Update user.js

 Sorted lot of rules and sections
 Adjusted credits (added pyllyukko)
 Control TLS versions with min (1.2) and max (1.3)
 Added some descriptions
 Enabled warning the user when the server doesn't support RFC 5746 ("safe" renegotiation)
 Set control "Add Security Exception" dialog on SSL warnings to "pre-populate url" only
 Enabled display advanced information on Insecure Connection warning pages
️ Disabled old SSL/TLS "insecure" renegotiation
️ Disabled SSL Error Reporting
️ Disabled TLS1.3 0-RTT (round-trip time)
️ Disallowed SHA-1
️ Disabled Family Safety cert
️ Disabled 3DES, 128 bits, DHE (Diffie-Hellman Key Exchange), and the remaining non-modern cipher suites
️ Disabled resource timing API
️ Disabled sensor API
️ Disabled gamepad API (USB device ID enumeration)
️ Disabled "dom.netinfo" (giving away network info)
️ Disabled video statistics (JS performance fingerprinting)
️ Disabled touch(screen) events
️ Disabled MediaDevices change detection
️ Disabled WebGL debug info being available to websites
️ Disabled PointerEvents
This commit is contained in:
quindecim 2019-04-28 23:52:16 +00:00 committed by GitHub
parent 8ad625e231
commit 96da182e37
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 222 additions and 132 deletions

user.js

@ -1,12 +1,17 @@
//
/******************************************************************************
* * * * * * * * * * * * * * @quindecim | user.js * * * * * * * * * * * * * *
* Fennec F-Droid | user.js *
* *
* project based on gHacksuser.js and Librefox Browser. Redesigned for Fennec *
* https://github.com/quindecim/fennec_user.js *
******************************************************************************/
//
// gHacks: https://github.com/ghacksuserjs/ghacks-user.js
// Librefox: https://github.com/intika/Librefox
// Author : @quindecim
//
//
// Based on : gHacks: https://github.com/ghacksuserjs/ghacks-user.js
// Librefox: https://github.com/intika/Librefox
// pyllyukko: https://github.com/pyllyukko/user.js
//
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Quiet Fox
@ -79,59 +84,33 @@ user_pref("network.connectivity-service.DNSv6.domain", "");
// I Just Want You To Shut Up : Closing all non necessary communication to mozilla.org etc.
// >>>>>>>>>>>>>>>>>>>>>
// Pref :
user_pref("urlclassifier.passwordAllowTable", "");
// Default Value
// goog-passwordwhite-proto
user_pref("urlclassifier.passwordAllowTable", ""); // [DEFAULT: goog-passwordwhite-proto]
// Pref :
user_pref("app.support.baseURL", "");
// Default Value
// https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
user_pref("app.support.baseURL", ""); // [DEFAULT: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/]
// Pref :
user_pref("extensions.getAddons.compatOverides.url", "");
// Default Value
// https://services.addons.mozilla.org/api/v3/addons/compat-override/?guid=%IDS%&lang=%LOCALE%
user_pref("extensions.getAddons.compatOverides.url", ""); // [DEFAULT: https://services.addons.mozilla.org/api/v3/addons/compat-override/?guid=%IDS%&lang=%LOCALE%]
// Pref :
user_pref("extensions.getAddons.get.url", "");
// Default Value
// https://services.addons.mozilla.org/api/v3/addons/search/?guid=%IDS%&lang=%LOCALE%
user_pref("extensions.getAddons.get.url", ""); // [DEFAULT: https://services.addons.mozilla.org/api/v3/addons/search/?guid=%IDS%&lang=%LOCALE%]
// Pref :
user_pref("extensions.getAddons.langpacks.url", "");
// Default Value
// https://services.addons.mozilla.org/api/v3/addons/language-tools/?app=firefox&type=language&appversion=%VERSION%
user_pref("extensions.getAddons.langpacks.url", ""); // [DEFAULT: https://services.addons.mozilla.org/api/v3/addons/language-tools/?app=firefox&type=language&appversion=%VERSION%]
// Pref :
user_pref("extensions.getAddons.search.browseURL", "");
// Default Value
// https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
user_pref("extensions.getAddons.search.browseURL", ""); // [DEFAULT: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%]
// Pref :
user_pref("identity.sync.tokenserver.uri", "");
// Default Value
// https://token.services.mozilla.com/1.0/sync/1.5
user_pref("identity.sync.tokenserver.uri", ""); // [DEFAULT: https://token.services.mozilla.com/1.0/sync/1.5/]
// Pref :
user_pref("media.decoder-doctor.new-issue-endpoint", "");
// Default Value
// https://webcompat.com/issues/new
user_pref("media.decoder-doctor.new-issue-endpoint", ""); // [DEFAULT: https://webcompat.com/issues/new]
// Pref : Accept Only 1st Party Cookies
// http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
// Pref :
user_pref("network.trr.confirmationNS", "");
// Default Value
// example.com
user_pref("network.trr.confirmationNS", ""); // [DEFAULT: example.com]
// Pref : Test To Make FFox Silent
user_pref("security.content.signature.root_hash", "");
// Default Value
// remote-settings.content-signature.mozilla.org
user_pref("security.content.signature.root_hash", ""); // [DEFAULT: remote-settings.content-signature.mozilla.org]
// Pref :
user_pref("services.settings.default_signer", "");
// Default Value
// remote-settings.content-signature.mozilla.org
user_pref("services.settings.default_signer", ""); // [DEFAULT: remote-settings.content-signature.mozilla.org]
// Pref :
user_pref("services.settings.server", "");
// Default Value
// https://firefox.settings.services.mozilla.com/v1
user_pref("services.settings.server", ""); // [DEFAULT: https://firefox.settings.services.mozilla.com/v1]
// Pref :
user_pref("urlclassifier.phishTable", "");
// Default Value
// goog-phish-proto,test-phish-simple
user_pref("urlclassifier.phishTable", ""); // [DEFAULT: goog-phish-proto,test-phish-simple]
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Miscellaneous
@ -146,8 +125,6 @@ user_pref("extensions.systemAddon.update.url", "");
user_pref("app.feedback.baseURL", "");
// Pref :
user_pref("devtools.devices.url", "");
// Pref :
user_pref("dom.battery.enabled", false);
// Pref : Maximum pop launch at the same time
user_pref("dom.popup_maximum", 4);
// Pref :
@ -199,11 +176,6 @@ user_pref("network.prefetch-next", false);
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections
// https://bugzilla.mozilla.org/show_bug.cgi?id=814169
user_pref("network.http.speculative-parallel-limit", 0);
// Pref : Disable DOM timing API
// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
// https://www.w3.org/TR/navigation-timing/#privacy
user_pref("dom.enable_performance", false);
user_pref("dom.enable_performance_navigation_timing", false);
// Pref : Disable "beacon" asynchronous HTTP transfers (used for analytics)
// https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
user_pref("beacon.enabled", false);
@ -474,11 +446,6 @@ user_pref("browser.formfill.enable", false);
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Security
// >>>>>>>>>>>>>>>>>>>>
// Pref : Pre-populate the current URL but do not pre-fetch the certificate in the
// "Add Security Exception" dialog
// http://kb.mozillazine.org/Browser.ssl_override_behavior
// https://github.com/pyllyukko/user.js/issues/210
user_pref("browser.ssl_override_behavior", 1);
// Pref : Blocking GD Parking Scam Site
user_pref("network.dns.localDomains", "librefox.com");
// Pref : Disable HSTS preload list (pre-set HSTS sites list provided by Mozilla)
@ -486,41 +453,6 @@ user_pref("network.dns.localDomains", "librefox.com");
// https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
// https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
user_pref("network.stricttransportsecurity.preloadlist", false);
// Pref : Check disabled section
// OCSP Leaks the visited sited exactly same issue as safebrowsing.
// Stapling have the site itsefl proof that his certificate is good
// through the CA so apparently nothing is leaked in this case.
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
user_pref("security.OCSP.enabled", 0);
user_pref("security.OCSP.require", false);
user_pref("security.ssl.enable_ocsp_stapling", true);
// Pref :
user_pref("security.ssl.errorReporting.enabled", false);
// Pref : Enfore Public Key Pinning
// https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
// "2. Strict. Pinning is always enforced."
user_pref("security.cert_pinning.enforcement_level", 2);
// Pref :
user_pref("security.mixed_content.upgrade_display_content", true);
user_pref("security.mixed_content.block_object_subrequest", true);
user_pref("security.mixed_content.block_display_content", true);
user_pref("security.mixed_content.block_active_content", true);
// Pref : Disallow SHA-1
// https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
// https://shattered.io/
user_pref("security.pki.sha1_enforcement_level", 1);
// Pref :
user_pref("security.ssl.errorReporting.automatic", false);
user_pref("security.ssl.errorReporting.url", "");
// Pref : Warn the user when server doesn't support RFC 5746 ("safe" renegotiation)
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
// Pref :
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_aes_256_sha", false);
user_pref("security.ssl3.rsa_aes_128_sha", false);
// Pref : Disable insecure TLS version fallback
// https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
// https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
@ -608,6 +540,104 @@ user_pref("network.trr.bootstrapAddress", "");
user_pref("network.trr.uri", "");
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : HTTPS (SSL/TLS / OCSP / Certs / HPKP / Ciphers)
// >>>>>>>>>>>>>>>>>>>>
// Pref : Disable old SSL/TLS "insecure" renegotiation (vulnerable to a MiTM attack)
// [SETUP-WEB] <2% of secure sites do NOT support the newer "secure" renegotiation
// https://wiki.mozilla.org/Security:Renegotiation
// https://www.ssllabs.com/ssl-pulse/
user_pref("security.ssl.require_safe_negotiation", true);
// Pref : Control TLS versions with min and max
// 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
// [NOTE] Jul-2017: Telemetry indicates approx 2% of TLS web traffic uses 1.0 or 1.1
// http://kb.mozillazine.org/Security.tls.version.*
// https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/
// archived: https://archive.is/hY2Mm
user_pref("security.tls.version.min", 3);
user_pref("security.tls.version.max", 4);
// Pref : Disable SSL session tracking
// SSL Session IDs are unique, last up to 24hrs in Firefox, and can be used for tracking.
// [SETUP-PERF] Relax this if you have FPI enabled and you understand the consequences. FPI isolates these, but it was designed with the Tor protocol in mind, and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
// https://tools.ietf.org/html/rfc5077
// https://bugzilla.mozilla.org/967977
// https://arxiv.org/abs/1810.07304
// user_pref("security.ssl.disable_session_identifiers", true);
// Pref : Disable SSL Error Reporting
// https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html
user_pref("security.ssl.errorReporting.enabled", false);
user_pref("security.ssl.errorReporting.automatic", false);
user_pref("security.ssl.errorReporting.url", "");
// Pref : Disable TLS1.3 0-RTT (round-trip time)
// https://github.com/tlswg/tls13-spec/issues/1001
// https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/
user_pref("security.tls.enable_0rtt_data", false);
// Pref : Check disabled section
// OCSP Leaks the visited sited exactly same issue as safebrowsing.
// Stapling have the site itself proof that his certificate is good through the CA so apparently nothing is leaked in this case.
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
user_pref("security.OCSP.enabled", 0);
user_pref("security.OCSP.require", false);
user_pref("security.ssl.enable_ocsp_stapling", true);
// Pref : Disallow SHA-1
// 0=all SHA1 certs are allowed
// 1=all SHA1 certs are blocked
// 2=deprecated option that now maps to 1
// 3=only allowed for locally-added roots (e.g. anti-virus)
// 4=only allowed for locally-added roots or for certs in 2015 and earlier
// https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/
// https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
// https://shattered.io/
user_pref("security.pki.sha1_enforcement_level", 1);
// Pref : Disable Windows 8.1's Microsoft Family Safety cert
// 0=disable detecting Family Safety mode and importing the root
// 1=only attempt to detect Family Safety mode (don't import the root)
// 2=detect Family Safety mode and import the root
// https://trac.torproject.org/projects/tor/ticket/21686
user_pref("security.family_safety.mode", 0);
// Pref : Enfore Public Key Pinning
// https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
// 2= strict (pinning is always enforced)
user_pref("security.cert_pinning.enforcement_level", 2);
// Pref : Disable insecure active content on https pages
// https://trac.torproject.org/projects/tor/ticket/21323
user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true]
// Pref : Disable insecure passive content (such as images) on https pages
user_pref("security.mixed_content.upgrade_display_content", true);
user_pref("security.mixed_content.block_display_content", true);
// Pref : Block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks
// https://bugzilla.mozilla.org/1190623
user_pref("security.mixed_content.block_object_subrequest", true);
// Pref : Disable 3DES (effective key size < 128)
// https://en.wikipedia.org/wiki/3des#Security
// http://en.citizendium.org/wiki/Meet-in-the-middle_attack
// https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
user_pref("security.ssl3.rsa_des_ede3_sha", false);
// Pref : Disable 128 bits
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
// Pref : Disable DHE (Diffie-Hellman Key Exchange)
// https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
// Pref : Disable the remaining non-modern cipher suites
user_pref("security.ssl3.rsa_aes_128_sha", false);
user_pref("security.ssl3.rsa_aes_256_sha", false);
// Pref : Warn the user when server doesn't support RFC 5746 ("safe" renegotiation)
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
// Pref : Control "Add Security Exception" dialog on SSL warnings
// 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)
// http://kb.mozillazine.org/Browser.ssl_override_behavior
// https://github.com/pyllyukko/user.js/issues/210
user_pref("browser.ssl_override_behavior", 1);
// Pref : Display advanced information on Insecure Connection warning pages (only works when it's possible to add an exception), i.e. it doesn't work for HSTS discrepancies
// https://subdomain.preloaded-hsts.badssl.com/
// [TEST] https://expired.badssl.com/
user_pref("browser.xul.error_pages.expert_bad_cert", true);
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : User Settings
// >>>>>>>>>>>>>>>>>>>>
// Pref : Do No Tracker enabled by default
@ -626,7 +656,7 @@ user_pref("privacy.userContext.ui.enabled", true);
// Pref : Enable Container Tabs
user_pref("privacy.userContext.enabled", true);
// Pref : Enable a private container for thumbnail loads
user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); // default: true
user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); // [DEFAULT: true]
// Pref : Set long press behaviour on "+ Tab" button to display container menu
// 0=disables long press, 1=when clicked, the menu is shown
// 2=the menu is shown after X milliseconds
@ -793,11 +823,11 @@ user_pref("browser.display.use_document_fonts", 0);
// Pref: Set more legible default fonts
// [NOTE] Example below for Windows/Western only
// user_pref("font.name.serif.x-unicode", "Georgia");
// user_pref("font.name.serif.x-western", "Georgia"); // default: Times New Roman
// user_pref("font.name.serif.x-western", "Georgia"); // [DEFAULT: Times New Roman]
// user_pref("font.name.sans-serif.x-unicode", "Arial");
// user_pref("font.name.sans-serif.x-western", "Arial"); // default: Arial
// user_pref("font.name.sans-serif.x-western", "Arial"); // [DEFAULT: Arial]
// user_pref("font.name.monospace.x-unicode", "Lucida Console");
// user_pref("font.name.monospace.x-western", "Lucida Console"); // default: Courier New
// user_pref("font.name.monospace.x-western", "Lucida Console"); // [DEFAULT: Courier New]
// Pref: Disable icon fonts (glyphs) and local fallback rendering
// https://bugzilla.mozilla.org/789788
// https://trac.torproject.org/projects/tor/ticket/8455
@ -851,40 +881,6 @@ user_pref("media.eme.enabled", false);
user_pref("media.gmp-gmpopenh264.enabled", false);
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Hardware Fingerprinting
// >>>>>>>>>>>>>>>>>>>>
// Pref : Disable Battery Status API
// Initially a Linux issue (high precision readout) that was fixed.
// However, it is still another metric for fingerprinting, used to raise entropy.
// e.g. do you have a battery or not, current charging status, charge level, times remaining etc
// https://bugzilla.mozilla.org/1313580
// user_pref("dom.battery.enabled", false);
// Pref : Disable virtual reality devices APIs
// https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
// https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
user_pref("dom.vr.enabled", false);
// Pref : Disable WebRTC getUserMedia, screen sharing, audio capture, video capture
// https://wiki.mozilla.org/Media/getUserMedia
// https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/
// https://developer.mozilla.org/en-US/docs/Web/API/Navigator
user_pref("media.navigator.enabled", false);
user_pref("media.navigator.video.enabled", false);
// Pref : Disable hardware acceleration to reduce graphics fingerprinting
// [SETUP-PERF] Affects text rendering (fonts will look different), impacts video performance,
// and parts of Quantum that utilize the GPU will also be affected as they are rolled out
// https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration
// user_pref("layers.acceleration.disabled", true);
// Pref : Disable Web Audio API
// https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
// Avoid fingerprinting...
user_pref("dom.webaudio.enabled", false);
// Pref : Disable Media Capabilities API
// [SETUP-PERF] This *may* affect media performance if disabled, no one is sure
// https://github.com/WICG/media-capabilities
// https://wicg.github.io/media-capabilities/#security-privacy-considerations
// user_pref("media.media-capabilities.enabled", false);
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Blocklists / Safe Browsing / Tracking Protection
// >>>>>>>>>>>>>>>>>>>>
// This section has security & tracking protection implications vs privacy concerns vs effectiveness vs 3rd party 'censorship'. If you disable Tracking Protection (TP) and/or Safe Browsing (SB), REQUIRES YOU HAVE uBLOCK ORIGIN INSTALLED.
@ -1067,11 +1063,105 @@ user_pref("network.http.referer.hideOnionSource", true); // [DEFAULT: false]
user_pref("privacy.donottrackheader.enabled", false); // [DEFAULT: true]
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Resist Fingerprinting
// Section : RFP (Resist Fingerprinting) / RFP Alternatives / APIs
// >>>>>>>>>>>>>>>>>>>>
// Pref : Enable hardening against various fingerprinting vectors (Tor Uplift project)
// https://wiki.mozilla.org/Security/Tor_Uplift/Tracking
// https://bugzilla.mozilla.org/show_bug.cgi?id=1333933
user_pref("privacy.resistFingerprinting", true);
// Pref : [FENNEC]
user_pref("privacy.trackingprotection.fingerprinting.enabled", true);
user_pref("privacy.resistFingerprinting", true); // [DEFAULT: false]
// Pref : Disable WebRTC, getUserMedia, screen sharing, audio capture, video capture
// https://wiki.mozilla.org/Media/getUserMedia
// https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/
// https://developer.mozilla.org/en-US/docs/Web/API/Navigator
user_pref("media.navigator.enabled", false);
user_pref("media.navigator.video.enabled", false);
// Pref : Spoof CPU Core
// [NOTE] *may* affect core chrome/Firefox performance, will affect content.
// Default settings seems to be the best
// https://bugzilla.mozilla.org/1008453
// https://trac.torproject.org/projects/tor/ticket/21675
// https://trac.torproject.org/projects/tor/ticket/22127
// https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency
// user_pref("dom.maxHardwareConcurrency", 2); // [DEFAULT: 16]
// Pref : Disable resource timing API
// https://www.w3.org/TR/resource-timing/#privacy-security
user_pref("dom.enable_resource_timing", false); // [DEFAULT: true]
// Pref : Disable DOM timing API
// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
// https://www.w3.org/TR/navigation-timing/#privacy
user_pref("dom.enable_performance", false); // [DEFAULT: true]
user_pref("dom.enable_performance_navigation_timing", false); // [DEFAULT: true]
// Pref : Disable sensor API
// https://trac.torproject.org/projects/tor/ticket/15758
// https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751
user_pref("device.sensors.enabled", false); // [DEFAULT: true]
// Pref : Disable gamepad API - USB device ID enumeration
// Optional protection depending on your connected devices
// https://trac.torproject.org/projects/tor/ticket/13023
user_pref("dom.gamepad.enabled", false); // [DEFAULT: true]
// Pref : Disable giving away network info
// e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
// https://developer.mozilla.org/docs/Web/API/Network_Information_API
// https://wicg.github.io/netinfo/
// https://bugzilla.mozilla.org/960426
user_pref("dom.netinfo.enabled", false); // [DEFAULT: true]
// Pref : Disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API
// https://developer.mozilla.org/docs/Web/API/Web_Speech_API
// https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
// https://wiki.mozilla.org/HTML5_Speech_API
user_pref("media.webspeech.synth.enabled", false); // [DEFAULT: false]
// Pref : Disable video statistics - JS performance fingerprinting
// https://trac.torproject.org/projects/tor/ticket/15757
// https://bugzilla.mozilla.org/654550
user_pref("media.video_stats.enabled", false); // [DEFAULT: true]
// Pref : Disable touch events
// Fingerprinting attack vector - leaks screen res & actual screen coordinates
// 0=disabled, 1=enabled, 2=autodetect
// https://developer.mozilla.org/docs/Web/API/Touch_events
// https://trac.torproject.org/projects/tor/ticket/10286
user_pref("dom.w3c_touch_events.enabled", 0); // [DEFAULT: 2]
// Pref : Disable MediaDevices change detection
// https://developer.mozilla.org/docs/Web/Events/devicechange
// https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange
user_pref("media.ondevicechange.enabled", false); // [DEFAULT: true]
// Pref : Disable WebGL debug info being available to websites
// https://bugzilla.mozilla.org/1171228
// https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info
user_pref("webgl.enable-debug-renderer-info", false); // [DEFAULT: true]
// Pref : Disable PointerEvents
// https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent
user_pref("dom.w3c_pointer_events.enabled", false); // [DEFAULT: true]
// Pref : Disable MediaDevices change detection
// https://developer.mozilla.org/docs/Web/Events/devicechange
// https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange
user_pref("media.ondevicechange.enabled", false); // [DEFAULT: true]
// Pref : Disable WebGL debug info being available to websites
// https://bugzilla.mozilla.org/1171228
// https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info
user_pref("webgl.enable-debug-renderer-info", false); // [DEFAULT: true]
// Pref : Disable PointerEvents
// https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent
user_pref("dom.w3c_pointer_events.enabled", false); // [DEFAULT: true]
// Pref : Disable Battery Status API
// Initially a Linux issue (high precision readout) that was fixed.
// However, it is still another metric for fingerprinting, used to raise entropy.
// e.g. do you have a battery or not, current charging status, charge level, times remaining etc
// https://bugzilla.mozilla.org/1313580
user_pref("dom.battery.enabled", false); // [DEFAULT: true]
// Pref : Disable virtual reality devices APIs
// https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
// https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
user_pref("dom.vr.enabled", false); // [DEFAULT: true]
// Pref : Disable hardware acceleration to reduce graphics fingerprinting
// [SETUP-PERF] Affects text rendering (fonts will look different), impacts video performance, and parts of Quantum that utilize the GPU will also be affected as they are rolled out
// https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration
// user_pref("layers.acceleration.disabled", true); // [DEFAULT: false]
// Pref : Disable Web Audio API
// https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
user_pref("dom.webaudio.enabled", false); // [DEFAULT: true]
// Pref : Disable Media Capabilities API
// [SETUP-PERF] This *may* affect media performance if disabled, no one is sure
// https://github.com/WICG/media-capabilities
// https://wicg.github.io/media-capabilities/#security-privacy-considerations
// user_pref("media.media-capabilities.enabled", false); // [DEFAULT: true]
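Review bot: The rationale on the line `// Pref : Disable 128 bits` in the HTTPS hunk is wrong: the two prefs under it (`security.ssl3.ecdhe_ecdsa_aes_128_sha`, `security.ssl3.ecdhe_rsa_aes_128_sha`) are the CBC/HMAC-SHA1 variants, and AES-128-GCM suites such as `security.ssl3.ecdhe_rsa_aes_128_gcm_sha256` stay enabled, so key size is not what is being removed; reword it to `// Pref : Disable CBC-mode ECDHE suites with HMAC-SHA1 (AES-128-GCM stays enabled; 128-bit keys are not the weakness)`. The OCSP block is also mislabelled (`// Pref : Check disabled section`) and its comment hides the trade-off: with `security.OCSP.enabled` at 0 and `security.OCSP.require` false, only stapled responses are ever validated, so a revoked leaf certificate from a server that does not staple is accepted silently. Suggest `// Pref : Disable live OCSP queries (privacy); only stapled responses are checked, so revoked certs from non-stapling servers are NOT detected`. Finally, `// Pref : Disable the remaining non-modern cipher suites` overstates what follows, since only the static-RSA CBC suites are turned off there; the ECDHE AES-256 CBC-SHA1 suites remain enabled, as do any static-RSA GCM suites the build exposes, so the comment should name exactly which suites are being disabled.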