From 0d921bbc22ecaf474744f665f43215d064e92265 Mon Sep 17 00:00:00 2001
From: Narsil
Date: Wed, 21 Jul 2021 07:21:47 +0000
Subject: [PATCH] Update 'user.js'
---
 user.js | 46 ++++++++++++++++++++++------------------------
 1 file changed, 22 insertions(+), 24 deletions(-)
diff --git a/user.js b/user.js
index 03cc84b..e6231f3 100644
--- a/user.js
+++ b/user.js
@@ -127,7 +127,7 @@ user_pref("browser.search.region", "en-US, en"); // [HIDDEN PREF]
 // https://addons.mozilla.org/about ***/
 user_pref("intl.accept_languages", "en-US");
 // -------------------------------------
-// Enforce US English locale regardless of the system locale
+// Use US English locale regardless of the system locale
 // [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages
 // https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630
 user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
@@ -316,19 +316,6 @@ user_pref("media.webvtt.testing.events", false);
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1608308
 user_pref("corroborator.enabled", false);
 // -------------------------------------
-// Disable Remote Settings
-// https://github.com/mozilla-services/remote-settings-lambdas
-// https://remote-settings.readthedocs.io/en/latest/
-user_pref("security.remote_settings.intermediates.enabled", false);
-user_pref("security.remote_settings.intermediates.bucket", "");
-user_pref("security.remote_settings.intermediates.collection", "");
-user_pref("security.remote_settings.intermediates.signer", "");
-user_pref("security.remote_settings.crlite_filters.enabled", false);
-user_pref("security.remote_settings.crlite_filters.bucket", "");
-user_pref("security.remote_settings.crlite_filters.collection", "");
-user_pref("security.remote_settings.crlite_filters.signer", "");
-user_pref("security.pki.crlite_mode", 0);
-// -------------------------------------
 // Block unwanted connections
 user_pref("app.feedback.baseURL", "");
 user_pref("app.feedbackURL", "");
@@ -553,7 +540,7 @@ user_pref("network.dns.disableIPv6", true);
 user_pref("network.http.altsvc.enabled", false);
 user_pref("network.http.altsvc.oe", false);
 // -------------------------------------
-// Enforce the proxy server to do any DNS lookups when using SOCKS
+// Set the proxy server to do any DNS lookups when using SOCKS
 // e.g. in Tor, this stops your local DNS server from knowing your Tor destination
 // as a remote Tor node will handle the DNS request
 // https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
@@ -821,9 +808,6 @@ user_pref("security.ssl.require_safe_negotiation", true);
 // user_pref("security.tls.version.min", 3); // [DEFAULT: 3]
 // user_pref("security.tls.version.max", 4);
 // -------------------------------------
-// Enforce TLS 1.0 and 1.1 downgrades as session only
-user_pref("security.tls.version.enable-deprecated", false);
-// -------------------------------------
 // Disable SSL session tracking [FF36+]
 // SSL Session IDs are unique and last up to 24hrs in Firefox (or longer with prolongation attacks)
 // These are not used in PB mode. In normal windows they are isolated when using FPI
@@ -891,12 +875,26 @@ user_pref("security.family_safety.mode", 0);
 // https://shiftordie.de/blog/2017/02/21/fingerprinting-firefox-users-with-cached-intermediate-ca-certificates-fiprinca/
 // user_pref("security.nocertdb", true); // [HIDDEN PREF]
 // -------------------------------------
-// Enforce strict pinning
+// Enable strict pinning
 // PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict
 // [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing
 // by inspecting ALL your web traffic, then leave at current default=1
 // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206
 user_pref("security.cert_pinning.enforcement_level", 2);
+// -------------------------------------
+// Disable CRLite [FF73+]
+// In FF84+ it covers valid certs and in mode 2 doesn't fall back to OCSP
+// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985
+// https://blog.mozilla.org/security/tag/crlite/ ***/
+user_pref("security.remote_settings.intermediates.enabled", false);
+user_pref("security.remote_settings.intermediates.bucket", "");
+user_pref("security.remote_settings.intermediates.collection", "");
+user_pref("security.remote_settings.intermediates.signer", "");
+user_pref("security.remote_settings.crlite_filters.enabled", false);
+user_pref("security.remote_settings.crlite_filters.bucket", "");
+user_pref("security.remote_settings.crlite_filters.collection", "");
+user_pref("security.remote_settings.crlite_filters.signer", "");
+user_pref("security.pki.crlite_mode", 0);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // MIXED CONTENT
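Review bot: The added heading `// Disable CRLite [FF73+]` under-describes the block beneath it, because the first four prefs are `security.remote_settings.intermediates.*`, which the removed heading had grouped under Remote Settings rather than CRLite. The explanatory line also describes mode 2 while the block sets `security.pki.crlite_mode` to 0, so the comment does not say what revocation checking remains in effect. I would retitle it `// Disable CRLite and the Remote Settings intermediates collection [FF73+]` and add `// 0=disabled; revocation checking then relies on whatever OCSP prefs this file sets` (those prefs are not visible in this hunk, so confirm them). The trailing `***/` on the blog.mozilla.org line closes no comment opened in this hunk and could be dropped.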
@@ -1381,7 +1379,7 @@ user_pref("permissions.manager.defaultsUrl", "");
 // Remove webchannel whitelist ***/
 user_pref("webchannel.allowObject.urlWhitelist", "");
 // -------------------------------------
-// Enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
+// Use Punycode in Internationalized Domain Names to eliminate possible spoofing
 // Firefox has *some* protections, but it is better to be safe than sorry
 // [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded
 // [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
@@ -1443,7 +1441,7 @@ user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+]
 // [SETTING] To set your default "downloads": General>Downloads>Save files to
 // user_pref("browser.download.folderList", 2);
 // -------------------------------------
-// Enforce user interaction for security by always asking where to download
+// Enable user interaction for security by always asking where to download
 // [SETUP-CHROME] On Android this blocks longtapping and saving images
 // [SETTING] General>Downloads>Always ask you where to save files
 user_pref("browser.download.useDownloadDir", false);
@@ -1477,13 +1475,13 @@ user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
 // SECURITY
 // >>>>>>>>>>>>>>>>>>>>>
 // Enforce CSP (Content Security Policy)
-// [WARNING] CSP is a very important and widespread security feature. Don't disable it!
+// [NOTE] CSP is a very important and widespread security feature. Don't disable it!
 // https://developer.mozilla.org/docs/Web/HTTP/CSP
 user_pref("security.csp.enable", true); // [DEFAULT: true]
 // -------------------------------------
 // Enforce a security delay on some confirmation dialogs such as install, open/save
 // https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
-user_pref("security.dialog_enable_delay", 700);
+user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000]
 // -------------------------------------
 // Enable Site Isolation
 // (no such line)
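Review bot: The comment above `security.dialog_enable_delay`, in the hunk starting at old line 1477, still gives neither the unit nor which direction is safer, even though the value now moves from 700 to what the new tag calls the default. Since the previous value sat below that default, a later edit could lower it again without noticing the trade-off. I would add `// Value in milliseconds; going below the default shortens the delay that guards against the dialog race described in the link above`.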