diff --git a/test b/test
index 7642c1b..7676b8d 100644
--- a/test
+++ b/test
@@ -1,8 +1,8 @@
 //
 // **********************************************************************************
-// user.js | Firefox *
+// user.js | Firefox mobile *
 // *
-// https://git.nixnet.xyz/Narsil/desktop_user.js *
+// https://git.nixnet.xyz/Narsil/mobile_user.js *
 // *********************************************************************************/
 //
 // Author : Narsil : https://git.nixnet.xyz/Narsil
@@ -10,6 +10,7 @@
 //
 //
 // Based on : arkenfox : https://github.com/arkenfox/user.js
+ : Quindecim : https://git.nixnet.xyz/quindecim/mobile_user.js
 //
 //
 // License : https://git.nixnet.xyz/Narsil/desktop_user.js/raw/branch/master/LICENSE
@@ -165,6 +166,7 @@ user_pref("services.settings.server", "");
 // Disable search engine updates (e.g. OpenSearch)
 // This does not affect Mozilla's built-in or Web Extension search engines ***/
 user_pref("browser.search.update", false);
+user_pref("browser.search.update.log", false);
 // -------------------------------------
 // Disable sending Flash crash reports ***/
 user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
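Review bot: The added attribution line in the `@@ -10,6 +10,7 @@` hunk appears to lack the `//` prefix that every neighbouring header line carries, so as shown it is not a comment and would be read as preference syntax. As far as I know, Firefox's prefs parser raises a syntax error on such a line and, depending on version, either stops reading the file or skips ahead to the next `;`. Either way, hardening prefs further down may silently not be applied. Suggest `//              : Quindecim : https://git.nixnet.xyz/quindecim/mobile_user.js`, then check the browser console for prefs parse errors after loading the file. Whitespace on this page is collapsed, so confirm against the raw file first.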
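Review bot: The added `browser.search.update.log` line in the `@@ -165,6 +166,7 @@` hunk has no comment of its own and sits under "Disable search engine updates". Judging by its name, it controls logging of update checks rather than whether they happen. If it is kept, a trailing comment such as `// logging only; does not stop update requests` would stop readers from counting it as a second network control. It is also worth confirming that the pref still exists in the targeted Firefox mobile builds, since a user.js entry for an unknown pref is stored but has no effect.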
@@ -1010,799 +1012,799 @@ user_pref("media.gmp-provider.enabled", false); // ------------------------------------- // Disable downloading OpenH264 codec at the first start of Firefox user_pref("media.gmp-gmpopenh264.enabled", false); - // ------------------------------------- - // Disable widevine CDM (Content Decryption Module) - // [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV - user_pref("media.gmp-widevinecdm.enabled", false); - user_pref("media.gmp-manager.url", ""); - user_pref("media.gmp-manager.url.override", ""); - // ------------------------------------- - // Disable all DRM content (EME: Encryption Media Extension) - // [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV - // [SETTING] General>DRM Content>Play DRM-controlled content - // https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/ - user_pref("media.eme.enabled", false); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // MEDIA / CAMERA / MIC ***/ - // >>>>>>>>>>>>>>>>>>>>> - // Disable WebRTC (Web Real-Time Communication) - // [SETUP-WEB] WebRTC can leak your IP address from behind your VPN, but if this is not - // in your threat model, and you want Real-Time Communication, this is the pref for you - // https://www.privacytools.io/#webrtc ***/ - user_pref("media.peerconnection.enabled", false); - // ------------------------------------- - // Limit WebRTC IP leaks if using WebRTC - // In FF70+ these settings match Mode 4 (Mode 3 in older versions) - // [TEST] https://browserleaks.com/webrtc - // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713 - // https://wiki.mozilla.org/Media/WebRTC/Privacy - // https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12#section-5.2 ***/ - 
user_pref("media.peerconnection.ice.default_address_only", true); - user_pref("media.peerconnection.ice.no_host", true); // [FF51+] - user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+] - user_pref("media.peerconnection.turn.disable", true); - user_pref("media.peerconnection.use_document_iceservers", false); - user_pref("media.peerconnection.video.enabled", false); - user_pref("media.peerconnection.identity.timeout", 1); - // ------------------------------------- - // Disable WebGL (Web Graphics Library) - // [SETUP-WEB] When disabled, may break some websites. When enabled, provides high entropy, - // especially with readPixels(). Some of the other entropy is lessened with RFP - // https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/ - // https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/ - user_pref("webgl.disabled", true); - user_pref("webgl.enable-webgl2", false); - // ------------------------------------- - // Limit WebGL ***/ - // user_pref("webgl.min_capability_mode", true); - user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] - // ------------------------------------- - // Disable screensharing ***/ - user_pref("media.getusermedia.screensharing.enabled", false); - user_pref("media.getusermedia.browser.enabled", false); - user_pref("media.getusermedia.audiocapture.enabled", false); - // ------------------------------------- - // Set a default permission for Camera/Microphone [FF58+] - // 0=always ask (default), 1=allow, 2=block - // [SETTING] to add site exceptions: Ctrl+I>Permissions>Use the Camera/Microphone - // [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings ***/ - user_pref("permissions.default.camera", 2); - user_pref("permissions.default.microphone", 2); - // ------------------------------------- - // Disable autoplay of HTML5 media [FF63+] - // 0=Allow all, 1=Block 
non-muted media (default in FF67+), 2=Prompt (removed in FF66), 5=Block all (FF69+) - // [NOTE] You can set exceptions under site permissions - // [SETTING] Privacy & Security>Permissions>Autoplay>Settings>Default for all websites ***/ - // user_pref("media.autoplay.default", 5); - // ------------------------------------- - // Disable autoplay of HTML5 media if you interacted with the site [FF78+] - // 0=sticky (default), 1=transient, 2=user - // [NOTE] If you have trouble with some video sites, then add an exception - // https://support.mozilla.org/questions/1293231 ***/ - user_pref("media.autoplay.blocking_policy", 2); - // ------------------------------------- - // Pref : Disable showing avif images - // user_pref("image.avif.enabled", false); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // WINDOW MEDDLING & LEAKS / POPUPS ***/ - // >>>>>>>>>>>>>>>>>>>>> - // Prevent scripts from moving and resizing open windows ***/ - user_pref("dom.disable_window_move_resize", true); - // ------------------------------------- - // Open links targeting new windows in a new tab instead - // This stops malicious window sizes and some screen resolution leaks. - // You can still right-click a link and open in a new window. - // [TEST] https://arkenfox.github.io/TZP/tzp.html#screen - // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ - user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab - user_pref("browser.link.open_newwindow.restriction", 0); - // ------------------------------------- - // Disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks - // [NOTE] You can still manually toggle the browser's fullscreen state (F11), - // but this pref will disable embedded video/game fullscreen controls, e.g. 
youtube - // [TEST] https://arkenfox.github.io/TZP/tzp.html#screen ***/ - // user_pref("full-screen-api.enabled", false); - // ------------------------------------- - // Block popup windows - // [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ - user_pref("dom.disable_open_during_load", true); - // ------------------------------------- - // Limit events that can cause a popup [SETUP-WEB] - // default FF86+: "change click dblclick auxclick mousedown mouseup pointerdown pointerup notificationclick reset submit touchend contextmenu" ***/ - user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // WEB WORKERS - // >>>>>>>>>>>>>>>>>>>>> - // Disable service workers [FF32, FF44-compat] - // Service workers essentially act as proxy servers that sit between web apps, and the - // browser and network, are event driven, and can control the web page/site it is associated - // with, intercepting and modifying navigation and resource requests, and caching resources. - // [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode. - // [NOTE] Service workers only run over HTTPS. Service workers have no DOM access. - // [SETUP-WEB] Disabling service workers will break some sites. This pref is required true for - // service worker notifications, push notifications and service worker - // cache. 
If you enable this pref, then check those settings as well ***/ - user_pref("dom.serviceWorkers.enabled", false); - // ------------------------------------- - // Disable Web Notifications - // [NOTE] Web Notifications can also use service workers and are behind a prompt - // https://developer.mozilla.org/docs/Web/API/Notifications_API ***/ - user_pref("dom.webnotifications.enabled", false); // [FF22+] - // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+] - // ------------------------------------- - // Disable Push Notifications [FF44+] - // Push is an API that allows websites to send you (subscribed) messages even when the site - // isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server. - // [NOTE] Push requires service workers to subscribe to and display, and is behind - // a prompt. Disabling service workers alone doesn't stop Firefox polling the - // Mozilla Push Server. To remove all subscriptions, reset your userAgentID (in about:config - // or on start), and you will get a new one within a few seconds. 
- // https://support.mozilla.org/en-US/kb/push-notifications-firefox - // https://developer.mozilla.org/en-US/docs/Web/API/Push_API ***/ - user_pref("dom.push.enabled", false); - user_pref("dom.push.connection.enabled", false); - user_pref("dom.push.serverURL", ""); - user_pref("dom.push.userAgentID", ""); - // ------------------------------------- - // Set a default permission for Notifications [FF58+] - // 0=always ask (default), 1=allow, 2=block - // [NOTE] Best left at default "always ask", fingerprintable via Permissions API - // [SETTING] to add site exceptions: Ctrl+I>Permissions>Receive Notifications - // [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings ***/ - // user_pref("permissions.default.desktop-notification", 2); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/ - // >>>>>>>>>>>>>>>>>>>>> - // Disable website control over browser right-click context menu - // [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/ - // user_pref("dom.event.contextmenu.enabled", false); - // ------------------------------------- - // Disable website access to clipboard events/content [SETUP-HARDEN] - // [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress - // This applies to onCut/onCopy/onPaste events - i.e. 
it requires interaction with the website - // [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one - // is default false) then enabling this pref can leak clipboard content - // https://bugzilla.mozilla.org/1528289 - user_pref("dom.event.clipboardevents.enabled", false); - // ------------------------------------- - // Disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] - // this disables document.execCommand("cut"/"copy") to protect your clipboard - // https://bugzilla.mozilla.org/1170911 ***/ - user_pref("dom.allow_cut_copy", false); - // ------------------------------------- - // Disable "Confirm you want to leave" dialog on page close - // Does not prevent JS leaks of the page close event. - // https://developer.mozilla.org/docs/Web/Events/beforeunload - // https://support.mozilla.org/questions/1043508 ***/ - user_pref("dom.disable_beforeunload", true); - // ------------------------------------- - // Disable shaking the screen ***/ - user_pref("dom.vibrator.enabled", false); - // ------------------------------------- - // Disable asm.js [FF22+] [SETUP-PERF] - // http://asmjs.org/ - // https://www.mozilla.org/security/advisories/mfsa2015-29/ - // https://www.mozilla.org/security/advisories/mfsa2015-50/ - // https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375 - // https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400 - // https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ - user_pref("javascript.options.asmjs", false); - // ------------------------------------- - // Disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN] - // [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new - // hidden pref is enabled, then Ion can still be used by extensions (1599226) - // [WARNING] Disabling Ion/JIT can cause some site issues and performance loss - // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/ - // 
user_pref("javascript.options.ion", false); - // user_pref("javascript.options.baselinejit", false); - // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF] - // ------------------------------------- - // Disable WebAssembly [FF52+] [SETUP-PERF] - // Vulnerabilities have increasingly been found, including those known and fixed - // in native programs years ago. WASM has powerful low-level access, making - // certain attacks (brute-force) and vulnerabilities more possible - // [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising - // https://developer.mozilla.org/docs/WebAssembly - // https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly - // https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/ - user_pref("javascript.options.wasm", false); - // ------------------------------------- - // Enable (limited but sufficient) window.opener protection [FF65+] - // Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ - user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // HARDWARE FINGERPRINTING ***/ - // >>>>>>>>>>>>>>>>>>>>> - // Disable Battery Status API - // Initially a Linux issue (high precision readout) that was fixed. - // However, it is still another metric for fingerprinting, used to raise entropy. - // e.g. 
do you have a battery or not, current charging status, charge level, times remaining etc - // [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code - // https://bugzilla.mozilla.org/1313580 ***/ - user_pref("dom.battery.enabled", false); - // ------------------------------------- - // Disable media device enumeration [FF29+] - // [NOTE] media.peerconnection.enabled should also be set to false - // https://wiki.mozilla.org/Media/getUserMedia - // https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices ***/ - user_pref("media.navigator.enabled", false); - // ------------------------------------- - // Disable hardware acceleration to reduce graphics fingerprinting [SETUP-HARDEN] - // [WARNING] Affects text rendering (fonts will look different), impacts video performance, - // and parts of Quantum that utilize the GPU will also be affected as they are rolled out - // [SETTING] General>Performance>Custom>Use hardware acceleration when available - // https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/ - // user_pref("gfx.direct2d.disabled", true); - // user_pref("layers.acceleration.disabled", true); - // ------------------------------------- - // Disable Web Audio API [FF51+] - // https://bugzilla.mozilla.org/1288359 ***/ - user_pref("dom.webaudio.enabled", false); - // ------------------------------------- - // Disable Media Capabilities API [FF63+] - // [WARNING] This *may* affect media performance if disabled, no one is sure - // https://github.com/WICG/media-capabilities - // https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/ - // user_pref("media.media-capabilities.enabled", false); - // ------------------------------------- - // Disable virtual reality devices - // Optional protection depending on your connected devices - // https://developer.mozilla.org/docs/Web/API/WebVR_API ***/ - // user_pref("dom.vr.enabled", false); - // ------------------------------------- - // Set a 
default permission for Virtual Reality [FF73+] - // 0=always ask (default), 1=allow, 2=block - // [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Virtual Reality Devices - // [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings ***/ - // user_pref("permissions.default.xr", 2); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // MISCELLANEOUS ***/ - // >>>>>>>>>>>>>>>>>>>>> - // Prevent accessibility services from accessing your browser [RESTART] - // [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower) - // https://support.mozilla.org/kb/accessibility-services ***/ - user_pref("accessibility.force_disabled", 1); - // ------------------------------------- - // Disable sending additional analytics to web servers - // https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/ - user_pref("beacon.enabled", false); - // ------------------------------------- - // Remove temp files opened with an external application - // https://bugzilla.mozilla.org/302433 ***/ - user_pref("browser.helperApps.deleteTempFileOnExit", true); - // ------------------------------------- - // Disable page thumbnail collection - user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF] - // ------------------------------------- - // Disable UITour backend so there is no chance that a remote page can use it ***/ - user_pref("browser.uitour.enabled", false); - user_pref("browser.uitour.url", ""); - // ------------------------------------- - // Disable various developer tools in browser context - // [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes - // https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/ - user_pref("devtools.chrome.enabled", false); - // 
------------------------------------- - // Reset remote debugging to disabled - // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/ - user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] - user_pref("devtools.webide.autoinstallADBHelper", false); - // ------------------------------------- - // Disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN] - // [TEST] https://arkenfox.github.io/TZP/tzp.html#misc - // https://bugzilla.mozilla.org/1173199 ***/ - // user_pref("mathml.disabled", true); - // ------------------------------------- - // Disable in-content SVG (Scalable Vector Graphics) [FF53+] - // [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile. - // https://bugzilla.mozilla.org/1216893 ***/ - // user_pref("svg.disabled", true); - // ------------------------------------- - // Disable middle mouse click opening links from clipboard - // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/ - user_pref("middlemouse.contentLoadURL", false); - // ------------------------------------- - // Disable websites overriding Firefox's keyboard shortcuts [FF58+] - // 0 (default) or 1=allow, 2=block - // [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/ - // user_pref("permissions.default.shortcuts", 2); - // ------------------------------------- - // Remove special permissions for certain mozilla domains [FF35+] - // resource://app/defaults/permissions ***/ - user_pref("permissions.manager.defaultsUrl", ""); - // ------------------------------------- - // Remove webchannel whitelist ***/ - user_pref("webchannel.allowObject.urlWhitelist", ""); - // ------------------------------------- - // Enforce Punycode for Internationalized Domain Names to eliminate possible spoofing - // Firefox has *some* protections, but it is better to be safe than sorry - // [SETUP-WEB] Might be undesirable for non-latin alphabet users 
since legitimate IDN's are also punycoded - // [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com) - // https://wiki.mozilla.org/IDN_Display_Algorithm - // https://en.wikipedia.org/wiki/IDN_homograph_attack - // CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/ - // https://www.xudongz.com/blog/2017/idn-phishing/ ***/ - user_pref("network.IDN_show_punycode", true); - // ------------------------------------- - // Enforce Firefox's built-in PDF reader [SETUP-CHROME] - // This setting controls if the option "Display in Firefox" is available in the setting below - // and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With") - // PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most) - // Exploits are rare (1 serious case in 4 yrs), treated seriously and patched quickly. - // It doesn't break "state separation" of browser content (by not sharing with OS, independent apps). - // It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk. 
- // CONS: You may prefer a different pdf reader for security reasons - // CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare) - // [SETTING] General>Applications>Portable Document Format (PDF) ***/ - user_pref("pdfjs.disabled", false); // [DEFAULT: false] - // ------------------------------------- - // Disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/ - user_pref("network.protocol-handler.external.ms-windows-store", false); - // ------------------------------------- - // Enforce no system colors; they can be fingerprinted - // [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ - user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] - // ------------------------------------- - // Disable permissions delegation [FF73+] - // Currently applies to cross-origin geolocation, camera, mic and screen-sharing - // permissions, and fullscreen requests. Disabling delegation means any prompts - // for these will show/use their correct 3rd party origin - // https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion - user_pref("permissions.delegation.enabled", false); - // ------------------------------------- - // Enable "window.name" protection [FF82+] - // If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original - // string is restored if the tab reverts back to the original page. 
This change prevents some cross-site attacks - // https://arkenfox.github.io/TZP/tests/windownamea.html - user_pref("privacy.window.name.update.enabled", true); - // ------------------------------------- - // Disable bypassing 3rd party extension install prompts [FF82+] - // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/ - user_pref("extensions.postDownloadThirdPartyPrompt", false); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // DOWNLOADS ***/ - // >>>>>>>>>>>>>>>>>>>>> - // Discourage downloading to desktop - // 0=desktop, 1=downloads (default), 2=last used - // [SETTING] To set your default "downloads": General>Downloads>Save files to ***/ - // user_pref("browser.download.folderList", 2); - // ------------------------------------- - // Enforce user interaction for security by always asking where to download - // [SETUP-CHROME] On Android this blocks longtapping and saving images - // [SETTING] General>Downloads>Always ask you where to save files ***/ - user_pref("browser.download.useDownloadDir", false); - // ------------------------------------- - // Disable adding downloads to the system's "recent documents" list ***/ - user_pref("browser.download.manager.addToRecentDocs", false); - // ------------------------------------- - // Disable "open with" in download dialog [FF50+] [SETUP-HARDEN] - // This is very useful to enable when the browser is sandboxed (e.g. via AppArmor) - // in such a way that it is forbidden to run external applications. 
- // [WARNING] This may interfere with some users' workflow or methods - // https://bugzilla.mozilla.org/1281959 ***/ - // user_pref("browser.download.forbid_open_with", true); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // EXTENSIONS ***/ - // >>>>>>>>>>>>>>>>>>>>> - // Lock down allowed extension directories - // [SETUP-CHROME] This will break extensions, language packs, themes and any other - // XPI files which are installed outside of profile and application directories - // https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/ - // archived: https://archive.is/DYjAM ***/ - user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF] - user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15] - // ------------------------------------- - // Disable webextension restrictions on certain mozilla domains [FF60+] - // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ - // user_pref("extensions.webextensions.restrictedDomains", ""); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // SECURITY ***/ - // >>>>>>>>>>>>>>>>>>>>> - // Enforce CSP (Content Security Policy) - // [WARNING] CSP is a very important and widespread security feature. Don't disable it! 
- // https://developer.mozilla.org/docs/Web/HTTP/CSP ***/ - user_pref("security.csp.enable", true); // [DEFAULT: true] - // ------------------------------------- - // Enforce a security delay on some confirmation dialogs such as install, open/save - // https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/ - user_pref("security.dialog_enable_delay", 700); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // PERSISTENT STORAGE - // >>>>>>>>>>>>>>>>>>>>> - // Disable 3rd-party cookies and site-data [SETUP-WEB] - // 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies, - // 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (default) - // [NOTE] You can set exceptions under site permissions or use an extension - // [NOTE] Enforcing category to custom ensures ETP related prefs are always honored - // [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/ - user_pref("network.cookie.cookieBehavior", 1); - user_pref("browser.contentblocking.category", "custom"); - // ------------------------------------- - // Set third-party cookies (i.e ALL) (if enabled) to session-only - // [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and - // .nonsecureSessionOnly=true. 
This allows you to keep HTTPS cookies, but session-only HTTP ones - // https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/ - user_pref("network.cookie.thirdparty.sessionOnly", true); - user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+] - // ------------------------------------- - // Delete cookies and site data on close - // 0=keep until they expire (default), 2=keep until you close Firefox - // [NOTE] The setting below is disabled (but not changed) if you block all cookies - // [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed ***/ - user_pref("network.cookie.lifetimePolicy", 2); - // ------------------------------------- - // Disable DOM (Document Object Model) Storage - // [WARNING] This will break a LOT of sites' functionality AND extensions! - // You are better off using an extension for more granular control ***/ - // user_pref("dom.storage.enabled", false); - // ------------------------------------- - // Enforce no offline cache storage (appCache) - // The API is easily fingerprinted, use the "storage" pref instead ***/ - // user_pref("browser.cache.offline.enable", false); - user_pref("browser.cache.offline.storage.enable", false); // [FF71+] [DEFAULT: false FF84+] - // ------------------------------------- - // Disable service worker cache and cache storage - // [NOTE] We clear service worker cache on exiting Firefox - // https://w3c.github.io/ServiceWorker/#privacy ***/ - // user_pref("dom.caches.enabled", false); - // ------------------------------------- - // Disable Storage API [FF51+] - // The API gives sites the ability to find out how much space they can use, how much - // they are already using, and even control whether or not they need to be alerted - // before the user agent disposes of site data in order to make room for other things. 
- // https://developer.mozilla.org/docs/Web/API/StorageManager - // https://developer.mozilla.org/docs/Web/API/Storage_API - // https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/ - // user_pref("dom.storageManager.enabled", false); - // ------------------------------------- - // Disable Storage Access API [FF65+] - // https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API ***/ - // user_pref("dom.storage_access.enabled", false); - // ------------------------------------- - // Enable Local Storage Next Generation (LSNG) [FF65+] ***/ - user_pref("dom.storage.next_gen", true); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // SHUTDOWN - // >>>>>>>>>>>>>>>>>>>>> - // Enable Firefox to clear items on shutdown - // [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/ - user_pref("privacy.sanitize.sanitizeOnShutdown", true); - // ------------------------------------- - // Set what items to clear on shutdown [SETUP-CHROME] - // [NOTE] If 'history' is true, downloads will also be cleared regardless of the value - // but if 'history' is false, downloads can still be cleared independently - // However, this may not always be the case. 
The interface combines and syncs these - // prefs when set from there, and the sanitize code may change at any time - // [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings ***/ - user_pref("privacy.clearOnShutdown.cache", true); - user_pref("privacy.clearOnShutdown.cookies", true); - user_pref("privacy.clearOnShutdown.downloads", true); // see note above - user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History - user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History - user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data - user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins - user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences - // ------------------------------------- - // Reset default items to clear with Ctrl-Shift-Del [SETUP-CHROME] - // This dialog can also be accessed from the menu History>Clear Recent History - // Firefox remembers your last choices. This will reset them when you start Firefox. 
- // [NOTE] Regardless of what you set privacy.cpd.downloads to, as soon as the dialog - // for "Clear Recent History" is opened, it is synced to the same as 'history' ***/ - user_pref("privacy.cpd.cache", true); - user_pref("privacy.cpd.cookies", true); - // user_pref("privacy.cpd.downloads", true); // not used, see note above - user_pref("privacy.cpd.formdata", true); // Form & Search History - user_pref("privacy.cpd.history", true); // Browsing & Download History - user_pref("privacy.cpd.offlineApps", true); // Offline Website Data - user_pref("privacy.cpd.passwords", false); // this is not listed - user_pref("privacy.cpd.sessions", true); // Active Logins - user_pref("privacy.cpd.siteSettings", false); // Site Preferences - // ------------------------------------- - // Clear Session Restore data when sanitizing on shutdown or manually [FF34+] - // [NOTE] Not needed if Session Restore is not used or is already cleared with history - // [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes - // [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/ - // user_pref("privacy.clearOnShutdown.openWindows", true); - // user_pref("privacy.cpd.openWindows", true); - // ------------------------------------- - // Reset default 'Time range to clear' for 'Clear Recent History' - // Firefox remembers your last choice. This will reset the value when you start Firefox. 
- // 0=everything, 1=last hour, 2=last two hours, 3=last four hours, - // 4=today, 5=last five minutes, 6=last twenty-four hours - // [NOTE] The values 5 + 6 are not listed in the dropdown, which will display a - // blank value if they are used, but they do work as advertised ***/ - user_pref("privacy.sanitize.timeSpan", 0); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // FPI (FIRST PARTY ISOLATION) - // >>>>>>>>>>>>>>>>>>>>> - // Enable First Party Isolation [FF51+] - // [SETUP-WEB] May break cross-domain logins and site functionality until perfected - // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/ - user_pref("privacy.firstparty.isolate", true); - // ------------------------------------- - // Enforce FPI restriction for window.opener [FF54+] - // [NOTE] Setting this to false may reduce the breakage - // FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But - // to reduce breakage it ignores the 1st-party domain (FPD) originAttribute - // The 2nd pref removes that limitation and will only allow communication if FPDs also match. - // https://bugzilla.mozilla.org/1319773#c22 - // https://bugzilla.mozilla.org/1492607 - // https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/ - // user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true] - // user_pref("privacy.firstparty.isolate.block_post_message", true); - // ------------------------------------- - // Enable scheme with FPI [FF78+] - // [NOTE] Experimental: existing data and site permissions are incompatible - // and some site exceptions may not work e.g. 
HTTPS-only mode ***/ - // user_pref("privacy.firstparty.isolate.use_site", true); - // ------------------------------------- - // Enable site partitioning (FF78+) - // https://bugzilla.mozilla.org/1590107 [META] */ - user_pref("privacy.partition.network_state", true); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // RFP (RESIST FINGERPRINTING) - // >>>>>>>>>>>>>>>>>>>>> - // Enable privacy.resistFingerprinting [FF41+] - // This pref is the master switch for all other privacy.resist* prefs unless stated - // [SETUP-WEB] RFP can cause the odd website to break in strange ways, and has a few side affects, - // but is largely robust nowadays. Give it a try. Your choice. - // https://bugzilla.mozilla.org/418986 ***/ - user_pref("privacy.resistFingerprinting", true); - // ------------------------------------- - // Set new window sizes to round to hundreds [FF55+] [SETUP-CHROME] - // Width will round down to multiples of 200s and height to 100s, to fit your screen. - // The override values are a starting point to round from if you want some control - // https://bugzilla.mozilla.org/1330882 ***/ - // user_pref("privacy.window.maxInnerWidth", 1000); - // user_pref("privacy.window.maxInnerHeight", 1000); - // ------------------------------------- - // Disable mozAddonManager Web API [FF57+] - // [NOTE] As a side-effect in FF57-59 this allowed extensions to work on AMO. 
In FF60+ you also need - // to sanitize or clear extensions.webextensions.restrictedDomains to keep that side-effect - // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ - user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF] - user_pref("extensions.webextensions.restrictedDomains", ""); - // ------------------------------------- - // Enable RFP letterboxing [FF67+] - // Dynamically resizes the inner window by applying margins in stepped ranges - // If you use the dimension pref, then it will only apply those resolutions. The format is - // "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900") - // [WARNING] The dimension pref is only meant for testing, and we recommend you DO NOT USE it - // https://bugzilla.mozilla.org/1407366 - // https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/ - // user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] - // user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF] - // ------------------------------------- - // Disable showing about:blank as soon as possible during startup [FF60+] - // When default true this no longer masks the RFP chrome resizing activity - // https://bugzilla.mozilla.org/1448423 ***/ - user_pref("browser.startup.blankWindow", false); - // ------------------------------------- - // Disable chrome animations [FF77+] [RESTART] - // [NOTE] pref added in FF63, but applied to chrome in FF77. RFP spoofs this for web content ***/ - user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // RFP ALTERNATIVES - // >>>>>>>>>>>>>>>>>>>>> - // Spoof (or limit?) number of CPU cores [FF48+] - // [NOTE] *may* affect core chrome/Firefox performance, will affect content. 
- // https://bugzilla.mozilla.org/1008453 - // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21675 - // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22127 - // https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency - // user_pref("dom.maxHardwareConcurrency", 2); - // ------------------------------------- - // Disable resource/navigation timing - user_pref("dom.enable_resource_timing", false); - // ------------------------------------- - // Disable timing attacks - // https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI - user_pref("dom.enable_performance", false); - // ------------------------------------- - // Disable device sensor API - // Optional protection depending on your device - // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15758 - // https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/ - // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751 - user_pref("device.sensors.enabled", false); - // ------------------------------------- - // Disable site specific zoom - // Zoom levels affect screen res and are highly fingerprintable. This does not stop you using - // zoom, it will just not use/remember any site specific settings. Zoom levels on new tabs - // and new windows are reset to default and only the current tab retains the current zoom - user_pref("browser.zoom.siteSpecific", false); - // ------------------------------------- - // Disable gamepad API - USB device ID enumeration - // Optional protection depending on your connected devices - // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13023 - user_pref("dom.gamepad.enabled", false); - // ------------------------------------- - // Disable giving away network info [FF31+] - // e.g. 
bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none - // https://developer.mozilla.org/docs/Web/API/Network_Information_API - // https://wicg.github.io/netinfo/ - // https://bugzilla.mozilla.org/960426 - user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android] - // ------------------------------------- - // Disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API - // https://developer.mozilla.org/docs/Web/API/Web_Speech_API - // https://developer.mozilla.org/docs/Web/API/SpeechSynthesis - // https://wiki.mozilla.org/HTML5_Speech_API - user_pref("media.webspeech.synth.enabled", false); - // ------------------------------------- - // Disable video statistics - JS performance fingerprinting [FF25+] - // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15757 - // https://bugzilla.mozilla.org/654550 - user_pref("media.video_stats.enabled", false); - // ------------------------------------- - // Disable touch events - // fingerprinting attack vector - leaks screen res & actual screen coordinates - // 0=disabled, 1=enabled, 2=autodetect - // Optional protection depending on your device - // https://developer.mozilla.org/docs/Web/API/Touch_events - // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10286 - user_pref("dom.w3c_touch_events.enabled", 0); - // ------------------------------------- - // Disable MediaDevices change detection [FF51+] - // https://developer.mozilla.org/docs/Web/Events/devicechange - // https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange - user_pref("media.ondevicechange.enabled", false); - // ------------------------------------- - // Disable WebGL debug info being available to websites - // https://bugzilla.mozilla.org/1171228 - // https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info - user_pref("webgl.enable-debug-renderer-info", false); - // ------------------------------------- - // Enforce prefers-reduced-motion as 
no-preference [FF63+] [RESTART] - // 0=no-preference, 1=reduce - user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] - // ------------------------------------- - // Disable PointerEvents [FF86 or lower] - // https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent - // https://bugzilla.mozilla.org/1688105 - user_pref("dom.w3c_pointer_events.enabled", false); - // ------------------------------------- - // Disable exposure of system colors to CSS or canvas [FF44+] - // [NOTE] See second listed bug: may cause black on black for elements with undefined colors - // [SETUP-CHROME] Might affect CSS in themes and extensions - // https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876 - user_pref("ui.use_standins_for_native_colors", true); - // ------------------------------------- - // Enforce prefers-color-scheme as light [FF67+] - // 0=light, 1=dark : This overrides your OS value - user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] - // ------------------------------------- - // Limit font visibility (non-ANDROID) [FF79+] - // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts - // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts - // [NOTE] Bundled fonts are auto-allowed - // https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc - user_pref("layout.css.font-visibility.level", 1); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // RFP ALTERNATIVES (NAVIGATOR / USER AGENT SPOOFING) - // >>>>>>>>>>>>>>>>>>>>> - // Navigator DOM object overrides - // [WARNING] DO NOT USE ***/ - // user_pref("general.appname.override", ""); // [HIDDEN PREF] - // user_pref("general.appversion.override", ""); // [HIDDEN PREF] - // user_pref("general.buildID.override", ""); // [HIDDEN PREF] - // user_pref("general.oscpu.override", ""); // [HIDDEN PREF] - // 
user_pref("general.platform.override", ""); // [HIDDEN PREF] - // user_pref("general.useragent.override", ""); // [HIDDEN PREF] - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // PERSONAL - // >>>>>>>>>>>>>>>>>>>>> - user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch - user_pref("startup.homepage_welcome_url", ""); - user_pref("startup.homepage_welcome_url.additional", ""); - user_pref("startup.homepage_override_url", ""); // What's New page after updates - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // WARNINGS ***/ - // >>>>>>>>>>>>>>>>>>>>> - user_pref("browser.tabs.warnOnClose", false); - user_pref("browser.tabs.warnOnCloseOtherTabs", false); - user_pref("browser.tabs.warnOnOpen", false); - user_pref("full-screen-api.warning.delay", 0); - user_pref("full-screen-api.warning.timeout", 0); - user_pref("browser.warnOnQuit", false); - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // APPEARANCE ***/ - // >>>>>>>>>>>>>>>>>>>>> - // user_pref("browser.download.autohideButton", false); // [FF57+] - // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // CONTENT BEHAVIOR ***/ - // >>>>>>>>>>>>>>>>>>>>> - user_pref("accessibility.typeaheadfind", false); // enable "Find As You Type" - user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX] - user_pref("layout.spellcheckDefault", 0); // 0=none, 1-multi-line, 2=multi-line & single-line - // - // 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // UX BEHAVIOR ***/ - // >>>>>>>>>>>>>>>>>>>>> - // user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing - // user_pref("browser.quitShortcut.disabled", true); // disable Ctrl-Q quit shortcut [LINUX] [MAC] [FF87+] - // user_pref("browser.tabs.closeWindowWithLastTab", false); - // user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+] - // user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+] - // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux] - // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART] - // user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under] - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // UX FEATURES: Disable and hide the icons and menus ***/ - // >>>>>>>>>>>>>>>>>>>>> - user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New [FF69+] - user_pref("messaging-system.rsexperimentloader.enabled", false); - user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+] - user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART] - user_pref("reader.parse-on-load.enabled", false); // Reader View - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // OTHER ***/ - // >>>>>>>>>>>>>>>>>>>>> - // user_pref("browser.bookmarks.max_backups", 2); - user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+] - 
user_pref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" ""); - // [SETTING] General>Browsing>Recommend extensions as you browse - user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+] - // [SETTING] General>Browsing>Recommend features as you browse - user_pref("network.manage-offline-status", false); // see bugzilla 620472 - // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) - // - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // DEPRECATED / REMOVED / LEGACY / RENAMED - // >>>>>>>>>>>>>>>>>>>>> - // FF79 - // Enforce fallback text encoding to match en-US - // When the content or server doesn't declare a charset the browser will - // fallback to the "Current locale" based on your application language - // [TEST] https://hsivonen.com/test/moz/check-charset.htm - // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025 - // https://bugzilla.mozilla.org/1603712 - user_pref("intl.charset.fallback.override", "windows-1252"); - // ------------------------------------- - // FF82 - // Disable geographically specific results/search engines e.g. "browser.search.*.US" - // i.e. 
ignore all of Mozilla's various search engines in multiple locales - // https://bugzilla.mozilla.org/1619926 - user_pref("browser.search.geoSpecificDefaults", false); - user_pref("browser.search.geoSpecificDefaults.url", ""); - // ------------------------------------- - // FF86 - // Disable SSL Error Reporting - // https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html - // https://bugzilla.mozilla.org/1681839 - user_pref("security.ssl.errorReporting.automatic", false); - user_pref("security.ssl.errorReporting.enabled", false); - user_pref("security.ssl.errorReporting.url", ""); - // ------------------------------------- - // Disable hiding mime types (Options>General>Applications) not associated with a plugin - // https://bugzilla.mozilla.org/1581678 - user_pref("browser.download.hide_plugins_without_extensions", false); - // ------------------------------------- - // FF87 - // Disable Activity Stream recent Highlights in the Library [FF57+] - // https://bugzilla.mozilla.org/1689405 - user_pref("browser.library.activity-stream.enabled", false); - // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - // \ No newline at end of file +// ------------------------------------- +// Disable widevine CDM (Content Decryption Module) +// [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV +user_pref("media.gmp-widevinecdm.enabled", false); +user_pref("media.gmp-manager.url", ""); +user_pref("media.gmp-manager.url.override", ""); +// ------------------------------------- +// Disable all DRM content (EME: Encryption Media Extension) +// [SETUP-WEB] e.g. 
Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV +// [SETTING] General>DRM Content>Play DRM-controlled content +// https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/ +user_pref("media.eme.enabled", false); +// +// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +// MEDIA / CAMERA / MIC ***/ +// >>>>>>>>>>>>>>>>>>>>> +// Disable WebRTC (Web Real-Time Communication) +// [SETUP-WEB] WebRTC can leak your IP address from behind your VPN, but if this is not +// in your threat model, and you want Real-Time Communication, this is the pref for you +// https://www.privacytools.io/#webrtc ***/ +user_pref("media.peerconnection.enabled", false); +// ------------------------------------- +// Limit WebRTC IP leaks if using WebRTC +// In FF70+ these settings match Mode 4 (Mode 3 in older versions) +// [TEST] https://browserleaks.com/webrtc +// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713 +// https://wiki.mozilla.org/Media/WebRTC/Privacy +// https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12#section-5.2 ***/ +user_pref("media.peerconnection.ice.default_address_only", true); +user_pref("media.peerconnection.ice.no_host", true); // [FF51+] +user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+] +user_pref("media.peerconnection.turn.disable", true); +user_pref("media.peerconnection.use_document_iceservers", false); +user_pref("media.peerconnection.video.enabled", false); +user_pref("media.peerconnection.identity.timeout", 1); +// ------------------------------------- +// Disable WebGL (Web Graphics Library) +// [SETUP-WEB] When disabled, may break some websites. When enabled, provides high entropy, +// especially with readPixels(). 
Some of the other entropy is lessened with RFP +// https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/ +// https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/ +user_pref("webgl.disabled", true); +user_pref("webgl.enable-webgl2", false); +// ------------------------------------- +// Limit WebGL ***/ +// user_pref("webgl.min_capability_mode", true); +user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] +// ------------------------------------- +// Disable screensharing ***/ +user_pref("media.getusermedia.screensharing.enabled", false); +user_pref("media.getusermedia.browser.enabled", false); +user_pref("media.getusermedia.audiocapture.enabled", false); +// ------------------------------------- +// Set a default permission for Camera/Microphone [FF58+] +// 0=always ask (default), 1=allow, 2=block +// [SETTING] to add site exceptions: Ctrl+I>Permissions>Use the Camera/Microphone +// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings ***/ +user_pref("permissions.default.camera", 2); +user_pref("permissions.default.microphone", 2); +// ------------------------------------- +// Disable autoplay of HTML5 media [FF63+] +// 0=Allow all, 1=Block non-muted media (default in FF67+), 2=Prompt (removed in FF66), 5=Block all (FF69+) +// [NOTE] You can set exceptions under site permissions +// [SETTING] Privacy & Security>Permissions>Autoplay>Settings>Default for all websites ***/ +// user_pref("media.autoplay.default", 5); +// ------------------------------------- +// Disable autoplay of HTML5 media if you interacted with the site [FF78+] +// 0=sticky (default), 1=transient, 2=user +// [NOTE] If you have trouble with some video sites, then add an exception +// https://support.mozilla.org/questions/1293231 ***/ +user_pref("media.autoplay.blocking_policy", 2); +// ------------------------------------- +// Pref : Disable showing 
avif images +// user_pref("image.avif.enabled", false); +// +// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +// WINDOW MEDDLING & LEAKS / POPUPS ***/ +// >>>>>>>>>>>>>>>>>>>>> +// Prevent scripts from moving and resizing open windows ***/ +user_pref("dom.disable_window_move_resize", true); +// ------------------------------------- +// Open links targeting new windows in a new tab instead +// This stops malicious window sizes and some screen resolution leaks. +// You can still right-click a link and open in a new window. +// [TEST] https://arkenfox.github.io/TZP/tzp.html#screen +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ +user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab +user_pref("browser.link.open_newwindow.restriction", 0); +// ------------------------------------- +// Disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks +// [NOTE] You can still manually toggle the browser's fullscreen state (F11), +// but this pref will disable embedded video/game fullscreen controls, e.g. 
youtube +// [TEST] https://arkenfox.github.io/TZP/tzp.html#screen ***/ +// user_pref("full-screen-api.enabled", false); +// ------------------------------------- +// Block popup windows +// [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ +user_pref("dom.disable_open_during_load", true); +// ------------------------------------- +// Limit events that can cause a popup [SETUP-WEB] +// default FF86+: "change click dblclick auxclick mousedown mouseup pointerdown pointerup notificationclick reset submit touchend contextmenu" ***/ +user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); +// +// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +// WEB WORKERS +// >>>>>>>>>>>>>>>>>>>>> +// Disable service workers [FF32, FF44-compat] +// Service workers essentially act as proxy servers that sit between web apps, and the +// browser and network, are event driven, and can control the web page/site it is associated +// with, intercepting and modifying navigation and resource requests, and caching resources. +// [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode. +// [NOTE] Service workers only run over HTTPS. Service workers have no DOM access. +// [SETUP-WEB] Disabling service workers will break some sites. This pref is required true for +// service worker notifications, push notifications and service worker +// cache. 
If you enable this pref, then check those settings as well ***/ +user_pref("dom.serviceWorkers.enabled", false); +// ------------------------------------- +// Disable Web Notifications +// [NOTE] Web Notifications can also use service workers and are behind a prompt +// https://developer.mozilla.org/docs/Web/API/Notifications_API ***/ +user_pref("dom.webnotifications.enabled", false); // [FF22+] +// user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+] +// ------------------------------------- +// Disable Push Notifications [FF44+] +// Push is an API that allows websites to send you (subscribed) messages even when the site +// isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server. +// [NOTE] Push requires service workers to subscribe to and display, and is behind +// a prompt. Disabling service workers alone doesn't stop Firefox polling the +// Mozilla Push Server. To remove all subscriptions, reset your userAgentID (in about:config +// or on start), and you will get a new one within a few seconds. 
+// https://support.mozilla.org/en-US/kb/push-notifications-firefox +// https://developer.mozilla.org/en-US/docs/Web/API/Push_API ***/ +user_pref("dom.push.enabled", false); +user_pref("dom.push.connection.enabled", false); +user_pref("dom.push.serverURL", ""); +user_pref("dom.push.userAgentID", ""); +// ------------------------------------- +// Set a default permission for Notifications [FF58+] +// 0=always ask (default), 1=allow, 2=block +// [NOTE] Best left at default "always ask", fingerprintable via Permissions API +// [SETTING] to add site exceptions: Ctrl+I>Permissions>Receive Notifications +// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings ***/ +// user_pref("permissions.default.desktop-notification", 2); +// +// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +// DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/ +// >>>>>>>>>>>>>>>>>>>>> +// Disable website control over browser right-click context menu +// [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/ +// user_pref("dom.event.contextmenu.enabled", false); +// ------------------------------------- +// Disable website access to clipboard events/content [SETUP-HARDEN] +// [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress +// This applies to onCut/onCopy/onPaste events - i.e. 
it requires interaction with the website
+// [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one
+// is default false) then enabling this pref can leak clipboard content
+// https://bugzilla.mozilla.org/1528289
+user_pref("dom.event.clipboardevents.enabled", false);
+// -------------------------------------
+// Disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
+// this disables document.execCommand("cut"/"copy") to protect your clipboard
+// https://bugzilla.mozilla.org/1170911 ***/
+user_pref("dom.allow_cut_copy", false);
+// -------------------------------------
+// Disable "Confirm you want to leave" dialog on page close
+// Does not prevent JS leaks of the page close event.
+// https://developer.mozilla.org/docs/Web/Events/beforeunload
+// https://support.mozilla.org/questions/1043508 ***/
+user_pref("dom.disable_beforeunload", true);
+// -------------------------------------
+// Disable shaking the screen ***/
+user_pref("dom.vibrator.enabled", false);
+// -------------------------------------
+// Disable asm.js [FF22+] [SETUP-PERF]
+// http://asmjs.org/
+// https://www.mozilla.org/security/advisories/mfsa2015-29/
+// https://www.mozilla.org/security/advisories/mfsa2015-50/
+// https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
+// https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
+// https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
+user_pref("javascript.options.asmjs", false);
+// -------------------------------------
+// Disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN]
+// [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
+// hidden pref is enabled, then Ion can still be used by extensions (1599226)
+// [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
+// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
+// user_pref("javascript.options.ion", false);
+// user_pref("javascript.options.baselinejit", false);
+// user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]
+// -------------------------------------
+// Disable WebAssembly [FF52+] [SETUP-PERF]
+// Vulnerabilities have increasingly been found, including those known and fixed
+// in native programs years ago. WASM has powerful low-level access, making
+// certain attacks (brute-force) and vulnerabilities more possible
+// [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising
+// https://developer.mozilla.org/docs/WebAssembly
+// https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
+// https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
+user_pref("javascript.options.wasm", false);
+// -------------------------------------
+// Enable (limited but sufficient) window.opener protection [FF65+]
+// Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/
+user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+]
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// HARDWARE FINGERPRINTING ***/
+// >>>>>>>>>>>>>>>>>>>>>
+// Disable Battery Status API
+// Initially a Linux issue (high precision readout) that was fixed.
+// However, it is still another metric for fingerprinting, used to raise entropy.
+// e.g. do you have a battery or not, current charging status, charge level, times remaining etc
+// [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code
+// https://bugzilla.mozilla.org/1313580 ***/
+user_pref("dom.battery.enabled", false);
+// -------------------------------------
+// Disable media device enumeration [FF29+]
+// [NOTE] media.peerconnection.enabled should also be set to false
+// https://wiki.mozilla.org/Media/getUserMedia
+// https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices ***/
+user_pref("media.navigator.enabled", false);
+// -------------------------------------
+// Disable hardware acceleration to reduce graphics fingerprinting [SETUP-HARDEN]
+// [WARNING] Affects text rendering (fonts will look different), impacts video performance,
+// and parts of Quantum that utilize the GPU will also be affected as they are rolled out
+// [SETTING] General>Performance>Custom>Use hardware acceleration when available
+// https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/
+// user_pref("gfx.direct2d.disabled", true);
+// user_pref("layers.acceleration.disabled", true);
+// -------------------------------------
+// Disable Web Audio API [FF51+]
+// https://bugzilla.mozilla.org/1288359 ***/
+user_pref("dom.webaudio.enabled", false);
+// -------------------------------------
+// Disable Media Capabilities API [FF63+]
+// [WARNING] This *may* affect media performance if disabled, no one is sure
+// https://github.com/WICG/media-capabilities
+// https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/
+// user_pref("media.media-capabilities.enabled", false);
+// -------------------------------------
+// Disable virtual reality devices
+// Optional protection depending on your connected devices
+// https://developer.mozilla.org/docs/Web/API/WebVR_API ***/
+// user_pref("dom.vr.enabled", false);
+// -------------------------------------
+// Set a default permission for Virtual Reality [FF73+]
+// 0=always ask (default), 1=allow, 2=block
+// [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Virtual Reality Devices
+// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings ***/
+// user_pref("permissions.default.xr", 2);
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// MISCELLANEOUS ***/
+// >>>>>>>>>>>>>>>>>>>>>
+// Prevent accessibility services from accessing your browser [RESTART]
+// [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower)
+// https://support.mozilla.org/kb/accessibility-services ***/
+user_pref("accessibility.force_disabled", 1);
+// -------------------------------------
+// Disable sending additional analytics to web servers
+// https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/
+user_pref("beacon.enabled", false);
+// -------------------------------------
+// Remove temp files opened with an external application
+// https://bugzilla.mozilla.org/302433 ***/
+user_pref("browser.helperApps.deleteTempFileOnExit", true);
+// -------------------------------------
+// Disable page thumbnail collection
+user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF]
+// -------------------------------------
+// Disable UITour backend so there is no chance that a remote page can use it ***/
+user_pref("browser.uitour.enabled", false);
+user_pref("browser.uitour.url", "");
+// -------------------------------------
+// Disable various developer tools in browser context
+// [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
+// https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/
+user_pref("devtools.chrome.enabled", false);
+// -------------------------------------
+// Reset remote debugging to disabled
+// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/
+user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false]
+user_pref("devtools.webide.autoinstallADBHelper", false);
+// -------------------------------------
+// Disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
+// [TEST] https://arkenfox.github.io/TZP/tzp.html#misc
+// https://bugzilla.mozilla.org/1173199 ***/
+// user_pref("mathml.disabled", true);
+// -------------------------------------
+// Disable in-content SVG (Scalable Vector Graphics) [FF53+]
+// [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
+// https://bugzilla.mozilla.org/1216893 ***/
+// user_pref("svg.disabled", true);
+// -------------------------------------
+// Disable middle mouse click opening links from clipboard
+// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/
+user_pref("middlemouse.contentLoadURL", false);
+// -------------------------------------
+// Disable websites overriding Firefox's keyboard shortcuts [FF58+]
+// 0 (default) or 1=allow, 2=block
+// [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/
+// user_pref("permissions.default.shortcuts", 2);
+// -------------------------------------
+// Remove special permissions for certain mozilla domains [FF35+]
+// resource://app/defaults/permissions ***/
+user_pref("permissions.manager.defaultsUrl", "");
+// -------------------------------------
+// Remove webchannel whitelist ***/
+user_pref("webchannel.allowObject.urlWhitelist", "");
+// -------------------------------------
+// Enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
+// Firefox has *some* protections, but it is better to be safe than sorry
+// [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded
+// [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
+// https://wiki.mozilla.org/IDN_Display_Algorithm
+// https://en.wikipedia.org/wiki/IDN_homograph_attack
+// CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
+// https://www.xudongz.com/blog/2017/idn-phishing/ ***/
+user_pref("network.IDN_show_punycode", true);
+// -------------------------------------
+// Enforce Firefox's built-in PDF reader [SETUP-CHROME]
+// This setting controls if the option "Display in Firefox" is available in the setting below
+// and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
+// PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
+// Exploits are rare (1 serious case in 4 yrs), treated seriously and patched quickly.
+// It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
+// It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
+// CONS: You may prefer a different pdf reader for security reasons
+// CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare)
+// [SETTING] General>Applications>Portable Document Format (PDF) ***/
+user_pref("pdfjs.disabled", false); // [DEFAULT: false]
+// -------------------------------------
+// Disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/
+user_pref("network.protocol-handler.external.ms-windows-store", false);
+// -------------------------------------
+// Enforce no system colors; they can be fingerprinted
+// [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/
+user_pref("browser.display.use_system_colors", false); // [DEFAULT: false]
+// -------------------------------------
+// Disable permissions delegation [FF73+]
+// Currently applies to cross-origin geolocation, camera, mic and screen-sharing
+// permissions, and fullscreen requests. Disabling delegation means any prompts
+// for these will show/use their correct 3rd party origin
+// https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion
+user_pref("permissions.delegation.enabled", false);
+// -------------------------------------
+// Enable "window.name" protection [FF82+]
+// If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original
+// string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks
+// https://arkenfox.github.io/TZP/tests/windownamea.html
+user_pref("privacy.window.name.update.enabled", true);
+// -------------------------------------
+// Disable bypassing 3rd party extension install prompts [FF82+]
+// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/
+user_pref("extensions.postDownloadThirdPartyPrompt", false);
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// DOWNLOADS ***/
+// >>>>>>>>>>>>>>>>>>>>>
+// Discourage downloading to desktop
+// 0=desktop, 1=downloads (default), 2=last used
+// [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
+// user_pref("browser.download.folderList", 2);
+// -------------------------------------
+// Enforce user interaction for security by always asking where to download
+// [SETUP-CHROME] On Android this blocks longtapping and saving images
+// [SETTING] General>Downloads>Always ask you where to save files ***/
+user_pref("browser.download.useDownloadDir", false);
+// -------------------------------------
+// Disable adding downloads to the system's "recent documents" list ***/
+user_pref("browser.download.manager.addToRecentDocs", false);
+// -------------------------------------
+// Disable "open with" in download dialog [FF50+] [SETUP-HARDEN]
+// This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
+// in such a way that it is forbidden to run external applications.
+// [WARNING] This may interfere with some users' workflow or methods
+// https://bugzilla.mozilla.org/1281959 ***/
+// user_pref("browser.download.forbid_open_with", true);
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// EXTENSIONS ***/
+// >>>>>>>>>>>>>>>>>>>>>
+// Lock down allowed extension directories
+// [SETUP-CHROME] This will break extensions, language packs, themes and any other
+// XPI files which are installed outside of profile and application directories
+// https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
+// archived: https://archive.is/DYjAM ***/
+user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF]
+user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
+// -------------------------------------
+// Disable webextension restrictions on certain mozilla domains [FF60+]
+// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
+// user_pref("extensions.webextensions.restrictedDomains", "");
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// SECURITY ***/
+// >>>>>>>>>>>>>>>>>>>>>
+// Enforce CSP (Content Security Policy)
+// [WARNING] CSP is a very important and widespread security feature. Don't disable it!
+// https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
+user_pref("security.csp.enable", true); // [DEFAULT: true]
+// -------------------------------------
+// Enforce a security delay on some confirmation dialogs such as install, open/save
+// https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
+user_pref("security.dialog_enable_delay", 700);
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// PERSISTENT STORAGE
+// >>>>>>>>>>>>>>>>>>>>>
+// Disable 3rd-party cookies and site-data [SETUP-WEB]
+// 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies,
+// 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (default)
+// [NOTE] You can set exceptions under site permissions or use an extension
+// [NOTE] Enforcing category to custom ensures ETP related prefs are always honored
+// [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/
+user_pref("network.cookie.cookieBehavior", 1);
+user_pref("browser.contentblocking.category", "custom");
+// -------------------------------------
+// Set third-party cookies (i.e ALL) (if enabled) to session-only
+// [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
+// .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
+// https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/
+user_pref("network.cookie.thirdparty.sessionOnly", true);
+user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
+// -------------------------------------
+// Delete cookies and site data on close
+// 0=keep until they expire (default), 2=keep until you close Firefox
+// [NOTE] The setting below is disabled (but not changed) if you block all cookies
+// [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed ***/
+user_pref("network.cookie.lifetimePolicy", 2);
+// -------------------------------------
+// Disable DOM (Document Object Model) Storage
+// [WARNING] This will break a LOT of sites' functionality AND extensions!
+// You are better off using an extension for more granular control ***/
+// user_pref("dom.storage.enabled", false);
+// -------------------------------------
+// Enforce no offline cache storage (appCache)
+// The API is easily fingerprinted, use the "storage" pref instead ***/
+// user_pref("browser.cache.offline.enable", false);
+user_pref("browser.cache.offline.storage.enable", false); // [FF71+] [DEFAULT: false FF84+]
+// -------------------------------------
+// Disable service worker cache and cache storage
+// [NOTE] We clear service worker cache on exiting Firefox
+// https://w3c.github.io/ServiceWorker/#privacy ***/
+// user_pref("dom.caches.enabled", false);
+// -------------------------------------
+// Disable Storage API [FF51+]
+// The API gives sites the ability to find out how much space they can use, how much
+// they are already using, and even control whether or not they need to be alerted
+// before the user agent disposes of site data in order to make room for other things.
+// https://developer.mozilla.org/docs/Web/API/StorageManager
+// https://developer.mozilla.org/docs/Web/API/Storage_API
+// https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/
+// user_pref("dom.storageManager.enabled", false);
+// -------------------------------------
+// Disable Storage Access API [FF65+]
+// https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API ***/
+// user_pref("dom.storage_access.enabled", false);
+// -------------------------------------
+// Enable Local Storage Next Generation (LSNG) [FF65+] ***/
+user_pref("dom.storage.next_gen", true);
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// SHUTDOWN
+// >>>>>>>>>>>>>>>>>>>>>
+// Enable Firefox to clear items on shutdown
+// [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/
+user_pref("privacy.sanitize.sanitizeOnShutdown", true);
+// -------------------------------------
+// Set what items to clear on shutdown [SETUP-CHROME]
+// [NOTE] If 'history' is true, downloads will also be cleared regardless of the value
+// but if 'history' is false, downloads can still be cleared independently
+// However, this may not always be the case. The interface combines and syncs these
+// prefs when set from there, and the sanitize code may change at any time
+// [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings ***/
+user_pref("privacy.clearOnShutdown.cache", true);
+user_pref("privacy.clearOnShutdown.cookies", true);
+user_pref("privacy.clearOnShutdown.downloads", true); // see note above
+user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History
+user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History
+user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data
+user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins
+user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences
+// -------------------------------------
+// Reset default items to clear with Ctrl-Shift-Del [SETUP-CHROME]
+// This dialog can also be accessed from the menu History>Clear Recent History
+// Firefox remembers your last choices. This will reset them when you start Firefox.
+// [NOTE] Regardless of what you set privacy.cpd.downloads to, as soon as the dialog
+// for "Clear Recent History" is opened, it is synced to the same as 'history' ***/
+user_pref("privacy.cpd.cache", true);
+user_pref("privacy.cpd.cookies", true);
+// user_pref("privacy.cpd.downloads", true); // not used, see note above
+user_pref("privacy.cpd.formdata", true); // Form & Search History
+user_pref("privacy.cpd.history", true); // Browsing & Download History
+user_pref("privacy.cpd.offlineApps", true); // Offline Website Data
+user_pref("privacy.cpd.passwords", false); // this is not listed
+user_pref("privacy.cpd.sessions", true); // Active Logins
+user_pref("privacy.cpd.siteSettings", false); // Site Preferences
+// -------------------------------------
+// Clear Session Restore data when sanitizing on shutdown or manually [FF34+]
+// [NOTE] Not needed if Session Restore is not used or is already cleared with history
+// [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes
+// [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/
+// user_pref("privacy.clearOnShutdown.openWindows", true);
+// user_pref("privacy.cpd.openWindows", true);
+// -------------------------------------
+// Reset default 'Time range to clear' for 'Clear Recent History'
+// Firefox remembers your last choice. This will reset the value when you start Firefox.
+// 0=everything, 1=last hour, 2=last two hours, 3=last four hours,
+// 4=today, 5=last five minutes, 6=last twenty-four hours
+// [NOTE] The values 5 + 6 are not listed in the dropdown, which will display a
+// blank value if they are used, but they do work as advertised ***/
+user_pref("privacy.sanitize.timeSpan", 0);
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// FPI (FIRST PARTY ISOLATION)
+// >>>>>>>>>>>>>>>>>>>>>
+// Enable First Party Isolation [FF51+]
+// [SETUP-WEB] May break cross-domain logins and site functionality until perfected
+// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/
+user_pref("privacy.firstparty.isolate", true);
+// -------------------------------------
+// Enforce FPI restriction for window.opener [FF54+]
+// [NOTE] Setting this to false may reduce the breakage
+// FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But
+// to reduce breakage it ignores the 1st-party domain (FPD) originAttribute
+// The 2nd pref removes that limitation and will only allow communication if FPDs also match.
+// https://bugzilla.mozilla.org/1319773#c22
+// https://bugzilla.mozilla.org/1492607
+// https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/
+// user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
+// user_pref("privacy.firstparty.isolate.block_post_message", true);
+// -------------------------------------
+// Enable scheme with FPI [FF78+]
+// [NOTE] Experimental: existing data and site permissions are incompatible
+// and some site exceptions may not work e.g. HTTPS-only mode ***/
+// user_pref("privacy.firstparty.isolate.use_site", true);
+// -------------------------------------
+// Enable site partitioning (FF78+)
+// https://bugzilla.mozilla.org/1590107 [META] */
+user_pref("privacy.partition.network_state", true);
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// RFP (RESIST FINGERPRINTING)
+// >>>>>>>>>>>>>>>>>>>>>
+// Enable privacy.resistFingerprinting [FF41+]
+// This pref is the master switch for all other privacy.resist* prefs unless stated
+// [SETUP-WEB] RFP can cause the odd website to break in strange ways, and has a few side affects,
+// but is largely robust nowadays. Give it a try. Your choice.
+// https://bugzilla.mozilla.org/418986 ***/
+user_pref("privacy.resistFingerprinting", true);
+// -------------------------------------
+// Set new window sizes to round to hundreds [FF55+] [SETUP-CHROME]
+// Width will round down to multiples of 200s and height to 100s, to fit your screen.
+// The override values are a starting point to round from if you want some control
+// https://bugzilla.mozilla.org/1330882 ***/
+// user_pref("privacy.window.maxInnerWidth", 1000);
+// user_pref("privacy.window.maxInnerHeight", 1000);
+// -------------------------------------
+// Disable mozAddonManager Web API [FF57+]
+// [NOTE] As a side-effect in FF57-59 this allowed extensions to work on AMO. In FF60+ you also need
+// to sanitize or clear extensions.webextensions.restrictedDomains to keep that side-effect
+// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
+user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF]
+user_pref("extensions.webextensions.restrictedDomains", "");
+// -------------------------------------
+// Enable RFP letterboxing [FF67+]
+// Dynamically resizes the inner window by applying margins in stepped ranges
+// If you use the dimension pref, then it will only apply those resolutions. The format is
+// "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900")
+// [WARNING] The dimension pref is only meant for testing, and we recommend you DO NOT USE it
+// https://bugzilla.mozilla.org/1407366
+// https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/
+// user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
+// user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF]
+// -------------------------------------
+// Disable showing about:blank as soon as possible during startup [FF60+]
+// When default true this no longer masks the RFP chrome resizing activity
+// https://bugzilla.mozilla.org/1448423 ***/
+user_pref("browser.startup.blankWindow", false);
+// -------------------------------------
+// Disable chrome animations [FF77+] [RESTART]
+// [NOTE] pref added in FF63, but applied to chrome in FF77. RFP spoofs this for web content ***/
+user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF]
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// RFP ALTERNATIVES
+// >>>>>>>>>>>>>>>>>>>>>
+// Spoof (or limit?) number of CPU cores [FF48+]
+// [NOTE] *may* affect core chrome/Firefox performance, will affect content.
+// https://bugzilla.mozilla.org/1008453
+// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21675
+// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22127
+// https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency
+// user_pref("dom.maxHardwareConcurrency", 2);
+// -------------------------------------
+// Disable resource/navigation timing
+user_pref("dom.enable_resource_timing", false);
+// -------------------------------------
+// Disable timing attacks
+// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
+user_pref("dom.enable_performance", false);
+// -------------------------------------
+// Disable device sensor API
+// Optional protection depending on your device
+// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15758
+// https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
+// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751
+user_pref("device.sensors.enabled", false);
+// -------------------------------------
+// Disable site specific zoom
+// Zoom levels affect screen res and are highly fingerprintable. This does not stop you using
+// zoom, it will just not use/remember any site specific settings. Zoom levels on new tabs
+// and new windows are reset to default and only the current tab retains the current zoom
+user_pref("browser.zoom.siteSpecific", false);
+// -------------------------------------
+// Disable gamepad API - USB device ID enumeration
+// Optional protection depending on your connected devices
+// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13023
+user_pref("dom.gamepad.enabled", false);
+// -------------------------------------
+// Disable giving away network info [FF31+]
+// e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
+// https://developer.mozilla.org/docs/Web/API/Network_Information_API
+// https://wicg.github.io/netinfo/
+// https://bugzilla.mozilla.org/960426
+user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android]
+// -------------------------------------
+// Disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API
+// https://developer.mozilla.org/docs/Web/API/Web_Speech_API
+// https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
+// https://wiki.mozilla.org/HTML5_Speech_API
+user_pref("media.webspeech.synth.enabled", false);
+// -------------------------------------
+// Disable video statistics - JS performance fingerprinting [FF25+]
+// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15757
+// https://bugzilla.mozilla.org/654550
+user_pref("media.video_stats.enabled", false);
+// -------------------------------------
+// Disable touch events
+// fingerprinting attack vector - leaks screen res & actual screen coordinates
+// 0=disabled, 1=enabled, 2=autodetect
+// Optional protection depending on your device
+// https://developer.mozilla.org/docs/Web/API/Touch_events
+// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10286
+user_pref("dom.w3c_touch_events.enabled", 0);
+// -------------------------------------
+// Disable MediaDevices change detection [FF51+]
+// https://developer.mozilla.org/docs/Web/Events/devicechange
+// https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange
+user_pref("media.ondevicechange.enabled", false);
+// -------------------------------------
+// Disable WebGL debug info being available to websites
+// https://bugzilla.mozilla.org/1171228
+// https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info
+user_pref("webgl.enable-debug-renderer-info", false);
+// -------------------------------------
+// Enforce prefers-reduced-motion as no-preference [FF63+] [RESTART]
+// 0=no-preference, 1=reduce
+user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF]
+// -------------------------------------
+// Disable PointerEvents [FF86 or lower]
+// https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent
+// https://bugzilla.mozilla.org/1688105
+user_pref("dom.w3c_pointer_events.enabled", false);
+// -------------------------------------
+// Disable exposure of system colors to CSS or canvas [FF44+]
+// [NOTE] See second listed bug: may cause black on black for elements with undefined colors
+// [SETUP-CHROME] Might affect CSS in themes and extensions
+// https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876
+user_pref("ui.use_standins_for_native_colors", true);
+// -------------------------------------
+// Enforce prefers-color-scheme as light [FF67+]
+// 0=light, 1=dark : This overrides your OS value
+user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
+// -------------------------------------
+// Limit font visibility (non-ANDROID) [FF79+]
+// Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts
+// 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
+// [NOTE] Bundled fonts are auto-allowed
+// https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc
+user_pref("layout.css.font-visibility.level", 1);
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// RFP ALTERNATIVES (NAVIGATOR / USER AGENT SPOOFING)
+// >>>>>>>>>>>>>>>>>>>>>
+// Navigator DOM object overrides
+// [WARNING] DO NOT USE ***/
+// user_pref("general.appname.override", ""); // [HIDDEN PREF]
+// user_pref("general.appversion.override", ""); // [HIDDEN PREF]
+// user_pref("general.buildID.override", ""); // [HIDDEN PREF]
+// user_pref("general.oscpu.override", ""); // [HIDDEN PREF]
+// user_pref("general.platform.override", ""); // [HIDDEN PREF]
+// user_pref("general.useragent.override", ""); // [HIDDEN PREF]
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// PERSONAL
+// >>>>>>>>>>>>>>>>>>>>>
+user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
+user_pref("startup.homepage_welcome_url", "");
+user_pref("startup.homepage_welcome_url.additional", "");
+user_pref("startup.homepage_override_url", ""); // What's New page after updates
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// WARNINGS ***/
+// >>>>>>>>>>>>>>>>>>>>>
+user_pref("browser.tabs.warnOnClose", false);
+user_pref("browser.tabs.warnOnCloseOtherTabs", false);
+user_pref("browser.tabs.warnOnOpen", false);
+user_pref("full-screen-api.warning.delay", 0);
+user_pref("full-screen-api.warning.timeout", 0);
+user_pref("browser.warnOnQuit", false);
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// APPEARANCE ***/
+// >>>>>>>>>>>>>>>>>>>>>
+// user_pref("browser.download.autohideButton", false); // [FF57+]
+// user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// CONTENT BEHAVIOR ***/
+// >>>>>>>>>>>>>>>>>>>>>
+user_pref("accessibility.typeaheadfind", false); // enable "Find As You Type"
+user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX]
+user_pref("layout.spellcheckDefault", 0); // 0=none, 1-multi-line, 2=multi-line & single-line
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// UX BEHAVIOR ***/
+// >>>>>>>>>>>>>>>>>>>>>
+// user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing
+// user_pref("browser.quitShortcut.disabled", true); // disable Ctrl-Q quit shortcut [LINUX] [MAC] [FF87+]
+// user_pref("browser.tabs.closeWindowWithLastTab", false);
+// user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+]
+// user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+]
+// user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux]
+// user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
+// user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under]
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// UX FEATURES: Disable and hide the icons and menus ***/
+// >>>>>>>>>>>>>>>>>>>>>
+user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New [FF69+]
+user_pref("messaging-system.rsexperimentloader.enabled", false);
+user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
+user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART]
+user_pref("reader.parse-on-load.enabled", false); // Reader View
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// OTHER ***/
+// >>>>>>>>>>>>>>>>>>>>>
+// user_pref("browser.bookmarks.max_backups", 2);
+user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+]
+user_pref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" "");
+// [SETTING] General>Browsing>Recommend extensions as you browse
+user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+]
+// [SETTING] General>Browsing>Recommend features as you browse
+user_pref("network.manage-offline-status", false); // see bugzilla 620472
+// user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// DEPRECATED / REMOVED / LEGACY / RENAMED
+// >>>>>>>>>>>>>>>>>>>>>
+// FF79
+// Enforce fallback text encoding to match en-US
+// When the content or server doesn't declare a charset the browser will
+// fallback to the "Current locale" based on your application language
+// [TEST] https://hsivonen.com/test/moz/check-charset.htm
+// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025
+// https://bugzilla.mozilla.org/1603712
+user_pref("intl.charset.fallback.override", "windows-1252");
+// -------------------------------------
+// FF82
+// Disable geographically specific results/search engines e.g. "browser.search.*.US"
+// i.e. ignore all of Mozilla's various search engines in multiple locales
+// https://bugzilla.mozilla.org/1619926
+user_pref("browser.search.geoSpecificDefaults", false);
+user_pref("browser.search.geoSpecificDefaults.url", "");
+// -------------------------------------
+// FF86
+// Disable SSL Error Reporting
+// https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html
+// https://bugzilla.mozilla.org/1681839
+user_pref("security.ssl.errorReporting.automatic", false);
+user_pref("security.ssl.errorReporting.enabled", false);
+user_pref("security.ssl.errorReporting.url", "");
+// -------------------------------------
+// Disable hiding mime types (Options>General>Applications) not associated with a plugin
+// https://bugzilla.mozilla.org/1581678
+user_pref("browser.download.hide_plugins_without_extensions", false);
+// -------------------------------------
+// FF87
+// Disable Activity Stream recent Highlights in the Library [FF57+]
+// https://bugzilla.mozilla.org/1689405
+user_pref("browser.library.activity-stream.enabled", false);
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+//
\ No newline at end of file