From f877564292b3ce6e9932f22d4855e3f303cf2321 Mon Sep 17 00:00:00 2001
From: Narsil
Date: Wed, 1 Sep 2021 09:08:59 +0000
Subject: [PATCH] Update 'user.js'

---
 user.js | 68 ++++++++++++++++++++++++---------------------------------
 1 file changed, 29 insertions(+), 39 deletions(-)

diff --git a/user.js b/user.js
index 9c04a1e..6c28d3d 100644
--- a/user.js
+++ b/user.js
@@ -501,30 +501,6 @@ user_pref("network.http.speculative-parallel-limit", 0);
 // https://www.internetsociety.org/tag/ipv6-security/
 user_pref("network.dns.disableIPv6", true);
 // -------------------------------------
-// Disable HTTP2
-// HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
-// enhance privacy, and opens up a number of server-side fingerprinting opportunities
-// [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites
-// [STATS] ~46% of sites (July 2021)
-// https://http2.github.io/faq/
-// https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
-// https://datatracker.ietf.org/doc/html/rfc7540#section-10.8
-// https://queue.acm.org/detail.cfm?id=2716278
-// https://w3techs.com/technologies/details/ce-http2/all/all
-// user_pref("network.http.spdy.enabled", false);
-// user_pref("network.http.spdy.enabled.deps", false);
-// user_pref("network.http.spdy.enabled.http2", false);
-// user_pref("network.http.spdy.websockets", false); // [FF65+]
-// -------------------------------------
-// Disable HTTP Alternative Services [FF37+]
-// [SETUP-PERF] Relax this if you have FPI enabled and you understand the
-// consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
-// and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
-// https://tools.ietf.org/html/rfc7838#section-9
-// https://www.mnot.net/blog/2016/03/09/alt-svc
-user_pref("network.http.altsvc.enabled", false);
-user_pref("network.http.altsvc.oe", false);
-// -------------------------------------
 // Set the proxy server to do any DNS lookups when using SOCKS
 // e.g. in Tor, this stops your local DNS server from knowing your Tor destination
 // as a remote Tor node will handle the DNS request
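Review bot: Removing the two active `user_pref("network.http.altsvc.enabled", false);` / `user_pref("network.http.altsvc.oe", false);` lines does not revert anything in profiles that already ran the old file — Firefox persists user_pref values into prefs.js, and a pref that user.js simply stops mentioning keeps its last written value. Since the same prefs reappear later in this patch only as commented-out entries whose [WHY] says the default is fine, users who pull the update will silently stay on the old non-default setting. A short note in the re-added block would close that gap, e.g. `// [NOTE] Previously set to false: reset it in about:config in profiles that applied the old file`.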
@@ -580,7 +556,7 @@ user_pref("browser.fixup.alternate.enabled", false);
 // Display all parts of the url in the location bar
 user_pref("browser.urlbar.trimURLs", false);
 // -------------------------------------
-// Disable coloring of visited links - CSS history leak
+// Disable coloring of visited links
 // Bulk rapid history sniffing was mitigated in 2010. Slower and more expensive
 // redraw timing attacks were largely mitigated in FF77+. Using RFP further hampers timing
 // attacks. Don't forget clearing history on close. However, social engineering
@@ -662,11 +638,12 @@ user_pref("signon.management.page.breachAlertUrl", "");
 // There are no preferences for this. It is all handled internally
 // [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password
 // https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas
-// Set how often Firefox should ask for the primary password
+// Set when Firefox should prompt for the primary password
 // 0=the first time (default), 1=every time it's needed, 2=every n minutes
 user_pref("security.ask_for_password", 2);
 // -------------------------------------
-// Set how often in minutes Firefox should ask for the primary password
+// Set how long in minutes Firefox should remember the primary password
+// in minutes, default is 30 ***/
 user_pref("security.password_lifetime", 5); // [DEFAULT: 30]
 // -------------------------------------
 // Disable auto-filling username & password form fields
@@ -923,7 +900,7 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false);
 // -------------------------------------
 // Disable graphite
 // Graphite has had many critical security issues in the past
-// https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778
+// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite
 // https://en.wikipedia.org/wiki/Graphite_(SIL)
 user_pref("gfx.font_rendering.graphite.enabled", false);
 // -------------------------------------
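Review bot: The added line `+// in minutes, default is 30 ***/` in the `security.password_lifetime` hunk carries a stray `***/` block-comment terminator (harmless inside a `//` line comment, but it reads as a paste leftover) and repeats both "in minutes" from the line just above it and the default already stated by `// [DEFAULT: 30]` on the pref line itself. Dropping that line and keeping only `// Set how long in minutes Firefox should remember the primary password` says the same thing once.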
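Review bot: In the graphite hunk, swapping the specific `mfsa2017-15/#CVE-2017-7778` advisory link for a `cvekey.cgi?keyword=firefox+graphite` search replaces a fixed reference with a moving one whose hits depend on how future CVE entries are titled, so the line above it ("has had many critical security issues in the past") is left without a concrete citation. Keeping the advisory URL next to the keyword search would preserve that anchor; the same consideration applies to the keyword-search links the last hunk adds for MathML and SVG, which stand in for the bugzilla links an earlier hunk removes.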
@@ -1104,7 +1081,7 @@ user_pref("javascript.options.asmjs", false);
 // [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
 // hidden pref is enabled, then Ion can still be used by extensions (1599226)
 // [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
-// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Firefox+JIT
+// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit
 user_pref("javascript.options.ion", false);
 user_pref("javascript.options.baselinejit", false);
 user_pref("javascript.options.native_regexp", false);
@@ -1197,16 +1174,6 @@ user_pref("devtools.remote.adb.extensionURL", ""); // [FF64+]
 user_pref("devtools.remote.adb.extensionID", "");
 user_pref("devtools.selfxss.count", 0);
 // -------------------------------------
-// Disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
-// [TEST] https://arkenfox.github.io/TZP/tzp.html#misc
-// https://bugzilla.mozilla.org/1173199
-user_pref("mathml.disabled", true);
-// -------------------------------------
-// Disable in-content SVG (Scalable Vector Graphics) [FF53+]
-// [WARNING] Expect breakage including youtube player controls
-// https://bugzilla.mozilla.org/1216893
-// user_pref("svg.disabled", true);
-// -------------------------------------
 // Disable middle mouse click opening links from clipboard
 // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089
 user_pref("middlemouse.contentLoadURL", false);
@@ -1582,6 +1549,29 @@ user_pref("permissions.default.xr", 0); // Virtual Reality
 // [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy
 // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+]
 // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2
+// -------------------------------------
+// Disable HTTP2
+// [WHY] Passive fingerprinting. ~50% of sites use HTTP2
+// https://w3techs.com/technologies/details/ce-http2/all/all
+// user_pref("network.http.spdy.enabled", false);
+// user_pref("network.http.spdy.enabled.deps", false);
+// user_pref("network.http.spdy.enabled.http2", false);
+// user_pref("network.http.spdy.websockets", false); // [FF65+]
+// -------------------------------------
+// Disable HTTP Alternative Services [FF37+]
+// [WHY] Already isolated by network partitioning (FF85+) or FPI
+// user_pref("network.http.altsvc.enabled", false);
+// user_pref("network.http.altsvc.oe", false);
+// -------------------------------------
+// Disable MathML (Mathematical Markup Language) [FF51+]
+// [WHY] Fingerprintable, breakage, threat model
+// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml
+user_pref("mathml.disabled", true);
+// -------------------------------------
+// Disable in-content SVG (Scalable Vector Graphics) [FF53+]
+// [WHY] Fingerprintable, breakage, threat model
+// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg
+// user_pref("svg.disabled", true);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // DON'T BOTHER: NON-RFP
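Review bot: `user_pref("mathml.disabled", true);` is the only entry in this added block that stays active — the HTTP2, Alt-Svc and SVG prefs beside it are all commented out, and the MathML [WHY] line is word-for-word the same as the SVG one ("Fingerprintable, breakage, threat model"), so nothing explains why one is enforced and the other left at its default. If keeping MathML disabled is deliberate, a comment such as `// [NOTE] kept active on purpose: <reason>` would record it; otherwise the line should become `// user_pref("mathml.disabled", true);` like its neighbours. The surrounding context lines suggest this is a "defaults are fine" list, but the section heading is outside the hunk, so that reading is inferred.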