From fea114e16ad3696bba6c046ce588ccb7fcabb13d Mon Sep 17 00:00:00 2001 From: quindecim <49964366+quindecim@users.noreply.github.com> Date: Tue, 7 May 2019 08:26:05 +0000 Subject: [PATCH] Update user.js MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ✅ Fully synced with gHacks and pyllyukko user.js ✅ Reviewed and added all the "HIDDEN PREFS" from gHacks and pyllyukko ✅ Reordered some prefs and fixed some text descriptions ✅ Enabled only whitelisted URL protocol handlers ✅ Enabled CSP 1.1 script-nonce directive support ✅ Enabled OCSP Must-Staple support ✅ Enabled Subresource Integrity by default ✅ Enabled GCM, ECDHE and key size > 128bits, ChaCha20 and Poly1305 ciphers ✅ Re-enabled ssl3.rsa_aes_128/256_sha due to compatibility reasons ✅ Enforce US English locale regardless of the system locale (hidden pref) ✅ Enforced websites to ask to store data for offline use ⛔️ Disabled SSDP (Simple Service Discovery Protocol) ⛔️ Disable auto updating of lightweight themes [FENNEC] ⛔️ Removed some unused prefs ⛔️ Disabled page thumbnail collection ⛔️ Disabled automatic sending of the selection to clipboard (autocopy) ⛔️ Disabled middle mouse click paste (useless on android) ⛔️ Disabled clipboard commands (cut/copy) from "non-privileged" content ⛔️ Disabled WebAssembly ⛔️ Disabled DNS prefetching from HTTPS too ⛔️ Disable SSL session tracking by default ⛔️ Disabled GIO as a potential proxy bypass vector ⛔️ Disabled one more GeoIP lookup on your address (hidden pref) ⛔️ Rejected .onion hostnames before passing them to DNS ℹ️ Set to "2" bookmarks backups in case of system crash ℹ️ Removed Set browser, os and app locale prefs (figured out that they are useless) ℹ️ Set how often in minutes Firefox should ask for the master password = 1 ℹ️ Set "Delete Search and Form History" from "180" days to "0" --- user.js | 280 ++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 192 insertions(+), 88 deletions(-) 
diff --git a/user.js b/user.js index 4422a0c..1d083cf 100644 --- a/user.js +++ b/user.js @@ -17,13 +17,6 @@ // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Quiet Fox // >>>>>>>>>>>>>>>>>>>>> -// Pref : Disable app from auto-update -user_pref("app.update.autodownload", ""); -user_pref("app.update.channel", ""); -user_pref("app.update.timerFirstInterval", -1); -user_pref("app.update.timerMinimumDelay", -1); -user_pref("app.update.url.android", ""); -// ------------------------------------- // Pref : Never check updates for search engines // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking user_pref("browser.search.update", false); @@ -31,8 +24,7 @@ user_pref("browser.search.update.interval", -1); user_pref("browser.search.update.log", false); // ------------------------------------- // Pref : Tell the search service that we don't really expose the "current engine" -// [FENNEC] -user_pref("browser.search.noCurrentEngine", true); // [DEFAULT: true] +user_pref("browser.search.noCurrentEngine", true); // [DEFAULT: true] // [FENNEC] // ------------------------------------- // Pref : Disable sending Flash Player crash reports user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); 
@@ -40,6 +32,11 @@ user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); // Pref : Disable sending the URL of the website where a plugin crashed user_pref("dom.ipc.plugins.reportCrashURL", false); // ------------------------------------- +// Pref : Disable SSDP (Simple Service Discovery Protocol) +// https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol +// https://bugzilla.mozilla.org/show_bug.cgi?id=1111967 +user_pref("browser.casting.enabled", false); // [DEFAULT: false] +// ------------------------------------- // Pref : Disable Telemetry user_pref("toolkit.telemetry.enabled", false); user_pref("toolkit.telemetry.debugSlowSql", false); 
@@ -68,19 +65,18 @@ user_pref("datareporting.policy.minimumPolicyVersion.channel-beta", 0); // Pref : Disable In-Browser Feed Handling // https://wiki.mozilla.org/Feed_Handling // http://kb.mozillazine.org/Browser.contentHandlers.types.%2A.uri -// [FENNEC] -user_pref("browser.contentHandlers.types.0.title", ""); -user_pref("browser.contentHandlers.types.0.type", ""); -user_pref("browser.contentHandlers.types.0.uri", ""); -user_pref("browser.contentHandlers.types.1.title", ""); -user_pref("browser.contentHandlers.types.1.type", ""); -user_pref("browser.contentHandlers.types.1.uri", ""); -user_pref("browser.contentHandlers.types.2.title", ""); -user_pref("browser.contentHandlers.types.2.type", ""); -user_pref("browser.contentHandlers.types.2.uri", ""); -user_pref("browser.contentHandlers.types.3.title", ""); -user_pref("browser.contentHandlers.types.3.type", ""); -user_pref("browser.contentHandlers.types.3.uri", ""); +user_pref("browser.contentHandlers.types.0.title", ""); // [FENNEC] +user_pref("browser.contentHandlers.types.0.type", ""); // [FENNEC] +user_pref("browser.contentHandlers.types.0.uri", ""); // [FENNEC] +user_pref("browser.contentHandlers.types.1.title", ""); // [FENNEC] +user_pref("browser.contentHandlers.types.1.type", ""); // [FENNEC] +user_pref("browser.contentHandlers.types.1.uri", ""); // [FENNEC] +user_pref("browser.contentHandlers.types.2.title", ""); // [FENNEC] +user_pref("browser.contentHandlers.types.2.type", ""); // [FENNEC] +user_pref("browser.contentHandlers.types.2.uri", ""); // [FENNEC] +user_pref("browser.contentHandlers.types.3.title", ""); // [FENNEC] +user_pref("browser.contentHandlers.types.3.type", ""); // [FENNEC] +user_pref("browser.contentHandlers.types.3.uri", ""); // [FENNEC] // ------------------------------------- // Pref : Disable personalized Extension Recommendations in about:addons and AMO // [NOTE] This pref has no effect when Health Reports are disabled 
@@ -107,24 +103,45 @@ user_pref("network.connectivity-service.IPv4.url", ""); user_pref("network.connectivity-service.IPv6.url", ""); user_pref("network.connectivity-service.DNSv4.domain", ""); user_pref("network.connectivity-service.DNSv6.domain", ""); +// ------------------------------------- +// Pref : Disable auto updating of lightweight themes (LWT) +// Not to be confused with themes, which use the Theme API +// Mozilla plan to convert existing LWTs and remove LWT support in the future +// https://blog.mozilla.org/addons/2018/09/20/future-themes-here/ +user_pref("lightweightThemes.persisted.headerURL", false); +user_pref("lightweightThemes.persistedThemeID", ""); // [FENNEC] +user_pref("lightweightThemes.selectedThemeID", ""); // [FENNEC] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : IJWY To Shut Up // I Just Want You To Shut Up : Closing all non necessary communication to mozilla.org etc. 
// >>>>>>>>>>>>>>>>>>>>> // Pref : Block unwanted connections -// [FENNEC] user_pref("app.feedback.baseURL", ""); -user_pref("app.feedbackURL", ""); -user_pref("app.channelURL", ""); -user_pref("app.creditsURL", ""); -user_pref("app.faqURL", ""); -user_pref("app.privacyURL", ""); +user_pref("app.feedbackURL", ""); // [FENNEC] +user_pref("app.channelURL", ""); // [FENNEC] +user_pref("app.creditsURL", ""); // [FENNEC] +user_pref("app.faqURL", ""); // [FENNEC] +user_pref("app.privacyURL", ""); // [FENNEC] user_pref("app.releaseNotesURL", ""); user_pref("app.support.baseURL", ""); -user_pref("app.supportURL", ""); -user_pref("browser.chromeURL", ""); -user_pref("general.useragent.updates.url", ""); +user_pref("app.supportURL", ""); // [FENNEC] +user_pref("browser.chromeURL", ""); // [FENNEC] +// ------------------------------------- +// Pref : Disable app from auto-update +user_pref("app.update.autodownload", ""); +user_pref("app.update.channel", ""); +user_pref("app.update.timerFirstInterval", -1); +user_pref("app.update.timerMinimumDelay", -1); +user_pref("app.update.url.android", ""); +// user_pref("app.update.url.android", "https://aus5.mozilla.org/update/4/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%MOZ_VERSION%/update.xml"); // [URL SANITIZED from locale] +// ------------------------------------- +// Pref : Updates addons automatically +// https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/ +user_pref("extensions.update.enabled", true); +// ------------------------------------- +// Pref : Disable System Add-on updates +user_pref("extensions.systemAddon.update.url", ""); // ------------------------------------- // Pref : Block unwanted connections user_pref("identity.sync.tokenserver.uri", ""); 
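Review bot: The relocated "Disable app from auto-update" block blanks `app.update.url.android` and sets both timers to -1, and the same hunk keeps `extensions.systemAddon.update.url` empty, yet neither block says how the browser is then expected to receive security fixes. I would add a line above the `app.update.*` prefs such as `// [NOTE] With in-app updates off, security releases must come from the store or a manual install`. Separately, the new heading "Disable auto updating of lightweight themes" is followed only by `lightweightThemes.persisted.headerURL` and the two theme-ID prefs, none of which reads like an update switch (gHacks uses `lightweightThemes.update.enabled` for this, as far as I know), so either the heading or the pref list should be corrected.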
@@ -133,8 +150,6 @@ user_pref("network.trr.confirmationNS", ""); // ------------------------------------- // Pref : Test To Make FFox Silent user_pref("security.content.signature.root_hash", ""); -user_pref("services.settings.default_signer", ""); -user_pref("services.settings.server", ""); user_pref("urlclassifier.phishTable", ""); user_pref("urlclassifier.passwordAllowTable", ""); // @@ -142,17 +157,13 @@ user_pref("urlclassifier.passwordAllowTable", ""); // Section : Miscellaneous // >>>>>>>>>>>>>>>>>>>>>> // Pref : Test user.js in about:config -// [FENNEC] -user_pref("user.js.applied", true); +user_pref("user.js.applied", true); // [FENNEC] // ------------------------------------- // Pref : Disable Web Compatibility Reporter // Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla user_pref("extensions.webcompat-reporter.enabled", false); user_pref("extensions.webcompat-reporter.newIssueEndpoint", ""); // ------------------------------------- -// Pref : Disable System Add-on updates -user_pref("extensions.systemAddon.update.url", ""); -// ------------------------------------- // Pref : user_pref("devtools.devices.url", ""); // ------------------------------------- @@ -162,10 +173,6 @@ user_pref("layout.accessiblecaret.hapticfeedback", false); // [DEFAULT: true] // Pref : user_pref("dom.registerProtocolHandler.insecure.enabled", false); // ------------------------------------- -// Pref : Updates addons automatically -// https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/ -user_pref("extensions.update.enabled", true); -// ------------------------------------- // Pref : Disable Firefox Accounts and Sync user_pref("identity.fxaccounts.auth.uri", ""); user_pref("identity.fxaccounts.remote.oauth.uri", ""); 
@@ -174,19 +181,15 @@ user_pref("identity.fxaccounts.remote.webchannel.uri", "https://0.0.0.0"); // [ // ------------------------------------- // Pref : Disable sync user_pref("services.sync.enabled", false); -user_pref("browser.startup.homepage_override.mstone", "ignore"); -user_pref("webextensions.storage.sync.enabled", false); -user_pref("webextensions.storage.sync.serverURL", ""); user_pref("privacy.item.syncAccount", false); // ------------------------------------- // Pref : Disable snippets -// [FENNEC] -user_pref("browser.snippets.enabled", false); -user_pref("browser.snippets.firstrunHomepage.enabled", false); -user_pref("browser.snippets.statsUrl", ""); -user_pref("browser.snippets.updateInterval", -1); -user_pref("browser.snippets.updateUrl", ""); -user_pref("browser.snippets.syncPromo.enabled", false); +user_pref("browser.snippets.enabled", false); // [FENNEC] +user_pref("browser.snippets.firstrunHomepage.enabled", false); // [FENNEC] +user_pref("browser.snippets.statsUrl", ""); // [FENNEC] +user_pref("browser.snippets.updateInterval", -1); // [FENNEC] +user_pref("browser.snippets.updateUrl", ""); // [FENNEC] +user_pref("browser.snippets.syncPromo.enabled", false); // [FENNEC] // ------------------------------------- // Pref : Force Punycode for Internationalized Domain Names // http://kb.mozillazine.org/Network.IDN_show_punycode 
@@ -197,6 +200,10 @@ user_pref("browser.snippets.syncPromo.enabled", false); // CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6 user_pref("network.IDN_show_punycode", true); // ------------------------------------- +// Pref : Disable page thumbnail collection +// Look in profile/thumbnails directory, you may want to clean that out +user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF] +// ------------------------------------- // Pref : Disable prefetching of URLs // http://kb.mozillazine.org/Network.prefetch-next // https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F @@ -208,6 +215,10 @@ user_pref("network.prefetch-next", false); // https://bugzilla.mozilla.org/show_bug.cgi?id=814169 user_pref("network.http.speculative-parallel-limit", 0); // ------------------------------------- +// Pref : Do not automatically send selection to clipboard on Linux and some UNIX-like platforms +// http://kb.mozillazine.org/Clipboard.autocopy +user_pref("clipboard.autocopy", false); +// ------------------------------------- // Pref : Disable "beacon" asynchronous HTTP transfers (used for analytics) // https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon user_pref("beacon.enabled", false); @@ -274,6 +285,11 @@ user_pref("mathml.disabled", true); // https://bugzilla.mozilla.org/1216893 // user_pref("svg.disabled", true); // ------------------------------------- +// Pref : Disable middle mouse click paste +// This preference determines how to handle middle clicks in text fields. +// Useless on Android +user_pref("middlemouse.paste", false); +// ------------------------------------- // Pref : Disable middle mouse click opening links from clipboard // https://trac.torproject.org/projects/tor/ticket/10089 // http://kb.mozillazine.org/Middlemouse.contentLoadURL 
@@ -310,7 +326,7 @@ user_pref("browser.download.forbid_open_with", true); // This will break extensions, language packs, themes and any other XPI files which are installed outside of profile directories // https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/ // archived: https://archive.is/DYjAM -user_pref("extensions.enabledScopes", 1); // [DEFAULT: 1] +user_pref("extensions.enabledScopes", 1); // [DEFAULT: 1] // [HIDDEN PREF] user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15] // ------------------------------------- // Pref : Enable warning when websites try to install add-ons 
@@ -330,6 +346,32 @@ user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // [DE // You may want to disable this for corporate or developer environments // https://bugzilla.mozilla.org/1343184 // user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false); // [DEFAULT: true] +// ------------------------------------- +// Pref : Enable only whitelisted URL protocol handlers +// http://kb.mozillazine.org/Network.protocol-handler.external-default +// http://kb.mozillazine.org/Network.protocol-handler.warn-external-default +// http://kb.mozillazine.org/Network.protocol-handler.expose.%28protocol%29 +// https://news.ycombinator.com/item?id=13047883 +// https://bugzilla.mozilla.org/show_bug.cgi?id=167475 +// https://github.com/pyllyukko/user.js/pull/285#issuecomment-298124005 +// [NOTE] Disabling nonessential protocols breaks all interaction with custom protocols such as mailto:, irc:, magnet: ... and breaks opening third-party mail/messaging/torrent/... clients when clicking on links with these protocols +// If you want to enable a protocol, set network.protocol-handler.expose.(protocol) to true and network.protocol-handler.external.(protocol) to: +// * true, if the protocol should be handled by an external application +// * false, if the protocol should be handled internally by Firefox +user_pref("network.protocol-handler.warn-external-default", true); +user_pref("network.protocol-handler.external.javascript", false); +user_pref("network.protocol-handler.external.data", false); +user_pref("network.protocol-handler.expose-all", false); +user_pref("network.protocol-handler.expose.http", true); +user_pref("network.protocol-handler.expose.https", true); +user_pref("network.protocol-handler.expose.javascript", true); +user_pref("network.protocol-handler.expose.moz-extension", true); +user_pref("network.protocol-handler.expose.ftp", true); +user_pref("network.protocol-handler.expose.file", true); 
+user_pref("network.protocol-handler.expose.about", true); +user_pref("network.protocol-handler.expose.chrome", true); +user_pref("network.protocol-handler.expose.blob", true); +user_pref("network.protocol-handler.expose.data", true); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Web Workers @@ -375,6 +417,11 @@ user_pref("dom.disable_beforeunload", true); // Pref : Disable shaking the screen (Vibrator API) user_pref("dom.vibrator.enabled", false); // ------------------------------------- +// Pref : Disable clipboard commands (cut/copy) from "non-privileged" content +// This disables document.execCommand("cut"/"copy") to protect your clipboard +// https://bugzilla.mozilla.org/1170911 +user_pref("dom.allow_cut_copy", false); // [HIDDEN PREF] +// ------------------------------------- // Pref : Disable asm.js // http://asmjs.org/ // https://www.mozilla.org/security/advisories/mfsa2015-29/ @@ -395,7 +442,7 @@ user_pref("javascript.options.asmjs", false); // https://developer.mozilla.org/docs/WebAssembly // https://en.wikipedia.org/wiki/WebAssembly // https://trac.torproject.org/projects/tor/ticket/21549 -// user_pref("javascript.options.wasm", false); +user_pref("javascript.options.wasm", false); // ------------------------------------- // Pref : Disable Intersection Observer API // Almost a year to complete, three versions late to stable (as default false), number #1 cause of crashes in nightly numerous times, and is (primarily) an ad network API for "ad viewability checks" down to a pixel level 
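Review bot: The new whitelist sets `network.protocol-handler.expose.ftp` to true without comment, although FTP is a cleartext protocol and the rest of this file tightens transport security. If it is kept for compatibility, say so next to the pref, e.g. `// [NOTE] ftp is cleartext; kept exposed for compatibility`. The block would also benefit from one line explaining why `expose.javascript` and `expose.data` are true while their `external.*` counterparts are false, since the [NOTE] above only gives the general rule and these two schemes are the ones a reader will question first. This hunk begins on the previous collapsed line; the note applies to the whole "Enable only whitelisted URL protocol handlers" block.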
@@ -479,9 +526,9 @@ user_pref("media.block-autoplay-until-in-foreground", true); // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Location Bar / Search Bar / Suggestions / History / Forms // >>>>>>>>>>>>>>>>>>>> -// Pref : Disable location bar using search -// Don't leak typos to a search engine, give an error message instead -// user_pref("keyword.enabled", false); // [DEFAULT: true] +// Pref : Do not submit invalid URIs entered in the address bar to the default search engine +// http://kb.mozillazine.org/Keyword.enabled +user_pref("keyword.enabled", true); // [DEFAULT: true] // ------------------------------------- // Pref : Don't try to guess domain names when entering an invalid domain name in URL bar // http://www-archive.mozilla.org/docs/end-user/domain-guessing.html @@ -536,6 +583,17 @@ user_pref("security.tls.version.fallback-limit", 3); // Pref : Only allow TLS 1.[0-3] // http://kb.mozillazine.org/Security.tls.version.* user_pref("security.tls.version.min", 2); +// ------------------------------------- +// Pref : Enable CSP 1.1 script-nonce directive support +// https://bugzilla.mozilla.org/show_bug.cgi?id=855326 +user_pref("security.csp.experimentalEnabled", true); +// ------------------------------------- +// Pref : Enable OCSP Must-Staple support +// https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/ +// https://www.entrust.com/ocsp-must-staple/ +// https://github.com/schomery/privacy-settings/issues/40 +// [NOTE] Firefox falls back on plain OCSP when must-staple is not configured on the host certificate +user_pref("security.ssl.enable_ocsp_must_staple", true); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Block Implicit Outbound 
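Review bot: The rewritten heading says "Do not submit invalid URIs entered in the address bar to the default search engine", but the line under it sets `keyword.enabled` to true, which is the tagged default and keeps the search fallback on. Mistyped or internal hostnames typed into the address bar would therefore still be sent to the search engine, which is the leak the removed comment ("Don't leak typos to a search engine") warned about. Either set `user_pref("keyword.enabled", false); // [DEFAULT: true]` to match the heading, or reword the heading to say the fallback is intentionally left enabled.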
@@ -550,6 +608,7 @@ user_pref("network.prefetch-next", false); // http://kb.mozillazine.org/Network.dns.disablePrefetch // https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching user_pref("network.dns.disablePrefetch", true); +user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF] // ------------------------------------- // Pref : Disable speculative pre-connections // Disable prefetch link on hover. @@ -572,7 +631,7 @@ user_pref("network.predictor.cleaned-up", true); user_pref("network.predictor.enable-prefetch", false); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -// Section : HTTP / TCP/IP / DNS / PROXY / SOCKS etc. +// Section : HTTP* / TCP/IP / DNS / PROXY / SOCKS etc. // >>>>>>>>>>>>>>>>>>>> // Pref : Disable IPv6 // If your OS or ISP does not support IPv6, there is no reason to have this preference set to false. @@ -619,6 +678,11 @@ user_pref("network.proxy.autoconfig_url.include_path", false); // [DEFAULT: fals user_pref("network.trr.mode", 0); user_pref("network.trr.bootstrapAddress", ""); user_pref("network.trr.uri", ""); +// ------------------------------------- +// Pref : Enable Subresource Integrity +// https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity +// https://wiki.mozilla.org/Security/Subresource_Integrity +user_pref("security.sri.enable", true); // [DEFAULT: true] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : HTTPS (SSL/TLS / OCSP / Certs / HPKP / Ciphers) 
@@ -638,20 +702,19 @@ user_pref("security.ssl.require_safe_negotiation", true); user_pref("security.tls.version.min", 3); user_pref("security.tls.version.max", 4); // ------------------------------------- -// Pref : Disable SSL session tracking -// SSL Session IDs are unique, last up to 24hrs in Firefox, and can be used for tracking. -// [SETUP-PERF] Relax this if you have FPI enabled and you understand the consequences. FPI isolates these, but it was designed with the Tor protocol in mind, and the Tor Browser has extra protection, including enhanced sanitizing per Identity. -// https://tools.ietf.org/html/rfc5077 -// https://bugzilla.mozilla.org/967977 -// https://arxiv.org/abs/1810.07304 -// user_pref("security.ssl.disable_session_identifiers", true); -// ------------------------------------- // Pref : Disable SSL Error Reporting // https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html user_pref("security.ssl.errorReporting.enabled", false); user_pref("security.ssl.errorReporting.automatic", false); user_pref("security.ssl.errorReporting.url", ""); // ------------------------------------- +// Pref : Disable SSL session tracking +// SSL Session IDs are unique, last up to 24hrs in Firefox, and can be used for tracking +// https://tools.ietf.org/html/rfc5077 +// https://bugzilla.mozilla.org/967977 +// https://arxiv.org/abs/1810.07304 +user_pref("security.ssl.disable_session_identifiers", true); // [DEFAULT: true] // [HIDDEN PREF] +// ------------------------------------- // Pref : Disable TLS1.3 0-RTT (round-trip time) // https://github.com/tlswg/tls13-spec/issues/1001 // https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ 
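Review bot: The tag on the now-active `security.ssl.disable_session_identifiers` line reads `[DEFAULT: true] // [HIDDEN PREF]`, which conflicts with the heading: if session identifiers were already disabled by default the line would change nothing, and a hidden pref has no about:config entry from which to read a default. I believe the effective default is false, so the tag should be `// [DEFAULT: false] // [HIDDEN PREF]` or simply `// [HIDDEN PREF]`. The hunk also drops the old [SETUP-PERF] caveat; a short replacement such as `// [NOTE] Disables TLS session resumption, so reconnects need a full handshake` would tell users why page loads may get slower.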
@@ -732,14 +795,32 @@ user_pref("security.ssl3.rsa_des_ede3_sha", false); user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); // ------------------------------------- +// Pref : Enable GCM ciphers (TLSv1.2 only) +// https://en.wikipedia.org/wiki/Galois/Counter_Mode +user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // [DEFAULT: true] +user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); // [DEFAULT: true] +// ------------------------------------- +// Pref : Enable ciphers with ECDHE and key size > 128bits +user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); // [DEFAULT: true] +user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // [DEFAULT: true] +// ------------------------------------- +// Pref : Enable ChaCha20 and Poly1305 +// https://www.mozilla.org/en-US/firefox/47.0/releasenotes/ +// https://tools.ietf.org/html/rfc7905 +// https://bugzilla.mozilla.org/show_bug.cgi?id=917571 +// https://bugzilla.mozilla.org/show_bug.cgi?id=1247860 +// https://cr.yp.to/chacha.html +user_pref("security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", true); +user_pref("security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256", true); +// ------------------------------------- // Pref : Disable DHE (Diffie-Hellman Key Exchange) // https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); // ------------------------------------- -// Pref : Disable the remaining non-modern cipher suites -user_pref("security.ssl3.rsa_aes_128_sha", false); -user_pref("security.ssl3.rsa_aes_256_sha", false); +// Pref : Fallbacks due compatibility reasons +user_pref("security.ssl3.rsa_aes_128_sha", true); +user_pref("security.ssl3.rsa_aes_256_sha", true); // ------------------------------------- // Pref : Warn the user when server doesn't support RFC 5746 ("safe" renegotiation) 
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken @@ -756,6 +837,14 @@ user_pref("browser.ssl_override_behavior", 1); // https://subdomain.preloaded-hsts.badssl.com/ // [TEST] https://expired.badssl.com/ user_pref("browser.xul.error_pages.expert_bad_cert", true); +// ------------------------------------- +// Pref : Disable GIO as a potential proxy bypass vector +// Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda, gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far. +// https://bugzilla.mozilla.org/1433507 +// https://trac.torproject.org/23044 +// https://en.wikipedia.org/wiki/GVfs +// https://en.wikipedia.org/wiki/GIO_(software) +user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : User Settings @@ -815,8 +904,8 @@ user_pref("signon.rememberSignons", false); // 0=the first time (default), 1=every time it's needed, 2=every n minutes user_pref("security.ask_for_password", 2); // ------------------------------------- -// Pref : Set how often in minutes Firefox should ask for the master password in minutes, default is 30 -user_pref("security.password_lifetime", 5); +// Pref : Set how often in minutes Firefox should ask for the master password +user_pref("security.password_lifetime", 1); // [DEFAULT: 30] // ------------------------------------- // Pref : Disable auto-filling username & password form fields // Can leak in cross-site forms AND be spoofed. 
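Review bot: Flipping `security.ssl3.rsa_aes_128_sha` and `security.ssl3.rsa_aes_256_sha` back to true re-admits static-RSA key exchange with CBC and SHA-1, which provides no forward secrecy; the heading being replaced called these "non-modern cipher suites". If they have to stay for compatibility, the new heading should state the trade-off, e.g. `// [NOTE] No forward secrecy; set to false unless a site you need fails to connect`. The "key size > 128bits" block in the same hunk likewise enables the CBC/SHA-1 `ecdhe_*_aes_256_sha` suites while the context lines directly above disable their 128-bit siblings, and the GCM block lists only the 128-bit GCM suites, so the resulting suite set looks inconsistent and deserves a comment explaining the intended policy.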
@@ -895,7 +984,6 @@ user_pref("dom.popup_allowed_events", "click dblclick"); // [DEFAULT: "change cl // ------------------------------------- // Pref : Disable disk cache user_pref("browser.cache.disk.enable", false); -user_pref("browser.cache.disk.capacity", 0); user_pref("browser.cache.disk.smart_size.enabled", false); user_pref("browser.cache.disk.smart_size.first_run", false); // ------------------------------------- @@ -936,6 +1024,10 @@ user_pref("browser.sessionstore.interval", 30000); // ------------------------------------- // Pref : Disable favicons in web notifications user_pref("alerts.showFavicons", false); +// ------------------------------------- +// Pref : Delete Search and Form History +// CIS Version 1.2.0 October 21st, 2011 2.5.6 +user_pref("browser.formfill.expire_days", 0); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Geolocation 
@@ -947,26 +1039,23 @@ user_pref("geo.wifi.xhr.timeout", -1); // Pref : Disable GeoIP lookup on your address to set default search engine region // https://trac.torproject.org/projects/tor/ticket/16254 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine +user_pref("browser.search.countryCode", "US"); // [HIDDEN PREF] user_pref("browser.search.region", "US"); user_pref("browser.search.geoip.url", ""); user_pref("browser.search.geoip.timeout", -1); user_pref("browser.search.geoSpecificDefaults.url", ""); user_pref("browser.snippets.geoUrl", ""); // ------------------------------------- -// Pref : Set Browser locale -// [FENNEC] -user_pref("intl.locale.os", "en-US"); -// ------------------------------------- -// Pref : Set OS & APP locale -// If set to empty, the OS locales are used. If not set at all, default locale is used -user_pref("intl.locale.requested", "en-US"); -// ------------------------------------- // Pref : Set language to match user_pref("intl.accept_languages", "en-US, en"); // ------------------------------------- // Pref : Use APP locale over OS locale in regional preferences // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1379420,1364789 user_pref("intl.regional_prefs.use_os_locales", false); +// ------------------------------------- +// Pref : Enforce US English locale regardless of the system locale +// https://bugzilla.mozilla.org/867501 +user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Fonts 
@@ -1070,7 +1159,6 @@ user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozi // Pref : Opt-out of add-on metadata updates // https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/ user_pref("extensions.getAddons.cache.enabled", false) -user_pref("extensions.getAddons.search.browseURL", ""); // ------------------------------------- // Pref : Disable Google Safe Browsing (Block dangerous and deceptive contents) user_pref("browser.safebrowsing.allowOverride", false); @@ -1149,7 +1237,7 @@ user_pref("network.cookie.thirdparty.sessionOnly", true); user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // ------------------------------------- // Pref : Delete cookies and site data on close -// 0=keep until they expire (default), 2=keep until you close Firefox +// 0=keep until they expire (default), 1=user is prompted, 2=keep until you close Firefox // [NOTE] The setting below is disabled (but not changed) if you block all cookies // user_pref("network.cookie.lifetimePolicy", 2); // ------------------------------------- 
@@ -1168,11 +1256,14 @@ user_pref("network.cookie.same-site.enabled", true); // [DEFAULT: true] // You are better off using an extension for more granular control // user_pref("dom.storage.enabled", false); // ------------------------------------- -// Pref : Enforce IndexedDB (IDB) as enabled -// IDB is required for extensions and Firefox internals. -// To control *website* IDB data, control allowing cookies and service workers, or use Temporary Containers. To mitigate *website* IDB, FPI helps, and/or sanitize on close (Offline Website Data, see 2800) or on-demand (Ctrl-Shift-Del), or automatically via an extension. Note that IDB currently cannot be sanitized by host. -// https://blog.mozilla.org/addons/2018/08/03/new-backend-for-storage-local-api/ -user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true] +// Pref : Disable IndexedDB +// https://developer.mozilla.org/en-US/docs/IndexedDB +// https://en.wikipedia.org/wiki/Indexed_Database_API +// https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review +// http://forums.mozillazine.org/viewtopic.php?p=13842047 +// https://github.com/pyllyukko/user.js/issues/8 +// [NOTE] IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled +// user_pref("dom.indexedDB.enabled", false); // [DEFAULT: true] // ------------------------------------- // Pref : Do not download URLs for the offline cache // http://kb.mozillazine.org/Browser.cache.offline.enable 
@@ -1206,6 +1297,11 @@ user_pref("dom.storageManager.enabled", false); // Pref : Disable Storage Access API // https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API user_pref("dom.storage_access.enabled", false); +// ------------------------------------- +// Pref : Enforce websites to ask to store data for offline use +// https://support.mozilla.org/questions/1098540 +// https://bugzilla.mozilla.org/959985 +user_pref("offline-apps.allow_by_default", false); // [DEFAULT: true] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Headers / Referers @@ -1243,6 +1339,10 @@ user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] // https://bugzilla.mozilla.org/1305144 user_pref("network.http.referer.hideOnionSource", true); // [DEFAULT: false] // ------------------------------------- +// Pref : Reject .onion hostnames before passing the to DNS +// https://bugzilla.mozilla.org/show_bug.cgi?id=1228457 +user_pref("network.dns.blockDotOnion", true); // [DEFAULT: true] +// ------------------------------------- // Pref : Disable the DNT (Do Not Track) HTTP header user_pref("privacy.donottrackheader.enabled", false); // [DEFAULT: true] // 
@@ -1374,12 +1474,16 @@ user_pref("dom.webaudio.enabled", false); // [DEFAULT: true] // >>>>>>>>>>>>>>>>>>>> // Pref : Enable "Always enable zoom" feature by default // Just for a better experience -// [FENNEC] user_pref("browser.ui.zoom.force-user-scalable", true); // [DEFAULT: false] // ------------------------------------- // Pref : Disable location bar autocomplete and suggestion types // https://bugzilla.mozilla.org/1502392 // http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5 user_pref("browser.urlbar.autocomplete.enabled", false); // [DEFAULT: true] +// ------------------------------------- +// Pref : Set bookmarks backups +// To compensate for the case of bookmarks being lost due to a system crash. +// http://kb.mozillazine.org/Browser.bookmarks.max_backups +user_pref("browser.bookmarks.max_backups", 2); // [DEFAULT: 5] // //