From bc213adf3520eae13c28189f1e91ad5a68157ceb Mon Sep 17 00:00:00 2001 From: Narsil Date: Mon, 26 Oct 2020 14:42:05 -0400 Subject: [PATCH] Update 'user.js' --- user.js | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index c8612f7..1455053 100644 --- a/user.js +++ b/user.js @@ -1045,14 +1045,17 @@ user_pref("javascript.options.asmjs", false); // https://gitlab.torproject.org/legacy/trac/-/issues/26019 user_pref("javascript.options.ion", false); // user_pref("javascript.options.baselinejit", false); // [BUG] Addons issues -// user_pref("javascript.options.jit_trustedprincipals", true); // [HIDDEN PREF] // [DESKTOP ?] +// user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [DESKTOP HIDDEN PREF] user_pref("javascript.options.native_regexp", false); // ------------------------------------- // Pref : Disable WebAssembly -// https://webassembly.org/ +// Vulnerabilities have increasingly been found, including those known and fixed +// in native programs years ago. WASM has powerful low-level access, making +// certain attacks (brute-force) and vulnerabilities more possible +// [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising // https://developer.mozilla.org/docs/WebAssembly -// https://en.wikipedia.org/wiki/WebAssembly -// https://gitlab.torproject.org/legacy/trac/-/issues/21549 +// https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly +// https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/ user_pref("javascript.options.wasm", false); user_pref("javascript.options.wasm_baselinejit", false); user_pref("javascript.options.wasm_cranelift", false); @@ -1382,6 +1385,7 @@ user_pref("network.predictor.enable-hover-on-ssl", false); // * IPv6 can be abused, especially with MAC addresses, and they do not play nice with VPNs. That's even assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4 // [STATS] Firefox telemetry (June 2020) shows only 5% of all connections are IPv6 // [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, then this won't make much difference. If you are masking your IP, then it can only help. +// [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" // [TEST] https://ipleak.org/ user_pref("network.dns.disableIPv6", true); // -------------------------------------