forked from d3cim/mobile_user.js
Update user.js
✅ Sorted a lot of rules and sections ✅ Adjusted credits (added pyllyukko) ✅ Control TLS versions with min (1.2) and max (1.3) ✅ Added some descriptions ✅ Enabled warning the user when the server doesn't support RFC 5746 ("safe" renegotiation) ✅ Set the "Add Security Exception" dialog on SSL warnings to "pre-populate url" only ✅ Enabled display of advanced information on Insecure Connection warning pages ⛔️ Disabled old SSL/TLS "insecure" renegotiation ⛔️ Disabled SSL Error Reporting ⛔️ Disabled TLS1.3 0-RTT (round-trip time) ⛔️ Disallowed SHA-1 ⛔️ Disabled Family Safety cert ⛔️ Disabled 3DES, 128 bits, DHE (Diffie-Hellman Key Exchange), and the remaining non-modern cipher suites ⛔️ Disabled resource timing API ⛔️ Disabled sensor API ⛔️ Disabled gamepad API (USB device ID enumeration) ⛔️ Disabled "dom.netinfo" (giving away network info) ⛔️ Disabled video statistics (JS performance fingerprinting) ⛔️ Disabled touch(screen) events ⛔️ Disabled MediaDevices change detection ⛔️ Disabled WebGL debug info being available to websites ⛔️ Disabled PointerEvents
parent
8ad625e231
commit
96da182e37
354
user.js
354
user.js
|
@ -1,13 +1,18 @@
|
||||||
//
|
//
|
||||||
/******************************************************************************
|
/******************************************************************************
|
||||||
* * * * * * * * * * * * * * @quindecim | user.js * * * * * * * * * * * * * *
|
* Fennec F-Droid | user.js *
|
||||||
* *
|
* *
|
||||||
* project based on gHacksuser.js and Librefox Browser. Redesigned for Fennec *
|
* https://github.com/quindecim/fennec_user.js *
|
||||||
******************************************************************************/
|
******************************************************************************/
|
||||||
//
|
//
|
||||||
// gHacks: https://github.com/ghacksuserjs/ghacks-user.js
|
// Author : @quindecim
|
||||||
// Librefox: https://github.com/intika/Librefox
|
|
||||||
//
|
//
|
||||||
|
//
|
||||||
|
// Based on : gHacks: https://github.com/ghacksuserjs/ghacks-user.js
|
||||||
|
// Librefox: https://github.com/intika/Librefox
|
||||||
|
// pyllyukko: https://github.com/pyllyukko/user.js
|
||||||
|
//
|
||||||
|
//
|
||||||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||||
// Section : Quiet Fox
|
// Section : Quiet Fox
|
||||||
// >>>>>>>>>>>>>>>>>>>>>
|
// >>>>>>>>>>>>>>>>>>>>>
|
||||||
|
@ -79,59 +84,33 @@ user_pref("network.connectivity-service.DNSv6.domain", "");
|
||||||
// I Just Want You To Shut Up : Closing all non necessary communication to mozilla.org etc.
|
// I Just Want You To Shut Up : Closing all non necessary communication to mozilla.org etc.
|
||||||
// >>>>>>>>>>>>>>>>>>>>>
|
// >>>>>>>>>>>>>>>>>>>>>
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("urlclassifier.passwordAllowTable", "");
|
user_pref("urlclassifier.passwordAllowTable", ""); // [DEFAULT: goog-passwordwhite-proto]
|
||||||
// Default Value
|
|
||||||
// goog-passwordwhite-proto
|
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("app.support.baseURL", "");
|
user_pref("app.support.baseURL", ""); // [DEFAULT: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/]
|
||||||
// Default Value
|
|
||||||
// https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
|
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("extensions.getAddons.compatOverides.url", "");
|
user_pref("extensions.getAddons.compatOverides.url", ""); // [DEFAULT: https://services.addons.mozilla.org/api/v3/addons/compat-override/?guid=%IDS%&lang=%LOCALE%]
|
||||||
// Default Value
|
|
||||||
// https://services.addons.mozilla.org/api/v3/addons/compat-override/?guid=%IDS%&lang=%LOCALE%
|
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("extensions.getAddons.get.url", "");
|
user_pref("extensions.getAddons.get.url", ""); // [DEFAULT: https://services.addons.mozilla.org/api/v3/addons/search/?guid=%IDS%&lang=%LOCALE%]
|
||||||
// Default Value
|
|
||||||
// https://services.addons.mozilla.org/api/v3/addons/search/?guid=%IDS%&lang=%LOCALE%
|
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("extensions.getAddons.langpacks.url", "");
|
user_pref("extensions.getAddons.langpacks.url", ""); // [DEFAULT: https://services.addons.mozilla.org/api/v3/addons/language-tools/?app=firefox&type=language&appversion=%VERSION%]
|
||||||
// Default Value
|
|
||||||
// https://services.addons.mozilla.org/api/v3/addons/language-tools/?app=firefox&type=language&appversion=%VERSION%
|
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("extensions.getAddons.search.browseURL", "");
|
user_pref("extensions.getAddons.search.browseURL", ""); // [DEFAULT: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%]
|
||||||
// Default Value
|
|
||||||
// https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
|
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("identity.sync.tokenserver.uri", "");
|
user_pref("identity.sync.tokenserver.uri", ""); // [DEFAULT: https://token.services.mozilla.com/1.0/sync/1.5/]
|
||||||
// Default Value
|
|
||||||
// https://token.services.mozilla.com/1.0/sync/1.5
|
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("media.decoder-doctor.new-issue-endpoint", "");
|
user_pref("media.decoder-doctor.new-issue-endpoint", ""); // [DEFAULT: https://webcompat.com/issues/new]
|
||||||
// Default Value
|
|
||||||
// https://webcompat.com/issues/new
|
|
||||||
// Pref : Accept Only 1st Party Cookies
|
// Pref : Accept Only 1st Party Cookies
|
||||||
// http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
|
// http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("network.trr.confirmationNS", "");
|
user_pref("network.trr.confirmationNS", ""); // [DEFAULT: example.com]
|
||||||
// Default Value
|
|
||||||
// example.com
|
|
||||||
// Pref : Test To Make FFox Silent
|
// Pref : Test To Make FFox Silent
|
||||||
user_pref("security.content.signature.root_hash", "");
|
user_pref("security.content.signature.root_hash", ""); // [DEFAULT: remote-settings.content-signature.mozilla.org]
|
||||||
// Default Value
|
|
||||||
// remote-settings.content-signature.mozilla.org
|
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("services.settings.default_signer", "");
|
user_pref("services.settings.default_signer", ""); // [DEFAULT: remote-settings.content-signature.mozilla.org]
|
||||||
// Default Value
|
|
||||||
// remote-settings.content-signature.mozilla.org
|
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("services.settings.server", "");
|
user_pref("services.settings.server", ""); // [DEFAULT: https://firefox.settings.services.mozilla.com/v1]
|
||||||
// Default Value
|
|
||||||
// https://firefox.settings.services.mozilla.com/v1
|
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("urlclassifier.phishTable", "");
|
user_pref("urlclassifier.phishTable", ""); // [DEFAULT: goog-phish-proto,test-phish-simple]
|
||||||
// Default Value
|
|
||||||
// goog-phish-proto,test-phish-simple
|
|
||||||
//
|
//
|
||||||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||||
// Section : Miscellaneous
|
// Section : Miscellaneous
|
||||||
|
@ -146,8 +125,6 @@ user_pref("extensions.systemAddon.update.url", "");
|
||||||
user_pref("app.feedback.baseURL", "");
|
user_pref("app.feedback.baseURL", "");
|
||||||
// Pref :
|
// Pref :
|
||||||
user_pref("devtools.devices.url", "");
|
user_pref("devtools.devices.url", "");
|
||||||
// Pref :
|
|
||||||
user_pref("dom.battery.enabled", false);
|
|
||||||
// Pref : Maximum pop launch at the same time
|
// Pref : Maximum pop launch at the same time
|
||||||
user_pref("dom.popup_maximum", 4);
|
user_pref("dom.popup_maximum", 4);
|
||||||
// Pref :
|
// Pref :
|
||||||
|
@ -199,11 +176,6 @@ user_pref("network.prefetch-next", false);
|
||||||
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections
|
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections
|
||||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=814169
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=814169
|
||||||
user_pref("network.http.speculative-parallel-limit", 0);
|
user_pref("network.http.speculative-parallel-limit", 0);
|
||||||
// Pref : Disable DOM timing API
|
|
||||||
// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
|
|
||||||
// https://www.w3.org/TR/navigation-timing/#privacy
|
|
||||||
user_pref("dom.enable_performance", false);
|
|
||||||
user_pref("dom.enable_performance_navigation_timing", false);
|
|
||||||
// Pref : Disable "beacon" asynchronous HTTP transfers (used for analytics)
|
// Pref : Disable "beacon" asynchronous HTTP transfers (used for analytics)
|
||||||
// https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
|
// https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
|
||||||
user_pref("beacon.enabled", false);
|
user_pref("beacon.enabled", false);
|
||||||
|
@ -474,11 +446,6 @@ user_pref("browser.formfill.enable", false);
|
||||||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||||
// Section : Security
|
// Section : Security
|
||||||
// >>>>>>>>>>>>>>>>>>>>
|
// >>>>>>>>>>>>>>>>>>>>
|
||||||
// Pref : Pre-populate the current URL but do not pre-fetch the certificate in the
|
|
||||||
// "Add Security Exception" dialog
|
|
||||||
// http://kb.mozillazine.org/Browser.ssl_override_behavior
|
|
||||||
// https://github.com/pyllyukko/user.js/issues/210
|
|
||||||
user_pref("browser.ssl_override_behavior", 1);
|
|
||||||
// Pref : Blocking GD Parking Scam Site
|
// Pref : Blocking GD Parking Scam Site
|
||||||
user_pref("network.dns.localDomains", "librefox.com");
|
user_pref("network.dns.localDomains", "librefox.com");
|
||||||
// Pref : Disable HSTS preload list (pre-set HSTS sites list provided by Mozilla)
|
// Pref : Disable HSTS preload list (pre-set HSTS sites list provided by Mozilla)
|
||||||
|
@ -486,41 +453,6 @@ user_pref("network.dns.localDomains", "librefox.com");
|
||||||
// https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
|
// https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
|
||||||
// https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
// https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
||||||
user_pref("network.stricttransportsecurity.preloadlist", false);
|
user_pref("network.stricttransportsecurity.preloadlist", false);
|
||||||
// Pref : Check disabled section
|
|
||||||
// OCSP Leaks the visited sited exactly same issue as safebrowsing.
|
|
||||||
// Stapling have the site itsefl proof that his certificate is good
|
|
||||||
// through the CA so apparently nothing is leaked in this case.
|
|
||||||
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
|
|
||||||
user_pref("security.OCSP.enabled", 0);
|
|
||||||
user_pref("security.OCSP.require", false);
|
|
||||||
user_pref("security.ssl.enable_ocsp_stapling", true);
|
|
||||||
// Pref :
|
|
||||||
user_pref("security.ssl.errorReporting.enabled", false);
|
|
||||||
// Pref : Enfore Public Key Pinning
|
|
||||||
// https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
|
|
||||||
// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
|
|
||||||
// "2. Strict. Pinning is always enforced."
|
|
||||||
user_pref("security.cert_pinning.enforcement_level", 2);
|
|
||||||
// Pref :
|
|
||||||
user_pref("security.mixed_content.upgrade_display_content", true);
|
|
||||||
user_pref("security.mixed_content.block_object_subrequest", true);
|
|
||||||
user_pref("security.mixed_content.block_display_content", true);
|
|
||||||
user_pref("security.mixed_content.block_active_content", true);
|
|
||||||
// Pref : Disallow SHA-1
|
|
||||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
|
|
||||||
// https://shattered.io/
|
|
||||||
user_pref("security.pki.sha1_enforcement_level", 1);
|
|
||||||
// Pref :
|
|
||||||
user_pref("security.ssl.errorReporting.automatic", false);
|
|
||||||
user_pref("security.ssl.errorReporting.url", "");
|
|
||||||
// Pref : Warn the user when server doesn't support RFC 5746 ("safe" renegotiation)
|
|
||||||
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
|
|
||||||
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
|
|
||||||
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
|
|
||||||
// Pref :
|
|
||||||
user_pref("security.ssl3.rsa_des_ede3_sha", false);
|
|
||||||
user_pref("security.ssl3.rsa_aes_256_sha", false);
|
|
||||||
user_pref("security.ssl3.rsa_aes_128_sha", false);
|
|
||||||
// Pref : Disable insecure TLS version fallback
|
// Pref : Disable insecure TLS version fallback
|
||||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
|
||||||
// https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
|
// https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
|
||||||
|
@ -608,6 +540,104 @@ user_pref("network.trr.bootstrapAddress", "");
|
||||||
user_pref("network.trr.uri", "");
|
user_pref("network.trr.uri", "");
|
||||||
//
|
//
|
||||||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||||
|
// Section : HTTPS (SSL/TLS / OCSP / Certs / HPKP / Ciphers)
|
||||||
|
// >>>>>>>>>>>>>>>>>>>>
|
||||||
|
// Pref : Disable old SSL/TLS "insecure" renegotiation (vulnerable to a MiTM attack)
|
||||||
|
// [SETUP-WEB] <2% of secure sites do NOT support the newer "secure" renegotiation
|
||||||
|
// https://wiki.mozilla.org/Security:Renegotiation
|
||||||
|
// https://www.ssllabs.com/ssl-pulse/
|
||||||
|
user_pref("security.ssl.require_safe_negotiation", true);
|
||||||
|
// Pref : Control TLS versions with min and max
|
||||||
|
// 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
|
||||||
|
// [NOTE] Jul-2017: Telemetry indicates approx 2% of TLS web traffic uses 1.0 or 1.1
|
||||||
|
// http://kb.mozillazine.org/Security.tls.version.*
|
||||||
|
// https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/
|
||||||
|
// archived: https://archive.is/hY2Mm
|
||||||
|
user_pref("security.tls.version.min", 3);
|
||||||
|
user_pref("security.tls.version.max", 4);
|
||||||
|
// Pref : Disable SSL session tracking
|
||||||
|
// SSL Session IDs are unique, last up to 24hrs in Firefox, and can be used for tracking.
|
||||||
|
// [SETUP-PERF] Relax this if you have FPI enabled and you understand the consequences. FPI isolates these, but it was designed with the Tor protocol in mind, and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
|
||||||
|
// https://tools.ietf.org/html/rfc5077
|
||||||
|
// https://bugzilla.mozilla.org/967977
|
||||||
|
// https://arxiv.org/abs/1810.07304
|
||||||
|
// user_pref("security.ssl.disable_session_identifiers", true);
|
||||||
|
// Pref : Disable SSL Error Reporting
|
||||||
|
// https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html
|
||||||
|
user_pref("security.ssl.errorReporting.enabled", false);
|
||||||
|
user_pref("security.ssl.errorReporting.automatic", false);
|
||||||
|
user_pref("security.ssl.errorReporting.url", "");
|
||||||
|
// Pref : Disable TLS1.3 0-RTT (round-trip time)
|
||||||
|
// https://github.com/tlswg/tls13-spec/issues/1001
|
||||||
|
// https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/
|
||||||
|
user_pref("security.tls.enable_0rtt_data", false);
|
||||||
|
// Pref : Check disabled section
|
||||||
|
// OCSP Leaks the visited sited exactly same issue as safebrowsing.
|
||||||
|
// Stapling have the site itself proof that his certificate is good through the CA so apparently nothing is leaked in this case.
|
||||||
|
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
|
||||||
|
user_pref("security.OCSP.enabled", 0);
|
||||||
|
user_pref("security.OCSP.require", false);
|
||||||
|
user_pref("security.ssl.enable_ocsp_stapling", true);
|
||||||
|
// Pref : Disallow SHA-1
|
||||||
|
// 0=all SHA1 certs are allowed
|
||||||
|
// 1=all SHA1 certs are blocked
|
||||||
|
// 2=deprecated option that now maps to 1
|
||||||
|
// 3=only allowed for locally-added roots (e.g. anti-virus)
|
||||||
|
// 4=only allowed for locally-added roots or for certs in 2015 and earlier
|
||||||
|
// https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/
|
||||||
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
|
||||||
|
// https://shattered.io/
|
||||||
|
user_pref("security.pki.sha1_enforcement_level", 1);
|
||||||
|
// Pref : Disable Windows 8.1's Microsoft Family Safety cert
|
||||||
|
// 0=disable detecting Family Safety mode and importing the root
|
||||||
|
// 1=only attempt to detect Family Safety mode (don't import the root)
|
||||||
|
// 2=detect Family Safety mode and import the root
|
||||||
|
// https://trac.torproject.org/projects/tor/ticket/21686
|
||||||
|
user_pref("security.family_safety.mode", 0);
|
||||||
|
// Pref : Enfore Public Key Pinning
|
||||||
|
// https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
|
||||||
|
// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
|
||||||
|
// 2= strict (pinning is always enforced)
|
||||||
|
user_pref("security.cert_pinning.enforcement_level", 2);
|
||||||
|
// Pref : Disable insecure active content on https pages
|
||||||
|
// https://trac.torproject.org/projects/tor/ticket/21323
|
||||||
|
user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true]
|
||||||
|
// Pref : Disable insecure passive content (such as images) on https pages
|
||||||
|
user_pref("security.mixed_content.upgrade_display_content", true);
|
||||||
|
user_pref("security.mixed_content.block_display_content", true);
|
||||||
|
// Pref : Block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks
|
||||||
|
// https://bugzilla.mozilla.org/1190623
|
||||||
|
user_pref("security.mixed_content.block_object_subrequest", true);
|
||||||
|
// Pref : Disable 3DES (effective key size < 128)
|
||||||
|
// https://en.wikipedia.org/wiki/3des#Security
|
||||||
|
// http://en.citizendium.org/wiki/Meet-in-the-middle_attack
|
||||||
|
// https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
|
||||||
|
user_pref("security.ssl3.rsa_des_ede3_sha", false);
|
||||||
|
// Pref : Disable 128 bits
|
||||||
|
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
|
||||||
|
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
|
||||||
|
// Pref : Disable DHE (Diffie-Hellman Key Exchange)
|
||||||
|
// https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
|
||||||
|
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
|
||||||
|
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
|
||||||
|
// Pref : Disable the remaining non-modern cipher suites
|
||||||
|
user_pref("security.ssl3.rsa_aes_128_sha", false);
|
||||||
|
user_pref("security.ssl3.rsa_aes_256_sha", false);
|
||||||
|
// Pref : Warn the user when server doesn't support RFC 5746 ("safe" renegotiation)
|
||||||
|
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
|
||||||
|
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
|
||||||
|
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
|
||||||
|
// Pref : Control "Add Security Exception" dialog on SSL warnings
|
||||||
|
// 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)
|
||||||
|
// http://kb.mozillazine.org/Browser.ssl_override_behavior
|
||||||
|
// https://github.com/pyllyukko/user.js/issues/210
|
||||||
|
user_pref("browser.ssl_override_behavior", 1);
|
||||||
|
// Pref : Display advanced information on Insecure Connection warning pages (only works when it's possible to add an exception), i.e. it doesn't work for HSTS discrepancies
|
||||||
|
// https://subdomain.preloaded-hsts.badssl.com/
|
||||||
|
// [TEST] https://expired.badssl.com/
|
||||||
|
user_pref("browser.xul.error_pages.expert_bad_cert", true);
|
||||||
|
//
|
||||||
|
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||||
// Section : User Settings
|
// Section : User Settings
|
||||||
// >>>>>>>>>>>>>>>>>>>>
|
// >>>>>>>>>>>>>>>>>>>>
|
||||||
// Pref : Do No Tracker enabled by default
|
// Pref : Do No Tracker enabled by default
|
||||||
|
@ -626,7 +656,7 @@ user_pref("privacy.userContext.ui.enabled", true);
|
||||||
// Pref : Enable Container Tabs
|
// Pref : Enable Container Tabs
|
||||||
user_pref("privacy.userContext.enabled", true);
|
user_pref("privacy.userContext.enabled", true);
|
||||||
// Pref : Enable a private container for thumbnail loads
|
// Pref : Enable a private container for thumbnail loads
|
||||||
user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); // default: true
|
user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); // [DEFAULT: true]
|
||||||
// Pref : Set long press behaviour on "+ Tab" button to display container menu
|
// Pref : Set long press behaviour on "+ Tab" button to display container menu
|
||||||
// 0=disables long press, 1=when clicked, the menu is shown
|
// 0=disables long press, 1=when clicked, the menu is shown
|
||||||
// 2=the menu is shown after X milliseconds
|
// 2=the menu is shown after X milliseconds
|
||||||
|
@ -793,11 +823,11 @@ user_pref("browser.display.use_document_fonts", 0);
|
||||||
// Pref: Set more legible default fonts
|
// Pref: Set more legible default fonts
|
||||||
// [NOTE] Example below for Windows/Western only
|
// [NOTE] Example below for Windows/Western only
|
||||||
// user_pref("font.name.serif.x-unicode", "Georgia");
|
// user_pref("font.name.serif.x-unicode", "Georgia");
|
||||||
// user_pref("font.name.serif.x-western", "Georgia"); // default: Times New Roman
|
// user_pref("font.name.serif.x-western", "Georgia"); // [DEFAULT: Times New Roman]
|
||||||
// user_pref("font.name.sans-serif.x-unicode", "Arial");
|
// user_pref("font.name.sans-serif.x-unicode", "Arial");
|
||||||
// user_pref("font.name.sans-serif.x-western", "Arial"); // default: Arial
|
// user_pref("font.name.sans-serif.x-western", "Arial"); // [DEFAULT: Arial]
|
||||||
// user_pref("font.name.monospace.x-unicode", "Lucida Console");
|
// user_pref("font.name.monospace.x-unicode", "Lucida Console");
|
||||||
// user_pref("font.name.monospace.x-western", "Lucida Console"); // default: Courier New
|
// user_pref("font.name.monospace.x-western", "Lucida Console"); // [DEFAULT: Courier New]
|
||||||
// Pref: Disable icon fonts (glyphs) and local fallback rendering
|
// Pref: Disable icon fonts (glyphs) and local fallback rendering
|
||||||
// https://bugzilla.mozilla.org/789788
|
// https://bugzilla.mozilla.org/789788
|
||||||
// https://trac.torproject.org/projects/tor/ticket/8455
|
// https://trac.torproject.org/projects/tor/ticket/8455
|
||||||
|
@ -851,40 +881,6 @@ user_pref("media.eme.enabled", false);
|
||||||
user_pref("media.gmp-gmpopenh264.enabled", false);
|
user_pref("media.gmp-gmpopenh264.enabled", false);
|
||||||
//
|
//
|
||||||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||||
// Section : Hardware Fingerprinting
|
|
||||||
// >>>>>>>>>>>>>>>>>>>>
|
|
||||||
// Pref : Disable Battery Status API
|
|
||||||
// Initially a Linux issue (high precision readout) that was fixed.
|
|
||||||
// However, it is still another metric for fingerprinting, used to raise entropy.
|
|
||||||
// e.g. do you have a battery or not, current charging status, charge level, times remaining etc
|
|
||||||
// https://bugzilla.mozilla.org/1313580
|
|
||||||
// user_pref("dom.battery.enabled", false);
|
|
||||||
// Pref : Disable virtual reality devices APIs
|
|
||||||
// https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
|
|
||||||
// https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
|
|
||||||
user_pref("dom.vr.enabled", false);
|
|
||||||
// Pref : Disable WebRTC getUserMedia, screen sharing, audio capture, video capture
|
|
||||||
// https://wiki.mozilla.org/Media/getUserMedia
|
|
||||||
// https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/
|
|
||||||
// https://developer.mozilla.org/en-US/docs/Web/API/Navigator
|
|
||||||
user_pref("media.navigator.enabled", false);
|
|
||||||
user_pref("media.navigator.video.enabled", false);
|
|
||||||
// Pref : Disable hardware acceleration to reduce graphics fingerprinting
|
|
||||||
// [SETUP-PERF] Affects text rendering (fonts will look different), impacts video performance,
|
|
||||||
// and parts of Quantum that utilize the GPU will also be affected as they are rolled out
|
|
||||||
// https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration
|
|
||||||
// user_pref("layers.acceleration.disabled", true);
|
|
||||||
// Pref : Disable Web Audio API
|
|
||||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
|
|
||||||
// Avoid fingerprinting...
|
|
||||||
user_pref("dom.webaudio.enabled", false);
|
|
||||||
// Pref : Disable Media Capabilities API
|
|
||||||
// [SETUP-PERF] This *may* affect media performance if disabled, no one is sure
|
|
||||||
// https://github.com/WICG/media-capabilities
|
|
||||||
// https://wicg.github.io/media-capabilities/#security-privacy-considerations
|
|
||||||
// user_pref("media.media-capabilities.enabled", false);
|
|
||||||
//
|
|
||||||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
|
||||||
// Section : Blocklists / Safe Browsing / Tracking Protection
|
// Section : Blocklists / Safe Browsing / Tracking Protection
|
||||||
// >>>>>>>>>>>>>>>>>>>>
|
// >>>>>>>>>>>>>>>>>>>>
|
||||||
// This section has security & tracking protection implications vs privacy concerns vs effectiveness vs 3rd party 'censorship'. If you disable Tracking Protection (TP) and/or Safe Browsing (SB), REQUIRES YOU HAVE uBLOCK ORIGIN INSTALLED.
|
// This section has security & tracking protection implications vs privacy concerns vs effectiveness vs 3rd party 'censorship'. If you disable Tracking Protection (TP) and/or Safe Browsing (SB), REQUIRES YOU HAVE uBLOCK ORIGIN INSTALLED.
|
||||||
|
@ -1067,11 +1063,105 @@ user_pref("network.http.referer.hideOnionSource", true); // [DEFAULT: false]
|
||||||
user_pref("privacy.donottrackheader.enabled", false); // [DEFAULT: true]
|
user_pref("privacy.donottrackheader.enabled", false); // [DEFAULT: true]
|
||||||
//
|
//
|
||||||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||||
// Section : Resist Fingerprinting
|
// Section : RFP (Resist Fingerprinting) / RFP Alternatives / APIs
|
||||||
// >>>>>>>>>>>>>>>>>>>>
|
// >>>>>>>>>>>>>>>>>>>>
|
||||||
// Pref : Enable hardening against various fingerprinting vectors (Tor Uplift project)
|
// Pref : Enable hardening against various fingerprinting vectors (Tor Uplift project)
|
||||||
// https://wiki.mozilla.org/Security/Tor_Uplift/Tracking
|
// https://wiki.mozilla.org/Security/Tor_Uplift/Tracking
|
||||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=1333933
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=1333933
|
||||||
user_pref("privacy.resistFingerprinting", true);
|
user_pref("privacy.resistFingerprinting", true); // [DEFAULT: false]
|
||||||
// Pref : [FENNEC]
|
// Pref : Disable WebRTC, getUserMedia, screen sharing, audio capture, video capture
|
||||||
user_pref("privacy.trackingprotection.fingerprinting.enabled", true);
|
// https://wiki.mozilla.org/Media/getUserMedia
|
||||||
|
// https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/
|
||||||
|
// https://developer.mozilla.org/en-US/docs/Web/API/Navigator
|
||||||
|
user_pref("media.navigator.enabled", false);
|
||||||
|
user_pref("media.navigator.video.enabled", false);
|
||||||
|
// Pref : Spoof CPU Core
|
||||||
|
// [NOTE] *may* affect core chrome/Firefox performance, will affect content.
|
||||||
|
// Default settings seems to be the best
|
||||||
|
// https://bugzilla.mozilla.org/1008453
|
||||||
|
// https://trac.torproject.org/projects/tor/ticket/21675
|
||||||
|
// https://trac.torproject.org/projects/tor/ticket/22127
|
||||||
|
// https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency
|
||||||
|
// user_pref("dom.maxHardwareConcurrency", 2); // [DEFAULT: 16]
|
||||||
|
// Pref : Disable resource timing API
|
||||||
|
// https://www.w3.org/TR/resource-timing/#privacy-security
|
||||||
|
user_pref("dom.enable_resource_timing", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable DOM timing API
|
||||||
|
// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
|
||||||
|
// https://www.w3.org/TR/navigation-timing/#privacy
|
||||||
|
user_pref("dom.enable_performance", false); // [DEFAULT: true]
|
||||||
|
user_pref("dom.enable_performance_navigation_timing", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable sensor API
|
||||||
|
// https://trac.torproject.org/projects/tor/ticket/15758
|
||||||
|
// https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
|
||||||
|
// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751
|
||||||
|
user_pref("device.sensors.enabled", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable gamepad API - USB device ID enumeration
|
||||||
|
// Optional protection depending on your connected devices
|
||||||
|
// https://trac.torproject.org/projects/tor/ticket/13023
|
||||||
|
user_pref("dom.gamepad.enabled", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable giving away network info
|
||||||
|
// e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
|
||||||
|
// https://developer.mozilla.org/docs/Web/API/Network_Information_API
|
||||||
|
// https://wicg.github.io/netinfo/
|
||||||
|
// https://bugzilla.mozilla.org/960426
|
||||||
|
user_pref("dom.netinfo.enabled", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API
|
||||||
|
// https://developer.mozilla.org/docs/Web/API/Web_Speech_API
|
||||||
|
// https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
|
||||||
|
// https://wiki.mozilla.org/HTML5_Speech_API
|
||||||
|
user_pref("media.webspeech.synth.enabled", false); // [DEFAULT: false]
|
||||||
|
// Pref : Disable video statistics - JS performance fingerprinting
|
||||||
|
// https://trac.torproject.org/projects/tor/ticket/15757
|
||||||
|
// https://bugzilla.mozilla.org/654550
|
||||||
|
user_pref("media.video_stats.enabled", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable touch events
|
||||||
|
// Fingerprinting attack vector - leaks screen res & actual screen coordinates
|
||||||
|
// 0=disabled, 1=enabled, 2=autodetect
|
||||||
|
// https://developer.mozilla.org/docs/Web/API/Touch_events
|
||||||
|
// https://trac.torproject.org/projects/tor/ticket/10286
|
||||||
|
user_pref("dom.w3c_touch_events.enabled", 0); // [DEFAULT: 2]
|
||||||
|
// Pref : Disable MediaDevices change detection
|
||||||
|
// https://developer.mozilla.org/docs/Web/Events/devicechange
|
||||||
|
// https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange
|
||||||
|
user_pref("media.ondevicechange.enabled", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable WebGL debug info being available to websites
|
||||||
|
// https://bugzilla.mozilla.org/1171228
|
||||||
|
// https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info
|
||||||
|
user_pref("webgl.enable-debug-renderer-info", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable PointerEvents
|
||||||
|
// https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent
|
||||||
|
user_pref("dom.w3c_pointer_events.enabled", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable MediaDevices change detection
|
||||||
|
// https://developer.mozilla.org/docs/Web/Events/devicechange
|
||||||
|
// https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange
|
||||||
|
user_pref("media.ondevicechange.enabled", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable WebGL debug info being available to websites
|
||||||
|
// https://bugzilla.mozilla.org/1171228
|
||||||
|
// https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info
|
||||||
|
user_pref("webgl.enable-debug-renderer-info", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable PointerEvents
|
||||||
|
// https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent
|
||||||
|
user_pref("dom.w3c_pointer_events.enabled", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable Battery Status API
|
||||||
|
// Initially a Linux issue (high precision readout) that was fixed.
|
||||||
|
// However, it is still another metric for fingerprinting, used to raise entropy.
|
||||||
|
// e.g. do you have a battery or not, current charging status, charge level, times remaining etc
|
||||||
|
// https://bugzilla.mozilla.org/1313580
|
||||||
|
user_pref("dom.battery.enabled", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable virtual reality devices APIs
|
||||||
|
// https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
|
||||||
|
// https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
|
||||||
|
user_pref("dom.vr.enabled", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable hardware acceleration to reduce graphics fingerprinting
|
||||||
|
// [SETUP-PERF] Affects text rendering (fonts will look different), impacts video performance, and parts of Quantum that utilize the GPU will also be affected as they are rolled out
|
||||||
|
// https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration
|
||||||
|
// user_pref("layers.acceleration.disabled", true); // [DEFAULT: false]
|
||||||
|
// Pref : Disable Web Audio API
|
||||||
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
|
||||||
|
user_pref("dom.webaudio.enabled", false); // [DEFAULT: true]
|
||||||
|
// Pref : Disable Media Capabilities API
|
||||||
|
// [SETUP-PERF] This *may* affect media performance if disabled, no one is sure
|
||||||
|
// https://github.com/WICG/media-capabilities
|
||||||
|
// https://wicg.github.io/media-capabilities/#security-privacy-considerations
|
||||||
|
// user_pref("media.media-capabilities.enabled", false); // [DEFAULT: true]
|
||||||
|
|