From 21a6c1bcc121d6ca8034803e7a2f3ebf37f31d32 Mon Sep 17 00:00:00 2001 
From: ohfp <1813007-ohfp@users.noreply.gitlab.com> Date: Sat, 7 Mar 2020 16:20:10 +0100 Subject: [PATCH 1/2] Relax/unlock some preferences MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is basically backporting some changes that have been already implemented with my earlier Arch builds. Mostly it's about keeping some of the settings most often causing "issues" unlocked, to make it easier to change them once needed. Cookie handling, for example, can be handled via [Cookie AutoDelete](https://addons.mozilla.org/de/firefox/addon/cookie-autodelete/) more comfortably, allowing exceptions for websites and a more granular retention / rejection. Having the option to actually keep a history or autofill forms can also be desired, when the tradeoff with regards to privacy implications is understood and accepted, so while keeping those options off by default, it might be helpful to have them easily modifiable. `resistFingerprinting` can cause issues (rarely), so it might be desired to at least temporarily disable it in some cases. The predefined useragent and other overrides sometimes cause issues with certain websites, so being able to modify can be required as well. The webextensions-CSP needs to be slightly modified to allow some addons (especially μBlock Origin) to function. Furthermore, options to allow re-enabling installing (and, optionally, updating) extensions from the official extension store might be a good thing, albeit somewhat of a tradeoff between privacy and security: Basically keeping extensions up to date is crucial from a security point of view, and the official extension store is at least a somewhat trusted source of extensions. This also indirectly can be a good thing for privacy, as in keeping relevant addons current with regards to privacy enhancing techniques. 
Of course, extensions can be kept up to date separately as well, but from my experience this is often not taken care of properly and quite a lot of extra work. In a comparable vein, the `xpinstall.signatures.required` option might be a good thing, but also undesired – so it's just kept unlocked. --- librewolf.cfg | 62 +++++++++++++++++++++++++++++---------------------- 1 file changed, 35 insertions(+), 27 deletions(-) diff --git a/librewolf.cfg b/librewolf.cfg index a20f664..afaa67b 100644 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -93,11 +93,11 @@ defaultPref("extensions.enabledAddons", "librefox.http.watcher.tor%40intika.be:2 // User Settings : Cookies settings // -------------------------------- -lockPref("network.cookie.cookieBehavior", 1); -lockPref("network.cookie.lifetimePolicy", 2); +defaultPref("network.cookie.cookieBehavior", 1); +defaultPref("network.cookie.lifetimePolicy", 2); lockPref("network.cookie.same-site.enabled", true); lockPref("network.cookie.leave-secure-alone", true); -lockPref("network.cookie.thirdparty.sessionOnly", true); +defaultPref("network.cookie.thirdparty.sessionOnly", true); lockPref("network.cookie.thirdparty.nonsecureSessionOnly", true); // ----------------------------------- @@ -161,6 +161,9 @@ defaultPref("privacy.sanitize.timeSpan", 0); defaultPref("browser.formfill.enable", false); defaultPref("privacy.sanitize.sanitizeOnShutdown", true); defaultPref("places.history.enabled", false); +# the following can be safely set here, as it should not have any effect, +# unless the above defaultPref("places.history.enabled", false); is set to true +defaultPref("places.history.expiration.max_pages", 2147483647); defaultPref("privacy.history.custom", true); //defaultPref("privacy.cpd.openWindows", true); // Clear session data //defaultPref("privacy.clearOnShutdown.openWindows", true); 
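Review bot: As `defaultPref`, `network.cookie.cookieBehavior`, `network.cookie.lifetimePolicy` and `network.cookie.thirdparty.sessionOnly` can be changed by more than the preferences UI. A `user.js` placed in the profile can set them, and so can an extension holding the `privacy` permission, whose `privacy.websites.cookieConfig` setting maps onto the cookie prefs. The same holds for `privacy.resistFingerprinting` in the `@@ -349,8 +352,8 @@` hunk, which extensions can reach through `privacy.websites.resistFingerprinting`. A comment above the block would record that this is an accepted trade-off, e.g. `// unlocked on purpose: user.js and extensions with the "privacy" permission can change these`.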
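Review bot: The two comment lines added above `defaultPref("places.history.expiration.max_pages", 2147483647);` start with `#`, while every other comment visible in this file uses `//`. AutoConfig files are evaluated as JavaScript, where `#` does not start a comment, so this is likely a syntax error that stops the configuration from loading. In that case none of the hardening prefs in the file would be applied, which is worth confirming by starting a build and checking a few locked prefs in about:config. Writing the lines as `// the following can be safely set here, ...` avoids the problem. The `# needs to be set for the console to work` line added by PATCH 2/2 has the same issue.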
@@ -179,10 +182,10 @@ lockPref("browser.sessionstore.interval", 60000); // User Settings : Autofill settings // --------------------------------- -lockPref("extensions.formautofill.addresses.enabled", false); -lockPref("extensions.formautofill.available", "off"); -lockPref("extensions.formautofill.creditCards.enabled", false); -lockPref("extensions.formautofill.heuristics.enabled", false); +defaultPref("extensions.formautofill.addresses.enabled", false); +defaultPref("extensions.formautofill.available", "off"); +defaultPref("extensions.formautofill.creditCards.enabled", false); +defaultPref("extensions.formautofill.heuristics.enabled", false); lockPref("signon.autofillForms", false); lockPref("signon.autofillForms.http", false); @@ -349,8 +352,8 @@ lockPref("dom.w3c_pointer_events.enabled", false); // Bench Diff : +0/5000 // >>>>>>>>>>>>>>>>>>>> -lockPref("privacy.resistFingerprinting", true); -lockPref("privacy.resistFingerprinting.block_mozAddonManager", true); +defaultPref("privacy.resistFingerprinting", true); +defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Locale/Time/UserAgent 
@@ -360,12 +363,12 @@ lockPref("privacy.resistFingerprinting.block_mozAddonManager", true); lockPref("dom.forms.datetime", false); lockPref("javascript.use_us_english_locale", true); lockPref("intl.regional_prefs.use_os_locales", false); -lockPref("intl.locale.requested", "en-US"); -lockPref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0, 45"); -lockPref("general.appname.override", "Netscape"); -lockPref("general.appversion.override", "5.0 (Windows)"); -lockPref("general.platform.override", "Win32"); -lockPref("general.oscpu.override", "Windows NT 6.1"); +defaultPref("intl.locale.requested", "en-US"); +defaultPref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0, 45"); +defaultPref("general.appname.override", "Netscape"); +defaultPref("general.appversion.override", "5.0 (Windows)"); +defaultPref("general.platform.override", "Win32"); +defaultPref("general.oscpu.override", "Windows NT 6.1"); // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> // Section : Ghacks-user Selection 
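Review bot: The `general.useragent.override` value carried over into the new `defaultPref` line still ends in `Firefox/45.0, 45`; the trailing `, 45` is not part of a user-agent string and looks like a leftover from another format. As a default it also announces Firefox 45 on Windows 7 from a much newer engine. Sites can detect that mismatch through feature checks, so it may make the profile stand out rather than blend in, particularly next to `privacy.resistFingerprinting`, which presents its own spoofed values. At minimum drop the stray fragment, `"Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"`, or leave the override unset by default so only one spoofing mechanism is active.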
@@ -469,7 +472,7 @@ lockPref("extensions.webextensions.identity.redirectDomain", ""); // Pref : CSP Settings For Extensions I/II : Extension Firewall Feature // Uncomment to disable network for the extensions // Enable-Firewall-Feature-In-The-Next-Line extensions-firewall >>>>>> -lockPref("extensions.webextensions.base-content-security-policy", "default-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; script-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; object-src 'self' moz-extension: blob: filesystem:;"); +defaultPref("extensions.webextensions.base-content-security-policy", "script-src 'self' https://* moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; object-src 'self' https://* moz-extension: blob: filesystem:;"); // Pref : CSP Settings For Extensions II/II : Extension Firewall Feature // This value is applied after the first one (just ignore this) @@ -815,22 +818,22 @@ lockPref("extensions.getAddons.compatOverides.url", ""); // https://services.addons.mozilla.org/api/v3/addons/compat-override/?guid=%IDS%&lang=%LOCALE% // Pref : -lockPref("extensions.getAddons.get.url", ""); +defaultPref("extensions.getAddons.get.url", ""); // Default Value // https://services.addons.mozilla.org/api/v3/addons/search/?guid=%IDS%&lang=%LOCALE% // Pref : -lockPref("extensions.getAddons.langpacks.url", ""); +defaultPref("extensions.getAddons.langpacks.url", ""); // Default Value // https://services.addons.mozilla.org/api/v3/addons/language-tools/?app=firefox&type=language&appversion=%VERSION% // Pref : -lockPref("extensions.getAddons.link.url", ""); +defaultPref("extensions.getAddons.link.url", ""); // Default Value // https://addons.mozilla.org/%LOCALE%/firefox/ // Pref : -lockPref("extensions.getAddons.search.browseURL", ""); +defaultPref("extensions.getAddons.search.browseURL", ""); // Default Value // https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION% 
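Review bot: Without a `default-src` directive and with `https://*` added to `script-src` and `object-src`, the new `extensions.webextensions.base-content-security-policy` value no longer limits where extension pages can connect or load scripts from, as far as this pref is concerned. The missing `default-src` removes the fallback for `connect-src`, `img-src` and the other fetch directives, and any HTTPS origin is now an allowed script source next to `'unsafe-eval'` and `'unsafe-inline'`; the second CSP pref mentioned in the following comment may still narrow this. The comment block above the line (`Uncomment to disable network for the extensions`, `Enable-Firewall-Feature-In-The-Next-Line`) now describes a line that does the opposite and should be updated, for example `// Base CSP: allows remote https: script/object sources; the extension firewall is off with this value`. A note on which directive the affected add-ons actually need would let a later reviewer tighten the policy again.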
@@ -865,7 +868,7 @@ lockPref("browser.newtabpage.activity-stream.fxaccounts.endpoint", ""); // https://accounts.firefox.com/ // Pref : -lockPref("extensions.update.url", ""); +defaultPref("extensions.update.url", ""); // Default Value // https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion= // %REQ_VERSION%&id=%ITEM_ID%&version=%ITEM_VERSION%&maxAppVersion= @@ -1461,7 +1464,7 @@ lockPref("app.releaseNotesURL", ""); // Pref : lockPref("app.update.auto", false); -lockPref("extensions.update.autoUpdateDefault", false); +defaultPref("extensions.update.autoUpdateDefault", false); lockPref("app.update.staging.enabled", false); lockPref("app.update.silent", false); lockPref("app.update.lastUpdateTime.telemetry_modules_ping", 0); @@ -1574,10 +1577,10 @@ lockPref("extensions.blocklist.itemURL", ""); lockPref("extensions.blocklist.url", ""); // Pref : -lockPref("extensions.update.background.url", ""); +defaultPref("extensions.update.background.url", ""); // Pref : -lockPref("extensions.getAddons.showPane", false); +defaultPref("extensions.getAddons.showPane", false); // Pref : lockPref("extensions.webservice.discoverURL", ""); @@ -1869,7 +1872,7 @@ lockPref("security.dialog_enable_delay", 700); // Pref : Opt-out of add-on metadata updates // https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/ -lockPref("extensions.getAddons.cache.enabled", false); +defaultPref("extensions.getAddons.cache.enabled", false); // Pref : Opt-out of theme (Persona) updates // https://support.mozilla.org/t5/Firefox/how-do-I-prevent-autoamtic-updates-in-a-50-user-environment/td-p/144287 
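Review bot: The add-on blocklist stays locked off in the context lines of the `@@ -1574,10 +1577,10 @@` hunk (`lockPref("extensions.blocklist.itemURL", "");` and `lockPref("extensions.blocklist.url", "");`), while `extensions.update.background.url` and `extensions.getAddons.showPane` right below them become user-changeable. If the blocklist in the targeted Firefox version still depends on those prefs, a user who re-enables store installs gets no revocation of add-ons later flagged as malicious. Either unlock them the same way, `defaultPref("extensions.blocklist.url", "");`, or add a comment stating that the blocklist stays disabled deliberately. Only part of this block is visible in the hunk, so the blocklist switch itself may be handled elsewhere in the file.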
@@ -1902,7 +1905,7 @@ lockPref("plugin.sessionPermissionNow.intervalInMinutes", 0); // Pref : Update addons automatically // https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/ -lockPref("extensions.update.enabled", false); +defaultPref("extensions.update.enabled", false); // Pref : Enable add-on and certificate blocklists (OneCRL) from Mozilla // Updated at interval defined in extensions.blocklist.interval (default: 86400) @@ -2626,4 +2629,9 @@ lockPref("security.tls.unrestricted_rc4_fallback", false); //lockPref("toolkit.telemetry.unifiedIsOptIn", true); //lockPref("ui.key.menuAccessKey", 0); //lockPref("view_source.tab", false); -lockPref("xpinstall.signatures.required", false); + +defaultPref("xpinstall.signatures.required", true); + +// https://www.ghacks.net/2019/05/24/firefox-69-userchrome-css-and-usercontent-css-disabled-by-default/ +// might increase startup time, so keep it disabled, but modifiable by default +defaultPref("toolkit.legacyUserProfileCustomizations.stylesheets", false); From 9a8d1ca822b2328efc082fd671458eefab608c15 Mon Sep 17 00:00:00 2001 From: ohfp <1813007-ohfp@users.noreply.gitlab.com> Date: Sat, 7 Mar 2020 16:51:29 +0100 Subject: [PATCH 2/2] also add fix for linux#80 --- librewolf.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/librewolf.cfg b/librewolf.cfg index afaa67b..ed5b707 100644 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -2635,3 +2635,6 @@ defaultPref("xpinstall.signatures.required", true); // https://www.ghacks.net/2019/05/24/firefox-69-userchrome-css-and-usercontent-css-disabled-by-default/ // might increase startup time, so keep it disabled, but modifiable by default defaultPref("toolkit.legacyUserProfileCustomizations.stylesheets", false); + +# needs to be set for the console to work, see https://gitlab.com/librewolf-community/browser/linux/-/issues/80: +defaultPref("devtools.selfxss.count", 0);
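Review bot: Re-enabling add-on updates requires more than the `extensions.update.enabled` pref unlocked here, and nothing in the file says so. `extensions.update.url`, `extensions.update.background.url` and `extensions.update.autoUpdateDefault` from earlier hunks still default to empty or `false`, so flipping only this pref leaves the update URL empty. The user may then believe extensions are being kept current when no check can succeed. A comment here listing the prefs that belong together would prevent that, e.g. `// to re-enable add-on updates also set extensions.update.url, extensions.update.background.url and extensions.update.autoUpdateDefault`.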
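Review bot: The new `defaultPref("xpinstall.signatures.required", true);` line in the `@@ -2626,4 +2629,9 @@` hunk has no comment explaining why a signature-enforcement pref is left unlocked, unlike the stylesheet pref added below it. Because the default flips from a locked `false` to `true`, profiles that carry unsigned add-ons will presumably have them disabled at the next start, which deserves a release note. As a `defaultPref` it can also be set back to `false` by a `user.js` or by a user value already present in an existing profile. A short comment such as `// signature enforcement on by default; unlocked so unsigned add-ons can be allowed deliberately` would document the intent.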