Update user.js

 Enabled addons autoupdate (need tests)
 Sanitized FFox blocklist URL (so it won't send identifiable information)
 Enforced the proxy server to do any DNS lookups when using SOCKS
 Added some descriptions into OCSP section
 Enabled require a valid OCSP
 Added OrangeManBad in credits
 Sorted and fixed some prefs response for OCSP enabled certificates
 Disabled more webspeech prefs
 Disabled some more webgl prefs
This commit is contained in:
quindecim 2019-05-04 17:30:35 +00:00 committed by GitHub
parent 61386840c9
commit faac2e2858
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 74 additions and 72 deletions

146
user.js

@ -11,26 +11,19 @@
// Based on : gHacks: https://github.com/ghacksuserjs/ghacks-user.js
// Librefox: https://github.com/intika/Librefox
// pyllyukko: https://github.com/pyllyukko/user.js
// OrangeManBad: https://git.nixnet.xyz/OrangeManBad/user.js
//
// License : https://github.com/quindecim/fennec_user.js/blob/master/LICENSE.txt
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Quiet Fox
// >>>>>>>>>>>>>>>>>>>>>
// Pref : Disable auto-CHECKING for extension and theme updates
// user_pref("extensions.update.enabled", false);
// -------------------------------------
// Pref : Disable app from auto-update
user_pref("app.update.auto", false);
user_pref("app.update.autodownload", "");
user_pref("app.update.channel", "");
user_pref("app.update.timerFirstInterval", -1);
user_pref("app.update.timerMinimumDelay", -1);
user_pref("app.update.url.android", "");
// -------------------------------------
// Pref : Opt-out of add-on metadata updates
// https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
user_pref("extensions.getAddons.cache.enabled", false);
// -------------------------------------
// Pref : Never check updates for search engines
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking
user_pref("browser.search.update", false);
@ -129,10 +122,6 @@ user_pref("browser.chromeURL", "");
user_pref("general.useragent.updates.url", "");
// -------------------------------------
// Pref : Block unwanted connections
user_pref("extensions.getAddons.compatOverides.url", "");
user_pref("extensions.getAddons.get.url", "");
user_pref("extensions.getAddons.langpacks.url", "");
user_pref("extensions.getAddons.search.browseURL", "");
user_pref("extensions.getLocales.get.url", "");
user_pref("identity.sync.tokenserver.uri", "");
user_pref("media.decoder-doctor.new-issue-endpoint", "");
@ -172,13 +161,9 @@ user_pref("layout.accessiblecaret.hapticfeedback", false); // [DEFAULT: true]
// Pref :
user_pref("dom.registerProtocolHandler.insecure.enabled", true);
// -------------------------------------
// Pref : Block list url disabled
user_pref("extensions.blocklist.url", "");
user_pref("extensions.blocklist.detailsURL", "");
user_pref("extensions.blocklist.itemURL", "");
user_pref("extensions.update.url", "");
user_pref("extensions.update.background.url", "");
user_pref("extensions.getAddons.browseAddons", "");
// Pref : Updates addons automatically
// https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/
user_pref("extensions.update.enabled", true);
// -------------------------------------
// Pref : Disable Firefox Accounts and Sync
user_pref("identity.fxaccounts.auth.uri", "");
@ -230,7 +215,11 @@ user_pref("beacon.enabled", false);
// https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html
// https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
// https://wiki.mozilla.org/HTML5_Speech_API
user_pref("media.webspeech.recognition.enable", false);
user_pref("media.webspeech.recognition.enable", false); // [DEFAULT: true]
user_pref("media.webspeech.recognition.force_enable", false); // [DEFAULT: false]
user_pref("media.webspeech.test.enable", false); // [DEFAULT: false]
user_pref("media.webspeech.test.fake_fsm_events", false); // [DEFAULT: false]
user_pref("media.webspeech.test.fake_recognition_service", false); // [DEFAULT: false]
// -------------------------------------
// Pref : Don't use Mozilla-provided location-specific search engines
user_pref("browser.search.geoSpecificDefaults", false);
@ -449,8 +438,10 @@ user_pref("webgl.disabled", true);
user_pref("webgl.enable-webgl2", false);
user_pref("webgl.min_capability_mode", true);
user_pref("pdfjs.enableWebGL", false);
user_pref("webgl.disable-extensions", true);
user_pref("webgl.disable-extensions", true); // [DEFAULT: false]
user_pref("webgl.disable-wgl", true); // [DEFAULT: false]
user_pref("webgl.disable-fail-if-major-performance-caveat", true);
user_pref("webgl.can-lose-context-in-foreground", false); // [DEFAULT: true]
// -------------------------------------
// Pref : Disable audiocapture
user_pref("media.getusermedia.browser.enabled", false);
@ -611,7 +602,7 @@ user_pref("network.dns.disableIPv6", true);
// e.g. in Tor, this stops your local DNS server from knowing your Tor destination as a remote Tor node will handle the DNS request
// http://kb.mozillazine.org/Network.proxy.socks_remote_dns
// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
// user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.socks_remote_dns", true);
// -------------------------------------
// Pref : Remove paths when sending URLs to PAC scripts
// CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
@ -667,12 +658,33 @@ user_pref("security.ssl.errorReporting.url", "");
// https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/
user_pref("security.tls.enable_0rtt_data", false);
// -------------------------------------
// Pref : Check disabled section
// OCSP Leaks the visited sited exactly same issue as safebrowsing.
// Stapling have the site itself proof that his certificate is good through the CA so apparently nothing is leaked in this case.
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
// Pref : Require a valid OCSP response for OCSP enabled certificates
// https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA
// Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses
// [NOTE] `security.OCSP.require` will make the connection fail when the OCSP responder is unavailable
// [NOTE] `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal)
user_pref("security.OCSP.require", true);
// -------------------------------------
// Pref : Enable OSCP (Online Certificate Status Protocol)
// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
// https://www.imperialviolet.org/2014/04/19/revchecking.html
// https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/
// https://wiki.mozilla.org/CA:RevocationPlan
// https://wiki.mozilla.org/CA:ImprovingRevocation
// https://wiki.mozilla.org/CA:OCSP-HardFail
// https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html
// https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html
// [NOTE] OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
// [NOTE] OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
// [NOTE] OCSP adds latency (performance)
// [NOTE] Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
// CIS Version 1.2.0 October 21st, 2011 2.2.4
user_pref("security.OCSP.enabled", 0);
user_pref("security.OCSP.require", false);
// -------------------------------------
// Pref : Enable OCSP Stapling support
// Stapling have the site itself proof that his certificate is good through the CA so apparently nothing is leaked in this case.
// https://en.wikipedia.org/wiki/OCSP_stapling
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
user_pref("security.ssl.enable_ocsp_stapling", true);
// -------------------------------------
// Pref : Disallow SHA-1
@ -887,7 +899,7 @@ user_pref("browser.cache.disk.smart_size.enabled", false);
user_pref("browser.cache.disk.smart_size.first_run", false);
// -------------------------------------
// Pref : Disable disk cache for SSL pages
//http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
// http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
user_pref("browser.cache.disk_cache_ssl", false);
// -------------------------------------
// Pref : Disable memory cache
@ -948,7 +960,7 @@ user_pref("intl.locale.os", "en-US");
// If set to empty, the OS locales are used. If not set at all, default locale is used
user_pref("intl.locale.requested", "en-US");
// -------------------------------------
// Pref: Set language to match
// Pref : Set language to match
user_pref("intl.accept_languages", "en-US, en");
// -------------------------------------
// Pref : Use APP locale over OS locale in regional preferences
@ -963,7 +975,7 @@ user_pref("intl.regional_prefs.use_os_locales", false);
// [NOTE] Disabling fonts can uglify the web a fair bit.
user_pref("browser.display.use_document_fonts", 0);
// -------------------------------------
// Pref: Set more legible default fonts
// Pref : Set more legible default fonts
// [NOTE] Example below for Windows/Western only
// user_pref("font.name.serif.x-unicode", "Georgia");
// user_pref("font.name.serif.x-western", "Georgia"); // [DEFAULT: Times New Roman]
@ -972,33 +984,33 @@ user_pref("browser.display.use_document_fonts", 0);
// user_pref("font.name.monospace.x-unicode", "Lucida Console");
// user_pref("font.name.monospace.x-western", "Lucida Console"); // [DEFAULT: Courier New]
// -------------------------------------
// Pref: Disable icon fonts (glyphs) and local fallback rendering
// Pref : Disable icon fonts (glyphs) and local fallback rendering
// https://bugzilla.mozilla.org/789788
// https://trac.torproject.org/projects/tor/ticket/8455
user_pref("gfx.downloadable_fonts.enabled", false);
user_pref("gfx.downloadable_fonts.fallback_delay", -1);
// -------------------------------------
// Pref: Disable rendering of SVG OpenType fonts
// Pref : Disable rendering of SVG OpenType fonts
// https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this
user_pref("gfx.font_rendering.opentype_svg.enabled", false);
// -------------------------------------
// Pref: Disable WOFF2 (Web Open Font Format)
// Pref : Disable WOFF2 (Web Open Font Format)
user_pref("gfx.downloadable_fonts.woff2.enabled", false);
// -------------------------------------
// Pref: Disable CSS Font Loading API
// Pref : Disable CSS Font Loading API
// [NOTE] Disabling fonts can uglify the web a fair bit.
user_pref("layout.css.font-loading-api.enabled", false);
// -------------------------------------
// Pref: Disable special underline handling for a few fonts which you will probably never use
// Pref : Disable special underline handling for a few fonts which you will probably never use
// Any of these fonts on your system can be enumerated for fingerprinting.
// http://kb.mozillazine.org/Font.blacklist.underline_offset
user_pref("font.blacklist.underline_offset", "");
// -------------------------------------
// Pref: Disable graphite which turned back on by default
// Pref : Disable graphite which turned back on by default
// https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778
user_pref("gfx.font_rendering.graphite.enabled", false);
// -------------------------------------
// Pref: Limit system font exposure to a whitelist [RESTART]
// Pref : Limit system font exposure to a whitelist [RESTART]
// If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.
// [WARNING] Creating your own probably highly-unique whitelist will raise your entropy. Eventually privacy.resistFingerprinting will cover this.
// https://bugzilla.mozilla.org/1121643
@ -1007,7 +1019,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Plugins
// >>>>>>>>>>>>>>>>>>>>
// Pref: Set default plugin state (i.e. new plugins on discovery) to never activate
// Pref : Set default plugin state (i.e. new plugins on discovery) to never activate
// 0=disabled, 1=ask to activate, 2=active - you can override individual plugins
user_pref("plugin.default.state", 0);
// -------------------------------------
@ -1040,38 +1052,24 @@ user_pref("media.mediadrm-widevinecdm.visible", false); // [DEFAULT: true]
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Blocklists / Safe Browsing / Tracking Protection
// >>>>>>>>>>>>>>>>>>>>
// This section has security & tracking protection implications vs privacy concerns vs effectiveness vs 3rd party 'censorship'. If you disable Tracking Protection (TP) and/or Safe Browsing (SB), REQUIRES YOU HAVE uBLOCK ORIGIN INSTALLED.
// Pref : Enable add-on and certificate blocklists (OneCRL) from Mozilla
// Updated at interval defined in extensions.blocklist.interval
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 0);
user_pref("extensions.blocklist.enabled", false);
user_pref("extensions.blocklist.interval", 0);
user_pref("extensions.blocklist.level", 0);
user_pref("extensions.blocklist.pingCountTotal", 0);
user_pref("extensions.blocklist.pingCountVersion", 0);
user_pref("extensions.blocklist.url", "");
user_pref("services.blocklist.addons.signer", ""); // [DEFAULT: remote-settings.content-signature.mozilla.org]
user_pref("services.blocklist.bucket", "");
user_pref("services.blocklist.plugins.signer", "");
user_pref("services.blocklist.pinning.signer", ""); // [DEFAULT: pinning-preload.content-signature.mozilla.org]
user_pref("services.blocklist.pinning.bucket", "");
user_pref("services.blocklist.pinning.checked", 0);
user_pref("services.blocklist.pinning.collection", "");
user_pref("services.blocklist.pinning.enabled", false);
user_pref("services.blocklist.plugins.checked", 0);
user_pref("services.blocklist.plugins.collection", "");
// https://wiki.mozilla.org/Blocklisting
// https://blocked.cdn.mozilla.net/
// http://kb.mozillazine.org/Extensions.blocklist.enabled
// http://kb.mozillazine.org/Extensions.blocklist.url
// https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
// Updated at interval defined in extensions.blocklist.interval (default: 86400)
user_pref("extensions.blocklist.enabled", true);
// -------------------------------------
// Pref : Disable individual unwanted/unneeded parts of the Kinto blocklists
// What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
// As Firefox transitions to Kinto, the blocklists have been broken down into entries for certs to be revoked, extensions and plugins to be disabled, and gfx environments that cause problems or crashes
user_pref("services.blocklist.onecrl.signer", ""); // [DEFAULT: onecrl.content-signature.mozilla.org]
user_pref("services.blocklist.onecrl.checked", 0);
user_pref("services.blocklist.onecrl.collection", "");
user_pref("services.blocklist.addons.checked", 0);
user_pref("services.blocklist.addons.collection", "");
user_pref("services.blocklist.gfx.signer", ""); // [DEFAULT: remote-settings.content-signature.mozilla.org]
user_pref("services.blocklist.gfx.checked", 0);
user_pref("services.blocklist.gfx.collection", "");
// Pref : Decrease system information leakage to Mozilla blocklist update servers
// https://trac.torproject.org/projects/tor/ticket/16931
// https://www.reddit.com/r/firefox/comments/9v5lue/firefox_tip_sanitize_firefox_blocklist_url_so_it/
user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/"); // [URL SANITIZED]
// -------------------------------------
// Pref : Opt-out of add-on metadata updates
// https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
user_pref("extensions.getAddons.cache.enabled", false)
user_pref("extensions.getAddons.search.browseURL", "");
// -------------------------------------
// Pref : Disable Google Safe Browsing (Block dangerous and deceptive contents)
user_pref("browser.safebrowsing.allowOverride", false);
@ -1184,7 +1182,7 @@ user_pref("browser.cache.offline.capacity", 0);
// https://blog.mozilla.org/security/2018/02/12/restricting-appcache-secure-contexts/
user_pref("browser.cache.offline.insecure.enable", false);
// -------------------------------------
// Pref: Display a notification bar when websites offer data for offline use
// Pref : Display a notification bar when websites offer data for offline use
// http://kb.mozillazine.org/Browser.offline-apps.notify
user_pref("browser.offline-apps.notify", true); // [DEFAULT: true]
// -------------------------------------
@ -1308,15 +1306,18 @@ user_pref("dom.netinfo.enabled", false); // [DEFAULT: true]
// https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
// https://wiki.mozilla.org/HTML5_Speech_API
user_pref("media.webspeech.synth.enabled", false); // [DEFAULT: false]
user_pref("media.webspeech.synth_force_global_queue", false); // [DEFAULT: false]
// -------------------------------------
// Pref : Disable video statistics - JS performance fingerprinting
// https://trac.torproject.org/projects/tor/ticket/15757
// https://bugzilla.mozilla.org/654550
user_pref("media.video_stats.enabled", false); // [DEFAULT: true]
// -------------------------------------
// Pref : Disable touch events
// Fingerprinting attack vector - leaks screen res & actual screen coordinates
// Pref : Force touch events enabled by default
// Fingerprinting attack vector - leaks screen res & actual screen coordinates.
// 0=disabled, 1=enabled, 2=autodetect
// This pref is set to 2 by default, which results in the Touch API being exposed only when touch hardware is present. So we should either set it to "1" (enable) or "0" (disable) to ensure that JS code can't fingerprint the user's hardware.
// [FENNEC - BUG] If disabled, unables you to copy or paste any text.
// https://developer.mozilla.org/docs/Web/API/Touch_events
// https://trac.torproject.org/projects/tor/ticket/10286
user_pref("dom.w3c_touch_events.enabled", 1); // [DEFAULT: 2]
@ -1379,4 +1380,5 @@ user_pref("browser.ui.zoom.force-user-scalable", true); // [DEFAULT: false]
// https://bugzilla.mozilla.org/1502392
// http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
user_pref("browser.urlbar.autocomplete.enabled", false); // [DEFAULT: true]
// -------------------------------------
//
//
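Review bot: `user_pref("extensions.getAddons.cache.enabled", false)` in the relocated blocklist section (hunk `-1040,38 +1052,24`) is missing its terminating semicolon, unlike every other pref in the file and unlike the copy the first hunk removes from the Quiet Fox section; the stricter prefs parser in recent Firefox/Fennec reports a missing `;` as a syntax error and drops at least that pref, so it should read `user_pref("extensions.getAddons.cache.enabled", false);`. In the OCSP hunk, if `user_pref("security.OCSP.enabled", 0);` stays on the new side, the newly enabled `security.OCSP.require` has nothing to act on because no OCSP requests are issued at all, and the hard-fail behaviour the new comments describe only applies with `security.OCSP.enabled` set to 1; the header `// Pref : Enable OSCP (Online Certificate Status Protocol)` also misspells OCSP. In hunk `-172,13 +161,9`, `extensions.update.enabled` is turned on while the same region shows `extensions.update.url` and `extensions.update.background.url` cleared to `""`; if those lines survive on the new side, automatic add-on updates cannot reach any server, which is worth confirming before the "(need tests)" caveat is dropped.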