librewolf-bot/settings
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

remove most lockPref, trim devtools prefs

Browse source
This commit is contained in:
fxbrit 2022-10-08 16:34:42 +02:00
parent 1bdfd333e3
commit 33e1ec1cb9
2 changed files with 62 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
docs/Changelog.md
View file

@ -1,9 +1,28 @@
This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version. This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version.
Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config. Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config.
# 7.1
**target commit**:
**base librewolf version**:
**References**:
- change most `lockPref()` to `pref()` or `defaultPref()`, see https://gitlab.com/librewolf-community/settings/-/issues/204;
- offline autodetection is mature enough and it is used by some APIs;
- if someone wants to get the mozilla extension for USB debugging, that's fine.
#### Removed preferences
```
defaultPref("network.manage-offline-status", false);
defaultPref("devtools.remote.adb.extensionURL", "");
defaultPref("devtools.chrome.enabled", false); // default
```
# 7.0 # 7.0
**target commit**: **target commit**: from ed9334d258d20830deafe1a02b87b0cea678236d to 1bdfd333e31c3d119c0bf5506a56b2026ead3583
**base librewolf version**: 105.x **base librewolf version**: 105.x

88
librewolf.cfg
View file

@ -1,19 +1,19 @@
/** LIBREWOLF SETTINGS /** LIBREWOLF SETTINGS
* *
* please take the time to read and understand, but also to customize the settings to find your own setup. * take the time to read and understand, but also to customize the settings to find your own setup.
* the answers to the most common questions are at this link https://librewolf.net/docs/faq/ * the answers to the most common questions can be found at https://librewolf.net/docs/faq/.
* *
* WARNING: please make sure the first line of this file is empty. this is a known bug. * WARNING: make sure the first line of this file is empty. this is a known bug.
*/ */
defaultPref("librewolf.cfg.version", "7.0"); lockpref("librewolf.cfg.version", "7.1");
/** INDEX /** INDEX
* the file is organized in categories, and each one has a number of sections: * the file is organized in categories, and each one has a number of sections:
* *
* PRIVACY [ISOLATION, SANITIZING, CACHE AND STORAGE, HISTORY AND SESSION RESTORE, QUERY STRIPPING] * PRIVACY [ISOLATION, SANITIZING, CACHE AND STORAGE, HISTORY AND SESSION RESTORE, QUERY STRIPPING]
* NETWORKING [HTTPS, REFERERS, WEBRTC, PROXY, DNS, PREFETCHING AND SPECULATIVE CONNECTIONS, OFFLINE] * NETWORKING [HTTPS, REFERERS, WEBRTC, PROXY, DNS, PREFETCHING AND SPECULATIVE CONNECTIONS]
* FINGERPRINTING [RFP, WEBGL] * FINGERPRINTING [RFP, WEBGL]
* SECURITY [SITE ISOLATION, CERTIFICATES, TLS/SSL, PERMISSIONS, SAFE BROWSING, OTHERS] * SECURITY [SITE ISOLATION, CERTIFICATES, TLS/SSL, PERMISSIONS, SAFE BROWSING, OTHERS]
* REGION [LOCATION, LANGUAGE] * REGION [LOCATION, LANGUAGE]
@ -96,11 +96,11 @@ defaultPref("security.mixed_content.block_display_content", true); // block inse
/** [SECTION] REFERERS /** [SECTION] REFERERS
* to enhance privacy but keep a certain level of usability we trim cross-origin * to enhance privacy but keep a certain level of usability we trim cross-origin
* referers, instead of completely avoid sending them. * referers to only send scheme, host and port, instead of completely avoid sending them.
* as a general rule, the behavior of referes which are not cross-origin should not * as a general rule, the behavior of referes which are not cross-origin should not
* be changed. * be changed.
*/ */
defaultPref("network.http.referer.XOriginTrimmingPolicy", 2); // trim referer to only send scheme, host and port defaultPref("network.http.referer.XOriginTrimmingPolicy", 2);
/** [SECTION] WEBRTC /** [SECTION] WEBRTC
* there's no point in disabling webrtc as mDNS protects the private IP on linux, osx and win10+. * there's no point in disabling webrtc as mDNS protects the private IP on linux, osx and win10+.
@ -120,7 +120,7 @@ defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // for
defaultPref("network.trr.confirmationNS", "skip"); // skip undesired doh test connection defaultPref("network.trr.confirmationNS", "skip"); // skip undesired doh test connection
defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching
/** /**
* librewolf doesn't use DoH, but it can be enabled with the following prefs: * librewolf does not use DoH, but it can be enabled with the following prefs:
* pref("network.trr.mode", 2); * pref("network.trr.mode", 2);
* pref("network.trr.uri", "https://dns.quad9.net/dns-query"); * pref("network.trr.uri", "https://dns.quad9.net/dns-query");
* *
@ -133,20 +133,15 @@ defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching
*/ */
/** [SECTION] PREFETCHING AND SPECULATIVE CONNECTIONS /** [SECTION] PREFETCHING AND SPECULATIVE CONNECTIONS
* disable prefecthing for different things such as links, bookmarks and predictors. * disable prefecthing for different things such as links, bookmarks and predictions.
*/ */
lockPref("network.predictor.enabled", false); pref("network.predictor.enabled", false);
lockPref("network.prefetch-next", false); pref("network.prefetch-next", false);
lockPref("network.http.speculative-parallel-limit", 0); pref("network.http.speculative-parallel-limit", 0);
defaultPref("browser.places.speculativeConnect.enabled", false); defaultPref("browser.places.speculativeConnect.enabled", false);
// disable speculative connections and domain guessing from the urlbar // disable speculative connections and domain guessing from the urlbar
defaultPref("browser.urlbar.speculativeConnect.enabled", false); defaultPref("browser.urlbar.speculativeConnect.enabled", false);
/** [SECTION] OFFLINE
* let users set the browser as offline, without the browser trying to guess.
*/
defaultPref("network.manage-offline-status", false);
/** [CATEGORY] FINGERPRINTING */ /** [CATEGORY] FINGERPRINTING */
@ -159,7 +154,7 @@ defaultPref("privacy.resistFingerprinting", true);
// rfp related settings // rfp related settings
defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); // prevents rfp from breaking AMO defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); // prevents rfp from breaking AMO
defaultPref("browser.startup.blankWindow", false); // if set to true it breaks RFP windows resizing defaultPref("browser.startup.blankWindow", false); // if set to true it breaks RFP windows resizing
defaultPref("browser.display.use_system_colors", false); // default except Windows defaultPref("browser.display.use_system_colors", false); // default, except Win
/** /**
* increase the size of new RFP windows for better usability, while still using a rounded value. * increase the size of new RFP windows for better usability, while still using a rounded value.
* if the screen resolution is lower it will stretch to the biggest possible rounded value. * if the screen resolution is lower it will stretch to the biggest possible rounded value.
@ -179,7 +174,9 @@ defaultPref("webgl.disabled", true);
/** [SECTION] CERTIFICATES */ /** [SECTION] CERTIFICATES */
defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning, might cause issues with AVs defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning, might cause issues with AVs
/** /**
* enable safe negotiation and show warning when it is not supported. might cause breakage. * enable safe negotiation and show warning when it is not supported. might cause breakage
* if the the server does not support RFC 5746, in tha case SSL_ERROR_UNSAFE_NEGOTIATION
* will be shown.
*/ */
defaultPref("security.ssl.require_safe_negotiation", true); defaultPref("security.ssl.require_safe_negotiation", true);
defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true); defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
@ -191,18 +188,18 @@ defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
* in v103, when crlite is fully mature, it will switch to mode 2 and no longer double-check. * in v103, when crlite is fully mature, it will switch to mode 2 and no longer double-check.
*/ */
defaultPref("security.remote_settings.crlite_filters.enabled", true); defaultPref("security.remote_settings.crlite_filters.enabled", true);
defaultPref("security.OCSP.require", true); // set to hard-fail defaultPref("security.OCSP.require", true); // set to hard-fail, might cause SEC_ERROR_OCSP_SERVER_ERROR
/** [SECTION] TLS/SSL */ /** [SECTION] TLS/SSL */
lockPref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security pref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only by enforcing it with pref() pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only by enforcing it with pref()
// show relevant and advanced issues on warnings and error screens // show relevant and advanced issues on warnings and error screens
defaultPref("browser.ssl_override_behavior", 1); defaultPref("browser.ssl_override_behavior", 1);
defaultPref("browser.xul.error_pages.expert_bad_cert", true); defaultPref("browser.xul.error_pages.expert_bad_cert", true);
/** [SECTION] PERMISSIONS */ /** [SECTION] PERMISSIONS */
lockPref("permissions.delegation.enabled", false); // force permission request to show real origin pref("permissions.delegation.enabled", false); // force permission request to show real origin
lockPref("permissions.manager.defaultsUrl", ""); // revoke special permissions for some mozilla domains pref("permissions.manager.defaultsUrl", ""); // revoke special permissions for some mozilla domains
/** [SECTION] SAFE BROWSING /** [SECTION] SAFE BROWSING
* disable safe browsing, including the fetch of updates. reverting the 7 prefs below * disable safe browsing, including the fetch of updates. reverting the 7 prefs below
@ -216,15 +213,16 @@ defaultPref("browser.safebrowsing.provider.google4.updateURL", "");
defaultPref("browser.safebrowsing.provider.google.gethashURL", ""); defaultPref("browser.safebrowsing.provider.google.gethashURL", "");
defaultPref("browser.safebrowsing.provider.google.updateURL", ""); defaultPref("browser.safebrowsing.provider.google.updateURL", "");
/** /**
* disable safe browsing checks on downloads, both local and remote. the locked prefs * disable safe browsing checks on downloads, both local and remote. the resetting prefs
* control remote checks, while the first one is for local checks only. * control remote checks, while the first one is for local checks only.
*/ */
defaultPref("browser.safebrowsing.downloads.enabled", false); defaultPref("browser.safebrowsing.downloads.enabled", false);
lockPref("browser.safebrowsing.downloads.remote.enabled", false); pref("browser.safebrowsing.downloads.remote.enabled", false);
lockPref("browser.safebrowsing.downloads.remote.url", ""); pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false); // empty for defense in depth
lockPref("browser.safebrowsing.provider.google4.dataSharingURL", ""); // empty for defense in depth pref("browser.safebrowsing.downloads.remote.url", "");
pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
/** [SECTION] OTHERS */ /** [SECTION] OTHERS */
defaultPref("network.IDN_show_punycode", true); // use punycode in idn to prevent spoofing defaultPref("network.IDN_show_punycode", true); // use punycode in idn to prevent spoofing
@ -238,9 +236,9 @@ defaultPref("pdfjs.enableScripting", false); // disable js scripting in the buil
* replace google with mozilla as the default geolocation provide and prevent use of OS location services * replace google with mozilla as the default geolocation provide and prevent use of OS location services
*/ */
defaultPref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); defaultPref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
lockPref("geo.provider.ms-windows-location", false); // [WINDOWS] defaultPref("geo.provider.ms-windows-location", false); // [WINDOWS]
lockPref("geo.provider.use_corelocation", false); // [MAC] defaultPref("geo.provider.use_corelocation", false); // [MAC]
lockPref("geo.provider.use_gpsd", false); // [LINUX] defaultPref("geo.provider.use_gpsd", false); // [LINUX]
defaultPref("geo.provider.use_geoclue", false); // [LINUX] defaultPref("geo.provider.use_geoclue", false); // [LINUX]
/** [SECTION] LANGUAGE /** [SECTION] LANGUAGE
@ -250,8 +248,8 @@ defaultPref("geo.provider.use_geoclue", false); // [LINUX]
pref("javascript.use_us_english_locale", true); pref("javascript.use_us_english_locale", true);
pref("intl.accept_languages", "en-US, en"); pref("intl.accept_languages", "en-US, en");
// disable region specific updates from mozilla // disable region specific updates from mozilla
lockPref("browser.region.network.url", ""); pref("browser.region.network.url", "");
lockPref("browser.region.update.enabled", false); pref("browser.region.update.enabled", false);
@ -289,7 +287,7 @@ defaultPref("browser.download.alwaysOpenPanel", false); // do not expand toolbar
/** [SECTION] AUTOPLAY /** [SECTION] AUTOPLAY
* block autoplay unless element is right-clicked. this means background videos, videos in a different tab, * block autoplay unless element is right-clicked. this means background videos, videos in a different tab,
* or media opened while other media is played will not start automatically. * or media opened while other media is played will not start automatically.
* thumbnails will not autoplay unless hovered. exceptions can be set. * thumbnails will not autoplay unless hovered. exceptions can be set from the UI.
*/ */
defaultPref("media.autoplay.default", 5); defaultPref("media.autoplay.default", 5);
@ -370,16 +368,14 @@ defaultPref("privacy.userContext.enabled", true);
defaultPref("privacy.userContext.ui.enabled", true); defaultPref("privacy.userContext.ui.enabled", true);
/** [SECTION] DEVTOOLS /** [SECTION] DEVTOOLS
* disable chrome and remote debugging. * disable remote debugging.
*/ */
defaultPref("devtools.chrome.enabled", false); pref("devtools.debugger.remote-enabled", false); // default, but subject to branding so keep it
defaultPref("devtools.debugger.remote-enabled", false); // default
defaultPref("devtools.remote.adb.extensionURL", "");
defaultPref("devtools.selfxss.count", 0); // required for devtools console to work defaultPref("devtools.selfxss.count", 0); // required for devtools console to work
/** [SECTION] OTHERS */ /** [SECTION] OTHERS */
lockPref("browser.translation.engine", ""); // remove translation engine pref("browser.translation.engine", ""); // remove translation engine
defaultPref("webchannel.allowObject.urlWhitelist", ""); // do not receive objects through webchannels pref("webchannel.allowObject.urlWhitelist", ""); // remove web channel whitelist
defaultPref("services.settings.server", "https://%.invalid") // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code) defaultPref("services.settings.server", "https://%.invalid") // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code)
@ -495,12 +491,12 @@ lockPref("browser.discovery.sites", "");
lockPref("browser.tabs.crashReporting.sendReport", false); lockPref("browser.tabs.crashReporting.sendReport", false);
lockPref("breakpad.reportURL", ""); lockPref("breakpad.reportURL", "");
// disable connectivity checks // disable connectivity checks
lockPref("network.connectivity-service.enabled", false); pref("network.connectivity-service.enabled", false);
// disable captive portal // disable captive portal
lockPref("network.captive-portal-service.enabled", false); pref("network.captive-portal-service.enabled", false);
lockPref("captivedetect.canonicalURL", ""); pref("captivedetect.canonicalURL", "");
// prevent sending server side analytics // prevent sending server side analytics
lockPref("beacon.enabled", false); pref("beacon.enabled", false);
/** [CATEGORY] WINDOWS /** [CATEGORY] WINDOWS
* the prefs in this section only apply to windows installations and they don't have any * the prefs in this section only apply to windows installations and they don't have any
@ -516,7 +512,7 @@ defaultPref("app.update.background.scheduling.enabled", false);
/** [SECTION] OTHERS */ /** [SECTION] OTHERS */
lockPref("default-browser-agent.enabled", false); // disable windows specific telemetry lockPref("default-browser-agent.enabled", false); // disable windows specific telemetry
defaultPref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store defaultPref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store
lockPref("toolkit.winRegisterApplicationRestart", false); // disable automatic start and session restore after reboot pref("toolkit.winRegisterApplicationRestart", false); // disable automatic start and session restore after reboot
lockPref("security.family_safety.mode", 0); // disable win8.1 family safety cert lockPref("security.family_safety.mode", 0); // disable win8.1 family safety cert