From ed9334d258d20830deafe1a02b87b0cea678236d Mon Sep 17 00:00:00 2001 From: fxbrit <8320298-fxbrit@users.noreply.gitlab.com> Date: Wed, 21 Sep 2022 11:59:15 +0200 Subject: [PATCH 1/4] enable APS --- docs/Changelog.md | 15 +++++++++++++++ librewolf.cfg | 3 ++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 1c3d06e..6457d1f 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -1,6 +1,21 @@ This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version. Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config. +# 6.10 + +**target commit**: + +**base librewolf version**: 104.x + +**References**: + +- [enable APS](https://github.com/arkenfox/user.js/issues/1530#issuecomment-1242850653); + +#### Added preferences +``` +defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage", true); +``` + # 6.9 **target commit**: diff --git a/librewolf.cfg b/librewolf.cfg index a43262e..d92a42e 100755 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -6,7 +6,7 @@ * * WARNING: please make sure the first line of this file is empty. this is a known bug. */ -defaultPref("librewolf.cfg.version", "6.9"); +defaultPref("librewolf.cfg.version", "6.10"); /** INDEX @@ -43,6 +43,7 @@ defaultPref("librewolf.cfg.version", "6.9"); */ pref("browser.contentblocking.category", "strict"); defaultPref("privacy.partition.serviceWorkers", true); // isolate service workers, default v105+ +defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage", true); /** [SECTION] SANITIZING * all the cleaning prefs true by default except for siteSetting and offlineApps, From 4445fa8ee9ba6cbd0b6c44ec296500ac92ca991a Mon Sep 17 00:00:00 2001 
From: fxbrit <8320298-fxbrit@users.noreply.gitlab.com> Date: Wed, 21 Sep 2022 12:05:07 +0200 Subject: [PATCH 2/4] add comments --- librewolf.cfg | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/librewolf.cfg b/librewolf.cfg index d92a42e..a44add5 100755 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -42,8 +42,8 @@ defaultPref("librewolf.cfg.version", "6.10"); * the UI that allows to change mode manually is hidden. */ pref("browser.contentblocking.category", "strict"); -defaultPref("privacy.partition.serviceWorkers", true); // isolate service workers, default v105+ -defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage", true); +defaultPref("privacy.partition.serviceWorkers", true); // default v105+ +defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage", true); // enable APS /** [SECTION] SANITIZING * all the cleaning prefs true by default except for siteSetting and offlineApps, From 2f9f56d8ffb07bad6deaee20ae1556acee87597c Mon Sep 17 00:00:00 2001 From: fxbrit <8320298-fxbrit@users.noreply.gitlab.com> Date: Wed, 5 Oct 2022 10:40:49 +0200 Subject: [PATCH 3/4] minimize number of prefs, fix accessibility issues --- docs/Changelog.md | 27 +++++++++++++++++++++++++-- librewolf.cfg | 36 +++++++++++++----------------------- 2 files changed, 38 insertions(+), 25 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 6457d1f..7b499e2 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
@@ -1,19 +1,42 @@ This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version. Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config. -# 6.10 +# 7.0 **target commit**: -**base librewolf version**: 104.x +**base librewolf version**: 105.x **References**: - [enable APS](https://github.com/arkenfox/user.js/issues/1530#issuecomment-1242850653); +- trim unnecessary or default NTP prefs, tidy existing ones; +- stick to default session restore interval for writes; +- remove a bunch of default prefs that have been that way for the longest; +- offer accessibility by default. #### Added preferences ``` defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage", true); +defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false); +``` + +#### Removed preferences +``` +defaultPref("browser.newtab.preload", false); +lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); +lockPref("browser.newtabpage.activity-stream.discoverystream.enabled", false); +lockPref("browser.newtabpage.activity-stream.feeds.snippets", false); // default +lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false); +defaultPref("browser.sessionstore.interval", 60000); // increase time between session saves +defaultPref("network.http.windows-sso.enabled", false); // default +defaultPref("privacy.partition.serviceWorkers", true); // default v105+ +defaultPref("accessibility.force_disabled", 1); // block accessibility services +lockPref("toolkit.telemetry.shutdownPingSender.enabledFirstSession", false); // default +lockPref("toolkit.telemetry.reportingpolicy.firstRun", false); // default +defaultPref("network.http.referer.XOriginPolicy", 0); // default +lockPref("browser.safebrowsing.passwords.enabled", false); // default 
+lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false); // default ``` # 6.9 diff --git a/librewolf.cfg b/librewolf.cfg index a44add5..a99f6ac 100755 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -6,7 +6,7 @@ * * WARNING: please make sure the first line of this file is empty. this is a known bug. */ -defaultPref("librewolf.cfg.version", "6.10"); +defaultPref("librewolf.cfg.version", "7.0"); /** INDEX @@ -42,8 +42,9 @@ defaultPref("librewolf.cfg.version", "6.10"); * the UI that allows to change mode manually is hidden. */ pref("browser.contentblocking.category", "strict"); -defaultPref("privacy.partition.serviceWorkers", true); // default v105+ -defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage", true); // enable APS +// enable APS +defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage", true); +defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false); /** [SECTION] SANITIZING * all the cleaning prefs true by default except for siteSetting and offlineApps, @@ -72,7 +73,6 @@ pref("privacy.history.custom", true); pref("browser.privatebrowsing.autostart", false); defaultPref("browser.formfill.enable", false); // disable form history defaultPref("browser.sessionstore.privacy_level", 2); // prevent websites from storing session data like cookies and forms -defaultPref("browser.sessionstore.interval", 60000); // increase time between session saves /** [SECTION] QUERY STRIPPING * currently we set the same query stripping list that brave uses: 
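Review bot: The `// enable APS` comment above the two `privacy.partition.always_partition_third_party_non_cookie_storage*` lines in the `@@ -42,8 +42,9 @@` hunk never expands the acronym and does not say why `exempt_sessionstorage` is set to `false`. Someone auditing the storage-isolation settings has to follow the changelog link to learn what is being partitioned. Going by the pref names alone, something like `// always partition third-party non-cookie storage (APS), with no exemption for sessionStorage` would make the intent readable in place; confirm the wording against the linked arkenfox discussion. Both lines are `defaultPref`, so a profile can still override them, which may deserve a word in the same comment.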
@@ -100,7 +100,6 @@ defaultPref("security.mixed_content.block_display_content", true); // block inse * as a general rule, the behavior of referes which are not cross-origin should not * be changed. */ -defaultPref("network.http.referer.XOriginPolicy", 0); // default, might be worth changing to 2 to stop sending them completely defaultPref("network.http.referer.XOriginTrimmingPolicy", 2); // trim referer to only send scheme, host and port /** [SECTION] WEBRTC @@ -160,7 +159,7 @@ defaultPref("privacy.resistFingerprinting", true); // rfp related settings defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); // prevents rfp from breaking AMO defaultPref("browser.startup.blankWindow", false); // if set to true it breaks RFP windows resizing -defaultPref("browser.display.use_system_colors", false); // default but enforced due to RFP +defaultPref("browser.display.use_system_colors", false); // default except Windows /** * increase the size of new RFP windows for better usability, while still using a rounded value. * if the screen resolution is lower it will stretch to the biggest possible rounded value. @@ -228,10 +227,7 @@ lockPref("browser.safebrowsing.downloads.remote.enabled", false); lockPref("browser.safebrowsing.downloads.remote.url", ""); lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false); -// other safe browsing options, all default but enforce -lockPref("browser.safebrowsing.passwords.enabled", false); -lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false); -lockPref("browser.safebrowsing.provider.google4.dataSharingURL", ""); +lockPref("browser.safebrowsing.provider.google4.dataSharingURL", ""); // empty for defense in depth /** [SECTION] OTHERS */ defaultPref("network.IDN_show_punycode", true); // use punycode in idn to prevent spoofing 
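Review bot: The rewritten comment on `browser.display.use_system_colors` in the `@@ -160,7 +159,7 @@` hunk says where the value is already the default but no longer says why the file sets it. The old text tied it to RFP, and the line still sits under `// rfp related settings`, so the reason is worth keeping: `// default except Windows, enforced for RFP`.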
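Review bot: In the `@@ -228,10 +227,7 @@` hunk the two removed `lockPref` lines (`browser.safebrowsing.passwords.enabled` and `browser.safebrowsing.provider.google4.dataSharing.enabled`) lose their lock as well as their value, so after this change both rely on the upstream default and can be changed per profile. The changelog marks them `// default`, but the removed comment said they were default and enforced, and a later upstream default change would now take effect silently. If dropping them is intended, a comment next to the kept line should record the dependency, for example `// passwords.enabled and google4.dataSharing.enabled are left at their upstream default (false); re-check on each base version bump`. Keeping `dataSharingURL` locked empty limits the exposure for the data-sharing pref, but nothing in these lines does the same for `passwords.enabled`.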
@@ -386,7 +382,6 @@ defaultPref("devtools.selfxss.count", 0); // required for devtools console to wo /** [SECTION] OTHERS */ lockPref("browser.translation.engine", ""); // remove translation engine -defaultPref("accessibility.force_disabled", 1); // block accessibility services defaultPref("webchannel.allowObject.urlWhitelist", ""); // do not receive objects through webchannels defaultPref("services.settings.server", "https://%.invalid") // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code) 
@@ -420,24 +415,22 @@ lockPref("browser.uitour.url", ""); defaultPref("browser.shell.checkDefaultBrowser", false); /** [SECTION] NEW TAB PAGE - * we want the new tab page to display nothing but the search bar without anything distracting. + * we want NTP to display nothing but the search bar without anything distracting. + * the three prefs below are just for minimalism and they should be easy to revert for users. */ -defaultPref("browser.newtab.preload", false); defaultPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false); defaultPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false); defaultPref("browser.newtabpage.activity-stream.feeds.topsites", false); -// hide pocket and sponsored content, from new tab page and search bar +// hide stories and sponsored content from Firefox Home lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false); -lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false); -lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false); -lockPref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}"); // hide buggy pocket section from about:preferences#home lockPref("browser.newtabpage.activity-stream.showSponsored", false); lockPref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); +// disable telemetry in Firefox Home +lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false); lockPref("browser.newtabpage.activity-stream.telemetry", false); +// hide stories UI in about:preferences#home, empty highlights list +lockPref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}"); lockPref("browser.newtabpage.activity-stream.default.sites", ""); -lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); -lockPref("browser.newtabpage.activity-stream.discoverystream.enabled", false); 
-lockPref("browser.newtabpage.activity-stream.feeds.snippets", false); // default /** [SECTION] ABOUT * remove annoying ui elements from the about pages, including about:protections @@ -480,9 +473,7 @@ lockPref("toolkit.telemetry.newProfilePing.enabled", false); lockPref("toolkit.telemetry.updatePing.enabled", false); lockPref("toolkit.telemetry.firstShutdownPing.enabled", false); lockPref("toolkit.telemetry.shutdownPingSender.enabled", false); -lockPref("toolkit.telemetry.shutdownPingSender.enabledFirstSession", false); // default lockPref("toolkit.telemetry.bhrPing.enabled", false); -lockPref("toolkit.telemetry.reportingpolicy.firstRun", false); // default lockPref("toolkit.telemetry.cachedClientID", ""); lockPref("toolkit.telemetry.previousBuildID", ""); lockPref("toolkit.telemetry.server_owner", ""); @@ -530,7 +521,6 @@ lockPref("default-browser-agent.enabled", false); // disable windows specific te defaultPref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store lockPref("toolkit.winRegisterApplicationRestart", false); // disable automatic start and session restore after reboot lockPref("security.family_safety.mode", 0); // disable win8.1 family safety cert -defaultPref("network.http.windows-sso.enabled", false); // disable MS auto authentication via sso From 1bdfd333e31c3d119c0bf5506a56b2026ead3583 Mon Sep 17 00:00:00 2001 From: fxbrit <8320298-fxbrit@users.noreply.gitlab.com> Date: Wed, 5 Oct 2022 11:17:56 +0200 Subject: [PATCH 4/4] change autoplay policy, allow svg opentype fonts --- docs/Changelog.md | 10 +++++++--- librewolf.cfg | 13 +++++-------- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 7b499e2..4600604 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
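Review bot: Three of the `lockPref` lines removed in the NEW TAB PAGE hunk (`@@ -420,24 +415,22 @@`) — `feeds.discoverystreamfeed`, `discoverystream.enabled` and `feeds.system.topstories` — are listed in the changelog without the `// default` note that `feeds.snippets` carries, so the diff gives no evidence that upstream already ships them as `false`. They were locked before, and after this change they are neither set nor locked. Whether the remaining `feeds.section.topstories` and `showSponsored*` locks are enough to keep the stories feed from being fetched is not visible from these lines. If they are, say so in the `// hide stories and sponsored content from Firefox Home` comment; if not, keep `lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false);`.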
@@ -10,10 +10,12 @@ Setting versions are documented using the pref `librewolf.cfg.version`, availabl **References**: - [enable APS](https://github.com/arkenfox/user.js/issues/1530#issuecomment-1242850653); -- trim unnecessary or default NTP prefs, tidy existing ones; +- trim unnecessary or default NTP prefs, then tidy existing ones; - stick to default session restore interval for writes; - remove a bunch of default prefs that have been that way for the longest; -- offer accessibility by default. +- offer accessibility by default; +- remove hardcore svg security pref since CVEs are very old and irrelevant, see [this discussion](https://github.com/arkenfox/user.js/issues/1529); +- improve [autoplay behavior](https://gitlab.com/librewolf-community/settings/-/issues/213). #### Added preferences ``` @@ -37,11 +39,13 @@ lockPref("toolkit.telemetry.reportingpolicy.firstRun", false); // default defaultPref("network.http.referer.XOriginPolicy", 0); // default lockPref("browser.safebrowsing.passwords.enabled", false); // default lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false); // default +defaultPref("gfx.font_rendering.opentype_svg.enabled", false); // disale svg opentype fonts +defaultPref("media.autoplay.blocking_policy", 2); ``` # 6.9 -**target commit**: +**target commit**: 49a705f835e1438372fbdf1a779fbc5846212a68 **base librewolf version**: 104.x diff --git a/librewolf.cfg b/librewolf.cfg index a99f6ac..7c03b95 100755 --- a/librewolf.cfg +++ b/librewolf.cfg 
@@ -15,7 +15,7 @@ defaultPref("librewolf.cfg.version", "7.0"); * PRIVACY [ISOLATION, SANITIZING, CACHE AND STORAGE, HISTORY AND SESSION RESTORE, QUERY STRIPPING] * NETWORKING [HTTPS, REFERERS, WEBRTC, PROXY, DNS, PREFETCHING AND SPECULATIVE CONNECTIONS, OFFLINE] * FINGERPRINTING [RFP, WEBGL] - * SECURITY [SITE ISOLATION, CERTIFICATES, TLS/SSL, PERMISSIONS, FONTS, SAFE BROWSING, OTHERS] + * SECURITY [SITE ISOLATION, CERTIFICATES, TLS/SSL, PERMISSIONS, SAFE BROWSING, OTHERS] * REGION [LOCATION, LANGUAGE] * BEHAVIOR [DRM, SEARCH AND URLBAR, DOWNLOADS, AUTOPLAY, POP-UPS AND WINDOWS, MOUSE] * EXTENSIONS [USER INSTALLED, SYSTEM, EXTENSION FIREWALL] @@ -204,9 +204,6 @@ defaultPref("browser.xul.error_pages.expert_bad_cert", true); lockPref("permissions.delegation.enabled", false); // force permission request to show real origin lockPref("permissions.manager.defaultsUrl", ""); // revoke special permissions for some mozilla domains -/** [SECTION] FONTS */ -defaultPref("gfx.font_rendering.opentype_svg.enabled", false); // disale svg opentype fonts - /** [SECTION] SAFE BROWSING * disable safe browsing, including the fetch of updates. reverting the 7 prefs below * allows to perform local checks and to fetch updated lists from google. 
@@ -290,10 +287,10 @@ defaultPref("browser.download.manager.addToRecentDocs", false); // do not add do defaultPref("browser.download.alwaysOpenPanel", false); // do not expand toolbar menu for every download, we already have enough interaction /** [SECTION] AUTOPLAY - * block autoplay unless element is clicked, and apply the policy to all elements - * including muted ones. + * block autoplay unless element is right-clicked. this means background videos, videos in a different tab, + * or media opened while other media is played will not start automatically. + * thumbnails will not autoplay unless hovered. exceptions can be set. */ -defaultPref("media.autoplay.blocking_policy", 2); defaultPref("media.autoplay.default", 5); /** [SECTION] POP-UPS AND WINDOWS @@ -376,7 +373,7 @@ defaultPref("privacy.userContext.ui.enabled", true); * disable chrome and remote debugging. */ defaultPref("devtools.chrome.enabled", false); -defaultPref("devtools.debugger.remote-enabled", false); +defaultPref("devtools.debugger.remote-enabled", false); // default defaultPref("devtools.remote.adb.extensionURL", ""); defaultPref("devtools.selfxss.count", 0); // required for devtools console to work
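Review bot: The new AUTOPLAY comment in the `@@ -290,10 +287,10 @@` hunk describes behaviour that now depends on a pref the file no longer sets: `media.autoplay.blocking_policy` is removed, so only `media.autoplay.default` remains and the blocking policy is whatever upstream ships. The comment should name that dependency, for example by adding ` * media.autoplay.blocking_policy is left at the upstream default.` so a future default change is noticed. The wording "right-clicked" also reads oddly next to the old "clicked"; confirm against the linked settings issue 213 that a right click is really what is meant.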