diff --git a/Changelog.md b/Changelog.md index c85d306..2953315 100755 --- a/Changelog.md +++ b/Changelog.md @@ -416,6 +416,9 @@ defaultPref("extensions.webextensions.tabhide.enabled", false); // Deprecated lockPref("dom.enable_performance", false); // conflicting with RFP lockPref("dom.enable_performance_navigation_timing", false); // conflicting with RFP <<<<<<< HEAD +<<<<<<< HEAD +======= +>>>>>>> 4041ab1 (reorganized and improved some entries) lockPref("security.mixed_content.upgrade_display_content", true); // not worth having https://github.com/arkenfox/user.js/issues/754 lockPref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false); // Deprecated lockPref("security.ssl3.ecdhe_rsa_rc4_128_sha", false); // Deprecated @@ -429,6 +432,7 @@ lockPref("security.ssl3.rsa_des_ede3_sha", false); // known to leak and increase lockPref("security.ssl3.rsa_aes_256_sha", false); // known to leak and increase fingerprint lockPref("security.ssl3.rsa_aes_128_sha", false); // known to leak and increase fingerprint lockPref("browser.safebrowsing.allowOverride", false); // we do not have SB enabled so we don't care if the bypass button is shown +<<<<<<< HEAD defaultPref("browser.ctrlTab.recentlyUsedOrder", false); // why should be disable this? lockPref("services.blocklist.onecrl.collection", ""); // Deprecated lockPref("font.blacklist.underline_offset", ""); // knwown to increase fingerprint @@ -856,6 +860,11 @@ lockPref("identity.fxaccounts.service.sendLoginUrl", ""); // Deprecated >>>>>>> 55c94dc (reorganized, revisited) ======= >>>>>>> c16522a (added re-enabling guides) +======= +defaultPref("browser.ctrlTab.recentlyUsedOrder", false); // why? +lockPref("services.blocklist.onecrl.collection", ""); // Deprecated + +>>>>>>> 4041ab1 (reorganized and improved some entries) ``` #### Unlocked 
@@ -933,7 +942,14 @@ lockPref("network.http.referer.trimmingPolicy", 0); defaultPref("extensions.blocklist.enabled", false); defaultPref("extensions.blocklist.detailsURL", ""); defaultPref("extensions.blocklist.itemURL", ""); +<<<<<<< HEAD >>>>>>> c16522a (added re-enabling guides) +======= + +// someone might want to have it on for security concerns +defaultPref("security.OCSP.enabled", 0); +defaultPref("security.OCSP.require", false); +>>>>>>> 4041ab1 (reorganized and improved some entries) ``` ## How to... @@ -1097,5 +1113,14 @@ extensions.update.url = "https://versioncheck.addons.mozilla.org/update/VersionC %ITEM_MAXAPPVERSION%&status=%ITEM_STATUS%&appID=%APP_ID%&appVersion=%APP_VERSION%&appOS= %APP_OS%&appABI=%APP_ABI%&locale=%APP_LOCALE%¤tAppVersion= %CURRENT_APP_VERSION%&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%" +<<<<<<< HEAD >>>>>>> c16522a (added re-enabling guides) -``` \ No newline at end of file +``` +======= +``` +#### Enable OCSP certificate checking +``` +security.OCSP.enabled = 1 +``` +you probably also want `security.OCSP.require = true` +>>>>>>> 4041ab1 (reorganized and improved some entries) diff --git a/librewolf.cfg b/librewolf.cfg index 4f9c595..3b2c844 100755 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -660,6 +660,7 @@ lockPref("network.http.altsvc.enabled", false); lockPref("network.http.altsvc.oe", false); defaultPref("dom.security.https_only_mode", true); defaultPref("dom.security.https_only_mode_pbm", true); +lockPref("network.http.redirection-limit", 10); // -------------------------------------- // TLS @@ -685,6 +686,7 @@ lockPref("network.stricttransportsecurity.preloadlist", false); defaultPref("privacy.resistFingerprinting", true); defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); +lockPref("browser.startup.blankWindow", false); // breaks RFP windows resizing // -------------------------------------- // LANGUAGE AND REGION 
@@ -1027,27 +1029,18 @@ lockPref("app.normandy.dev_mode", false); // SECURITY // -------------------------------- -// certs +// certificates lockPref("security.cert_pinning.enforcement_level", 2); -lockPref("security.OCSP.enabled", 0); -lockPref("security.OCSP.require", false); +defaultPref("security.OCSP.enabled", 0); +defaultPref("security.OCSP.require", false); lockPref("security.ssl.enable_ocsp_stapling", true); +lockPref("security.pki.sha1_enforcement_level", 1); // mixed content -lockPref("security.mixed_content.upgrade_display_content", true); lockPref("security.mixed_content.block_object_subrequest", true); lockPref("security.mixed_content.block_display_content", true); lockPref("security.mixed_content.block_active_content", true); -// ciphers -lockPref("security.pki.sha1_enforcement_level", 1); -lockPref("security.ssl3.rsa_des_ede3_sha", false); -lockPref("security.ssl3.rsa_aes_256_sha", false); -lockPref("security.ssl3.rsa_aes_128_sha", false); -lockPref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false); -lockPref("security.ssl3.ecdh_rsa_rc4_128_sha", false); -lockPref("security.ssl3.rsa_seed_sha", false); - // reduce breakage defaultPref("security.remote_settings.intermediates.enabled", true); @@ -1084,7 +1077,12 @@ lockPref("security.insecure_connection_text.pbmode.enabled", true); lockPref("browser.safebrowsing.malware.enabled", false); lockPref("browser.safebrowsing.passwords.enabled", false); lockPref("browser.safebrowsing.phishing.enabled", false); +<<<<<<< HEAD >>>>>>> 55c94dc (reorganized, revisited) +======= + +// downloads and unwanted software +>>>>>>> 4041ab1 (reorganized and improved some entries) lockPref("browser.safebrowsing.downloads.enabled", false); lockPref("browser.safebrowsing.downloads.remote.enabled", false); lockPref("browser.safebrowsing.downloads.remote.block_dangerous", false); 
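Review bot: Deleting the `// ciphers` block in the hunk at -1027 (and the `// Pref : Disable RC4` block in the hunk at -2045) leaves no visible line in librewolf.cfg that pins `security.ssl3.rsa_des_ede3_sha` or the RC4 suites off. Whether 3DES can still be negotiated then depends on the defaults of the Firefox release this config is built on, which the diff does not show. Changelog.md gives the reason as "known to leak and increase fingerprint", but the cfg itself keeps no trace of the decision. I would leave a marker where the block was, e.g. `// ciphers: left at upstream defaults to avoid a distinctive fingerprint, see Changelog.md`, and confirm against the targeted release that no 3DES or RC4 suite is offered. The two `security.OCSP.*` lines that become `defaultPref` would benefit from a similar one-line comment saying that OCSP queries are off by default and can be re-enabled by the user.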
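Review bot: The added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> 4041ab1 (reorganized and improved some entries)` in the hunk at -1084 are unresolved merge-conflict markers committed into librewolf.cfg, next to an older marker already present as context (`>>>>>>> 55c94dc (reorganized, revisited)`). The file is a script of `lockPref`/`defaultPref` calls, so these lines are not valid statements; how the loader reacts is not visible here, but a parse failure would presumably leave some or all of the hardening prefs unapplied. The same markers are added in the hunks at -1093, -1100, -1610, -1661 and -1696, and the -1100 hunk adds a further copy of `lockPref("browser.safebrowsing.id", "");` inside them. Resolve each conflict so that only the intended side remains (here, keep `// downloads and unwanted software` and drop the three marker lines). A pre-commit check that rejects lines beginning with `<<<<<<<`, `=======` or `>>>>>>>` would catch this in future.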
@@ -1093,6 +1091,7 @@ lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", fal lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false); lockPref("browser.safebrowsing.downloads.remote.url", ""); <<<<<<< HEAD +<<<<<<< HEAD // could try re-enabling some of these urls to see if it causes connections lockPref("browser.safebrowsing.id", ""); @@ -1100,6 +1099,11 @@ lockPref("browser.safebrowsing.id", ""); lockPref("browser.safebrowsing.id", ""); lockPref("browser.safebrowsing.allowOverride", false); >>>>>>> 55c94dc (reorganized, revisited) +======= + +// could try re-enabling some of these urls to see if it causes connections +lockPref("browser.safebrowsing.id", ""); +>>>>>>> 4041ab1 (reorganized and improved some entries) lockPref("browser.safebrowsing.blockedURIs.enabled", false); lockPref("browser.safebrowsing.provider.google4.pver", ""); lockPref("browser.safebrowsing.provider.google4.advisoryName", ""); 
@@ -1286,48 +1290,45 @@ lockPref("javascript.options.shared_memory", false); // MISC // -------------------------------- -lockPref("app.update.auto", false); -lockPref("app.update.staging.enabled", false); -lockPref("app.update.lastUpdateTime.telemetry_modules_ping", 0); -lockPref("app.update.url.details", "https://gitlab.com/librewolf-community/browser"); -lockPref("app.update.url.manual", "https://gitlab.com/librewolf-community/browser"); +// ui defaultPref("browser.tabs.drawInTitlebar", true); -lockPref("browser.shell.checkDefaultBrowser", false); +defaultPref("browser.aboutConfig.showWarning", false); +defaultPref("browser.download.autohideButton", false); +defaultPref("privacy.userContext.ui.enabled", true); + +// more important stuff lockPref("browser.shell.shortcutFavicons", false); -defaultPref("alerts.showFavicons", false); // default: false +defaultPref("alerts.showFavicons", false); +defaultPref("browser.link.open_newwindow", 3); +defaultPref("browser.link.open_newwindow.restriction", 0); +lockPref("security.data_uri.block_toplevel_data_uri_navigations", true); + +// settings +lockPref("browser.shell.checkDefaultBrowser", false); defaultPref("startup.homepage_override_url", "about:blank"); defaultPref("startup.homepage_welcome_url", "about:blank"); defaultPref("startup.homepage_welcome_url.additional", ""); -lockPref("browser.startup.blankWindow", false); -defaultPref("privacy.userContext.ui.enabled", true); defaultPref("privacy.userContext.enabled", true); -defaultPref("browser.aboutConfig.showWarning", false); -defaultPref("browser.download.autohideButton", false); -defaultPref("browser.ctrlTab.recentlyUsedOrder", false); -defaultPref("browser.link.open_newwindow", 3); -defaultPref("browser.link.open_newwindow.restriction", 0); defaultPref("layout.spellcheckDefault", 2); defaultPref("general.autoScroll", false); defaultPref("clipboard.autocopy", false); +defaultPref("browser.tabs.loadBookmarksInTabs", true); 
+lockPref("browser.download.manager.addToRecentDocs", false); +lockPref("webchannel.allowObject.urlWhitelist", ""); + +// pdf reader defaultPref("pdfjs.disabled", false); defaultPref("pdfjs.enableScripting", false); defaultPref("pdfjs.enableWebGL", false); defaultPref("pdfjs.previousHandler.alwaysAskBeforeHandling", true); defaultPref("pdfjs.enabledCache.state", false); -defaultPref("browser.tabs.loadBookmarksInTabs", true); + defaultPref("devtools.debugger.remote-enabled", false); defaultPref("devtools.chrome.enabled", false); -lockPref("toolkit.coverage.endpoint.base", ""); -lockPref("toolkit.coverage.opt-out", true); -lockPref("toolkit.coverage.enabled", false); -lockPref("webchannel.allowObject.urlWhitelist", ""); -lockPref("browser.download.manager.addToRecentDocs", false); -lockPref("network.http.redirection-limit", 10); -lockPref("security.data_uri.block_toplevel_data_uri_navigations", true); -lockPref("services.blocklist.onecrl.collection", ""); // could it be replaced by services.settings.security.onecrl.collection ? lockPref("services.blocklist.addons.collection", ""); lockPref("services.blocklist.plugins.collection", ""); lockPref("services.blocklist.gfx.collection", ""); + lockPref("network.file.disable_unc_paths", true); // (hidden pref) lockPref("network.gio.supported-protocols", ""); // (hidden pref) lockPref("network.auth.subresource-img-cross-origin-http-auth-allow", false); 
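Review bot: The new group headings in MISC are uneven. `// more important stuff` does not say what the group holds, although it contains `security.data_uri.block_toplevel_data_uri_navigations`, and the devtools and `services.blocklist.*` runs after the pdf reader group have no heading at all. I would rename the first to something descriptive such as `// link and navigation handling` and add `// devtools` and `// blocklist collections` above the other two. The hunk also drops `lockPref("services.blocklist.onecrl.collection", "");` while the addons, plugins and gfx collections stay emptied. Changelog.md marks that pref as Deprecated, so a short comment above the remaining three saying the onecrl entry was removed on purpose would keep a later reader from re-adding it.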
@@ -1610,7 +1611,17 @@ lockPref("network.http.speculative-parallel-limit", 0); // OUTGOING CONNECTIONS // -------------------------------- +<<<<<<< HEAD >>>>>>> 653a6ed (knocked out some more prefs) +======= +// updates +lockPref("app.update.auto", false); +lockPref("app.update.staging.enabled", false); +lockPref("app.update.lastUpdateTime.telemetry_modules_ping", 0); +lockPref("app.update.url.details", "https://gitlab.com/librewolf-community/browser"); +lockPref("app.update.url.manual", "https://gitlab.com/librewolf-community/browser"); + +>>>>>>> 4041ab1 (reorganized and improved some entries) // connectivity service lockPref("network.connectivity-service.enabled", false); lockPref("network.connectivity-service.IPv6.url", "http://0.0.0.0"); @@ -1661,6 +1672,7 @@ lockPref("security.protectionspopup.recordEventTelemetry", false); lockPref("datareporting.healthreport.uploadEnabled", false); lockPref("datareporting.policy.dataSubmissionEnabled", false); <<<<<<< HEAD +<<<<<<< HEAD lockPref("toolkit.coverage.endpoint.base", ""); lockPref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF] lockPref("toolkit.coverage.opt-out", true); @@ -1696,6 +1708,11 @@ lockPref("security.protectionspopup.recordEventTelemetry", false); lockPref("datareporting.healthreport.uploadEnabled", false); lockPref("datareporting.policy.dataSubmissionEnabled", false); >>>>>>> 7887469 (reviewed and reorganized up to extensions) +======= +lockPref("toolkit.coverage.endpoint.base", ""); +lockPref("toolkit.coverage.opt-out", true); +lockPref("toolkit.coverage.enabled", false); +>>>>>>> 4041ab1 (reorganized and improved some entries) // pocket >>>>>>> 653a6ed (knocked out some more prefs) 
@@ -2045,19 +2062,6 @@ lockPref("social.remote-install.enabled", false); // Pref : lockPref("social.whitelist", ""); -// Pref : Disable RC4 -// https://developer.mozilla.org/en-US/Firefox/Releases/38#Security -// https://bugzilla.mozilla.org/show_bug.cgi?id=1138882 -// https://rc4.io/ -// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566 -lockPref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false); -lockPref("security.ssl3.ecdhe_rsa_rc4_128_sha", false); -lockPref("security.ssl3.rsa_rc4_128_md5", false); -lockPref("security.ssl3.rsa_rc4_128_sha", false); -lockPref("security.tls.unrestricted_rc4_fallback", false); - - - defaultPref("xpinstall.signatures.required", true); // https://www.ghacks.net/2019/05/24/firefox-69-userchrome-css-and-usercontent-css-disabled-by-default/