librewolf-bot/settings
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

knock down some more reordering

Browse source
This commit is contained in:
fxbrit 2022-02-06 21:21:55 +01:00
parent 5035c4446d
commit 624708acdc
2 changed files with 159 additions and 106 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
docs/Changelog.md
View file

@ -1,6 +1,23 @@
This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version.
Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config.
# 5.5
#### Removed preferences
```
defaultPref("security.insecure_connection_text.enabled", true); // display http websites as insecure in the ui
```
#### Added preferences
```
defaultPref("browser.places.speculativeConnect.enabled", false);
```
### Changed preferences
```
pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only
```
## 5.4
**target commit**:

246
librewolf.cfg
View file

@ -7,12 +7,32 @@ defaultPref("librewolf.cfg.version", "5.5");
/**
* the file is organized in categories, and each one has a number of sections
* the file is organized in categories, and each one has a number of sections:
*
* - PRIVACY
* - ISOLATION
* - SANITIZING
* - CACHE AND STORAGE
* - HISTORY AND SESSION RESTORE
* - QUERY STRIPPING
*
* - NETWORKING
* - HTTPS
* - IPv6
* - REFERERS
* - WEBRTC
* - PROXY
* - DNS
* - PREFETCHING
*
* - FINGERPRINTING
* - RFP
* - WEBGL
*
* - SECURITY
* - SITE ISOLATION
* - CERTIFICATES
* - TLS/SSL
*/
@ -44,6 +64,16 @@ defaultPref("privacy.clearOnShutdown.cookies", false);
defaultPref("privacy.sanitize.sanitizeOnShutdown", true);
defaultPref("privacy.sanitize.timeSpan", 0);
/** [SECTION] CACHE AND STORAGE */
defaultPref("browser.cache.disk.enable", false); // disable disk cache
/** prevent media cache from being written to disk in pb, but increase max cache size to avoid playback issues */
defaultPref("browser.privatebrowsing.forceMediaMemoryCache", true);
defaultPref("media.memory_cache_max_size", 65536);
// disable favicons in profile folder and page thumbnail capturing
defaultPref("browser.shell.shortcutFavicons", false);
defaultPref("browser.pagethumbnails.capturing_disabled", true);
defaultPref("browser.helperApps.deleteTempFileOnExit", true); // delete temporary files opened with external apps
/** [SECTION] HISTORY AND SESSION RESTORE */
defaultPref("browser.formfill.enable", false); // disable form history
defaultPref("browser.sessionstore.privacy_level", 2); // prevent websites from storing session data like cookies and forms
@ -62,138 +92,123 @@ defaultPref("privacy.query_stripping.strip_list", "__hsfp __hssc __hstc __s _hse
*/
defaultPref("librewolf.uBO.assetsBootstrapLocation", "https://gitlab.com/librewolf-community/browser/source/-/raw/main/assets/uBOAssets.json");
// ----------------------
// # NETWORKING
// ----------------------
// https and mixed content
/** [CATEGORY] NETWORKING */
/** [SECTION] HTTPS */
defaultPref("dom.security.https_only_mode", true); // only allow https in all windows, including private browsing
defaultPref("network.auth.subresource-http-auth-allow", 1); // stop cross-origin resources from using HTTP authentication
defaultPref("security.insecure_connection_text.enabled", true); // display http websites as insecure in the ui
defaultPref("network.auth.subresource-http-auth-allow", 1); // block HTTP authentication credential dialogs
defaultPref("security.mixed_content.block_display_content", true); // block insecure passive content
defaultPref("network.dns.disableIPv6", true); // disable ipv6
/** [SECTION] IPv6
* privacy extension isn't the default for all linux distros, so we disable ipv6.
*/
defaultPref("network.dns.disableIPv6", true);
// always send xorigin referer but trim them
defaultPref("network.http.referer.XOriginPolicy", 0); // default, might be worth changing to 2
/** [SECTION] REFERERS
* to enhance privacy but keep a certain level of usability we trim cross-origin
* referers, instead of completely avoid sending them.
* as a general rule, the behavior of referes which are not cross-origin should not
* be changed.
*/
defaultPref("network.http.referer.XOriginPolicy", 0); // default, might be worth changing to 2 to stop sending them completely
defaultPref("network.http.referer.XOriginTrimmingPolicy", 2); // trim referer to only send scheme, host and port
defaultPref("network.file.disable_unc_paths", true); // hidden, disable using uniform naming convention
defaultPref("network.IDN_show_punycode", true); // use punycode in idn to prevent spoofing
// proxy
defaultPref("network.proxy.socks_remote_dns", true); // forces dns query through the proxy when using one
defaultPref("network.gio.supported-protocols", ""); // disable gio as it could bypass proxy
// doh
defaultPref("network.trr.confirmationNS", "skip"); // skip undesired doh test connection
/**
0 = default
1 = browser picks faster
2 = DoH with system dns fallback
3 = DoH without fallback
5 = DoH is off, default currently
below prefs must be applied with pref in order to work
/** [SECTION] WEBRTC
* there's no point in disabling webrtc as mDNS protects the private IP on linux, osx and win10+.
* with the below preference we protect the value even in trusted environments and for win7/8 users,
* although this will likely cause breakage.
*/
// pref("network.trr.mode", 2);
// pref("network.trr.uri", "https://dns.quad9.net/dns-query");
// prefetching
defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching
lockPref("network.predictor.enabled", false); // disable predictor
lockPref("network.prefetch-next", false); // disable link prefetching
lockPref("network.http.speculative-parallel-limit", 0); // disable prefetching on mouse over
defaultPref("network.manage-offline-status", false); // let user control the offline behavior
// ------------
// # DOM
// ------------
// pop-ups and window related preferences
defaultPref("dom.disable_beforeunload", true); // disable "confirm you want to leave" pop-ups on close
defaultPref("dom.disable_open_during_load", true); // block pop-ups windows
defaultPref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); // limit events that cause pop-ups
defaultPref("dom.disable_window_move_resize", true); // block scripts from resizing windows
defaultPref("browser.link.open_newwindow", 3); // open 'new windows' targeted links in 'new tab'
defaultPref("browser.link.open_newwindow.restriction", 0); // ignore the size when applying the above pref
// --------------------------------
// # CACHE AND TEMPORARY FILES
// --------------------------------
defaultPref("browser.cache.disk.enable", false); // disable disk cache
defaultPref("browser.privatebrowsing.forceMediaMemoryCache", true); // block media cache from writing to disk in pb mode
defaultPref("media.memory_cache_max_size", 65536); // increase max cache size to avoid playback issues caused by above setting
defaultPref("browser.shell.shortcutFavicons", false); // disable shortcut favicons from being stored in profile
defaultPref("browser.helperApps.deleteTempFileOnExit", true); // delete temporary files opened with external apps
defaultPref("browser.pagethumbnails.capturing_disabled", true); // disable page thumbnails capturing
// ----------------------
// # MEDIA
// ----------------------
/**
* limit potential private IP leaks for webrtc users.
* mDNS protects the value on linux, osx and win10+.
* these prefs protect the value when allowing mic and camera access, and for win7/8.x.
* */
defaultPref("media.peerconnection.ice.no_host", true); // don't use any private IPs for ICE candidate
defaultPref("media.peerconnection.ice.default_address_only", true); // use a single interface for ICE candidates, the vpn one when a vpn is used
defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // force webrtc inside proxy, when one is used
// autoplay
defaultPref("media.autoplay.blocking_policy", 2); // only allow to play when a certain element is clicked
defaultPref("media.autoplay.default", 5); // personal preference, currently apply blocking policy to all autplay including muted
/** [SECTION] PROXY */
defaultPref("network.gio.supported-protocols", ""); // disable gio as it could bypass proxy
defaultPref("network.file.disable_unc_paths", true); // hidden, disable using uniform naming convention to prevent proxy bypass
defaultPref("network.proxy.socks_remote_dns", true); // forces dns query through the proxy when using one
defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // force webrtc inside proxy when one is used
// --------------------------------------
// # FINGERPRINTING
// --------------------------------------
/** [SECTION] DNS */
defaultPref("network.trr.confirmationNS", "skip"); // skip undesired doh test connection
defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching
/**
* librewolf doesn't use DoH, but it can be enabled with the following prefs:
* pref("network.trr.mode", 2);
* pref("network.trr.uri", "https://dns.quad9.net/dns-query");
*
* the possible modes are:
* 0 = default
* 1 = browser picks faster
* 2 = DoH with system dns fallback
* 3 = DoH without fallback
* 5 = DoH is off, default currently
*/
defaultPref("privacy.resistFingerprinting", true); // master switch
/** [SECTION] PREFETCHING
* disable prefecthing for different things such as links, bookmarks and predictors.
*/
lockPref("network.predictor.enabled", false);
lockPref("network.prefetch-next", false);
lockPref("network.http.speculative-parallel-limit", 0);
defaultPref("browser.places.speculativeConnect.enabled", false);
// rfp compatibility settings
// TODO
defaultPref("network.manage-offline-status", false); // let user control the offline behavior
/** [CATEGORY] FINGERPRINTING */
/** [SECTION] RFP
* librewolf should stick to RFP for fingerprinting. we should not set prefs that interfere with it
* and disabling API for no good reason will be counter productive, so it should also be avoided.
*/
defaultPref("privacy.resistFingerprinting", true);
// rfp related settings
defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); // prevents rfp from breaking AMO
defaultPref("browser.startup.blankWindow", false); // if set to true it breaks RFP windows resizing
defaultPref("browser.display.use_system_colors", false); // default but enforced due to RFP
defaultPref("privacy.resistFingerprinting.letterboxing", false); // expose hidden letterboxing pref, but do not enable by default
/**
* increase the size of new RFP windows for better usability, while still using a rounded value.
* if the screen resolution is lower it will stretch to the biggest possible rounded value.
* */
* also, expose hidden letterboxing pref but do not enable it for now.
*/
defaultPref("privacy.window.maxInnerWidth", 1600);
defaultPref("privacy.window.maxInnerHeight", 900);
defaultPref("privacy.resistFingerprinting.letterboxing", false);
defaultPref("webgl.disabled", true); // master switch, disable webgl
/** [SECTION] WEBGL */
defaultPref("webgl.disabled", true);
// --------------------------------
// # SECURITY
// --------------------------------
defaultPref("fission.autostart", true); // enable fission by default
/** [CATEGORY] SECURITY */
// certificates
defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning
/** [SECTION] SITE ISOLATION
* https://wiki.mozilla.org/Project_Fission
*/
defaultPref("fission.autostart", true);
/** [SECTION] CERTIFICATES */
defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning, might cause issues with AVs
defaultPref("security.pki.sha1_enforcement_level", 1); // disable sha-1 certificates
/**
* enable safe negotiation and show warning when it is not supported. might cause breakage.
*/
defaultPref("security.ssl.require_safe_negotiation", true);
defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
/**
* our strategy with revocation is to disable OCSP as it is slower and less privacy minded, and to use
* CRL instead, particularly the CRLite solution with no OCSP fallback.
*/
defaultPref("security.OCSP.enabled", 0); // disable ocsp fetching
// crl with no ocsp fallback
defaultPref("security.remote_settings.crlite_filters.enabled", true);
defaultPref("security.pki.crlite_mode", 2);
defaultPref("security.pki.crlite_mode", 2); // mode 2 means no fallback
// safe negotiation
defaultPref("security.ssl.require_safe_negotiation", true); // block websites that do not support safe negotiation, occasional breakage
defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true); // show warning when safe negotiation is not enable and website is accessed
// tls behavior
lockPref("security.tls.enable_0rtt_data", false); // disable 0 round trip time to improve tls 1.3 security
defaultPref("security.tls.version.enable-deprecated", false); // default but helps resetting the preference
defaultPref("browser.ssl_override_behavior", 1); // prepopulate url on ssl warning screens
defaultPref("browser.xul.error_pages.expert_bad_cert", true); // advanced ui infos for broken connections
/** [SECTION] TLS/SSL */
lockPref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only
// show relevant and advanced issues on warnings and error screens
defaultPref("browser.ssl_override_behavior", 1);
defaultPref("browser.xul.error_pages.expert_bad_cert", true);
// permissions
lockPref("permissions.delegation.enabled", false); // force permission request to show the real origin
@ -204,6 +219,7 @@ defaultPref("gfx.font_rendering.opentype_svg.enabled", false); // disale svg ope
defaultPref("browser.download.useDownloadDir", false); // force user interaction on downloads, by always asking location
lockPref("security.csp.enable", true); // default
defaultPref("network.IDN_show_punycode", true); // use punycode in idn to prevent spoofing
// ---------------------------------
// # SAFE BROWSING
@ -230,6 +246,28 @@ lockPref("browser.safebrowsing.passwords.enabled", false);
lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
lockPref("browser.safebrowsing.provider.google4.dataSharingURL", "");
// ------------
// # DOM - TODO
// ------------
// pop-ups and window related preferences
defaultPref("dom.disable_beforeunload", true); // disable "confirm you want to leave" pop-ups on close
defaultPref("dom.disable_open_during_load", true); // block pop-ups windows
defaultPref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); // limit events that cause pop-ups
defaultPref("dom.disable_window_move_resize", true); // block scripts from resizing windows
defaultPref("browser.link.open_newwindow", 3); // open 'new windows' targeted links in 'new tab'
defaultPref("browser.link.open_newwindow.restriction", 0); // ignore the size when applying the above pref
// ----------------------
// # MEDIA - TODO
// ----------------------
// autoplay
defaultPref("media.autoplay.blocking_policy", 2); // only allow to play when a certain element is clicked
defaultPref("media.autoplay.default", 5); // personal preference, currently apply blocking policy to all autplay including muted
// -----------------------
// # DRM
// -----------------------
@ -287,8 +325,6 @@ defaultPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
defaultPref("browser.urlbar.speculativeConnect.enabled", false);
lockPref("browser.fixup.alternate.enabled", false);
defaultPref("browser.places.speculativeConnect.enabled", false); // speculative connections for history and bookmarks
// ----------------------------------
// # BROWSER BEHAVIOR
// ----------------------------------