From f0a2d5d70657cc87348282d6faaf72edff8bf304 Mon Sep 17 00:00:00 2001
From: fxbrit
Date: Tue, 2 Nov 2021 01:05:50 +0100
Subject: [PATCH] enable TP strict mode, update uBO, allow master psw
---
 distribution/policies.json | 3 +-
 docs/Changelog.md | 44 +++++++++++-
 librewolf.cfg | 139 +++++++++++++++++--------------------
 3 files changed, 108 insertions(+), 78 deletions(-)
diff --git a/distribution/policies.json b/distribution/policies.json
index 8141c6a..e31a2f0 100644
--- a/distribution/policies.json
+++ b/distribution/policies.json
@@ -8,7 +8,6 @@
 "DisableSystemAddonUpdate": true,
 "DisableFirefoxAccounts": true,
 "DisableProfileImport": false,
- "DisableMasterPasswordCreation": true,
 "DisableFirefoxStudies": true,
 "DisableTelemetry": true,
 "DisableFeedbackCommands": true,
@@ -31,7 +30,7 @@
 },
 "Extensions": {
 "Install": [
- "https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.38.2-an+fx.xpi"
+ "https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.38.6-an+fx.xpi"
 ],
 "Uninstall": [
 "google@search.mozilla.org",
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 244d0e6..bf21ae4 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
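Review bot: Neither policies.json change is recorded in the 3.0 changelog entry added in this same commit: the removal of `"DisableMasterPasswordCreation": true` (the browser now falls back to Firefox's default, which lets users create a primary password) and the uBlock Origin bump from 1.38.2 to 1.38.6 appear only in the commit subject. Suggest listing both under the 3.0 **Notes** so the policy history is as traceable as the pref history. The Install entry is a bare URL pinned to one xpi version; since librewolf.cfg sets `extensions.update.enabled` to false, this pin is presumably the only path by which the shipped uBO gets newer, so it is worth keeping in step with upstream releases.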
@@ -1,8 +1,48 @@
 This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version. Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config.
+## 3.0
+
+**target commit**:
+
+**base librewolf version**: 94.x
+
+**References**:
+- as reported in #95 and discussed [here](https://gitlab.com/librewolf-community/browser/linux/-/issues/246) we are re-enabling TP by default, setting it to strict.
+- the sponsored shortcuts in about:preferences#home were already locked, now they are properly hidden.
+
+**Notes**: all the removed preferences were either related to disabling TP, or unecessary when using strict mode. as a result of this trimming the tracking protection section of the .cfg file doesn't need to exist anymore.
+
+#### Added preferences
+```
+defaultPref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button from about:preferences#home
+defaultPref("privacy.resistFingerprinting.letterboxing", false); // expose hidden letterboxing pref, but do not enable by default
+```
+
+#### Removed preferences
+```
+lockPref("privacy.trackingprotection.enabled", false);
+lockPref("privacy.trackingprotection.pbmode.enabled", false);
+lockPref("privacy.trackingprotection.annotate_channels", false);
+defaultPref("browser.safebrowsing.provider.mozilla.updateURL", "");
+defaultPref("browser.safebrowsing.provider.mozilla.gethashURL", "");
+defaultPref("privacy.trackingprotection.cryptomining.enabled", false);
+defaultPref("privacy.trackingprotection.fingerprinting.enabled", false);
+defaultPref("browser.contentblocking.cryptomining.preferences.ui.enabled", false);
+defaultPref("browser.contentblocking.fingerprinting.preferences.ui.enabled", false);
+```
+
+#### Changed preferences
+```
+pref("browser.contentblocking.category", "strict");
+```
+
 ## 2.0
+**target commit**: from 6451faa167568313e5ed065fcb3ee2bb76132063 to
b17a1ed657e22ac61b4399699223d36724b842e7
+
+**base librewolf version**: 92.x
+
 **References**:
 - [web content can no longer access the battery api](https://bugzilla.mozilla.org/show_bug.cgi?id=1313580).
 - http alternative services are [isolated by network partitioning and FPI](https://github.com/arkenfox/user.js/blob/269cf965bd51022ca69823f8f66a8e402280d856/user.js#L1350) and they are unchanged even in tor browser. from a security standpoint, the alternate service will need to provide the certificate of the origin in order to be considered trusthworthy.
@@ -120,7 +160,7 @@ defaultPref("browser.download.useDownloadDir", false); // force user interaction
 pref("browser.urlbar.quicksuggest.scenario", ""); // disable firefox suggests and hide its UI
 ```
-#### Commented prefs
+#### Commented preferences
 ```
 // pref("network.trr.mode", 2); // previously uncommented defaultPref with value 5
 // pref("network.trr.uri", "https://dns.quad9.net/dns-query"); // previously uncommented defaultPref with empty value
@@ -173,7 +213,7 @@ defaultPref("browser.safebrowsing.downloads.enabled", false);
 ## 1.6
-**target commit**:
+**target commit**: 192f51abe21e9aeb9b01d396079e9b8533cab7bb
 **base librewolf version**: 91.x
diff --git a/librewolf.cfg b/librewolf.cfg
index cc6752f..a68b028 100755
--- a/librewolf.cfg
+++ b/librewolf.cfg
@@ -9,13 +9,23 @@
 */
-defaultPref("librewolf.cfg.version", "2.0");
+defaultPref("librewolf.cfg.version", "3.0");
-// -------------------------------------------
-// # SANITIZING COOKIES AND HISTORY, SESSIONS
-// -------------------------------------------
+// -------------------------------
+// # SANITIZING, TP, SESSIONS
+// -------------------------------
-defaultPref("network.cookie.cookieBehavior", 5); // dFPI, same as strict mode
+/**
+ strict mode includes:
+ - dFPI for both normal and private browsing
+ - strict blocking lists for trackers, including crypto, fping and socialtracking
+ - shims to avoid breakage caused by blocking lists
+ - stricter policies for xorigin referrers
+ - cookie cleaning mechanism specific to dFPI
+*/
+pref("browser.contentblocking.category", "strict");
+
+defaultPref("network.cookie.cookieBehavior", 5); // dFPI is default for strict mode, but enforce
 defaultPref("network.cookie.lifetimePolicy", 2); // keep cookies until the browser is closed then delete everything minus exceptions
 // make third party and http cookies session-only
@@ -141,6 +151,8 @@ defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); // prev
 defaultPref("browser.startup.blankWindow", false); // if set to true it breaks RFP windows resizing
 defaultPref("browser.display.use_system_colors", false); // default but enforced due to RFP
+defaultPref("privacy.resistFingerprinting.letterboxing", false); // expose hidden letterboxing pref, but do not enable by default
+
 // librewolf specifc pref that prevents rfp from forcing light theme, review
 lockPref("privacy.override_rfp_for_color_scheme", false);
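Review bot: The new `pref("browser.contentblocking.category", "strict");` drops the rationale the removed line carried (`using pref solves the UI bug`), so nothing now explains why this one line uses `pref()` while every neighbour uses `defaultPref()`; suggest `pref("browser.contentblocking.category", "strict"); // pref, not defaultPref: avoids the category UI bug and re-applies the value at each startup`. The next line's comment says the dFPI cookie behaviour is kept "but enforce", yet `defaultPref` only sets the default, which the user or the category UI can still change; if enforcement is the intent, `lockPref` is the call that provides it, otherwise the comment should say it is the enforced default rather than enforced. The strict-mode summary in the new comment block is the author's description and is not verifiable from this page, so it is worth a pointer to where it was taken from.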
@@ -161,7 +173,7 @@ defaultPref("security.OCSP.enabled", 0); // disable OCSP fetching
 // safe negotiation
 defaultPref("security.ssl.require_safe_negotiation", true); // block websites that do not support safe negotiation, occasional breakage
-defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true); // show warning when safe negotiation is not enable and website is accessed
+defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true); // show warning when safe negotiation is not enable and website is accessed
 // tls behavior
 lockPref("security.tls.enable_0rtt_data", false); // disable 0 round trip time to improve tls 1.3 security
@@ -302,36 +314,6 @@ defaultPref("browser.download.autohideButton", false); // hide download button a
 defaultPref("browser.download.manager.addToRecentDocs", false); // do not add downloads to recents
 defaultPref("browser.tabs.loadBookmarksInTabs", true); // always open bookmarks in new tab
-// -----------------------------------
-// # TRACKING PROTECTION
-// -----------------------------------
-
-pref("browser.contentblocking.category", "custom"); // set tracking protection category, using pref solves the UI bug
-
-// enable / disable TP in normal and private browsing
-lockPref("privacy.trackingprotection.enabled", false);
-lockPref("privacy.trackingprotection.pbmode.enabled", false);
-
-lockPref("privacy.trackingprotection.annotate_channels", false); // reduce priority of trackers, remove if TP is on
-
-// remove urls to fetch contentblocking lists.
-// without these urls TP cannot work. the lists are not shipped with the browser but download on first launch.
-defaultPref("browser.safebrowsing.provider.mozilla.updateURL", "");
-defaultPref("browser.safebrowsing.provider.mozilla.gethashURL", "");
-
-// disable blocking lists and hide ui elements in custom mode UI, if TP is enabled revert to true
-defaultPref("privacy.trackingprotection.cryptomining.enabled", false);
-defaultPref("privacy.trackingprotection.fingerprinting.enabled", false);
-defaultPref("browser.contentblocking.cryptomining.preferences.ui.enabled", false);
-defaultPref("browser.contentblocking.fingerprinting.preferences.ui.enabled", false);
-
-// hide annoying ui elements from about:protections
-defaultPref("browser.contentblocking.report.lockwise.enabled", false);
-defaultPref("browser.contentblocking.report.monitor.enabled", false);
-lockPref("browser.contentblocking.report.hide_vpn_banner", true);
-lockPref("browser.contentblocking.report.vpn.enabled", false);
-lockPref("browser.contentblocking.report.show_mobile_app", false);
-
 // --------------------------------------
 // # EXTENSIONS
 //
-------------------------------------- 
@@ -340,41 +322,41 @@ lockPref("browser.contentblocking.report.show_mobile_app", false);
 allow extensions to work on all domains. default is "debug-notes.log"
 */
- defaultPref("extensions.webextensions.restrictedDomains", "");
+defaultPref("extensions.webextensions.restrictedDomains", "");
- // set extensions scopes
- defaultPref("extensions.enabledScopes", 5);
- defaultPref("extensions.autoDisableScopes", 11);
-
- defaultPref("extensions.postDownloadThirdPartyPrompt", false); // force install prompt for thrid party extensions
-
- /**
- prevent users from adding lang packs, which would cause leaks.
- default is https://services.addons.mozilla.org/api/v3/addons/language-tools/?app=firefox&type=language&appversion=%VERSION%
- */
- defaultPref("extensions.getAddons.langpacks.url", "");
-
- // about:addons ui
- defaultPref("extensions.getAddons.showPane", false); // disable recommendations section
- defaultPref("extensions.htmlaboutaddons.recommendations.enabled", false); // disable recommendations from addons list
- defaultPref("lightweightThemes.getMoreURL", ""); // disable button to get more themes
-
- // background checking and updating of extensions
- defaultPref("extensions.update.enabled", false); // disable automatic checks for extension updates
- defaultPref("extensions.update.autoUpdateDefault", false); // disable automatic installs of extension updates
- defaultPref("extensions.getAddons.cache.enabled", false); // disable fetching of extension metadata
-
- // extension firewall, disabled by default
- // defaultPref("extensions.webextensions.base-content-security-policy", "default-src 'none'; script-src 'none'; object-src 'none';");
- // defaultPref("extensions.webextensions.base-content-security-policy.v3", "default-src 'none'; script-src 'none'; object-src 'none';");
-
- // report site issue, disable button and url for in depth defense
- lockPref("extensions.webcompat-reporter.enabled", false);
- lockPref("extensions.webcompat-reporter.newIssueEndpoint",
""); - - // system addons, prevent updates and strip url for in depth defense - defaultPref("extensions.systemAddon.update.enabled", false); - defaultPref("extensions.systemAddon.update.url", ""); +// set extensions scopes +defaultPref("extensions.enabledScopes", 5); +defaultPref("extensions.autoDisableScopes", 11); + +defaultPref("extensions.postDownloadThirdPartyPrompt", false); // force install prompt for thrid party extensions + +/** + prevent users from adding lang packs, which would cause leaks. + default is https://services.addons.mozilla.org/api/v3/addons/language-tools/?app=firefox&type=language&appversion=%VERSION% +*/ +defaultPref("extensions.getAddons.langpacks.url", ""); + +// about:addons ui +defaultPref("extensions.getAddons.showPane", false); // disable recommendations section +defaultPref("extensions.htmlaboutaddons.recommendations.enabled", false); // disable recommendations from addons list +defaultPref("lightweightThemes.getMoreURL", ""); // disable button to get more themes + +// background checking and updating of extensions +defaultPref("extensions.update.enabled", false); // disable automatic checks for extension updates +defaultPref("extensions.update.autoUpdateDefault", false); // disable automatic installs of extension updates +defaultPref("extensions.getAddons.cache.enabled", false); // disable fetching of extension metadata + +// extension firewall, disabled by default +// defaultPref("extensions.webextensions.base-content-security-policy", "default-src 'none'; script-src 'none'; object-src 'none';"); +// defaultPref("extensions.webextensions.base-content-security-policy.v3", "default-src 'none'; script-src 'none'; object-src 'none';"); + +// report site issue, disable button and url for in depth defense +lockPref("extensions.webcompat-reporter.enabled", false); +lockPref("extensions.webcompat-reporter.newIssueEndpoint", ""); + +// system addons, prevent updates and strip url for in depth defense 
+defaultPref("extensions.systemAddon.update.enabled", false);
+defaultPref("extensions.systemAddon.update.url", "");
 // --------------------------------
 // # URLS AND ANNOYANCES
@@ -401,7 +383,7 @@ lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", "");
 lockPref("gecko.handlerService.schemes.ircs.0.name", "");
 lockPref("browser.translation.engine", "");
-// disable welcome, what's new pages and ui tour
+// disable welcome, what is new pages and ui tour
 defaultPref("browser.startup.homepage_override.mstone", "ignore");
 defaultPref("startup.homepage_override_url", "about:blank");
 defaultPref("startup.homepage_welcome_url", "about:blank");
@@ -410,6 +392,15 @@ lockPref("browser.messaging-system.whatsNewPanel.enabled", false);
 lockPref("browser.uitour.enabled", false);
 lockPref("browser.uitour.url", "");
+// hide annoying ui elements from about:protections
+defaultPref("browser.contentblocking.report.lockwise.enabled", false);
+defaultPref("browser.contentblocking.report.monitor.enabled", false);
+lockPref("browser.contentblocking.report.hide_vpn_banner", true);
+lockPref("browser.contentblocking.report.vpn.enabled", false);
+lockPref("browser.contentblocking.report.show_mobile_app", false);
+
+defaultPref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button from about:preferences#home
+
 // ------------------------------------
 // # NEW TAB PAGE
 // ------------------------------------
@@ -417,11 +408,11 @@ lockPref("browser.uitour.url", "");
 defaultPref("browser.newtab.preload", false);
 defaultPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
 defaultPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);
-defaultPref("browser.newtabpage.activity-stream.feeds.topsites", false);
+defaultPref("browser.newtabpage.activity-stream.feeds.topsites", false);
 // hide pocket and sponsored content, from new tab page and search bar
-lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
-lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false);
+lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
+lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false);
 lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false);
 lockPref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}"); // hide buggy pocket section from about:preferences#home
 lockPref("browser.newtabpage.activity-stream.showSponsored", false);