// /********************************************************************************** * mozilla.cfg | Firefox * * * * https://github.com/quindecim/mozilla.cfg * *********************************************************************************/ // // Author : quindecim : https://github.com/quindecim/ // // // Based on : gHacks : https://github.com/ghacksuserjs/ghacks-user.js // Librefox : https://github.com/intika/Librefox // pyllyukko : https://github.com/pyllyukko/user.js // OrangeManBad : https://git.nixnet.xyz/OrangeManBad/user.js // CHEF-KOCH : https://github.com/CHEF-KOCH/FFCK/tree/master/user.js // // License : https://github.com/quindecim/mozilla.cfg/blob/master/LICENSE.txt // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // PROTECTION // >>>>>>>>>>>>>>>>>>>>> // Pref : Locking mozilla.cfg itself lockPref("general.config.filename", "mozilla.cfg"); // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Startup // >>>>>>>>>>>>>>>>>>>>> // Pref : Disable default browser check lockPref("browser.shell.checkDefaultBrowser", false); // [DESKTOP] // ------------------------------------- // Pref : Set NEWTAB page // true=Activity Stream, false=blank page lockPref("browser.newtabpage.enabled", false); // [DESKTOP] lockPref("browser.newtab.url", "about:blank"); // [DESKTOP] // ------------------------------------- // Pref : Disable Extension Recommendations (CFR: "Contextual Feature Recommender" // https://support.mozilla.org/en-US/kb/extension-recommendations lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false); // [DESKTOP]) lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Activity Stream // https://wiki.mozilla.org/Firefox/Activity_Stream lockPref("browser.newtabpage.activity-stream.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Activity Stream Top Stories, Pocket-based and/or sponsored content lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.section.topstories.options", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.showSponsored", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); // [DESKTOP] // ------------------------------------- // Pref : Set HOME+NEWWINDOW page lockPref("browser.startup.homepage", "about:blank"); // [DESKTOP] // ------------------------------------- // Pref : Disable Activity Stream Snippets // Runs code received from a server (aka Remote Code Execution) and sends information back to a metrics server // https://abouthome-snippets-service.readthedocs.io/ lockPref("browser.aboutHomeSnippets.updateUrl", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.asrouter.providers.snippets", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.disableSnippets", true); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.snippets", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Activity Stream telemetry lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.telemetry", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.telemetry.ut.events", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.telemetry.structuredIngestion", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.telemetry.structuredIngestion.endpoint", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable Activity Stream feeds lockPref("browser.newtabpage.activity-stream.feeds.aboutpreferences", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.favicon", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.messagecenterfeed", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.migration", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.newtabinit", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.places", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.prefs", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.section.highlights", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.sections", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.systemtick", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.theme", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.feeds.topsites", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Activity Stream (others) lockPref("browser.newtabpage.activity-stream.messageCenterExperimentEnabled", false); lockPref("browser.newtabpage.activity-stream.prerender", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.showSearch", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.showTopSites", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.tippyTop.service.endpoint", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.discoverystream.config", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.discoverystream.endpoints", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.discoverystream.rec.impressions", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.discoverystream.spoc.impressions", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.section.highlights.includeBookmarks", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false); // [DESKTOP] // ------------------------------------- // Pref : Disable new tab tile ads & preload // http://www.thewindowsclub.com/disable-remove-ad-tiles-from-firefox // http://forums.mozillazine.org/viewtopic.php?p=13876331#p13876331 // https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping // https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-source // https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-ping lockPref("browser.newtabpage.enhanced", false); // [DESKTOP] lockPref("browser.newtab.preload", false); // [DESKTOP] lockPref("browser.newtabpage.directory.ping", ""); // [DESKTOP] lockPref("browser.newtabpage.directory.source", "data:text/plain,{}"); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.aboutHome.enabled", false); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.asrouter.messageProviders", ""); // [DESKTOP] // ------------------------------------- // Pref : Don't reveal build ID // Value taken from Tor Browser // https://bugzilla.mozilla.org/show_bug.cgi?id=583181 lockPref("browser.startup.homepage_override.mstone", "ignore"); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Quiet Fox // >>>>>>>>>>>>>>>>>>>>> // Pref : Disable app from auto-update // lockPref("app.update.enabled", false); // lockPref("app.update.auto", false); // [DESKTOP] // lockPref("app.update.autodownload", ""); // [TEST] // lockPref("app.update.channel", ""); // [TEST] // lockPref("app.update.url", ""); // [DESKTOP] // lockPref("app.update.url.details", ""); // [DESKTOP] // lockPref("app.update.url.manual", ""); // [DESKTOP] // lockPref("app.update.url.android", ""); // [FENNEC] // lockPref("app.update.timerFirstInterval", 0); // lockPref("app.update.timerMinimumDelay", 0); // lockPref("app.update.url.android", "https://aus5.mozilla.org/update/4/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%MOZ_VERSION%/update.xml"); // [TEST] // lockPref("app.update.service.enabled", false); // [DESKTOP] // lockPref("app.update.silent", false); // [DESKTOP] // lockPref("app.update.staging.enabled", false); // [DESKTOP] lockPref("app.update.log.file", false); // [DESKTOP] // ------------------------------------- // Pref : Disable sync lockPref("sync.enabled", false); // [DEPRECATED] // [DESKTOP] lockPref("services.sync.enabled", false); // ------------------------------------- // Pref : Disable other sync settings (by prevention) lockPref("services.sync.maxResyncs", 0); // [DESKTOP] lockPref("services.sync.telemetry.maxPayloadCount", 0); // [DESKTOP] lockPref("services.sync.addons.ignoreUserEnabledChanges", true); // [DESKTOP] lockPref("services.sync.engine.addons", false); // [DESKTOP] lockPref("services.sync.engine.addresses", false); // [DESKTOP] lockPref("services.sync.engine.bookmarks", false); // [DESKTOP] lockPref("services.sync.engine.bookmarks.buffer", false); // [DESKTOP] lockPref("services.sync.engine.creditcards", false); // [DESKTOP] lockPref("services.sync.engine.creditcards.available", false); // [DESKTOP] lockPref("services.sync.engine.history", false); // [DESKTOP] lockPref("services.sync.engine.passwords", false); // [DESKTOP] lockPref("services.sync.engine.prefs", false); // [DESKTOP] lockPref("services.sync.engine.tabs", false); // [DESKTOP] lockPref("services.sync.log.appender.file.logOnError", false); // [DESKTOP] lockPref("services.sync.log.appender.file.logOnSuccess", false); // [DESKTOP] lockPref("services.sync.log.cryptoDebug", false); // [DESKTOP] lockPref("services.sync.sendVersionInfo", false); // [DESKTOP] lockPref("services.sync.syncedTabs.showRemoteIcons", true); // [DESKTOP] lockPref("services.sync.prefs.sync.accessibility.blockautorefresh", false); // [DESKTOP] lockPref("services.sync.prefs.sync.accessibility.browsewithcaret", false); // [DESKTOP] lockPref("services.sync.prefs.sync.accessibility.typeaheadfind", false); // [DESKTOP] lockPref("services.sync.prefs.sync.accessibility.typeaheadfind.linksonly", false); // [DESKTOP] lockPref("services.sync.prefs.sync.addons.ignoreUserEnabledChanges", true); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.contentblocking.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.ctrlTab.recentlyUsedOrder", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.download.useDownloadDir", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.formfill.enable", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.link.open_newwindow", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.pinned", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.offline-apps.notify", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.search.update", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.sessionstore.restore_on_demand", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.startup.homepage", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.startup.page", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.tabs.loadInBackground", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.tabs.warnOnClose", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.tabs.warnOnOpen", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.urlbar.autocomplete.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.urlbar.matchBuckets", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.urlbar.maxRichResults", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.urlbar.suggest.bookmark", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.urlbar.suggest.history", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.urlbar.suggest.history.onlyTyped", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.urlbar.suggest.openpage", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.urlbar.suggest.searches", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.contentblocking.category", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.contentblocking.introCount", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.feeds.section.highlights", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.feeds.section.topstories", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.feeds.snippets", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.feeds.topsites", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.section.highlights.includeBookmarks", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.section.highlights.includeDownloads", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.section.highlights.includePocket", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.section.highlights.includeVisited", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.section.highlights.rows", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.section.topstories.rows", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.showSearch", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.topSitesRows", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.taskbar.previews.enable", false); // [DESKTOP] lockPref("services.sync.prefs.sync.dom.disable_open_during_load", false); // [DESKTOP] lockPref("services.sync.prefs.sync.dom.disable_window_flip", false); // [DESKTOP] lockPref("services.sync.prefs.sync.dom.disable_window_move_resize", false); // [DESKTOP] lockPref("services.sync.prefs.sync.dom.event.contextmenu.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.extensions.personas.current", false); // [DESKTOP] lockPref("services.sync.prefs.sync.extensions.update.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.intl.accept_languages", false); // [DESKTOP] lockPref("services.sync.prefs.sync.layout.spellcheckDefault", false); // [DESKTOP] lockPref("services.sync.prefs.sync.lightweightThemes.selectedThemeID", false); // [DESKTOP] lockPref("services.sync.prefs.sync.lightweightThemes.usedThemes", false); // [DESKTOP] lockPref("services.sync.prefs.sync.network.cookie.cookieBehavior", false); // [DESKTOP] lockPref("services.sync.prefs.sync.network.cookie.lifetimePolicy", false); // [DESKTOP] lockPref("services.sync.prefs.sync.network.cookie.thirdparty.sessionOnly", false); // [DESKTOP] lockPref("services.sync.prefs.sync.permissions.default.image", false); // [DESKTOP] lockPref("services.sync.prefs.sync.pref.advanced.images.disable_button.view_image", false); // [DESKTOP] lockPref("services.sync.prefs.sync.pref.advanced.javascript.disable_button.advanced", false); // [DESKTOP] lockPref("services.sync.prefs.sync.pref.downloads.disable_button.edit_actions", false); // [DESKTOP] lockPref("services.sync.prefs.sync.pref.privacy.disable_button.cookie_exceptions", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.clearOnShutdown.cache", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.clearOnShutdown.cookies", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.clearOnShutdown.downloads", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.clearOnShutdown.formdata", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.clearOnShutdown.history", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.clearOnShutdown.offlineApps", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.clearOnShutdown.sessions", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.clearOnShutdown.siteSettings", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.donottrackheader.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.reduceTimerPrecision", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.resistFingerprinting", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.jitter", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.microseconds", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.sanitize.sanitizeOnShutdown", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.trackingprotection.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.trackingprotection.pbmode.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.trackingprotection.cryptomining.annotate.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.trackingprotection.cryptomining.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.trackingprotection.fingerprinting.annotate.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.privacy.trackingprotection.fingerprinting.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.media.autoplay.default", false); // [DESKTOP] lockPref("services.sync.prefs.sync.security.OCSP.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.security.OCSP.require", false); // [DESKTOP] lockPref("services.sync.prefs.sync.security.default_personal_cert", false); // [DESKTOP] lockPref("services.sync.prefs.sync.security.tls.version.max", false); // [DESKTOP] lockPref("services.sync.prefs.sync.security.tls.version.min", false); // [DESKTOP] lockPref("services.sync.prefs.sync.services.sync.syncedTabs.showRemoteIcons", false); // [DESKTOP] lockPref("services.sync.prefs.sync.spellchecker.dictionary", false); // [DESKTOP] lockPref("services.sync.prefs.sync.xpinstall.whitelist.required", false); // [DESKTOP] lockPref("services.sync.declinedEngines", ""); // [DESKTOP] lockPref("services.sync.jpake.serverURL", ""); // [DEPRECATED] // [DESKTOP] lockPref("services.sync.migrated", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.safebrowsing.downloads.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.safebrowsing.malware.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.safebrowsing.passwords.enabled", false); // [DESKTOP] lockPref("services.sync.prefs.sync.browser.safebrowsing.phishing.enabled", false); // [DESKTOP] lockPref("services.sync.serverURL", ""); // [DESKTOP] lockPref("services.sync.fxa.privacyURL", ""); // [DESKTOP] lockPref("services.sync.fxa.termsURL", ""); // [DESKTOP] lockPref("services.sync.lastversion", ""); // [DESKTOP] lockPref("sync.serverURL", ""); // [DEPRECATED] // [DESKTOP] lockPref("sync.jpake.serverURL", ""); // [DEPRECATED] // [DESKTOP] // ------------------------------------- // Pref : Never check updates for search engines // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking lockPref("browser.search.update", false); lockPref("browser.search.update.log", false); // lockPref("browser.search.update.interval", 0); // ------------------------------------- // Pref : Tell the search service that we don't really expose the "current engine" lockPref("browser.search.noCurrentEngine", true); // [DEFAULT: true] // [FENNEC] // ------------------------------------- // Pref : Disable sending Flash Player crash reports lockPref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); // ------------------------------------- // Pref : Disable sending the URL of the website where a plugin crashed lockPref("dom.ipc.plugins.reportCrashURL", false); // ------------------------------------- // Pref : Disable SSDP (Simple Service Discovery Protocol) // https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol // https://bugzilla.mozilla.org/show_bug.cgi?id=1111967 lockPref("browser.casting.enabled", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable Telemetry // https://wiki.mozilla.org/Platform/Features/Telemetry // https://wiki.mozilla.org/Privacy/Reviews/Telemetry // https://wiki.mozilla.org/Telemetry // https://www.mozilla.org/en-US/legal/privacy/firefox.html#telemetry // https://support.mozilla.org/t5/Firefox-crashes/Mozilla-Crash-Reporter/ta-p/1715 // https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/telemetry // https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html#id1 lockPref("toolkit.telemetry.enabled", false); lockPref("toolkit.telemetry.debugSlowSql", false); lockPref("toolkit.telemetry.reportingpolicy.firstRun", false); lockPref("toolkit.telemetry.server", "data:,"); lockPref("toolkit.telemetry.server_owner", ""); lockPref("toolkit.telemetry.unified", false); lockPref("toolkit.telemetry.archive.enabled", false); // [DESKTOP] lockPref("toolkit.telemetry.cachedClientID", ""); // [DESKTOP] lockPref("toolkit.telemetry.newProfilePing.enabled", false); // [DESKTOP] lockPref("toolkit.telemetry.shutdownPingSender.enabled", false); // [DESKTOP] lockPref("toolkit.telemetry.updatePing.enabled", false); // [DESKTOP] lockPref("toolkit.telemetry.bhrPing.enabled", false); // [DESKTOP] lockPref("toolkit.telemetry.firstShutdownPing.enabled", false); // [DESKTOP] lockPref("toolkit.telemetry.hybridContent.enabled", false); // [DESKTOP] lockPref("toolkit.telemetry.previousBuildID", ""); // [DESKTOP] lockPref("toolkit.telemetry.prompted", 2); // [DESKTOP] lockPref("toolkit.telemetry.rejected", true); // [DESKTOP] // ------------------------------------- // Pref : Disable Telemetry Coverage // https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ lockPref("toolkit.coverage.enabled", false); // [DESKTOP] lockPref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF] // [DESKTOP] lockPref("toolkit.coverage.opt-out", true); // [HIDDEN PREF] // [DESKTOP] lockPref("toolkit.coverage.endpoint.base", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable collection/sending of the health report (healthreport.sqlite*) lockPref("datareporting.healthreport.uploadEnabled", false); // [DESKTOP] lockPref("datareporting.healthreport.service.enabled", false); // [DESKTOP] lockPref("datareporting.healthreport.infoURL", ""); // [DESKTOP] lockPref("datareporting.policy.dataSubmissionEnabled", false); lockPref("datareporting.policy.currentPolicyVersion", 0); lockPref("datareporting.policy.currentPolicyAcceptedVersion", 0); lockPref("datareporting.policy.dataSubmissionPolicyAcceptedVersion", 0); lockPref("datareporting.policy.dataSubmissionPolicyBypassNotification", false); lockPref("datareporting.policy.dataSubmissionPolicyNotifiedTime", ""); lockPref("datareporting.policy.firstRunURL", ""); lockPref("datareporting.policy.minimumPolicyVersion", 0); lockPref("datareporting.policy.minimumPolicyVersion.channel-beta", 0); // ------------------------------------- // Pref : Disable In-Browser Feed Handling // https://wiki.mozilla.org/Feed_Handling // http://kb.mozillazine.org/Browser.contentHandlers.types.%2A.uri lockPref("browser.contentHandlers.types.0.title", ""); // [FENNEC] lockPref("browser.contentHandlers.types.0.type", ""); // [FENNEC] lockPref("browser.contentHandlers.types.0.uri", ""); // [FENNEC] lockPref("browser.contentHandlers.types.1.title", ""); // [FENNEC] lockPref("browser.contentHandlers.types.1.type", ""); // [FENNEC] lockPref("browser.contentHandlers.types.1.uri", ""); // [FENNEC] lockPref("browser.contentHandlers.types.2.title", ""); // [FENNEC] lockPref("browser.contentHandlers.types.2.type", ""); // [FENNEC] lockPref("browser.contentHandlers.types.2.uri", ""); // [FENNEC] lockPref("browser.contentHandlers.types.3.title", ""); // [FENNEC] lockPref("browser.contentHandlers.types.3.type", ""); // [FENNEC] lockPref("browser.contentHandlers.types.3.uri", ""); // [FENNEC] // ------------------------------------- // Pref : Disable personalized Extension Recommendations in about:addons and AMO // [NOTE] This pref has no effect when Health Reports are disabled // https://support.mozilla.org/kb/personalized-extension-recommendations lockPref("browser.discovery.enabled", false); // [DEFAULT: false] // ------------------------------------- // Pref : Disable Crash Reports lockPref("breakpad.reportURL", ""); lockPref("browser.tabs.crashReporting.sendReport", false); // [DESKTOP] lockPref("browser.crashReports.unsubmittedCheck.enabled", false); // [DESKTOP] lockPref("toolkit.crashreporter.infoURL", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable automatic captive portal detection // https://en.wikipedia.org/wiki/Captive_portal // https://wiki.mozilla.org/Necko/CaptivePortal // https://trac.torproject.org/projects/tor/ticket/21790 lockPref("captivedetect.canonicalURL", ""); lockPref("network.captive-portal-service.enabled", false); lockPref("network.captive-portal-service.backoffFactor", ""); // lockPref("network.captive-portal-service.maxInterval", 0); // lockPref("network.captive-portal-service.minInterval", 0); // ------------------------------------- // Pref : Disable Network Connectivity checks // https://bugzilla.mozilla.org/1460537 lockPref("network.connectivity-service.enabled", false); // [DEFAULT: true] lockPref("network.connectivity-service.IPv4.url", ""); lockPref("network.connectivity-service.IPv6.url", ""); lockPref("network.connectivity-service.DNSv4.domain", ""); lockPref("network.connectivity-service.DNSv6.domain", ""); // ------------------------------------- // Pref : Opt-out of themes (Persona) updates // https://support.mozilla.org/t5/Firefox/how-do-I-prevent-autoamtic-updates-in-a-50-user-environment/td-p/144287 lockPref("lightweightThemes.update.enabled",false); // [DESKTOP] // ------------------------------------- // Pref : Disable auto updating of lightweight themes (LWT) // Not to be confused with themes, which use the Theme API // Mozilla plan to convert existing LWTs and remove LWT support in the future // https://blog.mozilla.org/addons/2018/09/20/future-themes-here/ lockPref("lightweightThemes.persisted.headerURL", false); lockPref("lightweightThemes.persistedThemeID", ""); // [FENNEC] lockPref("lightweightThemes.selectedThemeID", ""); // [FENNEC] lockPref("lightweightThemes.getMoreURL", ""); // [DESKTOP] lockPref("lightweightThemes.persisted.footerURL", false); // [DESKTOP] lockPref("lightweightThemes.recommendedThemes", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable Studies and SHIELD // [NOTE] This pref has no effect when Health Reports are disabled lockPref("app.shield.optoutstudies.enabled", false); // [DESKTOP] lockPref("extensions.shield-recipe-client.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable backlogged Crash Reports lockPref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Heartbeat (Mozilla user rating telemetry) // https://wiki.mozilla.org/Advocacy/heartbeat // https://trac.torproject.org/projects/tor/ticket/19047 lockPref("browser.selfsupport.url", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable about:addons Get Add-ons panel (uses Google Analytics) lockPref("extensions.getAddons.showPane", false); // [HIDDEN PREF] // [DESKTOP] lockPref("extensions.webservice.discoverURL", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable Firefox Hello metrics collection // https://groups.google.com/d/topic/mozilla.dev.platform/nyVkCx-_sFw/discussion lockPref("loop.logDomains",false); // [DESKTOP] // ------------------------------------- // Pref : Disable Browser Error Reporter // https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection // https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html lockPref("browser.chrome.errorReporter.enabled", false); // [DESKTOP] lockPref("browser.chrome.errorReporter.submitUrl", ""); // [DESKTOP] lockPref("browser.chrome.errorReporter.infoURL", ""); // [DESKTOP] lockPref("browser.chrome.errorReporter.submitUrl", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable contentblocking reportBreakage lockPref("browser.contentblocking.reportBreakage.enabled", false); // [DESKTOP] lockPref("browser.contentblocking.reportBreakage.url", ""); // [DESKTOP] lockPref("browser.contentblocking.rejecttrackers.reportBreakage.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Onboarding // [NOTE] This setting is just in case it comeback // Onboarding is an interactive tour/setup for new installs/profiles and features. Every time // about:home or about:newtab is opened, the onboarding overlay is injected into that page // [NOTE] Onboarding uses Google Analytics, and leaks resource://URIs // https://wiki.mozilla.org/Firefox/Onboarding // https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf // https://bugzilla.mozilla.org/863246#c154 lockPref("browser.onboarding.enabled", false); // [DESKTOP] // [DEPRECATED] lockPref("browser.onboarding.notification.tour-ids-queue", ""); // [DESKTOP] // [DEPRECATED] // ------------------------------------- // Pref : Onboarding tour disable because of included telemetry // [NOTE] This setting is just in case it comeback lockPref("browser.onboarding.notification.finished", true); // [DESKTOP] // [DEPRECATED] lockPref("browser.onboarding.tour.onboarding-tour-customize.completed", true); // [DESKTOP] // [DEPRECATED] lockPref("browser.onboarding.tour.onboarding-tour-performance.completed", true); // [DESKTOP] // [DEPRECATED] lockPref("devtools.onboarding.telemetry.logged", false); // [DESKTOP] // ------------------------------------- // Pref : Disable check default browser on first run lockPref("browser.shell.didSkipDefaultBrowserCheckOnFirstRun", true); // [DESKTOP] // ------------------------------------- // Pref : Disable GCLI (Graphical Command Line Interface) // https://wiki.mozilla.org/DevTools/Features/GCLI lockPref("devtools.gcli.imgurUploadURL", ""); // [DESKTOP] lockPref("devtools.gcli.jquerySrc", ""); // [DESKTOP] lockPref("devtools.gcli.underscoreSrc", ""); // [DESKTOP] lockPref("devtools.gcli.lodashSrc", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable Firefox screenshot extension // https://support.mozilla.org/en-US/kb/firefox-screenshots lockPref("extensions.screenshots.disabled", true); // [DESKTOP] lockPref("extensions.screenshots.upload-disabled", true); // [DESKTOP] // ------------------------------------- // Pref : Disable spellchecker functionality by default // 0=none, 1-multi-line, 2=multi-line & single-line // http://kb.mozillazine.org/Layout.spellcheckDefault // https://support.mozilla.org/en-US/kb/how-do-i-use-firefox-spell-checker defaultPref("layout.spellcheckDefault", 0); // [DESKTOP] // ------------------------------------- // Pref : Disable "Savant" Shield study // https://bugzilla.mozilla.org/1457226 lockPref("shield.savant.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable social integration with FF lockPref("social.directories", ""); // [DEPRECATED] // [DESKTOP] lockPref("social.remote-install.enabled", false); // [DEPRECATED] // [DESKTOP] lockPref("social.whitelist", ""); // [DEPRECATED] // [DESKTOP] // ------------------------------------- // Pref : Disable Firefox warnings lockPref("network.warnOnAboutNetworking", false); lockPref("general.warnOnAboutConfig", false); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : IJWY To Shut Up // I Just Want You To Shut Up : Closing all non necessary communication to mozilla.org etc. // >>>>>>>>>>>>>>>>>>>>> // Pref : Block unwanted connections lockPref("app.feedback.baseURL", ""); lockPref("app.feedbackURL", ""); // [FENNEC] lockPref("app.channelURL", ""); // [FENNEC] lockPref("app.creditsURL", ""); // [FENNEC] lockPref("app.faqURL", ""); // [FENNEC] lockPref("app.privacyURL", ""); // [FENNEC] lockPref("app.releaseNotesURL", ""); lockPref("app.support.baseURL", ""); lockPref("app.supportURL", ""); // [FENNEC] lockPref("app.vendorURL", ""); // [DESKTOP] lockPref("media.decoder-doctor.new-issue-endpoint", ""); lockPref("network.trr.confirmationNS", ""); lockPref("services.settings.default_signer", ""); // [DESKTOP] lockPref("services.settings.server", ""); // [DESKTOP] lockPref("accessibility.support.url", ""); // [DESKTOP] lockPref("browser.dictionaries.download.url", ""); // [DESKTOP] lockPref("browser.geolocation.warning.infoURL", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.asrouter.providers.cfr", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.asrouter.providers.onboarding", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.fxaccounts.endpoint", ""); // [DESKTOP] lockPref("browser.search.searchEnginesURL", ""); // [DESKTOP] lockPref("extensions.getAddons.themes.browseURL", ""); // [DESKTOP] lockPref("security.content.signature.root_hash", ""); lockPref("urlclassifier.phishTable", ""); lockPref("urlclassifier.passwordAllowTable", ""); lockPref("identity.mobilepromo.android", ""); // [DESKTOP] lockPref("identity.mobilepromo.ios", ""); // [DESKTOP] lockPref("prio.publicKeyA", ""); // [DESKTOP] lockPref("prio.publicKeyB", ""); // [DESKTOP] lockPref("toolkit.datacollection.infoURL", ""); // [DESKTOP] lockPref("toolkit.telemetry.infoURL", ""); // [DESKTOP] lockPref("dom.keyboardevent.keypress.hack.dispatch_non_printable_keys", ""); lockPref("dom.keyboardevent.keypress.hack.use_legacy_keycode_and_charcode", ""); // ------------------------------------- // Pref : Devtools cleanup lockPref("devtools.devices.url", ""); lockPref("devtools.devedition.promo.url", ""); // [DESKTOP] lockPref("devtools.telemetry.supported_performance_marks", ""); // [DESKTOP] lockPref("devtools.performance.recording.ui-base-url", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable website protocol handlers lockPref("gecko.handlerService.schemes.irc.0.name", ""); // [DESKTOP] lockPref("gecko.handlerService.schemes.irc.0.uriTemplate", ""); // [DESKTOP] lockPref("gecko.handlerService.schemes.ircs.0.name", ""); // [DESKTOP] lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", ""); // [DESKTOP] lockPref("gecko.handlerService.schemes.mailto.0.name", ""); // [DESKTOP] lockPref("gecko.handlerService.schemes.mailto.0.uriTemplate", ""); // [DESKTOP] lockPref("gecko.handlerService.schemes.mailto.1.name", ""); // [DESKTOP] lockPref("gecko.handlerService.schemes.mailto.1.uriTemplate", ""); // [DESKTOP] lockPref("gecko.handlerService.schemes.webcal.0.uriTemplate", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable FlyWeb (discovery of LAN/proximity IoT devices that expose a Web interface) // https://wiki.mozilla.org/FlyWeb // https://wiki.mozilla.org/FlyWeb/Security_scenarios // https://docs.google.com/document/d/1eqLb6cGjDL9XooSYEEo7mE-zKQ-o-AuDTcEyNhfBMBM/edit // http://www.ghacks.net/2016/07/26/firefox-flyweb lockPref("dom.flyweb.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable browser translate integration // https://www.ghacks.net/2018/09/09/mozilla-working-on-google-translate-integration-in-firefox/ lockPref("browser.translation.engine", ""); // [DESKTOP] lockPref("browser.translation.detectLanguage", false); // [DESKTOP] lockPref("browser.translation.neverForLanguages", ""); // [DESKTOP] lockPref("browser.translation.ui.show", false); // [DESKTOP] // ------------------------------------- // Pref : Disable useragent updates and site specific overrides lockPref("general.useragent.updates.enabled", false); // [FENNEC] lockPref("general.useragent.site_specific_overrides", false); // [DESKTOP] lockPref("general.useragent.updates.url", ""); // [FENNEC] // ------------------------------------- // Pref : Disable mailnews lockPref("mailnews.messageid_browser.url", ""); // [DESKTOP] lockPref("mailnews.mx_service_url", ""); // [DESKTOP] // ------------------------------------- // Pref : Remove pinned sites from searchbar lockPref("browser.newtabpage.activity-stream.default.sites", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned", ""); // [DESKTOP] lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines", ""); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Miscellaneous // >>>>>>>>>>>>>>>>>>>>>> // Pref : Test mozilla.cfg in about:config lockPref("_config.applied", true); // [FENNEC] // ------------------------------------- // Pref : Updates addons automatically // https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/ lockPref("extensions.update.enabled", true); lockPref("extensions.autoupdate.enabled", true); // ------------------------------------- // Pref : Decrease system information leakage to Mozilla addons update servers lockPref("extensions.getAddons.search.browseURL", "https://addons.mozilla.org/%LOCALE%/android/search?q=%TERMS%"); // [URL SANITIZED] // ------------------------------------- // Pref : Disable Web Compatibility Reporter // Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla lockPref("extensions.webcompat-reporter.enabled", false); lockPref("extensions.webcompat-reporter.newIssueEndpoint", ""); // ------------------------------------- // Pref : Don't let XPIProvider install distribution add-ons lockPref("extensions.installDistroAddons", false); // [DEFAULT: false] // [FENNEC] // ------------------------------------- // Pref : Disable legacy extensions lockPref("extensions.legacy.enabled", false); // ------------------------------------- // Pref : Provide haptic feedback on longPress selection events lockPref("layout.accessiblecaret.hapticfeedback", false); // [DEFAULT: true] // ------------------------------------- // Pref : lockPref("dom.registerProtocolHandler.insecure.enabled", false); // ------------------------------------- // Pref : Disable Firefox Accounts and Sync lockPref("identity.fxaccounts.auth.uri", ""); lockPref("identity.fxaccounts.remote.oauth.uri", ""); lockPref("identity.fxaccounts.remote.profile.uri", ""); lockPref("identity.sync.tokenserver.uri", ""); lockPref("identity.fxaccounts.remote.webchannel.uri", ""); lockPref("identity.fxaccounts.remote.root", ""); // [DESKTOP] lockPref("identity.fxaccounts.pairing.enabled", false); // [DESKTOP] lockPref("identity.fxaccounts.remote.pairing.uri", ""); // [DESKTOP] lockPref("identity.fxaccounts.toolbar.accessed", false); // [DESKTOP] lockPref("identity.fxaccounts.toolbar.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable snippets lockPref("browser.snippets.enabled", false); // [FENNEC] lockPref("browser.snippets.firstrunHomepage.enabled", false); // [FENNEC] lockPref("browser.snippets.statsUrl", ""); // [FENNEC] lockPref("browser.snippets.updateUrl", ""); // [FENNEC] lockPref("browser.snippets.syncPromo.enabled", false); // [FENNEC] // lockPref("browser.snippets.updateInterval", 0); // [FENNEC] // ------------------------------------- // Pref : Disable Webextensions sync lockPref("webextensions.storage.sync.enabled", false); // [DESKTOP] lockPref("webextensions.storage.sync.serverURL", ""); // [DESKTOP] // ------------------------------------- // Pref : Force Punycode for Internationalized Domain Names // http://kb.mozillazine.org/Network.IDN_show_punycode // https://www.xudongz.com/blog/2017/idn-phishing/ // https://wiki.mozilla.org/IDN_Display_Algorithm // https://en.wikipedia.org/wiki/IDN_homograph_attack // https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/ lockPref("network.IDN_show_punycode", true); // ------------------------------------- // Pref : Disable page thumbnail collection // Look in profile/thumbnails directory, you may want to clean that out lockPref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF] // ------------------------------------- // Pref : Do not automatically send selection to clipboard on Linux and some UNIX-like platforms // http://kb.mozillazine.org/Clipboard.autocopy defaultPref("clipboard.autocopy", false); // ------------------------------------- // Pref : Disable "beacon" asynchronous HTTP transfers (used for analytics) // https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon lockPref("beacon.enabled", false); // ------------------------------------- // Pref : Disable speech recognition // https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html // https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition // https://wiki.mozilla.org/HTML5_Speech_API lockPref("media.webspeech.recognition.enable", false); // [DEFAULT: true] lockPref("media.webspeech.recognition.force_enable", false); // [DEFAULT: false] lockPref("media.webspeech.test.enable", false); // [DEFAULT: false] lockPref("media.webspeech.test.fake_fsm_events", false); // [DEFAULT: false] lockPref("media.webspeech.test.fake_recognition_service", false); // [DEFAULT: false] // ------------------------------------- // Pref : Don't use Mozilla-provided location-specific search engines lockPref("browser.search.geoSpecificDefaults", false); // ------------------------------------- // Pref : Don't monitor OS online/offline connection state // https://trac.torproject.org/projects/tor/ticket/18945 lockPref("network.manage-offline-status", false); // [DEFAULT: true] // ------------------------------------- // Pref : Set File URI Origin Policy // http://kb.mozillazine.org/Security.fileuri.strict_origin_policy lockPref("security.fileuri.strict_origin_policy", true); // ------------------------------------- // Pref : Disable SVG in OpenType fonts // https://wiki.mozilla.org/SVGOpenTypeFonts // https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle lockPref("gfx.font_rendering.opentype_svg.enabled", false); // ------------------------------------- // Pref : Ensure you have a security delay when installing add-ons (milliseconds) // http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox // http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ lockPref("security.dialog_enable_delay", 700); // ------------------------------------- // Pref : Disable WebIDE to prevent remote debugging and ADB extension download // https://developer.mozilla.org/docs/Tools/WebIDE // https://trac.torproject.org/projects/tor/ticket/16222 defaultPref("devtools.debugger.remote-enabled", false); lockPref("devtools.webide.enabled", false); // [DESKTOP] lockPref("devtools.webide.autoinstallADBExtension", false); // [DESKTOP] lockPref("devtools.webide.autoinstallADBHelper", false); // [DESKTOP] lockPref("devtools.webide.autoinstallFxdtAdapters", false); // [DESKTOP] lockPref("devtools.remote.adb.extensionURL", ""); // [DESKTOP] lockPref("devtools.remote.adb.extensionID", ""); // [DESKTOP] lockPref("devtools.webide.adaptersAddonURL", ""); // [DESKTOP] // [DEPRECATED] lockPref("devtools.webide.adbAddonURL", ""); // [DESKTOP] // [DEPRECATED] lockPref("devtools.webide.templatesURL", ""); // [DESKTOP] // ------------------------------------- // Pref : Force local debugging // https://developer.mozilla.org/en-US/docs/Tools/Remote_Debugging/Debugging_Firefox_Desktop // https://developer.mozilla.org/en-US/docs/Tools/Tools_Toolbox#Advanced_settings lockPref("devtools.debugger.force-local", true); // ------------------------------------- // Pref : Prevent accessibility services from accessing your browser // https://support.mozilla.org/kb/accessibility-services lockPref("accessibility.force_disabled", 1); // ------------------------------------- // Pref : Remove temp files opened with an external application // https://bugzilla.mozilla.org/302433 lockPref("browser.helperApps.deleteTempFileOnExit", true); // ------------------------------------- // Pref : Disable various developer tools in browser context // https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 defaultPref("devtools.chrome.enabled", false); // ------------------------------------- // Pref : Disable MathML (Mathematical Markup Language) // [TEST] http://browserspy.dk/mathml.php // https://bugzilla.mozilla.org/1173199 lockPref("mathml.disabled", true); // ------------------------------------- // Pref : Disable in-content SVG (Scalable Vector Graphics) // [SETUP-WEB] Expect breakage incl. youtube player controls. Best left for a "hardened" profile. // https://bugzilla.mozilla.org/1216893 // lockPref("svg.disabled", true); // ------------------------------------- // Pref : Disable middle mouse click paste // This preference determines how to handle middle clicks in text fields. // Useless on Android lockPref("middlemouse.paste", false); // ------------------------------------- // Pref : Disable middle mouse click opening links from clipboard // https://trac.torproject.org/projects/tor/ticket/10089 // http://kb.mozillazine.org/Middlemouse.contentLoadURL lockPref("middlemouse.contentLoadURL", false); // ------------------------------------- // Pref : Limit HTTP redirects (this does not control redirects with HTML meta tags or JS) // [NOTE] A low setting of 5 or under will probably break some sites (e.g. gmail logins). To control HTML Meta tag and JS redirects, use an extension. lockPref("network.http.redirection-limit", 15); // [DEFAULT: 20] // ------------------------------------- // Pref : Remove webchannel whitelist lockPref("webchannel.allowObject.urlWhitelist", ""); // ------------------------------------- // Pref : Disable exposure of system colors to CSS or canvas // [NOTE] May cause black on black for elements with undefined colors // https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876 // lockPref("ui.use_native_colors", true); // Pref : Discourage downloading to desktop (0=desktop 1=downloads 2=last used) lockPref("browser.download.folderList", 2); // ------------------------------------- // Pref : Enforce user interaction for security by always asking the user where to download // [FENNEC] Fix for images not downloading defaultPref("browser.download.useDownloadDir", true); // ------------------------------------- // Pref : Disable adding downloads to the system's "recent documents" list lockPref("browser.download.manager.addToRecentDocs", false); // ------------------------------------- // Pref : Disable "open with" in download dialog // This is very useful to enable when the browser is sandboxed (e.g. via AppArmor) in such a way that it is forbidden to run external applications. // [NOTE] This may interfere with some users' workflow or methods // https://bugzilla.mozilla.org/1281959 lockPref("browser.download.forbid_open_with", true); // ------------------------------------- // Pref : Lock down allowed extension directories // This will break extensions, language packs, themes and any other XPI files which are installed outside of profile directories // https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/ // archived: https://archive.is/DYjAM lockPref("extensions.enabledScopes", 5); // [DEFAULT: 1] // [HIDDEN PREF] lockPref("extensions.autoDisableScopes", 15); // [DEFAULT: 15] // ------------------------------------- // Pref : Enable warning when websites try to install add-ons lockPref("xpinstall.whitelist.required", true); // [DEFAULT: true] // ------------------------------------- // Pref : Enable CSP (Content Security Policy) // https://developer.mozilla.org/docs/Web/HTTP/CSP defaultPref("security.csp.enable", true); // [DEFAULT: true] // ------------------------------------- // Pref : Block top level window data: URIs // https://bugzilla.mozilla.org/1331351 // https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/ // https://www.fxsitecompat.com/en-CA/docs/2017/data-url-navigations-on-top-level-window-will-be-blocked/ lockPref("security.data_uri.block_toplevel_data_uri_navigations", true); // [DEFAULT: true] // ------------------------------------- // Pref : Enable only whitelisted URL protocol handlers // http://kb.mozillazine.org/Network.protocol-handler.external-default // http://kb.mozillazine.org/Network.protocol-handler.warn-external-default // http://kb.mozillazine.org/Network.protocol-handler.expose.%28protocol%29 // https://news.ycombinator.com/item?id=13047883 // https://bugzilla.mozilla.org/show_bug.cgi?id=167475 // https://github.com/pyllyukko/user.js/pull/285#issuecomment-298124005 // [NOTE] Disabling nonessential protocols breaks all interaction with custom protocols such as mailto:, irc:, magnet: ... and breaks opening third-party mail/messaging/torrent/... clients when clicking on links with these protocols // If you want to enable a protocol, set network.protocol-handler.expose.(protocol) to true and network.protocol-handler.external.(protocol) to: // * true, if the protocol should be handled by an external application // * false, if the protocol should be handled internally by Firefox lockPref("network.protocol-handler.warn-external-default", true); lockPref("network.protocol-handler.external.javascript", false); lockPref("network.protocol-handler.external.data", false); lockPref("network.protocol-handler.external.about", false); // [DESKTOP] lockPref("network.protocol-handler.external.blob", false); // [DESKTOP] lockPref("network.protocol-handler.external.chrome", false); // [DESKTOP] lockPref("network.protocol-handler.external.file", false); // [DESKTOP] lockPref("network.protocol-handler.external.ftp", false); // [DESKTOP] lockPref("network.protocol-handler.external.http", false); // [DESKTOP] lockPref("network.protocol-handler.external.https", false); // [DESKTOP] lockPref("network.protocol-handler.external.moz-extension", false); // [DESKTOP] lockPref("network.protocol-handler.external.ms-windows-store", false); // [DESKTOP] lockPref("network.protocol-handler.expose-all", false); lockPref("network.protocol-handler.expose.http", true); lockPref("network.protocol-handler.expose.https", true); lockPref("network.protocol-handler.expose.javascript", true); lockPref("network.protocol-handler.expose.moz-extension", true); lockPref("network.protocol-handler.expose.ftp", true); lockPref("network.protocol-handler.expose.file", true); lockPref("network.protocol-handler.expose.about", true); lockPref("network.protocol-handler.expose.chrome", true); lockPref("network.protocol-handler.expose.blob", true); lockPref("network.protocol-handler.expose.data", true); // ------------------------------------- // Pref : Don't allow meta-refresh when backgrounded lockPref("browser.meta_refresh_when_inactive.disabled", true); // ------------------------------------- // Pref : Optimize images memory usage lockPref("image.downscale-during-decode.enabled", true); // ------------------------------------- // Pref : Disable firstrun showup lockPref("browser.firstrun.show.uidiscovery", false); // [DEFAULT: true] lockPref("browser.firstrun.show.localepicker", false); // [DEFAULT: false] // ------------------------------------- // Pref : Disable sending console to logcat on release builds. lockPref("consoleservice.logcat", false); // [FENNEC] // ------------------------------------- // Pref : Disable Pocket // https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox // https://github.com/pyllyukko/user.js/issues/143 lockPref("browser.pocket.enabled", false); // [DESKTOP] lockPref("extensions.pocket.enabled", false); // [DESKTOP] lockPref("extensions.pocket.api", ""); // [DESKTOP] lockPref("extensions.pocket.oAuthConsumerKey", ""); // [DESKTOP] lockPref("extensions.pocket.site", ""); // [DESKTOP] // ------------------------------------- // Pref : Lock web content in file processes // https://bugzilla.mozilla.org/1343184 lockPref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Displaying Javascript in History URLs // http://kb.mozillazine.org/Browser.urlbar.filter.javascript lockPref("browser.urlbar.filter.javascript", true); // [DESKTOP] // ------------------------------------- // Pref : Disable JAR from opening Unsafe File Types // https://bugzilla.mozilla.org/1427726 lockPref("network.jar.open-unsafe-types", false); // [DESKTOP] // ------------------------------------- // Pref : Disable remote JAR files being opened, regardless of content type // https://bugzilla.mozilla.org/1173171 // https://www.fxsitecompat.com/en-CA/docs/2015/jar-protocol-support-has-been-disabled-by-default/ // https://bugzilla.mozilla.org/1427726 lockPref("network.jar.block-remote-files", true); // [DEPRECATED] // [DESKTOP] // ------------------------------------- // Pref : Disable Firefox's built-in PDF reader // This setting controls if the option "Display in Firefox" is available in the setting below and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With") // PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most) // Exploits are rare (1 serious case in 4 yrs), treated seriously and patched quickly. // It doesn't break "state separation" of browser content (by not sharing with OS, independent apps). // It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk. // CONS: You may prefer a different pdf reader for security reasons // CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare) defaultPref("pdfjs.disabled", true); // [DEFAULT: false] // [DESKTOP] lockPref("pdfjs.enabledCache.state", false); // [DESKTOP] lockPref("pdfjs.previousHandler.alwaysAskBeforeHandling", true); // [DESKTOP] // ------------------------------------- // Pref : Disable Scripting of Plugins by JavaScript // http://forums.mozillazine.org/viewtopic.php?f=7&t=153889 lockPref("security.xpconnect.plugin.unrestricted", false); // [DESKTOP] // ------------------------------------- // Pref : Disable exposure of system colors to CSS or canvas // [NOTE] See second listed bug: may cause black on black for elements with undefined colors // https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876 lockPref("ui.use_standins_for_native_colors", true); // [DESKTOP] // ------------------------------------- // Pref : Close tab with double click action lockPref("browser.tabs.closeTabByDblclick", true); // [DESKTOP] // ------------------------------------- // Pref : Remove special permissions for certain mozilla domains // resource://app/defaults/permissions lockPref("permissions.manager.defaultsUrl", ""); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Web Workers // >>>>>>>>>>>>>>>>>>>>>> // Pref : Disable service workers // Service workers essentially act as proxy servers that sit between web apps, and the browser and network, are event driven, and can control the web page/site it is associated with, intercepting and modifying navigation and resource requests, and caching resources. // [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode. // [NOTE] Service workers only run over HTTPS. Service Workers have no DOM access. lockPref("dom.serviceWorkers.enabled", false); // ------------------------------------- // Pref : Disable push service // The upstream autopush endpoint must have the Google API key corresponding to the App's sender ID; we bake this assumption directly into the URL. lockPref("dom.push.enabled", false); lockPref("dom.push.serverURL", ""); // ------------------------------------- // Pref : Disable web notifications // https://developer.mozilla.org/docs/Web/API/Notifications_API lockPref("notification.feature.enabled", false); // [FENNEC] lockPref("dom.webnotifications.enabled", false); lockPref("dom.webnotifications.serviceworker.enabled", false); // ------------------------------------- // Pref : Prevent tooltips from showing up lockPref("browser.chrome.toolbar_tips", false); // ------------------------------------- // Pref : Disable push notifications // Web apps can receive messages pushed to them from a server, whether or not the web app is in the foreground, or even currently loaded // https://developer.mozilla.org/docs/Web/API/Push_API lockPref("dom.push.alwaysConnect", false); lockPref("dom.push.debug", false); lockPref("dom.push.connection.enabled", false); lockPref("dom.push.userAgentID", ""); lockPref("dom.push.udp.wakeupEnabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable hiding mime types not associated with a plugin lockPref("browser.download.hide_plugins_without_extensions", false); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : DOM (Document Object Model) & Javascript // >>>>>>>>>>>>>>>>>>>>>> // Pref : Disable right-click menu manipulation via JavaScript lockPref("dom.event.contextmenu.enabled", false); // ------------------------------------- // Pref : Disable website access to clipboard events/content // Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...) // https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled lockPref("dom.event.clipboardevents.enabled", false); // ------------------------------------- // Pref : Disable "Confirm you want to leave" dialog on page close // Does not prevent JS leaks of the page close event. // https://developer.mozilla.org/docs/Web/Events/beforeunload // https://support.mozilla.org/questions/1043508 lockPref("dom.disable_beforeunload", true); // ------------------------------------- // Pref : Disable shaking the screen (Vibrator API) lockPref("dom.vibrator.enabled", false); // ------------------------------------- // Pref : Disable clipboard commands (cut/copy) from "non-privileged" content // This disables document.execCommand("cut"/"copy") to protect your clipboard // https://bugzilla.mozilla.org/1170911 // lockPref("dom.allow_cut_copy", false); // [HIDDEN PREF] // ------------------------------------- // Pref : Disable asm.js // http://asmjs.org/ // https://www.mozilla.org/security/advisories/mfsa2015-29/ // https://www.mozilla.org/security/advisories/mfsa2015-50/ // https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375 // https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400 // https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ lockPref("javascript.options.asmjs", false); // ------------------------------------- // Pref : Disable Ion and baseline JIT to help harden JS against exploits // If false, causes the odd site issue and there is also a performance loss // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 // lockPref("javascript.options.ion", false); // lockPref("javascript.options.baselinejit", false); // ------------------------------------- // Pref : Disable WebAssembly // https://webassembly.org/ // https://developer.mozilla.org/docs/WebAssembly // https://en.wikipedia.org/wiki/WebAssembly // https://trac.torproject.org/projects/tor/ticket/21549 lockPref("javascript.options.wasm", false); // ------------------------------------- // Pref : Disable Intersection Observer API // Almost a year to complete, three versions late to stable (as default false), number #1 cause of crashes in nightly numerous times, and is (primarily) an ad network API for "ad viewability checks" down to a pixel level // https://developer.mozilla.org/docs/Web/API/Intersection_Observer_API // https://w3c.github.io/IntersectionObserver/ // https://bugzilla.mozilla.org/1243846 lockPref("dom.IntersectionObserver.enabled", false); // ------------------------------------- // Pref : Disable Shared Memory (Spectre mitigation) // https://github.com/tc39/ecmascript_sharedmem/blob/master/TUTORIAL.md // https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ lockPref("javascript.options.shared_memory", false); // [DEFAULT: false] // ------------------------------------- // Pref : Enforce DOMHighResTimeStamp API // [WARNING] Required for normalization of timestamps and any timer resolution mitigations lockPref("dom.event.highrestimestamp.enabled", true); // [DEFAULT: true] // ------------------------------------- // Pref : Enable (limited but sufficient) window.opener protection // Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set lockPref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: false] // ------------------------------------- // Pref : Don't reveal build ID // Value taken from Tor Browser // https://bugzilla.mozilla.org/show_bug.cgi?id=583181 lockPref("general.buildID.override", "20100101"); // [DESKTOP] lockPref("browser.startup.homepage_override.buildID", "20100101"); // [DESKTOP] // ------------------------------------- // Pref : Disable Archive API // https://wiki.mozilla.org/WebAPI/ArchiveAPI // https://bugzilla.mozilla.org/show_bug.cgi?id=1342361 lockPref("dom.archivereader.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable raw TCP socket support (mozTCPSocket) // https://trac.torproject.org/projects/tor/ticket/18863 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/ // https://developer.mozilla.org/docs/Mozilla/B2G_OS/API/TCPSocket lockPref("dom.mozTCPSocket.enabled", false); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Media / Camera / Mic // >>>>>>>>>>>>>>>>>>>>>> // Pref : WebSockets is a technology that makes it possible to open an interactive communication session between the user's browser and a server. (May leak IP when using proxy/VPN) lockPref("media.peerconnection.enabled", false); // ------------------------------------- // Pref : Limit WebRTC IP leaks if using WebRTC // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416 // https://wiki.mozilla.org/Media/WebRTC/Privacy lockPref("media.peerconnection.ice.default_address_only", true); lockPref("media.peerconnection.ice.no_host", true); lockPref("media.peerconnection.use_document_iceservers", false); lockPref("media.peerconnection.identity.enabled", false); lockPref("media.peerconnection.turn.disable", true); lockPref("media.peerconnection.ice.tcp", false); lockPref("media.peerconnection.video.enabled", false); // lockPref("media.peerconnection.identity.timeout", 0); // ------------------------------------- // Pref : Disable WebGL I/II // [WARNING] WebGL introduce high fingerprinting... (webgl is direct hardware js) lockPref("webgl.disabled", true); lockPref("webgl.enable-webgl2", false); lockPref("webgl.min_capability_mode", true); lockPref("pdfjs.enableWebGL", false); lockPref("webgl.disable-extensions", true); // [DEFAULT: false] lockPref("webgl.disable-wgl", true); // [DEFAULT: false] lockPref("webgl.disable-fail-if-major-performance-caveat", true); lockPref("webgl.can-lose-context-in-foreground", false); // [DEFAULT: true] lockPref("webgl.force-enabled", false); // ------------------------------------- // Pref : Disable screensharing and audiocapture lockPref("media.getusermedia.screensharing.enabled", false); // [DESKTOP] lockPref("media.getusermedia.browser.enabled", false); lockPref("media.getusermedia.audiocapture.enabled", false); // ------------------------------------- // Pref : Disable camera support lockPref("device.camera.enabled", false); // [DEFAULT: true] // [FENNEC] lockPref("media.realtime_decoder.enabled", false); // [DEFAULT: true] // [FENNEC] // ------------------------------------- // Pref : Disable face detection lockPref("camera.control.face_detection.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable canvas capture stream // https://developer.mozilla.org/docs/Web/API/HTMLCanvasElement/captureStream lockPref("canvas.capturestream.enabled", false); // ------------------------------------- // Pref : Disable camera image capture // https://trac.torproject.org/projects/tor/ticket/16339 lockPref("dom.imagecapture.enabled", false); // [DEFAULT: false] // ------------------------------------- // Pref : Disable offscreen canvas // https://developer.mozilla.org/docs/Web/API/OffscreenCanvas lockPref("gfx.offscreencanvas.enabled", false); // [DEFAULT: false] // ------------------------------------- // Pref : Disable autoplay of HTML5 media // 0=Allowed, 1=Blocked, 2=Prompt // [NOTE] You can set exceptions under site permissions lockPref("media.autoplay.default", 1); lockPref("media.autoplay.allow-muted", false); // [DEFAULT: true] lockPref("media.autoplay.block-event.enabled", true); // [DEFAULT: false] lockPref("media.autoplay.block-webaudio", true); // [DEFAULT: false] // ------------------------------------- // Pref : Disable autoplay of HTML5 media if you interacted with the site lockPref("media.autoplay.enabled.user-gestures-needed", true); // [DEFAULT: true] // ------------------------------------- // Pref : Disable audio autoplay in non-active tabs // https://www.ghacks.net/2016/11/14/firefox-51-blocks-automatic-audio-playback-in-non-active-tabs/ lockPref("media.block-autoplay-until-in-foreground", true); // [DEFAULT: false] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Location Bar / Search Bar / Suggestions / History / Forms // >>>>>>>>>>>>>>>>>>>> // Pref : Do not submit invalid URIs entered in the address bar to the default search engine // http://kb.mozillazine.org/Keyword.enabled lockPref("keyword.enabled", true); // [DEFAULT: true] // ------------------------------------- // Pref : Don't try to guess domain names when entering an invalid domain name in URL bar // http://www-archive.mozilla.org/docs/end-user/domain-guessing.html lockPref("browser.fixup.alternate.enabled", false); // ------------------------------------- // Pref : Don't trim HTTP off of URLs in the address bar // https://bugzilla.mozilla.org/show_bug.cgi?id=665580 lockPref("browser.urlbar.trimURLs", false); // ------------------------------------- // Pref : Limit history leaks via enumeration (PER TAB: back/forward) // This is a PER TAB session history. You still have a full history stored under all history // Minimum=1=currentpage, 2 is the recommended minimum as some pages use it as a means of referral (e.g. hotlinking), 4 or 6 or 10 may be more practical lockPref("browser.sessionhistory.max_entries", 20); // [DEFAULT: 50] // ------------------------------------- // Pref : Disable CSS querying page history - CSS history leak // [NOTE] This has NEVER been fully "resolved": in Mozilla/docs it is stated it's only in 'certain circumstances' // [TEST] http://lcamtuf.coredump.cx/yahh/ (see github wiki APPENDIX C on how to use) // https://dbaron.org/mozilla/visited-privacy // https://bugzilla.mozilla.org/147777 // https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector lockPref("layout.css.visited_links_enabled", false); // ------------------------------------- // Pref : Disable search suggestions in the search bar // http://kb.mozillazine.org/Browser.search.suggest.enabled lockPref("browser.search.suggest.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable "Show search suggestions in location bar results" lockPref("browser.urlbar.suggest.searches", false); // [DESKTOP] // ------------------------------------- // Pref : Disable information entered in web page forms and the search bar // [NOTE] You can clear formdata on exiting Firefox defaultPref("browser.formfill.enable", false); // ------------------------------------- // Pref : Disable date/time picker // [WARNING] This can leak your locale if not en-US // https://trac.torproject.org/projects/tor/ticket/21787 // https://bugzilla.mozilla.org/show_bug.cgi?id=1287503 // lockPref("dom.forms.datetime", false); // ------------------------------------- // Pref : Disable Windows jumplist lockPref("browser.taskbar.lists.enabled", false); // [WINDOWS] // [DESKTOP] lockPref("browser.taskbar.lists.frequent.enabled", false); // [WINDOWS] // [DESKTOP] lockPref("browser.taskbar.lists.recent.enabled", false); // [WINDOWS] // [DESKTOP] lockPref("browser.taskbar.lists.tasks.enabled", false); // [WINDOWS] // [DESKTOP] // ------------------------------------- // Pref : Disable Windows taskbar preview lockPref("browser.taskbar.previews.enable", false); // [WINDOWS] // [DESKTOP] // ------------------------------------- // Pref : Disable UITour backend so there is no chance that a remote page can use it lockPref("browser.uitour.enabled", false); // [DESKTOP] lockPref("browser.uitour.url", ""); // [DESKTOP] lockPref("browser.uitour.themeOrigin", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable location bar making speculative connections // https://bugzilla.mozilla.org/1348275 lockPref("browser.urlbar.speculativeConnect.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable location bar suggesting "preloaded" top websites // https://bugzilla.mozilla.org/1211726 lockPref("browser.urlbar.usepreloadedtopurls.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Firefox Tips / Search suggestions lockPref("browser.urlbar.daysBeforeHidingSuggestionsPrompt", 0); // [DESKTOP] lockPref("browser.urlbar.searchSuggestionsChoice", false); // [DESKTOP] lockPref("browser.urlbar.timesBeforeHidingSuggestionsHint", 0); // [DESKTOP] // ------------------------------------- // Pref : Disable URL bar autocomplete and history/bookmarks suggestions dropdown // [NOTE] This does not cause privacy/leaking issue // lockPref("browser.urlbar.autocomplete.enabled", false); // [DESKTOP] // lockPref("browser.urlbar.suggest.history", false); // [DESKTOP] // lockPref("browser.urlbar.suggest.bookmark", false); // [DESKTOP] // lockPref("browser.urlbar.suggest.openpage", false); // [DESKTOP] // ------------------------------------- // Pref : Disable browsing and download history // lockPref("places.history.enabled", false); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Security // >>>>>>>>>>>>>>>>>>>> // Pref : Blocking GD Parking Scam Site defaultPref("network.dns.localDomains", ""); // ------------------------------------- // Pref : Enable HSTS preload list (pre-set HSTS sites list provided by Mozilla) // https://blog.mozilla.org/security/2012/11/01/preloading-hsts/ // https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List // https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security lockPref("network.stricttransportsecurity.preloadlist", true); // ------------------------------------- // Pref : Disable insecure TLS version fallback // https://bugzilla.mozilla.org/show_bug.cgi?id=1084025 // https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645 lockPref("security.tls.version.fallback-limit", 3); // ------------------------------------- // Pref : Enable CSP 1.1 script-nonce directive support // https://bugzilla.mozilla.org/show_bug.cgi?id=855326 defaultPref("security.csp.experimentalEnabled", true); // ------------------------------------- // Pref : Enable OCSP Must-Staple support // https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/ // https://www.entrust.com/ocsp-must-staple/ // https://github.com/schomery/privacy-settings/issues/40 // [NOTE] Firefox falls back on plain OCSP when must-staple is not configured on the host certificate lockPref("security.ssl.enable_ocsp_must_staple", true); // ------------------------------------- // Pref : Control remote debugging lockPref("devtools.remote.usb.enabled", false); // [DEFAULT: false] lockPref("devtools.remote.wifi.enabled", false); // [DEFAULT: false] // ------------------------------------- // Pref : Disable dump function // True if you always want dump() to work // On Android, you also need to do the following for the output to show up in logcat: // $ adb shell stop // $ adb shell setprop log.redirect-stdio true // $ adb shell start lockPref("browser.dom.window.dump.enabled", false); // [DEFAULT: true] lockPref("devtools.console.stdout.chrome", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable number linkification lockPref("browser.ui.linkify.phone", false); // [DEFAULT: false] // [FENNEC] // ------------------------------------- // Pref : Controls which bits of private data to clear. lockPref("privacy.item.cache", true); // [DEFAULT: true] // [FENNEC] lockPref("privacy.item.cookies", true); // [DEFAULT: true] lockPref("privacy.item.offlineApps", true); // [DEFAULT: true] // [FENNEC] lockPref("privacy.item.history", true); // [DEFAULT: true] // [FENNEC] lockPref("privacy.item.searchHistory", true); // [DEFAULT: true] // [FENNEC] lockPref("privacy.item.formdata", true); // [DEFAULT: true] // [FENNEC] lockPref("privacy.item.downloads", true); // [DEFAULT: true] // [FENNEC] lockPref("privacy.item.passwords", true); // [DEFAULT: true] // [FENNEC] lockPref("privacy.item.sessions", true); // [DEFAULT: true] // [FENNEC] lockPref("privacy.item.geolocation", true); // [DEFAULT: true] // [FENNEC] lockPref("privacy.item.siteSettings", true); // [DEFAULT: true] // [FENNEC] lockPref("privacy.item.syncAccount", true); // [DEFAULT: true] // [FENNEC] // ------------------------------------- // Pref : Disable tab hiding API by default defaultPref("extensions.webextensions.tabhide.enabled", false); // [DEFAULT: true] // [DESKTOP] // ------------------------------------- // Pref : WebSockets is a technology that makes it possible to open an interactive communication session between the user's browser and a server. (May leak IP when using proxy/VPN) // https://bugzilla.mozilla.org/show_bug.cgi?id=1091016 lockPref("network.websocket.enabled", false); // [HIDDEN PREF] // [DEPRECATED] // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Block Implicit Outbound // >>>>>>>>>>>>>>>>>>>> // Pref : Disable prefetching of URLs // Link prefetching is when a webpage hints to the browser that certain pages are likely to be visited, so the browser downloads them immediately so they can be displayed immediately when the user requests it. // http://kb.mozillazine.org/Network.prefetch-next // https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F lockPref("network.prefetch-next", false); // ------------------------------------- // Pref : Disable DNS prefetching // http://kb.mozillazine.org/Network.dns.disablePrefetch // https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching lockPref("network.dns.disablePrefetch", true); lockPref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF] // ------------------------------------- // Pref : Disable pinging URIs specified in HTML ping= attributes // http://kb.mozillazine.org/Browser.send_pings lockPref("browser.send_pings", false); // ------------------------------------- // Pref : When browser pings are enabled, only allow pinging the same host as the origin page // http://kb.mozillazine.org/Browser.send_pings.require_same_host lockPref("browser.send_pings.require_same_host", true); // ------------------------------------- // Pref : Disable speculative pre-connections // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections // https://bugzilla.mozilla.org/show_bug.cgi?id=814169 lockPref("network.http.speculative-parallel-limit", 0); // ------------------------------------- // Pref : Disable predictor / prefetching // Network predicator load pages before they are opened with mose hover for example lockPref("network.predictor.enabled", false); lockPref("network.predictor.cleaned-up", true); lockPref("network.predictor.enable-prefetch", false); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : HTTP* / TCP/IP / DNS / PROXY / SOCKS etc. // >>>>>>>>>>>>>>>>>>>> // Pref : Disable IPv6 // If your OS or ISP does not support IPv6, there is no reason to have this preference set to false. lockPref("network.dns.disableIPv6", true); // ------------------------------------- // Pref : Disable HTTP2 (which was based on SPDY which is now deprecated) // HTTP2 raises concerns with "multiplexing" and "server push", does nothing to enhance privacy, and in fact opens up a number of server-side fingerprinting opportunities. // [SETUP-PERF] Relax this if you have FPI enabled and you understand the consequences. FPI isolates these, but it was designed with the Tor protocol in mind, and the Tor Browser has extra protection, including enhanced sanitizing per Identity. // https://http2.github.io/faq/ // https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html // https://queue.acm.org/detail.cfm?id=2716278 // https://github.com/ghacksuserjs/ghacks-user.js/issues/107 // lockPref("network.http.spdy.enabled", false); // lockPref("network.http.spdy.enabled.deps", false); // lockPref("network.http.spdy.enabled.http2", false); // lockPref("network.http.spdy.websockets", false); // ------------------------------------- // Pref : Enforce the proxy server to do any DNS lookups when using SOCKS // e.g. in Tor, this stops your local DNS server from knowing your Tor destination as a remote Tor node will handle the DNS request // http://kb.mozillazine.org/Network.proxy.socks_remote_dns // https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers defaultPref("network.proxy.socks_remote_dns", true); // ------------------------------------- // Pref : Remove paths when sending URLs to PAC scripts // https://bugzilla.mozilla.org/1255474 defaultPref("network.proxy.autoconfig_url.include_path", false); // [DEFAULT: false] // ------------------------------------- // Pref : Defaulting Proxy settings defaultPref("network.proxy.autoconfig_url", ""); // [DEFAULT: ""] defaultPref("network.proxy.socks_version", 5); // [DEFAULT: 5] // ------------------------------------- // Pref : Disable (or setup) DNS-over-HTTPS (DoH) // TRR = Trusted Recursive Resolver // .mode: 0=off, 1=race, 2=TRR first, 3=TRR only, 4=race for stats, but always use native result // [WARNING] DoH bypasses hosts and gives info to yet another party (e.g. Cloudflare) // [BUG] This seem to disable socks_remote_dns ?! need to check with wireshark // If true, just settings urls to null should be enough to disable without impacting socks_remote_dns. // https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/ // https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ lockPref("network.trr.mode", 0); lockPref("network.trr.bootstrapAddress", ""); lockPref("network.trr.uri", ""); // ------------------------------------- // Pref : Enable Subresource Integrity // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity // https://wiki.mozilla.org/Security/Subresource_Integrity lockPref("security.sri.enable", true); // [DEFAULT: true] // ------------------------------------- // Pref : Disable using UNC (Uniform Naming Convention) paths // https://trac.torproject.org/projects/tor/ticket/26424 lockPref("network.file.disable_unc_paths", true); // [HIDDEN PREF] // [DESKTOP] // ------------------------------------- // Pref : Disable HTTP Alternative Services // https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3970881 // https://www.mnot.net/blog/2016/03/09/alt-svc lockPref("network.http.altsvc.enabled", false); // [DESKTOP] lockPref("network.http.altsvc.oe", false); // [DESKTOP] // ------------------------------------- // Pref : Disallow NTLMv1 // https://bugzilla.mozilla.org/show_bug.cgi?id=828183 lockPref("network.negotiate-auth.allow-insecure-ntlm-v1", false); // [DESKTOP] // It is still allowed through HTTPS. uncomment the following to disable it completely. // lockPref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : HTTPS (SSL/TLS / OCSP / Certs / HPKP / Ciphers) // >>>>>>>>>>>>>>>>>>>> // Pref : Disable old SSL/TLS "insecure" renegotiation (vulnerable to a MiTM attack) // [SETUP-WEB] <2% of secure sites do NOT support the newer "secure" renegotiation // https://wiki.mozilla.org/Security:Renegotiation // https://www.ssllabs.com/ssl-pulse/ lockPref("security.ssl.require_safe_negotiation", true); // ------------------------------------- // Pref : Control TLS versions with min and max // 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 // [NOTE] Jul-2017: Telemetry indicates approx 2% of TLS web traffic uses 1.0 or 1.1 // http://kb.mozillazine.org/Security.tls.version.* // https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/ // archived: https://archive.is/hY2Mm lockPref("security.tls.version.min", 3); lockPref("security.tls.version.max", 4); // ------------------------------------- // Pref : Disable SSL Error Reporting // https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html lockPref("security.ssl.errorReporting.enabled", false); lockPref("security.ssl.errorReporting.automatic", false); lockPref("security.ssl.errorReporting.url", ""); // ------------------------------------- // Pref : Disable SSL session tracking // SSL Session IDs are unique, last up to 24hrs in Firefox, and can be used for tracking // https://tools.ietf.org/html/rfc5077 // https://bugzilla.mozilla.org/967977 // https://arxiv.org/abs/1810.07304 lockPref("security.ssl.disable_session_identifiers", true); // [DEFAULT: true] // [HIDDEN PREF] // ------------------------------------- // Pref : Disable TLS1.3 0-RTT (round-trip time) // https://github.com/tlswg/tls13-spec/issues/1001 // https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ lockPref("security.tls.enable_0rtt_data", false); // ------------------------------------- // Pref : Require a valid OCSP response for OCSP enabled certificates // https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA // Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses // [NOTE] `security.OCSP.require` will make the connection fail when the OCSP responder is unavailable // [NOTE] `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal) lockPref("security.OCSP.require", true); // ------------------------------------- // Pref : Enable OSCP (Online Certificate Status Protocol) // https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol // https://www.imperialviolet.org/2014/04/19/revchecking.html // https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/ // https://wiki.mozilla.org/CA:RevocationPlan // https://wiki.mozilla.org/CA:ImprovingRevocation // https://wiki.mozilla.org/CA:OCSP-HardFail // https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html // https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html // [NOTE] OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host // [NOTE] OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder // [NOTE] OCSP adds latency (performance) // [NOTE] Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10) lockPref("security.OCSP.enabled", 0); // ------------------------------------- // Pref : Enable OCSP Stapling support // Stapling have the site itself proof that his certificate is good through the CA so apparently nothing is leaked in this case. // https://en.wikipedia.org/wiki/OCSP_stapling // https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ lockPref("security.ssl.enable_ocsp_stapling", true); // ------------------------------------- // Pref : Disallow SHA-1 // 0=all SHA1 certs are allowed // 1=all SHA1 certs are blocked // 2=deprecated option that now maps to 1 // 3=only allowed for locally-added roots (e.g. anti-virus) // 4=only allowed for locally-added roots or for certs in 2015 and earlier // https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ // https://bugzilla.mozilla.org/show_bug.cgi?id=1302140 // https://shattered.io/ lockPref("security.pki.sha1_enforcement_level", 1); // ------------------------------------- // Pref : Disable Windows 8.1's Microsoft Family Safety cert // 0=disable detecting Family Safety mode and importing the root // 1=only attempt to detect Family Safety mode (don't import the root) // 2=detect Family Safety mode and import the root // https://trac.torproject.org/projects/tor/ticket/21686 lockPref("security.family_safety.mode", 0); // ------------------------------------- // Pref : Enfore Public Key Pinning // https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning // https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning // 2= strict (pinning is always enforced) lockPref("security.cert_pinning.enforcement_level", 2); // ------------------------------------- // Pref : Disable insecure active content on https pages // https://trac.torproject.org/projects/tor/ticket/21323 lockPref("security.mixed_content.block_active_content", true); // [DEFAULT: true] // ------------------------------------- // Pref : Disable insecure passive content (such as images) on https pages lockPref("security.mixed_content.upgrade_display_content", true); lockPref("security.mixed_content.block_display_content", true); // ------------------------------------- // Pref : Block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks // https://bugzilla.mozilla.org/1190623 lockPref("security.mixed_content.block_object_subrequest", true); // ------------------------------------- // Pref : Disable 3DES (effective key size < 128) // https://en.wikipedia.org/wiki/3des#Security // http://en.citizendium.org/wiki/Meet-in-the-middle_attack // https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html lockPref("security.ssl3.rsa_des_ede3_sha", false); lockPref("security.ssl3.dhe_dss_des_ede3_sha", false); // [DESKTOP] lockPref("security.ssl3.dhe_rsa_des_ede3_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdh_rsa_des_ede3_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdhe_rsa_des_ede3_sha", false); // [DESKTOP] lockPref("security.ssl3.rsa_fips_des_ede3_sha", false); // [DESKTOP] // ------------------------------------- // Pref : Disable 40/56/128-bit ciphers lockPref("security.ssl3.rsa_rc4_40_md5", false); // 40-bit // [DESKTOP] lockPref("security.ssl3.rsa_rc2_40_md5", false); // 40-bit // [DESKTOP] lockPref("security.ssl3.rsa_1024_rc4_56_sha", false); // 56-bit // [DESKTOP] lockPref("security.ssl3.rsa_camellia_128_sha", false); // 128-bit // [DESKTOP] lockPref("security.ssl3.ecdhe_rsa_aes_128_sha", false); // 128-bit lockPref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); // 128-bit lockPref("security.ssl3.ecdh_rsa_aes_128_sha", false); // 128-bit // [DESKTOP] lockPref("security.ssl3.ecdh_ecdsa_aes_128_sha", false); // 128-bit // [DESKTOP] lockPref("security.ssl3.dhe_rsa_camellia_128_sha", false); // 128-bit // [DESKTOP] lockPref("security.ssl3.dhe_rsa_aes_128_sha", false); // 128-bit // [DESKTOP] // ------------------------------------- // Pref : Disable 256 bits ciphers without PFS lockPref("security.ssl3.rsa_camellia_256_sha", false); // [DESKTOP] // ------------------------------------- // Pref : Disable SEED cipher // https://en.wikipedia.org/wiki/SEED lockPref("security.ssl3.rsa_seed_sha", false); // [DESKTOP] // ------------------------------------- // Pref : Disable null ciphers lockPref("security.ssl3.rsa_null_sha", false); // [DESKTOP] lockPref("security.ssl3.rsa_null_md5", false); // [DESKTOP] lockPref("security.ssl3.ecdhe_rsa_null_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdhe_ecdsa_null_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdh_rsa_null_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdh_ecdsa_null_sha", false); // [DESKTOP] // ------------------------------------- // Pref : Enable GCM ciphers (TLSv1.2 only) // https://en.wikipedia.org/wiki/Galois/Counter_Mode lockPref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // [DEFAULT: true] lockPref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); // [DEFAULT: true] // ------------------------------------- // Pref : Enable ciphers with ECDHE and key size > 128bits lockPref("security.ssl3.ecdhe_rsa_aes_256_sha", true); // [DEFAULT: true] lockPref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // [DEFAULT: true] // ------------------------------------- // Pref : Enable ChaCha20 and Poly1305 // https://www.mozilla.org/en-US/firefox/47.0/releasenotes/ // https://tools.ietf.org/html/rfc7905 // https://bugzilla.mozilla.org/show_bug.cgi?id=917571 // https://bugzilla.mozilla.org/show_bug.cgi?id=1247860 // https://cr.yp.to/chacha.html lockPref("security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", true); lockPref("security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256", true); // ------------------------------------- // Pref : Disable DHE (Diffie-Hellman Key Exchange) // https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH lockPref("security.ssl3.dhe_rsa_aes_128_sha", false); // ------------------------------------- // Pref : Fallbacks due compatibility reasons lockPref("security.ssl3.rsa_aes_128_sha", true); lockPref("security.ssl3.rsa_aes_256_sha", true); // ------------------------------------- // Pref : Disable ciphers with DSA (max 1024 bits) lockPref("security.ssl3.dhe_dss_aes_128_sha", false); // [DESKTOP] lockPref("security.ssl3.dhe_dss_aes_256_sha", false); // [DESKTOP] lockPref("security.ssl3.dhe_dss_camellia_128_sha", false); // [DESKTOP] lockPref("security.ssl3.dhe_dss_camellia_256_sha", false); // [DESKTOP] // ------------------------------------- // Pref : Disable ciphers susceptible to the logjam attack // https://weakdh.org/ lockPref("security.ssl3.dhe_rsa_camellia_256_sha", false); // [DESKTOP] lockPref("security.ssl3.dhe_rsa_aes_256_sha", false); // [DESKTOP] // ------------------------------------- // Pref : Disable ciphers with ECDH (non-ephemeral) lockPref("security.ssl3.ecdh_rsa_aes_256_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdh_ecdsa_aes_256_sha", false); // [DESKTOP] // ------------------------------------- // Pref : Disable RC4 // https://developer.mozilla.org/en-US/Firefox/Releases/38#Security // https://bugzilla.mozilla.org/show_bug.cgi?id=1138882 // https://rc4.io/ // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566 lockPref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdh_rsa_rc4_128_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false); // [DESKTOP] lockPref("security.ssl3.ecdhe_rsa_rc4_128_sha", false); // [DESKTOP] lockPref("security.ssl3.rsa_rc4_128_md5", false); // [DESKTOP] lockPref("security.ssl3.rsa_rc4_128_sha", false); // [DESKTOP] lockPref("security.tls.unrestricted_rc4_fallback", false); // [DESKTOP] // ------------------------------------- // Pref : Warn the user when server doesn't support RFC 5746 ("safe" renegotiation) // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555 lockPref("security.ssl.treat_unsafe_negotiation_as_broken", true); // ------------------------------------- // Pref : Control "Add Security Exception" dialog on SSL warnings // 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default) // http://kb.mozillazine.org/Browser.ssl_override_behavior // https://github.com/pyllyukko/user.js/issues/210 lockPref("browser.ssl_override_behavior", 1); // ------------------------------------- // Pref : Display advanced information on Insecure Connection warning pages (only works when it's possible to add an exception), i.e. it doesn't work for HSTS discrepancies // https://subdomain.preloaded-hsts.badssl.com/ // [TEST] https://expired.badssl.com/ lockPref("browser.xul.error_pages.expert_bad_cert", true); // ------------------------------------- // Pref : Disable GIO as a potential proxy bypass vector // Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda, gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far. // https://bugzilla.mozilla.org/1433507 // https://trac.torproject.org/23044 // https://en.wikipedia.org/wiki/GVfs // https://en.wikipedia.org/wiki/GIO_(software) lockPref("network.gio.supported-protocols", ""); // [HIDDEN PREF] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : User Settings // >>>>>>>>>>>>>>>>>>>> // Pref : Set long press behaviour on "+ Tab" button to display container menu // 0=disables long press, 1=when clicked, the menu is shown // 2=the menu is shown after X milliseconds // [NOTE] The menu does not contain a non-container tab option // https://bugzilla.mozilla.org/1328756 defaultPref("privacy.userContext.longPressBehavior", 2); // ------------------------------------- // Pref : Enable Container Tabs setting in preferences // https://bugzilla.mozilla.org/1279029 defaultPref("privacy.userContext.ui.enabled", true); // ------------------------------------- // Pref : Enable Container Tabs defaultPref("privacy.userContext.enabled", true); // ------------------------------------- // Pref : Enable a private container for thumbnail loads defaultPref("privacy.usercontext.about_newtab_segregation.enabled", true); // [DEFAULT: true] // ------------------------------------- // Pref : Changing block list (Tracking protection) // Default value "test-track-simple,base-track-digest256" lockPref("urlclassifier.trackingTable", ""); // ------------------------------------- // Pref : Enable First Party Isolation // [SETUP-WEB] May break cross-domain logins and site functionality until perfected // https://bugzilla.mozilla.org/1260931 // Enabled via addons lockPref("privacy.firstparty.isolate", true); lockPref("privacy.firstparty.isolate.restrict_opener_access", true); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Passwords // >>>>>>>>>>>>>>>>>>>> // Pref : Disable autofilling saved passwords on HTTP pages and show warning // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1217152,1319119 lockPref("signon.autofillForms.http", false); lockPref("security.insecure_field_warning.contextual.enabled", true); // ------------------------------------- // Pref : Disable password manager // [NOTE] This does not clear any passwords already saved lockPref("signon.rememberSignons", false); lockPref("signon.debug", false); // ------------------------------------- // Pref : Set how often Firefox should ask for the master password // 0=the first time (default), 1=every time it's needed, 2=every n minutes lockPref("security.ask_for_password", 2); // ------------------------------------- // Pref : Set how often in minutes Firefox should ask for the master password lockPref("security.password_lifetime", 1); // [DEFAULT: 30] // ------------------------------------- // Pref : Disable auto-filling username & password form fields // Can leak in cross-site forms AND be spoofed. // [NOTE] Password will still be auto-filled after a user name is manually entered // http://kb.mozillazine.org/Signon.autofillForms lockPref("signon.autofillForms", false); lockPref("signon.autofillForms.autocompleteOff", true); // ------------------------------------- // Pref : Disable websites autocomplete // Don't let sites dictate use of saved logins and passwords. lockPref("signon.storeWhenAutocompleteOff", false); // ------------------------------------- // Pref : Disable formless login capture // https://bugzilla.mozilla.org/show_bug.cgi?id=1166947 lockPref("signon.formlessCapture.enabled", false); // ------------------------------------- // Pref : Limit (or disable) HTTP authentication credentials dialogs triggered by sub-resources // Hardens against potential credentials phishing // 0=don't allow sub-resources to open HTTP authentication credentials dialogs // 1=don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs // 2=allow sub-resources to open HTTP authentication credentials dialogs (default) // https://www.fxsitecompat.com/en-CA/docs/2015/http-auth-dialog-can-no-longer-be-triggered-by-cross-origin-resources/ lockPref("network.auth.subresource-http-auth-allow", 1); // ------------------------------------- // Pref : Prevent cross-origin images from triggering an HTTP-Authentication prompt // https://bugzilla.mozilla.org/1357835 lockPref("network.auth.subresource-img-cross-origin-http-auth-allow", false); // [DEPRECATED] // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Window Meddling & Leaks / Popups // >>>>>>>>>>>>>>>>>>>> // Pref : Prevent websites from disabling new window features // http://kb.mozillazine.org/Prevent_websites_from_disabling_new_window_features lockPref("dom.disable_window_open_feature.close", true); // [DEFAULT: false] lockPref("dom.disable_window_open_feature.location", true); // [DEFAULT: false] lockPref("dom.disable_window_open_feature.menubar", true); // [DEFAULT: false] lockPref("dom.disable_window_open_feature.minimizable", true); // [DEFAULT: false] lockPref("dom.disable_window_open_feature.personalbar", true); // [DEFAULT: false] lockPref("dom.disable_window_open_feature.resizable", true); // [DEFAULT: true] lockPref("dom.disable_window_open_feature.status", true); // [DEFAULT: true] lockPref("dom.disable_window_open_feature.titlebar", true); // [DEFAULT: false] lockPref("dom.disable_window_open_feature.toolbar", true); // [DEFAULT: false] // ------------------------------------- // Pref : Prevent scripts from moving and resizing open windows lockPref("dom.disable_window_move_resize", true); // [DEFAULT: true] // ------------------------------------- // Pref : Open links targeting new windows in a new tab instead // This stops malicious window sizes and some screen resolution leaks. // You can still right-click a link and open in a new window. // [TEST] https://people.torproject.org/~gk/misc/entire_desktop.html // https://trac.torproject.org/projects/tor/ticket/9881 defaultPref("browser.link.open_newwindow", 3); // [DEFAULT: 3] defaultPref("browser.link.open_newwindow.restriction", 0); // [DEFAULT: 0] // ------------------------------------- // Pref : Disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks // [NOTE] You can still manually toggle the browser's fullscreen state, but this pref will disable embedded video fullscreen controls, e.g. youtube // [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen // lockPref("full-screen-api.enabled", false); // ------------------------------------- // Pref : Block popup windows defaultPref("dom.disable_open_during_load", true); // [DEFAULT: true] lockPref("privacy.popups.showBrowserMessage", true); // [DEFAULT: true] // ------------------------------------- // Pref : Set max popups from a single non-click event // [NOTE] Non-click events should never spawn a popup? // http://kb.mozillazine.org/Dom.popup_maximum lockPref("dom.popup_maximum", 0); // [DEFAULT: 20] // ------------------------------------- // Pref : Limit events that can cause a popup // http://kb.mozillazine.org/Dom.popup_allowed_events lockPref("dom.popup_allowed_events", "click dblclick"); // [DEFAULT: "change click dblclick mouseup pointerup notificationclick reset submit touchend"] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Cache / Session (Re)Store / Favicons // >>>>>>>>>>>>>>>>>>>> // [INTRO] ETAG and other cache tracking/fingerprinting techniques can be averted by disabling *BOTH* disk and memory cache. ETAGs can also be neutralized by modifying response headers. Another solution is to use a hardened configuration with Temporary Containers. Alternatively, you can *LIMIT* exposure by clearing cache on close. Or on a regular basis manually or with an extension. // https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags // https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/ // https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache // https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.4-Header-Editor // https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21 // ------------------------------------- // Pref : Disable disk cache lockPref("browser.cache.disk.enable", false); lockPref("browser.cache.disk.smart_size.enabled", false); lockPref("browser.cache.disk.smart_size.first_run", false); // ------------------------------------- // Pref : Disable disk cache for SSL pages // http://kb.mozillazine.org/Browser.cache.disk_cache_ssl lockPref("browser.cache.disk_cache_ssl", false); // ------------------------------------- // Pref : Disable memory cache // [NOTE] Not recommended due to performance issues // lockPref("browser.cache.memory.enable", false); // lockPref("browser.cache.memory.capacity", 0); // ------------------------------------- // Pref : Disable fastback cache // To improve performance when pressing back/forward Firefox stores visited pages so they don't have to be re-parsed. This is not the same as memory cache. // 0=none, -1=auto (that's minus 1). // [WARNING] Not recommended unless you know what you're doing // http://kb.mozillazine.org/Browser.sessionhistory.max_total_viewers // lockPref("browser.sessionhistory.max_total_viewers", 0); // ------------------------------------- // Pref : Exclude "Undo Closed Tabs" in Session Restore lockPref("browser.sessionstore.max_tabs_undo", 0); // ------------------------------------- // Pref : Disable storing extra session data // Extra session data contains contents of forms, scrollbar positions, cookies and POST data // Define on which sites to save extra session data: // 0=everywhere, 1=unencrypted sites, 2=nowhere lockPref("browser.sessionstore.privacy_level", 2); // ------------------------------------- // Pref : Disable resuming session from crash // lockPref("browser.sessionstore.resume_from_crash", false); // ------------------------------------- // Pref : Set the minimum interval between session save operations // Increasing this can help on older machines and some websites, as well as reducing writes. Default is 15000 (15 secs). Try 30000 (30 secs), 60000 (1 min) etc. // This can also affect entries in the "Recently Closed Tabs" feature: i.e. the longer the interval the more chance a quick tab open/close won't be captured. // This longer interval *may* affect history but we cannot replicate any history not recorded // https://bugzilla.mozilla.org/1304389 // lockPref("browser.sessionstore.interval", 30000); // ------------------------------------- // Pref : Disable favicons in web notifications lockPref("alerts.showFavicons", false); // ------------------------------------- // Pref : Delete Search and Form History lockPref("browser.formfill.expire_days", 0); // ------------------------------------- // Pref : Disable favicons in shortcuts // URL shortcuts use a cached randomly named .ico file which is stored in your profile/shortcutCache directory. The .ico remains after the shortcut is deleted. // false=shortcuts use a generic Firefox icon lockPref("browser.shell.shortcutFavicons", false); // [DESKTOP] // ------------------------------------- // Pref : Display "insecure" icon and "Not Secure" text on HTTP sites lockPref("security.insecure_connection_icon.enabled", true); // [DESKTOP] lockPref("security.insecure_connection_text.enabled", true); // [DESKTOP] lockPref("security.insecure_connection_icon.pbmode.enabled", true); // [DESKTOP] lockPref("security.insecure_connection_text.pbmode.enabled", true); // [DESKTOP] // ------------------------------------- // Pref : Enable insecure password warnings (login forms in non-HTTPS pages) // https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/ // https://bugzilla.mozilla.org/show_bug.cgi?id=1319119 // https://bugzilla.mozilla.org/show_bug.cgi?id=1217156 lockPref("security.insecure_password.ui.enabled", true); // [DESKTOP] // ------------------------------------- // Pref : Disable automatic Firefox start and session restore after reboot // https://bugzilla.mozilla.org/603903 lockPref("toolkit.winRegisterApplicationRestart", false); // [WINDOWS] // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Geolocation // >>>>>>>>>>>>>>>>>>>> // Pref : Disable geolocation lockPref("geo.enabled", false); lockPref("permissions.default.geo", 2); // [DESKTOP] // lockPref("geo.wifi.xhr.timeout", 0); // ------------------------------------- // Pref : Disable GeoIP lookup on your address to set default search engine region // https://trac.torproject.org/projects/tor/ticket/16254 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine lockPref("browser.search.countryCode", "US"); // [HIDDEN PREF] lockPref("browser.search.region", "US"); lockPref("browser.search.geoip.url", ""); lockPref("browser.search.geoSpecificDefaults.url", ""); lockPref("browser.snippets.geoUrl", ""); // lockPref("browser.search.geoip.timeout", 0); // ------------------------------------- // Pref : Set Accept-Language HTTP header defaultPref("intl.accept_languages", "en-US, en"); // ------------------------------------- // Pref : Use APP locale over OS locale in regional preferences // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1379420,1364789 lockPref("intl.regional_prefs.use_os_locales", false); // ------------------------------------- // Pref : Enforce US English locale regardless of the system locale // https://bugzilla.mozilla.org/867501 lockPref("javascript.use_us_english_locale", true); // [HIDDEN PREF] // ------------------------------------- // Pref : Disable using the OS's geolocation service lockPref("geo.provider.ms-windows-location", false); // [WINDOWS] // [DESKTOP] lockPref("geo.provider.use_corelocation", false); // [MAC] // [DESKTOP] lockPref("geo.provider.use_gpsd", false); // [LINUX] // [DESKTOP] lockPref("geo.wifi.uri", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable logging geolocation to the console lockPref("geo.wifi.logging.enabled", false); // [HIDDEN PREF] // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Fonts // >>>>>>>>>>>>>>>>>>>>>> // Pref : Disable websites choosing fonts (0=block, 1=allow) // If you disallow fonts, this drastically limits/reduces font enumeration (by JS) which is a high entropy fingerprinting vector. // [NOTE] You can do this with uBlock Origin // [NOTE] Disabling fonts can uglify the web a fair bit. // https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ // defaultPref("browser.display.use_document_fonts", 0); // ------------------------------------- // Pref : Set more legible default fonts // [NOTE] Example below for Windows/Western only // lockPref("font.name.serif.x-unicode", "Georgia"); // lockPref("font.name.serif.x-western", "Georgia"); // [DEFAULT: Times New Roman] // lockPref("font.name.sans-serif.x-unicode", "Arial"); // lockPref("font.name.sans-serif.x-western", "Arial"); // [DEFAULT: Arial] // lockPref("font.name.monospace.x-unicode", "Lucida Console"); // lockPref("font.name.monospace.x-western", "Lucida Console"); // [DEFAULT: Courier New] // ------------------------------------- // Pref : Disable icon fonts (glyphs) and local fallback rendering // [NOTE] You can do this with uBlock Origin // https://bugzilla.mozilla.org/789788 // https://trac.torproject.org/projects/tor/ticket/8455 // https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ // defaultPref("gfx.downloadable_fonts.enabled", false); // lockPref("gfx.downloadable_fonts.fallback_delay", 0); // ------------------------------------- // Pref : Disable WOFF2 (Web Open Font Format) defaultPref("gfx.downloadable_fonts.woff2.enabled", false); // ------------------------------------- // Pref : Disable CSS Font Loading API // [NOTE] Disabling fonts can uglify the web a fair bit. defaultPref("layout.css.font-loading-api.enabled", false); // ------------------------------------- // Pref : Disable special underline handling for a few fonts which you will probably never use // Any of these fonts on your system can be enumerated for fingerprinting. // http://kb.mozillazine.org/Font.blacklist.underline_offset lockPref("font.blacklist.underline_offset", ""); // ------------------------------------- // Pref : Disable graphite which turned back on by default // https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 lockPref("gfx.font_rendering.graphite.enabled", false); // ------------------------------------- // Pref : Limit system font exposure to a whitelist [RESTART] // If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed. // [WARNING] Creating your own probably highly-unique whitelist will raise your entropy. Eventually privacy.resistFingerprinting will cover this. // https://bugzilla.mozilla.org/1121643 // lockPref("font.system.whitelist", ""); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Plugins // >>>>>>>>>>>>>>>>>>>> // Pref : Disable plugins lockPref("plugin.disable", true); // [DEFAULT: true] // [FENNEC] lockPref("dom.ipc.plugins.enabled", false); // [DEFAULT: false] // [FENNEC] lockPref("plugins.crash.supportUrl", ""); // [DESKTOP] // ------------------------------------- // Pref : Set default plugin state (i.e. new plugins on discovery) to never activate // 0=disabled, 1=ask to activate, 2=active - you can override individual plugins lockPref("plugin.default.state", 0); lockPref("plugin.defaultXpi.state", 0); // ------------------------------------- // Pref : Disable scanning for plugins lockPref("plugin.scan.plid.all", false); // [WINDOWS] // [DESKTOP] // ------------------------------------- // Pref : Enable plugins click-to-play // https://wiki.mozilla.org/Firefox/Click_To_Play // https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/ lockPref("plugins.click_to_play", true); lockPref("plugin.sessionPermissionNow.intervalInMinutes", 0); // ------------------------------------- // Pref : Disable all GMP (Gecko Media Plugins) lockPref("media.gmp-provider.enabled", false); lockPref("media.gmp-manager.certs.1.issuerName", ""); lockPref("media.gmp-manager.certs.1.commonName", ""); lockPref("media.gmp-manager.certs.2.issuerName", ""); lockPref("media.gmp-manager.certs.2.commonName", ""); lockPref("media.gmp-manager.url", ""); lockPref("media.gmp-manager.url.override", ""); lockPref("media.gmp-manager.updateEnabled", false); // [DESKTOP] lockPref("media.gmp.trial-create.enabled", false); // [WINDOWS] // [DESKTOP] // ------------------------------------- // Pref : Disable all DRM content (EME: Encryption Media Extension) // https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next defaultPref("media.eme.enabled", false); // ------------------------------------- // Pref : Disable Adobe Primetime lockPref("media.gmp-eme-adobe.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable the OpenH264 Video Codec by Cisco to "Never Activate". // This is the bundled codec used for video chat in WebRTC. lockPref("media.gmp-gmpopenh264.enabled", false); lockPref("media.gmp-gmpopenh264.autoupdate", false); // [DESKTOP] lockPref("media.gmp-gmpopenh264.visible", false); // ------------------------------------- // Pref : Disable widevine CDM (Content Decryption Module) lockPref("media.gmp-widevinecdm.enabled", false); // [DESKTOP] lockPref("media.gmp-widevinecdm.visible", false); // [DESKTOP] lockPref("media.mediadrm-widevinecdm.visible", false); // [DEFAULT: true] // [FENNEC] lockPref("media.gmp-widevinecdm.autoupdate", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Flash plugin // 0=deactivated, 1=ask, 2=enabled // [NOTE] You can still override individual sites via site permissions // https://www.ghacks.net/2013/07/09/how-to-make-sure-that-a-firefox-plugin-never-activates-again/ lockPref("plugin.state.flash", 0); // [DESKTOP] // ------------------------------------- // Pref : Disable Java plugin // 0=deactivated, 1=ask, 2=enabled // https://bugzilla.mozilla.org/1461243 lockPref("plugin.state.java", 0); // [DESKTOP] // ------------------------------------- // Pref : Disable Gnome Shell Integration NPAPI plugin lockPref("plugin.state.libgnome-shell-browser-plugin",0); // [DESKTOP] // ------------------------------------- // Pref : Enable Auto Notification of Outdated Plugins // https://wiki.mozilla.org/Firefox3.6/Plugin_Update_Awareness_Security_Review // https://hg.mozilla.org/mozilla-central/rev/304560 lockPref("plugins.update.notifyUser", true); // [DESKTOP] // ------------------------------------- // Pref : Disable Shumway (Mozilla Flash renderer) // https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Shumway lockPref("shumway.disabled", true); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Blocklists / Safe Browsing / Tracking Protection // >>>>>>>>>>>>>>>>>>>> // Pref : Enable add-on and certificate blocklists (OneCRL) from Mozilla // https://wiki.mozilla.org/Blocklisting // https://blocked.cdn.mozilla.net/ // http://kb.mozillazine.org/Extensions.blocklist.enabled // http://kb.mozillazine.org/Extensions.blocklist.url // https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ lockPref("services.blocklist.update_enabled", true); // [DESKTOP] lockPref("extensions.blocklist.enabled", true); // ------------------------------------- // Pref : Decrease system information leakage to Mozilla blocklist update servers // https://trac.torproject.org/projects/tor/ticket/16931 // https://www.reddit.com/r/firefox/comments/9v5lue/firefox_tip_sanitize_firefox_blocklist_url_so_it/ lockPref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/"); // [URL SANITIZED] // ------------------------------------- // Pref : Opt-out of add-on metadata updates // https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/ lockPref("extensions.getAddons.cache.enabled", false) // ------------------------------------- // Pref : Disable Google Safe Browsing (Block dangerous and deceptive contents) lockPref("browser.safebrowsing.enabled", false); // [DESKTOP] lockPref("browser.safebrowsing.allowOverride", false); lockPref("browser.safebrowsing.blockedURIs.enabled", false); lockPref("browser.safebrowsing.debug", false); lockPref("browser.safebrowsing.downloads.enabled", false); // [DEFAULT: false] lockPref("browser.safebrowsing.downloads.remote.block_dangerous", false); lockPref("browser.safebrowsing.downloads.remote.block_dangerous_host", false); lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false); lockPref("browser.safebrowsing.downloads.remote.enabled", false); lockPref("browser.safebrowsing.downloads.remote.url", ""); lockPref("browser.safebrowsing.id", ""); lockPref("browser.safebrowsing.malware.enabled", false); lockPref("browser.safebrowsing.passwords.enabled", false); lockPref("browser.safebrowsing.phishing.enabled", false); lockPref("browser.safebrowsing.provider.google.advisoryURL", ""); lockPref("browser.safebrowsing.provider.google.pver", ""); lockPref("browser.safebrowsing.provider.google.advisoryName", ""); lockPref("browser.safebrowsing.provider.google.gethashURL", ""); lockPref("browser.safebrowsing.provider.google.lastupdatetime", ""); // [DESKTOP] lockPref("browser.safebrowsing.provider.google.lists", ""); lockPref("browser.safebrowsing.provider.google.nextupdatetime", ""); // [DESKTOP] lockPref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", ""); lockPref("browser.safebrowsing.provider.google.reportPhishMistakeURL", ""); lockPref("browser.safebrowsing.provider.google.reportURL", ""); lockPref("browser.safebrowsing.provider.google.updateURL", ""); lockPref("browser.safebrowsing.provider.google4.advisoryName", ""); lockPref("browser.safebrowsing.provider.google4.advisoryURL", ""); lockPref("browser.safebrowsing.provider.google4.gethashURL", ""); lockPref("browser.safebrowsing.provider.google4.lastupdatetime", ""); // [DESKTOP] lockPref("browser.safebrowsing.provider.google4.lists", ""); lockPref("browser.safebrowsing.provider.google4.nextupdatetime", ""); // [DESKTOP] lockPref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", ""); lockPref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", ""); lockPref("browser.safebrowsing.provider.google4.reportURL", ""); lockPref("browser.safebrowsing.provider.google4.updateURL", ""); lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false); lockPref("browser.safebrowsing.provider.google4.dataSharingURL", ""); lockPref("browser.safebrowsing.provider.google4.pver", ""); lockPref("browser.safebrowsing.provider.mozilla.gethashURL", ""); lockPref("browser.safebrowsing.provider.mozilla.lastupdatetime", ""); // [DESKTOP] lockPref("browser.safebrowsing.provider.mozilla.lists", ""); lockPref("browser.safebrowsing.provider.mozilla.lists.base", ""); lockPref("browser.safebrowsing.provider.mozilla.lists.content", ""); lockPref("browser.safebrowsing.provider.mozilla.nextupdatetime", ""); lockPref("browser.safebrowsing.provider.mozilla.pver", ""); lockPref("browser.safebrowsing.provider.mozilla.updateURL", ""); lockPref("browser.safebrowsing.reportPhishURL", ""); // lockPref("browser.safebrowsing.downloads.remote.timeout_ms", 0); // ------------------------------------- // Pref : Disable passive Tracking Protection // Passive TP annotates channels to lower the priority of network loads for resources on the tracking protection list. // [NOTE] It has no effect if TP is enabled, but keep in mind that by default TP is only enabled in Private Windows // This is included for people who want to completely disable Tracking Protection. // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1170190,1141814 lockPref("privacy.trackingprotection.annotate_channels", false); lockPref("privacy.trackingprotection.lower_network_priority", false); // ------------------------------------- // Pref : Disable passive Tracking Protection in all windows lockPref("privacy.trackingprotection.enabled", false); lockPref("privacy.trackingprotection.pbmode.enabled", false); lockPref("privacy.trackingprotection.introURL", ""); // [DESKTOP] // ------------------------------------- // Pref : Disable PingCentre telemetry (used in several System Add-ons) // Currently blocked by 'datareporting.healthreport.uploadEnabled' lockPref("browser.ping-centre.telemetry", false); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : System add-ons / Experiments // >>>>>>>>>>>>>>>>>>>> // Pref : Disable System Add-on updates // https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html // https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ // https://github.com/pyllyukko/user.js/issues/419 // https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#1248-1257 // [NOTE] Disabling system add-on updates prevents Mozilla from "hotfixing" your browser to patch critical problems (one possible use case from the documentation) lockPref("extensions.systemAddon.update.enabled", false); // [DESKTOP] lockPref("extensions.systemAddon.update.url", ""); // ------------------------------------- // Pref : Disable Experiments // https://wiki.mozilla.org/Telemetry/Experiments // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1420908,1450801 lockPref("experiments.enabled", false); // [DESKTOP] lockPref("experiments.manifest.uri", ""); // [DESKTOP] lockPref("experiments.supported", false); // [DESKTOP] lockPref("experiments.activeExperiment", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Mozilla permission to silently opt you into tests // https://bugzilla.mozilla.org/1415625 lockPref("network.allow-experiments", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Normandy/Shield // Shield is an telemetry system (including Heartbeat) that can also push and test "recipes" // https://wiki.mozilla.org/Firefox/Shield // https://github.com/mozilla/normandy lockPref("app.normandy.enabled", false); // [DESKTOP] lockPref("app.normandy.api_url", ""); // [DESKTOP] lockPref("app.normandy.first_run", false); // [DESKTOP] lockPref("app.normandy.shieldLearnMoreUrl", ""); // [DESKTOP] lockPref("app.normandy.user_id", ""); // [DESKTOP] lockPref("features.normandy-remote-settings.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable Form Autofill // [NOTE] Stored data is NOT secure (uses a JSON file) // [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes // https://wiki.mozilla.org/Firefox/Features/Form_Autofill // https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ lockPref("extensions.formautofill.addresses.enabled", false); // [DESKTOP] lockPref("extensions.formautofill.available", "off"); // [DESKTOP] lockPref("extensions.formautofill.creditCards.enabled", false); // [DESKTOP] lockPref("extensions.formautofill.heuristics.enabled", false); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Persistent Storage // >>>>>>>>>>>>>>>>>>>> // Pref : Delete cookies and site data on close // 0=keep until they expire (default), 2=keep until you close Firefox // [NOTE] Use "Cookie AutoDelete" extension to manage your cookies // https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/ // lockPref("network.cookie.lifetimePolicy", 2); // ------------------------------------- // Pref : Disable 3rd-party cookies and site-data // [NOTE] Can breaks payment gateways defaultPref("network.cookie.cookieBehavior", 1); // ------------------------------------- // Pref : Set third-party cookies (i.e ALL) (if enabled) to session-only and set third-party non-secure (i.e HTTP) cookies to session-only // [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones // https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ // http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly lockPref("network.cookie.thirdparty.sessionOnly", true); lockPref("network.cookie.thirdparty.nonsecureSessionOnly", true); // ------------------------------------- // Pref : Disable HTTP sites setting cookies with the "secure" directive // https://developer.mozilla.org/Firefox/Releases/52#HTTP lockPref("network.cookie.leave-secure-alone", true); // [DEFAULT: true] // ------------------------------------- // Pref : Enable support for same-site cookies // https://bugzilla.mozilla.org/795346 // https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/ // https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ lockPref("network.cookie.same-site.enabled", true); // [DEFAULT: true] // ------------------------------------- // Pref : Disable DOM (Document Object Model) Storage // [WARNING] This will break a LOT of sites' functionality AND extensions! // You are better off using an extension for more granular control // lockPref("dom.storage.enabled", false); // ------------------------------------- // Pref : Disable IndexedDB // https://developer.mozilla.org/en-US/docs/IndexedDB // https://en.wikipedia.org/wiki/Indexed_Database_API // https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review // http://forums.mozillazine.org/viewtopic.php?p=13842047 // https://github.com/pyllyukko/user.js/issues/8 // https://github.com/ghacksuserjs/ghacks-user.js/issues/80#issuecomment-294178018 // https://superuser.com/questions/1250944/how-can-this-website-reidentify-me-even-after-deleting-all-of-my-browsers-histo // [NOTE] IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), and breaks almost every webpage so is left enabled // lockPref("dom.indexedDB.enabled", false); // [DEFAULT: true] // ------------------------------------- // Pref : Do not download URLs for the offline cache // http://kb.mozillazine.org/Browser.cache.offline.enable lockPref("browser.cache.offline.enable", false); lockPref("browser.cache.offline.capacity", 0); // ------------------------------------- // Pref : Disable offline cache on insecure sites // https://blog.mozilla.org/security/2018/02/12/restricting-appcache-secure-contexts/ lockPref("browser.cache.offline.insecure.enable", false); // ------------------------------------- // Pref : Display a notification bar when websites offer data for offline use // http://kb.mozillazine.org/Browser.offline-apps.notify lockPref("browser.offline-apps.notify", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable service workers cache and cache storage // https://w3c.github.io/ServiceWorker/#privacy // lockPref("dom.caches.enabled", false); // ------------------------------------- // Pref : Disable Storage API // The API gives sites the ability to find out how much space they can use, how much they are already using, and even control whether or not they need to be alerted before the user agent disposes of site data in order to make room for other things. // https://developer.mozilla.org/docs/Web/API/StorageManager // https://developer.mozilla.org/docs/Web/API/Storage_API // https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ lockPref("dom.storageManager.enabled", false); // ------------------------------------- // Pref : Disable Storage Access API // https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API lockPref("dom.storage_access.enabled", false); // ------------------------------------- // Pref : Enforce websites to ask to store data for offline use // https://support.mozilla.org/questions/1098540 // https://bugzilla.mozilla.org/959985 lockPref("offline-apps.allow_by_default", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable download history lockPref("browser.download.manager.retention", 0); // [DESKTOP] // ------------------------------------- // Pref : When browser.fixup.alternate.enabled is enabled, strip password from 'user:password@...' URLs // https://github.com/pyllyukko/user.js/issues/290#issuecomment-303560851 lockPref("browser.fixup.hide_user_pass", true); // [DESKTOP] // ------------------------------------- // Pref : Enable Firefox to clear items on shutdown defaultPref("privacy.sanitize.sanitizeOnShutdown", true); // [DESKTOP] // ------------------------------------- // Pref : Set what items to clear when Firefox closes // https://support.mozilla.org/en-US/kb/Clear%20Recent%20History#w_how-do-i-make-firefox-clear-my-history-automatically // [NOTE] Installing user.js will remove your browsing history, caches and local storage. // [NOTE] Installing user.js **will remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27) // [NOTE] Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945 // [NOTE] If 'history' is true, downloads will also be cleared regardless of the value defaultPref("privacy.clearOnShutdown.cache", true); // [DESKTOP] defaultPref("privacy.clearOnShutdown.cookies", false); // [DESKTOP] defaultPref("privacy.clearOnShutdown.downloads", true); // [DESKTOP] defaultPref("privacy.clearOnShutdown.formdata", true); // [DESKTOP] defaultPref("privacy.clearOnShutdown.history", true); // [DESKTOP] defaultPref("privacy.clearOnShutdown.offlineApps", true); // [DESKTOP] defaultPref("privacy.clearOnShutdown.sessions", true); // [DESKTOP] defaultPref("privacy.clearOnShutdown.siteSettings", false); // [DESKTOP] // lockPref("privacy.clearOnShutdown.openWindows", true); // [DESKTOP] // ------------------------------------- // Pref : Reset default 'Time range to clear' for 'Clear Recent History' // Firefox remembers your last choice. This will reset the value when you start Firefox. // 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today, 5=last five minutes, 6=last twenty-four hours // [NOTE] The values 5 + 6 are not listed in the dropdown, which will display a blank value if they are used, but they do work as advertised defaultPref("privacy.sanitize.timeSpan", 0); // [DESKTOP] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Headers / Referers // >>>>>>>>>>>>>>>>>>>> // Pref : Control when images/links send a referer // 0=never, 1=send only when links are clicked, 2=for links and images (default) lockPref("network.http.sendRefererHeader", 2); // ------------------------------------- // Pref : Control the amount of information to send // 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port lockPref("network.http.referer.trimmingPolicy", 2); // ------------------------------------- // Pref : Control when to send a referer // 0=always (default), 1=only if base domains match, 2=only if hosts match lockPref("network.http.referer.XOriginPolicy", 2); // ------------------------------------- // Pref : Control the amount of information to send // 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port lockPref("network.http.referer.XOriginTrimmingPolicy", 2); // ------------------------------------- // Pref : Disable spoofing a referer lockPref("network.http.referer.spoofSource", true); // [DEFAULT: false] // ------------------------------------- // Pref : Set the default Referrer Policy // 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade // [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy // https://www.w3.org/TR/referrer-policy/ // https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy // https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ defaultPref("network.http.referer.defaultPolicy", 3); // [DEFAULT: 3] defaultPref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] defaultPref("network.http.referer.defaultPolicy.trackers", 3); // [DEFAULT: 3] defaultPref("network.http.referer.defaultPolicy.trackers.pbmode", 2); // [DEFAULT: 2] // ------------------------------------- // Pref : Hide (not spoof) referrer when leaving a .onion domain // [NOTE] Firefox cannot access .onion sites by default. We recommend you use the Tor Browser which is specifically designed for hidden services // https://bugzilla.mozilla.org/1305144 lockPref("network.http.referer.hideOnionSource", true); // [DEFAULT: false] // ------------------------------------- // Pref : Reject .onion hostnames before passing the to DNS // https://bugzilla.mozilla.org/show_bug.cgi?id=1228457 lockPref("network.dns.blockDotOnion", true); // [DEFAULT: true] // ------------------------------------- // Pref : Disable the DNT (Do Not Track) HTTP header lockPref("privacy.donottrackheader.enabled", false); // [DEFAULT: true] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : RFP (Resist Fingerprinting) / RFP Alternatives / APIs // >>>>>>>>>>>>>>>>>>>> // Pref : Enable hardening against various fingerprinting vectors (Tor Uplift project) // https://wiki.mozilla.org/Security/Tor_Uplift/Tracking // https://bugzilla.mozilla.org/show_bug.cgi?id=1333933 lockPref("privacy.resistFingerprinting", true); // [DEFAULT: false] // ------------------------------------- // Pref : Disable mozAddonManager Web API // [NOTE] As a side-effect allowed extensions to work on AMO. You also need to sanitize or clear extensions.webextensions.restrictedDomains to keep that side-effect // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 lockPref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF] // [DESKTOP] // ------------------------------------- // Pref : Enable RFP letterboxing // Dynamically resizes the inner window by applying letterboxing, using dimensions which waste the least content area, If you use the dimension pref, then it will only apply those resolutions. The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900") // [WARNING] The dimension pref is only meant for testing, and we recommend you DO NOT USE it // https://bugzilla.mozilla.org/1407366 // lockPref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] // [DESKTOP] // lockPref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF] // [DESKTOP] // ------------------------------------- // Pref : Disable WebRTC, getUserMedia, screen sharing, audio capture, video capture // https://wiki.mozilla.org/Media/getUserMedia // https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/ // https://developer.mozilla.org/en-US/docs/Web/API/Navigator lockPref("media.navigator.enabled", false); lockPref("media.navigator.video.enabled", false); // ------------------------------------- // Pref : Spoof CPU Core // [NOTE] *may* affect core performance, will affect content. // Default settings seems to be the best // https://bugzilla.mozilla.org/1008453 // https://trac.torproject.org/projects/tor/ticket/21675 // https://trac.torproject.org/projects/tor/ticket/22127 // https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency // lockPref("dom.maxHardwareConcurrency", 2); // ------------------------------------- // Pref : Disable resource timing API // https://www.w3.org/TR/resource-timing/#privacy-security lockPref("dom.enable_resource_timing", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable DOM timing API // https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI // https://www.w3.org/TR/navigation-timing/#privacy lockPref("dom.enable_performance", false); // [DEFAULT: true] lockPref("dom.enable_performance_navigation_timing", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable sensor API // https://trac.torproject.org/projects/tor/ticket/15758 // https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/ // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751 lockPref("device.sensors.enabled", false); // [DEFAULT: true] lockPref("device.sensors.ambientLight.enabled", false); // [DEFAULT: false] lockPref("device.sensors.motion.enabled", false); // [DEFAULT: true] lockPref("device.sensors.orientation.enabled", false); // [DEFAULT: true] lockPref("device.sensors.proximity.enabled", false); // [DEFAULT: false] // ------------------------------------- // Pref : Disable gamepad API - USB device ID enumeration // Optional protection depending on your connected devices // https://trac.torproject.org/projects/tor/ticket/13023 lockPref("dom.gamepad.enabled", false); // [DEFAULT: true] lockPref("dom.gamepad.extensions.enabled", false); // [DEFAULT: true] lockPref("dom.gamepad.haptic_feedback.enabled", false); // [DEFAULT: false] lockPref("dom.gamepad.test.enabled", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable giving away network info // e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none // https://developer.mozilla.org/docs/Web/API/Network_Information_API // https://wicg.github.io/netinfo/ // https://bugzilla.mozilla.org/960426 lockPref("dom.netinfo.enabled", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API // https://developer.mozilla.org/docs/Web/API/Web_Speech_API // https://developer.mozilla.org/docs/Web/API/SpeechSynthesis // https://wiki.mozilla.org/HTML5_Speech_API lockPref("media.webspeech.synth.enabled", false); // [DEFAULT: true] lockPref("media.webspeech.synth_force_global_queue", false); // [DEFAULT: false] // ------------------------------------- // Pref : Disable video statistics - JS performance fingerprinting // https://trac.torproject.org/projects/tor/ticket/15757 // https://bugzilla.mozilla.org/654550 lockPref("media.video_stats.enabled", false); // [DEFAULT: true] // ------------------------------------- // Pref : Force touch events enabled by default // Fingerprinting attack vector - leaks screen res & actual screen coordinates. // 0=disabled, 1=enabled, 2=autodetect // This pref is set to 2 by default, which results in the Touch API being exposed only when touch hardware is present. So we should either set it to "1" (enable) or "0" (disable) to ensure that JS code can't fingerprint the user's hardware. // [FENNEC - BUG] If disabled, unables you to copy or paste any text. // https://developer.mozilla.org/docs/Web/API/Touch_events // https://trac.torproject.org/projects/tor/ticket/10286 defaultPref("dom.w3c_touch_events.enabled", 0); // [DEFAULT: 2] // ------------------------------------- // Pref : Disable MediaDevices change detection // https://developer.mozilla.org/docs/Web/Events/devicechange // https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange lockPref("media.ondevicechange.enabled", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable WebGL debug info being available to websites // https://bugzilla.mozilla.org/1171228 // https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info lockPref("webgl.enable-debug-renderer-info", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable PointerEvents // https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent lockPref("dom.w3c_pointer_events.enabled", false); // [DEFAULT: false] // ------------------------------------- // Pref : Disable Battery Status API // Initially a Linux issue (high precision readout) that was fixed. // However, it is still another metric for fingerprinting, used to raise entropy. // e.g. do you have a battery or not, current charging status, charge level, times remaining etc // https://bugzilla.mozilla.org/1313580 lockPref("dom.battery.enabled", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable virtual reality devices APIs // https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM // https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API lockPref("dom.vr.enabled", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable hardware acceleration to reduce graphics fingerprinting // [SETUP-PERF] Affects text rendering (fonts will look different), impacts video performance, and parts of Quantum that utilize the GPU will also be affected as they are rolled out // https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration // defaultPref("layers.acceleration.disabled", true); // [DEFAULT: false] // ------------------------------------- // Pref : Disable Web Audio API // https://bugzilla.mozilla.org/show_bug.cgi?id=1288359 lockPref("dom.webaudio.enabled", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable Media Capabilities API // [SETUP-PERF] This *may* affect media performance if disabled, no one is sure // https://github.com/WICG/media-capabilities // https://wicg.github.io/media-capabilities/#security-privacy-considerations // lockPref("media.media-capabilities.enabled", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable showing about:blank as soon as possible during startup // true=no longer masks the RFP chrome resizing activity // https://bugzilla.mozilla.org/1448423 lockPref("browser.startup.blankWindow", false); // [DESKTOP] // ------------------------------------- /// Pref : Disable network API // https://developer.mozilla.org/en-US/docs/Web/API/Connection/onchange // https://www.torproject.org/projects/torbrowser/design/#fingerprinting-defenses lockPref("dom.network.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable telephony API // https://wiki.mozilla.org/WebAPI/Security/WebTelephony lockPref("dom.telephony.enabled", false); // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : UI (User Interface) // >>>>>>>>>>>>>>>>>>>>> // Pref : Disable third-party cookie UI lockPref("browser.contentblocking.rejecttrackers.ui.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable tracking protection UI list editing under url bar popup lockPref("browser.contentblocking.trackingprotection.control-center.ui.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable tracking protection UI list editing under preferences lockPref("browser.contentblocking.trackingprotection.ui.enabled", false); // [DESKTOP] // ------------------------------------- // Pref : Disable auto hide download button defaultPref("browser.download.autohideButton", false); // [DESKTOP] // ------------------------------------- // Pref : Disable browser animation // https://bugzilla.mozilla.org/show_bug.cgi?id=1352069 defaultPref("toolkit.cosmeticAnimations.enabled", false); // [DESKTOP] defaultPref("browser.tabs.animate", false); // [DESKTOP] // [DEPRECATED] defaultPref("browser.fullscreen.animate", false); // [DESKTOP] // [DEPRECATED] defaultPref("browser.download.animateNotifications", false); // [DESKTOP] // [DEPRECATED] defaultPref("alerts.disableSlidingEffect", false); // [DESKTOP] // [DEPRECATED] // // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Personal // >>>>>>>>>>>>>>>>>>>> // Pref : Enable "Always enable zoom" feature by default // When true, zooming will be enabled on all sites, even ones that declare user-scalable=no defaultPref("browser.ui.zoom.force-user-scalable", true); // [DEFAULT: false] // ------------------------------------- // Pref : Disable location bar autocomplete and suggestion types // https://bugzilla.mozilla.org/1502392 // http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5 lockPref("browser.urlbar.autocomplete.enabled", false); // [DEFAULT: true] // ------------------------------------- // Pref : Disable inline autocomplete in URL bar // http://kb.mozillazine.org/Inline_autocomplete defaultPref("browser.urlbar.autoFill", false); // [DESKTOP] defaultPref("browser.urlbar.autoFill.typed", false); // [DESKTOP] // ------------------------------------- // Pref : Set bookmarks backups // To compensate for the case of bookmarks being lost due to a system crash. // http://kb.mozillazine.org/Browser.bookmarks.max_backups lockPref("browser.bookmarks.max_backups", 0); // [DEFAULT: 5] // ------------------------------------- // Pref : Set home provider syncing only on wifi // 0=sync always, 1=sync only when on wifi lockPref("home.sync.updateMode", 1); // [DEFAULT: 0] // [FENNEC] // lockPref("home.sync.checkIntervalSecs", 3600); // [FENNEC] // ------------------------------------- // Pref : Middle-click mouse enabling auto-scrolling defaultPref("general.autoScroll",true); // [DESKTOP] // ------------------------------------- // Pref : Displaying small density by default defaultPref("browser.uidensity", 1); // [DEFAULT: 0] // [DESKTOP] // ------------------------------------- // Pref : Disable buttons lockPref("pref.general.disable_button.default_browser", true); // [DESKTOP] lockPref("pref.privacy.disable_button.view_passwords", true); // [DESKTOP] // ------------------------------------- // Pref : Disable Reader mode defaultPref("reader.parse-on-load.enabled", false); // ------------------------------------- // Pref : Disable dark theme on forms defaultPref("widget.content.gtk-theme-override", "Adwaita"); // [DESKTOP] // ------------------------------------- // Pref : Disable ctrl+tab back to the old one lockPref("browser.ctrlTab.recentlyUsedOrder", false); // [DESKTOP] // ------------------------------------- // Pref : Display long lines in view-source page defaultPref("view_source.wrap_long_lines", true); // ------------------------------------- // Pref : Enable dark mode in all "about:" pages defaultPref("browser.in-content.dark-mode", true); // //