.enabled", false); user_pref("media.peerconnection.enabled", false);
// Pref : Limit WebRTC IP leaks if using WebRTC // Pref : Limit WebRTC IP leaks if using WebRTC
// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416 // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416
@ -633,7 +697,7 @@ user_pref("dom.disable_window_move_resize", true); // [DEFAULT: true]
// You can still right-click a link and open in a new window. // You can still right-click a link and open in a new window.
// [TEST] https://people.torproject.org/~gk/misc/entire_desktop.html // [TEST] https://people.torproject.org/~gk/misc/entire_desktop.html
// https://trac.torproject.org/projects/tor/ticket/9881 // https://trac.torproject.org/projects/tor/ticket/9881
user_pref("browser.link.open_newwindow", 2); // [DEFAULT: 3] user_pref("browser.link.open_newwindow", 3); // [DEFAULT: 3]
user_pref("browser.link.open_newwindow.restriction", 0); // [DEFAULT: 0] user_pref("browser.link.open_newwindow.restriction", 0); // [DEFAULT: 0]
// Pref : Disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks // Pref : Disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks
// [NOTE] You can still manually toggle the browser's fullscreen state, but this pref will disable embedded video fullscreen controls, e.g. youtube // [NOTE] You can still manually toggle the browser's fullscreen state, but this pref will disable embedded video fullscreen controls, e.g. youtube
@ -642,7 +706,7 @@ user_pref("browser.link.open_newwindow.restriction", 0); // [DEFAULT: 0]
// Pref : Block popup windows // Pref : Block popup windows
user_pref("dom.disable_open_during_load", true); // [DEFAULT: true] user_pref("dom.disable_open_during_load", true); // [DEFAULT: true]
// Pref : Set max popups from a single non-click event // Pref : Set max popups from a single non-click event
user_pref("dom.popup_maximum", 3); // [DEFAULT: 4] user_pref("dom.popup_maximum", 2); // [DEFAULT: 20]
// Pref : Limit events that can cause a popup // Pref : Limit events that can cause a popup
// http://kb.mozillazine.org/Dom.popup_allowed_events // http://kb.mozillazine.org/Dom.popup_allowed_events
user_pref("dom.popup_allowed_events", "click dblclick"); // [DEFAULT: "change click dblclick mouseup pointerup notificationclick reset submit touchend"] user_pref("dom.popup_allowed_events", "click dblclick"); // [DEFAULT: "change click dblclick mouseup pointerup notificationclick reset submit touchend"]