diff --git a/Changelog.md b/Changelog.md index 3100ba1..0065ffc 100755 --- a/Changelog.md +++ b/Changelog.md @@ -58,6 +58,7 @@ defaultPref("extensions.postDownloadThirdPartyPrompt", false); defaultPref("general.warnOnAboutConfig", false); defaultPref("network.auth.subresource-http-auth-allow", 1); defaultPref("browser.display.use_system_colors", false); +<<<<<<< HEAD ======= defaultPref("intl.accept_languages", "en-US, en"); ======= @@ -105,6 +106,8 @@ defaultPref("extensions.postDownloadThirdPartyPrompt", false); defaultPref("general.warnOnAboutConfig", false); defaultPref("network.auth.subresource-http-auth-allow", 1); >>>>>>> 0267245 (added some new prefs from arkenfox) +======= +>>>>>>> e7a5601 (more good stuff) ``` #### Modified @@ -128,6 +131,7 @@ defaultPref("privacy.cpd.offlineApps", false); // For consistency with new cooki lockPref("devtools.performance.recording.ui-base-url", "http://localhost:55555"); // Previously redirected to localhost:4242 defaultPref("media.autoplay.blocking_policy", 2); // Previously media.autoplay.enabled.user-gestures-needed defaultPref("media.memory_cache_max_size", 65536); // previously lockPref("media.memory_cache_max_size", 16384); +<<<<<<< HEAD ======= lockPref("devtools.performance.recording.ui-base-url", ""); // Previously redirected to localhost ======= @@ -150,6 +154,8 @@ lockPref("services.sync.prefs.sync.browser.contentblocking.category", false); // ======= defaultPref("media.autoplay.blocking_policy", 2); // Previously media.autoplay.enabled.user-gestures-needed >>>>>>> 269747e (fixed lang fp, relaxed xorigin) +======= +>>>>>>> e7a5601 (more good stuff) ``` #### Removed 
@@ -577,10 +583,14 @@ defaultPref("layers.acceleration.force-enabled", true); // out of scope, not wor lockPref("privacy.trackingprotection.testing.report_blocked_node", false); // default false and we have tracking protection disabled lockPref("privacy.trackingprotection.origin_telemetry.enabled", false); // default false and we have tracking protection disabled <<<<<<< HEAD +<<<<<<< HEAD lockPref("privacy.trackingprotection.lower_network_priority", false); // default ======= lockPref("privacy.trackingprotection.lower_network_priority", false); // default false and we have tracking protection disabled >>>>>>> 48fecfd (removed redundant stuff) +======= +lockPref("privacy.trackingprotection.lower_network_priority", false); // default +>>>>>>> e7a5601 (more good stuff) lockPref("telemetry.origin_telemetry_test_mode.enabled", false); // default false and we have tracking protection disabled lockPref("signon.storeSignons", false); // Deprecated lockPref("browser.urlbar.filter.javascript", true); // default @@ -1060,6 +1070,7 @@ defaultPref("general.oscpu.override", "Windows NT 6.1"); // no benefit over RFP, lockPref("general.buildID.override", "20100101"); // no benefit over RFP lockPref("browser.startup.homepage_override.buildID", "20100101"); // no benefit over RFP defaultPref("general.useragent.override", "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"); // no benefit over RFP and without may increase FP +<<<<<<< HEAD >>>>>>> 934010b (removed overrides for spoofing) ``` 
@@ -1370,6 +1381,29 @@ dom.storage.next_gen -> DISCUSS javascript.options.wasm -> DISCUSS security.pki.crlite_mode -> DISCUSS security.remote_settings.crlite_filters.enabled -> DISCUSS +======= +lockPref("security.insecure_connection_icon.enabled", true); // Default +lockPref("security.insecure_connection_icon.pbmode.enabled", true); // Default +lockPref("browser.bookmarks.restore_default_bookmarks", false); // Default +lockPref("browser.contentblocking.cfr-milestone.enabled", false); // not needed with contenblocking disabled +lockPref("app.normandy.first_run", false); // default +lockPref("browser.send_pings", false); // default +lockPref("browser.send_pings.require_same_host", true); // default +defaultPref("browser.tabs.closeTabByDblclick", true); // why? +lockPref("devtools.debugger.force-local", true); // default +lockPref("gfx.offscreencanvas.enabled", false); // default +lockPref("media.webspeech.recognition.enable", false); // default +lockPref("network.auth.subresource-img-cross-origin-http-auth-allow", false); // default +lockPref("remote.force-local", true); // default +lockPref("security.data_uri.block_toplevel_data_uri_navigations", true); // default +lockPref("security.fileuri.strict_origin_policy", true); // default +lockPref("security.insecure_field_warning.contextual.enabled", true); // default +defaultPref("security.remote_settings.intermediates.enabled", true); // default +lockPref("xpinstall.whitelist.required", true); // default +lockPref("browser.sessionhistory.max_entries", 20); // why? +lockPref("extensions.webapi.testing", false); // hidden but default false +lockPref("canvas.capturestream.enabled", false); // any real benefit? +>>>>>>> e7a5601 (more good stuff) ``` <<<<<<< HEAD >>>>>>> 0267245 (added some new prefs from arkenfox) 
@@ -1547,4 +1581,132 @@ lockPref("browser.contentblocking.report.vpn-ios.url", ""); lockPref("browser.contentblocking.report.vpn-android.url", ""); */ ``` +<<<<<<< HEAD >>>>>>> 48fecfd (removed redundant stuff) +======= + +#### Unlocked +Locked prefs that were unlocked, more should be unlocked probably +``` +lockPref("general.config.filename", "librewolf.cfg"); + +// Unlocked as some think it increases fingerprint, they can now disable it +defaultPref("privacy.donottrackheader.enabled", true); + +// Unlocked as some think it increases fingerprint, they can now disable it +defaultPref("permissions.default.geo", 2); + +defaultPref("extensions.getAddons.themes.browseURL", "") + +defaultPref("pdfjs.enableWebGL", false); +defaultPref("pdfjs.previousHandler.alwaysAskBeforeHandling", true); +defaultPref("pdfjs.enabledCache.state", false); + +defaultPref("alerts.showFavicons", false); // default: false + +defaultPref("security.remote_settings.intermediates.enabled", true); + +// Unlocked as some think it increases fingerprint, they can now disable it +defaultPref("dom.battery.enabled", false); + +defaultPref("browser.tabs.closeTabByDblclick", true); + +// Unlocked as known to cause breakage +defaultPref("dom.event.clipboardevents.enabled", false); + +// already default and no reason to lock it +lockPref("network.http.referer.trimmingPolicy", 0); + +defaultPref("extensions.blocklist.enabled", false); +defaultPref("extensions.blocklist.detailsURL", ""); +defaultPref("extensions.blocklist.itemURL", ""); + +// someone might want to have it on for security concerns +defaultPref("security.OCSP.enabled", 0); +defaultPref("security.OCSP.require", false); + +defaultPref("reader.parse-on-load.enabled", false); +``` + +#### Made default +Prefs that were user set and are now default +``` +defaultPref("signon.management.page.breach-alerts.enabled", false); +defaultPref("signon.management.page.breachAlertUrl", ""); +defaultPref("startup.homepage_override_url", "about:blank"); 
+defaultPref("startup.homepage_welcome_url", "about:blank"); +defaultPref("startup.homepage_welcome_url.additional", ""); +defaultPref("identity.sendtabpromo.url", ""); +``` +#### To discuss +Prefs that need to be addressed and potential roadmap +``` +Open points: +// How much should we lock? +// How in depth should we go with urls +// SB - make re-enabling easier, test connections +// GEO - review to allow easier re-enabling +// evaluate certificate handling (oscp, crlite, blocklist) + +missing from arkenfox in need of discussion: +security.pki.crlite_mode -> DISCUSS +security.remote_settings.crlite_filters.enabled -> DISCUSS +dom.security.https_only_mode_send_http_background_request -> DISCUSS +browser.download.useDownloadDir -> do we want to ask for download location each time? +``` + +#### Commented +Prefs that need to be addressed and that were disabled for now +``` +// all covered by previous prefs +// defaultPref("media.navigator.video.enabled", false); +// defaultPref("media.peerconnection.use_document_iceservers", false); +// defaultPref("media.peerconnection.identity.enabled", false); +// defaultPref("media.peerconnection.identity.timeout", 1); +// defaultPref("media.peerconnection.turn.disable", true); +// defaultPref("media.peerconnection.ice.tcp", false); +``` + +## How to... 
+#### Stay logged +Add website to exceptions before login, both http and https link +#### Enable DRM content +``` +media.eme.enabled = true +media.gmp-widevinecdm.visible = true +media.gmp-widevinecdm.enabled = true +media.gmp-provider.enabled = true +media.gmp-manager.url = https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml +``` +#### Use video conferencing +``` +media.peerconnection.enabled = true +media.peerconnection.ice.no_host = true +dom.webaudio.enabled = true +``` +screensharing `media.getusermedia.screensharing.enabled = true` +#### Enable addons search +``` +extensions.getAddons.search.browseURL = "https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%" +``` +#### Enable addons manual updates +``` +extensions.update.url = "https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion= +%REQ_VERSION%&id=%ITEM_ID%&version=%ITEM_VERSION%&maxAppVersion= +%ITEM_MAXAPPVERSION%&status=%ITEM_STATUS%&appID=%APP_ID%&appVersion=%APP_VERSION%&appOS= +%APP_OS%&appABI=%APP_ABI%&locale=%APP_LOCALE%¤tAppVersion= +%CURRENT_APP_VERSION%&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%" +``` +#### Enable OCSP certificate checking +``` +security.OCSP.enabled = 1 +``` +you probably also want `security.OCSP.require = true` + +#### Hardened setup +``` +defaultPref("javascript.options.asmjs", false); defaultPref("javascript.options.wasm", false); +defaultPref("webgl.disabled", true); +defaultPref("privacy.resistFingerprinting.letterboxing", true); +``` +>>>>>>> e7a5601 (more good stuff) diff --git a/librewolf.cfg b/librewolf.cfg index f69dfef..9092f96 100755 --- a/librewolf.cfg +++ b/librewolf.cfg 
@@ -187,6 +187,7 @@ if (home_directory) { >>>>>>> 01804b5 (add tags for .md rendering) // ----------------------------------- +<<<<<<< HEAD <<<<<<< HEAD <<<<<<< HEAD lockPref("browser.contentblocking.category", "custom"); // changing to other options is currently broken anyway @@ -197,6 +198,9 @@ defaultPref("browser.contentblocking.category", "custom"); // changing to other ======= defaultPref("browser.contentblocking.category", "custom"); // do not lock as it breaks UI >>>>>>> 48fecfd (removed redundant stuff) +======= +defaultPref("browser.contentblocking.category", "custom"); // do not lock as it breaks UI even more +>>>>>>> e7a5601 (more good stuff) lockPref("privacy.trackingprotection.enabled", false); lockPref("privacy.trackingprotection.pbmode.enabled", false); lockPref("privacy.trackingprotection.socialtracking.enabled", false); @@ -237,7 +241,6 @@ lockPref("browser.contentblocking.database.enabled", false); lockPref("browser.contentblocking.reportBreakage.url", ""); // hide ui elements -lockPref("browser.contentblocking.cfr-milestone.enabled", false); lockPref("browser.contentblocking.cryptomining.preferences.ui.enabled", false); lockPref("browser.contentblocking.fingerprinting.preferences.ui.enabled", false); lockPref("browser.contentblocking.report.hide_vpn_banner", true); @@ -247,6 +250,7 @@ lockPref("browser.contentblocking.report.monitor.enabled", false); lockPref("browser.contentblocking.report.proxy.enabled", false); lockPref("browser.contentblocking.report.vpn.enabled", false); +<<<<<<< HEAD // Windows only? lockPref("default-browser-agent.enabled", false); >>>>>>> 034d451 (reorganized tracking section + 3rd set of changes) @@ -257,6 +261,10 @@ lockPref("default-browser-agent.enabled", false); ======= // AUTOPLAY >>>>>>> a35eb4b (re-organized and reviewed) +======= +// ---------------------------------- +// # AUTOPLAY +>>>>>>> e7a5601 (more good stuff) // ---------------------------------- defaultPref("media.autoplay.default", 5); 
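Review bot: The added `<<<<<<< HEAD` line in the hunk at -187 is an unresolved merge-conflict marker, and the hunks at -197, -247, -257, -264, -295, -313, -933, -943, -1239, -1386, -1694, -1777, -1876 and -2229 add further `<<<<<<< HEAD`, `=======` and `>>>>>>> e7a5601 (more good stuff)` lines to librewolf.cfg. The file reads as a JavaScript autoconfig script, so each marker is a syntax error; if the loader stops on it, the `lockPref`/`defaultPref` hardening would presumably not be applied, which is worth confirming on a clean profile. Resolve every conflict to one side and delete the markers, so that for example `browser.contentblocking.category` is set exactly once. A pre-merge check that rejects lines matching `^(<<<<<<<|=======|>>>>>>>)` would keep this from recurring. The conflict regions begin and end outside the visible hunks.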
@@ -264,10 +272,14 @@ defaultPref("media.autoplay.blocking_policy", 2); // ----------------------------------------- <<<<<<< HEAD +<<<<<<< HEAD // # PASSWORD MANAGER ======= // PASSWORD MANAGER >>>>>>> a35eb4b (re-organized and reviewed) +======= +// # PASSWORD MANAGER +>>>>>>> e7a5601 (more good stuff) // ----------------------------------------- lockPref("signon.rememberSignons", false); @@ -295,6 +307,7 @@ lockPref("browser.search.update", false); >>>>>>> 45bf63e (processed everything up to EOF) // -------------------------------- +<<<<<<< HEAD // # SANITIZING, COOKIES AND HISTORY // -------------------------------- @@ -313,6 +326,9 @@ defaultPref("privacy.cpd.offlineApps", false); // just for consistency to avoid ======= // SEARCH AND URLBAR >>>>>>> 653a6ed (knocked out some more prefs) +======= +// # SEARCH AND URLBAR +>>>>>>> e7a5601 (more good stuff) // -------------------------------- defaultPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); @@ -350,7 +366,6 @@ defaultPref("browser.formfill.enable", false); defaultPref("privacy.sanitize.sanitizeOnShutdown", true); defaultPref("places.history.enabled", false); defaultPref("privacy.history.custom", true); -lockPref("browser.sessionhistory.max_entries", 20); <<<<<<< HEAD <<<<<<< HEAD @@ -720,7 +735,6 @@ lockPref("security.tls.enable_0rtt_data", false); lockPref("security.tls.version.enable-deprecated", false); lockPref("security.tls.version.fallback-limit", 3); lockPref("browser.xul.error_pages.expert_bad_cert", true); // advanced ui infos -lockPref("security.insecure_field_warning.contextual.enabled", true); // to check lockPref("network.stricttransportsecurity.preloadlist", false); 
@@ -933,9 +947,12 @@ lockPref("extensions.systemAddon.update.enabled", false); lockPref("xpinstall.signatures.devInfoURL", ""); <<<<<<< HEAD +<<<<<<< HEAD ======= lockPref("extensions.webapi.testing", false); // hidden prefs // default false >>>>>>> 48fecfd (removed redundant stuff) +======= +>>>>>>> e7a5601 (more good stuff) lockPref("extensions.webservice.discoverURL", ""); lockPref("webextensions.storage.sync.serverURL", ""); lockPref("extensions.screenshots.upload-disabled", true); @@ -943,10 +960,13 @@ lockPref("lightweightThemes.getMoreURL", ""); defaultPref("extensions.postDownloadThirdPartyPrompt", false); <<<<<<< HEAD <<<<<<< HEAD +<<<<<<< HEAD ======= ======= lockPref("xpinstall.whitelist.required", true); // default >>>>>>> 7732277 (imrpoved referers and language settings) +======= +>>>>>>> e7a5601 (more good stuff) <<<<<<< HEAD // to check @@ -1239,6 +1259,7 @@ lockPref("dom.ipc.plugins.reportCrashURL", false); lockPref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); lockPref("plugin.state.flash", 0); +<<<<<<< HEAD // more important stuff lockPref("browser.shell.shortcutFavicons", false); defaultPref("alerts.showFavicons", false); 
@@ -1386,21 +1407,18 @@ lockPref("gfx.font_rendering.opentype_svg.enabled", false); // # MISC // -------------------------------- +======= +>>>>>>> e7a5601 (more good stuff) // more important stuff lockPref("browser.shell.shortcutFavicons", false); defaultPref("alerts.showFavicons", false); defaultPref("browser.link.open_newwindow", 3); defaultPref("browser.link.open_newwindow.restriction", 0); -lockPref("security.data_uri.block_toplevel_data_uri_navigations", true); lockPref("network.file.disable_unc_paths", true); // (hidden pref) lockPref("network.gio.supported-protocols", ""); // (hidden pref) -lockPref("network.auth.subresource-img-cross-origin-http-auth-allow", false); lockPref("plugin.default.state", 1); -lockPref("plugin.state.flash", 0); -lockPref("gfx.offscreencanvas.enabled", false); // default: false -lockPref("canvas.capturestream.enabled", false); lockPref("network.IDN_show_punycode", true); -lockPref("security.fileuri.strict_origin_policy", true); +defaultPref("browser.display.use_system_colors", false); // default but enforced due to RFP // pocket, to check if we can remove lockPref("extensions.pocket.enabled", false); @@ -1416,7 +1434,6 @@ defaultPref("pdfjs.enabledCache.state", false); // remote agent lockPref("remote.enabled", false); -lockPref("remote.force-local", true); // settings and behavior lockPref("browser.shell.checkDefaultBrowser", false); 
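Review bot: The comment on the added `defaultPref("browser.display.use_system_colors", false); // default but enforced due to RFP` says "enforced", but `defaultPref` only sets a default that a user or a profile `user.js` can still change; either use `lockPref` or reword it to `// default; kept explicit because of RFP, not locked`. The same hunk drops the locks on `security.fileuri.strict_origin_policy`, `security.data_uri.block_toplevel_data_uri_navigations` and `network.auth.subresource-img-cross-origin-http-auth-allow`, and the hunks at -1416 and -1450 drop `remote.force-local` and `devtools.debugger.force-local`. A lock is not redundant with an upstream default: it also stops the value from being overridden and pins it if the upstream default later changes. If dropping them is intended, a one-line comment in the MISC section naming the security prefs now left to upstream defaults would make that decision visible to the next reviewer.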
@@ -1434,14 +1451,11 @@ lockPref("accessibility.force_disabled", 1); lockPref("browser.uitour.enabled", false); lockPref("middlemouse.contentLoadURL", false); defaultPref("accessibility.typeaheadfind", false); -lockPref("browser.bookmarks.restore_default_bookmarks", false); -defaultPref("browser.tabs.closeTabByDblclick", true); -lockPref("media.webspeech.recognition.enable", false); lockPref("network.manage-offline-status", false); lockPref("browser.helperApps.deleteTempFileOnExit", true); lockPref("browser.pagethumbnails.capturing_disabled", true); lockPref("browser.bookmarks.max_backups", 2); -lockPref("reader.parse-on-load.enabled", false); +defaultPref("reader.parse-on-load.enabled", false); // devtools defaultPref("devtools.debugger.remote-enabled", false); @@ -1450,7 +1464,6 @@ lockPref("devtools.performance.recording.ui-base-url", "http://localhost:55555") lockPref("devtools.devices.url", ""); lockPref("devtools.remote.adb.extensionURL", ""); // [FF64+] lockPref("devtools.remote.adb.extensionID", ""); // default adb@mozilla.org [FF64+] -lockPref("devtools.debugger.force-local", true); defaultPref("devtools.selfxss.count", 0); // see https://gitlab.com/librewolf-community/browser/linux/-/issues/80 // ui @@ -1479,7 +1492,6 @@ lockPref("accessibility.support.url", ""); lockPref("app.support.baseURL", ""); lockPref("browser.uitour.url", ""); lockPref("webchannel.allowObject.urlWhitelist", ""); -lockPref("browser.chrome.errorReporter.infoURL", ""); lockPref("browser.dictionaries.download.url", ""); lockPref("browser.geolocation.warning.infoURL", ""); lockPref("browser.search.searchEnginesURL", ""); 
@@ -1502,7 +1514,7 @@ lockPref("gecko.handlerService.schemes.webcal.0.uriTemplate", ""); lockPref("browser.cache.offline.storage.enable", false); lockPref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+] -lockPref("media.memory_cache_max_size", 16384); +defaultPref("media.memory_cache_max_size", 65536); // -------------------------------- // # WEBGL AND PERFORMANCE @@ -1694,11 +1706,14 @@ lockPref("app.shield.optoutstudies.enabled", false); lockPref("beacon.enabled", false); lockPref("browser.ping-centre.telemetry", false); +<<<<<<< HEAD // ping lockPref("browser.send_pings", false); lockPref("browser.send_pings.require_same_host", true); >>>>>>> 8b7a898 (updated and started editing external protocols) +======= +>>>>>>> e7a5601 (more good stuff) // discovery lockPref("browser.discovery.enabled", false); lockPref("browser.discovery.containers.enabled", false); @@ -1777,6 +1792,7 @@ lockPref("browser.tabs.crashReporting.sendReport", false); lockPref("browser.crashReports.unsubmittedCheck.enabled", false); lockPref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); <<<<<<< HEAD +<<<<<<< HEAD >>>>>>> 8b7a898 (updated and started editing external protocols) ======= lockPref("dom.ipc.plugins.reportCrashURL", false); @@ -1876,6 +1892,8 @@ lockPref("breakpad.reportURL", ""); lockPref("browser.tabs.crashReporting.sendReport", false); lockPref("browser.crashReports.unsubmittedCheck.enabled", false); lockPref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); +======= +>>>>>>> e7a5601 (more good stuff) // captive portal lockPref("network.captive-portal-service.enabled", false); @@ -2229,6 +2247,9 @@ lockPref("toolkit.winRegisterApplicationRestart", false); lockPref("security.family_safety.mode", 0); <<<<<<< HEAD +<<<<<<< HEAD +======= +>>>>>>> e7a5601 (more good stuff) // Windows only? lockPref("default-browser-agent.enabled", false);
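Review bot: The new `defaultPref("media.memory_cache_max_size", 65536);` in the hunk at -1502 has no comment, although it changes both the value (previously 16384) and the lock state. The rationale is recorded only in Changelog.md; put it next to the pref, for example `// was lockPref 16384; raised and unlocked`, and state the unit of the number. Since the neighbouring `browser.privatebrowsing.forceMediaMemoryCache` stays locked, the comment should also say whether a larger in-memory media cache for private windows is the intended trade-off.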