From 8ad625e23167fa40eb014a42ba4a890e9a4e5096 Mon Sep 17 00:00:00 2001 From: quindecim <49964366+quindecim@users.noreply.github.com> Date: Sat, 27 Apr 2019 17:36:54 +0000 Subject: [PATCH] Update user.js MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ✅ Sorted a lot of rules and fixed some parameters ✅ Enabled window.opener protection ⛔️ Disabled Service Workers ⛔️ Disabled Web Notifications ⛔️ Disabled Push Notifications ⛔️ Disabled "Confirm you want to leave" dialog on page close ⛔️ Disabled asm.js ⛔️ Disabled Intersection Observer API --- user.js | 92 ++++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 78 insertions(+), 14 deletions(-) diff --git a/user.js b/user.js index aa8722c..3e70619 100644 --- a/user.js +++ b/user.js @@ -52,7 +52,7 @@ user_pref("datareporting.policy.firstRunURL", ""); user_pref("datareporting.policy.minimumPolicyVersion", 0); user_pref("datareporting.policy.minimumPolicyVersion.channel-beta", 0); // Pref : Disable personalized Extension Recommendations in about:addons and AMO -//[NOTE] This pref has no effect when Health Reports are disabled +// [NOTE] This pref has no effect when Health Reports are disabled // https://support.mozilla.org/kb/personalized-extension-recommendations user_pref("browser.discovery.enabled", false); // [DEFAULT: false] // Pref : Disable Crash Reports @@ -180,13 +180,6 @@ user_pref("browser.snippets.statsUrl", ""); user_pref("browser.snippets.updateInterval", -1); user_pref("browser.snippets.updateUrl", ""); user_pref("browser.snippets.syncPromo.enabled", false); -// Pref : Disable right-click menu manipulation via JavaScript (disabled) -user_pref("dom.event.contextmenu.enabled", false); -// Pref : Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript -// Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in -// JS-based web applications (Google Docs...) -// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled -user_pref("dom.event.clipboardevents.enabled", false); // Pref : Force Punycode for Internationalized Domain Names // http://kb.mozillazine.org/Network.IDN_show_punycode // https://www.xudongz.com/blog/2017/idn-phishing/ @@ -219,8 +212,6 @@ user_pref("beacon.enabled", false); // https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition // https://wiki.mozilla.org/HTML5_Speech_API user_pref("media.webspeech.recognition.enable", false); -// Pref : Disable vibrator API -user_pref("dom.vibrator.enabled", false); // Pref : Don't use Mozilla-provided location-specific search engines user_pref("browser.search.geoSpecificDefaults", false); // Pref : Don't monitor OS online/offline connection state @@ -325,10 +316,83 @@ user_pref("security.csp.enable", true); // [DEFAULT: true] user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // [DEFAULT: true] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +// Section : Web Workers +// >>>>>>>>>>>>>>>>>>>>>> +// Pref : Disable service workers +// Service workers essentially act as proxy servers that sit between web apps, and the browser and network, are event driven, and can control the web page/site it is associated with, intercepting and modifying navigation and resource requests, and caching resources. +// [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode. +// [NOTE] Service workers only run over HTTPS. Service Workers have no DOM access. +user_pref("dom.serviceWorkers.enabled", false); +// Pref : Disable web notifications +// https://developer.mozilla.org/docs/Web/API/Notifications_API +user_pref("dom.webnotifications.enabled", false); +user_pref("dom.webnotifications.serviceworker.enabled", false); +// Pref : Disable push notifications +// Web apps can receive messages pushed to them from a server, whether or not the web app is in the foreground, or even currently loaded +// https://developer.mozilla.org/docs/Web/API/Push_API +user_pref("dom.push.alwaysConnect", false); +user_pref("dom.push.enabled", false); +user_pref("dom.push.debug", false); +user_pref("dom.push.connection.enabled", false); +user_pref("dom.push.serverURL", ""); +user_pref("dom.push.userAgentID", ""); +// +// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +// Section : DOM (Document Object Model) & Javascript +// >>>>>>>>>>>>>>>>>>>>>> +// Pref : Disable right-click menu manipulation via JavaScript +user_pref("dom.event.contextmenu.enabled", false); +// Pref : Disable website access to clipboard events/content +// Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...) +// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled +user_pref("dom.event.clipboardevents.enabled", false); +// Pref : Disable "Confirm you want to leave" dialog on page close +// Does not prevent JS leaks of the page close event. +// https://developer.mozilla.org/docs/Web/Events/beforeunload +// https://support.mozilla.org/questions/1043508 +user_pref("dom.disable_beforeunload", true); +// Pref : Disable shaking the screen (Vibrator API) +user_pref("dom.vibrator.enabled", false); +// Pref : Disable asm.js +// http://asmjs.org/ +// https://www.mozilla.org/security/advisories/mfsa2015-29/ +// https://www.mozilla.org/security/advisories/mfsa2015-50/ +// https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375 +// https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400 +// https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ +user_pref("javascript.options.asmjs", false); +// Pref : Disable Ion and baseline JIT to help harden JS against exploits +// If false, causes the odd site issue and there is also a performance loss +// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 +// user_pref("javascript.options.ion", false); +// user_pref("javascript.options.baselinejit", false); +// Pref : Disable WebAssembly +// https://webassembly.org/ +// https://developer.mozilla.org/docs/WebAssembly +// https://en.wikipedia.org/wiki/WebAssembly +// https://trac.torproject.org/projects/tor/ticket/21549 +// user_pref("javascript.options.wasm", false); +// Pref : Disable Intersection Observer API +// Almost a year to complete, three versions late to stable (as default false), number #1 cause of crashes in nightly numerous times, and is (primarily) an ad network API for "ad viewability checks" down to a pixel level +// https://developer.mozilla.org/docs/Web/API/Intersection_Observer_API +// https://w3c.github.io/IntersectionObserver/ +// https://bugzilla.mozilla.org/1243846 +user_pref("dom.IntersectionObserver.enabled", false); +// Pref : Disable Shared Memory (Spectre mitigation) +// https://github.com/tc39/ecmascript_sharedmem/blob/master/TUTORIAL.md +// https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ +user_pref("javascript.options.shared_memory", false); // [DEFAULT: false] +// Pref : Enforce DOMHighResTimeStamp API +// [WARNING] Required for normalization of timestamps and any timer resolution mitigations +user_pref("dom.event.highrestimestamp.enabled", true); // [DEFAULT: true] +// Pref : Enable (limited but sufficient) window.opener protection +// Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set +user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: false] +// +// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Media / Camera / Mic // >>>>>>>>>>>>>>>>>>>>>> -// Pref : WebSockets is a technology that makes it possible to open an interactive communication -// session between the user's browser and a server. (May leak IP when using proxy/VPN) +// Pref : WebSockets is a technology that makes it possible to open an interactive communication session between the user's browser and a server. (May leak IP when using proxy/VPN) user_pref("media.peerconnection.enabled", false); // Pref : Limit WebRTC IP leaks if using WebRTC // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416 @@ -633,7 +697,7 @@ user_pref("dom.disable_window_move_resize", true); // [DEFAULT: true] // You can still right-click a link and open in a new window. // [TEST] https://people.torproject.org/~gk/misc/entire_desktop.html // https://trac.torproject.org/projects/tor/ticket/9881 -user_pref("browser.link.open_newwindow", 2); // [DEFAULT: 3] +user_pref("browser.link.open_newwindow", 3); // [DEFAULT: 3] user_pref("browser.link.open_newwindow.restriction", 0); // [DEFAULT: 0] // Pref : Disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks // [NOTE] You can still manually toggle the browser's fullscreen state, but this pref will disable embedded video fullscreen controls, e.g. youtube @@ -642,7 +706,7 @@ user_pref("browser.link.open_newwindow.restriction", 0); // [DEFAULT: 0] // Pref : Block popup windows user_pref("dom.disable_open_during_load", true); // [DEFAULT: true] // Pref : Set max popups from a single non-click event -user_pref("dom.popup_maximum", 3); // [DEFAULT: 4] +user_pref("dom.popup_maximum", 2); // [DEFAULT: 20] // Pref : Limit events that can cause a popup // http://kb.mozillazine.org/Dom.popup_allowed_events user_pref("dom.popup_allowed_events", "click dblclick"); // [DEFAULT: "change click dblclick mouseup pointerup notificationclick reset submit touchend"]