From faac2e28583b8c8e9ce59a11e61d3d85bb6b0833 Mon Sep 17 00:00:00 2001
From: quindecim <49964366+quindecim@users.noreply.github.com>
Date: Sat, 4 May 2019 17:30:35 +0000
Subject: [PATCH] Update user.js
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

✅ Enabled addons autoupdate (need tests)
✅ Sanitized FFox blocklist URL (so it won't send identifiable information)
✅ Enforced the proxy server to do any DNS lookups when using SOCKS
✅ Added some descriptions into OCSP section
✅ Enabled require a valid OCSP
✅ Added OrangeManBad in credits
✅ Sorted and fixed some prefs response for OCSP enabled certificates
⛔️ Disabled more webspeech prefs
⛔️ Disabled some more webgl prefs
---
 user.js | 146 ++++++++++++++++++++++++++++---------------------------
 1 file changed, 74 insertions(+), 72 deletions(-)

diff --git a/user.js b/user.js
index b525511..5a7a380 100644
--- a/user.js
+++ b/user.js
@@ -11,26 +11,19 @@ // Based on : gHacks: https://github.com/ghacksuserjs/ghacks-user.js
 // Librefox: https://github.com/intika/Librefox
 // pyllyukko: https://github.com/pyllyukko/user.js
+// OrangeManBad: https://git.nixnet.xyz/OrangeManBad/user.js
 //
 // License : https://github.com/quindecim/fennec_user.js/blob/master/LICENSE.txt
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // Section : Quiet Fox
 // >>>>>>>>>>>>>>>>>>>>>
-// Pref : Disable auto-CHECKING for extension and theme updates
-// user_pref("extensions.update.enabled", false);
-// -------------------------------------
 // Pref : Disable app from auto-update
-user_pref("app.update.auto", false);
 user_pref("app.update.autodownload", "");
 user_pref("app.update.channel", "");
 user_pref("app.update.timerFirstInterval", -1);
 user_pref("app.update.timerMinimumDelay", -1);
 user_pref("app.update.url.android", "");
 // -------------------------------------
-// Pref : Opt-out of add-on metadata updates
-// https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
-user_pref("extensions.getAddons.cache.enabled", false);
-// -------------------------------------
 // Pref : Never check updates for search engines
 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking
 user_pref("browser.search.update", false);
@@ -129,10 +122,6 @@ user_pref("browser.chromeURL", "");
 user_pref("general.useragent.updates.url", "");
 // -------------------------------------
 // Pref : Block unwanted connections
-user_pref("extensions.getAddons.compatOverides.url", "");
-user_pref("extensions.getAddons.get.url", "");
-user_pref("extensions.getAddons.langpacks.url", "");
-user_pref("extensions.getAddons.search.browseURL", "");
 user_pref("extensions.getLocales.get.url", "");
 user_pref("identity.sync.tokenserver.uri", "");
 user_pref("media.decoder-doctor.new-issue-endpoint", "");
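Review bot: `user_pref("app.update.auto", false);` is dropped from the "Disable app from auto-update" group in the first hunk, but the commit message does not list it and the heading still reads as if every app-update switch is off. If the removal is deliberate (presumably because Fennec is updated through the store rather than the in-app updater), record that on the heading, e.g. `// Pref : Disable app from auto-update ([NOTE] app.update.auto left at default; TODO confirm it is unused on Fennec)`; otherwise restore the line. The second hunk's removal of the `extensions.getAddons.*` endpoint blanks fits the re-enabled add-on update checks later in this commit, but `extensions.getAddons.search.browseURL` is blanked again in the blocklist section, so that line is a move rather than a deletion and a short pointer here would make that obvious.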
@@ -172,13 +161,9 @@ user_pref("layout.accessiblecaret.hapticfeedback", false); // [DEFAULT: true]
 // Pref :
 user_pref("dom.registerProtocolHandler.insecure.enabled", true);
 // -------------------------------------
-// Pref : Block list url disabled
-user_pref("extensions.blocklist.url", "");
-user_pref("extensions.blocklist.detailsURL", "");
-user_pref("extensions.blocklist.itemURL", "");
-user_pref("extensions.update.url", "");
-user_pref("extensions.update.background.url", "");
-user_pref("extensions.getAddons.browseAddons", "");
+// Pref : Updates addons automatically
+// https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/
+user_pref("extensions.update.enabled", true);
 // -------------------------------------
 // Pref : Disable Firefox Accounts and Sync
 user_pref("identity.fxaccounts.auth.uri", "");
@@ -230,7 +215,11 @@ user_pref("beacon.enabled", false);
 // https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html
 // https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
 // https://wiki.mozilla.org/HTML5_Speech_API
-user_pref("media.webspeech.recognition.enable", false);
+user_pref("media.webspeech.recognition.enable", false); // [DEFAULT: true]
+user_pref("media.webspeech.recognition.force_enable", false); // [DEFAULT: false]
+user_pref("media.webspeech.test.enable", false); // [DEFAULT: false]
+user_pref("media.webspeech.test.fake_fsm_events", false); // [DEFAULT: false]
+user_pref("media.webspeech.test.fake_recognition_service", false); // [DEFAULT: false]
 // -------------------------------------
 // Pref : Don't use Mozilla-provided location-specific search engines
 user_pref("browser.search.geoSpecificDefaults", false);
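Review bot: `user_pref("extensions.update.enabled", true);` in the first hunk lacks the `// [DEFAULT: true]` annotation the rest of the file attaches to prefs that are set to their default, and the heading "Updates addons automatically" overstates what the pref does: as far as I recall it only turns update checks back on, while automatic installation of a found update is governed separately by `extensions.update.autoUpdateDefault`. Suggest `user_pref("extensions.update.enabled", true); // [DEFAULT: true]` under a heading such as `// Pref : Check for add-on updates (installation is controlled by extensions.update.autoUpdateDefault)`. Since this hunk also removes the `extensions.update.url` / `extensions.update.background.url` blanks, update checks now go to Mozilla's default endpoints; a one-line note saying that is intentional would help, given that the surrounding section otherwise blanks endpoints to stop connections.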
@@ -449,8 +438,10 @@ user_pref("webgl.disabled", true);
 user_pref("webgl.enable-webgl2", false);
 user_pref("webgl.min_capability_mode", true);
 user_pref("pdfjs.enableWebGL", false);
-user_pref("webgl.disable-extensions", true);
+user_pref("webgl.disable-extensions", true); // [DEFAULT: false]
+user_pref("webgl.disable-wgl", true); // [DEFAULT: false]
 user_pref("webgl.disable-fail-if-major-performance-caveat", true);
+user_pref("webgl.can-lose-context-in-foreground", false); // [DEFAULT: true]
 // -------------------------------------
 // Pref : Disable audiocapture
 user_pref("media.getusermedia.browser.enabled", false);
@@ -611,7 +602,7 @@ user_pref("network.dns.disableIPv6", true);
 // e.g. in Tor, this stops your local DNS server from knowing your Tor destination as a remote Tor node will handle the DNS request
 // http://kb.mozillazine.org/Network.proxy.socks_remote_dns
 // https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
-// user_pref("network.proxy.socks_remote_dns", true);
+user_pref("network.proxy.socks_remote_dns", true);
 // -------------------------------------
 // Pref : Remove paths when sending URLs to PAC scripts
 // CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
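Review bot: `webgl.disable-wgl`, added in the first hunk, is as far as I know the switch for the Windows-specific OpenGL binding, so in a Fennec profile it is presumably inert; if it is kept for parity with desktop lists, say so inline, e.g. `user_pref("webgl.disable-wgl", true); // [DEFAULT: false] [NOTE] WGL is Windows-only; presumably no effect on Android`. With `webgl.disabled` already true in the hunk's context, the other two additions are defence in depth rather than a behaviour change, which is worth a word in the heading so nobody later "cleans them up" as redundant.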
@@ -667,12 +658,33 @@ user_pref("security.ssl.errorReporting.url", "");
 // https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/
 user_pref("security.tls.enable_0rtt_data", false);
 // -------------------------------------
-// Pref : Check disabled section
-// OCSP Leaks the visited sited exactly same issue as safebrowsing.
-// Stapling have the site itself proof that his certificate is good through the CA so apparently nothing is leaked in this case.
-// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
+// Pref : Require a valid OCSP response for OCSP enabled certificates
+// https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA
+// Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses
+// [NOTE] `security.OCSP.require` will make the connection fail when the OCSP responder is unavailable
+// [NOTE] `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal)
+user_pref("security.OCSP.require", true);
+// -------------------------------------
+// Pref : Enable OSCP (Online Certificate Status Protocol)
+// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
+// https://www.imperialviolet.org/2014/04/19/revchecking.html
+// https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/
+// https://wiki.mozilla.org/CA:RevocationPlan
+// https://wiki.mozilla.org/CA:ImprovingRevocation
+// https://wiki.mozilla.org/CA:OCSP-HardFail
+// https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html
+// https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html
+// [NOTE] OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
+// [NOTE] OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
+// [NOTE] OCSP adds latency (performance)
+// [NOTE] Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
+// CIS Version 1.2.0 October 21st, 2011 2.2.4
 user_pref("security.OCSP.enabled", 0);
-user_pref("security.OCSP.require", false);
+// -------------------------------------
+// Pref : Enable OCSP Stapling support
+// Stapling have the site itself proof that his certificate is good through the CA so apparently nothing is leaked in this case.
+// https://en.wikipedia.org/wiki/OCSP_stapling
+// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
 user_pref("security.ssl.enable_ocsp_stapling", true);
 // -------------------------------------
 // Pref : Disallow SHA-1
@@ -887,7 +899,7 @@ user_pref("browser.cache.disk.smart_size.enabled", false);
 user_pref("browser.cache.disk.smart_size.first_run", false);
 // -------------------------------------
 // Pref : Disable disk cache for SSL pages
-//http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
+// http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
 user_pref("browser.cache.disk_cache_ssl", false);
 // -------------------------------------
 // Pref : Disable memory cache
@@ -948,7 +960,7 @@ user_pref("intl.locale.os", "en-US");
 // If set to empty, the OS locales are used. If not set at all, default locale is used
 user_pref("intl.locale.requested", "en-US");
 // -------------------------------------
-// Pref: Set language to match
+// Pref : Set language to match
 user_pref("intl.accept_languages", "en-US, en");
 // -------------------------------------
 // Pref : Use APP locale over OS locale in regional preferences
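Review bot: In the first hunk `security.OCSP.require` is switched to true while `security.OCSP.enabled` stays 0 a few lines below, directly under the new heading "Enable OSCP", so the hard-fail setting has nothing to act on: with fetching disabled no OCSP request is made, and only stapled responses are still evaluated (as far as I recall a bad stapled response is rejected regardless of `require`). Either set `user_pref("security.OCSP.enabled", 1);` and accept the IP/domain exposure the added [NOTE] lines describe, or keep 0 and say so above the require line, e.g. `// [NOTE] security.OCSP.enabled is 0 below, so this only takes effect if OCSP fetching is turned back on`. The heading also misspells the protocol and contradicts the value it introduces; `// Pref : OCSP (Online Certificate Status Protocol) fetching — 0 = disabled` would match the line under it. Until the enabled/require pair agrees, the commit message's "Enabled require a valid OCSP" describes a setting that is not actually in force.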
@@ -963,7 +975,7 @@ user_pref("intl.regional_prefs.use_os_locales", false);
 // [NOTE] Disabling fonts can uglify the web a fair bit.
 user_pref("browser.display.use_document_fonts", 0);
 // -------------------------------------
-// Pref: Set more legible default fonts
+// Pref : Set more legible default fonts
 // [NOTE] Example below for Windows/Western only
 // user_pref("font.name.serif.x-unicode", "Georgia");
 // user_pref("font.name.serif.x-western", "Georgia"); // [DEFAULT: Times New Roman]
@@ -972,33 +984,33 @@ user_pref("browser.display.use_document_fonts", 0);
 // user_pref("font.name.monospace.x-unicode", "Lucida Console");
 // user_pref("font.name.monospace.x-western", "Lucida Console"); // [DEFAULT: Courier New]
 // -------------------------------------
-// Pref: Disable icon fonts (glyphs) and local fallback rendering
+// Pref : Disable icon fonts (glyphs) and local fallback rendering
 // https://bugzilla.mozilla.org/789788
 // https://trac.torproject.org/projects/tor/ticket/8455
 user_pref("gfx.downloadable_fonts.enabled", false);
 user_pref("gfx.downloadable_fonts.fallback_delay", -1);
 // -------------------------------------
-// Pref: Disable rendering of SVG OpenType fonts
+// Pref : Disable rendering of SVG OpenType fonts
 // https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this
 user_pref("gfx.font_rendering.opentype_svg.enabled", false);
 // -------------------------------------
-// Pref: Disable WOFF2 (Web Open Font Format)
+// Pref : Disable WOFF2 (Web Open Font Format)
 user_pref("gfx.downloadable_fonts.woff2.enabled", false);
 // -------------------------------------
-// Pref: Disable CSS Font Loading API
+// Pref : Disable CSS Font Loading API
 // [NOTE] Disabling fonts can uglify the web a fair bit.
 user_pref("layout.css.font-loading-api.enabled", false);
 // -------------------------------------
-// Pref: Disable special underline handling for a few fonts which you will probably never use
+// Pref : Disable special underline handling for a few fonts which you will probably never use
 // Any of these fonts on your system can be enumerated for fingerprinting.
 // http://kb.mozillazine.org/Font.blacklist.underline_offset
 user_pref("font.blacklist.underline_offset", "");
 // -------------------------------------
-// Pref: Disable graphite which turned back on by default
+// Pref : Disable graphite which turned back on by default
 // https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778
 user_pref("gfx.font_rendering.graphite.enabled", false);
 // -------------------------------------
-// Pref: Limit system font exposure to a whitelist [RESTART]
+// Pref : Limit system font exposure to a whitelist [RESTART]
 // If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.
 // [WARNING] Creating your own probably highly-unique whitelist will raise your entropy. Eventually privacy.resistFingerprinting will cover this.
 // https://bugzilla.mozilla.org/1121643
@@ -1007,7 +1019,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // Section : Plugins
 // >>>>>>>>>>>>>>>>>>>>
-// Pref: Set default plugin state (i.e. new plugins on discovery) to never activate
+// Pref : Set default plugin state (i.e. new plugins on discovery) to never activate
 // 0=disabled, 1=ask to activate, 2=active - you can override individual plugins
 user_pref("plugin.default.state", 0);
 // -------------------------------------
@@ -1040,38 +1052,24 @@ user_pref("media.mediadrm-widevinecdm.visible", false); // [DEFAULT: true]
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // Section : Blocklists / Safe Browsing / Tracking Protection
 // >>>>>>>>>>>>>>>>>>>>
-// This section has security & tracking protection implications vs privacy concerns vs effectiveness vs 3rd party 'censorship'. If you disable Tracking Protection (TP) and/or Safe Browsing (SB), REQUIRES YOU HAVE uBLOCK ORIGIN INSTALLED.
 // Pref : Enable add-on and certificate blocklists (OneCRL) from Mozilla
-// Updated at interval defined in extensions.blocklist.interval
-user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 0);
-user_pref("extensions.blocklist.enabled", false);
-user_pref("extensions.blocklist.interval", 0);
-user_pref("extensions.blocklist.level", 0);
-user_pref("extensions.blocklist.pingCountTotal", 0);
-user_pref("extensions.blocklist.pingCountVersion", 0);
-user_pref("extensions.blocklist.url", "");
-user_pref("services.blocklist.addons.signer", ""); // [DEFAULT: remote-settings.content-signature.mozilla.org]
-user_pref("services.blocklist.bucket", "");
-user_pref("services.blocklist.plugins.signer", "");
-user_pref("services.blocklist.pinning.signer", ""); // [DEFAULT: pinning-preload.content-signature.mozilla.org]
-user_pref("services.blocklist.pinning.bucket", "");
-user_pref("services.blocklist.pinning.checked", 0);
-user_pref("services.blocklist.pinning.collection", "");
-user_pref("services.blocklist.pinning.enabled", false);
-user_pref("services.blocklist.plugins.checked", 0);
-user_pref("services.blocklist.plugins.collection", "");
+// https://wiki.mozilla.org/Blocklisting
+// https://blocked.cdn.mozilla.net/
+// http://kb.mozillazine.org/Extensions.blocklist.enabled
+// http://kb.mozillazine.org/Extensions.blocklist.url
+// https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
+// Updated at interval defined in extensions.blocklist.interval (default: 86400)
+user_pref("extensions.blocklist.enabled", true);
 // -------------------------------------
-// Pref : Disable individual unwanted/unneeded parts of the Kinto blocklists
-// What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
-// As Firefox transitions to Kinto, the blocklists have been broken down into entries for certs to be revoked, extensions and plugins to be disabled, and gfx environments that cause problems or crashes
-user_pref("services.blocklist.onecrl.signer", ""); // [DEFAULT: onecrl.content-signature.mozilla.org]
-user_pref("services.blocklist.onecrl.checked", 0);
-user_pref("services.blocklist.onecrl.collection", "");
-user_pref("services.blocklist.addons.checked", 0);
-user_pref("services.blocklist.addons.collection", "");
-user_pref("services.blocklist.gfx.signer", ""); // [DEFAULT: remote-settings.content-signature.mozilla.org]
-user_pref("services.blocklist.gfx.checked", 0);
-user_pref("services.blocklist.gfx.collection", "");
+// Pref : Decrease system information leakage to Mozilla blocklist update servers
+// https://trac.torproject.org/projects/tor/ticket/16931
+// https://www.reddit.com/r/firefox/comments/9v5lue/firefox_tip_sanitize_firefox_blocklist_url_so_it/
+user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/"); // [URL SANITIZED]
+// -------------------------------------
+// Pref : Opt-out of add-on metadata updates
+// https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
+user_pref("extensions.getAddons.cache.enabled", false)
+user_pref("extensions.getAddons.search.browseURL", "");
 // -------------------------------------
 // Pref : Disable Google Safe Browsing (Block dangerous and deceptive contents)
 user_pref("browser.safebrowsing.allowOverride", false);
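Review bot: `user_pref("extensions.getAddons.cache.enabled", false)` near the end of the hunk is missing its terminating semicolon; Firefox's prefs parser treats that as a syntax error and, depending on the version, either stops at that point or discards the file's remaining prefs, so at minimum the safe-browsing settings that follow would silently not apply. Fix: `user_pref("extensions.getAddons.cache.enabled", false);`. Re-enabling `extensions.blocklist.enabled` is the right trade, since with the old blanks the profile never learned about revoked intermediates, and the sanitized `extensions.blocklist.url` keeps that benefit without the identifying query parts; but it is a hard-coded endpoint rather than the template Firefox presumably fills in itself, so if Mozilla moves the path the blocklist and OneCRL stop updating with no visible error. A line such as `// [NOTE] hard-coded endpoint: re-verify it still answers after major Firefox updates` would flag that maintenance duty.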
@@ -1184,7 +1182,7 @@ user_pref("browser.cache.offline.capacity", 0);
 // https://blog.mozilla.org/security/2018/02/12/restricting-appcache-secure-contexts/
 user_pref("browser.cache.offline.insecure.enable", false);
 // -------------------------------------
-// Pref: Display a notification bar when websites offer data for offline use
+// Pref : Display a notification bar when websites offer data for offline use
 // http://kb.mozillazine.org/Browser.offline-apps.notify
 user_pref("browser.offline-apps.notify", true); // [DEFAULT: true]
 // -------------------------------------
@@ -1308,15 +1306,18 @@ user_pref("dom.netinfo.enabled", false); // [DEFAULT: true]
 // https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
 // https://wiki.mozilla.org/HTML5_Speech_API
 user_pref("media.webspeech.synth.enabled", false); // [DEFAULT: false]
+user_pref("media.webspeech.synth_force_global_queue", false); // [DEFAULT: false]
 // -------------------------------------
 // Pref : Disable video statistics - JS performance fingerprinting
 // https://trac.torproject.org/projects/tor/ticket/15757
 // https://bugzilla.mozilla.org/654550
 user_pref("media.video_stats.enabled", false); // [DEFAULT: true]
 // -------------------------------------
-// Pref : Disable touch events
-// Fingerprinting attack vector - leaks screen res & actual screen coordinates
+// Pref : Force touch events enabled by default
+// Fingerprinting attack vector - leaks screen res & actual screen coordinates.
 // 0=disabled, 1=enabled, 2=autodetect
+// This pref is set to 2 by default, which results in the Touch API being exposed only when touch hardware is present. So we should either set it to "1" (enable) or "0" (disable) to ensure that JS code can't fingerprint the user's hardware.
+// [FENNEC - BUG] If disabled, unables you to copy or paste any text.
 // https://developer.mozilla.org/docs/Web/API/Touch_events
 // https://trac.torproject.org/projects/tor/ticket/10286
 user_pref("dom.w3c_touch_events.enabled", 1); // [DEFAULT: 2]
@@ -1379,4 +1380,5 @@ user_pref("browser.ui.zoom.force-user-scalable", true); // [DEFAULT: false]
 // https://bugzilla.mozilla.org/1502392
 // http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
 user_pref("browser.urlbar.autocomplete.enabled", false); // [DEFAULT: true]
-// -------------------------------------
+//
+//
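Review bot: The new comment `// [FENNEC - BUG] If disabled, unables you to copy or paste any text.` in the first hunk reads awkwardly and does not say which value "disabled" means; suggest `// [FENNEC - BUG] With 0 (disabled), text can no longer be copied or pasted.` The new heading "Force touch events enabled by default" is also at odds with the value below it, since 1 is "enabled" outright rather than a default; `// Pref : Force touch events on (1) so the Touch API does not reveal whether touch hardware is present` matches the explanatory line that follows. In the second hunk the closing separator is replaced by two bare `//` lines, which looks like leftover scaffolding rather than a deliberate change; if a final separator is wanted, keep `// -------------------------------------`.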