diff --git a/config/mozilla.cfg b/config/mozilla.cfg index a9d1775..31acb44 100644 --- a/config/mozilla.cfg +++ b/config/mozilla.cfg @@ -14,7 +14,6 @@ // Librefox : https://github.com/intika/Librefox // pyllyukko : https://github.com/pyllyukko/user.js // OrangeManBad : https://git.nixnet.xyz/OrangeManBad/user.js -// CHEF-KOCH : https://github.com/CHEF-KOCH/FFCK/tree/master/user.js // // License : https://git.nixnet.xyz/quindecim/mozilla.cfg/src/branch/master/LICENSE.txt // @@ -107,6 +106,10 @@ lockPref("browser.newtabpage.activity-stream.discoverystream.region-basic-layout lockPref("browser.newtabpage.activity-stream.discoverystream.region-layout-config", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.discoverystream.region-spocs-config", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.discoverystream.region-stories-config", ""); // [DESKTOP] +lockPref("browser.newtabpage.activity-stream.discoverystream.recs.personalized", false); // [DESKTOP] +lockPref("browser.newtabpage.activity-stream.discoverystream.spocs.personalized", false); // [DESKTOP] +lockPref("browser.newtabpage.activity-stream.feeds.system.topsites", false); // [DESKTOP] +lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false); // [DESKTOP] // ------------------------------------- // Pref : Disable new tab tile ads & preload // https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping @@ -125,6 +128,7 @@ lockPref("browser.startup.homepage_override.mstone", "ignore"); // https://bugzilla.mozilla.org/show_bug.cgi?id=1617783 lockPref("browser.aboutwelcome.enabled", false); // [DESKTOP] lockPref("trailhead.firstrun.branches", ""); // [DESKTOP] +lockPref("browser.aboutwelcome.overrideContent", ""); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Quiet Fox @@ -422,7 +426,6 @@ lockPref("extensions.abuseReport.enabled", false); lockPref("extensions.abuseReport.url", ""); lockPref("extensions.abuseReport.amoDetailsURL", ""); lockPref("extensions.abuseReport.amWebAPI.enabled", false); -lockPref("extensions.abuseReport.openDialog", false); // ------------------------------------- // Pref : Disable Firefox Hello metrics collection // https://groups.google.com/d/topic/mozilla.dev.platform/nyVkCx-_sFw/discussion @@ -446,6 +449,9 @@ lockPref("browser.contentblocking.report.social.url", ""); // [DESKTOP] lockPref("browser.contentblocking.report.tracker.url", ""); // [DESKTOP] lockPref("browser.contentblocking.allowlist.annotations.enabled", false); // [FENNEC] lockPref("browser.contentblocking.allowlist.storage.enabled", false); // [FENNEC] +lockPref("browser.contentblocking.report.endpoint_url", ""); // [DESKTOP] +lockPref("browser.contentblocking.report.monitor.home_page_url", ""); // [DESKTOP] +lockPref("browser.contentblocking.report.monitor.preferences_url", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable lockwise app callout to the ETP card // https://bugzilla.mozilla.org/show_bug.cgi?id=1612091 @@ -562,6 +568,12 @@ lockPref("security.remote_settings.crlite_filters.signer", ""); // Pref : Disable Default Browser Agent // https://firefox-source-docs.mozilla.org/main/latest/toolkit/mozapps/defaultagent/default-browser-agent/index.html lockPref("default-browser-agent.enabled", false); // [WINDOWS] // [DESKTOP] +// ------------------------------------- +// Pref : Disable location bar leaking single words to a DNS provider (after searching) +// 0=never resolve single words, 1=heuristic (default), 2=always resolve +// [NOTE] For FF78 value 1 and 2 are the same and always resolve but that will change in future versions +// https://bugzilla.mozilla.org/1642623 +lockPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : IJWY To Shut Up @@ -717,6 +729,7 @@ lockPref("browser.snippets.syncPromo.enabled", false); // [FENNEC] // Pref : Disable Webextensions sync lockPref("webextensions.storage.sync.enabled", false); // [DESKTOP] lockPref("webextensions.storage.sync.serverURL", ""); +lockPref("webextensions.storage.sync.kinto", false); // ------------------------------------- // Pref : Force Punycode for Internationalized Domain Names // https://www.xudongz.com/blog/2017/idn-phishing/ @@ -750,7 +763,7 @@ lockPref("media.webspeech.test.fake_recognition_service", false); // [DEFAULT: f lockPref("browser.search.geoSpecificDefaults", false); // ------------------------------------- // Pref : Don't monitor OS online/offline connection state -// https://trac.torproject.org/projects/tor/ticket/18945 +// https://gitlab.torproject.org/legacy/trac/-/issues/18945 lockPref("network.manage-offline-status", false); // [DEFAULT: true] // ------------------------------------- // Pref : Set File URI Origin Policy @@ -766,7 +779,7 @@ lockPref("security.dialog_enable_delay", 700); // ------------------------------------- // Pref : Disable ADB extension download // https://developer.mozilla.org/docs/Tools/WebIDE -// https://trac.torproject.org/projects/tor/ticket/16222 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 defaultPref("devtools.debugger.remote-enabled", false); lockPref("devtools.remote.adb.extensionURL", ""); // [DESKTOP] lockPref("devtools.remote.adb.extensionID", ""); // [DESKTOP] @@ -799,7 +812,7 @@ lockPref("mathml.disabled", true); lockPref("middlemouse.paste", false); // ------------------------------------- // Pref : Disable middle mouse click opening links from clipboard -// https://trac.torproject.org/projects/tor/ticket/10089 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 lockPref("middlemouse.contentLoadURL", false); // ------------------------------------- // Pref : Limit HTTP redirects (this does not control redirects with HTML meta tags or JS) @@ -920,6 +933,7 @@ lockPref("browser.urlbar.filter.javascript", true); // [DESKTOP] defaultPref("pdfjs.disabled", true); // [DEFAULT: false] // [DESKTOP] lockPref("pdfjs.enabledCache.state", false); // [DESKTOP] lockPref("pdfjs.previousHandler.alwaysAskBeforeHandling", true); // [DESKTOP] +defaultPref("browser.helperApps.showOpenOptionForPdfJS", false); // [DESKTOP] // ------------------------------------- // Pref : Disable exposure of system colors to CSS or canvas // [NOTE] See second listed bug: may cause black on black for elements with undefined colors @@ -998,6 +1012,14 @@ lockPref("dom.push.udp.wakeupEnabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable hiding mime types not associated with a plugin lockPref("browser.download.hide_plugins_without_extensions", false); // [DESKTOP] +// ------------------------------------- +// Pref : Disable PiP (Picture-in-picture) +lockPref("media.videocontrols.picture-in-picture.enabled", false); +lockPref("media.videocontrols.picture-in-picture.video-toggle.enabled", false); +lockPref("media.videocontrols.picture-in-picture.video-toggle.flyout-enabled", false); // [FENIX] +lockPref("media.videocontrols.picture-in-picture.audio-toggle.enabled", false); // [DESKTOP] +lockPref("media.videocontrols.picture-in-picture.keyboard-controls.enabled", false); // [DESKTOP] +lockPref("media.videocontrols.picture-in-picture.video-toggle.always-show", false); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : DOM (Document Object Model) & Javascript @@ -1039,7 +1061,7 @@ lockPref("javascript.options.asmjs", false); // [NOTE] In FF75+, when (both) Ion and JIT are disabled, **and** the new hidden pref is enabled, then Ion can still be used by extensions // [WARNING] Disabling Ion/JIT can cause some site issues and performance loss // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 -// https://trac.torproject.org/projects/tor/ticket/26019 +// https://gitlab.torproject.org/legacy/trac/-/issues/26019 lockPref("javascript.options.ion", false); lockPref("javascript.options.baselinejit", false); // [FENNEC - BUG] Addons issues lockPref("javascript.options.jit_trustedprincipals", true); // [HIDDEN PREF] // [DESKTOP ?] @@ -1049,7 +1071,7 @@ lockPref("javascript.options.native_regexp", false); // https://webassembly.org/ // https://developer.mozilla.org/docs/WebAssembly // https://en.wikipedia.org/wiki/WebAssembly -// https://trac.torproject.org/projects/tor/ticket/21549 +// https://gitlab.torproject.org/legacy/trac/-/issues/21549 lockPref("javascript.options.wasm", false); lockPref("javascript.options.wasm_baselinejit", false); lockPref("javascript.options.wasm_cranelift", false); @@ -1058,6 +1080,7 @@ lockPref("javascript.options.wasm_ionjit", false); lockPref("javascript.options.wasm_reftypes", false); lockPref("javascript.options.wasm_trustedprincipals", false); lockPref("javascript.options.wasm_verbose", false); +lockPref("javascript.options.wasm_multi_value", false); // ------------------------------------- // Pref : Disable Intersection Observer API // Almost a year to complete, three versions late to stable (as default false), number #1 cause of crashes in nightly numerous times, and is (primarily) an ad network API for "ad viewability checks" down to a pixel level @@ -1069,7 +1092,7 @@ lockPref("dom.IntersectionObserver.enabled", false); // Pref : Disable Shared Memory (Spectre mitigation) // https://github.com/tc39/ecmascript_sharedmem/blob/master/TUTORIAL.md // https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ -lockPref("javascript.options.shared_memory", false); // [DEFAULT: false] +lockPref("javascript.options.shared_memory", false); // [DEFAULT: true] // ------------------------------------- // Pref : Enable (limited but sufficient) window.opener protection // Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set @@ -1084,7 +1107,7 @@ lockPref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: false] // lockPref("general.buildID.override", ""); // ------------------------------------- // Pref : Disable raw TCP socket support (mozTCPSocket) -// https://trac.torproject.org/projects/tor/ticket/18863 +// https://gitlab.torproject.org/legacy/trac/-/issues/18863 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/ // https://developer.mozilla.org/docs/Mozilla/B2G_OS/API/TCPSocket lockPref("dom.mozTCPSocket.enabled", false); // [DESKTOP] @@ -1139,7 +1162,7 @@ lockPref("media.realtime_decoder.enabled", false); // [DEFAULT: true] // [FENNEC lockPref("canvas.capturestream.enabled", false); // ------------------------------------- // Pref : Disable camera image capture -// https://trac.torproject.org/projects/tor/ticket/16339 +// https://gitlab.torproject.org/legacy/trac/-/issues/16339 lockPref("dom.imagecapture.enabled", false); // [DEFAULT: false] // ------------------------------------- // Pref : Disable offscreen canvas @@ -1154,7 +1177,9 @@ lockPref("media.autoplay.block-event.enabled", true); // [DEFAULT: false] lockPref("media.autoplay.block-webaudio", true); // [DEFAULT: false] // ------------------------------------- // Pref : Disable autoplay of HTML5 media if you interacted with the site -lockPref("media.autoplay.enabled.user-gestures-needed", true); // [DEFAULT: true] +// 0=sticky (default), 1=transient, 2=user +// https://html.spec.whatwg.org/multipage/interaction.html#sticky-activation +lockPref("media.autoplay.blocking_policy", 2); // ------------------------------------- // Pref : Disable autoplay of HTML5 media in non-active tabs // https://www.ghacks.net/2016/11/14/firefox-51-blocks-automatic-audio-playback-in-non-active-tabs/ @@ -1200,7 +1225,7 @@ defaultPref("browser.formfill.enable", false); // ------------------------------------- // Pref : Disable date/time picker // [WARNING] This can leak your locale if not en-US -// https://trac.torproject.org/projects/tor/ticket/21787 +// https://gitlab.torproject.org/legacy/trac/-/issues/21787 // https://bugzilla.mozilla.org/show_bug.cgi?id=1287503 // lockPref("dom.forms.datetime", false); // ------------------------------------- @@ -1236,6 +1261,7 @@ lockPref("browser.urlbar.autocomplete.enabled", false); // [FENNEC] defaultPref("browser.urlbar.suggest.history", false); // [DESKTOP] defaultPref("browser.urlbar.suggest.bookmark", false); // [DESKTOP] defaultPref("browser.urlbar.suggest.openpage", false); // [DESKTOP] +defaultPref("browser.urlbar.suggest.topsites", false); // [DESKTOP] // ------------------------------------- // Pref : Disable browsing and download history // lockPref("places.history.enabled", false); // [DESKTOP] @@ -1380,7 +1406,10 @@ lockPref("network.predictor.enable-hover-on-ssl", false); // Section : HTTP* / TCP/IP / DNS / PROXY / SOCKS etc. // >>>>>>>>>>>>>>>>>>>> // Pref : Disable IPv6 -// If your OS or ISP does not support IPv6, there is no reason to have this preference set to false. +// IPv6 can be abused, especially regarding MAC addresses. They also do not play nice with VPNs. That's even assuming your ISP and/or router and/or website can handle it. +// [STATS] Firefox telemetry (June 2020) shows only 5% of all connections are IPv6 +// [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, then this won't make much difference. If you are masking your IP, then it can only help. +// [TEST] https://ipleak.org/ lockPref("network.dns.disableIPv6", true); // ------------------------------------- // Pref : Disable HTTP2 (which was based on SPDY which is now deprecated) @@ -1423,7 +1452,7 @@ defaultPref("network.trr.resolvers", "[]"); lockPref("security.sri.enable", true); // [DEFAULT: true] // ------------------------------------- // Pref : Disable using UNC (Uniform Naming Convention) paths -// https://trac.torproject.org/projects/tor/ticket/26424 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 lockPref("network.file.disable_unc_paths", true); // [HIDDEN PREF] // [DESKTOP] // ------------------------------------- // Pref : Disable HTTP Alternative Services @@ -1456,14 +1485,6 @@ lockPref("network.negotiate-auth.allow-insecure-ntlm-v1", false); // [DESKTOP] // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 lockPref("security.ssl.require_safe_negotiation", true); // ------------------------------------- -// Pref : Control TLS versions with min and max -// 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 -// [WARNING] Leave these at default, otherwise you alter your TLS fingerprint. -// Firefox telemetry (April 2020) shows only 0.25% of TLS web traffic uses 1.0 or 1.1 -// https://www.ssllabs.com/ssl-pulse/ -// lockPref("security.tls.version.min", 3); -// lockPref("security.tls.version.max", 4); -// ------------------------------------- // Pref : Enforce TLS 1.0 and 1.1 downgrades as session only lockPref("security.tls.version.enable-deprecated", false); // ------------------------------------- @@ -1528,7 +1549,7 @@ lockPref("security.pki.sha1_enforcement_level", 1); // 0=disable detecting Family Safety mode and importing the root // 1=only attempt to detect Family Safety mode (don't import the root) // 2=detect Family Safety mode and import the root -// https://trac.torproject.org/projects/tor/ticket/21686 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 lockPref("security.family_safety.mode", 0); // ------------------------------------- // Pref : Enfore Public Key Pinning @@ -1538,7 +1559,7 @@ lockPref("security.family_safety.mode", 0); lockPref("security.cert_pinning.enforcement_level", 2); // ------------------------------------- // Pref : Disable insecure active content on https pages -// https://trac.torproject.org/projects/tor/ticket/21323 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 lockPref("security.mixed_content.block_active_content", true); // [DEFAULT: true] // ------------------------------------- // Pref : Disable insecure passive content (such as images) on https pages @@ -1589,15 +1610,11 @@ lockPref("security.ssl3.ecdhe_ecdsa_null_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdh_rsa_null_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdh_ecdsa_null_sha", false); // [DESKTOP] // ------------------------------------- -// Pref : Enable GCM ciphers (TLSv1.2 only) +// Pref : Enable GCM ciphers (TLS 1.2 only) // https://en.wikipedia.org/wiki/Galois/Counter_Mode lockPref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // [DEFAULT: true] lockPref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); // [DEFAULT: true] // ------------------------------------- -// Pref : Disable ciphers with ECDHE and key size > 128bits -lockPref("security.ssl3.ecdhe_rsa_aes_256_sha", false); // [DEFAULT: true] -lockPref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // [DEFAULT: true] -// ------------------------------------- // Pref : Enable ChaCha20 and Poly1305 // https://www.mozilla.org/en-US/firefox/47.0/releasenotes/ // https://tools.ietf.org/html/rfc7905 @@ -1607,9 +1624,11 @@ lockPref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // [DEFAULT: true] lockPref("security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", true); lockPref("security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256", true); // ------------------------------------- -// Pref : Disable the remaining non-modern cipher suites (fallbacks) -lockPref("security.ssl3.rsa_aes_128_sha", false); -lockPref("security.ssl3.rsa_aes_256_sha", false); +// Pref : Ciphers with CBC & SHA-1 (disabled) +lockPref("security.ssl3.ecdhe_rsa_aes_256_sha", false); // [DEFAULT: true] +lockPref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // [DEFAULT: true] +lockPref("security.ssl3.rsa_aes_128_sha", false); // [DEFAULT: true] +lockPref("security.ssl3.rsa_aes_256_sha", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable ciphers with DSA (max 1024 bits) lockPref("security.ssl3.dhe_dss_aes_128_sha", false); // [DESKTOP] @@ -1640,8 +1659,10 @@ lockPref("security.ssl3.rsa_rc4_128_sha", false); // [DESKTOP] // ------------------------------------- // Pref : Display warning on the padlock for "broken security" // [BUG] Warning padlock not indicated for subresources on a secure page! +// [STATS] SSL Labs (June 2020) reports 98.8% of sites have secure renegotiation // https://wiki.mozilla.org/Security:Renegotiation // https://bugzilla.mozilla.org/1353705 +// https://www.ssllabs.com/ssl-pulse/ lockPref("security.ssl.treat_unsafe_negotiation_as_broken", true); // ------------------------------------- // Pref : Control "Add Security Exception" dialog on SSL warnings @@ -1657,7 +1678,7 @@ lockPref("browser.xul.error_pages.expert_bad_cert", true); // Pref : Disable GIO as a potential proxy bypass vector // Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda, gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far. // https://bugzilla.mozilla.org/1433507 -// https://trac.torproject.org/23044 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 // https://en.wikipedia.org/wiki/GVfs // https://en.wikipedia.org/wiki/GIO_(software) lockPref("network.gio.supported-protocols", ""); // [HIDDEN PREF] @@ -1773,7 +1794,7 @@ lockPref("dom.disable_window_move_resize", true); // [DEFAULT: true] // This stops malicious window sizes and some screen resolution leaks. // You can still right-click a link and open in a new window. // [TEST] https://people.torproject.org/~gk/misc/entire_desktop.html -// https://trac.torproject.org/projects/tor/ticket/9881 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 defaultPref("browser.link.open_newwindow", 3); // [DEFAULT: 3] defaultPref("browser.link.open_newwindow.restriction", 0); // [DEFAULT: 0] // ------------------------------------- @@ -1900,8 +1921,10 @@ lockPref("geo.provider.ms-windows-location", false); // [WINDOWS] // [DESKTOP] lockPref("geo.provider.use_corelocation", false); // [MAC] // [DESKTOP] lockPref("geo.provider.use_gpsd", false); // [LINUX] // [DESKTOP] lockPref("geo.provider.network.url", ""); -lockPref("geo.provider-country.network.scan", false); -lockPref("geo.provider-country.network.url", ""); +lockPref("browser.region.update.enabled", false); // [FENIX] +lockPref("browser.region.log", false); +lockPref("browser.region.network.scan", false); +lockPref("browser.region.network.url", ""); // ------------------------------------- // Pref : Disable logging geolocation to the console lockPref("geo.provider.network.logging.enabled", false); // [HIDDEN PREF] // [DESKTOP] @@ -1909,7 +1932,7 @@ lockPref("geo.provider.network.logging.enabled", false); // [HIDDEN PREF] // [DE // Pref : Enforce fallback text encoding to match en-US // When the content or server doesn't declare a charset the browser will fallback to the "Current locale" based on your application language // [TEST] https://hsivonen.com/test/moz/check-charset.htm -// https://trac.torproject.org/projects/tor/ticket/20025 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025 lockPref("intl.charset.fallback.override", "windows-1252"); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @@ -1932,7 +1955,7 @@ lockPref("font.name.monospace.x-western", "Lucida Console"); // [DEFAULT: Courie // Pref : Disable icon fonts (glyphs) and local fallback rendering // [NOTE] You can do this with uBlock Origin // https://bugzilla.mozilla.org/789788 -// https://trac.torproject.org/projects/tor/ticket/8455 +// https://gitlab.torproject.org/legacy/trac/-/issues/8455 // https://github.com/gorhill/uBlock/wiki/Per-site-switches#no-remote-fonts // defaultPref("gfx.downloadable_fonts.enabled", false); // defaultPref("gfx.downloadable_fonts.fallback_delay", -1); @@ -2408,8 +2431,8 @@ lockPref("media.navigator.video.enabled", false); // [NOTE] *may* affect core performance, will affect content. // Default settings seems to be the best // https://bugzilla.mozilla.org/1008453 -// https://trac.torproject.org/projects/tor/ticket/21675 -// https://trac.torproject.org/projects/tor/ticket/22127 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21675 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22127 // https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency // lockPref("dom.maxHardwareConcurrency", 2); // ------------------------------------- @@ -2424,7 +2447,7 @@ lockPref("dom.enable_performance", false); // [DEFAULT: true] lockPref("dom.enable_performance_navigation_timing", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable sensor API -// https://trac.torproject.org/projects/tor/ticket/15758 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15758 // https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/ // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751 lockPref("device.sensors.enabled", false); // [DEFAULT: true] @@ -2436,7 +2459,7 @@ lockPref("device.sensors.test.events", false); // [DEFAULT: false] // ------------------------------------- // Pref : Disable gamepad API - USB device ID enumeration // Optional protection depending on your connected devices -// https://trac.torproject.org/projects/tor/ticket/13023 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13023 lockPref("dom.gamepad.enabled", false); // [DEFAULT: true] lockPref("dom.gamepad.extensions.enabled", false); // [DEFAULT: true] lockPref("dom.gamepad.haptic_feedback.enabled", false); // [DEFAULT: false] @@ -2459,7 +2482,7 @@ lockPref("media.webspeech.synth.enabled", false); // [DEFAULT: true] lockPref("media.webspeech.synth_force_global_queue", false); // [DEFAULT: false] // ------------------------------------- // Pref : Disable video statistics - JS performance fingerprinting -// https://trac.torproject.org/projects/tor/ticket/15757 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15757 // https://bugzilla.mozilla.org/654550 lockPref("media.video_stats.enabled", false); // [DEFAULT: true] // ------------------------------------- @@ -2468,7 +2491,7 @@ lockPref("media.video_stats.enabled", false); // [DEFAULT: true] // 0=disabled, 1=enabled, 2=autodetect // This pref is set to 2 by default, which results in the Touch API being exposed only when touch hardware is present. So we should either set it to "1" (enable) or "0" (disable) to ensure that JS code can't fingerprint the user's hardware. // https://developer.mozilla.org/docs/Web/API/Touch_events -// https://trac.torproject.org/projects/tor/ticket/10286 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10286 defaultPref("dom.w3c_touch_events.enabled", 0); // [DEFAULT: 2] // [FENNEC - BUG] ff disabled, disallow copy/paste any text // ------------------------------------- // Pref : Disable MediaDevices change detection @@ -2544,9 +2567,9 @@ lockPref("browser.startup.blankWindow", false); // [DESKTOP] // https://www.torproject.org/projects/torbrowser/design/#fingerprinting-defenses lockPref("dom.network.enabled", false); // [DESKTOP] // ------------------------------------- -// Pref : Enforce prefers-reduced-motion as no-preference -// 0=no-preference, 1=reduce -lockPref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] +// Pref : Disable chrome animations +// 0=no-preference, 1=reduce. RFP spoofs this for web content +lockPref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : UI (User Interface) @@ -2559,10 +2582,6 @@ lockPref("browser.contentblocking.trackingprotection.ui.enabled", false); // [DE // ------------------------------------- // Pref : Disable auto hide download button defaultPref("browser.download.autohideButton", false); // [DESKTOP] -// ------------------------------------- -// Pref : Disable browser animation -// https://bugzilla.mozilla.org/show_bug.cgi?id=1352069 -defaultPref("toolkit.cosmeticAnimations.enabled", false); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Personal @@ -2606,14 +2625,6 @@ defaultPref("browser.ctrlTab.recentlyUsedOrder", false); // [DESKTOP] defaultPref("view_source.wrap_long_lines", true); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -// Section : Hotfix -// >>>>>>>>>>>>>>>>>>>>> -// Pref : Disable UNC -// [NOTE] Disabling UNC can cause extension storage to fail -// https://github.com/ghacksuserjs/ghacks-user.js/issues/923 -lockPref("network.file.disable_unc_paths", false); // [HIDDEN PREF] -// -// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Deprecated / Removed / Legacy / Renamed // >>>>>>>>>>>>>>>>>>>> // ESR68.x still uses all the following prefs @@ -2877,7 +2888,7 @@ lockPref("dom.vr.openvr.action_input", false); // ------------------------------------- // Pref : Disable GeoIP-based search defaults // [NOTE] May not be hidden if Firefox has changed your settings due to your locale -// https://trac.torproject.org/projects/tor/ticket/16254 +// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine // lockPref("browser.search.region", "US"); // [HIDDEN PREF] // ------------------------------------- @@ -2928,3 +2939,36 @@ lockPref("signon.management.overrideURI", ""); // ------------------------------------- // FF78+ // ------------------------------------- +// Pref : Disable autoplay of HTML5 media if you interacted with the site +// https://bugzilla.mozilla.org/show_bug.cgi?id=1509933 +// https://hg.mozilla.org/mozilla-central/rev/5b34a70e2378 +// https://hg.mozilla.org/mozilla-central/rev/95805db3a142 +lockPref("media.autoplay.enabled.user-gestures-needed", true); +// ------------------------------------- +// Pref : Disable browser animations +// https://bugzilla.mozilla.org/show_bug.cgi?id=1640501 +// https://hg.mozilla.org/comm-central/rev/4d4bad93b27d +lockPref("toolkit.cosmeticAnimations.enabled", false); +// ------------------------------------- +// Pref : Control TLS versions with min and max +// 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 +// [WARNING] Leave these at default, otherwise you alter your TLS fingerprint. +// Firefox telemetry (April 2020) shows only 0.25% of TLS web traffic uses 1.0 or 1.1 +// https://www.ssllabs.com/ssl-pulse/ +// lockPref("security.tls.version.min", 3); +// lockPref("security.tls.version.max", 4); +// ------------------------------------- +// Pref : Disable extension's report option in about:addons +// https://bugzilla.mozilla.org/show_bug.cgi?id=1614653 +// https://hg.mozilla.org/mozilla-central/rev/92e149d41267 +// https://hg.mozilla.org/mozilla-central/rev/682318515715 +lockPref("extensions.abuseReport.openDialog", false); +// ------------------------------------- +// Pref : Disable using the OS's geolocation service +// https://bugzilla.mozilla.org/show_bug.cgi?id=1627538 +// https://hg.mozilla.org/mozilla-central/rev/710b5a3282f8 +lockPref("geo.provider-country.network.scan", false); +lockPref("geo.provider-country.network.url", ""); +// ------------------------------------- +// FF79+ +// -------------------------------------