diff --git a/config/mozilla.cfg b/config/mozilla.cfg
index 6652cd4..62322ac 100644
--- a/config/mozilla.cfg
+++ b/config/mozilla.cfg
@@ -60,7 +60,6 @@ lockPref("browser.newtabpage.activity-stream.feeds.snippets", false); // [DESKTO
 // Pref : Disable Activity Stream telemetry
 lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false); // [DESKTOP]
 lockPref("browser.newtabpage.activity-stream.telemetry", false); // [DESKTOP]
-lockPref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", ""); // [DESKTOP]
 lockPref("browser.newtabpage.activity-stream.telemetry.ut.events", false); // [DESKTOP]
 lockPref("browser.newtabpage.activity-stream.telemetry.structuredIngestion", false); // [DESKTOP]
 lockPref("browser.newtabpage.activity-stream.telemetry.structuredIngestion.endpoint", ""); // [DESKTOP]
@@ -293,7 +292,6 @@ lockPref("toolkit.telemetry.shutdownPingSender.enabled", false); // [DESKTOP]
 lockPref("toolkit.telemetry.updatePing.enabled", false); // [DESKTOP]
 lockPref("toolkit.telemetry.bhrPing.enabled", false); // [DESKTOP]
 lockPref("toolkit.telemetry.firstShutdownPing.enabled", false); // [DESKTOP]
-lockPref("toolkit.telemetry.hybridContent.enabled", false); // [DESKTOP]
 lockPref("toolkit.telemetry.previousBuildID", ""); // [DESKTOP]
 lockPref("toolkit.telemetry.prompted", 2); // [DESKTOP]
 lockPref("toolkit.telemetry.rejected", true); // [DESKTOP]
@@ -458,8 +456,8 @@ defaultPref("layout.spellcheckDefault", 0); // [DESKTOP]
 // -------------------------------------
 // Pref : Enable Firefox internal pages and disable the related warnings
 lockPref("general.aboutConfig.enable", true);
-lockPref("general.warnOnAboutConfig", false);
-lockPref("browser.aboutConfig.showWarning", false); // [DESKTOP]
+lockPref("general.warnOnAboutConfig", false); // [XUL]
+lockPref("browser.aboutConfig.showWarning", false); // [DESKTOP] // [HTML]
 // -------------------------------------
 // Pref : Disable recent Highlights in the Library
 lockPref("browser.library.activity-stream.enabled", false); // [DESKTOP]
@@ -525,8 +523,6 @@ lockPref("startup.homepage_welcome_url.additional", ""); // [DESKTOP]
 lockPref("startup.homepage_override_url", ""); // [DESKTOP]
 lockPref("browser.search.param.yahoo-fr", ""); // [DESKTOP]
 lockPref("privacy.restrict3rdpartystorage.partitionedHosts", "");
-lockPref("network.netlink.route.check.IPv4", "");
-lockPref("network.netlink.route.check.IPv6", "");
 // -------------------------------------
 // Pref : Devtools cleanup
 lockPref("devtools.devices.url", "");
@@ -915,8 +911,11 @@ lockPref("browser.download.hide_plugins_without_extensions", false); // [DESKTOP
 lockPref("dom.event.contextmenu.enabled", false);
 // -------------------------------------
 // Pref : Disable website access to clipboard events/content
-// Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...)
+// This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website
+// [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one is default (false) then enabling this pref can leak clipboard content
 // https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
+// https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/
+// https://bugzilla.mozilla.org/1528289
 lockPref("dom.event.clipboardevents.enabled", false);
 // -------------------------------------
 // Pref : Disable "Confirm you want to leave" dialog on page close
@@ -981,9 +980,9 @@ lockPref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: false]
 // Pref : Don't reveal build ID
 // Value taken from Tor Browser for Desktop
 // https://bugzilla.mozilla.org/show_bug.cgi?id=583181
-lockPref("browser.startup.homepage_override.buildID", "20190402030101");
+lockPref("browser.startup.homepage_override.buildID", "20200402050101");
 lockPref("extensions.lastAppBuildId", "20190402030101");
-lockPref("media.gmp-manager.buildID", "20190402030101");
+lockPref("media.gmp-manager.buildID", "20200402050101");
 lockPref("browser.sessionstore.upgradeBackup.latestBuildID", ""); // [DESKTOP]
 lockPref("general.buildID.override", "20100101");
 // -------------------------------------
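Review bot: The new [WARNING] line in the clipboard-events comment has unbalanced parentheses (`(at least one is default (false)` never closes) and "enabling this pref" is ambiguous in a block that locks the pref to false. Reworded as `// [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one of them is false by default), leaving this pref enabled can leak clipboard content` it states the same facts unambiguously. The removed line was the only place that recorded the breakage side of this setting; keeping it as `// [NOTE] Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste in JS-based web applications (Google Docs...)` preserves that caveat for readers deciding whether to keep the lock.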
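Review bot: `extensions.lastAppBuildId` is left at `"20190402030101"` while the two neighbouring buildID prefs in this hunk are bumped to `"20200402050101"`, although the block comment says these values are all taken from Tor Browser. If the point is to present one consistent spoofed build ID, the middle line should become `lockPref("extensions.lastAppBuildId", "20200402050101");`; if the mismatch is deliberate, a short comment on that line saying why would stop the next reader from "fixing" it.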
@@ -1027,6 +1026,8 @@ lockPref("webgl.all-angle-options", false);
 lockPref("webgl.allow-immediate-queries", false);
 lockPref("webgl.default-antialias", false);
 lockPref("webgl.enable-surface-texture", false);
+lockPref("webgl.cgl.multithreaded", false);
+lockPref("webgl.dxgl.enabled", false);
 // -------------------------------------
 // Pref : Disable screensharing and audiocapture
 lockPref("media.getusermedia.screensharing.enabled", false); // [DESKTOP]
@@ -1133,7 +1134,6 @@ lockPref("browser.urlbar.usepreloadedtopurls.enabled", false); // [DESKTOP]
 // Pref : Disable Firefox Tips / Search suggestions
 lockPref("browser.urlbar.daysBeforeHidingSuggestionsPrompt", 0); // [DESKTOP]
 lockPref("browser.urlbar.searchSuggestionsChoice", false); // [DESKTOP]
-lockPref("browser.urlbar.timesBeforeHidingSuggestionsHint", 0); // [DESKTOP]
 // -------------------------------------
 // Pref : Disable history/bookmarks/opened pages suggestions dropdown from URL bar
 // [NOTE] This does not cause privacy/leaking issue
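Review bot: The two added lines, `webgl.cgl.multithreaded` and `webgl.dxgl.enabled`, carry no platform tag, whereas this file marks platform-specific prefs in the bracket style used on `plugin.scan.plid.all` (`// [WINDOWS] // [DESKTOP]`). The names suggest backends that exist only on macOS (CGL) and Windows (DXGL) respectively; if that is right, tagging each line with its platform keeps the block consistent and tells readers on other platforms they can ignore them.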
@@ -1347,8 +1347,12 @@ lockPref("network.negotiate-auth.allow-insecure-ntlm-v1", false); // [DESKTOP]
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // Section : HTTPS (SSL/TLS / OCSP / Certs / HPKP / Ciphers)
 // >>>>>>>>>>>>>>>>>>>>
-// Pref : Disable old SSL/TLS "insecure" renegotiation (vulnerable to a MiTM attack)
+// Pref : Require safe negotiation
+// Blocks connections to servers that don't support RFC 5746 as they're potentially vulnerable to a MiTM attack. A server *without* RFC 5746 can be safe from the attack if it disables renegotiations but the problem is that the browser can't know that.
+// Setting this pref to true is the only way for the browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server.
 // https://wiki.mozilla.org/Security:Renegotiation
+// https://tools.ietf.org/html/rfc5746
+// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
 lockPref("security.ssl.require_safe_negotiation", true);
 // -------------------------------------
 // Pref : Control TLS versions with min and max
@@ -1532,9 +1536,10 @@ lockPref("security.ssl3.ecdhe_rsa_rc4_128_sha", false); // [DESKTOP]
 lockPref("security.ssl3.rsa_rc4_128_md5", false); // [DESKTOP]
 lockPref("security.ssl3.rsa_rc4_128_sha", false); // [DESKTOP]
 // -------------------------------------
-// Pref : Warn the user when server doesn't support RFC 5746 ("safe" renegotiation)
-// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
-// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
+// Pref : Display warning on the padlock for "broken security"
+// [BUG] Warning padlock not indicated for subresources on a secure page!
+// https://wiki.mozilla.org/Security:Renegotiation
+// https://bugzilla.mozilla.org/1353705
 lockPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 // -------------------------------------
 // Pref : Control "Add Security Exception" dialog on SSL warnings
@@ -1595,6 +1600,8 @@ lockPref("signon.management.page.breachAlertUrl", ""); // [DESKTOP]
 lockPref("signon.management.page.hideMobileFooter", true); // [DESKTOP]
 lockPref("signon.management.page.mobileAndroidURL", ""); // [DESKTOP]
 lockPref("signon.management.page.mobileAppleURL", ""); // [DESKTOP]
+lockPref("signon.management.page.showPasswordSyncNotification", false); // [DESKTOP]
+lockPref("signon.storeSignons", true); // [DESKTOP] (// Disable login manager storage. https://hg.mozilla.org/integration/autoland/rev/300057f0ec79)
 // -------------------------------------
 // Pref : Disable autofilling saved passwords on HTTP pages and show warning
 // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1217152,1319119
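Review bot: The trailing comment on the new `signon.storeSignons` line contradicts the value: it says "Disable login manager storage" but the pref is locked to `true`, which keeps storage on and, being a lockPref, removes the user's ability to ever turn it off. Either the intent is to disable storage and the value should be `false`, or the comment should describe what `true` does, e.g. `lockPref("signon.storeSignons", true); // [DESKTOP] set to false to disable login manager storage - https://hg.mozilla.org/integration/autoland/rev/300057f0ec79`. The nested `(// ...)` form also departs from the `// [TAG] // note` style used on the surrounding lines. If users should be free to stop saving passwords themselves, `defaultPref` rather than `lockPref` leaves that choice open.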
@@ -1837,8 +1844,10 @@ defaultPref("layout.css.font-loading-api.enabled", false);
 // https://github.com/ghacksuserjs/ghacks-user.js/issues/744
 // lockPref("font.blacklist.underline_offset", "");
 // -------------------------------------
-// Pref : Disable graphite which turned back on by default
+// Pref : Disable graphite
+// [NOTE] Graphite has had many critical security issues in the past
 // https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778
+// https://en.wikipedia.org/wiki/Graphite_(SIL)
 lockPref("gfx.font_rendering.graphite.enabled", false);
 // -------------------------------------
 // Pref : Limit system font exposure to a whitelist [RESTART]
@@ -1858,7 +1867,6 @@ lockPref("plugins.crash.supportUrl", ""); // [DESKTOP]
 // Pref : Set default plugin state (i.e. new plugins on discovery) to never activate
 // 0=disabled, 1=ask to activate, 2=active - you can override individual plugins
 lockPref("plugin.default.state", 0);
-lockPref("plugin.defaultXpi.state", 0);
 // -------------------------------------
 // Pref : Disable scanning for plugins
 lockPref("plugin.scan.plid.all", false); // [WINDOWS] // [DESKTOP]
@@ -1934,11 +1942,11 @@ lockPref("services.blocklist.gfx.collection", "");
 lockPref("services.blocklist.bucket", "");
 lockPref("services.blocklist.addons.signer", ""); // [DESKTOP]
 lockPref("services.blocklist.addons.collection", "");
-// lockPref("extensions.blocklist.level", 2); // [DEFAULT: 2]
 lockPref("extensions.blocklist.lastModified", ""); // [DESKTOP]
 lockPref("extensions.blocklist.itemURL", "");
 lockPref("extensions.blocklist.enabled", false);
 lockPref("extensions.blocklist.detailsURL", "");
+lockPref("extensions.blocklist.useXML", false);
 lockPref("services.settings.security.onecrl.bucket", "");
 lockPref("services.settings.security.onecrl.collection", "");
 lockPref("services.settings.security.onecrl.signer", "");
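Review bot: The new `extensions.blocklist.useXML` line in the third hunk has no comment saying what it selects or why it is locked, and it sits two lines below `extensions.blocklist.enabled` locked to `false`, so a reader cannot tell whether it matters while the blocklist is off. The name suggests it chooses between the XML and the remote-settings blocklist format; if so, a line such as `// [NOTE] selects the blocklist format - only relevant if extensions.blocklist.enabled is turned back on` records the intent. The commented-out `extensions.blocklist.level` line is dropped without a note in the same hunk; if the pref is gone from Firefox, saying so (as the FF72+ entries at the end of the file do) avoids a reader re-adding it.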
@@ -2071,8 +2079,6 @@ lockPref("privacy.socialtracking.block_cookies.enabled", false); // [DESKTOP]
 // Pref : Disable PingCentre telemetry (used in several System Add-ons)
 // Currently blocked by 'datareporting.healthreport.uploadEnabled'
 lockPref("browser.ping-centre.telemetry", false); // [DESKTOP]
-lockPref("browser.ping-centre.production.endpoint", ""); // [DESKTOP]
-lockPref("browser.ping-centre.staging.endpoint", ""); // [DESKTOP]
 // -------------------------------------
 // Pref : Disable all the trackingprotection blocked elements by default
 lockPref("browser.contentblocking.features.strict", ""); // [DESKTOP]
@@ -2114,11 +2120,15 @@ lockPref("extensions.formautofill.heuristics.enabled", false); // [DESKTOP]
 // Section : Persistent Storage
 // >>>>>>>>>>>>>>>>>>>>
 // Pref : Delete cookies and site data on close
-// 0=keep until they expire (default), 2=keep until you close Firefox
+// 0=keep until they expire (default),1=Prompt for each cookie, 2=keep until you close Firefox, 3=Accept for N days
 // [NOTE] Use "Cookie AutoDelete" extension to manage your cookies
 // https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/
 // defaultPref("network.cookie.lifetimePolicy", 2);
 // -------------------------------------
+// Pref : Sets the number of days that the lifetime of cookies should be limited to
+// [NOTE] Only use if network.cookie.lifetimePolicy is set to 3
+// defaultPref("network.cookie.lifetime.days", 1); // [DEFAULT: 90]
+// -------------------------------------
 // Pref : Disable 3rd-party cookies and site-data
 // 0=(Allow) cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies, 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers
 // [NOTE] Can breaks payment gateways
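Review bot: The rewritten value legend for `network.cookie.lifetimePolicy` in the second hunk is missing the space after the first comma (`(default),1=Prompt`) and mixes capitalisation across the entries (`keep`, `Prompt`, `Accept`). `// 0=keep until they expire (default), 1=prompt for each cookie, 2=keep until you close Firefox, 3=accept for N days` keeps the same content and matches the spacing of the `0=(Allow) ...` legend a few lines below.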
@@ -2145,16 +2155,6 @@ lockPref("network.cookie.same-site.enabled", true); // [DEFAULT: true]
 // You are better off using an extension for more granular control
 // lockPref("dom.storage.enabled", false);
 // -------------------------------------
-// Pref : Disable IndexedDB
-// https://developer.mozilla.org/en-US/docs/IndexedDB
-// https://en.wikipedia.org/wiki/Indexed_Database_API
-// https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review
-// https://github.com/pyllyukko/user.js/issues/8
-// https://github.com/ghacksuserjs/ghacks-user.js/issues/80#issuecomment-294178018
-// https://superuser.com/questions/1250944/how-can-this-website-reidentify-me-even-after-deleting-all-of-my-browsers-histo
-// [NOTE] IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), and breaks almost every webpage so is left enabled
-// lockPref("dom.indexedDB.enabled", false); // [DEFAULT: true]
-// -------------------------------------
 // Pref : Do not download URLs for the offline cache
 lockPref("browser.cache.offline.storage.enable", false);
 lockPref("browser.cache.offline.enable", false);
@@ -2387,6 +2387,7 @@ lockPref("gfx.vr.osvr.clientLibPath", "");
 lockPref("gfx.vr.osvr.commonLibPath", "");
 lockPref("gfx.vr.osvr.utilLibPath", "");
 lockPref("dom.vr.process.enabled", false);
+lockPref("dom.vr.webxr.enabled", false);
 // -------------------------------------
 // Pref : Disable hardware acceleration to reduce graphics fingerprinting
 // [WARNING] Affects text rendering (fonts will look different), impacts video performance, and parts of Quantum that utilize the GPU will also be affected as they are rolled out
@@ -2618,4 +2619,39 @@ lockPref("devtools.webide.adaptersAddonURL", "");
 lockPref("privacy.socialtracking.notification.enabled", false);
 // -------------------------------------
 // FF72+
+// -------------------------------------
+// Pref : Disable PingCentre telemetry (used in several System Add-ons)
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1597697
+// https://hg.mozilla.org/mozilla-central/rev/7fcdfe9a24e4
+lockPref("browser.ping-centre.production.endpoint", "");
+lockPref("browser.ping-centre.staging.endpoint", "");
+lockPref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", "");
+// -------------------------------------
+// Pref : Disable Firefox Tips / Search suggestions
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1525296
+// https://hg.mozilla.org/mozilla-central/rev/0fb16f92be6f
+lockPref("browser.urlbar.timesBeforeHidingSuggestionsHint", 0);
+// -------------------------------------
+// Pref : Block unwanted connections
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1593693
+// https://hg.mozilla.org/mozilla-central/rev/ca070ea1fc32
+lockPref("network.netlink.route.check.IPv4", "");
+lockPref("network.netlink.route.check.IPv6", "");
+// -------------------------------------
+// Pref : Set default plugin state (i.e. new plugins on discovery) to never activate
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1596090
+// https://hg.mozilla.org/mozilla-central/rev/df333402f126
+lockPref("plugin.defaultXpi.state", 0);
+// -------------------------------------
+// Pref : Disable Telemetry
+// https://bugzilla.mozilla.org/1520491
+// https://hg.mozilla.org/mozilla-central/rev/76b117a14bca
+lockPref("toolkit.telemetry.hybridContent.enabled", false);
+// -------------------------------------
+// Pref : Disable IndexedDB
+// https://bugzilla.mozilla.org/1488583
+// https://hg.mozilla.org/mozilla-central/rev/c2ab1dc00f21
+// lockPref("dom.indexedDB.enabled", false);
+// -------------------------------------
+// FF73+
 // -------------------------------------
\ No newline at end of file
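Review bot: The `// FF72+` heading is ambiguous now that it holds entries: every pref placed under it is one this commit removes from its original section (the ping-centre endpoints, `plugin.defaultXpi.state`, `toolkit.telemetry.hybridContent.enabled`, the netlink route checks, the IndexedDB entry), each with Bugzilla/hg links, which suggests the block collects prefs that no longer exist from Firefox 72 on and are kept for older builds — but no line says so. If that is the intent, a line under the heading such as `// Prefs below were removed from Firefox in the stated release; they only take effect on older builds` makes it unambiguous, and the same wording covers the empty `// FF73+` heading. The relocated IndexedDB entry also drops the earlier `[NOTE]` explaining why it stays commented out (needed by some add-ons such as uBlock, breaks most pages); carrying that sentence over keeps the rationale next to the pref. Finally, the file now ends without a trailing newline (`\ No newline at end of file`), which will churn the last line in the next diff.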