reorganized and improved some entries

Changelog.md

@@ -416,6 +416,9 @@ defaultPref("extensions.webextensions.tabhide.enabled", false); // Deprecated
 lockPref("dom.enable_performance", false); // conflicting with RFP
 lockPref("dom.enable_performance_navigation_timing", false);  // conflicting with RFP
 <<<<<<< HEAD
+<<<<<<< HEAD
+=======
+>>>>>>> 4041ab1 (reorganized and improved some entries)
 lockPref("security.mixed_content.upgrade_display_content", true); // not worth having https://github.com/arkenfox/user.js/issues/754
 lockPref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false); // Deprecated
 lockPref("security.ssl3.ecdhe_rsa_rc4_128_sha", false); // Deprecated
@@ -429,6 +432,7 @@ lockPref("security.ssl3.rsa_des_ede3_sha", false); // known to leak and increase
 lockPref("security.ssl3.rsa_aes_256_sha", false); // known to leak and increase fingerprint
 lockPref("security.ssl3.rsa_aes_128_sha", false); // known to leak and increase fingerprint
 lockPref("browser.safebrowsing.allowOverride", false); // we do not have SB enabled so we don't care if the bypass button is shown
+<<<<<<< HEAD
 defaultPref("browser.ctrlTab.recentlyUsedOrder", false); // why should be disable this?
 lockPref("services.blocklist.onecrl.collection", ""); // Deprecated
 lockPref("font.blacklist.underline_offset", ""); // knwown to increase fingerprint
@@ -856,6 +860,11 @@ lockPref("identity.fxaccounts.service.sendLoginUrl", ""); // Deprecated
 >>>>>>> 55c94dc (reorganized, revisited)
 =======
 >>>>>>> c16522a (added re-enabling guides)
+=======
+defaultPref("browser.ctrlTab.recentlyUsedOrder", false); // why?
+lockPref("services.blocklist.onecrl.collection", ""); // Deprecated
+
+>>>>>>> 4041ab1 (reorganized and improved some entries)
 ```
 
 #### Unlocked
@@ -933,7 +942,14 @@ lockPref("network.http.referer.trimmingPolicy", 0);
 defaultPref("extensions.blocklist.enabled", false);
 defaultPref("extensions.blocklist.detailsURL", "");
 defaultPref("extensions.blocklist.itemURL", "");
+<<<<<<< HEAD
 >>>>>>> c16522a (added re-enabling guides)
+=======
+
+// someone might want to have it on for security concerns
+defaultPref("security.OCSP.enabled", 0);
+defaultPref("security.OCSP.require", false);
+>>>>>>> 4041ab1 (reorganized and improved some entries)
 ```
 
 ## How to...
@@ -1097,5 +1113,14 @@ extensions.update.url = "https://versioncheck.addons.mozilla.org/update/VersionC
 %ITEM_MAXAPPVERSION%&status=%ITEM_STATUS%&appID=%APP_ID%&appVersion=%APP_VERSION%&appOS=
 %APP_OS%&appABI=%APP_ABI%&locale=%APP_LOCALE%&currentAppVersion=
 %CURRENT_APP_VERSION%&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%"
+<<<<<<< HEAD
 >>>>>>> c16522a (added re-enabling guides)
-```
+```
+=======
+```
+#### Enable OCSP certificate checking
+```
+security.OCSP.enabled = 1
+```
+you probably also want `security.OCSP.require = true`
+>>>>>>> 4041ab1 (reorganized and improved some entries)

librewolf.cfg

@@ -660,6 +660,7 @@ lockPref("network.http.altsvc.enabled", false);
 lockPref("network.http.altsvc.oe", false);
 defaultPref("dom.security.https_only_mode", true);
 defaultPref("dom.security.https_only_mode_pbm", true);
+lockPref("network.http.redirection-limit", 10);
 
 // --------------------------------------
 // TLS
@@ -685,6 +686,7 @@ lockPref("network.stricttransportsecurity.preloadlist",	false);
 
 defaultPref("privacy.resistFingerprinting", true);
 defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true);
+lockPref("browser.startup.blankWindow", false); // breaks RFP windows resizing
 
 // --------------------------------------
 // LANGUAGE AND REGION
@@ -1027,27 +1029,18 @@ lockPref("app.normandy.dev_mode", false);
 // SECURITY
 // --------------------------------
 
-// certs
+// certificates
 lockPref("security.cert_pinning.enforcement_level", 2);
-lockPref("security.OCSP.enabled", 0);
+defaultPref("security.OCSP.enabled", 0);
-lockPref("security.OCSP.require", false);
+defaultPref("security.OCSP.require", false);
 lockPref("security.ssl.enable_ocsp_stapling", true);
+lockPref("security.pki.sha1_enforcement_level", 1);
 
 // mixed content
-lockPref("security.mixed_content.upgrade_display_content", true);
 lockPref("security.mixed_content.block_object_subrequest", true);
 lockPref("security.mixed_content.block_display_content", true);
 lockPref("security.mixed_content.block_active_content", true);
 
-// ciphers
-lockPref("security.pki.sha1_enforcement_level", 1);
-lockPref("security.ssl3.rsa_des_ede3_sha", false);
-lockPref("security.ssl3.rsa_aes_256_sha", false);
-lockPref("security.ssl3.rsa_aes_128_sha", false);
-lockPref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
-lockPref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
-lockPref("security.ssl3.rsa_seed_sha", false);
-
 // reduce breakage
 defaultPref("security.remote_settings.intermediates.enabled", true);
 
@@ -1084,7 +1077,12 @@ lockPref("security.insecure_connection_text.pbmode.enabled", true);
 lockPref("browser.safebrowsing.malware.enabled", false);
 lockPref("browser.safebrowsing.passwords.enabled", false);
 lockPref("browser.safebrowsing.phishing.enabled", false);
+<<<<<<< HEAD
 >>>>>>> 55c94dc (reorganized, revisited)
+=======
+
+// downloads and unwanted software
+>>>>>>> 4041ab1 (reorganized and improved some entries)
 lockPref("browser.safebrowsing.downloads.enabled", false);
 lockPref("browser.safebrowsing.downloads.remote.enabled", false);
 lockPref("browser.safebrowsing.downloads.remote.block_dangerous", false);
@@ -1093,6 +1091,7 @@ lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", fal
 lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false);
 lockPref("browser.safebrowsing.downloads.remote.url", "");
 <<<<<<< HEAD
+<<<<<<< HEAD
 
 // could try re-enabling some of these urls to see if it causes connections
 lockPref("browser.safebrowsing.id", "");
@@ -1100,6 +1099,11 @@ lockPref("browser.safebrowsing.id", "");
 lockPref("browser.safebrowsing.id", "");
 lockPref("browser.safebrowsing.allowOverride", false);
 >>>>>>> 55c94dc (reorganized, revisited)
+=======
+
+// could try re-enabling some of these urls to see if it causes connections
+lockPref("browser.safebrowsing.id", "");
+>>>>>>> 4041ab1 (reorganized and improved some entries)
 lockPref("browser.safebrowsing.blockedURIs.enabled", false);
 lockPref("browser.safebrowsing.provider.google4.pver", "");
 lockPref("browser.safebrowsing.provider.google4.advisoryName", "");
@@ -1286,48 +1290,45 @@ lockPref("javascript.options.shared_memory", false);
 // MISC
 // --------------------------------
 
-lockPref("app.update.auto", false);
+// ui
-lockPref("app.update.staging.enabled", false);
-lockPref("app.update.lastUpdateTime.telemetry_modules_ping", 0);
-lockPref("app.update.url.details", "https://gitlab.com/librewolf-community/browser");
-lockPref("app.update.url.manual", "https://gitlab.com/librewolf-community/browser");
 defaultPref("browser.tabs.drawInTitlebar", true);
-lockPref("browser.shell.checkDefaultBrowser", false);
+defaultPref("browser.aboutConfig.showWarning", false);
+defaultPref("browser.download.autohideButton", false);
+defaultPref("privacy.userContext.ui.enabled", true);
+
+// more important stuff
 lockPref("browser.shell.shortcutFavicons", false);
-defaultPref("alerts.showFavicons", false); // default: false
+defaultPref("alerts.showFavicons", false);
+defaultPref("browser.link.open_newwindow", 3);
+defaultPref("browser.link.open_newwindow.restriction", 0);
+lockPref("security.data_uri.block_toplevel_data_uri_navigations", true);
+
+// settings
+lockPref("browser.shell.checkDefaultBrowser", false);
 defaultPref("startup.homepage_override_url", "about:blank");
 defaultPref("startup.homepage_welcome_url", "about:blank");
 defaultPref("startup.homepage_welcome_url.additional", "");
-lockPref("browser.startup.blankWindow", false);
-defaultPref("privacy.userContext.ui.enabled", true);
 defaultPref("privacy.userContext.enabled", true);
-defaultPref("browser.aboutConfig.showWarning", false);
-defaultPref("browser.download.autohideButton", false);
-defaultPref("browser.ctrlTab.recentlyUsedOrder", false);
-defaultPref("browser.link.open_newwindow", 3);
-defaultPref("browser.link.open_newwindow.restriction", 0);
 defaultPref("layout.spellcheckDefault", 2);
 defaultPref("general.autoScroll", false);
 defaultPref("clipboard.autocopy", false);
+defaultPref("browser.tabs.loadBookmarksInTabs", true);
+lockPref("browser.download.manager.addToRecentDocs", false);
+lockPref("webchannel.allowObject.urlWhitelist", "");
+
+// pdf reader
 defaultPref("pdfjs.disabled", false);
 defaultPref("pdfjs.enableScripting", false);
 defaultPref("pdfjs.enableWebGL", false);
 defaultPref("pdfjs.previousHandler.alwaysAskBeforeHandling", true);
 defaultPref("pdfjs.enabledCache.state", false);
-defaultPref("browser.tabs.loadBookmarksInTabs", true);
+
 defaultPref("devtools.debugger.remote-enabled", false);
 defaultPref("devtools.chrome.enabled", false);
-lockPref("toolkit.coverage.endpoint.base", "");
-lockPref("toolkit.coverage.opt-out", true);
-lockPref("toolkit.coverage.enabled", false);
-lockPref("webchannel.allowObject.urlWhitelist", "");
-lockPref("browser.download.manager.addToRecentDocs", false);
-lockPref("network.http.redirection-limit", 10);
-lockPref("security.data_uri.block_toplevel_data_uri_navigations", true);
-lockPref("services.blocklist.onecrl.collection", ""); // could it be replaced by services.settings.security.onecrl.collection ?
 lockPref("services.blocklist.addons.collection", "");
 lockPref("services.blocklist.plugins.collection", "");
 lockPref("services.blocklist.gfx.collection", "");
+
 lockPref("network.file.disable_unc_paths", true); // (hidden pref)
 lockPref("network.gio.supported-protocols", ""); // (hidden pref)
 lockPref("network.auth.subresource-img-cross-origin-http-auth-allow", false);
@@ -1610,7 +1611,17 @@ lockPref("network.http.speculative-parallel-limit", 0);
 // OUTGOING CONNECTIONS
 // --------------------------------
 
+<<<<<<< HEAD
 >>>>>>> 653a6ed (knocked out some more prefs)
+=======
+// updates
+lockPref("app.update.auto", false);
+lockPref("app.update.staging.enabled", false);
+lockPref("app.update.lastUpdateTime.telemetry_modules_ping", 0);
+lockPref("app.update.url.details", "https://gitlab.com/librewolf-community/browser");
+lockPref("app.update.url.manual", "https://gitlab.com/librewolf-community/browser");
+
+>>>>>>> 4041ab1 (reorganized and improved some entries)
 // connectivity service
 lockPref("network.connectivity-service.enabled", false);
 lockPref("network.connectivity-service.IPv6.url", "http://0.0.0.0");
@@ -1661,6 +1672,7 @@ lockPref("security.protectionspopup.recordEventTelemetry", false);
 lockPref("datareporting.healthreport.uploadEnabled", false);
 lockPref("datareporting.policy.dataSubmissionEnabled", false);
 <<<<<<< HEAD
+<<<<<<< HEAD
 lockPref("toolkit.coverage.endpoint.base", "");
 lockPref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF]
 lockPref("toolkit.coverage.opt-out", true);
@@ -1696,6 +1708,11 @@ lockPref("security.protectionspopup.recordEventTelemetry", false);
 lockPref("datareporting.healthreport.uploadEnabled", false);
 lockPref("datareporting.policy.dataSubmissionEnabled", false);
 >>>>>>> 7887469 (reviewed and reorganized up to extensions)
+=======
+lockPref("toolkit.coverage.endpoint.base", "");
+lockPref("toolkit.coverage.opt-out", true);
+lockPref("toolkit.coverage.enabled", false);
+>>>>>>> 4041ab1 (reorganized and improved some entries)
 
 // pocket
 >>>>>>> 653a6ed (knocked out some more prefs)
@@ -2045,19 +2062,6 @@ lockPref("social.remote-install.enabled", false);
 // Pref :
 lockPref("social.whitelist", "");
 
-// Pref : Disable RC4
-// https://developer.mozilla.org/en-US/Firefox/Releases/38#Security
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1138882
-// https://rc4.io/
-// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
-lockPref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
-lockPref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
-lockPref("security.ssl3.rsa_rc4_128_md5", false);
-lockPref("security.ssl3.rsa_rc4_128_sha", false);
-lockPref("security.tls.unrestricted_rc4_fallback", false);
-
-
-
 defaultPref("xpinstall.signatures.required", true);
 
 // https://www.ghacks.net/2019/05/24/firefox-69-userchrome-css-and-usercontent-css-disabled-by-default/