Update user.js
✅ Sorted a lot of rules and fixed some parameters ✅ Enabled window.opener protection ⛔️ Disabled Service Workers ⛔️ Disabled Web Notifications ⛔️ Disabled Push Notifications ⛔️ Disabled "Confirm you want to leave" dialog on page close ⛔️ Disabled asm.js ⛔️ Disabled Intersection Observer API
This commit is contained in:
parent
c37fe0699b
commit
8ad625e231
90
user.js
90
user.js
|
@ -180,13 +180,6 @@ user_pref("browser.snippets.statsUrl", "");
|
|||
user_pref("browser.snippets.updateInterval", -1);
|
||||
user_pref("browser.snippets.updateUrl", "");
|
||||
user_pref("browser.snippets.syncPromo.enabled", false);
|
||||
// Pref : Disable right-click menu manipulation via JavaScript (disabled)
|
||||
user_pref("dom.event.contextmenu.enabled", false);
|
||||
// Pref : Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
|
||||
// Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in
|
||||
// JS-based web applications (Google Docs...)
|
||||
// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
|
||||
user_pref("dom.event.clipboardevents.enabled", false);
|
||||
// Pref : Force Punycode for Internationalized Domain Names
|
||||
// http://kb.mozillazine.org/Network.IDN_show_punycode
|
||||
// https://www.xudongz.com/blog/2017/idn-phishing/
|
||||
|
@ -219,8 +212,6 @@ user_pref("beacon.enabled", false);
|
|||
// https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
|
||||
// https://wiki.mozilla.org/HTML5_Speech_API
|
||||
user_pref("media.webspeech.recognition.enable", false);
|
||||
// Pref : Disable vibrator API
|
||||
user_pref("dom.vibrator.enabled", false);
|
||||
// Pref : Don't use Mozilla-provided location-specific search engines
|
||||
user_pref("browser.search.geoSpecificDefaults", false);
|
||||
// Pref : Don't monitor OS online/offline connection state
|
||||
|
@ -325,10 +316,83 @@ user_pref("security.csp.enable", true); // [DEFAULT: true]
|
|||
user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // [DEFAULT: true]
|
||||
//
|
||||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||
// Section : Web Workers
|
||||
// >>>>>>>>>>>>>>>>>>>>>>
|
||||
// Pref : Disable service workers
|
||||
// Service workers essentially act as proxy servers that sit between web apps, and the browser and network, are event driven, and can control the web page/site it is associated with, intercepting and modifying navigation and resource requests, and caching resources.
|
||||
// [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode.
|
||||
// [NOTE] Service workers only run over HTTPS. Service Workers have no DOM access.
|
||||
user_pref("dom.serviceWorkers.enabled", false);
|
||||
// Pref : Disable web notifications
|
||||
// https://developer.mozilla.org/docs/Web/API/Notifications_API
|
||||
user_pref("dom.webnotifications.enabled", false);
|
||||
user_pref("dom.webnotifications.serviceworker.enabled", false);
|
||||
// Pref : Disable push notifications
|
||||
// Web apps can receive messages pushed to them from a server, whether or not the web app is in the foreground, or even currently loaded
|
||||
// https://developer.mozilla.org/docs/Web/API/Push_API
|
||||
user_pref("dom.push.alwaysConnect", false);
|
||||
user_pref("dom.push.enabled", false);
|
||||
user_pref("dom.push.debug", false);
|
||||
user_pref("dom.push.connection.enabled", false);
|
||||
user_pref("dom.push.serverURL", "");
|
||||
user_pref("dom.push.userAgentID", "");
|
||||
//
|
||||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||
// Section : DOM (Document Object Model) & Javascript
|
||||
// >>>>>>>>>>>>>>>>>>>>>>
|
||||
// Pref : Disable right-click menu manipulation via JavaScript
|
||||
user_pref("dom.event.contextmenu.enabled", false);
|
||||
// Pref : Disable website access to clipboard events/content
|
||||
// Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...)
|
||||
// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
|
||||
user_pref("dom.event.clipboardevents.enabled", false);
|
||||
// Pref : Disable "Confirm you want to leave" dialog on page close
|
||||
// Does not prevent JS leaks of the page close event.
|
||||
// https://developer.mozilla.org/docs/Web/Events/beforeunload
|
||||
// https://support.mozilla.org/questions/1043508
|
||||
user_pref("dom.disable_beforeunload", true);
|
||||
// Pref : Disable shaking the screen (Vibrator API)
|
||||
user_pref("dom.vibrator.enabled", false);
|
||||
// Pref : Disable asm.js
|
||||
// http://asmjs.org/
|
||||
// https://www.mozilla.org/security/advisories/mfsa2015-29/
|
||||
// https://www.mozilla.org/security/advisories/mfsa2015-50/
|
||||
// https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
|
||||
// https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
|
||||
// https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
|
||||
user_pref("javascript.options.asmjs", false);
|
||||
// Pref : Disable Ion and baseline JIT to help harden JS against exploits
|
||||
// If false, causes the odd site issue and there is also a performance loss
|
||||
// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
|
||||
// user_pref("javascript.options.ion", false);
|
||||
// user_pref("javascript.options.baselinejit", false);
|
||||
// Pref : Disable WebAssembly
|
||||
// https://webassembly.org/
|
||||
// https://developer.mozilla.org/docs/WebAssembly
|
||||
// https://en.wikipedia.org/wiki/WebAssembly
|
||||
// https://trac.torproject.org/projects/tor/ticket/21549
|
||||
// user_pref("javascript.options.wasm", false);
|
||||
// Pref : Disable Intersection Observer API
|
||||
// Almost a year to complete, three versions late to stable (as default false), number #1 cause of crashes in nightly numerous times, and is (primarily) an ad network API for "ad viewability checks" down to a pixel level
|
||||
// https://developer.mozilla.org/docs/Web/API/Intersection_Observer_API
|
||||
// https://w3c.github.io/IntersectionObserver/
|
||||
// https://bugzilla.mozilla.org/1243846
|
||||
user_pref("dom.IntersectionObserver.enabled", false);
|
||||
// Pref : Disable Shared Memory (Spectre mitigation)
|
||||
// https://github.com/tc39/ecmascript_sharedmem/blob/master/TUTORIAL.md
|
||||
// https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
|
||||
user_pref("javascript.options.shared_memory", false); // [DEFAULT: false]
|
||||
// Pref : Enforce DOMHighResTimeStamp API
|
||||
// [WARNING] Required for normalization of timestamps and any timer resolution mitigations
|
||||
user_pref("dom.event.highrestimestamp.enabled", true); // [DEFAULT: true]
|
||||
// Pref : Enable (limited but sufficient) window.opener protection
|
||||
// Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set
|
||||
user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: false]
|
||||
//
|
||||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||
// Section : Media / Camera / Mic
|
||||
// >>>>>>>>>>>>>>>>>>>>>>
|
||||
// Pref : WebSockets is a technology that makes it possible to open an interactive communication
|
||||
// session between the user's browser and a server. (May leak IP when using proxy/VPN)
|
||||
// Pref : WebSockets is a technology that makes it possible to open an interactive communication session between the user's browser and a server. (May leak IP when using proxy/VPN)
|
||||
user_pref("media.peerconnection.enabled", false);
|
||||
// Pref : Limit WebRTC IP leaks if using WebRTC
|
||||
// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416
|
||||
|
@ -633,7 +697,7 @@ user_pref("dom.disable_window_move_resize", true); // [DEFAULT: true]
|
|||
// You can still right-click a link and open in a new window.
|
||||
// [TEST] https://people.torproject.org/~gk/misc/entire_desktop.html
|
||||
// https://trac.torproject.org/projects/tor/ticket/9881
|
||||
user_pref("browser.link.open_newwindow", 2); // [DEFAULT: 3]
|
||||
user_pref("browser.link.open_newwindow", 3); // [DEFAULT: 3]
|
||||
user_pref("browser.link.open_newwindow.restriction", 0); // [DEFAULT: 0]
|
||||
// Pref : Disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks
|
||||
// [NOTE] You can still manually toggle the browser's fullscreen state, but this pref will disable embedded video fullscreen controls, e.g. youtube
|
||||
|
@ -642,7 +706,7 @@ user_pref("browser.link.open_newwindow.restriction", 0); // [DEFAULT: 0]
|
|||
// Pref : Block popup windows
|
||||
user_pref("dom.disable_open_during_load", true); // [DEFAULT: true]
|
||||
// Pref : Set max popups from a single non-click event
|
||||
user_pref("dom.popup_maximum", 3); // [DEFAULT: 4]
|
||||
user_pref("dom.popup_maximum", 2); // [DEFAULT: 20]
|
||||
// Pref : Limit events that can cause a popup
|
||||
// http://kb.mozillazine.org/Dom.popup_allowed_events
|
||||
user_pref("dom.popup_allowed_events", "click dblclick"); // [DEFAULT: "change click dblclick mouseup pointerup notificationclick reset submit touchend"]
|
||||
|
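Review bot: The comment placed above `user_pref("media.peerconnection.enabled", false)` in the new Media / Camera / Mic section describes WebSockets, but that pref governs WebRTC peer connections, which is also what the proxy/VPN IP-leak caveat and the adjacent `Limit WebRTC IP leaks if using WebRTC` entry refer to; as written a reader would expect WebSockets to be off and WebRTC to keep working. I'd replace it with `// Pref : Disable WebRTC (RTCPeerConnection). WebRTC can reveal the real/local IP address even behind a proxy/VPN; this pref does not affect WebSockets`. Separately, the `(limited but sufficient)` label on `dom.targetBlankNoOpener.enabled` overstates it: by its own description it only makes noopener implicit for anchor/area `target=_blank` links that carry no rel attribute, so `window.open()` and links with some other rel value presumably still hand over the opener, and `limited` alone is the honest word.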
|