diff --git a/user.js b/user.js index d3e51f2..2e5efc5 100644 --- a/user.js +++ b/user.js @@ -119,6 +119,7 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // https://bugzilla.mozilla.org/show_bug.cgi?id=1617783 user_pref("browser.aboutwelcome.enabled", false); // [DESKTOP] user_pref("browser.aboutwelcome.log", ""); // [DESKTOP] +user_pref("trailhead.firstrun.branches", ""); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Quiet Fox @@ -127,12 +128,11 @@ user_pref("browser.aboutwelcome.log", ""); // [DESKTOP] // true=application updates are installed without user approval. // false=application updates are downloaded but the user can choose when to install the update. user_pref("app.update.auto", false); // [DESKTOP] -user_pref("app.update.autodownload", "never"); // [FENNEC] +user_pref("app.update.autodownload", "never"); // [FENIX] user_pref("app.update.channel", ""); -user_pref("app.update.url", ""); // [DESKTOP] user_pref("app.update.url.details", ""); // [DESKTOP] user_pref("app.update.url.manual", ""); // [DESKTOP] -user_pref("app.update.url.android", ""); // [FENNEC] +user_pref("app.update.url.android", ""); // [FENIX] user_pref("app.update.staging.enabled", false); // [DESKTOP] user_pref("app.update.log.file", false); // [DESKTOP] // ------------------------------------- @@ -325,6 +325,7 @@ user_pref("toolkit.telemetry.geckoview.streaming", false); user_pref("toolkit.telemetry.isGeckoViewMode", false); user_pref("toolkit.telemetry.testing.overrideProductsCheck", false); user_pref("security.app_menu.recordEventTelemetry", false); // [DESKTOP] +user_pref("browser.urlbar.eventTelemetry.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Telemetry Coverage // https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ @@ -950,16 +951,22 @@ user_pref("dom.ipc.processPriorityManager.enabled", true); // [DESKTOP] // [TEST user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] // ------------------------------------- // Pref : Disable purge site data after identifying tracking site via cookies -// [NOTE] Relax this with 'privacy.clearOnShutdown.*' enabled +// [NOTE] Relax this with 'privacy.clearOnShutdown.*' enabled // https://bugzilla.mozilla.org/show_bug.cgi?id=1599262 // https://www.ghacks.net/2020/03/04/firefox-75-will-purge-site-data-if-associated-with-tracking-cookies/ user_pref("privacy.purge_trackers.enabled", false); user_pref("privacy.purge_trackers.logging.enabled", false); +user_pref("privacy.purge_trackers.logging.level", ""); // ------------------------------------- // Pref : Disable permissions delegation // Currently applies to cross-origin geolocation, camera, mic and screen-sharing permissions, and fullscreen requests. Disabling delegation means any prompts for these will show/use their correct 3rd party origin // https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion user_pref("permissions.delegation.enabled", false); +// ------------------------------------- +// Pref : Disable the default checkedness for "Save card and address to Firefox" checkboxes +// https://bugzilla.mozilla.org/show_bug.cgi?id=1477106 +user_pref("dom.payments.defaults.saveAddress", false); +user_pref("dom.payments.defaults.saveCreditCard", false); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Web Workers @@ -1004,7 +1011,7 @@ user_pref("browser.download.hide_plugins_without_extensions", false); // [DESKTO user_pref("dom.event.contextmenu.enabled", false); // ------------------------------------- // Pref : Disable website access to clipboard events/content -// This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website +// [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress // [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one is default (false) then enabling this pref can leak clipboard content // https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled // https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/ @@ -1034,11 +1041,13 @@ user_pref("dom.vibrator.enabled", false); user_pref("javascript.options.asmjs", false); // ------------------------------------- // Pref : Disable Ion, baseline JIT and RegExp to help harden JS against exploits +// [NOTE] In FF75+, when (both) Ion and JIT are disabled, **and** the new hidden pref is enabled, then Ion can still be used by extensions // [WARNING] Disabling Ion/JIT can cause some site issues and performance loss // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 // https://trac.torproject.org/projects/tor/ticket/26019 -user_pref("javascript.options.ion", false); // [DESKTOP - BUG] Navigation issues -// user_pref("javascript.options.baselinejit", false); // [BUG] Addons issues +user_pref("javascript.options.ion", false); +// user_pref("javascript.options.baselinejit", false); // [FENNEC - BUG] Addons issues +// user_pref("javascript.options.jit_trustedprincipals", true); // [HIDDEN PREF] // [DESKTOP ?] user_pref("javascript.options.native_regexp", false); // ------------------------------------- // Pref : Disable WebAssembly @@ -1145,7 +1154,6 @@ user_pref("gfx.offscreencanvas.enabled", false); // [DEFAULT: false] // 0=Allow all, 1=Block non-muted media, 5=Block all // [NOTE] You can set exceptions under site permissions user_pref("media.autoplay.default", 5); -user_pref("media.autoplay.allow-muted", false); // [FENNEC] user_pref("media.autoplay.block-event.enabled", true); // [DEFAULT: false] user_pref("media.autoplay.block-webaudio", true); // [DEFAULT: false] // ------------------------------------- @@ -1182,14 +1190,14 @@ user_pref("browser.sessionhistory.max_entries", 4); // [DEFAULT: 50] // https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector user_pref("layout.css.visited_links_enabled", false); // ------------------------------------- -// Pref : Disable search suggestions in the search bar +// Pref : Disable live search suggestions user_pref("browser.search.suggest.enabled", false); user_pref("browser.search.suggest.enabled.private", false); -user_pref("browser.search.suggest.prompted", true); // [FENNEC] -// ------------------------------------- -// Pref : Disable "Show search suggestions in location bar results" user_pref("browser.urlbar.suggest.searches", false); // [DESKTOP] // ------------------------------------- +// Pref : Disable "Would you like to turn on search suggestions" prompt message +user_pref("browser.search.suggest.prompted", true); // [FENNEC] +// ------------------------------------- // Pref : Disable information entered in web page forms and the search bar // [NOTE] You can clear formdata on exiting Firefox user_pref("browser.formfill.enable", false); @@ -1226,8 +1234,9 @@ user_pref("browser.urlbar.usepreloadedtopurls.enabled", false); // [DESKTOP] user_pref("browser.urlbar.daysBeforeHidingSuggestionsPrompt", 0); // [DESKTOP] user_pref("browser.urlbar.searchSuggestionsChoice", false); // [DESKTOP] // ------------------------------------- -// Pref : Disable history/bookmarks/opened pages suggestions dropdown from URL bar -// [NOTE] This does not cause privacy/leaking issue +// Pref : Disable URL bar autocomplete and history/bookmarks suggestions dropdown +// http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5 +user_pref("browser.urlbar.autocomplete.enabled", false); // [FENNEC] user_pref("browser.urlbar.suggest.history", false); // [DESKTOP] user_pref("browser.urlbar.suggest.bookmark", false); // [DESKTOP] user_pref("browser.urlbar.suggest.openpage", false); // [DESKTOP] @@ -1329,6 +1338,8 @@ user_pref("toolkit.startup.max_resumed_crashes", -1); // [DESKTOP] // ------------------------------------- // Pref : Force Encrypted Server Name Indication (eSNI) for TLS 1.3 if TRR/DoH is enabled // [NOTE] I don't encourage DoH (but it is a useful and valid mechanism for those who need it) +// https://wiki.mozilla.org/Trusted_Recursive_Resolver#ESNI +// https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications_(ESNI) user_pref("network.security.esni.enabled", true); // ------------------------------------- // Pref : Disable ping to Mozilla for Man-in-the-Middle detection @@ -1366,7 +1377,6 @@ user_pref("network.http.speculative-parallel-limit", 0); // Pref : Disable predictor / prefetching // Network predicator load pages before they are opened with mose hover for example user_pref("network.predictor.enabled", false); -user_pref("network.predictor.cleaned-up", true); user_pref("network.predictor.enable-prefetch", false); user_pref("network.predictor.enable-hover-on-ssl", false); // @@ -1435,6 +1445,12 @@ user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false); // [DESKTOP] // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : HTTPS (SSL/TLS / OCSP / Certs / HPKP / Ciphers) // >>>>>>>>>>>>>>>>>>>> +// Pref : Enable HTTPS-only-mode +// [NOTE] This is experimental +// https://www.ghacks.net/2020/03/24/firefox-76-gets-optional-https-only-mode/ +// https://bugzilla.mozilla.org/1613063 +// user_pref("dom.security.https_only_mode", true); +// ------------------------------------- // Pref : Require safe negotiation // Blocks connections to servers that don't support RFC 5746 as they're potentially vulnerable to a MiTM attack. A server *without* RFC 5746 can be safe from the attack if it disables renegotiations but the problem is that the browser can't know that. // Setting this pref to true is the only way for the browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server. @@ -1446,6 +1462,7 @@ user_pref("security.ssl.require_safe_negotiation", true); // Pref : Control TLS versions with min and max // 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 // [WARNING] Leave these at default, otherwise you alter your TLS fingerprint. +// Firefox telemetry (April 2020) shows only 0.25% of TLS web traffic uses 1.0 or 1.1 // https://www.ssllabs.com/ssl-pulse/ // user_pref("security.tls.version.min", 3); // user_pref("security.tls.version.max", 4); @@ -1796,9 +1813,20 @@ user_pref("browser.cache.disk.smart_size.enabled", false); user_pref("browser.cache.disk.smart_size.first_run", false); // ------------------------------------- // Pref : Disable memory cache +// Capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kilobytes // user_pref("browser.cache.memory.enable", false); // user_pref("browser.cache.memory.capacity", 0); // [HIDDEN PREF ESR] // ------------------------------------- +// Pref : Disable permissions manager from writing to disk +// [NOTE] This means any permission changes are session only +// https://bugzilla.mozilla.org/967812 +// user_pref("permissions.memory_only", true); // [HIDDEN PREF] +// ------------------------------------- +// Pref : Disable media cache from writing to disk in Private Browsing +// [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB +user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); +user_pref("media.memory_cache_max_size", 16384); +// ------------------------------------- // Pref : Disable fastback cache // To improve performance when pressing back/forward Firefox stores visited pages so they don't have to be re-parsed. This is not the same as memory cache. // 0=none, -1=auto (that's minus 1). @@ -1814,9 +1842,6 @@ user_pref("browser.sessionstore.max_tabs_undo", 0); // 0=everywhere, 1=unencrypted sites, 2=nowhere user_pref("browser.sessionstore.privacy_level", 2); // ------------------------------------- -// Pref : Disable resuming session from crash -user_pref("browser.sessionstore.resume_from_crash", false); -// ------------------------------------- // Pref : Set the minimum interval between session save operations // Increasing this can help on older machines and some websites, as well as reducing writes. Default is 15000 (15 secs). Try 30000 (30 secs), 60000 (1 min) etc. // This can also affect entries in the "Recently Closed Tabs" feature: i.e. the longer the interval the more chance a quick tab open/close won't be captured. @@ -1861,10 +1886,7 @@ user_pref("browser.sessionstore.resume_session_once", false); // [DESKTOP] // Pref : Disable geolocation user_pref("geo.enabled", false); // ------------------------------------- -// Pref : Disable GeoIP lookup on your address to set default search engine region -// https://trac.torproject.org/projects/tor/ticket/16254 -// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine -user_pref("browser.search.region", "US"); +// Pref : Disable geographically specific results/search engines e.g. "browser.search.*.US", i.e. ignore all of Mozilla's various search engines in multiple locales user_pref("browser.search.geoSpecificDefaults.url", ""); user_pref("browser.snippets.geoUrl", ""); // ------------------------------------- @@ -1872,7 +1894,9 @@ user_pref("browser.snippets.geoUrl", ""); user_pref("intl.accept_languages", "en-US, en"); // ------------------------------------- // Pref : Enforce US English locale regardless of the system locale +// [NOTE] May break some input methods e.g xim/ibus for CJK languages // https://bugzilla.mozilla.org/867501 +// https://bugzilla.mozilla.org/1629630 user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] // ------------------------------------- // Pref : Disable using the OS's geolocation service @@ -2027,7 +2051,6 @@ user_pref("extensions.blocklist.lastModified", ""); // [DESKTOP] user_pref("extensions.blocklist.itemURL", ""); user_pref("extensions.blocklist.enabled", false); user_pref("extensions.blocklist.detailsURL", ""); -user_pref("extensions.blocklist.useXML", false); user_pref("services.settings.security.onecrl.bucket", ""); user_pref("services.settings.security.onecrl.collection", ""); user_pref("services.settings.security.onecrl.signer", ""); @@ -2050,11 +2073,6 @@ user_pref("urlclassifier.trackingAnnotationWhitelistTable", ""); user_pref("urlclassifier.trackingTable", ""); user_pref("urlclassifier.trackingWhitelistTable", ""); // ------------------------------------- -// Pref : Decrease system information leakage to Mozilla blocklist update servers -// https://trac.torproject.org/projects/tor/ticket/16931 -// https://old.reddit.com/r/firefox/comments/9v5lue/firefox_tip_sanitize_firefox_blocklist_url_so_it/ -user_pref("extensions.blocklist.url", ""); // [URL SANITIZED: https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/] -// ------------------------------------- // Pref : Opt-out of add-on metadata updates // https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/ user_pref("extensions.getAddons.cache.enabled", false); @@ -2174,7 +2192,7 @@ user_pref("browser.contentblocking.features.strict", ""); // [DESKTOP] // https://github.com/pyllyukko/user.js/issues/419 // https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#1248-1257 // [NOTE] Disabling system add-on updates prevents Mozilla from "hotfixing" your browser to patch critical problems (one possible use case from the documentation) -// user_pref("extensions.systemAddon.update.enabled", false); // [DESKTOP] +// user_pref("extensions.systemAddon.update.enabled", false); user_pref("extensions.systemAddon.update.url", "https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/en-US/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml"); // [URL SANITIZED] // ------------------------------------- // Pref : Disable Normandy/Shield @@ -2197,6 +2215,11 @@ user_pref("extensions.formautofill.addresses.enabled", false); // [DESKTOP] user_pref("extensions.formautofill.available", "off"); // [DESKTOP] user_pref("extensions.formautofill.creditCards.enabled", false); // [DESKTOP] user_pref("extensions.formautofill.heuristics.enabled", false); // [DESKTOP] +// ------------------------------------- +// Pref : Disable ExperimentManager and relative API +// https://bugzilla.mozilla.org/show_bug.cgi?id=1620021 +user_pref("messaging-system.rsexperimentloader.enabled", false); // [DESKTOP] +user_pref("messaging-system.log", ""); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Persistent Storage @@ -2215,6 +2238,10 @@ user_pref("network.cookie.lifetimePolicy", 2); // [NOTE] Can breaks payment gateways user_pref("network.cookie.cookieBehavior", 1); // ------------------------------------- +// Pref : Disable compatibility heuristics to 3rd-party cookie blocking +// https://bugzilla.mozilla.org/show_bug.cgi?id=1625568 +user_pref("network.cookie.rejectForeignWithExceptions.enabled", false); +// ------------------------------------- // Pref : Set third-party cookies (i.e ALL) (if enabled) to session-only and set third-party non-secure (i.e HTTP) cookies to session-only // [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones // https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ @@ -2242,6 +2269,7 @@ user_pref("browser.cache.offline.enable", false); user_pref("browser.cache.offline.capacity", 0); // ------------------------------------- // Pref : Disable service workers cache and cache storage +// [NOTE] Service worker cache are cleared on exit // https://w3c.github.io/ServiceWorker/#privacy // user_pref("dom.caches.enabled", false); // ------------------------------------- @@ -2339,7 +2367,7 @@ user_pref("privacy.donottrackheader.enabled", false); // [DEFAULT: true] // Section : FPI (First Party Isolation) // >>>>>>>>>>>>>>>>>>>> // Pref : Enable FPI (First Party Isolation) -// [SETUP-WEB] May break cross-domain logins and site functionality until perfected +// [NOTE] May break cross-domain logins and site functionality until perfected // https://bugzilla.mozilla.org/1260931 user_pref("privacy.firstparty.isolate", true); // ------------------------------------- @@ -2535,6 +2563,13 @@ user_pref("browser.download.autohideButton", false); // [DESKTOP] // Pref : Disable browser animation // https://bugzilla.mozilla.org/show_bug.cgi?id=1352069 user_pref("toolkit.cosmeticAnimations.enabled", false); +// ------------------------------------- +// Pref : Disable (temporarily) "Megabar" design +// https://support.mozilla.org/en-US/questions/1284354 +user_pref("browser.urlbar.openViewOnFocus", false); // [DESKTOP] +user_pref("browser.urlbar.update1", false); // [DESKTOP] +user_pref("browser.urlbar.update1.interventions", false); // [DESKTOP] +user_pref("browser.urlbar.update1.searchTips", false); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Personal @@ -2624,7 +2659,7 @@ user_pref("plugins.click_to_play", true); // Pref : Disable autoplay of HTML5 media // https://bugzilla.mozilla.org/1562331 // https://hg.mozilla.org/mozilla-central/rev/3780202d7104 -user_pref("media.autoplay.allow-muted", false); // [FENNEC] +user_pref("media.autoplay.allow-muted", false); // ------------------------------------- // FF70+ // ------------------------------------- @@ -2839,5 +2874,34 @@ user_pref("browser.urlbar.doubleClickSelectsAll", false); // https://hg.mozilla.org/mozilla-central/rev/bb85b121d2ac user_pref("dom.vr.openvr.action_input", false); // ------------------------------------- +// Pref : Disable GeoIP-based search defaults +// [NOTE] May not be hidden if Firefox has changed your settings due to your locale +// https://trac.torproject.org/projects/tor/ticket/16254 +// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine +// user_pref("browser.search.region", "US"); // [HIDDEN PREF] +// ------------------------------------- // FF76+ +// ------------------------------------- +// Pref : Decrease system information leakage to Mozilla blocklist update servers +// https://bugzilla.mozilla.org/show_bug.cgi?id=1618188 +// https://hg.mozilla.org/mozilla-central/rev/06ca3c111fc7 +user_pref("extensions.blocklist.url", ""); +// ------------------------------------- +// Pref : Disable app from auto-update +// https://bugzilla.mozilla.org/show_bug.cgi?id=1568994 +// https://hg.mozilla.org/mozilla-central/rev/12efcfc5555a +// https://hg.mozilla.org/mozilla-central/rev/cd6bf21b54db +user_pref("app.update.url", ""); +// ------------------------------------- +// Pref : Disable add-on and certificate blocklists (OneCRL) from Mozilla +// https://bugzilla.mozilla.org/show_bug.cgi?id=1618188 +// https://hg.mozilla.org/mozilla-central/rev/06ca3c111fc7 +user_pref("extensions.blocklist.useXML", false); +// ------------------------------------- +// Pref : Disable predictor / prefetching +// https://bugzilla.mozilla.org/show_bug.cgi?id=1544868 +// https://hg.mozilla.org/mozilla-central/rev/3763471a8781 +user_pref("network.predictor.cleaned-up", true); +// ------------------------------------- +// FF77+ // ------------------------------------- \ No newline at end of file