Update mozilla.cfg
✅ Masked more builID in according to TBB ✅ reEnabled reader mode ⛔️ Locked documents loading fonts (this drastically limits/reduces font enumeration) ⛔️ Locked first run page (no more firefox welcome) ⛔️ Locked javascript Ion, baseline JIT and RegExp to help harden JS against exploits (disabled in TBB, performance loss??) [need test] ⛔️ Locked new cryptomining and fingerprinting trackingprotection ℹ️ Added some descriptions
This commit is contained in:
parent
88293ff1d3
commit
9d60d01678
|
@ -49,7 +49,8 @@ lockPref("browser.newtabpage.activity-stream.section.highlights.includePocket",
|
|||
lockPref("browser.newtabpage.activity-stream.showSponsored", false); // [DESKTOP]
|
||||
lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); // [DESKTOP]
|
||||
// -------------------------------------
|
||||
// Pref : Set HOME+NEWWINDOW page
|
||||
// Pref : Set first run page and HOME+NEWWINDOW page
|
||||
lockPref("startup.homepage_welcome_url", ""); // [DESKTOP]
|
||||
lockPref("browser.startup.homepage", "about:blank"); // [DESKTOP]
|
||||
// -------------------------------------
|
||||
// Pref : Disable Activity Stream Snippets
|
||||
|
@ -120,17 +121,15 @@ lockPref("browser.startup.homepage_override.mstone", "ignore");
|
|||
// Pref : Disable app from auto-update
|
||||
// lockPref("app.update.enabled", false);
|
||||
// lockPref("app.update.auto", false); // [DESKTOP]
|
||||
// lockPref("app.update.autodownload", ""); // [TEST]
|
||||
// lockPref("app.update.channel", ""); // [TEST]
|
||||
// lockPref("app.update.url", ""); // [DESKTOP]
|
||||
// lockPref("app.update.url.details", ""); // [DESKTOP]
|
||||
// lockPref("app.update.autodownload", ""); // [TEST] // [FENNEC]
|
||||
// lockPref("app.update.channel", "");
|
||||
lockPref("app.update.url", "https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml"); // [URL SANITIZED] // [DESKTOP]
|
||||
lockPref("app.update.url.details", "https://www.mozilla.org/firefox/notes"); // [URL SANITIZED] // [DESKTOP]
|
||||
// lockPref("app.update.url.manual", ""); // [DESKTOP]
|
||||
// lockPref("app.update.url.android", ""); // [FENNEC]
|
||||
// lockPref("app.update.timerFirstInterval", 0);
|
||||
// lockPref("app.update.timerMinimumDelay", 0);
|
||||
// lockPref("app.update.url.android", "https://aus5.mozilla.org/update/4/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%MOZ_VERSION%/update.xml"); // [TEST]
|
||||
// lockPref("app.update.service.enabled", false); // [DESKTOP]
|
||||
// lockPref("app.update.silent", false); // [DESKTOP]
|
||||
lockPref("app.update.silent", false); // [DESKTOP]
|
||||
// lockPref("app.update.staging.enabled", false); // [DESKTOP]
|
||||
lockPref("app.update.log.file", false); // [DESKTOP]
|
||||
// -------------------------------------
|
||||
|
@ -701,11 +700,6 @@ defaultPref("devtools.chrome.enabled", false);
|
|||
// https://bugzilla.mozilla.org/1173199
|
||||
lockPref("mathml.disabled", true);
|
||||
// -------------------------------------
|
||||
// Pref : Disable in-content SVG (Scalable Vector Graphics)
|
||||
// [SETUP-WEB] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
|
||||
// https://bugzilla.mozilla.org/1216893
|
||||
// lockPref("svg.disabled", true);
|
||||
// -------------------------------------
|
||||
// Pref : Disable middle mouse click paste
|
||||
// This preference determines how to handle middle clicks in text fields.
|
||||
// Useless on Android
|
||||
|
@ -865,6 +859,12 @@ lockPref("browser.tabs.closeTabByDblclick", true); // [DESKTOP]
|
|||
// Pref : Remove special permissions for certain mozilla domains
|
||||
// resource://app/defaults/permissions
|
||||
lockPref("permissions.manager.defaultsUrl", ""); // [DESKTOP]
|
||||
// -------------------------------------
|
||||
// Pref : Disable in-content SVG rendering
|
||||
// Disabling SVG support breaks many UI elements on many sites incl. youtube player controls
|
||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
|
||||
// https://github.com/iSECPartners/publications/raw/master/reports/Tor%20Browser%20Bundle/Tor%20Browser%20Bundle%20-%20iSEC%20Deliverable%201.3.pdf#16
|
||||
// lockPref("svg.disabled", true);
|
||||
//
|
||||
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|
||||
// Section : Web Workers
|
||||
|
@ -935,11 +935,13 @@ lockPref("dom.vibrator.enabled", false);
|
|||
// https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
|
||||
lockPref("javascript.options.asmjs", false);
|
||||
// -------------------------------------
|
||||
// Pref : Disable Ion and baseline JIT to help harden JS against exploits
|
||||
// Pref : Disable Ion, baseline JIT and RegExp to help harden JS against exploits
|
||||
// If false, causes the odd site issue and there is also a performance loss
|
||||
// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
|
||||
// https://trac.torproject.org/projects/tor/ticket/26019
|
||||
// lockPref("javascript.options.ion", false);
|
||||
// lockPref("javascript.options.baselinejit", false);
|
||||
// lockPref("javascript.options.native_regexp", false);
|
||||
// -------------------------------------
|
||||
// Pref : Disable WebAssembly
|
||||
// https://webassembly.org/
|
||||
|
@ -971,8 +973,11 @@ lockPref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: false]
|
|||
// Pref : Don't reveal build ID
|
||||
// Value taken from Tor Browser
|
||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=583181
|
||||
lockPref("general.buildID.override", "20100101"); // [DESKTOP]
|
||||
lockPref("browser.startup.homepage_override.buildID", "20100101"); // [DESKTOP]
|
||||
lockPref("general.buildID.override", "20100101");
|
||||
lockPref("browser.startup.homepage_override.buildID", "20100101");
|
||||
lockPref("media.gmp-manager.buildID", "20190307010101"); // [DESKTOP]
|
||||
lockPref("extensions.lastAppBuildID", "20190307010101");
|
||||
lockPref("browser.sessionstore.upgradeBackup.latestBuildID", "20190307010101"); // [DESKTOP]
|
||||
// -------------------------------------
|
||||
// Pref : Disable Archive API
|
||||
// https://wiki.mozilla.org/WebAPI/ArchiveAPI
|
||||
|
@ -1761,10 +1766,9 @@ lockPref("geo.wifi.logging.enabled", false); // [HIDDEN PREF] // [DESKTOP]
|
|||
// >>>>>>>>>>>>>>>>>>>>>>
|
||||
// Pref : Disable websites choosing fonts (0=block, 1=allow)
|
||||
// If you disallow fonts, this drastically limits/reduces font enumeration (by JS) which is a high entropy fingerprinting vector.
|
||||
// [NOTE] You can do this with uBlock Origin
|
||||
// [NOTE] Disabling fonts can uglify the web a fair bit.
|
||||
// https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
|
||||
// defaultPref("browser.display.use_document_fonts", 0);
|
||||
defaultPref("browser.display.use_document_fonts", 0);
|
||||
// -------------------------------------
|
||||
// Pref : Set more legible default fonts
|
||||
// [NOTE] Example below for Windows/Western only
|
||||
|
@ -1965,6 +1969,29 @@ lockPref("privacy.trackingprotection.enabled", false);
|
|||
lockPref("privacy.trackingprotection.pbmode.enabled", false);
|
||||
lockPref("privacy.trackingprotection.introURL", ""); // [DESKTOP]
|
||||
// -------------------------------------
|
||||
// Pref : Disable cryptomining trackingprotection
|
||||
// [NOTE] uBlock is far superior and you can customize the lists as you wish
|
||||
// https://m.wiki.mozilla.org/Security/Tracking_protection#Lists
|
||||
// https://github.com/AdroitAdorKhan/EnergizedProtection
|
||||
// https://github.com/theel0ja/firefox-recommendations/blob/master/README.md
|
||||
// https://github.com/hoshsadiq/adblock-nocoin-list
|
||||
lockPref("browser.contentblocking.cryptomining.preferences.ui.enabled", false); // [DESKTOP]
|
||||
lockPref("privacy.trackingprotection.cryptomining.annotate.enabled", false);
|
||||
lockPref("privacy.trackingprotection.cryptomining.enabled", false);
|
||||
lockPref("urlclassifier.features.cryptomining.blacklistTables", "");
|
||||
lockPref("urlclassifier.features.cryptomining.whitelistTables", "");
|
||||
// -------------------------------------
|
||||
// Pref : Disable fingerprinting trackingprotection
|
||||
// [NOTE] uBlock is far superior and you can customize the lists as you wish
|
||||
// https://m.wiki.mozilla.org/Security/Tracking_protection#Lists
|
||||
// https://github.com/AdroitAdorKhan/EnergizedProtection
|
||||
// https://github.com/theel0ja/firefox-recommendations/blob/master/README.md
|
||||
lockPref("browser.contentblocking.fingerprinting.preferences.ui.enabled", false); // [DESKTOP]
|
||||
lockPref("privacy.trackingprotection.fingerprinting.annotate.enabled", false);
|
||||
lockPref("privacy.trackingprotection.fingerprinting.enabled", false);
|
||||
lockPref("urlclassifier.features.fingerprinting.blacklistTables", "");
|
||||
lockPref("urlclassifier.features.fingerprinting.whitelistTables", "");
|
||||
// -------------------------------------
|
||||
// Pref : Disable PingCentre telemetry (used in several System Add-ons)
|
||||
// Currently blocked by 'datareporting.healthreport.uploadEnabled'
|
||||
lockPref("browser.ping-centre.telemetry", false); // [DESKTOP]
|
||||
|
@ -2144,7 +2171,13 @@ lockPref("network.http.referer.XOriginPolicy", 2);
|
|||
// 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port
|
||||
lockPref("network.http.referer.XOriginTrimmingPolicy", 2);
|
||||
// -------------------------------------
|
||||
// Pref : Disable spoofing a referer
|
||||
// Pref : Send a referer header with the target URI as the source
|
||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=822869
|
||||
// https://github.com/pyllyukko/user.js/issues/227
|
||||
// https://github.com/pyllyukko/user.js/issues/94
|
||||
// [NOTE] Spoofing referers breaks functionality on websites relying on authentic referer headers
|
||||
// [NOTE] Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
|
||||
// [NOTE] Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
|
||||
lockPref("network.http.referer.spoofSource", true); // [DEFAULT: false]
|
||||
// -------------------------------------
|
||||
// Pref : Set the default Referrer Policy
|
||||
|
@ -2378,7 +2411,7 @@ lockPref("pref.general.disable_button.default_browser", true); // [DESKTOP]
|
|||
lockPref("pref.privacy.disable_button.view_passwords", true); // [DESKTOP]
|
||||
// -------------------------------------
|
||||
// Pref : Disable Reader mode
|
||||
defaultPref("reader.parse-on-load.enabled", false);
|
||||
// defaultPref("reader.parse-on-load.enabled", false);
|
||||
// -------------------------------------
|
||||
// Pref : Disable dark theme on forms
|
||||
defaultPref("widget.content.gtk-theme-override", "Adwaita"); // [DESKTOP]
|
||||
|
@ -2389,7 +2422,7 @@ lockPref("browser.ctrlTab.recentlyUsedOrder", false); // [DESKTOP]
|
|||
// Pref : Display long lines in view-source page
|
||||
defaultPref("view_source.wrap_long_lines", true);
|
||||
// -------------------------------------
|
||||
// Pref : Enable dark mode in all "about:" pages
|
||||
// Pref : Enable dark mode in all about:* pages
|
||||
defaultPref("browser.in-content.dark-mode", true);
|
||||
//
|
||||
//
|
||||
|
|
Reference in New Issue