Update user.js

 Enabled addons autoupdate (need tests)
 Sanitized FFox blocklist URL (so it won't send identifiable information)
 Enforced the proxy server to do any DNS lookups when using SOCKS
 Added some descriptions into OCSP section
 Enabled require a valid OCSP
 Added OrangeManBad in credits
 Sorted and fixed some prefs for OCSP responses on OCSP-enabled certificates
 Disabled more webspeech prefs
 Disabled some more webgl prefs
This commit is contained in:
quindecim 2019-05-04 17:30:35 +00:00 committed by GitHub
parent 61386840c9
commit faac2e2858
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 74 additions and 72 deletions

user.js

@ -11,26 +11,19 @@
// Based on : gHacks: https://github.com/ghacksuserjs/ghacks-user.js
// Librefox: https://github.com/intika/Librefox
// pyllyukko: https://github.com/pyllyukko/user.js
// OrangeManBad: https://git.nixnet.xyz/OrangeManBad/user.js
//
// License : https://github.com/quindecim/fennec_user.js/blob/master/LICENSE.txt
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Quiet Fox
// >>>>>>>>>>>>>>>>>>>>>
// Pref : Disable auto-CHECKING for extension and theme updates
// user_pref("extensions.update.enabled", false);
// -------------------------------------
// Pref : Disable app from auto-update
user_pref("app.update.auto", false);
user_pref("app.update.autodownload", "");
user_pref("app.update.channel", "");
user_pref("app.update.timerFirstInterval", -1);
user_pref("app.update.timerMinimumDelay", -1);
user_pref("app.update.url.android", "");
// -------------------------------------
// Pref : Opt-out of add-on metadata updates
// https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
user_pref("extensions.getAddons.cache.enabled", false);
// -------------------------------------
// Pref : Never check updates for search engines
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking
user_pref("browser.search.update", false);
@ -129,10 +122,6 @@ user_pref("browser.chromeURL", "");
user_pref("general.useragent.updates.url", "");
// -------------------------------------
// Pref : Block unwanted connections
user_pref("extensions.getAddons.compatOverides.url", "");
user_pref("extensions.getAddons.get.url", "");
user_pref("extensions.getAddons.langpacks.url", "");
user_pref("extensions.getAddons.search.browseURL", "");
user_pref("extensions.getLocales.get.url", "");
user_pref("identity.sync.tokenserver.uri", "");
user_pref("media.decoder-doctor.new-issue-endpoint", "");
@ -172,13 +161,9 @@ user_pref("layout.accessiblecaret.hapticfeedback", false); // [DEFAULT: true]
// Pref :
user_pref("dom.registerProtocolHandler.insecure.enabled", true);
// -------------------------------------
// Pref : Block list url disabled
user_pref("extensions.blocklist.url", "");
user_pref("extensions.blocklist.detailsURL", "");
user_pref("extensions.blocklist.itemURL", "");
user_pref("extensions.update.url", "");
user_pref("extensions.update.background.url", "");
user_pref("extensions.getAddons.browseAddons", "");
// Pref : Updates addons automatically
// https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/
user_pref("extensions.update.enabled", true);
// -------------------------------------
// Pref : Disable Firefox Accounts and Sync
user_pref("identity.fxaccounts.auth.uri", "");
@ -230,7 +215,11 @@ user_pref("beacon.enabled", false);
// https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html
// https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
// https://wiki.mozilla.org/HTML5_Speech_API
user_pref("media.webspeech.recognition.enable", false);
user_pref("media.webspeech.recognition.enable", false); // [DEFAULT: true]
user_pref("media.webspeech.recognition.force_enable", false); // [DEFAULT: false]
user_pref("media.webspeech.test.enable", false); // [DEFAULT: false]
user_pref("media.webspeech.test.fake_fsm_events", false); // [DEFAULT: false]
user_pref("media.webspeech.test.fake_recognition_service", false); // [DEFAULT: false]
// -------------------------------------
// Pref : Don't use Mozilla-provided location-specific search engines
user_pref("browser.search.geoSpecificDefaults", false);
@ -449,8 +438,10 @@ user_pref("webgl.disabled", true);
user_pref("webgl.enable-webgl2", false);
user_pref("webgl.min_capability_mode", true);
user_pref("pdfjs.enableWebGL", false);
user_pref("webgl.disable-extensions", true);
user_pref("webgl.disable-extensions", true); // [DEFAULT: false]
user_pref("webgl.disable-wgl", true); // [DEFAULT: false]
user_pref("webgl.disable-fail-if-major-performance-caveat", true);
user_pref("webgl.can-lose-context-in-foreground", false); // [DEFAULT: true]
// -------------------------------------
// Pref : Disable audiocapture
user_pref("media.getusermedia.browser.enabled", false);
@ -611,7 +602,7 @@ user_pref("network.dns.disableIPv6", true);
// e.g. in Tor, this stops your local DNS server from knowing your Tor destination as a remote Tor node will handle the DNS request
// http://kb.mozillazine.org/Network.proxy.socks_remote_dns
// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
// user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.socks_remote_dns", true);
// -------------------------------------
// Pref : Remove paths when sending URLs to PAC scripts
// CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
@ -667,12 +658,33 @@ user_pref("security.ssl.errorReporting.url", "");
// https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/
user_pref("security.tls.enable_0rtt_data", false);
// -------------------------------------
// Pref : Check disabled section
// OCSP Leaks the visited sited exactly same issue as safebrowsing.
// Stapling have the site itself proof that his certificate is good through the CA so apparently nothing is leaked in this case.
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
// Pref : Require a valid OCSP response for OCSP enabled certificates
// https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA
// Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses
// [NOTE] `security.OCSP.require` will make the connection fail when the OCSP responder is unavailable
// [NOTE] `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal)
user_pref("security.OCSP.require", true);
// -------------------------------------
// Pref : Enable OSCP (Online Certificate Status Protocol)
// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
// https://www.imperialviolet.org/2014/04/19/revchecking.html
// https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/
// https://wiki.mozilla.org/CA:RevocationPlan
// https://wiki.mozilla.org/CA:ImprovingRevocation
// https://wiki.mozilla.org/CA:OCSP-HardFail
// https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html
// https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html
// [NOTE] OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
// [NOTE] OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
// [NOTE] OCSP adds latency (performance)
// [NOTE] Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
// CIS Version 1.2.0 October 21st, 2011 2.2.4
user_pref("security.OCSP.enabled", 0);
user_pref("security.OCSP.require", false);
// -------------------------------------
// Pref : Enable OCSP Stapling support
// Stapling have the site itself proof that his certificate is good through the CA so apparently nothing is leaked in this case.
// https://en.wikipedia.org/wiki/OCSP_stapling
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
user_pref("security.ssl.enable_ocsp_stapling", true);
// -------------------------------------
// Pref : Disallow SHA-1
@ -1040,38 +1052,24 @@ user_pref("media.mediadrm-widevinecdm.visible", false); // [DEFAULT: true]
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Blocklists / Safe Browsing / Tracking Protection
// >>>>>>>>>>>>>>>>>>>>
// This section has security & tracking protection implications vs privacy concerns vs effectiveness vs 3rd party 'censorship'. If you disable Tracking Protection (TP) and/or Safe Browsing (SB), REQUIRES YOU HAVE uBLOCK ORIGIN INSTALLED.
// Pref : Enable add-on and certificate blocklists (OneCRL) from Mozilla
// Updated at interval defined in extensions.blocklist.interval
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 0);
user_pref("extensions.blocklist.enabled", false);
user_pref("extensions.blocklist.interval", 0);
user_pref("extensions.blocklist.level", 0);
user_pref("extensions.blocklist.pingCountTotal", 0);
user_pref("extensions.blocklist.pingCountVersion", 0);
user_pref("extensions.blocklist.url", "");
user_pref("services.blocklist.addons.signer", ""); // [DEFAULT: remote-settings.content-signature.mozilla.org]
user_pref("services.blocklist.bucket", "");
user_pref("services.blocklist.plugins.signer", "");
user_pref("services.blocklist.pinning.signer", ""); // [DEFAULT: pinning-preload.content-signature.mozilla.org]
user_pref("services.blocklist.pinning.bucket", "");
user_pref("services.blocklist.pinning.checked", 0);
user_pref("services.blocklist.pinning.collection", "");
user_pref("services.blocklist.pinning.enabled", false);
user_pref("services.blocklist.plugins.checked", 0);
user_pref("services.blocklist.plugins.collection", "");
// https://wiki.mozilla.org/Blocklisting
// https://blocked.cdn.mozilla.net/
// http://kb.mozillazine.org/Extensions.blocklist.enabled
// http://kb.mozillazine.org/Extensions.blocklist.url
// https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
// Updated at interval defined in extensions.blocklist.interval (default: 86400)
user_pref("extensions.blocklist.enabled", true);
// -------------------------------------
// Pref : Disable individual unwanted/unneeded parts of the Kinto blocklists
// What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
// As Firefox transitions to Kinto, the blocklists have been broken down into entries for certs to be revoked, extensions and plugins to be disabled, and gfx environments that cause problems or crashes
user_pref("services.blocklist.onecrl.signer", ""); // [DEFAULT: onecrl.content-signature.mozilla.org]
user_pref("services.blocklist.onecrl.checked", 0);
user_pref("services.blocklist.onecrl.collection", "");
user_pref("services.blocklist.addons.checked", 0);
user_pref("services.blocklist.addons.collection", "");
user_pref("services.blocklist.gfx.signer", ""); // [DEFAULT: remote-settings.content-signature.mozilla.org]
user_pref("services.blocklist.gfx.checked", 0);
user_pref("services.blocklist.gfx.collection", "");
// Pref : Decrease system information leakage to Mozilla blocklist update servers
// https://trac.torproject.org/projects/tor/ticket/16931
// https://www.reddit.com/r/firefox/comments/9v5lue/firefox_tip_sanitize_firefox_blocklist_url_so_it/
user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/"); // [URL SANITIZED]
// -------------------------------------
// Pref : Opt-out of add-on metadata updates
// https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
user_pref("extensions.getAddons.cache.enabled", false)
user_pref("extensions.getAddons.search.browseURL", "");
// -------------------------------------
// Pref : Disable Google Safe Browsing (Block dangerous and deceptive contents)
user_pref("browser.safebrowsing.allowOverride", false);
@ -1308,15 +1306,18 @@ user_pref("dom.netinfo.enabled", false); // [DEFAULT: true]
// https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
// https://wiki.mozilla.org/HTML5_Speech_API
user_pref("media.webspeech.synth.enabled", false); // [DEFAULT: false]
user_pref("media.webspeech.synth_force_global_queue", false); // [DEFAULT: false]
// -------------------------------------
// Pref : Disable video statistics - JS performance fingerprinting
// https://trac.torproject.org/projects/tor/ticket/15757
// https://bugzilla.mozilla.org/654550
user_pref("media.video_stats.enabled", false); // [DEFAULT: true]
// -------------------------------------
// Pref : Disable touch events
// Fingerprinting attack vector - leaks screen res & actual screen coordinates
// Pref : Force touch events enabled by default
// Fingerprinting attack vector - leaks screen res & actual screen coordinates.
// 0=disabled, 1=enabled, 2=autodetect
// This pref is set to 2 by default, which results in the Touch API being exposed only when touch hardware is present. So we should either set it to "1" (enable) or "0" (disable) to ensure that JS code can't fingerprint the user's hardware.
// [FENNEC - BUG] If disabled, unables you to copy or paste any text.
// https://developer.mozilla.org/docs/Web/API/Touch_events
// https://trac.torproject.org/projects/tor/ticket/10286
user_pref("dom.w3c_touch_events.enabled", 1); // [DEFAULT: 2]
@ -1379,4 +1380,5 @@ user_pref("browser.ui.zoom.force-user-scalable", true); // [DEFAULT: false]
// https://bugzilla.mozilla.org/1502392
// http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
user_pref("browser.urlbar.autocomplete.enabled", false); // [DEFAULT: true]
// -------------------------------------
//
//
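Review bot: In the `@ -667,12 +658,33 @@` hunk `security.OCSP.require` is set to true, but `security.OCSP.enabled` appears to stay at 0 on the new side (the +/- markers are lost in this rendering) under a heading that reads "Enable OSCP", and with OCSP fetching disabled the require pref is inert, so the hard-fail revocation checking the commit message claims is not actually in force. If hard-fail is the intent, the line should read `user_pref("security.OCSP.enabled", 1);` (1 = all certificates, 2 = EV certificates only) and the heading spelling corrected to "OCSP"; if keeping OCSP fetching off for the privacy reasons the [NOTE] lines give is the intent, the require line and its MitM remark are misleading and should say the setting has no effect until OCSP is enabled. Separately, the moved line `user_pref("extensions.getAddons.cache.enabled", false)` in the blocklist hunk lacks its trailing semicolon; the Firefox prefs parser reports that as a parse error and, depending on its recovery, prefs after it may not be applied, so it should read `user_pref("extensions.getAddons.cache.enabled", false);`.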