From 8dd4d06a8cb0c381e28aae68f7db731f905ac778 Mon Sep 17 00:00:00 2001
From: Narsil
Date: Fri, 2 Apr 2021 06:29:06 -0400
Subject: [PATCH] Update 'test'
---
 test | 1567 +++++++++++++++++++++++++++++-----------------------------
 1 file changed, 784 insertions(+), 783 deletions(-)
diff --git a/test b/test
index b699814..564dc3e 100644
--- a/test
+++ b/test
@@ -1006,12 +1006,13 @@ user_pref("privacy.userContext.enabled", true);
 // [NOTE] You can still override individual sites via site permissions ***/
 user_pref("plugin.state.flash", 0);
 // -------------------------------------
+// -------------------------------------
 // Disable GMP (Gecko Media Plugins)
 // https://wiki.mozilla.org/GeckoMediaPlugins ***/
 user_pref("media.gmp-provider.enabled", false);
 // -------------------------------------
 // Disable downloading OpenH264 codec at the first start of Firefox
-user_pref("media.gmp-gmpopenh264.enabled", false);
+ user_pref("media.gmp-gmpopenh264.enabled", false);
 // -------------------------------------
 // Disable widevine CDM (Content Decryption Module)
 // [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV
@@ -1026,785 +1027,785 @@ user_pref("media.gmp-manager.url.override", "");
 user_pref("media.eme.enabled", false);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// MEDIA / CAMERA / MIC ***/
-// >>>>>>>>>>>>>>>>>>>>>
-// Disable WebRTC (Web Real-Time Communication)
-// [SETUP-WEB] WebRTC can leak your IP address from behind your VPN, but if this is not
-// in your threat model, and you want Real-Time Communication, this is the pref for you
-// https://www.privacytools.io/#webrtc ***/
-user_pref("media.peerconnection.enabled", false);
-// -------------------------------------
-// Limit WebRTC IP leaks if using WebRTC
-// In FF70+ these settings match Mode 4 (Mode 3 in older versions)
-// [TEST] https://browserleaks.com/webrtc
-// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713
-// https://wiki.mozilla.org/Media/WebRTC/Privacy
-// https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12#section-5.2 ***/
-user_pref("media.peerconnection.ice.default_address_only", true);
-user_pref("media.peerconnection.ice.no_host", true); // [FF51+]
-user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+]
-user_pref("media.peerconnection.turn.disable", true);
-user_pref("media.peerconnection.use_document_iceservers", false);
-user_pref("media.peerconnection.video.enabled", false);
-user_pref("media.peerconnection.identity.timeout", 1);
-// -------------------------------------
-// Disable WebGL (Web Graphics Library)
-// [SETUP-WEB] When disabled, may break some websites. When enabled, provides high entropy,
-// especially with readPixels(). Some of the other entropy is lessened with RFP
-// https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
-// https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/
-user_pref("webgl.disabled", true);
-user_pref("webgl.enable-webgl2", false);
-// -------------------------------------
-// Limit WebGL ***/
-// user_pref("webgl.min_capability_mode", true);
-user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+]
-// -------------------------------------
-// Disable screensharing ***/
-user_pref("media.getusermedia.screensharing.enabled", false);
-user_pref("media.getusermedia.browser.enabled", false);
-user_pref("media.getusermedia.audiocapture.enabled", false);
-// -------------------------------------
-// Set a default permission for Camera/Microphone [FF58+]
-// 0=always ask (default), 1=allow, 2=block
-// [SETTING] to add site exceptions: Ctrl+I>Permissions>Use the Camera/Microphone
-// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings ***/
-user_pref("permissions.default.camera", 2);
-user_pref("permissions.default.microphone", 2);
-// -------------------------------------
-// Disable autoplay of HTML5 media [FF63+]
-// 0=Allow all, 1=Block non-muted media (default in FF67+), 2=Prompt (removed in FF66), 5=Block all (FF69+)
-// [NOTE] You can set exceptions under site permissions
-// [SETTING] Privacy & Security>Permissions>Autoplay>Settings>Default for all websites ***/
-// user_pref("media.autoplay.default", 5);
-// -------------------------------------
-// Disable autoplay of HTML5 media if you interacted with the site [FF78+]
-// 0=sticky (default), 1=transient, 2=user
-// [NOTE] If you have trouble with some video sites, then add an exception
-// https://support.mozilla.org/questions/1293231 ***/
-user_pref("media.autoplay.blocking_policy", 2);
-// -------------------------------------
-// Pref : Disable showing avif images
-// user_pref("image.avif.enabled", false);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// WINDOW MEDDLING & LEAKS / POPUPS ***/
-// >>>>>>>>>>>>>>>>>>>>>
-// Prevent scripts from moving and resizing open windows ***/
-user_pref("dom.disable_window_move_resize", true);
-// -------------------------------------
-// Open links targeting new windows in a new tab instead
-// This stops malicious window sizes and some screen resolution leaks.
-// You can still right-click a link and open in a new window.
-// [TEST] https://arkenfox.github.io/TZP/tzp.html#screen
-// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/
-user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab
-user_pref("browser.link.open_newwindow.restriction", 0);
-// -------------------------------------
-// Disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks
-// [NOTE] You can still manually toggle the browser's fullscreen state (F11),
-// but this pref will disable embedded video/game fullscreen controls, e.g. youtube
-// [TEST] https://arkenfox.github.io/TZP/tzp.html#screen ***/
-// user_pref("full-screen-api.enabled", false);
-// -------------------------------------
-// Block popup windows
-// [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/
-user_pref("dom.disable_open_during_load", true);
-// -------------------------------------
-// Limit events that can cause a popup [SETUP-WEB]
-// default FF86+: "change click dblclick auxclick mousedown mouseup pointerdown pointerup notificationclick reset submit touchend contextmenu" ***/
-user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// WEB WORKERS
-// >>>>>>>>>>>>>>>>>>>>>
-// Disable service workers [FF32, FF44-compat]
-// Service workers essentially act as proxy servers that sit between web apps, and the
-// browser and network, are event driven, and can control the web page/site it is associated
-// with, intercepting and modifying navigation and resource requests, and caching resources.
-// [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode.
-// [NOTE] Service workers only run over HTTPS. Service workers have no DOM access.
-// [SETUP-WEB] Disabling service workers will break some sites. This pref is required true for
-// service worker notifications, push notifications and service worker
-// cache. If you enable this pref, then check those settings as well ***/
-user_pref("dom.serviceWorkers.enabled", false);
-// -------------------------------------
-// Disable Web Notifications
-// [NOTE] Web Notifications can also use service workers and are behind a prompt
-// https://developer.mozilla.org/docs/Web/API/Notifications_API ***/
-user_pref("dom.webnotifications.enabled", false); // [FF22+]
-// user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
-// -------------------------------------
-// Disable Push Notifications [FF44+]
-// Push is an API that allows websites to send you (subscribed) messages even when the site
-// isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server.
-// [NOTE] Push requires service workers to subscribe to and display, and is behind
-// a prompt. Disabling service workers alone doesn't stop Firefox polling the
-// Mozilla Push Server. To remove all subscriptions, reset your userAgentID (in about:config
-// or on start), and you will get a new one within a few seconds.
-// https://support.mozilla.org/en-US/kb/push-notifications-firefox
-// https://developer.mozilla.org/en-US/docs/Web/API/Push_API ***/
-user_pref("dom.push.enabled", false);
-user_pref("dom.push.connection.enabled", false);
-user_pref("dom.push.serverURL", "");
-user_pref("dom.push.userAgentID", "");
-// -------------------------------------
-// Set a default permission for Notifications [FF58+]
-// 0=always ask (default), 1=allow, 2=block
-// [NOTE] Best left at default "always ask", fingerprintable via Permissions API
-// [SETTING] to add site exceptions: Ctrl+I>Permissions>Receive Notifications
-// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings ***/
-// user_pref("permissions.default.desktop-notification", 2);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/
-// >>>>>>>>>>>>>>>>>>>>>
-// Disable website control over browser right-click context menu
-// [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/
-// user_pref("dom.event.contextmenu.enabled", false);
-// -------------------------------------
-// Disable website access to clipboard events/content [SETUP-HARDEN]
-// [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress
-// This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website
-// [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one
-// is default false) then enabling this pref can leak clipboard content
-// https://bugzilla.mozilla.org/1528289
-user_pref("dom.event.clipboardevents.enabled", false);
-// -------------------------------------
-// Disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
-// this disables document.execCommand("cut"/"copy") to protect your clipboard
-// https://bugzilla.mozilla.org/1170911 ***/
-user_pref("dom.allow_cut_copy", false);
-// -------------------------------------
-// Disable "Confirm you want to leave" dialog on page close
-// Does not prevent JS leaks of the page close event.
-// https://developer.mozilla.org/docs/Web/Events/beforeunload
-// https://support.mozilla.org/questions/1043508 ***/
-user_pref("dom.disable_beforeunload", true);
-// -------------------------------------
-// Disable shaking the screen ***/
-user_pref("dom.vibrator.enabled", false);
-// -------------------------------------
-// Disable asm.js [FF22+] [SETUP-PERF]
-// http://asmjs.org/
-// https://www.mozilla.org/security/advisories/mfsa2015-29/
-// https://www.mozilla.org/security/advisories/mfsa2015-50/
-// https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
-// https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
-// https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
-user_pref("javascript.options.asmjs", false);
-// -------------------------------------
-// Disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN]
-// [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
-// hidden pref is enabled, then Ion can still be used by extensions (1599226)
-// [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
-// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
-// user_pref("javascript.options.ion", false);
-// user_pref("javascript.options.baselinejit", false);
-// user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]
-// -------------------------------------
-// Disable WebAssembly [FF52+] [SETUP-PERF]
-// Vulnerabilities have increasingly been found, including those known and fixed
-// in native programs years ago. WASM has powerful low-level access, making
-// certain attacks (brute-force) and vulnerabilities more possible
-// [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising
-// https://developer.mozilla.org/docs/WebAssembly
-// https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
-// https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
-user_pref("javascript.options.wasm", false);
-// -------------------------------------
-// Enable (limited but sufficient) window.opener protection [FF65+]
-// Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/
-user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+]
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// HARDWARE FINGERPRINTING ***/
-// >>>>>>>>>>>>>>>>>>>>>
-// Disable Battery Status API
-// Initially a Linux issue (high precision readout) that was fixed.
-// However, it is still another metric for fingerprinting, used to raise entropy.
-// e.g. do you have a battery or not, current charging status, charge level, times remaining etc
-// [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code
-// https://bugzilla.mozilla.org/1313580 ***/
-user_pref("dom.battery.enabled", false);
-// -------------------------------------
-// Disable media device enumeration [FF29+]
-// [NOTE] media.peerconnection.enabled should also be set to false
-// https://wiki.mozilla.org/Media/getUserMedia
-// https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices ***/
-user_pref("media.navigator.enabled", false);
-// -------------------------------------
-// Disable hardware acceleration to reduce graphics fingerprinting [SETUP-HARDEN]
-// [WARNING] Affects text rendering (fonts will look different), impacts video performance,
-// and parts of Quantum that utilize the GPU will also be affected as they are rolled out
-// [SETTING] General>Performance>Custom>Use hardware acceleration when available
-// https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/
-// user_pref("gfx.direct2d.disabled", true);
-// user_pref("layers.acceleration.disabled", true);
-// -------------------------------------
-// Disable Web Audio API [FF51+]
-// https://bugzilla.mozilla.org/1288359 ***/
-user_pref("dom.webaudio.enabled", false);
-// -------------------------------------
-// Disable Media Capabilities API [FF63+]
-// [WARNING] This *may* affect media performance if disabled, no one is sure
-// https://github.com/WICG/media-capabilities
-// https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/
-// user_pref("media.media-capabilities.enabled", false);
-// -------------------------------------
-// Disable virtual reality devices
-// Optional protection depending on your connected devices
-// https://developer.mozilla.org/docs/Web/API/WebVR_API ***/
-// user_pref("dom.vr.enabled", false);
-// -------------------------------------
-// Set a default permission for Virtual Reality [FF73+]
-// 0=always ask (default), 1=allow, 2=block
-// [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Virtual Reality Devices
-// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings ***/
-// user_pref("permissions.default.xr", 2);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// MISCELLANEOUS ***/
-// >>>>>>>>>>>>>>>>>>>>>
-// Prevent accessibility services from accessing your browser [RESTART]
-// [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower)
-// https://support.mozilla.org/kb/accessibility-services ***/
-user_pref("accessibility.force_disabled", 1);
-// -------------------------------------
-// Disable sending additional analytics to web servers
-// https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/
-user_pref("beacon.enabled", false);
-// -------------------------------------
-// Remove temp files opened with an external application
-// https://bugzilla.mozilla.org/302433 ***/
-user_pref("browser.helperApps.deleteTempFileOnExit", true);
-// -------------------------------------
-// Disable page thumbnail collection
-user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF]
-// -------------------------------------
-// Disable UITour backend so there is no chance that a remote page can use it ***/
-user_pref("browser.uitour.enabled", false);
-user_pref("browser.uitour.url", "");
-// -------------------------------------
-// Disable various developer tools in browser context
-// [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
-// https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/
-user_pref("devtools.chrome.enabled", false);
-// -------------------------------------
-// Reset remote debugging to disabled
-// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/
-user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false]
-user_pref("devtools.webide.autoinstallADBHelper", false);
-// -------------------------------------
-// Disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
-// [TEST] https://arkenfox.github.io/TZP/tzp.html#misc
-// https://bugzilla.mozilla.org/1173199 ***/
-// user_pref("mathml.disabled", true);
-// -------------------------------------
-// Disable in-content SVG (Scalable Vector Graphics) [FF53+]
-// [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
-// https://bugzilla.mozilla.org/1216893 ***/
-// user_pref("svg.disabled", true);
-// -------------------------------------
-// Disable middle mouse click opening links from clipboard
-// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/
-user_pref("middlemouse.contentLoadURL", false);
-// -------------------------------------
-// Disable websites overriding Firefox's keyboard shortcuts [FF58+]
-// 0 (default) or 1=allow, 2=block
-// [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/
-// user_pref("permissions.default.shortcuts", 2);
-// -------------------------------------
-// Remove special permissions for certain mozilla domains [FF35+]
-// resource://app/defaults/permissions ***/
-user_pref("permissions.manager.defaultsUrl", "");
-// -------------------------------------
-// Remove webchannel whitelist ***/
-user_pref("webchannel.allowObject.urlWhitelist", "");
-// -------------------------------------
-// Enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
-// Firefox has *some* protections, but it is better to be safe than sorry
-// [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded
-// [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
-// https://wiki.mozilla.org/IDN_Display_Algorithm
-// https://en.wikipedia.org/wiki/IDN_homograph_attack
-// CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
-// https://www.xudongz.com/blog/2017/idn-phishing/ ***/
-user_pref("network.IDN_show_punycode", true);
-// -------------------------------------
-// Enforce Firefox's built-in PDF reader [SETUP-CHROME]
-// This setting controls if the option "Display in Firefox" is available in the setting below
-// and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
-// PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
-// Exploits are rare (1 serious case in 4 yrs), treated seriously and patched quickly.
-// It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
-// It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
-// CONS: You may prefer a different pdf reader for security reasons
-// CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare)
-// [SETTING] General>Applications>Portable Document Format (PDF) ***/
-user_pref("pdfjs.disabled", false); // [DEFAULT: false]
-// -------------------------------------
-// Disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/
-user_pref("network.protocol-handler.external.ms-windows-store", false);
-// -------------------------------------
-// Enforce no system colors; they can be fingerprinted
-// [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/
-user_pref("browser.display.use_system_colors", false); // [DEFAULT: false]
-// -------------------------------------
-// Disable permissions delegation [FF73+]
-// Currently applies to cross-origin geolocation, camera, mic and screen-sharing
-// permissions, and fullscreen requests. Disabling delegation means any prompts
-// for these will show/use their correct 3rd party origin
-// https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion
-user_pref("permissions.delegation.enabled", false);
-// -------------------------------------
-// Enable "window.name" protection [FF82+]
-// If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original
-// string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks
-// https://arkenfox.github.io/TZP/tests/windownamea.html
-user_pref("privacy.window.name.update.enabled", true);
-// -------------------------------------
-// Disable bypassing 3rd party extension install prompts [FF82+]
-// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/
-user_pref("extensions.postDownloadThirdPartyPrompt", false);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// DOWNLOADS ***/
-// >>>>>>>>>>>>>>>>>>>>>
-// Discourage downloading to desktop
-// 0=desktop, 1=downloads (default), 2=last used
-// [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
-// user_pref("browser.download.folderList", 2);
-// -------------------------------------
-// Enforce user interaction for security by always asking where to download
-// [SETUP-CHROME] On Android this blocks longtapping and saving images
-// [SETTING] General>Downloads>Always ask you where to save files ***/
-user_pref("browser.download.useDownloadDir", false);
-// -------------------------------------
-// Disable adding downloads to the system's "recent documents" list ***/
-user_pref("browser.download.manager.addToRecentDocs", false);
-// -------------------------------------
-// Disable "open with" in download dialog [FF50+] [SETUP-HARDEN]
-// This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
-// in such a way that it is forbidden to run external applications.
-// [WARNING] This may interfere with some users' workflow or methods
-// https://bugzilla.mozilla.org/1281959 ***/
-// user_pref("browser.download.forbid_open_with", true);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// EXTENSIONS ***/
-// >>>>>>>>>>>>>>>>>>>>>
-// Lock down allowed extension directories
-// [SETUP-CHROME] This will break extensions, language packs, themes and any other
-// XPI files which are installed outside of profile and application directories
-// https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
-// archived: https://archive.is/DYjAM ***/
-user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF]
-user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
-// -------------------------------------
-// Disable webextension restrictions on certain mozilla domains [FF60+]
-// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
-// user_pref("extensions.webextensions.restrictedDomains", "");
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// SECURITY ***/
-// >>>>>>>>>>>>>>>>>>>>>
-// Enforce CSP (Content Security Policy)
-// [WARNING] CSP is a very important and widespread security feature. Don't disable it!
-// https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
-user_pref("security.csp.enable", true); // [DEFAULT: true]
-// -------------------------------------
-// Enforce a security delay on some confirmation dialogs such as install, open/save
-// https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
-user_pref("security.dialog_enable_delay", 700);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// PERSISTENT STORAGE
-// >>>>>>>>>>>>>>>>>>>>>
-// Disable 3rd-party cookies and site-data [SETUP-WEB]
-// 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies,
-// 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (default)
-// [NOTE] You can set exceptions under site permissions or use an extension
-// [NOTE] Enforcing category to custom ensures ETP related prefs are always honored
-// [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/
-user_pref("network.cookie.cookieBehavior", 1);
-user_pref("browser.contentblocking.category", "custom");
-// -------------------------------------
-// Set third-party cookies (i.e ALL) (if enabled) to session-only
-// [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
-// .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
-// https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/
-user_pref("network.cookie.thirdparty.sessionOnly", true);
-user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
-// -------------------------------------
-// Delete cookies and site data on close
-// 0=keep until they expire (default), 2=keep until you close Firefox
-// [NOTE] The setting below is disabled (but not changed) if you block all cookies
-// [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed ***/
-user_pref("network.cookie.lifetimePolicy", 2);
-// -------------------------------------
-// Disable DOM (Document Object Model) Storage
-// [WARNING] This will break a LOT of sites' functionality AND extensions!
-// You are better off using an extension for more granular control ***/
-// user_pref("dom.storage.enabled", false);
-// -------------------------------------
-// Enforce no offline cache storage (appCache)
-// The API is easily fingerprinted, use the "storage" pref instead ***/
-// user_pref("browser.cache.offline.enable", false);
-user_pref("browser.cache.offline.storage.enable", false); // [FF71+] [DEFAULT: false FF84+]
-// -------------------------------------
-// Disable service worker cache and cache storage
-// [NOTE] We clear service worker cache on exiting Firefox
-// https://w3c.github.io/ServiceWorker/#privacy ***/
-// user_pref("dom.caches.enabled", false);
-// -------------------------------------
-// Disable Storage API [FF51+]
-// The API gives sites the ability to find out how much space they can use, how much
-// they are already using, and even control whether or not they need to be alerted
-// before the user agent disposes of site data in order to make room for other things.
-// https://developer.mozilla.org/docs/Web/API/StorageManager
-// https://developer.mozilla.org/docs/Web/API/Storage_API
-// https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/
-// user_pref("dom.storageManager.enabled", false);
-// -------------------------------------
-// Disable Storage Access API [FF65+]
-// https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API ***/
-// user_pref("dom.storage_access.enabled", false);
-// -------------------------------------
-// Enable Local Storage Next Generation (LSNG) [FF65+] ***/
-user_pref("dom.storage.next_gen", true);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// SHUTDOWN
-// >>>>>>>>>>>>>>>>>>>>>
-// Enable Firefox to clear items on shutdown
-// [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/
-user_pref("privacy.sanitize.sanitizeOnShutdown", true);
-// -------------------------------------
-// Set what items to clear on shutdown [SETUP-CHROME]
-// [NOTE] If 'history' is true, downloads will also be cleared regardless of the value
-// but if 'history' is false, downloads can still be cleared independently
-// However, this may not always be the case. The interface combines and syncs these
-// prefs when set from there, and the sanitize code may change at any time
-// [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings ***/
-user_pref("privacy.clearOnShutdown.cache", true);
-user_pref("privacy.clearOnShutdown.cookies", true);
-user_pref("privacy.clearOnShutdown.downloads", true); // see note above
-user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History
-user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History
-user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data
-user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins
-user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences
-// -------------------------------------
-// Reset default items to clear with Ctrl-Shift-Del [SETUP-CHROME]
-// This dialog can also be accessed from the menu History>Clear Recent History
-// Firefox remembers your last choices. This will reset them when you start Firefox.
-// [NOTE] Regardless of what you set privacy.cpd.downloads to, as soon as the dialog
-// for "Clear Recent History" is opened, it is synced to the same as 'history' ***/
-user_pref("privacy.cpd.cache", true);
-user_pref("privacy.cpd.cookies", true);
-// user_pref("privacy.cpd.downloads", true); // not used, see note above
-user_pref("privacy.cpd.formdata", true); // Form & Search History
-user_pref("privacy.cpd.history", true); // Browsing & Download History
-user_pref("privacy.cpd.offlineApps", true); // Offline Website Data
-user_pref("privacy.cpd.passwords", false); // this is not listed
-user_pref("privacy.cpd.sessions", true); // Active Logins
-user_pref("privacy.cpd.siteSettings", false); // Site Preferences
-// -------------------------------------
-// Clear Session Restore data when sanitizing on shutdown or manually [FF34+]
-// [NOTE] Not needed if Session Restore is not used or is already cleared with history
-// [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes
-// [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/
-// user_pref("privacy.clearOnShutdown.openWindows", true);
-// user_pref("privacy.cpd.openWindows", true);
-// -------------------------------------
-// Reset default 'Time range to clear' for 'Clear Recent History'
-// Firefox remembers your last choice. This will reset the value when you start Firefox.
-// 0=everything, 1=last hour, 2=last two hours, 3=last four hours,
-// 4=today, 5=last five minutes, 6=last twenty-four hours
-// [NOTE] The values 5 + 6 are not listed in the dropdown, which will display a
-// blank value if they are used, but they do work as advertised ***/
-user_pref("privacy.sanitize.timeSpan", 0);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// FPI (FIRST PARTY ISOLATION)
-// >>>>>>>>>>>>>>>>>>>>>
-// Enable First Party Isolation [FF51+]
-// [SETUP-WEB] May break cross-domain logins and site functionality until perfected
-// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/
-user_pref("privacy.firstparty.isolate", true);
-// -------------------------------------
-// Enforce FPI restriction for window.opener [FF54+]
-// [NOTE] Setting this to false may reduce the breakage
-// FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But
-// to reduce breakage it ignores the 1st-party domain (FPD) originAttribute
-// The 2nd pref removes that limitation and will only allow communication if FPDs also match.
-// https://bugzilla.mozilla.org/1319773#c22
-// https://bugzilla.mozilla.org/1492607
-// https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/
-// user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
-// user_pref("privacy.firstparty.isolate.block_post_message", true);
-// -------------------------------------
-// Enable scheme with FPI [FF78+]
-// [NOTE] Experimental: existing data and site permissions are incompatible
-// and some site exceptions may not work e.g.
HTTPS-only mode ***/
-// user_pref("privacy.firstparty.isolate.use_site", true);
-// -------------------------------------
-// Enable site partitioning (FF78+)
-// https://bugzilla.mozilla.org/1590107 [META] */
-user_pref("privacy.partition.network_state", true);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// RFP (RESIST FINGERPRINTING)
-// >>>>>>>>>>>>>>>>>>>>>
-// Enable privacy.resistFingerprinting [FF41+]
-// This pref is the master switch for all other privacy.resist* prefs unless stated
-// [SETUP-WEB] RFP can cause the odd website to break in strange ways, and has a few side affects,
-// but is largely robust nowadays. Give it a try. Your choice.
-// https://bugzilla.mozilla.org/418986 ***/
-user_pref("privacy.resistFingerprinting", true);
-// -------------------------------------
-// Set new window sizes to round to hundreds [FF55+] [SETUP-CHROME]
-// Width will round down to multiples of 200s and height to 100s, to fit your screen.
-// The override values are a starting point to round from if you want some control
-// https://bugzilla.mozilla.org/1330882 ***/
-// user_pref("privacy.window.maxInnerWidth", 1000);
-// user_pref("privacy.window.maxInnerHeight", 1000);
-// -------------------------------------
-// Disable mozAddonManager Web API [FF57+]
-// [NOTE] As a side-effect in FF57-59 this allowed extensions to work on AMO.
In FF60+ you also need
-// to sanitize or clear extensions.webextensions.restrictedDomains to keep that side-effect
-// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
-user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF]
-user_pref("extensions.webextensions.restrictedDomains", "");
-// -------------------------------------
-// Enable RFP letterboxing [FF67+]
-// Dynamically resizes the inner window by applying margins in stepped ranges
-// If you use the dimension pref, then it will only apply those resolutions. The format is
-// "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900")
-// [WARNING] The dimension pref is only meant for testing, and we recommend you DO NOT USE it
-// https://bugzilla.mozilla.org/1407366
-// https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/
-// user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
-// user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF]
-// -------------------------------------
-// Disable showing about:blank as soon as possible during startup [FF60+]
-// When default true this no longer masks the RFP chrome resizing activity
-// https://bugzilla.mozilla.org/1448423 ***/
-user_pref("browser.startup.blankWindow", false);
-// -------------------------------------
-// Disable chrome animations [FF77+] [RESTART]
-// [NOTE] pref added in FF63, but applied to chrome in FF77. RFP spoofs this for web content ***/
-user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF]
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// RFP ALTERNATIVES
-// >>>>>>>>>>>>>>>>>>>>>
-// Spoof (or limit?) number of CPU cores [FF48+]
-// [NOTE] *may* affect core chrome/Firefox performance, will affect content.
-// https://bugzilla.mozilla.org/1008453
-// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21675
-// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22127
-// https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency
-// user_pref("dom.maxHardwareConcurrency", 2);
-// -------------------------------------
-// Disable resource/navigation timing
-user_pref("dom.enable_resource_timing", false);
-// -------------------------------------
-// Disable timing attacks
-// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
-user_pref("dom.enable_performance", false);
-// -------------------------------------
-// Disable device sensor API
-// Optional protection depending on your device
-// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15758
-// https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
-// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751
-user_pref("device.sensors.enabled", false);
-// -------------------------------------
-// Disable site specific zoom
-// Zoom levels affect screen res and are highly fingerprintable. This does not stop you using
-// zoom, it will just not use/remember any site specific settings. Zoom levels on new tabs
-// and new windows are reset to default and only the current tab retains the current zoom
-user_pref("browser.zoom.siteSpecific", false);
-// -------------------------------------
-// Disable gamepad API - USB device ID enumeration
-// Optional protection depending on your connected devices
-// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13023
-user_pref("dom.gamepad.enabled", false);
-// -------------------------------------
-// Disable giving away network info [FF31+]
-// e.g.
bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
-// https://developer.mozilla.org/docs/Web/API/Network_Information_API
-// https://wicg.github.io/netinfo/
-// https://bugzilla.mozilla.org/960426
-user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android]
-// -------------------------------------
-// Disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API
-// https://developer.mozilla.org/docs/Web/API/Web_Speech_API
-// https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
-// https://wiki.mozilla.org/HTML5_Speech_API
-user_pref("media.webspeech.synth.enabled", false);
-// -------------------------------------
-// Disable video statistics - JS performance fingerprinting [FF25+]
-// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15757
-// https://bugzilla.mozilla.org/654550
-user_pref("media.video_stats.enabled", false);
-// -------------------------------------
-// Disable touch events
-// fingerprinting attack vector - leaks screen res & actual screen coordinates
-// 0=disabled, 1=enabled, 2=autodetect
-// Optional protection depending on your device
-// https://developer.mozilla.org/docs/Web/API/Touch_events
-// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10286
-user_pref("dom.w3c_touch_events.enabled", 0);
-// -------------------------------------
-// Disable MediaDevices change detection [FF51+]
-// https://developer.mozilla.org/docs/Web/Events/devicechange
-// https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange
-user_pref("media.ondevicechange.enabled", false);
-// -------------------------------------
-// Disable WebGL debug info being available to websites
-// https://bugzilla.mozilla.org/1171228
-// https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info
-user_pref("webgl.enable-debug-renderer-info", false);
-// -------------------------------------
-// Enforce prefers-reduced-motion as no-preference [FF63+] [RESTART]
-//
0=no-preference, 1=reduce
-user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF]
-// -------------------------------------
-// Disable PointerEvents [FF86 or lower]
-// https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent
-// https://bugzilla.mozilla.org/1688105
-user_pref("dom.w3c_pointer_events.enabled", false);
-// -------------------------------------
-// Disable exposure of system colors to CSS or canvas [FF44+]
-// [NOTE] See second listed bug: may cause black on black for elements with undefined colors
-// [SETUP-CHROME] Might affect CSS in themes and extensions
-// https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876
-user_pref("ui.use_standins_for_native_colors", true);
-// -------------------------------------
-// Enforce prefers-color-scheme as light [FF67+]
-// 0=light, 1=dark : This overrides your OS value
-user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
-// -------------------------------------
-// Limit font visibility (non-ANDROID) [FF79+]
-// Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts
-// 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
-// [NOTE] Bundled fonts are auto-allowed
-// https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc
-user_pref("layout.css.font-visibility.level", 1);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// RFP ALTERNATIVES (NAVIGATOR / USER AGENT SPOOFING)
-// >>>>>>>>>>>>>>>>>>>>>
-// Navigator DOM object overrides
-// [WARNING] DO NOT USE ***/
-// user_pref("general.appname.override", ""); // [HIDDEN PREF]
-// user_pref("general.appversion.override", ""); // [HIDDEN PREF]
-// user_pref("general.buildID.override", ""); // [HIDDEN PREF]
-// user_pref("general.oscpu.override", ""); // [HIDDEN PREF]
-// user_pref("general.platform.override", ""); // [HIDDEN PREF]
-// user_pref("general.useragent.override",
""); // [HIDDEN PREF]
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// PERSONAL
-// >>>>>>>>>>>>>>>>>>>>>
-user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
-user_pref("startup.homepage_welcome_url", "");
-user_pref("startup.homepage_welcome_url.additional", "");
-user_pref("startup.homepage_override_url", ""); // What's New page after updates
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// WARNINGS ***/
-// >>>>>>>>>>>>>>>>>>>>>
-user_pref("browser.tabs.warnOnClose", false);
-user_pref("browser.tabs.warnOnCloseOtherTabs", false);
-user_pref("browser.tabs.warnOnOpen", false);
-user_pref("full-screen-api.warning.delay", 0);
-user_pref("full-screen-api.warning.timeout", 0);
-user_pref("browser.warnOnQuit", false);
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// APPEARANCE ***/
-// >>>>>>>>>>>>>>>>>>>>>
-// user_pref("browser.download.autohideButton", false); // [FF57+]
-// user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// CONTENT BEHAVIOR ***/
-// >>>>>>>>>>>>>>>>>>>>>
-user_pref("accessibility.typeaheadfind", false); // enable "Find As You Type"
-user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX]
-user_pref("layout.spellcheckDefault", 0); // 0=none, 1-multi-line, 2=multi-line & single-line
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// UX BEHAVIOR ***/
-// >>>>>>>>>>>>>>>>>>>>>
-//
user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing
-// user_pref("browser.quitShortcut.disabled", true); // disable Ctrl-Q quit shortcut [LINUX] [MAC] [FF87+]
-// user_pref("browser.tabs.closeWindowWithLastTab", false);
-// user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+]
-// user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+]
-// user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux]
-// user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
-// user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under]
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// UX FEATURES: Disable and hide the icons and menus ***/
-// >>>>>>>>>>>>>>>>>>>>>
-user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New [FF69+]
-user_pref("messaging-system.rsexperimentloader.enabled", false);
-user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
-user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART]
-user_pref("reader.parse-on-load.enabled", false); // Reader View
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// OTHER ***/
-// >>>>>>>>>>>>>>>>>>>>>
-// user_pref("browser.bookmarks.max_backups", 2);
-user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+]
-user_pref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" "");
-// [SETTING] General>Browsing>Recommend extensions as you browse
-user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); //
disable CFR [FF67+]
-// [SETTING] General>Browsing>Recommend features as you browse
-user_pref("network.manage-offline-status", false); // see bugzilla 620472
-// user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// DEPRECATED / REMOVED / LEGACY / RENAMED
-// >>>>>>>>>>>>>>>>>>>>>
-// FF79
-// Enforce fallback text encoding to match en-US
-// When the content or server doesn't declare a charset the browser will
-// fallback to the "Current locale" based on your application language
-// [TEST] https://hsivonen.com/test/moz/check-charset.htm
-// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025
-// https://bugzilla.mozilla.org/1603712
-user_pref("intl.charset.fallback.override", "windows-1252");
-// -------------------------------------
-// FF82
-// Disable geographically specific results/search engines e.g. "browser.search.*.US"
-// i.e.
ignore all of Mozilla's various search engines in multiple locales
-// https://bugzilla.mozilla.org/1619926
-user_pref("browser.search.geoSpecificDefaults", false);
-user_pref("browser.search.geoSpecificDefaults.url", "");
-// -------------------------------------
-// FF86
-// Disable SSL Error Reporting
-// https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html
-// https://bugzilla.mozilla.org/1681839
-user_pref("security.ssl.errorReporting.automatic", false);
-user_pref("security.ssl.errorReporting.enabled", false);
-user_pref("security.ssl.errorReporting.url", "");
-// -------------------------------------
-// Disable hiding mime types (Options>General>Applications) not associated with a plugin
-// https://bugzilla.mozilla.org/1581678
-user_pref("browser.download.hide_plugins_without_extensions", false);
-// -------------------------------------
-// FF87
-// Disable Activity Stream recent Highlights in the Library [FF57+]
-// https://bugzilla.mozilla.org/1689405
-user_pref("browser.library.activity-stream.enabled", false);
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-//
\ No newline at end of file
+ // MEDIA / CAMERA / MIC ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Disable WebRTC (Web Real-Time Communication)
+ // [SETUP-WEB] WebRTC can leak your IP address from behind your VPN, but if this is not
+ // in your threat model, and you want Real-Time Communication, this is the pref for you
+ // https://www.privacytools.io/#webrtc ***/
+ user_pref("media.peerconnection.enabled", false);
+ // -------------------------------------
+ // Limit WebRTC IP leaks if using WebRTC
+ // In FF70+ these settings match Mode 4 (Mode 3 in older versions)
+ // [TEST] https://browserleaks.com/webrtc
+ // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713
+ // https://wiki.mozilla.org/Media/WebRTC/Privacy
+ //
https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12#section-5.2 ***/
+ user_pref("media.peerconnection.ice.default_address_only", true);
+ user_pref("media.peerconnection.ice.no_host", true); // [FF51+]
+ user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+]
+ user_pref("media.peerconnection.turn.disable", true);
+ user_pref("media.peerconnection.use_document_iceservers", false);
+ user_pref("media.peerconnection.video.enabled", false);
+ user_pref("media.peerconnection.identity.timeout", 1);
+ // -------------------------------------
+ // Disable WebGL (Web Graphics Library)
+ // [SETUP-WEB] When disabled, may break some websites. When enabled, provides high entropy,
+ // especially with readPixels(). Some of the other entropy is lessened with RFP
+ // https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
+ // https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/
+ user_pref("webgl.disabled", true);
+ user_pref("webgl.enable-webgl2", false);
+ // -------------------------------------
+ // Limit WebGL ***/
+ // user_pref("webgl.min_capability_mode", true);
+ user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+]
+ // -------------------------------------
+ // Disable screensharing ***/
+ user_pref("media.getusermedia.screensharing.enabled", false);
+ user_pref("media.getusermedia.browser.enabled", false);
+ user_pref("media.getusermedia.audiocapture.enabled", false);
+ // -------------------------------------
+ // Set a default permission for Camera/Microphone [FF58+]
+ // 0=always ask (default), 1=allow, 2=block
+ // [SETTING] to add site exceptions: Ctrl+I>Permissions>Use the Camera/Microphone
+ // [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings ***/
+ user_pref("permissions.default.camera", 2);
+ user_pref("permissions.default.microphone", 2);
+ //
-------------------------------------
+ // Disable autoplay of HTML5 media [FF63+]
+ // 0=Allow all, 1=Block non-muted media (default in FF67+), 2=Prompt (removed in FF66), 5=Block all (FF69+)
+ // [NOTE] You can set exceptions under site permissions
+ // [SETTING] Privacy & Security>Permissions>Autoplay>Settings>Default for all websites ***/
+ // user_pref("media.autoplay.default", 5);
+ // -------------------------------------
+ // Disable autoplay of HTML5 media if you interacted with the site [FF78+]
+ // 0=sticky (default), 1=transient, 2=user
+ // [NOTE] If you have trouble with some video sites, then add an exception
+ // https://support.mozilla.org/questions/1293231 ***/
+ user_pref("media.autoplay.blocking_policy", 2);
+ // -------------------------------------
+ // Pref : Disable showing avif images
+ // user_pref("image.avif.enabled", false);
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // WINDOW MEDDLING & LEAKS / POPUPS ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Prevent scripts from moving and resizing open windows ***/
+ user_pref("dom.disable_window_move_resize", true);
+ // -------------------------------------
+ // Open links targeting new windows in a new tab instead
+ // This stops malicious window sizes and some screen resolution leaks.
+ // You can still right-click a link and open in a new window.
+ // [TEST] https://arkenfox.github.io/TZP/tzp.html#screen
+ // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/
+ user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab
+ user_pref("browser.link.open_newwindow.restriction", 0);
+ // -------------------------------------
+ // Disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks
+ // [NOTE] You can still manually toggle the browser's fullscreen state (F11),
+ // but this pref will disable embedded video/game fullscreen controls, e.g. youtube
+ // [TEST] https://arkenfox.github.io/TZP/tzp.html#screen ***/
+ // user_pref("full-screen-api.enabled", false);
+ // -------------------------------------
+ // Block popup windows
+ // [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/
+ user_pref("dom.disable_open_during_load", true);
+ // -------------------------------------
+ // Limit events that can cause a popup [SETUP-WEB]
+ // default FF86+: "change click dblclick auxclick mousedown mouseup pointerdown pointerup notificationclick reset submit touchend contextmenu" ***/
+ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // WEB WORKERS
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Disable service workers [FF32, FF44-compat]
+ // Service workers essentially act as proxy servers that sit between web apps, and the
+ // browser and network, are event driven, and can control the web page/site it is associated
+ // with, intercepting and modifying navigation and resource requests, and caching resources.
+ // [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode.
+ // [NOTE] Service workers only run over HTTPS. Service workers have no DOM access.
+ // [SETUP-WEB] Disabling service workers will break some sites. This pref is required true for
+ // service worker notifications, push notifications and service worker
+ // cache. If you enable this pref, then check those settings as well ***/
+ user_pref("dom.serviceWorkers.enabled", false);
+ // -------------------------------------
+ // Disable Web Notifications
+ // [NOTE] Web Notifications can also use service workers and are behind a prompt
+ // https://developer.mozilla.org/docs/Web/API/Notifications_API ***/
+ user_pref("dom.webnotifications.enabled", false); // [FF22+]
+ // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
+ // -------------------------------------
+ // Disable Push Notifications [FF44+]
+ // Push is an API that allows websites to send you (subscribed) messages even when the site
+ // isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server.
+ // [NOTE] Push requires service workers to subscribe to and display, and is behind
+ // a prompt. Disabling service workers alone doesn't stop Firefox polling the
+ // Mozilla Push Server. To remove all subscriptions, reset your userAgentID (in about:config
+ // or on start), and you will get a new one within a few seconds.
+ // https://support.mozilla.org/en-US/kb/push-notifications-firefox
+ // https://developer.mozilla.org/en-US/docs/Web/API/Push_API ***/
+ user_pref("dom.push.enabled", false);
+ user_pref("dom.push.connection.enabled", false);
+ user_pref("dom.push.serverURL", "");
+ user_pref("dom.push.userAgentID", "");
+ // -------------------------------------
+ // Set a default permission for Notifications [FF58+]
+ // 0=always ask (default), 1=allow, 2=block
+ // [NOTE] Best left at default "always ask", fingerprintable via Permissions API
+ // [SETTING] to add site exceptions: Ctrl+I>Permissions>Receive Notifications
+ // [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings ***/
+ // user_pref("permissions.default.desktop-notification", 2);
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Disable website control over browser right-click context menu
+ // [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/
+ // user_pref("dom.event.contextmenu.enabled", false);
+ // -------------------------------------
+ // Disable website access to clipboard events/content [SETUP-HARDEN]
+ // [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress
+ // This applies to onCut/onCopy/onPaste events - i.e.
it requires interaction with the website
+ // [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one
+ // is default false) then enabling this pref can leak clipboard content
+ // https://bugzilla.mozilla.org/1528289
+ user_pref("dom.event.clipboardevents.enabled", false);
+ // -------------------------------------
+ // Disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
+ // this disables document.execCommand("cut"/"copy") to protect your clipboard
+ // https://bugzilla.mozilla.org/1170911 ***/
+ user_pref("dom.allow_cut_copy", false);
+ // -------------------------------------
+ // Disable "Confirm you want to leave" dialog on page close
+ // Does not prevent JS leaks of the page close event.
+ // https://developer.mozilla.org/docs/Web/Events/beforeunload
+ // https://support.mozilla.org/questions/1043508 ***/
+ user_pref("dom.disable_beforeunload", true);
+ // -------------------------------------
+ // Disable shaking the screen ***/
+ user_pref("dom.vibrator.enabled", false);
+ // -------------------------------------
+ // Disable asm.js [FF22+] [SETUP-PERF]
+ // http://asmjs.org/
+ // https://www.mozilla.org/security/advisories/mfsa2015-29/
+ // https://www.mozilla.org/security/advisories/mfsa2015-50/
+ // https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
+ // https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
+ // https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
+ user_pref("javascript.options.asmjs", false);
+ // -------------------------------------
+ // Disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN]
+ // [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
+ // hidden pref is enabled, then Ion can still be used by extensions (1599226)
+ // [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
+ // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
+ //
user_pref("javascript.options.ion", false);
+ // user_pref("javascript.options.baselinejit", false);
+ // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]
+ // -------------------------------------
+ // Disable WebAssembly [FF52+] [SETUP-PERF]
+ // Vulnerabilities have increasingly been found, including those known and fixed
+ // in native programs years ago. WASM has powerful low-level access, making
+ // certain attacks (brute-force) and vulnerabilities more possible
+ // [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising
+ // https://developer.mozilla.org/docs/WebAssembly
+ // https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
+ // https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
+ user_pref("javascript.options.wasm", false);
+ // -------------------------------------
+ // Enable (limited but sufficient) window.opener protection [FF65+]
+ // Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/
+ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+]
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // HARDWARE FINGERPRINTING ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Disable Battery Status API
+ // Initially a Linux issue (high precision readout) that was fixed.
+ // However, it is still another metric for fingerprinting, used to raise entropy.
+ // e.g.
do you have a battery or not, current charging status, charge level, times remaining etc
+ // [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code
+ // https://bugzilla.mozilla.org/1313580 ***/
+ user_pref("dom.battery.enabled", false);
+ // -------------------------------------
+ // Disable media device enumeration [FF29+]
+ // [NOTE] media.peerconnection.enabled should also be set to false
+ // https://wiki.mozilla.org/Media/getUserMedia
+ // https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices ***/
+ user_pref("media.navigator.enabled", false);
+ // -------------------------------------
+ // Disable hardware acceleration to reduce graphics fingerprinting [SETUP-HARDEN]
+ // [WARNING] Affects text rendering (fonts will look different), impacts video performance,
+ // and parts of Quantum that utilize the GPU will also be affected as they are rolled out
+ // [SETTING] General>Performance>Custom>Use hardware acceleration when available
+ // https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/
+ // user_pref("gfx.direct2d.disabled", true);
+ // user_pref("layers.acceleration.disabled", true);
+ // -------------------------------------
+ // Disable Web Audio API [FF51+]
+ // https://bugzilla.mozilla.org/1288359 ***/
+ user_pref("dom.webaudio.enabled", false);
+ // -------------------------------------
+ // Disable Media Capabilities API [FF63+]
+ // [WARNING] This *may* affect media performance if disabled, no one is sure
+ // https://github.com/WICG/media-capabilities
+ // https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/
+ // user_pref("media.media-capabilities.enabled", false);
+ // -------------------------------------
+ // Disable virtual reality devices
+ // Optional protection depending on your connected devices
+ // https://developer.mozilla.org/docs/Web/API/WebVR_API ***/
+ // user_pref("dom.vr.enabled", false);
+ // -------------------------------------
+ // Set a
default permission for Virtual Reality [FF73+]
+ // 0=always ask (default), 1=allow, 2=block
+ // [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Virtual Reality Devices
+ // [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings ***/
+ // user_pref("permissions.default.xr", 2);
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // MISCELLANEOUS ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Prevent accessibility services from accessing your browser [RESTART]
+ // [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower)
+ // https://support.mozilla.org/kb/accessibility-services ***/
+ user_pref("accessibility.force_disabled", 1);
+ // -------------------------------------
+ // Disable sending additional analytics to web servers
+ // https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/
+ user_pref("beacon.enabled", false);
+ // -------------------------------------
+ // Remove temp files opened with an external application
+ // https://bugzilla.mozilla.org/302433 ***/
+ user_pref("browser.helperApps.deleteTempFileOnExit", true);
+ // -------------------------------------
+ // Disable page thumbnail collection
+ user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF]
+ // -------------------------------------
+ // Disable UITour backend so there is no chance that a remote page can use it ***/
+ user_pref("browser.uitour.enabled", false);
+ user_pref("browser.uitour.url", "");
+ // -------------------------------------
+ // Disable various developer tools in browser context
+ // [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
+ // https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/
+ user_pref("devtools.chrome.enabled", false);
+ //
-------------------------------------
+ // Reset remote debugging to disabled
+ // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/
+ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false]
+ user_pref("devtools.webide.autoinstallADBHelper", false);
+ // -------------------------------------
+ // Disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
+ // [TEST] https://arkenfox.github.io/TZP/tzp.html#misc
+ // https://bugzilla.mozilla.org/1173199 ***/
+ // user_pref("mathml.disabled", true);
+ // -------------------------------------
+ // Disable in-content SVG (Scalable Vector Graphics) [FF53+]
+ // [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
+ // https://bugzilla.mozilla.org/1216893 ***/
+ // user_pref("svg.disabled", true);
+ // -------------------------------------
+ // Disable middle mouse click opening links from clipboard
+ // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/
+ user_pref("middlemouse.contentLoadURL", false);
+ // -------------------------------------
+ // Disable websites overriding Firefox's keyboard shortcuts [FF58+]
+ // 0 (default) or 1=allow, 2=block
+ // [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/
+ // user_pref("permissions.default.shortcuts", 2);
+ // -------------------------------------
+ // Remove special permissions for certain mozilla domains [FF35+]
+ // resource://app/defaults/permissions ***/
+ user_pref("permissions.manager.defaultsUrl", "");
+ // -------------------------------------
+ // Remove webchannel whitelist ***/
+ user_pref("webchannel.allowObject.urlWhitelist", "");
+ // -------------------------------------
+ // Enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
+ // Firefox has *some* protections, but it is better to be safe than sorry
+ // [SETUP-WEB] Might be undesirable for non-latin alphabet users
since legitimate IDN's are also punycoded
+ // [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
+ // https://wiki.mozilla.org/IDN_Display_Algorithm
+ // https://en.wikipedia.org/wiki/IDN_homograph_attack
+ // CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
+ // https://www.xudongz.com/blog/2017/idn-phishing/ ***/
+ user_pref("network.IDN_show_punycode", true);
+ // -------------------------------------
+ // Enforce Firefox's built-in PDF reader [SETUP-CHROME]
+ // This setting controls if the option "Display in Firefox" is available in the setting below
+ // and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
+ // PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
+ // Exploits are rare (1 serious case in 4 yrs), treated seriously and patched quickly.
+ // It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
+ // It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
+ // CONS: You may prefer a different pdf reader for security reasons
+ // CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare)
+ // [SETTING] General>Applications>Portable Document Format (PDF) ***/
+ user_pref("pdfjs.disabled", false); // [DEFAULT: false]
+ // -------------------------------------
+ // Disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/
+ user_pref("network.protocol-handler.external.ms-windows-store", false);
+ // -------------------------------------
+ // Enforce no system colors; they can be fingerprinted
+ // [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/
+ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false]
+ // -------------------------------------
+ // Disable permissions delegation [FF73+]
+ // Currently applies to cross-origin geolocation, camera, mic and screen-sharing
+ // permissions, and fullscreen requests. Disabling delegation means any prompts
+ // for these will show/use their correct 3rd party origin
+ // https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion
+ user_pref("permissions.delegation.enabled", false);
+ // -------------------------------------
+ // Enable "window.name" protection [FF82+]
+ // If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original
+ // string is restored if the tab reverts back to the original page.
This change prevents some cross-site attacks
+ // https://arkenfox.github.io/TZP/tests/windownamea.html
+ user_pref("privacy.window.name.update.enabled", true);
+ // -------------------------------------
+ // Disable bypassing 3rd party extension install prompts [FF82+]
+ // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/
+ user_pref("extensions.postDownloadThirdPartyPrompt", false);
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // DOWNLOADS ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Discourage downloading to desktop
+ // 0=desktop, 1=downloads (default), 2=last used
+ // [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
+ // user_pref("browser.download.folderList", 2);
+ // -------------------------------------
+ // Enforce user interaction for security by always asking where to download
+ // [SETUP-CHROME] On Android this blocks longtapping and saving images
+ // [SETTING] General>Downloads>Always ask you where to save files ***/
+ user_pref("browser.download.useDownloadDir", false);
+ // -------------------------------------
+ // Disable adding downloads to the system's "recent documents" list ***/
+ user_pref("browser.download.manager.addToRecentDocs", false);
+ // -------------------------------------
+ // Disable "open with" in download dialog [FF50+] [SETUP-HARDEN]
+ // This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
+ // in such a way that it is forbidden to run external applications.
+ // [WARNING] This may interfere with some users' workflow or methods
+ // https://bugzilla.mozilla.org/1281959 ***/
+ // user_pref("browser.download.forbid_open_with", true);
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // EXTENSIONS ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Lock down allowed extension directories
+ // [SETUP-CHROME] This will break extensions, language packs, themes and any other
+ // XPI files which are installed outside of profile and application directories
+ // https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
+ // archived: https://archive.is/DYjAM ***/
+ user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF]
+ user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
+ // -------------------------------------
+ // Disable webextension restrictions on certain mozilla domains [FF60+]
+ // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
+ // user_pref("extensions.webextensions.restrictedDomains", "");
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // SECURITY ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Enforce CSP (Content Security Policy)
+ // [WARNING] CSP is a very important and widespread security feature. Don't disable it!
+ // https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
+ user_pref("security.csp.enable", true); // [DEFAULT: true]
+ // -------------------------------------
+ // Enforce a security delay on some confirmation dialogs such as install, open/save
+ // https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
+ user_pref("security.dialog_enable_delay", 700);
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // PERSISTENT STORAGE
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Disable 3rd-party cookies and site-data [SETUP-WEB]
+ // 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies,
+ // 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (default)
+ // [NOTE] You can set exceptions under site permissions or use an extension
+ // [NOTE] Enforcing category to custom ensures ETP related prefs are always honored
+ // [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/
+ user_pref("network.cookie.cookieBehavior", 1);
+ user_pref("browser.contentblocking.category", "custom");
+ // -------------------------------------
+ // Set third-party cookies (i.e ALL) (if enabled) to session-only
+ // [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
+ // .nonsecureSessionOnly=true.
This allows you to keep HTTPS cookies, but session-only HTTP ones
+ // https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/
+ user_pref("network.cookie.thirdparty.sessionOnly", true);
+ user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
+ // -------------------------------------
+ // Delete cookies and site data on close
+ // 0=keep until they expire (default), 2=keep until you close Firefox
+ // [NOTE] The setting below is disabled (but not changed) if you block all cookies
+ // [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed ***/
+ user_pref("network.cookie.lifetimePolicy", 2);
+ // -------------------------------------
+ // Disable DOM (Document Object Model) Storage
+ // [WARNING] This will break a LOT of sites' functionality AND extensions!
+ // You are better off using an extension for more granular control ***/
+ // user_pref("dom.storage.enabled", false);
+ // -------------------------------------
+ // Enforce no offline cache storage (appCache)
+ // The API is easily fingerprinted, use the "storage" pref instead ***/
+ // user_pref("browser.cache.offline.enable", false);
+ user_pref("browser.cache.offline.storage.enable", false); // [FF71+] [DEFAULT: false FF84+]
+ // -------------------------------------
+ // Disable service worker cache and cache storage
+ // [NOTE] We clear service worker cache on exiting Firefox
+ // https://w3c.github.io/ServiceWorker/#privacy ***/
+ // user_pref("dom.caches.enabled", false);
+ // -------------------------------------
+ // Disable Storage API [FF51+]
+ // The API gives sites the ability to find out how much space they can use, how much
+ // they are already using, and even control whether or not they need to be alerted
+ // before the user agent disposes of site data in order to make room for other things.
+ // https://developer.mozilla.org/docs/Web/API/StorageManager
+ // https://developer.mozilla.org/docs/Web/API/Storage_API
+ // https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/
+ // user_pref("dom.storageManager.enabled", false);
+ // -------------------------------------
+ // Disable Storage Access API [FF65+]
+ // https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API ***/
+ // user_pref("dom.storage_access.enabled", false);
+ // -------------------------------------
+ // Enable Local Storage Next Generation (LSNG) [FF65+] ***/
+ user_pref("dom.storage.next_gen", true);
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // SHUTDOWN
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Enable Firefox to clear items on shutdown
+ // [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/
+ user_pref("privacy.sanitize.sanitizeOnShutdown", true);
+ // -------------------------------------
+ // Set what items to clear on shutdown [SETUP-CHROME]
+ // [NOTE] If 'history' is true, downloads will also be cleared regardless of the value
+ // but if 'history' is false, downloads can still be cleared independently
+ // However, this may not always be the case.
The interface combines and syncs these
+ // prefs when set from there, and the sanitize code may change at any time
+ // [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings ***/
+ user_pref("privacy.clearOnShutdown.cache", true);
+ user_pref("privacy.clearOnShutdown.cookies", true);
+ user_pref("privacy.clearOnShutdown.downloads", true); // see note above
+ user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History
+ user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History
+ user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data
+ user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins
+ user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences
+ // -------------------------------------
+ // Reset default items to clear with Ctrl-Shift-Del [SETUP-CHROME]
+ // This dialog can also be accessed from the menu History>Clear Recent History
+ // Firefox remembers your last choices. This will reset them when you start Firefox.
+ // [NOTE] Regardless of what you set privacy.cpd.downloads to, as soon as the dialog
+ // for "Clear Recent History" is opened, it is synced to the same as 'history' ***/
+ user_pref("privacy.cpd.cache", true);
+ user_pref("privacy.cpd.cookies", true);
+ // user_pref("privacy.cpd.downloads", true); // not used, see note above
+ user_pref("privacy.cpd.formdata", true); // Form & Search History
+ user_pref("privacy.cpd.history", true); // Browsing & Download History
+ user_pref("privacy.cpd.offlineApps", true); // Offline Website Data
+ user_pref("privacy.cpd.passwords", false); // this is not listed
+ user_pref("privacy.cpd.sessions", true); // Active Logins
+ user_pref("privacy.cpd.siteSettings", false); // Site Preferences
+ // -------------------------------------
+ // Clear Session Restore data when sanitizing on shutdown or manually [FF34+]
+ // [NOTE] Not needed if Session Restore is not used or is already cleared with history
+ // [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes
+ // [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/
+ // user_pref("privacy.clearOnShutdown.openWindows", true);
+ // user_pref("privacy.cpd.openWindows", true);
+ // -------------------------------------
+ // Reset default 'Time range to clear' for 'Clear Recent History'
+ // Firefox remembers your last choice. This will reset the value when you start Firefox.
+ // 0=everything, 1=last hour, 2=last two hours, 3=last four hours,
+ // 4=today, 5=last five minutes, 6=last twenty-four hours
+ // [NOTE] The values 5 + 6 are not listed in the dropdown, which will display a
+ // blank value if they are used, but they do work as advertised ***/
+ user_pref("privacy.sanitize.timeSpan", 0);
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // FPI (FIRST PARTY ISOLATION)
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Enable First Party Isolation [FF51+]
+ // [SETUP-WEB] May break cross-domain logins and site functionality until perfected
+ // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/
+ user_pref("privacy.firstparty.isolate", true);
+ // -------------------------------------
+ // Enforce FPI restriction for window.opener [FF54+]
+ // [NOTE] Setting this to false may reduce the breakage
+ // FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But
+ // to reduce breakage it ignores the 1st-party domain (FPD) originAttribute
+ // The 2nd pref removes that limitation and will only allow communication if FPDs also match.
+ // https://bugzilla.mozilla.org/1319773#c22
+ // https://bugzilla.mozilla.org/1492607
+ // https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/
+ // user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
+ // user_pref("privacy.firstparty.isolate.block_post_message", true);
+ // -------------------------------------
+ // Enable scheme with FPI [FF78+]
+ // [NOTE] Experimental: existing data and site permissions are incompatible
+ // and some site exceptions may not work e.g.
HTTPS-only mode ***/
+ // user_pref("privacy.firstparty.isolate.use_site", true);
+ // -------------------------------------
+ // Enable site partitioning (FF78+)
+ // https://bugzilla.mozilla.org/1590107 [META] */
+ user_pref("privacy.partition.network_state", true);
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // RFP (RESIST FINGERPRINTING)
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Enable privacy.resistFingerprinting [FF41+]
+ // This pref is the master switch for all other privacy.resist* prefs unless stated
+ // [SETUP-WEB] RFP can cause the odd website to break in strange ways, and has a few side affects,
+ // but is largely robust nowadays. Give it a try. Your choice.
+ // https://bugzilla.mozilla.org/418986 ***/
+ user_pref("privacy.resistFingerprinting", true);
+ // -------------------------------------
+ // Set new window sizes to round to hundreds [FF55+] [SETUP-CHROME]
+ // Width will round down to multiples of 200s and height to 100s, to fit your screen.
+ // The override values are a starting point to round from if you want some control
+ // https://bugzilla.mozilla.org/1330882 ***/
+ // user_pref("privacy.window.maxInnerWidth", 1000);
+ // user_pref("privacy.window.maxInnerHeight", 1000);
+ // -------------------------------------
+ // Disable mozAddonManager Web API [FF57+]
+ // [NOTE] As a side-effect in FF57-59 this allowed extensions to work on AMO.
In FF60+ you also need
+ // to sanitize or clear extensions.webextensions.restrictedDomains to keep that side-effect
+ // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
+ user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF]
+ user_pref("extensions.webextensions.restrictedDomains", "");
+ // -------------------------------------
+ // Enable RFP letterboxing [FF67+]
+ // Dynamically resizes the inner window by applying margins in stepped ranges
+ // If you use the dimension pref, then it will only apply those resolutions. The format is
+ // "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900")
+ // [WARNING] The dimension pref is only meant for testing, and we recommend you DO NOT USE it
+ // https://bugzilla.mozilla.org/1407366
+ // https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/
+ // user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
+ // user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF]
+ // -------------------------------------
+ // Disable showing about:blank as soon as possible during startup [FF60+]
+ // When default true this no longer masks the RFP chrome resizing activity
+ // https://bugzilla.mozilla.org/1448423 ***/
+ user_pref("browser.startup.blankWindow", false);
+ // -------------------------------------
+ // Disable chrome animations [FF77+] [RESTART]
+ // [NOTE] pref added in FF63, but applied to chrome in FF77. RFP spoofs this for web content ***/
+ user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF]
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // RFP ALTERNATIVES
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Spoof (or limit?) number of CPU cores [FF48+]
+ // [NOTE] *may* affect core chrome/Firefox performance, will affect content.
+ // https://bugzilla.mozilla.org/1008453
+ // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21675
+ // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22127
+ // https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency
+ // user_pref("dom.maxHardwareConcurrency", 2);
+ // -------------------------------------
+ // Disable resource/navigation timing
+ user_pref("dom.enable_resource_timing", false);
+ // -------------------------------------
+ // Disable timing attacks
+ // https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
+ user_pref("dom.enable_performance", false);
+ // -------------------------------------
+ // Disable device sensor API
+ // Optional protection depending on your device
+ // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15758
+ // https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
+ // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751
+ user_pref("device.sensors.enabled", false);
+ // -------------------------------------
+ // Disable site specific zoom
+ // Zoom levels affect screen res and are highly fingerprintable. This does not stop you using
+ // zoom, it will just not use/remember any site specific settings. Zoom levels on new tabs
+ // and new windows are reset to default and only the current tab retains the current zoom
+ user_pref("browser.zoom.siteSpecific", false);
+ // -------------------------------------
+ // Disable gamepad API - USB device ID enumeration
+ // Optional protection depending on your connected devices
+ // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13023
+ user_pref("dom.gamepad.enabled", false);
+ // -------------------------------------
+ // Disable giving away network info [FF31+]
+ // e.g.
bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
+ // https://developer.mozilla.org/docs/Web/API/Network_Information_API
+ // https://wicg.github.io/netinfo/
+ // https://bugzilla.mozilla.org/960426
+ user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android]
+ // -------------------------------------
+ // Disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API
+ // https://developer.mozilla.org/docs/Web/API/Web_Speech_API
+ // https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
+ // https://wiki.mozilla.org/HTML5_Speech_API
+ user_pref("media.webspeech.synth.enabled", false);
+ // -------------------------------------
+ // Disable video statistics - JS performance fingerprinting [FF25+]
+ // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15757
+ // https://bugzilla.mozilla.org/654550
+ user_pref("media.video_stats.enabled", false);
+ // -------------------------------------
+ // Disable touch events
+ // fingerprinting attack vector - leaks screen res & actual screen coordinates
+ // 0=disabled, 1=enabled, 2=autodetect
+ // Optional protection depending on your device
+ // https://developer.mozilla.org/docs/Web/API/Touch_events
+ // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10286
+ user_pref("dom.w3c_touch_events.enabled", 0);
+ // -------------------------------------
+ // Disable MediaDevices change detection [FF51+]
+ // https://developer.mozilla.org/docs/Web/Events/devicechange
+ // https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange
+ user_pref("media.ondevicechange.enabled", false);
+ // -------------------------------------
+ // Disable WebGL debug info being available to websites
+ // https://bugzilla.mozilla.org/1171228
+ // https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info
+ user_pref("webgl.enable-debug-renderer-info", false);
+ // -------------------------------------
+ // Enforce prefers-reduced-motion as
no-preference [FF63+] [RESTART]
+ // 0=no-preference, 1=reduce
+ user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF]
+ // -------------------------------------
+ // Disable PointerEvents [FF86 or lower]
+ // https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent
+ // https://bugzilla.mozilla.org/1688105
+ user_pref("dom.w3c_pointer_events.enabled", false);
+ // -------------------------------------
+ // Disable exposure of system colors to CSS or canvas [FF44+]
+ // [NOTE] See second listed bug: may cause black on black for elements with undefined colors
+ // [SETUP-CHROME] Might affect CSS in themes and extensions
+ // https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876
+ user_pref("ui.use_standins_for_native_colors", true);
+ // -------------------------------------
+ // Enforce prefers-color-scheme as light [FF67+]
+ // 0=light, 1=dark : This overrides your OS value
+ user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
+ // -------------------------------------
+ // Limit font visibility (non-ANDROID) [FF79+]
+ // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts
+ // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
+ // [NOTE] Bundled fonts are auto-allowed
+ // https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc
+ user_pref("layout.css.font-visibility.level", 1);
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // RFP ALTERNATIVES (NAVIGATOR / USER AGENT SPOOFING)
+ // >>>>>>>>>>>>>>>>>>>>>
+ // Navigator DOM object overrides
+ // [WARNING] DO NOT USE ***/
+ // user_pref("general.appname.override", ""); // [HIDDEN PREF]
+ // user_pref("general.appversion.override", ""); // [HIDDEN PREF]
+ // user_pref("general.buildID.override", ""); // [HIDDEN PREF]
+ // user_pref("general.oscpu.override", ""); // [HIDDEN PREF]
+ //
user_pref("general.platform.override", ""); // [HIDDEN PREF]
+ // user_pref("general.useragent.override", ""); // [HIDDEN PREF]
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // PERSONAL
+ // >>>>>>>>>>>>>>>>>>>>>
+ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
+ user_pref("startup.homepage_welcome_url", "");
+ user_pref("startup.homepage_welcome_url.additional", "");
+ user_pref("startup.homepage_override_url", ""); // What's New page after updates
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // WARNINGS ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ user_pref("browser.tabs.warnOnClose", false);
+ user_pref("browser.tabs.warnOnCloseOtherTabs", false);
+ user_pref("browser.tabs.warnOnOpen", false);
+ user_pref("full-screen-api.warning.delay", 0);
+ user_pref("full-screen-api.warning.timeout", 0);
+ user_pref("browser.warnOnQuit", false);
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // APPEARANCE ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ // user_pref("browser.download.autohideButton", false); // [FF57+]
+ // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // CONTENT BEHAVIOR ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ user_pref("accessibility.typeaheadfind", false); // enable "Find As You Type"
+ user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX]
+ user_pref("layout.spellcheckDefault", 0); // 0=none, 1-multi-line, 2=multi-line & single-line
+ //
+ //
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // UX BEHAVIOR ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ // user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing
+ // user_pref("browser.quitShortcut.disabled", true); // disable Ctrl-Q quit shortcut [LINUX] [MAC] [FF87+]
+ // user_pref("browser.tabs.closeWindowWithLastTab", false);
+ // user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+]
+ // user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+]
+ // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux]
+ // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
+ // user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under]
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // UX FEATURES: Disable and hide the icons and menus ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New [FF69+]
+ user_pref("messaging-system.rsexperimentloader.enabled", false);
+ user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
+ user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART]
+ user_pref("reader.parse-on-load.enabled", false); // Reader View
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // OTHER ***/
+ // >>>>>>>>>>>>>>>>>>>>>
+ // user_pref("browser.bookmarks.max_backups", 2);
+ user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+]
+
user_pref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" "");
+ // [SETTING] General>Browsing>Recommend extensions as you browse
+ user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+]
+ // [SETTING] General>Browsing>Recommend features as you browse
+ user_pref("network.manage-offline-status", false); // see bugzilla 620472
+ // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
+ //
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ // DEPRECATED / REMOVED / LEGACY / RENAMED
+ // >>>>>>>>>>>>>>>>>>>>>
+ // FF79
+ // Enforce fallback text encoding to match en-US
+ // When the content or server doesn't declare a charset the browser will
+ // fallback to the "Current locale" based on your application language
+ // [TEST] https://hsivonen.com/test/moz/check-charset.htm
+ // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025
+ // https://bugzilla.mozilla.org/1603712
+ user_pref("intl.charset.fallback.override", "windows-1252");
+ // -------------------------------------
+ // FF82
+ // Disable geographically specific results/search engines e.g. "browser.search.*.US"
+ // i.e.
ignore all of Mozilla's various search engines in multiple locales
+ // https://bugzilla.mozilla.org/1619926
+ user_pref("browser.search.geoSpecificDefaults", false);
+ user_pref("browser.search.geoSpecificDefaults.url", "");
+ // -------------------------------------
+ // FF86
+ // Disable SSL Error Reporting
+ // https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html
+ // https://bugzilla.mozilla.org/1681839
+ user_pref("security.ssl.errorReporting.automatic", false);
+ user_pref("security.ssl.errorReporting.enabled", false);
+ user_pref("security.ssl.errorReporting.url", "");
+ // -------------------------------------
+ // Disable hiding mime types (Options>General>Applications) not associated with a plugin
+ // https://bugzilla.mozilla.org/1581678
+ user_pref("browser.download.hide_plugins_without_extensions", false);
+ // -------------------------------------
+ // FF87
+ // Disable Activity Stream recent Highlights in the Library [FF57+]
+ // https://bugzilla.mozilla.org/1689405
+ user_pref("browser.library.activity-stream.enabled", false);
+ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ //
\ No newline at end of file