From 7c52bbde49e858367865991614acf54b730905d9 Mon Sep 17 00:00:00 2001
From: fxbrit
Date: Mon, 7 Mar 2022 11:59:11 +0100
Subject: [PATCH 1/5] update fission description

---
 librewolf.cfg | 1 +
 1 file changed, 1 insertion(+)

diff --git a/librewolf.cfg b/librewolf.cfg
index 239a1b2..a9e8800 100755
--- a/librewolf.cfg
+++ b/librewolf.cfg
@@ -186,6 +186,7 @@ defaultPref("webgl.disabled", true);
 
 /** [SECTION] SITE ISOLATION
  * https://wiki.mozilla.org/Project_Fission
+ * this has been rolled out and is now a default on most FF releases
  */
 defaultPref("fission.autostart", true);
 

From 47bdeaae866756f725f30a191e54576280d16325 Mon Sep 17 00:00:00 2001
From: fxbrit
Date: Mon, 7 Mar 2022 12:01:19 +0100
Subject: [PATCH 2/5] improve documenting of crl and ocsp

---
 librewolf.cfg | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/librewolf.cfg b/librewolf.cfg
index a9e8800..c933666 100755
--- a/librewolf.cfg
+++ b/librewolf.cfg
@@ -201,6 +201,8 @@ defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 /**
  * our strategy with revocation is to disable OCSP as it is slower and less privacy minded, and to use
  * CRL instead, particularly the CRLite solution with no OCSP fallback.
+ * switching to crlite mode 3 (v99+) would allow us to detect false positive with OCSP. this would require
+ * enabling OCSP and setting it to hard-fail. OCSP is stapled by default.
  */
 defaultPref("security.OCSP.enabled", 0); // disable ocsp fetching
 defaultPref("security.remote_settings.crlite_filters.enabled", true);

From 8304e043913d147606a96cd294746fbff193adc5 Mon Sep 17 00:00:00 2001
From: fxbrit
Date: Tue, 8 Mar 2022 16:13:58 +0100
Subject: [PATCH 3/5] change history prefs

---
 docs/Changelog.md | 15 +++++++++++++++
 librewolf.cfg | 10 ++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/docs/Changelog.md b/docs/Changelog.md
index 66a1e87..4691c7e 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -1,6 +1,21 @@
 This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version.
 Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config.
 
+# 5.6
+
+**target commit**:
+
+**base librewolf version**: 98.x
+
+**References**:
+- we are going to force history to custom mode and hide the UI for always on PB mode, a bunch of pointers are collected in [this MR](https://gitlab.com/librewolf-community/browser/source/-/merge_requests/21).
+
+#### Added preferences
+```
+pref("privacy.history.custom", true);
+pref("browser.privatebrowsing.autostart", false);
+```
+
 # 5.5
 
 **target commit**:
diff --git a/librewolf.cfg b/librewolf.cfg
index c933666..ecf3137 100755
--- a/librewolf.cfg
+++ b/librewolf.cfg
@@ -6,7 +6,7 @@
  *
  * WARNING: please make sure the first line of this file is empty. this is a known bug.
  */
-defaultPref("librewolf.cfg.version", "5.5");
+defaultPref("librewolf.cfg.version", "5.6");
 
 /** INDEX
 
@@ -38,6 +38,7 @@ defaultPref("librewolf.cfg.version", "5.5");
  * 5. dFPI specific cookie cleaning mechanism
  *
  * the desired category must be set with pref() otherwise it won't stick.
+ * the UI that allows to change mode manually is hidden.
  */
 pref("browser.contentblocking.category", "strict");
 defaultPref("network.cookie.cookieBehavior", 5); // enforce dFPI
@@ -67,7 +68,12 @@ defaultPref("browser.shell.shortcutFavicons", false);
 defaultPref("browser.pagethumbnails.capturing_disabled", true);
 defaultPref("browser.helperApps.deleteTempFileOnExit", true); // delete temporary files opened with external apps
 
-/** [SECTION] HISTORY AND SESSION RESTORE */
+/** [SECTION] HISTORY AND SESSION RESTORE
+ * since we hide the UI for modes other than custom we want to reset it for
+ * everyone. same thing for always on PB mode.
+ */
+pref("privacy.history.custom", true);
+pref("browser.privatebrowsing.autostart", false);
 defaultPref("browser.formfill.enable", false); // disable form history
 defaultPref("browser.sessionstore.privacy_level", 2); // prevent websites from storing session data like cookies and forms
 defaultPref("browser.sessionstore.interval", 60000); // increase time between session saves

From 4fd96942aa3abb94ccc5fdc23361e1e5abcfd13e Mon Sep 17 00:00:00 2001
From: fxbrit
Date: Tue, 8 Mar 2022 16:59:17 +0100
Subject: [PATCH 4/5] add mfM pref, remove handler prefs

---
 docs/Changelog.md | 19 ++++++++++++++++++-
 librewolf.cfg | 14 ++------------
 2 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/docs/Changelog.md b/docs/Changelog.md
index 4691c7e..e760f9f 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
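Review bot: The two new `pref()` calls are re-applied at every startup, so a user who turned on always-on private browsing or picked a non-custom history mode in about:config is silently reset on the next launch; the new header comment explains the motivation but not this consequence, which is exactly what someone debugging a "setting does not stick" report will look for. The file already documents the same mechanism for `browser.contentblocking.category` ("must be set with pref() otherwise it won't stick"), so the same wording fits here, e.g. ` * pref() rather than defaultPref() is deliberate: both values are re-applied on every startup and override a user's own change.` The claim that the mode UI is hidden cannot be verified from this file and presumably lives in the browser patches referenced from the changelog; naming that location in the comment would help the next reader.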
@@ -9,16 +9,33 @@ Setting versions are documented using the pref `librewolf.cfg.version`, availabl
 
 **References**:
 - we are going to force history to custom mode and hide the UI for always on PB mode, a bunch of pointers are collected in [this MR](https://gitlab.com/librewolf-community/browser/source/-/merge_requests/21).
+- [handlers prefs are deprecated](https://bugzilla.mozilla.org/show_bug.cgi?id=1733497).
 
 #### Added preferences
 ```
 pref("privacy.history.custom", true);
 pref("browser.privatebrowsing.autostart", false);
+defaultPref("browser.preferences.moreFromMozilla", false); // hide about:preferences#moreFromMozilla
+```
+
+#### Removed preferences
+```
+/** [SECTION] HANDLERS
+ * remove the default handlers for several tipe of files and services.
+ */
+lockPref("gecko.handlerService.schemes.mailto.0.uriTemplate", "");
+lockPref("gecko.handlerService.schemes.mailto.0.name", "");
+lockPref("gecko.handlerService.schemes.mailto.1.uriTemplate", "");
+lockPref("gecko.handlerService.schemes.mailto.1.name", "");
+lockPref("gecko.handlerService.schemes.irc.0.uriTemplate", "");
+lockPref("gecko.handlerService.schemes.irc.0.name", "");
+lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", "");
+lockPref("gecko.handlerService.schemes.ircs.0.name", "");
 ```
 
 # 5.5
 
-**target commit**:
+**target commit**: 0fc1ff53c99379d9d4625de65ea51287d57a0a3a
 
 **base librewolf version**: 97.x
 
diff --git a/librewolf.cfg b/librewolf.cfg
index ecf3137..f66d593 100755
--- a/librewolf.cfg
+++ b/librewolf.cfg
@@ -434,18 +434,6 @@ defaultPref("app.releaseNotesURL.aboutDialog", "https://gitlab.com/librewolf-com
 defaultPref("app.update.url.details", "https://gitlab.com/librewolf-community/browser");
 defaultPref("app.update.url.manual", "https://gitlab.com/librewolf-community/browser");
 
-/** [SECTION] HANDLERS
- * remove the default handlers for several tipe of files and services.
- */
-lockPref("gecko.handlerService.schemes.mailto.0.uriTemplate", "");
-lockPref("gecko.handlerService.schemes.mailto.0.name", "");
-lockPref("gecko.handlerService.schemes.mailto.1.uriTemplate", "");
-lockPref("gecko.handlerService.schemes.mailto.1.name", "");
-lockPref("gecko.handlerService.schemes.irc.0.uriTemplate", "");
-lockPref("gecko.handlerService.schemes.irc.0.name", "");
-lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", "");
-lockPref("gecko.handlerService.schemes.ircs.0.name", "");
-
 /** [SECTION] FIRST LAUNCH
  * disable what's new and ui tour on first start and updates. the browser
  * should also not stress user about being the default one.
@@ -496,6 +484,8 @@ defaultPref("lightweightThemes.getMoreURL", ""); // disable button to get more t
 defaultPref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button
 // ...and about:config
 defaultPref("browser.aboutConfig.showWarning", false);
+// hide about:preferences#moreFromMozilla
+defaultPref("browser.preferences.moreFromMozilla", false);
 
 /** [SECTION] RECOMMENDED
  * disable all "recommend as you browse" activity.

From a96d3f711017ac31331ae28653cc1e1cbbc0c5ab Mon Sep 17 00:00:00 2001
From: fxbrit
Date: Wed, 9 Mar 2022 15:22:45 +0100
Subject: [PATCH 5/5] add OCSP stapled and hard-fail as backup

---
 docs/Changelog.md | 9 ++++++++-
 librewolf.cfg | 15 ++++++++-------
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/docs/Changelog.md b/docs/Changelog.md
index e760f9f..1b1b657 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -1,7 +1,7 @@
 This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version.
 Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config.
 
-# 5.6
+# 6.0
 
 **target commit**:
 
@@ -10,12 +10,14 @@ Setting versions are documented using the pref `librewolf.cfg.version`, availabl
 **References**:
 - we are going to force history to custom mode and hide the UI for always on PB mode, a bunch of pointers are collected in [this MR](https://gitlab.com/librewolf-community/browser/source/-/merge_requests/21).
 - [handlers prefs are deprecated](https://bugzilla.mozilla.org/show_bug.cgi?id=1733497).
+- for OCSP see [this issue](https://gitlab.com/librewolf-community/settings/-/issues/150).
 
 #### Added preferences
 ```
 pref("privacy.history.custom", true);
 pref("browser.privatebrowsing.autostart", false);
 defaultPref("browser.preferences.moreFromMozilla", false); // hide about:preferences#moreFromMozilla
+defaultPref("security.OCSP.require", true); // set to hard-fail
 ```
 
 #### Removed preferences
@@ -33,6 +35,11 @@ lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", "");
 lockPref("gecko.handlerService.schemes.ircs.0.name", "");
 ```
 
+#### Changed preferences
+```
+defaultPref("security.OCSP.enabled", 1);
+```
+
 # 5.5
 
 **target commit**: 0fc1ff53c99379d9d4625de65ea51287d57a0a3a
diff --git a/librewolf.cfg b/librewolf.cfg
index f66d593..8525c82 100755
--- a/librewolf.cfg
+++ b/librewolf.cfg
@@ -6,7 +6,7 @@
  *
  * WARNING: please make sure the first line of this file is empty. this is a known bug.
  */
-defaultPref("librewolf.cfg.version", "5.6");
+defaultPref("librewolf.cfg.version", "6.0");
 
 /** INDEX
 
@@ -205,14 +205,15 @@ defaultPref("security.pki.sha1_enforcement_level", 1); // disable sha-1 certific
 defaultPref("security.ssl.require_safe_negotiation", true);
 defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 /**
- * our strategy with revocation is to disable OCSP as it is slower and less privacy minded, and to use
- * CRL instead, particularly the CRLite solution with no OCSP fallback.
- * switching to crlite mode 3 (v99+) would allow us to detect false positive with OCSP. this would require
- * enabling OCSP and setting it to hard-fail. OCSP is stapled by default.
+ * our strategy with revocation is to perform all possible checks with CRL, but when a cert
+ * cannot be checked with it we use OCSP stapled with hard-fail, to still keep privacy and
+ * increase security.
+ * switching to crlite mode 3 (v99+) would allow us to detect false positive with OCSP.
  */
-defaultPref("security.OCSP.enabled", 0); // disable ocsp fetching
 defaultPref("security.remote_settings.crlite_filters.enabled", true);
-defaultPref("security.pki.crlite_mode", 2); // mode 2 means no fallback
+defaultPref("security.pki.crlite_mode", 2); // mode 2 means enforce CRL checks
+defaultPref("security.OCSP.enabled", 1); // default
+defaultPref("security.OCSP.require", true); // set to hard-fail
 
 /** [SECTION] TLS/SSL */
 lockPref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
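Review bot: The rewritten header comment says OCSP is used "stapled with hard-fail, to still keep privacy", but none of the prefs below restricts OCSP to stapled responses: `security.OCSP.enabled` at 1 enables checking for all certificates, so whenever CRLite has no answer for a certificate and the server did not staple a response, the browser performs a live query to the CA's responder, which discloses the visited site's certificate to that third party. Together with `security.OCSP.require` set to true, an unreachable or blocked responder then fails the connection outright, an availability trade-off the `// set to hard-fail` comment does not spell out. Suggest replacing `// default` with `// 1 = check all certs; a live fetch to the CA happens when neither CRLite nor a stapled response answers` and `// set to hard-fail` with `// hard-fail: an unreachable responder fails the connection instead of soft-failing`. Whether stapled responses are accepted at all is governed by a separate pref (`security.ssl.enable_ocsp_stapling`, enabled by default upstream) that this file does not set in the visible section, so the "stapled" part of the comment currently relies on the upstream default rather than on anything in this hunk.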