From 1a3c869ce6e9ba15b2bdef9eba5e88fb6368d579 Mon Sep 17 00:00:00 2001 From: fxbrit Date: Mon, 26 Apr 2021 01:25:55 +0200 Subject: [PATCH] re-organized and reviewed --- Changelog.md | 41 ++++ librewolf.cfg | 559 +++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 592 insertions(+), 8 deletions(-) diff --git a/Changelog.md b/Changelog.md index 8c0c02c..e9d3184 100755 --- a/Changelog.md +++ b/Changelog.md @@ -14,8 +14,12 @@ lockPref("browser.contentblocking.report.vpn.url", ""); lockPref("browser.contentblocking.report.vpn-promo.url", ""); lockPref("browser.contentblocking.report.vpn-ios.url", ""); lockPref("browser.contentblocking.report.vpn-android.url", ""); +<<<<<<< HEAD lockPref("browser.contentblocking.category", "custom"); >>>>>>> 034d451 (reorganized tracking section + 3rd set of changes) +======= +lockPref("browser.contentblocking.category", "custom"); // changing to other options is currently broken anyway +>>>>>>> a35eb4b (re-organized and reviewed) lockPref("browser.contentblocking.cfr-milestone.enabled", false); lockPref("browser.contentblocking.database.enabled", false); lockPref("browser.contentblocking.cryptomining.preferences.ui.enabled", false); @@ -65,7 +69,11 @@ defaultPref("media.memory_cache_max_size", 65536); // previously lockPref("media lockPref("devtools.performance.recording.ui-base-url", ""); // Previously redirected to localhost lockPref("services.settings.security.onecrl.signer", ""); // Previously services.blocklist.onecrl.signer lockPref("browser.contentblocking.report.lockwise.howitworks.url", ""); +<<<<<<< HEAD >>>>>>> 034d451 (reorganized tracking section + 3rd set of changes) +======= +defaultPref("media.autoplay.blocking_policy", 2); // Previously media.autoplay.enabled.user-gestures-needed +>>>>>>> a35eb4b (re-organized and reviewed) ``` #### Removed 
@@ -125,12 +133,16 @@ lockPref("app.productInfo.baseURL", ""); // Deprecated lockPref("devtools.webide.adbAddonURL", ""); // Deprecated lockPref("lightweightThemes.recommendedThemes", ""); // Deprecated <<<<<<< HEAD +<<<<<<< HEAD +======= +>>>>>>> a35eb4b (re-organized and reviewed) defaultPref("media.gmp-gmpopenh264.autoupdate", false); // Adroid FF only lockPref("browser.newtabpage.activity-stream.prerender", false); // Deprecated lockPref("browser.newtabpage.activity-stream.aboutHome.enabled", false); // Deprecated lockPref("browser.newtabpage.activity-stream.disableSnippets", true); // Deprecated lockPref("privacy.donottrackheader.value", 1); // Deprecated defaultPref("privacy.userContext.longPressBehavior", 2); // Deprecated +<<<<<<< HEAD defaultPref("browser.tabs.closeWindowWithLastTab", true); // Already default lockPref("dom.forms.datetime", false); // Deprecated lockPref("browser.download.hide_plugins_without_extensions", false); // Deprecated @@ -424,6 +436,11 @@ lockPref("identity.fxaccounts.remote.oauth.uri", ""); lockPref("identity.fxaccounts.remote.profile.uri", ""); lockPref("identity.fxaccounts.service.monitorLoginUrl", ""); ======= +======= +defaultPref("accessibility.typeaheadfind", false); // Already default +defaultPref("browser.tabs.closeWindowWithLastTab", true); // Already default +lockPref("dom.forms.datetime", false); // Deprecated +>>>>>>> a35eb4b (re-organized and reviewed) ``` #### Commented @@ -434,6 +451,7 @@ Active prefs that were commented in order to address them before removing them // lockPref("privacy.storagePrincipal.enabledForTrackers", false); >>>>>>> 034d451 (reorganized tracking section + 3rd set of changes) +<<<<<<< HEAD // all handled by lockPref("services.settings.server", "") lockPref("services.blocklist.addons.collection", ""); lockPref("services.blocklist.plugins.collection", ""); 
@@ -558,6 +576,13 @@ lockPref("services.sync.prefs.sync.browser.safebrowsing.malware.enabled", false) lockPref("services.sync.prefs.sync.browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); lockPref("services.sync.prefs.sync.browser.safebrowsing.phishing.enabled", false); lockPref("services.sync.tabs.lastSync", "0"); +======= +// redudant with RFP and javascript.use_us_english_locale +// defaultPref("privacy.spoof_english", 2); + +// Likely deprecated +// lockPref("dom.indexedDB.enabled", true); +>>>>>>> a35eb4b (re-organized and reviewed) // useless as ui elements are not in the report page lockPref("browser.contentblocking.report.cookie.url", ""); @@ -623,11 +648,19 @@ Open points: // GEO - review to allow easier re-enabling // evaluate certificate handling (oscp, crlite, blocklist) +<<<<<<< HEAD missing from arkenfox in need of discussion: security.pki.crlite_mode -> DISCUSS security.remote_settings.crlite_filters.enabled -> DISCUSS dom.security.https_only_mode_send_http_background_request -> DISCUSS browser.download.useDownloadDir -> do we want to ask for download location each time? +======= +defaultPref("extensions.getAddons.themes.browseURL", "") + +defaultPref("pdfjs.enableWebGL", false); +defaultPref("pdfjs.previousHandler.alwaysAskBeforeHandling", true); +defaultPref("pdfjs.enabledCache.state", false); +>>>>>>> a35eb4b (re-organized and reviewed) ``` ## How to... @@ -666,6 +699,7 @@ security.OCSP.enabled = 1 ``` you probably also want `security.OCSP.require = true` +<<<<<<< HEAD #### Hardened setup ``` defaultPref("javascript.options.asmjs", false); // disable asm.js 
@@ -673,4 +707,11 @@ defaultPref("javascript.options.wasm", false); // disable web assembly defaultPref("webgl.disabled", true); // disable webgl defaultPref("privacy.resistFingerprinting.letterboxing", true); // enable letterboxing defaultPref("dom.event.clipboardevents.enabled", false); // disable user triggered clipboard access +======= +// In the future consider switching to network.cookie.cookieBehavior=5 to enable dFPI +defaultPref("network.cookie.cookieBehavior", 1); + +// What should we do with this pref +//defaultPref("network.http.sendRefererHeader", 1); +>>>>>>> a35eb4b (re-organized and reviewed) ``` \ No newline at end of file diff --git a/librewolf.cfg b/librewolf.cfg index 496d27a..f8c45ae 100755 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -109,6 +109,7 @@ defaultPref("general.config.filename", "librewolf.cfg"); // Bench Diff : +0/5000 // >>>>>>>>>>>>>>>>>>>>>>> +<<<<<<< HEAD // -------------------------------- // User Settings : Cookies settings // -------------------------------- @@ -122,13 +123,18 @@ lockPref("network.cookie.thirdparty.nonsecureSessionOnly", true); // ----------------------------------- // # TRACKING PROTECTION +======= + +// ----------------------------------- +// TRACKING PROTECTION +>>>>>>> a35eb4b (re-organized and reviewed) // ----------------------------------- <<<<<<< HEAD defaultPref("browser.contentblocking.category", "custom"); // do not lock as it breaks UI even more ======= // set custom mode -lockPref("browser.contentblocking.category", "custom"); // Changing to other options is currently broken anyway +lockPref("browser.contentblocking.category", "custom"); // changing to other options is currently broken anyway // disabling tracking protection >>>>>>> 034d451 (reorganized tracking section + 3rd set of changes) 
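Review bot: The lines `<<<<<<< HEAD`, `=======` and `>>>>>>> a35eb4b (re-organized and reviewed)` are added to librewolf.cfg as file content in the `@@ -109,6 +109,7 @@` hunk and the `@@ -122,13 +123,18 @@` hunk, and the same pattern recurs in most later hunks of this file. The file is the autoconfig script named by `general.config.filename`, and these markers are not valid script syntax. It is therefore likely to fail to parse, in which case the hardening prefs it sets may not be applied at all. Resolve every conflict block to a single side before merging, and add a pre-merge check that rejects the file when a line matches `^(<<<<<<<|=======|>>>>>>>)`. Older markers such as `>>>>>>> 034d451` already appear as context lines, so the cleanup should cover those too.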
@@ -211,14 +217,22 @@ lockPref("pref.privacy.disable_button.change_blocklist", true); lockPref("pref.privacy.disable_button.tracking_protection_exceptions", true); // ---------------------------------- +<<<<<<< HEAD // # AUTOPLAY +======= +// AUTOPLAY +>>>>>>> a35eb4b (re-organized and reviewed) // ---------------------------------- defaultPref("media.autoplay.default", 5); defaultPref("media.autoplay.blocking_policy", 2); // ----------------------------------------- +<<<<<<< HEAD // # PASSWORD MANAGER +======= +// PASSWORD MANAGER +>>>>>>> a35eb4b (re-organized and reviewed) // ----------------------------------------- lockPref("signon.rememberSignons", false); @@ -228,6 +242,7 @@ defaultPref("signon.management.page.breachAlertUrl", ""); lockPref("signon.formlessCapture.enabled", false); // -------------------------------- +<<<<<<< HEAD // # SEARCH AND URLBAR // -------------------------------- 
@@ -254,34 +269,93 @@ defaultPref("privacy.clearOnShutdown.cookies", false); defaultPref("privacy.clearOnShutdown.offlineApps", false); defaultPref("privacy.cpd.cookies", false); // just for consistency to avoid accidental logout defaultPref("privacy.cpd.offlineApps", false); // just for consistency to avoid accidental logout +======= +// SEARCH +// -------------------------------- + +lockPref("browser.urlbar.filter.javascript", true); + +// -------------------------------- +// SANITIZING, COOKIES AND HISTORY +// -------------------------------- + +defaultPref("network.cookie.cookieBehavior", 1); // in the future consider switching to network.cookie.cookieBehavior=5 to enable dFPI +defaultPref("network.cookie.lifetimePolicy", 2); +defaultPref("network.cookie.thirdparty.sessionOnly", true); +lockPref("network.cookie.thirdparty.nonsecureSessionOnly", true); + +// includes new cookie behavior that works with exceptions +defaultPref("privacy.clearOnShutdown.siteSettings", false); +defaultPref("privacy.clearOnShutdown.cache", true); +defaultPref("privacy.clearOnShutdown.cookies", false); +defaultPref("privacy.clearOnShutdown.downloads", true); +defaultPref("privacy.clearOnShutdown.formdata", true); +defaultPref("privacy.clearOnShutdown.history", true); +defaultPref("privacy.clearOnShutdown.offlineApps", false); +defaultPref("privacy.clearOnShutdown.sessions", true); +defaultPref("privacy.cpd.siteSettings", false); +defaultPref("privacy.cpd.downloads", true); +defaultPref("privacy.cpd.cache", true); +defaultPref("privacy.cpd.cookies", false); // just for consistency to avoid accidental logout +defaultPref("privacy.cpd.formdata", true); +defaultPref("privacy.cpd.history", true); +defaultPref("privacy.cpd.offlineApps", false); // just for consistency to avoid accidental logout +defaultPref("privacy.cpd.passwords", false); +defaultPref("privacy.cpd.sessions", true); +>>>>>>> a35eb4b (re-organized and reviewed) defaultPref("privacy.sanitize.timeSpan", 0); 
defaultPref("browser.formfill.enable", false); defaultPref("privacy.sanitize.sanitizeOnShutdown", true); defaultPref("places.history.enabled", false); defaultPref("privacy.history.custom", true); +lockPref("browser.sessionhistory.max_entries", 20); +<<<<<<< HEAD // -------------------------------------------------------------------- // # SESSIONS +======= +// this sets a cookie jar for 3rd party origin which is the same as dFPI +// and probably redundant when 3rd party cookies are disabled +// lockPref("privacy.storagePrincipal.enabledForTrackers", false); + +// -------------------------------------------------------------------- +// SESSIONS +>>>>>>> a35eb4b (re-organized and reviewed) // -------------------------------------------------------------------- lockPref("browser.sessionstore.privacy_level", 2); lockPref("browser.sessionstore.interval", 60000); // --------------------------------- +<<<<<<< HEAD // # AUTOFILL +======= +// AUTOFILL +>>>>>>> a35eb4b (re-organized and reviewed) // --------------------------------- defaultPref("extensions.formautofill.section.enabled", false); defaultPref("extensions.formautofill.available", "off"); defaultPref("extensions.formautofill.addresses.enabled", false); +<<<<<<< HEAD +======= +defaultPref("extensions.formautofill.addresses.capture.enabled", false); +>>>>>>> a35eb4b (re-organized and reviewed) defaultPref("extensions.formautofill.creditCards.enabled", false); defaultPref("extensions.formautofill.creditCards.available", false); defaultPref("extensions.formautofill.heuristics.enabled", false); lockPref("signon.autofillForms", false); +<<<<<<< HEAD // ----------------------- // # DRM +======= +lockPref("signon.autofillForms.http", false); + +// ----------------------- +// DRM +>>>>>>> a35eb4b (re-organized and reviewed) // ----------------------- // includes new DRM implementation for easily re-enabling it 
@@ -293,14 +367,34 @@ defaultPref("media.gmp-widevinecdm.enabled", false); defaultPref("media.gmp-provider.enabled", false); defaultPref("media.gmp-manager.url", "data:text/plain,"); // had to re-add to prevent connections +<<<<<<< HEAD defaultPref("media.gmp-gmpopenh264.enabled", false); // ---------------------- // # WEBRTC +======= +defaultPref("media.gmp.trial-create.enabled", false); +defaultPref("media.gmp-gmpopenh264.enabled", false); + +// ---------------------- +// WebRTC +>>>>>>> a35eb4b (re-organized and reviewed) // ---------------------- defaultPref("media.navigator.enabled", false); defaultPref("media.peerconnection.enabled", false); +<<<<<<< HEAD +======= +defaultPref("media.navigator.video.enabled", false); +defaultPref("media.getusermedia.browser.enabled", false); +defaultPref("media.getusermedia.screensharing.enabled", false); +defaultPref("media.getusermedia.audiocapture.enabled", false); +defaultPref("media.peerconnection.use_document_iceservers", false); +defaultPref("media.peerconnection.identity.enabled", false); +defaultPref("media.peerconnection.identity.timeout", 1); // 10000 per default +defaultPref("media.peerconnection.turn.disable", true); +defaultPref("media.peerconnection.ice.tcp", false); +>>>>>>> a35eb4b (re-organized and reviewed) defaultPref("media.peerconnection.ice.default_address_only", true); defaultPref("media.peerconnection.ice.no_host", true); defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); @@ -322,7 +416,11 @@ defaultPref("media.getusermedia.screensharing.enabled", false); defaultPref("media.getusermedia.audiocapture.enabled", false); // ---------------------------- +<<<<<<< HEAD // # DNS +======= +// DNS +>>>>>>> a35eb4b (re-organized and reviewed) // ---------------------------- lockPref("network.trr.mode", 5); 
@@ -333,7 +431,11 @@ defaultPref("network.dns.disableIPv6", true); lockPref("network.dns.disablePrefetch", true); // ------------------------------------ +<<<<<<< HEAD // # NEW TAB PAGE +======= +// NEW TAB PAGE +>>>>>>> a35eb4b (re-organized and reviewed) // ------------------------------------ lockPref("browser.newtab.preload", false); @@ -375,6 +477,7 @@ lockPref("browser.newtabpage.activity-stream.discoverystream.engagementLabelEnab lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts", false); lockPref("browser.newtabpage.activity-stream.improvesearch.handoffToAwesomebar", false); <<<<<<< HEAD +<<<<<<< HEAD lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines", ""); lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned", ""); lockPref("browser.newtabpage.activity-stream.fxaccounts.endpoint", ""); 
@@ -407,17 +510,134 @@ lockPref("browser.newtabpage.activity-stream.asrouter.providers.snippets", ""); // ------------------------------------------- // # DO NOT TRACK +======= +lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines", ""); +lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned", ""); + +// ------------------------------------------- +// DO NOT TRACK +>>>>>>> a35eb4b (re-organized and reviewed) // ------------------------------------------- // Unlocked as some think it increases fingerprint, they can now disable it defaultPref("privacy.donottrackheader.enabled", true); // -------------------------------- +<<<<<<< HEAD // # DOM +======= +// DOM +>>>>>>> a35eb4b (re-organized and reviewed) // -------------------------------- lockPref("dom.disable_beforeunload", true); defaultPref("dom.disable_open_during_load", true); +<<<<<<< HEAD +======= + +// -------------------------------- +// PERMISSIONS +// -------------------------------- + +lockPref("permissions.delegation.enabled", false); +defaultPref("permissions.default.geo", 2); // unlocked as some think it increases fingerprint, they can now disable it + +// -------------------------------- +// REFERERS +// -------------------------------- + +defaultPref("network.http.referer.defaultPolicy", 2); +defaultPref("network.http.referer.defaultPolicy.pbmode", 2); // (FF59+) default: 2 +lockPref("network.http.referer.XOriginTrimmingPolicy", 2); +lockPref("network.http.referer.XOriginPolicy", 2); +lockPref("network.http.referer.spoofSource", false); +//defaultPref("network.http.sendRefererHeader", 1); + +// -------------------------------- +// PROXY +// -------------------------------- + +defaultPref("network.proxy.autoconfig_url", ""); +defaultPref("network.proxy.autoconfig_url.include_path", false); +defaultPref("network.proxy.socks_remote_dns", true); +defaultPref("network.proxy.socks_version", 5); + +// 
--------------------------------
+// MISC
+// --------------------------------
+
+defaultPref("browser.tabs.drawInTitlebar", true);
+lockPref("browser.shell.checkDefaultBrowser", false);
+defaultPref("startup.homepage_override_url", "about:blank");
+defaultPref("startup.homepage_welcome_url", "about:blank");
+defaultPref("startup.homepage_welcome_url.additional", "");
+defaultPref("privacy.userContext.ui.enabled", true);
+defaultPref("privacy.userContext.enabled", true);
+defaultPref("browser.aboutConfig.showWarning", false);
+defaultPref("browser.download.autohideButton", false);
+defaultPref("browser.ctrlTab.recentlyUsedOrder", false);
+defaultPref("browser.link.open_newwindow", 3);
+defaultPref("browser.link.open_newwindow.restriction", 0);
+defaultPref("layout.spellcheckDefault", 2);
+defaultPref("general.autoScroll", false);
+defaultPref("clipboard.autocopy", false);
+defaultPref("pdfjs.disabled", false);
+defaultPref("pdfjs.enableScripting", false);
+defaultPref("pdfjs.enableWebGL", false);
+defaultPref("pdfjs.previousHandler.alwaysAskBeforeHandling", true);
+defaultPref("pdfjs.enabledCache.state", false);
+defaultPref("browser.tabs.loadBookmarksInTabs", true);
+defaultPref("devtools.debugger.remote-enabled", false);
+defaultPref("devtools.chrome.enabled", false);
+defaultPref("extensions.ui.experiment.hidden", false);
+
+// --------------------------------------
+// RFP
+// --------------------------------------
+
+defaultPref("privacy.resistFingerprinting", true);
+defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true);
+
+// --------------------------------------
+// LANGUAGE AND REGION
+// --------------------------------------
+
+//defaultPref("privacy.spoof_english", 2); // redudant with RFP and javascript.use_us_english_locale
+lockPref("javascript.use_us_english_locale", true);
+lockPref("intl.regional_prefs.use_os_locales", false);
+defaultPref("intl.locale.requested", "en-US");
+defaultPref("intl.accept_languages", "en-US, en");
+
+// -------------------------------------- +// USER AGENT +// -------------------------------------- + +defaultPref("general.useragent.override", "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"); +defaultPref("general.appname.override", "Netscape"); +defaultPref("general.appversion.override", "5.0 (Windows)"); +defaultPref("general.platform.override", "Win32"); +defaultPref("general.oscpu.override", "Windows NT 6.1"); + +// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +// Section : Ghacks-user Selection +// Bench Diff : +100/5000 +// >>>>>>>>>>>>>>>>>>>>>> + +lockPref("toolkit.coverage.endpoint.base", ""); +lockPref("toolkit.coverage.opt-out", true); +lockPref("browser.download.manager.addToRecentDocs", false); +lockPref("browser.download.hide_plugins_without_extensions", false); +lockPref("webchannel.allowObject.urlWhitelist", ""); +lockPref("browser.cache.offline.storage.enable", false); +lockPref("network.http.redirection-limit", 10); +lockPref("extensions.enabledScopes", 5); + +// Is there any reason to change the default value? +// lockPref("extensions.autoDisableScopes", 11); + +lockPref("xpinstall.whitelist.required", true); // default: true + +>>>>>>> a35eb4b (re-organized and reviewed) lockPref("dom.push.enabled", false); lockPref("dom.push.connection.enabled", false); lockPref("dom.push.serverURL", ""); //default "wss://push.services.mozilla.com/" @@ -452,9 +672,15 @@ lockPref("network.http.referer.XOriginPolicy", 0); // # PROXY // -------------------------------- +<<<<<<< HEAD defaultPref("network.proxy.autoconfig_url", ""); defaultPref("network.proxy.socks_remote_dns", true); defaultPref("network.proxy.socks_version", 5); +======= + +lockPref("plugin.default.state", 1); +lockPref("plugin.defaultXpi.state", 1); +>>>>>>> a35eb4b (re-organized and reviewed) // -------------------------------------- // # HTTP(S) 
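Review bot: `network.http.referer.XOriginPolicy` is locked to `2` in the new REFERERS section of the `@@ -407,17 +510,134 @@` hunk, but the file also sets it to `0` (the context line heading the `@@ -452,9 +672,15 @@` hunk) and the last hunk adds `lockPref("network.http.referer.XOriginPolicy", 1);`. With three assignments the effective value depends on evaluation order, and the later, looser values probably win over the strict one this section suggests. Keep a single definition, for example only `lockPref("network.http.referer.XOriginPolicy", 2);` here, and delete the other two. If the value `1` is intended because `2` breaks payment sites, as the later comment hints, state that once next to the single remaining line.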
@@ -645,6 +871,9 @@ defaultPref("extensions.update.url", ""); // %APP_OS%&appABI=%APP_ABI%&locale=%APP_LOCALE%¤tAppVersion= // %CURRENT_APP_VERSION%&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE% +lockPref("extensions.getAddons.discovery.api_url", ""); +lockPref("extensions.htmlaboutaddons.recommendations.enabled", false); + // Other Sync Settings - Disabling By Prevention --------------------------------------------------------- lockPref("services.sync.maxResyncs", 0); //5 @@ -739,6 +968,7 @@ lockPref("services.sync.prefs.sync.security.tls.version.min", false); //true lockPref("services.sync.prefs.sync.services.sync.syncedTabs.showRemoteIcons", false); //true lockPref("services.sync.prefs.sync.spellchecker.dictionary", false); //true lockPref("services.sync.prefs.sync.xpinstall.whitelist.required", false); //true +lockPref("services.sync.prefs.sync.signon.rememberSignons", false); // Testing ----------------------------------------------------------------------------------------------- @@ -1112,7 +1342,7 @@ lockPref("webgl.min_capability_mode", true); // Bench Diff : 0/5000 // Pref : Disable webGL II/II // WebGL introduces high fingerprinting (WebGL is a js API for directly accessing hardware) -lockPref("pdfjs.enableWebGL", false); + lockPref("webgl.disable-extensions", true); lockPref("webgl.disable-fail-if-major-performance-caveat", true); lockPref("webgl.enable-debug-renderer-info", false); //Deprecated Active @@ -1174,12 +1404,6 @@ lockPref("services.sync.engine.addresses.available", false); // Pref : lockPref("browser.bookmarks.restore_default_bookmarks", false); -// Pref : -lockPref("pdfjs.previousHandler.alwaysAskBeforeHandling", true); - -// Pref : Caching for integrated PDF -lockPref("pdfjs.enabledCache.state", false); - // Pref : lockPref("pref.general.disable_button.default_browser", false); lockPref("pref.privacy.disable_button.view_passwords", false); 
@@ -1493,11 +1717,109 @@ lockPref("toolkit.telemetry.ecosystemtelemetry.enabled", false); lockPref("security.protectionspopup.recordEventTelemetry", false); lockPref("datareporting.healthreport.uploadEnabled", false); lockPref("datareporting.policy.dataSubmissionEnabled", false); +<<<<<<< HEAD lockPref("toolkit.coverage.endpoint.base", ""); lockPref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF] lockPref("toolkit.coverage.opt-out", true); lockPref("toolkit.coverage.enabled", false); lockPref("app.shield.optoutstudies.enabled", false); +======= + +// Pref : Disable right-click menu manipulation via JavaScript (disabled) +defaultPref("dom.event.contextmenu.enabled", false); + +// Pref : Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript +// Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in +// JS-based web applications (Google Docs etc.) +// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled +lockPref("dom.event.clipboardevents.enabled", false); + +// Pref : Force Punycode for Internationalized Domain Names +// http://kb.mozillazine.org/Network.IDN_show_punycode +// https://www.xudongz.com/blog/2017/idn-phishing/ +// https://wiki.mozilla.org/IDN_Display_Algorithm +// https://en.wikipedia.org/wiki/IDN_homograph_attack +// https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/ +// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6 +lockPref("network.IDN_show_punycode", true); + +// Pref : Disable Pocket +// https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox +// https://github.com/pyllyukko/user.js/issues/143 +lockPref("extensions.pocket.enabled", false); +lockPref("extensions.pocket.site", ""); +lockPref("extensions.pocket.oAuthConsumerKey", ""); +lockPref("extensions.pocket.api", ""); + +// Pref : Disable downloading homepage snippets/messages from Mozilla +// 
https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_mozilla-content
+// https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
+lockPref("browser.aboutHomeSnippets.updateUrl", "");
+
+// Pref : Don't reveal build ID
+// Value taken from Tor Browser
+// https://bugzilla.mozilla.org/show_bug.cgi?id=583181
+// Already enforced with 'privacy.resistFingerprinting' ?
+lockPref("general.buildID.override", "20100101");
+lockPref("browser.startup.homepage_override.buildID", "20100101");
+
+// Pref : Disable pinging URIs specified in HTML ping= attributes
+// http://kb.mozillazine.org/Browser.send_pings
+lockPref("browser.send_pings", false);
+
+// Pref : When browser pings are enabled, only allow pinging the origin page's host
+// http://kb.mozillazine.org/Browser.send_pings.require_same_host
+lockPref("browser.send_pings.require_same_host", true);
+
+// Pref : Do not download URLs for the offline cache
+// http://kb.mozillazine.org/Browser.cache.offline.enable
+lockPref("browser.cache.offline.enable", false);
+
+/* 1007: disable media cache from writing to disk in Private Browsing
+ * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB */
+lockPref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+]
+lockPref("media.memory_cache_max_size", 16384);
+
+// Pref : Disable prefetching of URLs
+// http://kb.mozillazine.org/Network.prefetch-next
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F
+// Link prefetching is when a webpage hints to the browser that certain pages are likely to be visited,
+// so the browser downloads them immediately so they can be displayed immediately when the user requests it.
+lockPref("network.prefetch-next", false);
+
+// Pref : Disable speculative pre-connections
+// Disable prefetch link on hover.
+// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections +// https://bugzilla.mozilla.org/show_bug.cgi?id=814169 +lockPref("network.http.speculative-parallel-limit", 0); + +// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +// Section : General Settings 3/3 +// Bench Diff : -40/5000 +// >>>>>>>>>>>>>>>>>>>>> + +// Pref : Disable DOM timing API +// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI +// https://www.w3.org/TR/navigation-timing/#privacy +lockPref("dom.enable_performance", false); //Deprecated Active +lockPref("dom.enable_performance_navigation_timing", false); + +// Pref : Make sure the User Timing API does not provide a new high resolution timestamp +// https://trac.torproject.org/projects/tor/ticket/16336 +// https://www.w3.org/TR/2013/REC-user-timing-20131212/#privacy-security +lockPref("dom.enable_user_timing", false); + +// Pref : Disable Web Audio API +// https://bugzilla.mozilla.org/show_bug.cgi?id=1288359 +// Avoid fingerprinting +defaultPref("dom.webaudio.enabled", false); + +// Pref : When geolocation is enabled, don't log geolocation requests to the console +lockPref("geo.wifi.logging.enabled", false); + +// Pref : Disable "beacon" asynchronous HTTP transfers (used for analytics) +// https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon +>>>>>>> a35eb4b (re-organized and reviewed) lockPref("beacon.enabled", false); lockPref("browser.ping-centre.telemetry", false); 
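Review bot: The block added after `=======` in the `@@ -1493,11 +1717,109 @@` hunk does not carry over three opt-outs that sit on the `<<<<<<< HEAD` side: `toolkit.telemetry.coverage.opt-out`, `toolkit.coverage.enabled` and `app.shield.optoutstudies.enabled`. Only `toolkit.coverage.endpoint.base` and `toolkit.coverage.opt-out` are re-added elsewhere in this patch. If the conflict is later resolved by keeping the a35eb4b side, those three settings would be lost, unless they are defined in a part of the file not shown here. Keep them next to the remaining telemetry prefs: `lockPref("toolkit.telemetry.coverage.opt-out", true);`, `lockPref("toolkit.coverage.enabled", false);`, `lockPref("app.shield.optoutstudies.enabled", false);`.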
@@ -1516,9 +1838,230 @@ lockPref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);
 lockPref("network.captive-portal-service.enabled", false);
 lockPref("captivedetect.canonicalURL", "");
+<<<<<<< HEAD
 // --------------------------------
 // # WINDOWS
 // --------------------------------
+=======
+lockPref("network.netlink.route.check.IPv4", "127.0.0.1");
+lockPref("network.netlink.route.check.IPv6", "::1");
+
+// Pref : Disallow NTLMv1
+// https://bugzilla.mozilla.org/show_bug.cgi?id=828183
+lockPref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
+// it is still allowed through HTTPS.
+lockPref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false);
+
+// Pref : Disable formless login capture
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
+lockPref("signon.formlessCapture.enabled", false);
+
+// Pref : Delete temporary files on exit
+// https://bugzilla.mozilla.org/show_bug.cgi?id=238789
+lockPref("browser.helperApps.deleteTempFileOnExit", true);
+
+// Pref : Do not create screenshots of visited pages (relates to the "new tab page" feature)
+// https://support.mozilla.org/en-US/questions/973320
+// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/browser.pagethumbnails.capturing_disabled
+lockPref("browser.pagethumbnails.capturing_disabled", true);
+
+// - Disabled - Section ON ------------------------------------------------------------------
+
+// Pref : Tor settings
+// This browser is not meant for tor
+// Enabling those settings for user torifying their whole connection
+defaultPref("network.dns.blockDotOnion", true);
+lockPref("network.http.referer.hideOnionSource", true);
+
+// Pref : 1603 : CROSS ORIGIN: control when to send a referer
+// 0=always (default), 1=only if base domains match, 2=only if hosts match
+// Can break some important site... (payment... )
+lockPref("network.http.referer.XOriginPolicy", 1);
+
+// Pref : Only allow TLS 1.[0-3]
+lockPref("security.tls.version.max", 4); // 4 = allow up to and including TLS 1.3
+
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// Section : Disabled - Deprecated Active
+// Deprecated settings but left active for various reasons
+// Bench Diff : +0/5000
+// >>>>>>>>>>>>>>>>>>>>
+
+// Pref : 0516 : disable Onboarding (FF55+)
+// Onboarding is an interactive tour/setup for new installs/profiles and features. Every time
+// about:home or about:newtab is opened, the onboarding overlay is injected into it
+// [NOTE] Onboarding uses Google Analytics [2], and leaks resource://URIs [3]
+// [1] https://wiki.mozilla.org/Firefox/Onboarding
+// [2] https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf
+// [3] https://bugzilla.mozilla.org/863246#c154
+lockPref("browser.onboarding.enabled", false); // Removed in v64 //Deprecated Active
+
+// Pref : Disable WebIDE Web Debug Extension
+// https://trac.torproject.org/projects/tor/ticket/16222
+// https://developer.mozilla.org/docs/Tools/WebIDE
+lockPref("devtools.webide.autoinstallADBHelper", false);
+// Replaced by "devtools.webide.autoinstallADBExtension" in 64
+
+// Pref : Disable raw TCP socket support (mozTCPSocket)
+// https://trac.torproject.org/projects/tor/ticket/18863
+// https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/
+// https://developer.mozilla.org/docs/Mozilla/B2G_OS/API/TCPSocket
+// is only exposed to chrome ( https://trac.torproject.org/projects/tor/ticket/27268#comment:2 )
+// Not important
+lockPref("dom.mozTCPSocket.enabled", false);
+
+// Pref : Enforce checking for Firefox updates
+lockPref("app.update.enabled", false);
+
+// Pref : Disable bookmark backups (default: 15)
+// http://kb.mozillazine.org/Browser.bookmarks.max_backups
+lockPref("browser.bookmarks.max_backups", 2);
+
+// Pref : Disable SSDP
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1111967
+lockPref("browser.casting.enabled", false);
+
+// Pref :
+lockPref("browser.newtabpage.activity-stream.enabled", false);
+lockPref("browser.newtabpage.directory.ping", "data:text/plain,");
+lockPref("browser.newtabpage.directory.source", "data:text/plain,");
+lockPref("browser.newtabpage.enhanced", false);
+
+// Pref :
+lockPref("browser.pocket.enabled", false);
+
+// Pref : Disable Heartbeat (Mozilla user rating telemetry)
+// https://wiki.mozilla.org/Advocacy/heartbeat
+// https://trac.torproject.org/projects/tor/ticket/19047
+lockPref("browser.selfsupport.url", "");
+
+// Pref : Don't reveal build ID
+// Value taken from Tor Browser
+// https://bugzilla.mozilla.org/show_bug.cgi?id=583181
+// Already enforced with 'privacy.resistFingerprinting' ?
+lockPref("browser.startup.homepage_override.mstone", "ignore");
+
+// Pref : Disable face detection
+lockPref("camera.control.face_detection.enabled", false);
+
+// Pref :
+lockPref("datareporting.healthreport.about.reportUrl", "data:,");
+lockPref("datareporting.healthreport.service.enabled", false);
+
+// Pref :
+lockPref("device.sensors.enabled", false);
+
+// Pref : Disable WebIDE Web Debug
+// https://trac.torproject.org/projects/tor/ticket/16222
+// https://developer.mozilla.org/docs/Tools/WebIDE
+lockPref("devtools.webide.autoinstallFxdtAdapters", false);
+lockPref("devtools.webide.adaptersAddonURL", "");
+
+// Pref : Disable resource timing API
+// https://www.w3.org/TR/resource-timing/#privacy-security
+lockPref("dom.enable_resource_timing", false);
+
+// Pref : Disable FlyWeb (discovery of LAN/proximity IoT devices that expose a Web interface)
+// https://wiki.mozilla.org/FlyWeb
+// https://wiki.mozilla.org/FlyWeb/Security_scenarios
+// https://docs.google.com/document/d/1eqLb6cGjDL9XooSYEEo7mE-zKQ-o-AuDTcEyNhfBMBM/edit
+// http://www.ghacks.net/2016/07/26/firefox-flyweb
+lockPref("dom.flyweb.enabled", false);
+
+// Pref :
+lockPref("dom.gamepad.enabled", false);
+
+// Pref : Disable leaking network/browser connection information via Javascript
+// Network Information API provides general information about the system's connection type (WiFi, cellular, etc.)
+// https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
+// https://wicg.github.io/netinfo/#privacy-considerations
+// https://bugzilla.mozilla.org/show_bug.cgi?id=960426
+lockPref("dom.netinfo.enabled", false);
+
+// Pref : 2306: disable push notifications (FF44+)
+// web apps can receive messages pushed to them from a server, whether or
+// not the web app is in the foreground, or even currently loaded
+// [1] https://developer.mozilla.org/docs/Web/API/Push_API
+lockPref("dom.push.udp.wakeupEnabled", false); //UDP Wake-up
+
+// Pref : Disable telephony API
+// https://wiki.mozilla.org/WebAPI/Security/WebTelephony
+lockPref("dom.telephony.enabled", false);
+
+// Pref : Disable SHIELD
+// https://support.mozilla.org/en-US/kb/shield
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1370801
+lockPref("extensions.shield-recipe-client.enabled", false);
+
+// Pref : Disable Firefox Hello metrics collection
+// https://groups.google.com/d/topic/mozilla.dev.platform/nyVkCx-_sFw/discussion
+lockPref("loop.logDomains", false);
+
+// Pref : Disable video stats to reduce fingerprinting threat
+// https://bugzilla.mozilla.org/show_bug.cgi?id=654550
+// https://github.com/pyllyukko/user.js/issues/9#issuecomment-100468785
+// https://github.com/pyllyukko/user.js/issues/9#issuecomment-148922065
+lockPref("media.video_stats.enabled", false);
+
+// Pref : WebSockets is a technology that makes it possible to open an interactive communication
+// session between the user's browser and a server. (May leak IP when using proxy/VPN)
+lockPref("network.websocket.enabled", false);
+
+// Pref : Disable Reader
+// Not deprecated but useful to be located here
+lockPref("reader.parse-on-load.enabled", false);
+
+// CIS 2.7.4 Disable Scripting of Plugins by JavaScript
+// http://forums.mozillazine.org/viewtopic.php?f=7&t=153889
+lockPref("security.xpconnect.plugin.unrestricted", false);
+
+// Pref :
+lockPref("social.directories", "");
+
+// Pref :
+lockPref("social.remote-install.enabled", false);
+
+// Pref :
+lockPref("social.whitelist", "");
+
+// Pref : Disable RC4
+// https://developer.mozilla.org/en-US/Firefox/Releases/38#Security
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1138882
+// https://rc4.io/
+// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
+lockPref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
+lockPref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
+lockPref("security.ssl3.rsa_rc4_128_md5", false);
+lockPref("security.ssl3.rsa_rc4_128_sha", false);
+lockPref("security.tls.unrestricted_rc4_fallback", false);
+
+
+
+defaultPref("xpinstall.signatures.required", true);
+
+// https://www.ghacks.net/2019/05/24/firefox-69-userchrome-css-and-usercontent-css-disabled-by-default/
+// might increase startup time, so keep it disabled, but modifiable by default
+defaultPref("toolkit.legacyUserProfileCustomizations.stylesheets", false);
+
+// to be set for the console to work, see https://gitlab.com/librewolf-community/browser/linux/-/issues/80:
+defaultPref("devtools.selfxss.count", 0);
+
+// enable HTTPS only mode by default
+defaultPref("dom.security.https_only_mode", true);
+defaultPref("dom.security.https_only_mode_ever_enabled", true);
+
+// JS in PDF
+
+
+
+
+
+
+
+
+
+
+>>>>>>> a35eb4b (re-organized and reviewed)
 // disable links launching Windows Store [WINDOWS]
 lockPref("network.protocol-handler.external.ms-windows-store", false);
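Review bot: The added lines `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> a35eb4b (re-organized and reviewed)` put unresolved merge-conflict markers into the config file as content, around the WINDOWS banner and the whole new block of prefs. If this file is evaluated as a script by the browser's autoconfig loader, as the `lockPref(...)`/`defaultPref(...)` calls suggest, those three lines are not valid syntax. It is then worth confirming that hardening prefs such as `security.tls.unrestricted_rc4_fallback`, `dom.security.https_only_mode` and `xpinstall.signatures.required` still take effect rather than being skipped without notice. Resolve the conflict and delete the marker lines; the `+>>>>>>> a35eb4b (re-organized and reviewed)` line before `lockPref("beacon.enabled", false);` in the preceding hunk needs the same. Separately, the comment `// Pref : Enforce checking for Firefox updates` contradicts `lockPref("app.update.enabled", false);` below it and should say `// Pref : Disable checking for Firefox updates`, ideally with a note on how users are expected to receive security updates.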