From 6451faa167568313e5ed065fcb3ee2bb76132063 Mon Sep 17 00:00:00 2001 From: fxbrit Date: Thu, 26 Aug 2021 17:40:35 +0200 Subject: [PATCH 1/7] all done except review, tp and ntp --- docs/Changelog.md | 132 +++++++ librewolf.cfg | 921 +++++++++++++++++++++------------------------- 2 files changed, 543 insertions(+), 510 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index b10e1e3..599967a 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -123,3 +123,135 @@ defaultPref("dom.targetBlankNoOpener.enabled", true); // default since v79.0 defaultPref("webgl.enable-webgl2", false); lockPref("browser.newtabpage.activity-stream.feeds.section.highlights", false); // default ``` + +## 2.0 + +**References**: +- [web content can no longer access the battery api](https://bugzilla.mozilla.org/show_bug.cgi?id=1313580). +- http alternative services are [isolated by network partitioning and FPI](https://github.com/arkenfox/user.js/blob/269cf965bd51022ca69823f8f66a8e402280d856/user.js#L1350) and they are unchanged even in tor browser. from a security standpoint, the alternate service will need to provide the certificate of the origin in order to be considered trusthworthy. +- let the user decide what to manually clear, including the timespan. +- drm prefs have been trimmed as a quality of life improvement. the end result is the same, with less hassle for users who want to access drm-protected content. +- DNT header has been proved to not work and it is used to fingerprint. +- VR access is behind a prompt and, despite being unlikely, it could be fingerprinted. with all this on the table it's just not worth and overkill. +- vibrator API is so nieche that even tor does not change it. best to trim where possible. +- `extensions.getAddons.link.url"` is showed only when no extension is installed and it's not a bad suggestion to get addons from addons.mozilla.org so we can remove it. +- `browser.safebrowsing.downloads.remote.*` are all controlled by the 3 prefs already in the .cfg, which is the same approach taken by tor browser. +- graphite [is no longer as concerning](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite) and blocking it is likely fingerprintable. +- the pdf prefs and the bookmark backup are not really relevant to librewolf. +- as reported [here](https://bugzilla.mozilla.org/show_bug.cgi?id=1606624) the shared memory pref is no longer needed, so we can switch it back to default. + +**Notes** +Recent changes in the category `MISC > set librewolf support and releases urls` require to create a couple header for the landing page page. + +#### Removed preferences +``` +defaultPref("general.warnOnAboutConfig", false); // deprecated +defaultPref("dom.battery.enabled", false); +lockPref("network.http.altsvc.enabled", false); +lockPref("network.http.altsvc.oe", false); +lockPref("signon.storeWhenAutocompleteOff", false); // we do not suggest lockwise in the first place +defaultPref("signon.management.page.breach-alerts.enabled", false); // no harm for lockwise users +defaultPref("signon.management.page.breachAlertUrl", ""); // no harm for lockwise users +defaultPref("privacy.history.custom", true); // redundant +defaultPref("privacy.cpd.cookies", false); +defaultPref("privacy.cpd.offlineApps", false); // default +defaultPref("privacy.sanitize.timeSpan", 0); +defaultPref("media.gmp-widevinecdm.visible", false); +defaultPref("media.gmp-widevinecdm.enabled", false); +defaultPref("privacy.donottrackheader.enabled", true); +defaultPref("dom.vr.enabled", false); +defaultPref("dom.vibrator.enabled", false); +defaultPref("dom.push.connection.enabled", false); // redundant +defaultPref("dom.security.https_only_mode_pbm", true); // redundant +defaultPref("security.tls.version.fallback-limit", 3); // default is for, no need to enforce further +lockPref("extensions.webextensions.identity.redirectDomain", ""); // outdated and unchanged even in tor +defaultPref("extensions.getAddons.link.url", ""); // https://addons.mozilla.org/%LOCALE%/firefox/ +defaultPref("extensions.getAddons.get.url", ""); // redundant +lockPref("extensions.getAddons.discovery.api_url", ""); // redundant +lockPref("webextensions.storage.sync.serverURL", ""); // sync not supported +lockPref("extensions.webservice.discoverURL", ""); // deprecated +defaultPref("xpinstall.signatures.devInfoURL", ""); // link to wiki page +lockPref("app.normandy.user_id", ""); // redundant +lockPref("app.normandy.shieldLearnMoreUrl", ""); // redundant +lockPref("security.mixed_content.block_active_content", true); // default +defaultPref("security.insecure_connection_text.pbmode.enabled", true); // redundant +lockPref("browser.safebrowsing.downloads.remote.block_dangerous", false); +lockPref("browser.safebrowsing.downloads.remote.block_dangerous_host", false); +lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); +lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false); +lockPref("gfx.font_rendering.graphite.enabled", false); // consider removing +defaultPref("pdfjs.previousHandler.alwaysAskBeforeHandling", true); +defaultPref("pdfjs.enabledCache.state", false); +lockPref("remote.enabled", false); // removed in FF90 +lockPref("browser.shell.didSkipDefaultBrowserCheckOnFirstRun", true); // redundant +defaultPref("browser.bookmarks.max_backups", 2); +defaultPref("devtools.performance.recording.ui-base-url", "http://localhost:55555"); // unharmful +defaultPref("devtools.devices.url", ""); // unharmful +lockPref("media.decoder-doctor.new-issue-endpoint", ""); // redundant +lockPref("identity.sync.tokenserver.uri", ""); // redundant +defaultPref("accessibility.support.url", ""); // redundant +lockPref("browser.dictionaries.download.url", ""); // dictionaries are hidden already +lockPref("browser.uitour.themeOrigin", ""); // redundant +lockPref("toolkit.datacollection.infoURL", ""); // redundant +lockPref("identity.mobilepromo.android", ""); // redundant +lockPref("identity.mobilepromo.ios", ""); // redundant +defaultPref("identity.sendtabpromo.url", ""); // redundant +lockPref("datareporting.healthreport.infoURL", ""); // redundant +lockPref("browser.chrome.errorReporter.infoURL", ""); // redundant +lockPref("datareporting.policy.firstRunURL", ""); // redundant +lockPref("javascript.options.shared_memory", false); +lockPref("app.update.staging.enabled", false); // not relevant +lockPref("app.update.lastUpdateTime.telemetry_modules_ping", 0); // redundant +lockPref("network.connectivity-service.IPv6.url", "http://0.0.0.0"); // redundant +lockPref("network.connectivity-service.IPv4.url", "http://0.0.0.0"); // redundant +lockPref("network.connectivity-service.DNSv6.domain", ""); // redundant +lockPref("network.connectivity-service.DNSv4.domain", ""); // redundant +lockPref("browser.crashReports.unsubmittedCheck.enabled", false); // default +lockPref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // default +``` + +#### Commented prefs +``` +// pref("network.trr.mode", 2); // previously uncommented defaultPref with value 5 +// pref("network.trr.uri", "https://dns.quad9.net/dns-query"); // previously uncommented defaultPref with empty value +``` + +#### Changed preferences +previously empty, set to proper value +``` +defaultPref("network.trr.confirmationNS", "skip"); +defaultPref("browser.search.searchEnginesURL", "https://gitlab.com/librewolf-community/settings/-/wikis/support#search"); +defaultPref("browser.geolocation.warning.infoURL", "https://gitlab.com/librewolf-community/settings/-/wikis/support#location"); +defaultPref("app.feedback.baseURL", "https://gitlab.com/librewolf-community/settings/-/wikis/support"); +defaultPref("app.releaseNotesURL", "https://gitlab.com/librewolf-community/browser"); +defaultPref("app.releaseNotesURL.aboutDialog", "https://gitlab.com/librewolf-community/browser"); +``` + +#### Unlocked preferences +``` +defaultPref("signon.rememberSignons", false); +defaultPref("signon.autofillForms", false); +defaultPref("signon.formlessCapture.enabled", false); +defaultPref("browser.urlbar.speculativeConnect.enabled", false); +defaultPref("browser.contentblocking.report.lockwise.enabled", false); +defaultPref("browser.contentblocking.report.monitor.enabled", false); +defaultPref("network.dns.disablePrefetch", true); +defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true); +defaultPref("browser.startup.blankWindow", false); +defaultPref("extensions.htmlaboutaddons.recommendations.enabled", false); +defaultPref("extensions.systemAddon.update.enabled", false); +defaultPref("extensions.systemAddon.update.url", ""); +defaultPref("security.mixed_content.block_display_content", true); +defaultPref("security.insecure_connection_text.enabled", true); +defaultPref("gfx.font_rendering.opentype_svg.enabled", false); +defaultPref("browser.shell.shortcutFavicons", false); +defaultPref("network.gio.supported-protocols", ""); +defaultPref("network.IDN_show_punycode", true); +defaultPref("browser.shell.checkDefaultBrowser", false); +defaultPref("middlemouse.contentLoadURL", false); +defaultPref("browser.pagethumbnails.capturing_disabled", true); +defaultPref("browser.privatebrowsing.forceMediaMemoryCache", true); +defaultPref("app.update.url.details", "https://gitlab.com/librewolf-community/browser"); +defaultPref("app.update.url.manual", "https://gitlab.com/librewolf-community/browser"); +defaultPref("network.protocol-handler.external.ms-windows-store", false); +``` \ No newline at end of file diff --git a/librewolf.cfg b/librewolf.cfg index a3db0d3..7892204 100755 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -23,147 +23,410 @@ // | // ================================================================================================================================| -// ----------------------------------- -// # SETTINGS VERSION -// ----------------------------------- +defaultPref("librewolf.cfg.version", "2.0"); -defaultPref("librewolf.cfg.version", "1.6"); +// ------------------------------------------- +// # SANITIZING COOKIES AND HISTORY, SESSIONS +// ------------------------------------------- -// ----------------------------------- -// # TRACKING PROTECTION -// ----------------------------------- +defaultPref("network.cookie.cookieBehavior", 5); // dFPI, same as strict mode +defaultPref("network.cookie.lifetimePolicy", 2); // keep cookies until the browser is closed then delete everything not in exceptions -defaultPref("browser.contentblocking.category", "custom"); // do not lock as it breaks UI even more -lockPref("privacy.trackingprotection.enabled", false); -lockPref("privacy.trackingprotection.pbmode.enabled", false); -defaultPref("privacy.trackingprotection.cryptomining.enabled", false); -defaultPref("privacy.trackingprotection.fingerprinting.enabled", false); -lockPref("privacy.trackingprotection.annotate_channels", false); +// make third party and http cookies session-only +defaultPref("network.cookie.thirdparty.sessionOnly", true); +defaultPref("network.cookie.thirdparty.nonsecureSessionOnly", true); -// remove urls -defaultPref("browser.safebrowsing.provider.mozilla.updateURL", ""); -defaultPref("browser.safebrowsing.provider.mozilla.gethashURL", ""); +/** + this way of sanitizing would override the exceptions set by the users and just delete everything, + therefore we tell it to delete everything but ignore data needed to stay logged into websites set + manually as exceptions. +*/ +defaultPref("privacy.clearOnShutdown.cookies", false); +defaultPref("privacy.clearOnShutdown.offlineApps", false); +defaultPref("privacy.sanitize.sanitizeOnShutdown", true); -// hide ui elements -defaultPref("browser.contentblocking.cryptomining.preferences.ui.enabled", false); -defaultPref("browser.contentblocking.fingerprinting.preferences.ui.enabled", false); -lockPref("browser.contentblocking.report.hide_vpn_banner", true); -lockPref("browser.contentblocking.report.show_mobile_app", false); -lockPref("browser.contentblocking.report.lockwise.enabled", false); -lockPref("browser.contentblocking.report.monitor.enabled", false); -lockPref("browser.contentblocking.report.vpn.enabled", false); +// disable browsing, search and form history +defaultPref("places.history.enabled", false); +defaultPref("browser.formfill.enable", false); -// ---------------------------------- -// # AUTOPLAY -// ---------------------------------- +// prevent websites from storing session data like cookies and forms, increase time between session saves +defaultPref("browser.sessionstore.privacy_level", 2); +defaultPref("browser.sessionstore.interval", 60000); -defaultPref("media.autoplay.default", 5); -defaultPref("media.autoplay.blocking_policy", 2); +// ------------- +// # NETWORKING +// ------------- -// ----------------------------------------- -// # PASSWORD MANAGER -// ----------------------------------------- +// https and mixed content +defaultPref("dom.security.https_only_mode", true); // enforce https in all windows, including private browsing +defaultPref("network.auth.subresource-http-auth-allow", 1); // stop cross-origin resources from using HTTP authentication +defaultPref("security.insecure_connection_text.enabled", true); // display http websites as insecure in the ui +defaultPref("security.mixed_content.block_display_content", true); // block insecure passive content -lockPref("signon.rememberSignons", false); -lockPref("signon.storeWhenAutocompleteOff", false); -lockPref("signon.formlessCapture.enabled", false); -lockPref("signon.autofillForms", false); -defaultPref("signon.management.page.breach-alerts.enabled", false); -defaultPref("signon.management.page.breachAlertUrl", ""); +defaultPref("network.dns.disableIPv6", true); // disable ipv6 + +// always send xorigin referer but trim them +defaultPref("network.http.referer.XOriginPolicy", 0); // default, might be worth changing to 2 +defaultPref("network.http.referer.XOriginTrimmingPolicy", 2); // trim referer to only send scheme, host and port + +defaultPref("network.file.disable_unc_paths", true); // hidden, disable using uniform naming convention +defaultPref("network.IDN_show_punycode", true); // use punycode in idn to prevent spoofing + +// proxy +defaultPref("network.proxy.socks_remote_dns", true); // forces dns query through the proxy when using one +defaultPref("network.gio.supported-protocols", ""); // disable gio as it could bypass proxy + +// doh +defaultPref("network.trr.confirmationNS", "skip"); // skip undesired doh test connection +/** + 0 = default + 1 = browser picks faster + 2 = DoH with system dns fallback + 3 = DoH without fallback + 5 = DoH is off, default currently + + below prefs must be applied with pref in order to work +*/ +// pref("network.trr.mode", 2); +// pref("network.trr.uri", "https://dns.quad9.net/dns-query"); + +// prefetching +defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching +lockPref("network.predictor.enabled", false); // disable predictor +lockPref("network.prefetch-next", false); // disable link prefetching +lockPref("network.http.speculative-parallel-limit", 0); // disable prefetching on mouse over + +defaultPref("network.manage-offline-status", false); // let user control the offline behavior + +// ------ +// # DOM +// ------ + +// pop-ups and window related preferences +defaultPref("dom.disable_beforeunload", true); // disable "confirm you want to leave" pop-ups on close +defaultPref("dom.disable_open_during_load", true); // block pop-ups windows +defaultPref("dom.popup_maximum", 4); // limit maximum number of pop-ups +defaultPref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); // limit events that cause pop-ups +defaultPref("dom.disable_window_move_resize", true); // block scripts from resizing windows +defaultPref("browser.link.open_newwindow", 3); // open 'new windows' targeted links in 'new tab' +defaultPref("browser.link.open_newwindow.restriction", 0); // ignore the size when applying the above pref + +// push notifications and service workeers +defaultPref("dom.push.enabled", false); // disable push notifications +defaultPref("dom.push.serverURL", ""); // default "wss://push.services.mozilla.com/" +defaultPref("dom.push.userAgentID", ""); +defaultPref("dom.serviceWorkers.enabled", false); // disable service workers, must enable for push notifications + +defaultPref("dom.storage.next_gen", true); // will be default from v92.0, keep and eye on + +// -------------------------------- +// # CACHE AND TEMPORARY FILES +// -------------------------------- + +defaultPref("browser.cache.disk.enable", false); // disable disk cache +defaultPref("browser.privatebrowsing.forceMediaMemoryCache", true); // block media cache from writing to disk in pb mode +defaultPref("media.memory_cache_max_size", 65536); // increase max cache size to avoid playback issues caused by above setting + +defaultPref("browser.shell.shortcutFavicons", false); // disable shortcut favicons from being stored in profile +defaultPref("browser.helperApps.deleteTempFileOnExit", true); // delete temporary files opened with external apps +defaultPref("browser.pagethumbnails.capturing_disabled", true); // disable page thumbnails capturing + +// ---------------------- +// # MEDIA +// ---------------------- + +// disable webrtc +defaultPref("media.peerconnection.enabled", false); // master switch + +// limit potential IP leaks for webrtc users +defaultPref("media.peerconnection.ice.default_address_only", true); +defaultPref("media.peerconnection.ice.no_host", true); +defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); + +// screensharing, review +defaultPref("media.getusermedia.browser.enabled", false); +defaultPref("media.getusermedia.screensharing.enabled", false); +defaultPref("media.getusermedia.audiocapture.enabled", false); + +// autoplay +defaultPref("media.autoplay.blocking_policy", 2); // only allow to play when a certain element is clicked +defaultPref("media.autoplay.default", 5); // personal preference, currently apply blocking policy to all autplay including muted + +// -------------------------------------- +// # FINGERPRINTING +// -------------------------------------- + +defaultPref("privacy.resistFingerprinting", true); // master switch + +// rfp compatibility settings +defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); // prevents rfp from breaking AMO +defaultPref("browser.startup.blankWindow", false); // if set to true it breaks RFP windows resizing +defaultPref("browser.display.use_system_colors", false); // default but enforced due to RFP + +// librewolf specifc pref, prevents rfp from forcing light theme +lockPref("privacy.override_rfp_for_color_scheme", false); + +defaultPref("webgl.disabled", true); // master switch, disable webgl + +// -------------------------------- +// # SECURITY +// -------------------------------- + +// certificates +defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning, review as could be deprecated +defaultPref("security.pki.sha1_enforcement_level", 1); // disable sha-1 certificates +defaultPref("security.OCSP.enabled", 0); // disable OCSP fetching + +// safe negotiation +defaultPref("security.ssl.require_safe_negotiation", true); // block websites that do not support safe negotiation, occasional breakage +defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true); // show warning when safe negotiation is not enable and website is accessed + +// tls behavior +lockPref("security.tls.enable_0rtt_data", false); // disable 0 round trip time to improve tls 1.3 security +defaultPref("security.tls.version.enable-deprecated", false); // default but helps resetting the preference +defaultPref("browser.ssl_override_behavior", 1); // prepopulate url on ssl warning screens +defaultPref("browser.xul.error_pages.expert_bad_cert", true); // advanced ui infos for broken connections + +// permissions +lockPref("permissions.delegation.enabled", false); // force permission request to show the real origin +lockPref("permissions.manager.defaultsUrl", ""); // revoke special permissions from some mozilla domains + +defaultPref("gfx.font_rendering.opentype_svg.enabled", false); // disale svg opentype fonts + +lockPref("security.csp.enable", true); // default + +// ------------------------------------------------------- +// # SAFE BROWSING +// ------------------------------------------------------- + +// disable safe browsing, including the fetch of updates and all outgoing connections +defaultPref("browser.safebrowsing.malware.enabled", false); +defaultPref("browser.safebrowsing.phishing.enabled", false); +defaultPref("browser.safebrowsing.blockedURIs.enabled", false); +defaultPref("browser.safebrowsing.provider.google4.gethashURL", ""); +defaultPref("browser.safebrowsing.provider.google4.updateURL", ""); +defaultPref("browser.safebrowsing.provider.google.gethashURL", ""); +defaultPref("browser.safebrowsing.provider.google.updateURL", ""); + +// disable safe browsing checks on downloads, both local and remote +defaultPref("browser.safebrowsing.downloads.enabled", false); +defaultPref("browser.safebrowsing.downloads.remote.enabled", false); +defaultPref("browser.safebrowsing.downloads.remote.url", ""); + +// other safe browsing options, all default but security in depth +lockPref("browser.safebrowsing.passwords.enabled", false); +lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false); +lockPref("browser.safebrowsing.provider.google4.dataSharingURL", ""); + +// ----------------------- +// # DRM +// ----------------------- + +defaultPref("media.eme.enabled", false); // disable drm content, master switch that also controls widevine plugin +defaultPref("media.gmp-manager.url", "data:text/plain,"); // prevent outgoing connections when DRM is disabled + +// disable the openh264 plugin +defaultPref("media.gmp-provider.enabled", false); +defaultPref("media.gmp-gmpopenh264.enabled", false); + +// --------------------------------------------- +// # LOCATION, LANGUAGE AND REGION +// --------------------------------------------- + +defaultPref("geo.enabled", false); // block geo api, behind a prompt so review +defaultPref("permissions.default.geo", 2); // review as well + +// use mozilla geo service as deault +defaultPref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); + +// prevent use of OS location services +lockPref("geo.provider.ms-windows-location", false); // [WINDOWS] +lockPref("geo.provider.use_corelocation", false); // [MAC] +lockPref("geo.provider.use_gpsd", false); // [LINUX] + +// show language as en-US for all users, regardless of their OS language and local version, to avoid leaking +defaultPref("javascript.use_us_english_locale", true); +defaultPref("intl.locale.requested", "en-US"); +defaultPref("privacy.spoof_english", 2); + +// disable region updates +lockPref("browser.region.network.url", ""); +lockPref("browser.region.update.enabled", false); // -------------------------------- // # SEARCH AND URLBAR // -------------------------------- -defaultPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); -lockPref("browser.urlbar.speculativeConnect.enabled", false); -defaultPref("browser.urlbar.trimURLs", false); -defaultPref("browser.search.suggest.enabled", false); -defaultPref("browser.search.region", "US"); -lockPref("browser.fixup.alternate.enabled", false); +// disable search suggestions defaultPref("browser.urlbar.suggest.searches", false); -defaultPref("browser.search.update", false); +defaultPref("browser.search.suggest.enabled", false); -// -------------------------------- -// # SANITIZING, COOKIES AND HISTORY -// -------------------------------- +defaultPref("browser.search.region", "US"); // set a default search region for all users +defaultPref("browser.search.update", false); // do not update open search search engines +defaultPref("browser.urlbar.trimURLs", false); // do not trim urls in the urlbar -defaultPref("network.cookie.cookieBehavior", 5); // dFPI, previously set to 1 -defaultPref("network.cookie.lifetimePolicy", 2); -defaultPref("network.cookie.thirdparty.sessionOnly", true); -defaultPref("network.cookie.thirdparty.nonsecureSessionOnly", true); +// urlbar-dns interactions, avoid unwanted and speculative connections +defaultPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); +defaultPref("browser.urlbar.speculativeConnect.enabled", false); +lockPref("browser.fixup.alternate.enabled", false); -// includes new cookie behavior that allows to stay logged with exceptions -defaultPref("privacy.clearOnShutdown.cookies", false); -defaultPref("privacy.clearOnShutdown.offlineApps", false); -defaultPref("privacy.cpd.cookies", false); // just for consistency to avoid accidental logout -defaultPref("privacy.cpd.offlineApps", false); // just for consistency to avoid accidental logout +// ---------------------------------- +// # BROWSER BEHAVIOR +// ---------------------------------- -defaultPref("privacy.sanitize.timeSpan", 0); -defaultPref("browser.formfill.enable", false); -defaultPref("privacy.sanitize.sanitizeOnShutdown", true); -defaultPref("places.history.enabled", false); -defaultPref("privacy.history.custom", true); +lockPref("app.update.auto", false); // disable update auto installs -// -------------------------------------------------------------------- -// # SESSIONS -// -------------------------------------------------------------------- - -defaultPref("browser.sessionstore.privacy_level", 2); -defaultPref("browser.sessionstore.interval", 60000); - -// --------------------------------- -// # AUTOFILL -// --------------------------------- +// password manager +defaultPref("signon.rememberSignons", false); // disable saving passwords in the browser +defaultPref("signon.autofillForms", false); // disable username and password autofills +defaultPref("signon.formlessCapture.enabled", false); // disable formless login capture +// autofill defaultPref("extensions.formautofill.available", "off"); defaultPref("extensions.formautofill.addresses.enabled", false); defaultPref("extensions.formautofill.creditCards.enabled", false); defaultPref("extensions.formautofill.creditCards.available", false); defaultPref("extensions.formautofill.heuristics.enabled", false); -// ----------------------- -// # DRM -// ----------------------- +// mouse and input +defaultPref("general.autoScroll", false); // prevent mouse middle click from triggering scrolling +defaultPref("middlemouse.contentLoadURL", false); // prevent mouse middle click from opening links +defaultPref("clipboard.autocopy", false); // disable autocopy to clibpboard -defaultPref("media.eme.enabled", false); -defaultPref("media.gmp-widevinecdm.visible", false); -defaultPref("media.gmp-widevinecdm.enabled", false); -defaultPref("media.gmp-provider.enabled", false); -defaultPref("media.gmp-manager.url", "data:text/plain,"); // had to re-add to prevent connections +// containers +defaultPref("privacy.userContext.enabled", true); // enable containers +defaultPref("privacy.userContext.ui.enabled", true); // enable containers ui -defaultPref("media.gmp-gmpopenh264.enabled", false); +defaultPref("pdfjs.enableScripting", false); // block pdf js scripting -// ---------------------- -// # WEBRTC -// ---------------------- +defaultPref("accessibility.force_disabled", 1); // block accessibility services -defaultPref("media.peerconnection.enabled", false); -defaultPref("media.peerconnection.ice.default_address_only", true); -defaultPref("media.peerconnection.ice.no_host", true); -defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); +// devtools +defaultPref("devtools.chrome.enabled", false); // disable chrome debugging tools +defaultPref("devtools.debugger.remote-enabled", false); // default, disable remote debugging +defaultPref("devtools.remote.adb.extensionURL", ""); // url to download ad extension +defaultPref("devtools.selfxss.count", 0); // see https://gitlab.com/librewolf-community/browser/linux/-/issues/80 -// ---------------------- -// # SHARING -// ---------------------- +// misc +defaultPref("browser.shell.checkDefaultBrowser", false); // do not check if default browser +defaultPref("browser.tabs.drawInTitlebar", true); // hide titlebar +defaultPref("browser.aboutConfig.showWarning", false); // disable about:config warning +defaultPref("browser.download.autohideButton", false); // hide download button automatically +defaultPref("browser.download.manager.addToRecentDocs", false); // do not add downloads to recents +defaultPref("browser.tabs.loadBookmarksInTabs", true); // always open bookmarks in new tab -defaultPref("media.getusermedia.browser.enabled", false); -defaultPref("media.getusermedia.screensharing.enabled", false); -defaultPref("media.getusermedia.audiocapture.enabled", false); +// ----------------------------------- +// # TRACKING PROTECTION +// ----------------------------------- -// ---------------------------- -// # DNS -// ---------------------------- +// review entire section -defaultPref("network.trr.mode", 5); -defaultPref("network.trr.uri", ""); -defaultPref("network.dns.disableIPv6", true); -lockPref("network.dns.disablePrefetch", true); +pref("browser.contentblocking.category", "custom"); // do not lock as it breaks UI even more, using pref solves the UI bug +lockPref("privacy.trackingprotection.enabled", false); +lockPref("privacy.trackingprotection.pbmode.enabled", false); +defaultPref("privacy.trackingprotection.cryptomining.enabled", false); +defaultPref("privacy.trackingprotection.fingerprinting.enabled", false); +lockPref("privacy.trackingprotection.annotate_channels", false); + +// remove urls to fetch contentblocking lists. +// without these urls TP cannot work. the lists are not shipped with the browser but download on first launch. +defaultPref("browser.safebrowsing.provider.mozilla.updateURL", ""); +defaultPref("browser.safebrowsing.provider.mozilla.gethashURL", ""); + +// hide ui elements for blocking lists in custom mode UI +defaultPref("browser.contentblocking.cryptomining.preferences.ui.enabled", false); +defaultPref("browser.contentblocking.fingerprinting.preferences.ui.enabled", false); + +// hide ui elements from about:protections +lockPref("browser.contentblocking.report.hide_vpn_banner", true); +lockPref("browser.contentblocking.report.show_mobile_app", false); +defaultPref("browser.contentblocking.report.lockwise.enabled", false); +defaultPref("browser.contentblocking.report.monitor.enabled", false); +lockPref("browser.contentblocking.report.vpn.enabled", false); + +// -------------------------------------- +// # EXTENSIONS +// -------------------------------------- + +/** + allow extensions to work on all domains. + default is "debug-notes.log" + */ + defaultPref("extensions.webextensions.restrictedDomains", ""); + + // set extensions scopes + defaultPref("extensions.enabledScopes", 5); + defaultPref("extensions.autoDisableScopes", 11); + + defaultPref("extensions.postDownloadThirdPartyPrompt", false); // force install prompt for thrid party extensions + + /** + prevent users from adding lang packs, which would cause leaks. + default is https://services.addons.mozilla.org/api/v3/addons/language-tools/?app=firefox&type=language&appversion=%VERSION% + */ + defaultPref("extensions.getAddons.langpacks.url", ""); + + // about:addons ui + defaultPref("extensions.getAddons.showPane", false); // disable recommendations section + defaultPref("extensions.htmlaboutaddons.recommendations.enabled", false); // disable recommendations from addons list + defaultPref("lightweightThemes.getMoreURL", ""); // disable button to get more themes + + // background checking and updating of extensions + defaultPref("extensions.update.enabled", false); // disable automatic checks for extension updates + defaultPref("extensions.update.autoUpdateDefault", false); // disable automatic installs of extension updates + defaultPref("extensions.getAddons.cache.enabled", false); // disable fetching of extension metadata + + // extension firewall, disabled by default + // defaultPref("extensions.webextensions.base-content-security-policy", "default-src 'none'; script-src 'none'; object-src 'none';"); + // defaultPref("extensions.webextensions.base-content-security-policy.v3", "default-src 'none'; script-src 'none'; object-src 'none';"); + + // report site issue, disable button and url for in depth defense + lockPref("extensions.webcompat-reporter.enabled", false); + lockPref("extensions.webcompat-reporter.newIssueEndpoint", ""); + + // system addons, prevent updates and strip url for in depth defense + defaultPref("extensions.systemAddon.update.enabled", false); + defaultPref("extensions.systemAddon.update.url", ""); + +// -------------------------------- +// # URLS AND ANNOYANCES +// -------------------------------- + +// set librewolf support and releases urls +defaultPref("app.support.baseURL", "https://gitlab.com/librewolf-community/settings/-/wikis/support#"); +defaultPref("browser.search.searchEnginesURL", "https://gitlab.com/librewolf-community/settings/-/wikis/support#search"); +defaultPref("browser.geolocation.warning.infoURL", "https://gitlab.com/librewolf-community/settings/-/wikis/support#location"); +defaultPref("app.feedback.baseURL", "https://gitlab.com/librewolf-community/settings/-/wikis/support"); +defaultPref("app.releaseNotesURL", "https://gitlab.com/librewolf-community/browser"); +defaultPref("app.releaseNotesURL.aboutDialog", "https://gitlab.com/librewolf-community/browser"); +defaultPref("app.update.url.details", "https://gitlab.com/librewolf-community/browser"); +defaultPref("app.update.url.manual", "https://gitlab.com/librewolf-community/browser"); + +// remove default handlers and translation engine +lockPref("gecko.handlerService.schemes.mailto.0.uriTemplate", ""); +lockPref("gecko.handlerService.schemes.mailto.0.name", ""); +lockPref("gecko.handlerService.schemes.mailto.1.uriTemplate", ""); +lockPref("gecko.handlerService.schemes.mailto.1.name", ""); +lockPref("gecko.handlerService.schemes.irc.0.uriTemplate", ""); +lockPref("gecko.handlerService.schemes.irc.0.name", ""); +lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", ""); +lockPref("gecko.handlerService.schemes.ircs.0.name", ""); +lockPref("browser.translation.engine", ""); + +// disable welcome, what's new pages and ui tour +defaultPref("browser.startup.homepage_override.mstone", "ignore"); +defaultPref("startup.homepage_override_url", "about:blank"); +defaultPref("startup.homepage_welcome_url", "about:blank"); +defaultPref("startup.homepage_welcome_url.additional", ""); +lockPref("browser.messaging-system.whatsNewPanel.enabled", false); +lockPref("browser.uitour.enabled", false); +lockPref("browser.uitour.url", ""); // ------------------------------------ // # NEW TAB PAGE // ------------------------------------ +// review full section lockPref("browser.newtab.preload", false); lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); lockPref("browser.newtabpage.activity-stream.feeds.newtabinit", false); @@ -203,443 +466,81 @@ lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcut lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned", ""); lockPref("browser.newtabpage.activity-stream.fxaccounts.endpoint", ""); -// ------------------------------------------- -// # DO NOT TRACK -// ------------------------------------------- - -// Unlocked as some think it increases fingerprint, they can now disable it -defaultPref("privacy.donottrackheader.enabled", true); - // -------------------------------- -// # DOM +// # TELEMETRY // -------------------------------- -defaultPref("dom.disable_beforeunload", true); -defaultPref("dom.disable_open_during_load", true); -defaultPref("dom.push.enabled", false); -defaultPref("dom.push.connection.enabled", false); -defaultPref("dom.push.serverURL", ""); //default "wss://push.services.mozilla.com/" -defaultPref("dom.push.userAgentID", ""); -defaultPref("dom.disable_window_move_resize", true); -defaultPref("dom.serviceWorkers.enabled", false); -defaultPref("dom.battery.enabled", false); -defaultPref("dom.popup_maximum", 4); -defaultPref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); -defaultPref("dom.vr.enabled", false); // fingerprintable -defaultPref("dom.vibrator.enabled", false); -defaultPref("dom.storage.next_gen", true); // will be default from v92.0, keep and eye on - -// -------------------------------- -// # PERMISSIONS -// -------------------------------- - -lockPref("permissions.delegation.enabled", false); -defaultPref("permissions.default.geo", 2); // unlocked as some think it increases fingerprint, they can now disable it -lockPref("permissions.manager.defaultsUrl", ""); - -// -------------------------------- -// # REFERERS -// -------------------------------- - -defaultPref("network.http.referer.XOriginTrimmingPolicy", 2); -defaultPref("network.http.referer.XOriginPolicy", 0); - -// -------------------------------- -// # PROXY -// -------------------------------- - -defaultPref("network.proxy.socks_remote_dns", true); - -// -------------------------------------- -// # HTTP(S) -// -------------------------------------- - -lockPref("network.http.altsvc.enabled", false); -lockPref("network.http.altsvc.oe", false); -defaultPref("dom.security.https_only_mode", true); -defaultPref("dom.security.https_only_mode_pbm", true); -defaultPref("network.auth.subresource-http-auth-allow", 1); - -// -------------------------------------- -// # TLS -// -------------------------------------- - -defaultPref("security.ssl.require_safe_negotiation", true); -lockPref("security.ssl.treat_unsafe_negotiation_as_broken", true); -defaultPref("security.tls.version.enable-deprecated", false); // default but helps resetting the preference -defaultPref("browser.ssl_override_behavior", 1); -lockPref("security.tls.enable_0rtt_data", false); -defaultPref("security.tls.version.fallback-limit", 3); -defaultPref("browser.xul.error_pages.expert_bad_cert", true); // advanced ui infos - -// -------------------------------------- -// # RFP -// -------------------------------------- - -defaultPref("privacy.resistFingerprinting", true); -defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); -lockPref("browser.startup.blankWindow", false); // breaks RFP windows resizing -lockPref("privacy.override_rfp_for_color_scheme", false); // librewolf specifc pref, prevents rfp from overriding your theme - -// -------------------------------------- -// # FISSION -// -------------------------------------- - -// commented out for now, keep an eye on -// defaultPref("fission.autostart", true); - -// -------------------------------------- -// # LANGUAGE AND REGION -// -------------------------------------- - -defaultPref("javascript.use_us_english_locale", true); -defaultPref("intl.locale.requested", "en-US"); -defaultPref("privacy.spoof_english", 2); - -// ------------------------------------------------------- -// # EXTENSIONS - check readme section "Extensions Firewall" -// ------------------------------------------------------- - -// handle default restricted domains -defaultPref("extensions.webextensions.restrictedDomains", ""); // This will allow extensions to work everywhere, default "debug-notes.log" -lockPref("extensions.webextensions.identity.redirectDomain", ""); // Redirect basedomain used by identity api, default "extensions.allizom.org" - -// extension firewall, disabled by default -// defaultPref("extensions.webextensions.base-content-security-policy", "default-src 'none'; script-src 'none'; object-src 'none';"); -// defaultPref("extensions.webextensions.base-content-security-policy.v3", "default-src 'none'; script-src 'none'; object-src 'none';"); - -// set extensions scopes -defaultPref("extensions.enabledScopes", 5); -defaultPref("extensions.autoDisableScopes", 11); - -// Relevant for lang packs search -defaultPref("extensions.getAddons.langpacks.url", ""); // https://services.addons.mozilla.org/api/v3/addons/language-tools/?app=firefox&type=language&appversion=%VERSION% - -// other urls -defaultPref("extensions.getAddons.get.url", ""); // https://services.addons.mozilla.org/api/v3/addons/search/?guid=%IDS%&lang=%LOCALE% -defaultPref("extensions.getAddons.link.url", ""); // https://addons.mozilla.org/%LOCALE%/firefox/ - -// ui -defaultPref("extensions.getAddons.showPane", false); -lockPref("extensions.getAddons.discovery.api_url", ""); -lockPref("extensions.htmlaboutaddons.recommendations.enabled", false); -lockPref("extensions.webcompat-reporter.enabled", false); -lockPref("extensions.webcompat-reporter.newIssueEndpoint", "");// https://webcompat.com/issues/new - -// background checking and updating -defaultPref("extensions.update.enabled", false); -defaultPref("extensions.update.autoUpdateDefault", false); -defaultPref("extensions.getAddons.cache.enabled", false); - -// system addons -lockPref("extensions.systemAddon.update.url", ""); -lockPref("extensions.systemAddon.update.enabled", false); - -defaultPref("xpinstall.signatures.devInfoURL", ""); -lockPref("extensions.webservice.discoverURL", ""); -lockPref("webextensions.storage.sync.serverURL", ""); -lockPref("lightweightThemes.getMoreURL", ""); -defaultPref("extensions.postDownloadThirdPartyPrompt", false); - -// ------------------------------------------------------- -// # NORMANDY -// ------------------------------------------------------- - -lockPref("app.normandy.enabled", false); -lockPref("app.normandy.api_url", ""); -lockPref("app.normandy.user_id", ""); -lockPref("app.normandy.shieldLearnMoreUrl", ""); - -// -------------------------------- -// # SECURITY -// -------------------------------- - -// certificates -defaultPref("security.cert_pinning.enforcement_level", 2); -defaultPref("security.OCSP.enabled", 0); -defaultPref("security.pki.sha1_enforcement_level", 1); - -// mixed content -lockPref("security.mixed_content.block_display_content", true); -lockPref("security.mixed_content.block_active_content", true); - -// ui -lockPref("security.insecure_connection_text.enabled", true); -lockPref("security.insecure_connection_text.pbmode.enabled", true); - -lockPref("security.csp.enable", true); - -// ------------------------------------------------------- -// # SAFE BROWSING -// ------------------------------------------------------- - -// re-enabling -defaultPref("browser.safebrowsing.malware.enabled", false); -defaultPref("browser.safebrowsing.phishing.enabled", false); -defaultPref("browser.safebrowsing.blockedURIs.enabled", false); -defaultPref("browser.safebrowsing.provider.google4.gethashURL", ""); -defaultPref("browser.safebrowsing.provider.google4.updateURL", ""); -defaultPref("browser.safebrowsing.provider.google.gethashURL", ""); -defaultPref("browser.safebrowsing.provider.google.updateURL", ""); - -// downloads -lockPref("browser.safebrowsing.downloads.enabled", false); - -// remote downloads, unwanted software, data sharing -lockPref("browser.safebrowsing.passwords.enabled", false); -lockPref("browser.safebrowsing.downloads.remote.enabled", false); -lockPref("browser.safebrowsing.downloads.remote.block_dangerous", false); -lockPref("browser.safebrowsing.downloads.remote.block_dangerous_host", false); -lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); -lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false); -lockPref("browser.safebrowsing.downloads.remote.url", ""); -lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false); -lockPref("browser.safebrowsing.provider.google4.dataSharingURL", ""); - -// commented all below as they do no harm and make enabling SB painful -// could potentially at some point -// defaultPref("browser.safebrowsing.id", ""); -// defaultPref("browser.safebrowsing.provider.google4.pver", ""); -// defaultPref("browser.safebrowsing.provider.google4.advisoryName", ""); -// defaultPref("browser.safebrowsing.provider.google4.advisoryURL", ""); -// defaultPref("browser.safebrowsing.provider.google4.lists", ""); -// defaultPref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", ""); -// defaultPref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", ""); -// defaultPref("browser.safebrowsing.provider.google4.reportURL", ""); -// defaultPref("browser.safebrowsing.provider.google4.lastupdatetime", ""); -// defaultPref("browser.safebrowsing.provider.google4.nextupdatetime", ""); -// defaultPref("browser.safebrowsing.provider.google.advisoryName", ""); -// defaultPref("browser.safebrowsing.provider.google.advisoryURL", ""); -// defaultPref("browser.safebrowsing.provider.google.lastupdatetime", ""); -// defaultPref("browser.safebrowsing.provider.google.lists", ""); -// defaultPref("browser.safebrowsing.provider.google.nextupdatetime", ""); -// defaultPref("browser.safebrowsing.provider.google.pver", ""); -// defaultPref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", ""); -// defaultPref("browser.safebrowsing.provider.google.reportPhishMistakeURL", ""); -// defaultPref("browser.safebrowsing.provider.google.reportURL", ""); -// defaultPref("browser.safebrowsing.reportPhishURL", ""); - -// -------------------------------- -// # FONTS -// -------------------------------- - -lockPref("gfx.font_rendering.graphite.enabled", false); -lockPref("gfx.font_rendering.opentype_svg.enabled", false); - -// -------------------------------- -// # MISC -// -------------------------------- - -// more important stuff -lockPref("browser.shell.shortcutFavicons", false); -defaultPref("browser.link.open_newwindow", 3); -defaultPref("browser.link.open_newwindow.restriction", 0); -defaultPref("network.file.disable_unc_paths", true); // (hidden pref) -lockPref("network.gio.supported-protocols", ""); // (hidden pref) -lockPref("network.IDN_show_punycode", true); -defaultPref("browser.display.use_system_colors", false); // default but enforced due to RFP - -// pdf reader -defaultPref("pdfjs.disabled", false); -defaultPref("pdfjs.enableScripting", false); -defaultPref("pdfjs.previousHandler.alwaysAskBeforeHandling", true); -defaultPref("pdfjs.enabledCache.state", false); - -// remote agent -lockPref("remote.enabled", false); - -// settings and behavior -lockPref("browser.shell.checkDefaultBrowser", false); -lockPref("browser.shell.didSkipDefaultBrowserCheckOnFirstRun", true); -defaultPref("startup.homepage_override_url", "about:blank"); -defaultPref("startup.homepage_welcome_url", "about:blank"); -defaultPref("startup.homepage_welcome_url.additional", ""); -lockPref("browser.startup.homepage_override.mstone", "ignore"); -defaultPref("privacy.userContext.enabled", true); -defaultPref("general.autoScroll", false); // OS specific -defaultPref("clipboard.autocopy", false); // OS specific -defaultPref("browser.tabs.loadBookmarksInTabs", true); // OS specific -defaultPref("browser.download.manager.addToRecentDocs", false); -defaultPref("accessibility.force_disabled", 1); -lockPref("browser.uitour.enabled", false); -lockPref("middlemouse.contentLoadURL", false); -defaultPref("network.manage-offline-status", false); -defaultPref("browser.helperApps.deleteTempFileOnExit", true); -lockPref("browser.pagethumbnails.capturing_disabled", true); -lockPref("browser.bookmarks.max_backups", 2); - -// devtools -defaultPref("devtools.debugger.remote-enabled", false); -defaultPref("devtools.chrome.enabled", false); -defaultPref("devtools.performance.recording.ui-base-url", "http://localhost:55555"); // Default Value : https://profiler.firefox.com -defaultPref("devtools.devices.url", ""); -defaultPref("devtools.remote.adb.extensionURL", ""); // [FF64+] -defaultPref("devtools.remote.adb.extensionID", ""); // default adb@mozilla.org [FF64+] -defaultPref("devtools.selfxss.count", 0); // see https://gitlab.com/librewolf-community/browser/linux/-/issues/80 - -// ui -defaultPref("browser.tabs.drawInTitlebar", true); // OS specific -defaultPref("browser.aboutConfig.showWarning", false); -defaultPref("general.warnOnAboutConfig", false); -defaultPref("browser.download.autohideButton", false); -defaultPref("privacy.userContext.ui.enabled", true); -lockPref("browser.messaging-system.whatsNewPanel.enabled", false); - -// urls and handlers -lockPref("media.decoder-doctor.new-issue-endpoint", ""); -lockPref("identity.sync.tokenserver.uri", ""); -lockPref("network.trr.confirmationNS", ""); -lockPref("browser.translation.engine", ""); // default Google -lockPref("gecko.handlerService.schemes.mailto.0.uriTemplate", ""); -lockPref("gecko.handlerService.schemes.mailto.0.name", ""); // default Yahoo! Mail -lockPref("gecko.handlerService.schemes.mailto.1.uriTemplate", ""); -lockPref("gecko.handlerService.schemes.mailto.1.name", ""); // default Gmail -lockPref("gecko.handlerService.schemes.irc.0.uriTemplate", ""); -lockPref("gecko.handlerService.schemes.irc.0.name", ""); -lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", ""); -lockPref("gecko.handlerService.schemes.ircs.0.name", ""); -lockPref("services.settings.server", ""); -lockPref("accessibility.support.url", ""); -defaultPref("app.support.baseURL", "https://gitlab.com/librewolf-community/settings/-/wikis/support#"); -lockPref("browser.uitour.url", ""); -lockPref("webchannel.allowObject.urlWhitelist", ""); -lockPref("browser.dictionaries.download.url", ""); -lockPref("browser.geolocation.warning.infoURL", ""); -lockPref("browser.search.searchEnginesURL", ""); -lockPref("browser.uitour.themeOrigin", ""); -lockPref("toolkit.datacollection.infoURL", ""); -lockPref("identity.mobilepromo.android", ""); -lockPref("identity.mobilepromo.ios", ""); -defaultPref("identity.sendtabpromo.url", ""); -lockPref("datareporting.healthreport.infoURL", ""); -lockPref("app.feedback.baseURL", ""); -lockPref("app.releaseNotesURL", ""); -lockPref("app.releaseNotesURL.aboutDialog", ""); -lockPref("browser.chrome.errorReporter.infoURL", ""); -lockPref("datareporting.policy.firstRunURL", ""); - -// -------------------------------- -// # CACHE -// -------------------------------- - -lockPref("browser.privatebrowsing.forceMediaMemoryCache", true); -defaultPref("media.memory_cache_max_size", 65536); -defaultPref("browser.cache.disk.enable", false); - -// -------------------------------- -// # WEBGL AND PERFORMANCE -// -------------------------------- - -defaultPref("webgl.disabled", true); - -// -------------------------------- -// # JS -// -------------------------------- - -lockPref("javascript.options.shared_memory", false); - -// -------------------------------- -// # GEO -// -------------------------------- - -defaultPref("geo.enabled", false); -lockPref("geo.provider.ms-windows-location", false); // [WINDOWS] -lockPref("geo.provider.use_corelocation", false); // [MAC] -lockPref("geo.provider.use_gpsd", false); // [LINUX] -defaultPref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); -lockPref("browser.region.network.url", ""); -lockPref("browser.region.update.enabled", false); - -// -------------------------------- -// # PREFETCHING -// -------------------------------- - -lockPref("network.predictor.enabled", false); -lockPref("network.prefetch-next", false); -lockPref("network.http.speculative-parallel-limit", 0); - -// -------------------------------- -// # OUTGOING CONNECTIONS -// -------------------------------- - -// updates -lockPref("app.update.auto", false); -lockPref("app.update.staging.enabled", false); -lockPref("app.update.lastUpdateTime.telemetry_modules_ping", 0); -lockPref("app.update.url.details", "https://gitlab.com/librewolf-community/browser"); -lockPref("app.update.url.manual", "https://gitlab.com/librewolf-community/browser"); - -// connectivity service -lockPref("network.connectivity-service.enabled", false); -lockPref("network.connectivity-service.IPv6.url", "http://0.0.0.0"); -lockPref("network.connectivity-service.IPv4.url", "http://0.0.0.0"); -lockPref("network.connectivity-service.DNSv6.domain", ""); -lockPref("network.connectivity-service.DNSv4.domain", ""); - -// telemetry -lockPref("toolkit.crashreporter.infoURL", ""); -lockPref("toolkit.telemetry.archive.enabled", false); -lockPref("toolkit.telemetry.updatePing.enabled", false); -lockPref("toolkit.telemetry.bhrPing.enabled", false); -lockPref("toolkit.telemetry.cachedClientID", ""); -lockPref("toolkit.telemetry.enabled", false); -lockPref("toolkit.telemetry.firstShutdownPing.enabled", false); -lockPref("toolkit.telemetry.newProfilePing.enabled", false); -lockPref("toolkit.telemetry.previousBuildID", ""); -lockPref("toolkit.telemetry.reportingpolicy.firstRun", false); // default +lockPref("toolkit.telemetry.unified", false); // master switch +lockPref("toolkit.telemetry.enabled", false); // master switch lockPref("toolkit.telemetry.server", "data:,"); -lockPref("toolkit.telemetry.server_owner", ""); +lockPref("toolkit.telemetry.archive.enabled", false); +lockPref("toolkit.telemetry.newProfilePing.enabled", false); +lockPref("toolkit.telemetry.updatePing.enabled", false); +lockPref("toolkit.telemetry.firstShutdownPing.enabled", false); lockPref("toolkit.telemetry.shutdownPingSender.enabled", false); lockPref("toolkit.telemetry.shutdownPingSender.enabledFirstSession", false); // default -lockPref("toolkit.telemetry.unified", false); -lockPref("security.protectionspopup.recordEventTelemetry", false); -lockPref("datareporting.healthreport.uploadEnabled", false); -lockPref("datareporting.policy.dataSubmissionEnabled", false); -lockPref("toolkit.coverage.endpoint.base", ""); -lockPref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF] +lockPref("toolkit.telemetry.bhrPing.enabled", false); +lockPref("toolkit.telemetry.reportingpolicy.firstRun", false); // default +lockPref("toolkit.telemetry.cachedClientID", ""); +lockPref("toolkit.telemetry.previousBuildID", ""); +lockPref("toolkit.telemetry.server_owner", ""); lockPref("toolkit.coverage.opt-out", true); // [HIDDEN PREF] lockPref("toolkit.coverage.enabled", false); -lockPref("app.shield.optoutstudies.enabled", false); -lockPref("beacon.enabled", false); +lockPref("toolkit.coverage.endpoint.base", ""); +lockPref("toolkit.crashreporter.infoURL", ""); +lockPref("datareporting.healthreport.uploadEnabled", false); +lockPref("datareporting.policy.dataSubmissionEnabled", false); +lockPref("security.protectionspopup.recordEventTelemetry", false); lockPref("browser.ping-centre.telemetry", false); -// discovery -lockPref("browser.discovery.enabled", false); -lockPref("browser.discovery.containers.enabled", false); -lockPref("browser.discovery.sites", ""); - // crash report lockPref("breakpad.reportURL", ""); lockPref("browser.tabs.crashReporting.sendReport", false); -lockPref("browser.crashReports.unsubmittedCheck.enabled", false); -lockPref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); + +// normandy and studies +lockPref("app.normandy.enabled", false); +lockPref("app.normandy.api_url", ""); +lockPref("app.shield.optoutstudies.enabled", false); + +// personalized extension recommendations +lockPref("browser.discovery.enabled", false); +lockPref("browser.discovery.containers.enabled", false); +lockPref("browser.discovery.sites", ""); + +// connectivity checks +lockPref("network.connectivity-service.enabled", false); // captive portal lockPref("network.captive-portal-service.enabled", false); lockPref("captivedetect.canonicalURL", ""); +// prevent sending server side analytics +lockPref("beacon.enabled", false); + // -------------------------------- // # WINDOWS // -------------------------------- -// disable links launching Windows Store [WINDOWS] -lockPref("network.protocol-handler.external.ms-windows-store", false); - -// disable background update service [WINDOWS] +// disable windows specific background update service lockPref("app.update.service.enabled", false); defaultPref("app.update.background.scheduling.enabled", false); -// disable automatic Firefox start and session restore after reboot [WINDOWS] -lockPref("toolkit.winRegisterApplicationRestart", false); +defaultPref("network.protocol-handler.external.ms-windows-store", false); // disable links launching windows store -// disable Windows 8.1 Family Safety cert [WINDOWS] -lockPref("security.family_safety.mode", 0); +lockPref("toolkit.winRegisterApplicationRestart", false); // disable automatic Firefox start and session restore after reboot -// Windows only? -lockPref("default-browser-agent.enabled", false); +lockPref("security.family_safety.mode", 0); // disable win8.1 family safety cert -// disable MS auto authentication via SSO -defaultPref("network.http.windows-sso.enabled", false); +lockPref("default-browser-agent.enabled", false); // disable windows specific telemetry + +defaultPref("network.http.windows-sso.enabled", false); // disable MS auto authentication via sso + +// ----------------- +// # REVIEW +// ----------------- + +lockPref("services.settings.server", ""); +lockPref("webchannel.allowObject.urlWhitelist", ""); // ----------------------------------- // # OVERRIDES From d2672a6b6ccc4808f20e987ff16f009cbb39699b Mon Sep 17 00:00:00 2001 From: fxbrit Date: Fri, 27 Aug 2021 02:50:07 +0200 Subject: [PATCH 2/7] re-organize order, finish ntp and tp, add 2 prefs --- docs/Changelog.md | 283 +++++++++++++++++++++++++--------------------- librewolf.cfg | 139 +++++++++-------------- 2 files changed, 211 insertions(+), 211 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 599967a..e89467c 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -1,129 +1,6 @@ This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version. Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config. -## 1.0 -**target commit**: 2b8dc4ac6d7fb6fdf8f172d04c27912098268257 - -**base librewolf version**: 89.x - -This is the initial release from which we start tagging and versioning settings. - -## 1.1 -**target commit**: cf0a2cc88acdbc51b138228353a0d7c9ea0db7c3 - -**base librewolf version**: 89.x - -**References**: -- issue [#54](https://gitlab.com/librewolf-community/settings/-/issues/54) from settings -- merge request [#5](https://gitlab.com/librewolf-community/browser/common/-/merge_requests/5) from common - -#### Removed preferences -``` -defaultPref("security.OCSP.require", false); // default value -defaultPref("extensions.update.url", ""); -defaultPref("extensions.update.background.url", ""); -defaultPref("extensions.getAddons.search.browseURL", ""); -``` - -#### Changed preferences -``` -defaultPref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); -``` - -#### Added preferences -``` -lockPref("privacy.override_rfp_for_color_scheme", false); -``` - -## 1.2 -**target commit**: 294724fae38ffa4ebcf6dfb0854787fb7022d1e6 - -**base librewolf version**: 89.x - -**References**: -- issue [#65](https://gitlab.com/librewolf-community/settings/-/issues/65) from settings -- issue [#22](https://gitlab.com/librewolf-community/browser/common/-/issues/22) from common - -#### Removed preferences -``` -defaultPref("dom.webaudio.enabled", false); -defaultPref("media.navigator.enabled", false); -``` - -#### Changed preferences -``` -defaultPref("app.support.baseURL", "https://gitlab.com/librewolf-community/settings/-/wikis/support#"); -``` - -## 1.3 -**target commit**: 60e75e30c6018a5c909a2f00f40831ed3f1948a6 - -**base librewolf version**: 90.x - -#### Added preferences -``` -defaultPref("network.http.windows-sso.enabled", false); -``` - -#### Removed preferences -``` -lockPref("browser.cache.offline.storage.enable", false); // pref does not exist anymore as it became default behavior -``` - -## 1.4 -**target commit**: 2e21db4c3018321a077d9af2ec44b29675c57adf - -**base librewolf version**: 90.x - -#### Removed preferences -``` -lockPref("security.tls.version.enable-deprecated", false); // default -``` - -## 1.5 - -**target commit**: 23d1bff4f4ae3456df8e50e67f657ea6288eef29 - -**base librewolf version**: 91.x - -**References**: -- [comment](https://github.com/arkenfox/user.js/commit/3bb9fc713f141d794fc4adfb38d3fcf86c9307ab#commitcomment-53916786) from arkenfox's maintainer regarding tls version pref -- [mozilla update service](https://support.mozilla.org/en-US/kb/enable-background-updates-firefox-windows) -- extension firewall has been revisited - -#### Removed preferences -``` -lockPref("security.dialog_enable_delay", 700); // default 1000, no need to enforce this -``` - -#### Added preferences -``` -defaultPref("app.update.background.scheduling.enabled", false); // Win specific update service -defaultPref("security.tls.version.enable-deprecated", false); // default but helps resetting the preference -// defaultPref("extensions.webextensions.base-content-security-policy.v3", "default-src 'none'; script-src 'none'; object-src 'none';"); -``` - -#### Changed preferences -``` -// defaultPref("extensions.webextensions.base-content-security-policy", "default-src 'none'; script-src 'none'; object-src 'none';"); -``` - -## 1.6 - -**target commit**: - -**base librewolf version**: 91.x - -**References**: -- [reasoning on webgl2](https://github.com/arkenfox/user.js/commit/41c3c0ec26ef4392169fa1d04fd5783ac03bfc8e) from arkenfox's maintainer, basically disabling webgl is enough for those who don't need it. users who want it have one less pref to change. - -#### Removed preferences -``` -defaultPref("dom.targetBlankNoOpener.enabled", true); // default since v79.0 -defaultPref("webgl.enable-webgl2", false); -lockPref("browser.newtabpage.activity-stream.feeds.section.highlights", false); // default -``` - ## 2.0 **References**: @@ -139,6 +16,9 @@ lockPref("browser.newtabpage.activity-stream.feeds.section.highlights", false); - graphite [is no longer as concerning](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite) and blocking it is likely fingerprintable. - the pdf prefs and the bookmark backup are not really relevant to librewolf. - as reported [here](https://bugzilla.mozilla.org/show_bug.cgi?id=1606624) the shared memory pref is no longer needed, so we can switch it back to default. +- new tab page section now includes a new design and no longer an empty page. all the unnecessary preferences have been removed and users can also customize as the most essential ones have been unlocked. +- UI bug in tracking protection section is fixed. +- a bunch of dead links are fixed. **Notes** Recent changes in the category `MISC > set librewolf support and releases urls` require to create a couple header for the landing page page. @@ -177,8 +57,6 @@ lockPref("security.mixed_content.block_active_content", true); // default defaultPref("security.insecure_connection_text.pbmode.enabled", true); // redundant lockPref("browser.safebrowsing.downloads.remote.block_dangerous", false); lockPref("browser.safebrowsing.downloads.remote.block_dangerous_host", false); -lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); -lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false); lockPref("gfx.font_rendering.graphite.enabled", false); // consider removing defaultPref("pdfjs.previousHandler.alwaysAskBeforeHandling", true); defaultPref("pdfjs.enabledCache.state", false); @@ -208,6 +86,31 @@ lockPref("network.connectivity-service.DNSv6.domain", ""); // redundant lockPref("network.connectivity-service.DNSv4.domain", ""); // redundant lockPref("browser.crashReports.unsubmittedCheck.enabled", false); // default lockPref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // default +lockPref("browser.newtabpage.activity-stream.feeds.newtabinit", false); +lockPref("browser.newtabpage.activity-stream.feeds.places", false); +lockPref("browser.newtabpage.activity-stream.feeds.systemtick", false); +lockPref("browser.newtabpage.activity-stream.feeds.system.topsites", false); +lockPref("browser.newtabpage.activity-stream.asrouter.providers.messaging-experiments", ""); +lockPref("browser.newtabpage.activity-stream.asrouter.providers.message-groups", ""); +lockPref("browser.newtabpage.activity-stream.asrouter.providers.cfr-fxa", ""); +lockPref("browser.newtabpage.activity-stream.asrouter.providers.cfr", ""); +lockPref("browser.newtabpage.activity-stream.asrouter.providers.whats-new-panel", "{\"id\":\"whats-new-panel\",\"enabled\":false}"); +lockPref("browser.newtabpage.activity-stream.asrouter.devtoolsEnableds", true); +lockPref("browser.newtabpage.activity-stream.telemetry.structuredIngestion.endpoint", ""); +lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts", false); +lockPref("browser.newtabpage.activity-stream.improvesearch.handoffToAwesomebar", false); +lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines", ""); +lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned", ""); +defaultPref("dom.push.userAgentID", ""); // push notifications are already disabled +lockPref("services.settings.server", ""); // redundant with patches +lockPref("webchannel.allowObject.urlWhitelist", ""); // deprecated +``` + +#### Added preferences +``` +defaultPref("browser.download.useDownloadDir", false); // force user interaction on downloads, by always asking location +// defaultPref("security.remote_settings.crlite_filters.enabled", true); +// defaultPref("security.pki.crlite_mode", 2); ``` #### Commented prefs @@ -254,4 +157,132 @@ defaultPref("browser.privatebrowsing.forceMediaMemoryCache", true); defaultPref("app.update.url.details", "https://gitlab.com/librewolf-community/browser"); defaultPref("app.update.url.manual", "https://gitlab.com/librewolf-community/browser"); defaultPref("network.protocol-handler.external.ms-windows-store", false); -``` \ No newline at end of file +defaultPref("browser.newtab.preload", false); +defaultPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false); +defaultPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false); +defaultPref("browser.newtabpage.activity-stream.feeds.topsites", false); +``` + +## 1.6 + +**target commit**: + +**base librewolf version**: 91.x + +**References**: +- [reasoning on webgl2](https://github.com/arkenfox/user.js/commit/41c3c0ec26ef4392169fa1d04fd5783ac03bfc8e) from arkenfox's maintainer, basically disabling webgl is enough for those who don't need it. users who want it have one less pref to change. + +#### Removed preferences +``` +defaultPref("dom.targetBlankNoOpener.enabled", true); // default since v79.0 +defaultPref("webgl.enable-webgl2", false); +lockPref("browser.newtabpage.activity-stream.feeds.section.highlights", false); // default +``` + +## 1.5 + +**target commit**: 23d1bff4f4ae3456df8e50e67f657ea6288eef29 + +**base librewolf version**: 91.x + +**References**: +- [comment](https://github.com/arkenfox/user.js/commit/3bb9fc713f141d794fc4adfb38d3fcf86c9307ab#commitcomment-53916786) from arkenfox's maintainer regarding tls version pref +- [mozilla update service](https://support.mozilla.org/en-US/kb/enable-background-updates-firefox-windows) +- extension firewall has been revisited + +#### Removed preferences +``` +lockPref("security.dialog_enable_delay", 700); // default 1000, no need to enforce this +``` + +#### Added preferences +``` +defaultPref("app.update.background.scheduling.enabled", false); // Win specific update service +defaultPref("security.tls.version.enable-deprecated", false); // default but helps resetting the preference +// defaultPref("extensions.webextensions.base-content-security-policy.v3", "default-src 'none'; script-src 'none'; object-src 'none';"); +``` + +#### Changed preferences +``` +// defaultPref("extensions.webextensions.base-content-security-policy", "default-src 'none'; script-src 'none'; object-src 'none';"); +``` + +## 1.4 +**target commit**: 2e21db4c3018321a077d9af2ec44b29675c57adf + +**base librewolf version**: 90.x + +#### Removed preferences +``` +lockPref("security.tls.version.enable-deprecated", false); // default +``` + +## 1.3 +**target commit**: 60e75e30c6018a5c909a2f00f40831ed3f1948a6 + +**base librewolf version**: 90.x + +#### Added preferences +``` +defaultPref("network.http.windows-sso.enabled", false); +``` + +#### Removed preferences +``` +lockPref("browser.cache.offline.storage.enable", false); // pref does not exist anymore as it became default behavior +``` + +## 1.2 +**target commit**: 294724fae38ffa4ebcf6dfb0854787fb7022d1e6 + +**base librewolf version**: 89.x + +**References**: +- issue [#65](https://gitlab.com/librewolf-community/settings/-/issues/65) from settings +- issue [#22](https://gitlab.com/librewolf-community/browser/common/-/issues/22) from common + +#### Removed preferences +``` +defaultPref("dom.webaudio.enabled", false); +defaultPref("media.navigator.enabled", false); +``` + +#### Changed preferences +``` +defaultPref("app.support.baseURL", "https://gitlab.com/librewolf-community/settings/-/wikis/support#"); +``` + +## 1.1 +**target commit**: cf0a2cc88acdbc51b138228353a0d7c9ea0db7c3 + +**base librewolf version**: 89.x + +**References**: +- issue [#54](https://gitlab.com/librewolf-community/settings/-/issues/54) from settings +- merge request [#5](https://gitlab.com/librewolf-community/browser/common/-/merge_requests/5) from common + +#### Removed preferences +``` +defaultPref("security.OCSP.require", false); // default value +defaultPref("extensions.update.url", ""); +defaultPref("extensions.update.background.url", ""); +defaultPref("extensions.getAddons.search.browseURL", ""); +``` + +#### Changed preferences +``` +defaultPref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); +``` + +#### Added preferences +``` +lockPref("privacy.override_rfp_for_color_scheme", false); +``` + + +## 1.0 +**target commit**: 2b8dc4ac6d7fb6fdf8f172d04c27912098268257 + +**base librewolf version**: 89.x + +This is the initial release from which we start tagging and versioning settings. diff --git a/librewolf.cfg b/librewolf.cfg index 7892204..3d4a5c9 100755 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -1,27 +1,13 @@ -//---------------| -// LibreWolf | -//---------------| -// Glossary: | -// ================================================================================================================================| -// | -// "Section" : Description of the settings section separated by "----" | -// "Pref" : Preference/Settings name and or description followed by links or documentations | -// and some time explanation why the setting is commented and ignored. | -// "lockPref" : Locked preference can not be changed on firefox, nor by extensions, can only be changed here | -// lockPref is used to lock preferences so they cannot be changed through the GUI or about:config. | -// In many cases the GUI will change to reflect this, graying out or removing options. Appears | -// in about:config as "locked". Some config items require lockPref to be set, such as app.update.enabled. | -// It will not work if it set with just pref. | -// "pref" : Sets the preference as if a user had set it, every time you start the browser. So users can make changes, | -// but they will be erased on restart. If you set a particular preference this way, | -// it shows up in about:config as "user set". | -// "defaultPref" : Defaulting : Is used to alter the default value, though users can set it normally and their changes will | -// be saved between sessions. If preferences are reset to default through the GUI or some other method, | -// this is what they will go back to. Appears in about:config as "default". | -// "clearPref" : Can be used to "blank" certain preferences. This can be useful e.g. to disable functions | -// that rely on comparing version numbers. | -// | -// ================================================================================================================================| +//----------------------| +// LibreWolf settings | +//----------------------| + +/** + + NOTE: please take the time to read and understand, but also to customize the settings to find your own setup. + the answers to the most common questions are at this link https://gitlab.com/librewolf-community/settings/-/wikis/FAQ + + */ defaultPref("librewolf.cfg.version", "2.0"); @@ -30,7 +16,7 @@ defaultPref("librewolf.cfg.version", "2.0"); // ------------------------------------------- defaultPref("network.cookie.cookieBehavior", 5); // dFPI, same as strict mode -defaultPref("network.cookie.lifetimePolicy", 2); // keep cookies until the browser is closed then delete everything not in exceptions +defaultPref("network.cookie.lifetimePolicy", 2); // keep cookies until the browser is closed then delete everything minus exceptions // make third party and http cookies session-only defaultPref("network.cookie.thirdparty.sessionOnly", true); @@ -53,12 +39,12 @@ defaultPref("browser.formfill.enable", false); defaultPref("browser.sessionstore.privacy_level", 2); defaultPref("browser.sessionstore.interval", 60000); -// ------------- +// ---------------------- // # NETWORKING -// ------------- +// ---------------------- // https and mixed content -defaultPref("dom.security.https_only_mode", true); // enforce https in all windows, including private browsing +defaultPref("dom.security.https_only_mode", true); // only allow https in all windows, including private browsing defaultPref("network.auth.subresource-http-auth-allow", 1); // stop cross-origin resources from using HTTP authentication defaultPref("security.insecure_connection_text.enabled", true); // display http websites as insecure in the ui defaultPref("security.mixed_content.block_display_content", true); // block insecure passive content @@ -98,9 +84,9 @@ lockPref("network.http.speculative-parallel-limit", 0); // disable prefetching o defaultPref("network.manage-offline-status", false); // let user control the offline behavior -// ------ +// ------------ // # DOM -// ------ +// ------------ // pop-ups and window related preferences defaultPref("dom.disable_beforeunload", true); // disable "confirm you want to leave" pop-ups on close @@ -114,7 +100,6 @@ defaultPref("browser.link.open_newwindow.restriction", 0); // ignore the size wh // push notifications and service workeers defaultPref("dom.push.enabled", false); // disable push notifications defaultPref("dom.push.serverURL", ""); // default "wss://push.services.mozilla.com/" -defaultPref("dom.push.userAgentID", ""); defaultPref("dom.serviceWorkers.enabled", false); // disable service workers, must enable for push notifications defaultPref("dom.storage.next_gen", true); // will be default from v92.0, keep and eye on @@ -177,6 +162,10 @@ defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict publ defaultPref("security.pki.sha1_enforcement_level", 1); // disable sha-1 certificates defaultPref("security.OCSP.enabled", 0); // disable OCSP fetching +// crl with no OCSP fallback. commented for now but review +// defaultPref("security.remote_settings.crlite_filters.enabled", true); +// defaultPref("security.pki.crlite_mode", 2); + // safe negotiation defaultPref("security.ssl.require_safe_negotiation", true); // block websites that do not support safe negotiation, occasional breakage defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true); // show warning when safe negotiation is not enable and website is accessed @@ -193,11 +182,13 @@ lockPref("permissions.manager.defaultsUrl", ""); // revoke special permissions f defaultPref("gfx.font_rendering.opentype_svg.enabled", false); // disale svg opentype fonts +defaultPref("browser.download.useDownloadDir", false); // force user interaction on downloads, by always asking location + lockPref("security.csp.enable", true); // default -// ------------------------------------------------------- +// --------------------------------- // # SAFE BROWSING -// ------------------------------------------------------- +// --------------------------------- // disable safe browsing, including the fetch of updates and all outgoing connections defaultPref("browser.safebrowsing.malware.enabled", false); @@ -209,11 +200,13 @@ defaultPref("browser.safebrowsing.provider.google.gethashURL", ""); defaultPref("browser.safebrowsing.provider.google.updateURL", ""); // disable safe browsing checks on downloads, both local and remote -defaultPref("browser.safebrowsing.downloads.enabled", false); -defaultPref("browser.safebrowsing.downloads.remote.enabled", false); -defaultPref("browser.safebrowsing.downloads.remote.url", ""); +lockPref("browser.safebrowsing.downloads.enabled", false); +lockPref("browser.safebrowsing.downloads.remote.enabled", false); +lockPref("browser.safebrowsing.downloads.remote.url", ""); +lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); +lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false); -// other safe browsing options, all default but security in depth +// other safe browsing options, all default but enforce lockPref("browser.safebrowsing.passwords.enabled", false); lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false); lockPref("browser.safebrowsing.provider.google4.dataSharingURL", ""); @@ -319,30 +312,31 @@ defaultPref("browser.tabs.loadBookmarksInTabs", true); // always open bookmarks // # TRACKING PROTECTION // ----------------------------------- -// review entire section +pref("browser.contentblocking.category", "custom"); // set tracking protection category, using pref solves the UI bug -pref("browser.contentblocking.category", "custom"); // do not lock as it breaks UI even more, using pref solves the UI bug +// enable / disable TP in normal and private browsing lockPref("privacy.trackingprotection.enabled", false); lockPref("privacy.trackingprotection.pbmode.enabled", false); -defaultPref("privacy.trackingprotection.cryptomining.enabled", false); -defaultPref("privacy.trackingprotection.fingerprinting.enabled", false); -lockPref("privacy.trackingprotection.annotate_channels", false); + +lockPref("privacy.trackingprotection.annotate_channels", false); // reduce priority of trackers, remove if TP is on // remove urls to fetch contentblocking lists. // without these urls TP cannot work. the lists are not shipped with the browser but download on first launch. defaultPref("browser.safebrowsing.provider.mozilla.updateURL", ""); defaultPref("browser.safebrowsing.provider.mozilla.gethashURL", ""); -// hide ui elements for blocking lists in custom mode UI +// disable blocking lists and hide ui elements in custom mode UI, if TP is enabled revert to true +defaultPref("privacy.trackingprotection.cryptomining.enabled", false); +defaultPref("privacy.trackingprotection.fingerprinting.enabled", false); defaultPref("browser.contentblocking.cryptomining.preferences.ui.enabled", false); defaultPref("browser.contentblocking.fingerprinting.preferences.ui.enabled", false); -// hide ui elements from about:protections -lockPref("browser.contentblocking.report.hide_vpn_banner", true); -lockPref("browser.contentblocking.report.show_mobile_app", false); +// hide annoying ui elements from about:protections defaultPref("browser.contentblocking.report.lockwise.enabled", false); defaultPref("browser.contentblocking.report.monitor.enabled", false); +lockPref("browser.contentblocking.report.hide_vpn_banner", true); lockPref("browser.contentblocking.report.vpn.enabled", false); +lockPref("browser.contentblocking.report.show_mobile_app", false); // -------------------------------------- // # EXTENSIONS @@ -426,45 +420,27 @@ lockPref("browser.uitour.url", ""); // # NEW TAB PAGE // ------------------------------------ -// review full section -lockPref("browser.newtab.preload", false); -lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); -lockPref("browser.newtabpage.activity-stream.feeds.newtabinit", false); -lockPref("browser.newtabpage.activity-stream.feeds.places", false); -lockPref("browser.newtabpage.activity-stream.feeds.systemtick", false); +defaultPref("browser.newtab.preload", false); +defaultPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false); +defaultPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false); +defaultPref("browser.newtabpage.activity-stream.feeds.topsites", false); + +// hide pocket and sponsored content, from new tab page and search bar lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false); -lockPref("browser.newtabpage.activity-stream.feeds.topsites", false); -lockPref("browser.newtabpage.activity-stream.feeds.system.topsites", false); lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false); lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false); -lockPref("browser.newtabpage.activity-stream.feeds.snippets", false); // default -lockPref("browser.newtabpage.activity-stream.feeds.section.topstories.options", ""); -lockPref("browser.newtabpage.activity-stream.section.highlights.includeBookmarks", false); -lockPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false); -lockPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false); -lockPref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); +lockPref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}"); // hide buggy pocket section from about:preferences#home lockPref("browser.newtabpage.activity-stream.showSponsored", false); lockPref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); +lockPref("browser.newtabpage.activity-stream.telemetry", false); +lockPref("browser.newtabpage.activity-stream.default.sites", ""); +lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); +lockPref("browser.newtabpage.activity-stream.discoverystream.enabled", false); +lockPref("browser.newtabpage.activity-stream.feeds.snippets", false); // default + +// disable recommend as you browse lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); -lockPref("browser.newtabpage.activity-stream.asrouter.providers.messaging-experiments", ""); -lockPref("browser.newtabpage.activity-stream.asrouter.providers.message-groups", ""); -lockPref("browser.newtabpage.activity-stream.asrouter.providers.cfr-fxa", ""); -lockPref("browser.newtabpage.activity-stream.asrouter.providers.cfr", ""); -lockPref("browser.newtabpage.activity-stream.asrouter.providers.whats-new-panel", "{\"id\":\"whats-new-panel\",\"enabled\":false}"); -lockPref("browser.newtabpage.activity-stream.asrouter.devtoolsEnableds", true); -lockPref("browser.newtabpage.activity-stream.telemetry", false); -lockPref("browser.newtabpage.activity-stream.telemetry.structuredIngestion.endpoint", ""); -lockPref("browser.newtabpage.activity-stream.default.sites", ""); -lockPref("browser.newtabpage.activity-stream.discoverystream.enabled", false); -lockPref("browser.newtabpage.activity-stream.discoverystream.config", "{\"collapsible\":true,\"enabled\":false,\"personalized\":false,\"layout_endpoint\":\"\"}"); -lockPref("browser.newtabpage.activity-stream.discoverystream.endpoints", ""); -lockPref("browser.newtabpage.activity-stream.discoverystream.engagementLabelEnabled", false); // default -lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts", false); -lockPref("browser.newtabpage.activity-stream.improvesearch.handoffToAwesomebar", false); -lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines", ""); -lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned", ""); -lockPref("browser.newtabpage.activity-stream.fxaccounts.endpoint", ""); // -------------------------------- // # TELEMETRY @@ -535,13 +511,6 @@ lockPref("default-browser-agent.enabled", false); // disable windows specific te defaultPref("network.http.windows-sso.enabled", false); // disable MS auto authentication via sso -// ----------------- -// # REVIEW -// ----------------- - -lockPref("services.settings.server", ""); -lockPref("webchannel.allowObject.urlWhitelist", ""); - // ----------------------------------- // # OVERRIDES // ----------------------------------- From d1f1d475e3b68ffd35de6a7c4da3f56e9ff6aef1 Mon Sep 17 00:00:00 2001 From: fxbrit Date: Sun, 29 Aug 2021 10:58:10 +0200 Subject: [PATCH 3/7] review screensharing --- docs/Changelog.md | 4 ++++ librewolf.cfg | 5 ----- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index e89467c..7550dfd 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -19,6 +19,7 @@ Setting versions are documented using the pref `librewolf.cfg.version`, availabl - new tab page section now includes a new design and no longer an empty page. all the unnecessary preferences have been removed and users can also customize as the most essential ones have been unlocked. - UI bug in tracking protection section is fixed. - a bunch of dead links are fixed. +- for screensharing see [testing provided at this link](https://github.com/arkenfox/user.js/issues/1245) **Notes** Recent changes in the category `MISC > set librewolf support and releases urls` require to create a couple header for the landing page page. @@ -104,6 +105,9 @@ lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcut defaultPref("dom.push.userAgentID", ""); // push notifications are already disabled lockPref("services.settings.server", ""); // redundant with patches lockPref("webchannel.allowObject.urlWhitelist", ""); // deprecated +defaultPref("media.getusermedia.browser.enabled", false); +defaultPref("media.getusermedia.screensharing.enabled", false); +defaultPref("media.getusermedia.audiocapture.enabled", false); ``` #### Added preferences diff --git a/librewolf.cfg b/librewolf.cfg index 3d4a5c9..662b4db 100755 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -128,11 +128,6 @@ defaultPref("media.peerconnection.ice.default_address_only", true); defaultPref("media.peerconnection.ice.no_host", true); defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); -// screensharing, review -defaultPref("media.getusermedia.browser.enabled", false); -defaultPref("media.getusermedia.screensharing.enabled", false); -defaultPref("media.getusermedia.audiocapture.enabled", false); - // autoplay defaultPref("media.autoplay.blocking_policy", 2); // only allow to play when a certain element is clicked defaultPref("media.autoplay.default", 5); // personal preference, currently apply blocking policy to all autplay including muted From 174bd0c152084b25a63bb27eb0253200c84e16aa Mon Sep 17 00:00:00 2001 From: fxbrit Date: Sun, 29 Aug 2021 11:00:37 +0200 Subject: [PATCH 4/7] unlock one more pref for new settings UI patch --- docs/Changelog.md | 1 + librewolf.cfg | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 7550dfd..86f952a 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -165,6 +165,7 @@ defaultPref("browser.newtab.preload", false); defaultPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false); defaultPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false); defaultPref("browser.newtabpage.activity-stream.feeds.topsites", false); +defaultPref("browser.safebrowsing.downloads.enabled", false); ``` ## 1.6 diff --git a/librewolf.cfg b/librewolf.cfg index 662b4db..40b199d 100755 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -195,7 +195,7 @@ defaultPref("browser.safebrowsing.provider.google.gethashURL", ""); defaultPref("browser.safebrowsing.provider.google.updateURL", ""); // disable safe browsing checks on downloads, both local and remote -lockPref("browser.safebrowsing.downloads.enabled", false); +defaultPref("browser.safebrowsing.downloads.enabled", false); lockPref("browser.safebrowsing.downloads.remote.enabled", false); lockPref("browser.safebrowsing.downloads.remote.url", ""); lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); From c16c0911f36114b0bf1621b155635873a33ffc14 Mon Sep 17 00:00:00 2001 From: fxbrit Date: Thu, 23 Sep 2021 12:17:54 +0200 Subject: [PATCH 5/7] improve descriptions, trim one more pref --- docs/Changelog.md | 3 ++- librewolf.cfg | 12 +++++------- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 86f952a..65e6431 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -12,7 +12,7 @@ Setting versions are documented using the pref `librewolf.cfg.version`, availabl - VR access is behind a prompt and, despite being unlikely, it could be fingerprinted. with all this on the table it's just not worth and overkill. - vibrator API is so nieche that even tor does not change it. best to trim where possible. - `extensions.getAddons.link.url"` is showed only when no extension is installed and it's not a bad suggestion to get addons from addons.mozilla.org so we can remove it. -- `browser.safebrowsing.downloads.remote.*` are all controlled by the 3 prefs already in the .cfg, which is the same approach taken by tor browser. +- `browser.safebrowsing.downloads.remote.*` are all controlled by the prefs already in the .cfg, which is the same approach taken by tor browser. - graphite [is no longer as concerning](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite) and blocking it is likely fingerprintable. - the pdf prefs and the bookmark backup are not really relevant to librewolf. - as reported [here](https://bugzilla.mozilla.org/show_bug.cgi?id=1606624) the shared memory pref is no longer needed, so we can switch it back to default. @@ -108,6 +108,7 @@ lockPref("webchannel.allowObject.urlWhitelist", ""); // deprecated defaultPref("media.getusermedia.browser.enabled", false); defaultPref("media.getusermedia.screensharing.enabled", false); defaultPref("media.getusermedia.audiocapture.enabled", false); +defaultPref("dom.storage.next_gen", true); // default from v92.0 ``` #### Added preferences diff --git a/librewolf.cfg b/librewolf.cfg index 40b199d..5a963b3 100755 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -102,8 +102,6 @@ defaultPref("dom.push.enabled", false); // disable push notifications defaultPref("dom.push.serverURL", ""); // default "wss://push.services.mozilla.com/" defaultPref("dom.serviceWorkers.enabled", false); // disable service workers, must enable for push notifications -defaultPref("dom.storage.next_gen", true); // will be default from v92.0, keep and eye on - // -------------------------------- // # CACHE AND TEMPORARY FILES // -------------------------------- @@ -124,9 +122,9 @@ defaultPref("browser.pagethumbnails.capturing_disabled", true); // disable page defaultPref("media.peerconnection.enabled", false); // master switch // limit potential IP leaks for webrtc users -defaultPref("media.peerconnection.ice.default_address_only", true); -defaultPref("media.peerconnection.ice.no_host", true); -defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); +defaultPref("media.peerconnection.ice.default_address_only", true); // use public IP for ICE candidates +defaultPref("media.peerconnection.ice.no_host", true); // don't use local IP for ICE candidates +defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // force webrtc inside proxy for proxy users // autoplay defaultPref("media.autoplay.blocking_policy", 2); // only allow to play when a certain element is clicked @@ -143,7 +141,7 @@ defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); // prev defaultPref("browser.startup.blankWindow", false); // if set to true it breaks RFP windows resizing defaultPref("browser.display.use_system_colors", false); // default but enforced due to RFP -// librewolf specifc pref, prevents rfp from forcing light theme +// librewolf specifc pref that prevents rfp from forcing light theme, review lockPref("privacy.override_rfp_for_color_scheme", false); defaultPref("webgl.disabled", true); // master switch, disable webgl @@ -153,7 +151,7 @@ defaultPref("webgl.disabled", true); // master switch, disable webgl // -------------------------------- // certificates -defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning, review as could be deprecated +defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning defaultPref("security.pki.sha1_enforcement_level", 1); // disable sha-1 certificates defaultPref("security.OCSP.enabled", 0); // disable OCSP fetching From 9014c24b79ec01eaeeda2fe6a1b96eca05db3ad3 Mon Sep 17 00:00:00 2001 From: fxbrit Date: Fri, 24 Sep 2021 11:53:51 +0200 Subject: [PATCH 6/7] disable firefox suggests --- docs/Changelog.md | 4 +++- librewolf.cfg | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index 65e6431..be923bf 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -20,9 +20,10 @@ Setting versions are documented using the pref `librewolf.cfg.version`, availabl - UI bug in tracking protection section is fixed. - a bunch of dead links are fixed. - for screensharing see [testing provided at this link](https://github.com/arkenfox/user.js/issues/1245) +- disable new firefox suggests feature **Notes** -Recent changes in the category `MISC > set librewolf support and releases urls` require to create a couple header for the landing page page. +Recent changes in the category `MISC > set librewolf support and releases urls` require to create a couple header for the landing page. #### Removed preferences ``` @@ -116,6 +117,7 @@ defaultPref("dom.storage.next_gen", true); // default from v92.0 defaultPref("browser.download.useDownloadDir", false); // force user interaction on downloads, by always asking location // defaultPref("security.remote_settings.crlite_filters.enabled", true); // defaultPref("security.pki.crlite_mode", 2); +defaultPref("browser.urlbar.quicksuggest.enabled", false); // disable firefox suggests and hide its UI ``` #### Commented prefs diff --git a/librewolf.cfg b/librewolf.cfg index 5a963b3..667a558 100755 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -246,6 +246,7 @@ lockPref("browser.region.update.enabled", false); // disable search suggestions defaultPref("browser.urlbar.suggest.searches", false); defaultPref("browser.search.suggest.enabled", false); +defaultPref("browser.urlbar.quicksuggest.enabled", false); // disable firefox suggests and hide its UI defaultPref("browser.search.region", "US"); // set a default search region for all users defaultPref("browser.search.update", false); // do not update open search search engines From b17a1ed657e22ac61b4399699223d36724b842e7 Mon Sep 17 00:00:00 2001 From: fxbrit Date: Fri, 24 Sep 2021 12:42:32 +0200 Subject: [PATCH 7/7] proper fix for firefox suggests feature --- docs/Changelog.md | 2 +- librewolf.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index be923bf..244d0e6 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -117,7 +117,7 @@ defaultPref("dom.storage.next_gen", true); // default from v92.0 defaultPref("browser.download.useDownloadDir", false); // force user interaction on downloads, by always asking location // defaultPref("security.remote_settings.crlite_filters.enabled", true); // defaultPref("security.pki.crlite_mode", 2); -defaultPref("browser.urlbar.quicksuggest.enabled", false); // disable firefox suggests and hide its UI +pref("browser.urlbar.quicksuggest.scenario", ""); // disable firefox suggests and hide its UI ``` #### Commented prefs diff --git a/librewolf.cfg b/librewolf.cfg index 667a558..cc6752f 100755 --- a/librewolf.cfg +++ b/librewolf.cfg @@ -246,7 +246,7 @@ lockPref("browser.region.update.enabled", false); // disable search suggestions defaultPref("browser.urlbar.suggest.searches", false); defaultPref("browser.search.suggest.enabled", false); -defaultPref("browser.urlbar.quicksuggest.enabled", false); // disable firefox suggests and hide its UI +pref("browser.urlbar.quicksuggest.scenario", ""); // disable firefox suggests and hide its UI defaultPref("browser.search.region", "US"); // set a default search region for all users defaultPref("browser.search.update", false); // do not update open search search engines