forked from d3cim/mobile_user.js
Update user.js
✅ Enabled addons autoupdate (need tests) ✅ Sanitized FFox blocklist URL (so it won't send identifiable information) ✅ Enforced the proxy server to do any DNS lookups when using SOCKS ✅ Added some descriptions into OCSP section ✅ Enabled require a valid OCSP ✅ Added OrangeManBad in credits ✅ Sorted and fixed some prefs response for OCSP enabled certificates ⛔️ Disabled more webspeech prefs ⛔️ Disabled some more webgl prefs
parent
61386840c9
commit
faac2e2858
122
user.js
122
user.js
|
@ -11,26 +11,19 @@
|
|||
// Based on : gHacks: https://github.com/ghacksuserjs/ghacks-user.js
|
||||
// Librefox: https://github.com/intika/Librefox
|
||||
// pyllyukko: https://github.com/pyllyukko/user.js
|
||||
// OrangeManBad: https://git.nixnet.xyz/OrangeManBad/user.js
|
||||
//
|
||||
// License : https://github.com/quindecim/fennec_user.js/blob/master/LICENSE.txt
|
||||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||
// Section : Quiet Fox
|
||||
// >>>>>>>>>>>>>>>>>>>>>
|
||||
// Pref : Disable auto-CHECKING for extension and theme updates
|
||||
// user_pref("extensions.update.enabled", false);
|
||||
// -------------------------------------
|
||||
// Pref : Disable app from auto-update
|
||||
user_pref("app.update.auto", false);
|
||||
user_pref("app.update.autodownload", "");
|
||||
user_pref("app.update.channel", "");
|
||||
user_pref("app.update.timerFirstInterval", -1);
|
||||
user_pref("app.update.timerMinimumDelay", -1);
|
||||
user_pref("app.update.url.android", "");
|
||||
// -------------------------------------
|
||||
// Pref : Opt-out of add-on metadata updates
|
||||
// https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
|
||||
user_pref("extensions.getAddons.cache.enabled", false);
|
||||
// -------------------------------------
|
||||
// Pref : Never check updates for search engines
|
||||
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking
|
||||
user_pref("browser.search.update", false);
|
||||
|
@ -129,10 +122,6 @@ user_pref("browser.chromeURL", "");
|
|||
user_pref("general.useragent.updates.url", "");
|
||||
// -------------------------------------
|
||||
// Pref : Block unwanted connections
|
||||
user_pref("extensions.getAddons.compatOverides.url", "");
|
||||
user_pref("extensions.getAddons.get.url", "");
|
||||
user_pref("extensions.getAddons.langpacks.url", "");
|
||||
user_pref("extensions.getAddons.search.browseURL", "");
|
||||
user_pref("extensions.getLocales.get.url", "");
|
||||
user_pref("identity.sync.tokenserver.uri", "");
|
||||
user_pref("media.decoder-doctor.new-issue-endpoint", "");
|
||||
|
@ -172,13 +161,9 @@ user_pref("layout.accessiblecaret.hapticfeedback", false); // [DEFAULT: true]
|
|||
// Pref :
|
||||
user_pref("dom.registerProtocolHandler.insecure.enabled", true);
|
||||
// -------------------------------------
|
||||
// Pref : Block list url disabled
|
||||
user_pref("extensions.blocklist.url", "");
|
||||
user_pref("extensions.blocklist.detailsURL", "");
|
||||
user_pref("extensions.blocklist.itemURL", "");
|
||||
user_pref("extensions.update.url", "");
|
||||
user_pref("extensions.update.background.url", "");
|
||||
user_pref("extensions.getAddons.browseAddons", "");
|
||||
// Pref : Updates addons automatically
|
||||
// https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/
|
||||
user_pref("extensions.update.enabled", true);
|
||||
// -------------------------------------
|
||||
// Pref : Disable Firefox Accounts and Sync
|
||||
user_pref("identity.fxaccounts.auth.uri", "");
|
||||
|
@ -230,7 +215,11 @@ user_pref("beacon.enabled", false);
|
|||
// https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html
|
||||
// https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
|
||||
// https://wiki.mozilla.org/HTML5_Speech_API
|
||||
user_pref("media.webspeech.recognition.enable", false);
|
||||
user_pref("media.webspeech.recognition.enable", false); // [DEFAULT: true]
|
||||
user_pref("media.webspeech.recognition.force_enable", false); // [DEFAULT: false]
|
||||
user_pref("media.webspeech.test.enable", false); // [DEFAULT: false]
|
||||
user_pref("media.webspeech.test.fake_fsm_events", false); // [DEFAULT: false]
|
||||
user_pref("media.webspeech.test.fake_recognition_service", false); // [DEFAULT: false]
|
||||
// -------------------------------------
|
||||
// Pref : Don't use Mozilla-provided location-specific search engines
|
||||
user_pref("browser.search.geoSpecificDefaults", false);
|
||||
|
@ -449,8 +438,10 @@ user_pref("webgl.disabled", true);
|
|||
user_pref("webgl.enable-webgl2", false);
|
||||
user_pref("webgl.min_capability_mode", true);
|
||||
user_pref("pdfjs.enableWebGL", false);
|
||||
user_pref("webgl.disable-extensions", true);
|
||||
user_pref("webgl.disable-extensions", true); // [DEFAULT: false]
|
||||
user_pref("webgl.disable-wgl", true); // [DEFAULT: false]
|
||||
user_pref("webgl.disable-fail-if-major-performance-caveat", true);
|
||||
user_pref("webgl.can-lose-context-in-foreground", false); // [DEFAULT: true]
|
||||
// -------------------------------------
|
||||
// Pref : Disable audiocapture
|
||||
user_pref("media.getusermedia.browser.enabled", false);
|
||||
|
@ -611,7 +602,7 @@ user_pref("network.dns.disableIPv6", true);
|
|||
// e.g. in Tor, this stops your local DNS server from knowing your Tor destination as a remote Tor node will handle the DNS request
|
||||
// http://kb.mozillazine.org/Network.proxy.socks_remote_dns
|
||||
// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
|
||||
// user_pref("network.proxy.socks_remote_dns", true);
|
||||
user_pref("network.proxy.socks_remote_dns", true);
|
||||
// -------------------------------------
|
||||
// Pref : Remove paths when sending URLs to PAC scripts
|
||||
// CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
|
||||
|
@ -667,12 +658,33 @@ user_pref("security.ssl.errorReporting.url", "");
|
|||
// https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/
|
||||
user_pref("security.tls.enable_0rtt_data", false);
|
||||
// -------------------------------------
|
||||
// Pref : Check disabled section
|
||||
// OCSP Leaks the visited sited exactly same issue as safebrowsing.
|
||||
// Stapling have the site itself proof that his certificate is good through the CA so apparently nothing is leaked in this case.
|
||||
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
|
||||
// Pref : Require a valid OCSP response for OCSP enabled certificates
|
||||
// https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA
|
||||
// Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses
|
||||
// [NOTE] `security.OCSP.require` will make the connection fail when the OCSP responder is unavailable
|
||||
// [NOTE] `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal)
|
||||
user_pref("security.OCSP.require", true);
|
||||
// -------------------------------------
|
||||
// Pref : Enable OSCP (Online Certificate Status Protocol)
|
||||
// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
|
||||
// https://www.imperialviolet.org/2014/04/19/revchecking.html
|
||||
// https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/
|
||||
// https://wiki.mozilla.org/CA:RevocationPlan
|
||||
// https://wiki.mozilla.org/CA:ImprovingRevocation
|
||||
// https://wiki.mozilla.org/CA:OCSP-HardFail
|
||||
// https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html
|
||||
// https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html
|
||||
// [NOTE] OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
|
||||
// [NOTE] OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
|
||||
// [NOTE] OCSP adds latency (performance)
|
||||
// [NOTE] Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
|
||||
// CIS Version 1.2.0 October 21st, 2011 2.2.4
|
||||
user_pref("security.OCSP.enabled", 0);
|
||||
user_pref("security.OCSP.require", false);
|
||||
// -------------------------------------
|
||||
// Pref : Enable OCSP Stapling support
|
||||
// Stapling have the site itself proof that his certificate is good through the CA so apparently nothing is leaked in this case.
|
||||
// https://en.wikipedia.org/wiki/OCSP_stapling
|
||||
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
|
||||
user_pref("security.ssl.enable_ocsp_stapling", true);
|
||||
// -------------------------------------
|
||||
// Pref : Disallow SHA-1
|
||||
|
@ -1040,38 +1052,24 @@ user_pref("media.mediadrm-widevinecdm.visible", false); // [DEFAULT: true]
|
|||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||
// Section : Blocklists / Safe Browsing / Tracking Protection
|
||||
// >>>>>>>>>>>>>>>>>>>>
|
||||
// This section has security & tracking protection implications vs privacy concerns vs effectiveness vs 3rd party 'censorship'. If you disable Tracking Protection (TP) and/or Safe Browsing (SB), REQUIRES YOU HAVE uBLOCK ORIGIN INSTALLED.
|
||||
// Pref : Enable add-on and certificate blocklists (OneCRL) from Mozilla
|
||||
// Updated at interval defined in extensions.blocklist.interval
|
||||
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 0);
|
||||
user_pref("extensions.blocklist.enabled", false);
|
||||
user_pref("extensions.blocklist.interval", 0);
|
||||
user_pref("extensions.blocklist.level", 0);
|
||||
user_pref("extensions.blocklist.pingCountTotal", 0);
|
||||
user_pref("extensions.blocklist.pingCountVersion", 0);
|
||||
user_pref("extensions.blocklist.url", "");
|
||||
user_pref("services.blocklist.addons.signer", ""); // [DEFAULT: remote-settings.content-signature.mozilla.org]
|
||||
user_pref("services.blocklist.bucket", "");
|
||||
user_pref("services.blocklist.plugins.signer", "");
|
||||
user_pref("services.blocklist.pinning.signer", ""); // [DEFAULT: pinning-preload.content-signature.mozilla.org]
|
||||
user_pref("services.blocklist.pinning.bucket", "");
|
||||
user_pref("services.blocklist.pinning.checked", 0);
|
||||
user_pref("services.blocklist.pinning.collection", "");
|
||||
user_pref("services.blocklist.pinning.enabled", false);
|
||||
user_pref("services.blocklist.plugins.checked", 0);
|
||||
user_pref("services.blocklist.plugins.collection", "");
|
||||
// https://wiki.mozilla.org/Blocklisting
|
||||
// https://blocked.cdn.mozilla.net/
|
||||
// http://kb.mozillazine.org/Extensions.blocklist.enabled
|
||||
// http://kb.mozillazine.org/Extensions.blocklist.url
|
||||
// https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
|
||||
// Updated at interval defined in extensions.blocklist.interval (default: 86400)
|
||||
user_pref("extensions.blocklist.enabled", true);
|
||||
// -------------------------------------
|
||||
// Pref : Disable individual unwanted/unneeded parts of the Kinto blocklists
|
||||
// What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
|
||||
// As Firefox transitions to Kinto, the blocklists have been broken down into entries for certs to be revoked, extensions and plugins to be disabled, and gfx environments that cause problems or crashes
|
||||
user_pref("services.blocklist.onecrl.signer", ""); // [DEFAULT: onecrl.content-signature.mozilla.org]
|
||||
user_pref("services.blocklist.onecrl.checked", 0);
|
||||
user_pref("services.blocklist.onecrl.collection", "");
|
||||
user_pref("services.blocklist.addons.checked", 0);
|
||||
user_pref("services.blocklist.addons.collection", "");
|
||||
user_pref("services.blocklist.gfx.signer", ""); // [DEFAULT: remote-settings.content-signature.mozilla.org]
|
||||
user_pref("services.blocklist.gfx.checked", 0);
|
||||
user_pref("services.blocklist.gfx.collection", "");
|
||||
// Pref : Decrease system information leakage to Mozilla blocklist update servers
|
||||
// https://trac.torproject.org/projects/tor/ticket/16931
|
||||
// https://www.reddit.com/r/firefox/comments/9v5lue/firefox_tip_sanitize_firefox_blocklist_url_so_it/
|
||||
user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/"); // [URL SANITIZED]
|
||||
// -------------------------------------
|
||||
// Pref : Opt-out of add-on metadata updates
|
||||
// https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
|
||||
user_pref("extensions.getAddons.cache.enabled", false)
|
||||
user_pref("extensions.getAddons.search.browseURL", "");
|
||||
// -------------------------------------
|
||||
// Pref : Disable Google Safe Browsing (Block dangerous and deceptive contents)
|
||||
user_pref("browser.safebrowsing.allowOverride", false);
|
||||
|
@ -1308,15 +1306,18 @@ user_pref("dom.netinfo.enabled", false); // [DEFAULT: true]
|
|||
// https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
|
||||
// https://wiki.mozilla.org/HTML5_Speech_API
|
||||
user_pref("media.webspeech.synth.enabled", false); // [DEFAULT: false]
|
||||
user_pref("media.webspeech.synth_force_global_queue", false); // [DEFAULT: false]
|
||||
// -------------------------------------
|
||||
// Pref : Disable video statistics - JS performance fingerprinting
|
||||
// https://trac.torproject.org/projects/tor/ticket/15757
|
||||
// https://bugzilla.mozilla.org/654550
|
||||
user_pref("media.video_stats.enabled", false); // [DEFAULT: true]
|
||||
// -------------------------------------
|
||||
// Pref : Disable touch events
|
||||
// Fingerprinting attack vector - leaks screen res & actual screen coordinates
|
||||
// Pref : Force touch events enabled by default
|
||||
// Fingerprinting attack vector - leaks screen res & actual screen coordinates.
|
||||
// 0=disabled, 1=enabled, 2=autodetect
|
||||
// This pref is set to 2 by default, which results in the Touch API being exposed only when touch hardware is present. So we should either set it to "1" (enable) or "0" (disable) to ensure that JS code can't fingerprint the user's hardware.
|
||||
// [FENNEC - BUG] If disabled, unables you to copy or paste any text.
|
||||
// https://developer.mozilla.org/docs/Web/API/Touch_events
|
||||
// https://trac.torproject.org/projects/tor/ticket/10286
|
||||
user_pref("dom.w3c_touch_events.enabled", 1); // [DEFAULT: 2]
|
||||
|
@ -1379,4 +1380,5 @@ user_pref("browser.ui.zoom.force-user-scalable", true); // [DEFAULT: false]
|
|||
// https://bugzilla.mozilla.org/1502392
|
||||
// http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
|
||||
user_pref("browser.urlbar.autocomplete.enabled", false); // [DEFAULT: true]
|
||||
// -------------------------------------
|
||||
//
|
||||
//
|
||||
|
|
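Review bot: The line `user_pref("extensions.getAddons.cache.enabled", false)` near the end of the blocklist hunk (`@ -1040,38 +1052,24 @`) has no terminating semicolon, although the same pref in the first hunk still had one. Firefox's prefs parser treats this as a syntax error and, depending on the version, may stop reading user.js at that point or skip ahead to the next `;`, so this pref, the `extensions.getAddons.search.browseURL` line after it, and possibly the rest of the file could silently go unapplied. Restore it as `user_pref("extensions.getAddons.cache.enabled", false);`. Separately, in the OCSP hunk the new `user_pref("security.OCSP.require", true);` appears alongside `user_pref("security.OCSP.enabled", 0);` under a heading that reads "Enable OSCP". If that line is kept (the rendered page no longer shows which side each line is on), OCSP fetching stays off and the hard-fail setting likely has nothing to act on, so either set it to `1` or reword the heading and commit message to say OCSP remains disabled.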