forked from d3cim/mobile_user.js
				
			Update 'user.js'
							parent
							
								
									7d0c33d89f
								
							
						
					
					
						commit
						f877564292
					
				
							
								
								
									
										68
									
								
								user.js
								
								
								
								
							
							
						
						
									
										68
									
								
								user.js
								
								
								
								
			@ -501,30 +501,6 @@ user_pref("network.http.speculative-parallel-limit", 0);
// https://www.internetsociety.org/tag/ipv6-security/
user_pref("network.dns.disableIPv6", true);
// -------------------------------------
// Disable HTTP2
// HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
// enhance privacy, and opens up a number of server-side fingerprinting opportunities
// [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites
// [STATS] ~46% of sites (July 2021)
// https://http2.github.io/faq/
// https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
// https://datatracker.ietf.org/doc/html/rfc7540#section-10.8
// https://queue.acm.org/detail.cfm?id=2716278
// https://w3techs.com/technologies/details/ce-http2/all/all
// user_pref("network.http.spdy.enabled", false);
// user_pref("network.http.spdy.enabled.deps", false);
// user_pref("network.http.spdy.enabled.http2", false);
// user_pref("network.http.spdy.websockets", false); // [FF65+]
// -------------------------------------
// Disable HTTP Alternative Services [FF37+]
// [SETUP-PERF] Relax this if you have FPI enabled and you understand the
// consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
// and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
// https://tools.ietf.org/html/rfc7838#section-9
// https://www.mnot.net/blog/2016/03/09/alt-svc
user_pref("network.http.altsvc.enabled", false);
user_pref("network.http.altsvc.oe", false);
// -------------------------------------
// Set the proxy server to do any DNS lookups when using SOCKS
// e.g. in Tor, this stops your local DNS server from knowing your Tor destination
// as a remote Tor node will handle the DNS request
			@ -580,7 +556,7 @@ user_pref("browser.fixup.alternate.enabled", false);
// Display all parts of the url in the location bar
user_pref("browser.urlbar.trimURLs", false);
// -------------------------------------
// Disable coloring of visited links - CSS history leak
// Disable coloring of visited links
// Bulk rapid history sniffing was mitigated in 2010. Slower and more expensive
// redraw timing attacks were largely mitigated in FF77+. Using RFP further hampers timing
// attacks. Don't forget clearing history on close. However, social engineering
			@ -662,11 +638,12 @@ user_pref("signon.management.page.breachAlertUrl", "");
// There are no preferences for this. It is all handled internally
// [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password
// https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas
// Set how often Firefox should ask for the primary password
// Set when Firefox should prompt for the primary password
// 0=the first time (default), 1=every time it's needed, 2=every n minutes
user_pref("security.ask_for_password", 2);
// -------------------------------------
// Set how often in minutes Firefox should ask for the primary password
// Set how long in minutes Firefox should remember the primary password
// in minutes, default is 30 ***/
user_pref("security.password_lifetime", 5); // [DEFAULT: 30]
// -------------------------------------
// Disable auto-filling username & password form fields
			@ -923,7 +900,7 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false);
// -------------------------------------
// Disable graphite
// Graphite has had many critical security issues in the past
// https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite
// https://en.wikipedia.org/wiki/Graphite_(SIL)
user_pref("gfx.font_rendering.graphite.enabled", false);
// -------------------------------------
			@ -1104,7 +1081,7 @@ user_pref("javascript.options.asmjs", false);
// [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
// hidden pref is enabled, then Ion can still be used by extensions (1599226)
// [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Firefox+JIT
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit
user_pref("javascript.options.ion", false);
user_pref("javascript.options.baselinejit", false);
user_pref("javascript.options.native_regexp", false);
			@ -1197,16 +1174,6 @@ user_pref("devtools.remote.adb.extensionURL", ""); // [FF64+]
user_pref("devtools.remote.adb.extensionID", "");
user_pref("devtools.selfxss.count", 0);
// -------------------------------------
// Disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
// [TEST] https://arkenfox.github.io/TZP/tzp.html#misc
// https://bugzilla.mozilla.org/1173199
user_pref("mathml.disabled", true);
// -------------------------------------
// Disable in-content SVG (Scalable Vector Graphics) [FF53+]
// [WARNING] Expect breakage including youtube player controls
// https://bugzilla.mozilla.org/1216893
// user_pref("svg.disabled", true);
// -------------------------------------
// Disable middle mouse click opening links from clipboard
// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089
user_pref("middlemouse.contentLoadURL", false);
			@ -1582,6 +1549,29 @@ user_pref("permissions.default.xr", 0); // Virtual Reality
// [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy
// user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+]
// user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2
// -------------------------------------
// Disable HTTP2
// [WHY] Passive fingerprinting. ~50% of sites use HTTP2
// https://w3techs.com/technologies/details/ce-http2/all/all
// user_pref("network.http.spdy.enabled", false);
// user_pref("network.http.spdy.enabled.deps", false);
// user_pref("network.http.spdy.enabled.http2", false);
// user_pref("network.http.spdy.websockets", false); // [FF65+]
// -------------------------------------
// Disable HTTP Alternative Services [FF37+]
// [WHY] Already isolated by network partitioning (FF85+) or FPI
// user_pref("network.http.altsvc.enabled", false);
// user_pref("network.http.altsvc.oe", false);
// -------------------------------------
// Disable MathML (Mathematical Markup Language) [FF51+]
// [WHY] Fingerprintable, breakage, threat model
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml
user_pref("mathml.disabled", true);
// -------------------------------------
// Disable in-content SVG (Scalable Vector Graphics) [FF53+]
// [WHY] Fingerprintable, breakage, threat model
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg
// user_pref("svg.disabled", true);
//
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// DON'T BOTHER: NON-RFP
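Review bot: In the last hunk `network.http.altsvc.enabled` and `network.http.altsvc.oe` are listed commented out, while the first hunk shows them set to `false`, so after this commit the profile appears to fall back to the browser default for Alt-Svc (the +/- markers are lost on this page, so sides are inferred from the hunk counts). The stated reason, isolation by network partitioning (FF85+) or FPI, only holds where one of those is actually in effect, and the comment should say so, for example `// [NOTE] Keep both prefs at false on builds older than FF85, or where privacy.partition.network_state is off and FPI is not used`. In the same block `user_pref("mathml.disabled", true);` stays active although its `[WHY] Fingerprintable, breakage, threat model` line and its commented-out neighbours read as reasons not to set it; either comment it out like the others or add `// kept active on purpose` so the intent is unambiguous.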