Update 'user.js'

This commit is contained in:
Narsil 2021-09-01 09:08:59 +00:00
parent 7d0c33d89f
commit f877564292
1 changed files with 29 additions and 39 deletions

68
user.js
View File

@ -501,30 +501,6 @@ user_pref("network.http.speculative-parallel-limit", 0);
// https://www.internetsociety.org/tag/ipv6-security/ // https://www.internetsociety.org/tag/ipv6-security/
user_pref("network.dns.disableIPv6", true); user_pref("network.dns.disableIPv6", true);
// ------------------------------------- // -------------------------------------
// Disable HTTP2
// HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
// enhance privacy, and opens up a number of server-side fingerprinting opportunities
// [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites
// [STATS] ~46% of sites (July 2021)
// https://http2.github.io/faq/
// https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
// https://datatracker.ietf.org/doc/html/rfc7540#section-10.8
// https://queue.acm.org/detail.cfm?id=2716278
// https://w3techs.com/technologies/details/ce-http2/all/all
// user_pref("network.http.spdy.enabled", false);
// user_pref("network.http.spdy.enabled.deps", false);
// user_pref("network.http.spdy.enabled.http2", false);
// user_pref("network.http.spdy.websockets", false); // [FF65+]
// -------------------------------------
// Disable HTTP Alternative Services [FF37+]
// [SETUP-PERF] Relax this if you have FPI enabled and you understand the
// consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
// and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
// https://tools.ietf.org/html/rfc7838#section-9
// https://www.mnot.net/blog/2016/03/09/alt-svc
user_pref("network.http.altsvc.enabled", false);
user_pref("network.http.altsvc.oe", false);
// -------------------------------------
// Set the proxy server to do any DNS lookups when using SOCKS // Set the proxy server to do any DNS lookups when using SOCKS
// e.g. in Tor, this stops your local DNS server from knowing your Tor destination // e.g. in Tor, this stops your local DNS server from knowing your Tor destination
// as a remote Tor node will handle the DNS request // as a remote Tor node will handle the DNS request
@ -580,7 +556,7 @@ user_pref("browser.fixup.alternate.enabled", false);
// Display all parts of the url in the location bar // Display all parts of the url in the location bar
user_pref("browser.urlbar.trimURLs", false); user_pref("browser.urlbar.trimURLs", false);
// ------------------------------------- // -------------------------------------
// Disable coloring of visited links - CSS history leak // Disable coloring of visited links
// Bulk rapid history sniffing was mitigated in 2010. Slower and more expensive // Bulk rapid history sniffing was mitigated in 2010. Slower and more expensive
// redraw timing attacks were largely mitigated in FF77+. Using RFP further hampers timing // redraw timing attacks were largely mitigated in FF77+. Using RFP further hampers timing
// attacks. Don't forget clearing history on close. However, social engineering // attacks. Don't forget clearing history on close. However, social engineering
@ -662,11 +638,12 @@ user_pref("signon.management.page.breachAlertUrl", "");
// There are no preferences for this. It is all handled internally // There are no preferences for this. It is all handled internally
// [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password // [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password
// https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas // https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas
// Set how often Firefox should ask for the primary password // Set when Firefox should prompt for the primary password
// 0=the first time (default), 1=every time it's needed, 2=every n minutes // 0=the first time (default), 1=every time it's needed, 2=every n minutes
user_pref("security.ask_for_password", 2); user_pref("security.ask_for_password", 2);
// ------------------------------------- // -------------------------------------
// Set how often in minutes Firefox should ask for the primary password // Set how long in minutes Firefox should remember the primary password
// in minutes, default is 30 ***/
user_pref("security.password_lifetime", 5); // [DEFAULT: 30] user_pref("security.password_lifetime", 5); // [DEFAULT: 30]
// ------------------------------------- // -------------------------------------
// Disable auto-filling username & password form fields // Disable auto-filling username & password form fields
@ -923,7 +900,7 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false);
// ------------------------------------- // -------------------------------------
// Disable graphite // Disable graphite
// Graphite has had many critical security issues in the past // Graphite has had many critical security issues in the past
// https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 // https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite
// https://en.wikipedia.org/wiki/Graphite_(SIL) // https://en.wikipedia.org/wiki/Graphite_(SIL)
user_pref("gfx.font_rendering.graphite.enabled", false); user_pref("gfx.font_rendering.graphite.enabled", false);
// ------------------------------------- // -------------------------------------
@ -1104,7 +1081,7 @@ user_pref("javascript.options.asmjs", false);
// [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new // [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
// hidden pref is enabled, then Ion can still be used by extensions (1599226) // hidden pref is enabled, then Ion can still be used by extensions (1599226)
// [WARNING] Disabling Ion/JIT can cause some site issues and performance loss // [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Firefox+JIT // https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit
user_pref("javascript.options.ion", false); user_pref("javascript.options.ion", false);
user_pref("javascript.options.baselinejit", false); user_pref("javascript.options.baselinejit", false);
user_pref("javascript.options.native_regexp", false); user_pref("javascript.options.native_regexp", false);
@ -1197,16 +1174,6 @@ user_pref("devtools.remote.adb.extensionURL", ""); // [FF64+]
user_pref("devtools.remote.adb.extensionID", ""); user_pref("devtools.remote.adb.extensionID", "");
user_pref("devtools.selfxss.count", 0); user_pref("devtools.selfxss.count", 0);
// ------------------------------------- // -------------------------------------
// Disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
// [TEST] https://arkenfox.github.io/TZP/tzp.html#misc
// https://bugzilla.mozilla.org/1173199
user_pref("mathml.disabled", true);
// -------------------------------------
// Disable in-content SVG (Scalable Vector Graphics) [FF53+]
// [WARNING] Expect breakage including youtube player controls
// https://bugzilla.mozilla.org/1216893
// user_pref("svg.disabled", true);
// -------------------------------------
// Disable middle mouse click opening links from clipboard // Disable middle mouse click opening links from clipboard
// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089
user_pref("middlemouse.contentLoadURL", false); user_pref("middlemouse.contentLoadURL", false);
@ -1582,6 +1549,29 @@ user_pref("permissions.default.xr", 0); // Virtual Reality
// [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy // [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy
// user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+] // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+]
// user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2 // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2
// -------------------------------------
// Disable HTTP2
// [WHY] Passive fingerprinting. ~50% of sites use HTTP2
// https://w3techs.com/technologies/details/ce-http2/all/all
// user_pref("network.http.spdy.enabled", false);
// user_pref("network.http.spdy.enabled.deps", false);
// user_pref("network.http.spdy.enabled.http2", false);
// user_pref("network.http.spdy.websockets", false); // [FF65+]
// -------------------------------------
// Disable HTTP Alternative Services [FF37+]
// [WHY] Already isolated by network partitioning (FF85+) or FPI
// user_pref("network.http.altsvc.enabled", false);
// user_pref("network.http.altsvc.oe", false);
// -------------------------------------
// Disable MathML (Mathematical Markup Language) [FF51+]
// [WHY] Fingerprintable, breakage, threat model
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml
user_pref("mathml.disabled", true);
// -------------------------------------
// Disable in-content SVG (Scalable Vector Graphics) [FF53+]
// [WHY] Fingerprintable, breakage, threat model
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg
// user_pref("svg.disabled", true);
// //
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// DON'T BOTHER: NON-RFP // DON'T BOTHER: NON-RFP