librewolf-bot/settings
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: librewolf-bot:master
Branches Tags
librewolf-bot:master
librewolf-bot:logging
librewolf-bot:allow_google
librewolf-bot:v7.3
librewolf-bot:7.2
librewolf-bot:7.3
librewolf-bot:7.2-hotfix
librewolf-bot:7.2
librewolf-bot:7.1
librewolf-bot:7.0
librewolf-bot:6.9
librewolf-bot:6.8
librewolf-bot:6.7
librewolf-bot:6.6
librewolf-bot:6.5
librewolf-bot:6.4
librewolf-bot:6.3
librewolf-bot:6.2.1
librewolf-bot:6.2
librewolf-bot:6.1
librewolf-bot:6.0
librewolf-bot:5.5
librewolf-bot:5.4
librewolf-bot:5.3
librewolf-bot:5.2
librewolf-bot:5.1
librewolf-bot:4.0
librewolf-bot:3.2
librewolf-bot:3.0
librewolf-bot:2.1
librewolf-bot:2.0
librewolf-bot:1.6
librewolf-bot:1.5
librewolf-bot:1.4
librewolf-bot:1.3
librewolf-bot:1.1
librewolf-bot:1.0
librewolf-bot:v88.0.1-1
..
compare: librewolf-bot:6.2.1
Branches Tags
librewolf-bot:master
librewolf-bot:logging
librewolf-bot:allow_google
librewolf-bot:v7.3
librewolf-bot:7.2
librewolf-bot:7.3
librewolf-bot:7.2-hotfix
librewolf-bot:7.2
librewolf-bot:7.1
librewolf-bot:7.0
librewolf-bot:6.9
librewolf-bot:6.8
librewolf-bot:6.7
librewolf-bot:6.6
librewolf-bot:6.5
librewolf-bot:6.4
librewolf-bot:6.3
librewolf-bot:6.2.1
librewolf-bot:6.2
librewolf-bot:6.1
librewolf-bot:6.0
librewolf-bot:5.5
librewolf-bot:5.4
librewolf-bot:5.3
librewolf-bot:5.2
librewolf-bot:5.1
librewolf-bot:4.0
librewolf-bot:3.2
librewolf-bot:3.0
librewolf-bot:2.1
librewolf-bot:2.0
librewolf-bot:1.6
librewolf-bot:1.5
librewolf-bot:1.4
librewolf-bot:1.3
librewolf-bot:1.1
librewolf-bot:1.0
librewolf-bot:v88.0.1-1

No commits in common. "master" and "6.2.1" have entirely different histories.
master ... 6.2.1

6 changed files with 147 additions and 458 deletions
Show stats Expand all files Collapse all files

6
.gitlab-ci.yml
View file

@ -1,6 +0,0 @@
stages:
- dummy
dummy-job:
stage: dummy
script:
- echo "Hello, world!"

26
.gitlab/issue_templates/Default.md
View file

@ -1,26 +0,0 @@
### pre-requisites
<!--
if you ignore the pre-requisites and the template the issue might be closed.
issues that have the `provide info` label need user input or they will be quarantined after a week,
and closed after ten days.
suggestions are appreciated in the form of merge requests or alternatively well documented issues.
make sure you are in the right repository:
https://librewolf.net/docs/faq/#i-have-a-problem-where-do-i-open-a-new-issue
-->
- [ ] I've read and followed the [contribution guidelines](https://librewolf.net/docs/faq/#do-you-have-any-contribution-guidelines);
- [ ] I've reproduced the issue in a new LibreWolf profile;
- [ ] I've checked that the problem is not present in a stock Firefox profile;
### details
- browser version & OS:
- steps to reproduce:
- expected result:
- actual result:
- console errors and warnings:
- others:

8
README.md
View file

@ -8,13 +8,11 @@ we encourage users to find **their own setup** and to use our default configurat
- [website](https://librewolf.net/): read the docs.
- [faq](https://librewolf.net/docs/faq/): for any question you might have, and to help you creating your own pref file.
- [all releases](https://gitlab.com/librewolf-community/browser).
- [issue tracker](https://gitlab.com/librewolf-community/settings/-/issues).
- if you ignore the pre-requisites and the template the issues might be closed.
- issues that have the `provide info` label need user input or they will be quarantined after a week, and closed after ten days.
- [issue tracker](https://gitlab.com/librewolf-community/settings/-/issues). issues that have the `provide info` label need user input or they will be quarantined after a week, and closed after ten days.
- find us on [gitter](https://gitter.im/librewolf-community/librewolf) / [matrix](https://matrix.to/#/#librewolf:matrix.org) / [reddit](https://www.reddit.com/r/LibreWolf/) / [lemmy](https://lemmy.ml/c/librewolf).
## Notes and thanks
- this repository benefits from the knowledge and research provided by [arkenfox](https://github.com/arkenfox), so special thanks to the project.
we do not use arkenfox's `user.js` but we try to keep up with it, and we also consider it a great resource for users who want to find their own setup.
- many thanks to the firefox team and to the people working on [bugzilla](https://bugzilla.mozilla.org/home);
we do not use arkenfox's user.js but we try to keep up with it, and we also consider it a great resource for users who want to find their own setup.
- some of the older prefs in this project were taken from [pyllyukko](https://github.com/pyllyukko/user.js/) and many more were investigated on [bugzilla](https://bugzilla.mozilla.org/home);
- thanks to the whole LibreWolf community and to all the contributors of this repo.

8
distribution/policies.json
View file

File diff suppressed because one or more lines are too long

327
docs/Changelog.md
View file

@ -1,328 +1,9 @@
This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version.
Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config.
# 7.7
# 6.2.1
**base librewolf version**: 115.x
**References**:
- https://gitlab.com/librewolf-community/settings/-/issues/262
#### Added preferences
```
defaultPref("browser.urlbar.suggest.weather", false);
defaultPref("extensions.quarantinedDomains.enabled", false);
```
# 7.6
**base librewolf version**: 111.x - 114.x
**References**:
- the prefs added in the `LOGGING` section are off by default in the official Mozilla builds, so we are just acting like Firefox here;
#### Removed preferences
```
defaultPref("browser.contentblocking.report.monitor.enabled", false); // default
```
#### Changed preferences
```
defaultPref("app.support.baseURL", "https://support.librewolf.net/");
```
#### Added preferences
```
pref("browser.dom.window.dump.enabled", false);
pref("devtools.console.stdout.chrome", false);
```
# 7.5
**target commit**: from 71a20c6fff90e7fbcb216f1d644ca1b40b32b8e2 to 6fe09c63cbfb83ebfb6a17f5e624248f2501b97e
**base librewolf version**: 109.x and 110.x
**References**:
- thumbnails are only used in privileged code to populate New Tab Page and Ctrl+Tab previews.
- the startup blank window doesn't break anything and the perceived performance boost is irrelevant on modern hardware.
- reset popup events to default as it's mostly a non-issue.
#### Removed preferences
```
defaultPref("browser.pagethumbnails.capturing_disabled", true);
defaultPref("browser.startup.blankWindow", false);
defaultPref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
```
# 7.4
**target commit**: b0d277a77b36e3bcc5c0f7a1b0eca7a54a388d9d
**base librewolf version**: 108.x
**References**:
- win7/8.x don't need this pref thanks to Firefox's own implementation of mDNS.
#### Removed preferences
```
defaultPref("media.peerconnection.ice.no_host", true); // don't use any private IPs for ICE candidate
```
# 7.3
**target commit**: from 9395f5c0e061250acbcbcb523d2270d57136d411 to 240e184b785e4e46c09ca6881111f7c2d4d31a3f
**base librewolf version**: 107.x
**References**:
- mixed content is already covered by HTTPS-only-mode;
- [dom.disable_beforeunload is no longer necessary](https://github.com/arkenfox/user.js/issues/1575);
- [beacon API is fine](https://gitlab.com/librewolf-community/settings/-/issues/229);
- [Firefox Vew pref was removed in previous commit](https://gitlab.com/librewolf-community/settings/-/commit/9395f5c0e061250acbcbcb523d2270d57136d411), adding reference to the changelog;
#### Removed preferences
```
defaultPref("security.mixed_content.block_display_content", true); // block insecure passive content
defaultPref("dom.disable_beforeunload", true);
defaultPref("dom.disable_open_during_load", true); // default
defaultPref("browser.tabs.firefox-view", false);
pref("beacon.enabled", false);
```
# 7.2
**target commit**: from 7211e954b82da3cde5c5cf2d613fe1f84288e635 to eb51b4785e5b67fc388bcbd06a8324d5a54f5850
**base librewolf version**: 106.x
**References**:
- hide Firefox View til reviewed, see https://gitlab.com/librewolf-community/browser/source/-/issues/78;
- hotfix for syntax error;
#### Removed preferences
```
defaultPref("browser.ssl_override_behavior", 1); // deprecated
```
#### Added preferences
```
defaultPref("browser.tabs.firefox-view", false);
```
# 7.1
**target commit**: 33e1ec1cb97d1f16a696057fe9007ae8391def6b
**base librewolf version**: 106.x
**References**:
- change most `lockPref()` to `pref()` or `defaultPref()`, see https://gitlab.com/librewolf-community/settings/-/issues/204;
- offline autodetection is mature enough and it is used by some APIs;
- if someone wants to get the mozilla extension for USB debugging, that's fine.
#### Removed preferences
```
defaultPref("network.manage-offline-status", false);
defaultPref("devtools.remote.adb.extensionURL", "");
defaultPref("devtools.chrome.enabled", false); // default
```
# 7.0
**target commit**: from ed9334d258d20830deafe1a02b87b0cea678236d to 1bdfd333e31c3d119c0bf5506a56b2026ead3583
**base librewolf version**: 105.x
**References**:
- [enable APS](https://github.com/arkenfox/user.js/issues/1530#issuecomment-1242850653);
- trim unnecessary or default NTP prefs, then tidy existing ones;
- stick to default session restore interval for writes;
- remove a bunch of default prefs that have been that way for the longest;
- offer accessibility by default;
- remove hardcore svg security pref since CVEs are very old and irrelevant, see [this discussion](https://github.com/arkenfox/user.js/issues/1529);
- improve [autoplay behavior](https://gitlab.com/librewolf-community/settings/-/issues/213).
#### Added preferences
```
defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage", true);
defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false);
```
#### Removed preferences
```
defaultPref("browser.newtab.preload", false);
lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.enabled", false);
lockPref("browser.newtabpage.activity-stream.feeds.snippets", false); // default
lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false);
defaultPref("browser.sessionstore.interval", 60000); // increase time between session saves
defaultPref("network.http.windows-sso.enabled", false); // default
defaultPref("privacy.partition.serviceWorkers", true); // default v105+
defaultPref("accessibility.force_disabled", 1); // block accessibility services
lockPref("toolkit.telemetry.shutdownPingSender.enabledFirstSession", false); // default
lockPref("toolkit.telemetry.reportingpolicy.firstRun", false); // default
defaultPref("network.http.referer.XOriginPolicy", 0); // default
lockPref("browser.safebrowsing.passwords.enabled", false); // default
lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false); // default
defaultPref("gfx.font_rendering.opentype_svg.enabled", false); // disale svg opentype fonts
defaultPref("media.autoplay.blocking_policy", 2);
```
# 6.9
**target commit**: 49a705f835e1438372fbdf1a779fbc5846212a68
**base librewolf version**: 104.x
**References**:
- autofill prefs have been replaced in a migration, we now only keep the bare minimum;
#### Removed preferences
```
defaultPref("browser.fixup.alternate.enabled", false); // default v104+
defaultPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); // default v104+
defaultPref("extensions.formautofill.available", "off"); // deprecated
defaultPref("extensions.formautofill.creditCards.available", false); // deprecated
defaultPref("extensions.formautofill.heuristics.enabled", false);
```
# 6.8
**target commit**: 381cbed42c98d2376faf7e4ec449623bb99b0be1
**base librewolf version**: 103.x
**References**:
- [geoclue](https://github.com/arkenfox/user.js/issues/1504);
#### Added preferences
```
defaultPref("geo.provider.use_geoclue", false); // [LINUX]
```
#### Removed preferences
```
defaultPref("network.cookie.cookieBehavior", 5); // default
```
# 6.7
**target commit**: from e505ddbf0242aec1017a565a74ff9ff5aa458fe5 to 02212c3f44e7aa68b22c8febd9158580d7e4b74f
**base librewolf version**: 103.x
**References**:
- the cookie lifetime policy pref has been deprecated, see https://gitlab.com/librewolf-community/settings/-/issues/199;
- stop disabling IPv6, see https://gitlab.com/librewolf-community/settings/-/issues/96;
- discussion about domain guessing is available at https://gitlab.com/librewolf-community/settings/-/issues/197.
#### Removed preferences
```
defaultPref("network.cookie.lifetimePolicy", 2); // deprecated
defaultPref("network.dns.disableIPv6", true);
```
#### Unlocked preferences
```
defaultPref("browser.fixup.alternate.enabled", false); // default v104+
```
# 6.6
**target commit**: from bc16f4f14185e8791d819a69b7d798082ace67f8 to c983fcc8bea8fab31265bc345217b59ce5128de2
**base librewolf version**: 102.x
**References**:
- sha1 certificates: https://bugzilla.mozilla.org/1767489 and https://bugzilla.mozilla.org/1766687.
- trimming only applies to http websites so it's very minimal.
- crlite: https://bugzilla.mozilla.org/show_bug.cgi?id=1773371, we can stick to default 3 till v103, then the value will be changed to 2 which is the best possible if mozilla feels like it's ready usability wise.
- add more entries to the native query stripping list, to [get in line with brave](https://github.com/brave/brave-core/blob/master/browser/net/brave_site_hacks_network_delegate_helper.cc).
- `services.settings.server` can now be used as a pref, see: https://gitlab.com/librewolf-community/browser/source/-/merge_requests/37
#### Added preferences
```
defaultPref("services.settings.server", "https://%.invalid") // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code)
```
#### Removed preferences
```
defaultPref("security.pki.sha1_enforcement_level", 1); // default
defaultPref("browser.urlbar.trimURLs", false);
defaultPref("security.pki.crlite_mode", 3); // default
defaultPref("security.OCSP.enabled", 1); // default
```
#### Changed preferences
```
defaultPref("privacy.query_stripping.strip_list", "__hsfp __hssc __hstc __s _hsenc _openstat dclid fbclid gbraid gclid hsCtaTracking igshid mc_eid ml_subscriber ml_subscriber_hash msclkid oft_c oft_ck oft_d oft_id oft_ids oft_k oft_lk oft_sk oly_anon_id oly_enc_id rb_clickid s_cid twclid vero_conv vero_id wbraid wickedid yclid");
```
# 6.5
**target commit**: b10dcbdd84e63787c4f2f6d34d41724b437df5be
**base librewolf version**: 101.x
**References**:
- query stripping is now [part of strict mode](https://hg.mozilla.org/mozilla-central/rev/9d9425eb1ded).
- session cookie prefs are useless given that we sanitize on close, [more details at arkenfox](https://github.com/arkenfox/user.js/pull/1443/commits/3207478033fefc19e933dab4eef6445125341ec4).
- fission has been a default for the longest now.
#### Removed preferences
```
defaultPref("privacy.query_stripping.enabled", true);
defaultPref("network.cookie.thirdparty.sessionOnly", true);
defaultPref("network.cookie.thirdparty.nonsecureSessionOnly", true);
defaultPref("fission.autostart", true);
```
# 6.4
**target commit**: eea09ca07333dc166213fa9c873e4916d979e97f
**base librewolf version**: 100.x
**References**:
- hide Firefox Focus promo in private tabs.
- double checking revoked certificates with both CRL and OCSP allows to detect false positives and it is also [the default](https://hg.mozilla.org/mozilla-central/rev/a6ba7b4ee17).
- [clearOnShutdown prefs now respect exceptions](https://github.com/arkenfox/user.js/issues/1441) so we can tick all boxes in that UI as well.
#### Added preferences
```
lockPref("browser.promo.focus.enabled", false);
defaultPref("privacy.clearOnShutdown.offlineApps", true);
```
#### Changed preferences
```
defaultPref("security.pki.crlite_mode", 3); // prev 2
```
#### Removed preferences
```
defaultPref("privacy.clearOnShutdown.cookies", false);
```
# 6.3
**target commit**: e84fc950bfd7c3542cb974e9d545b9b8e18c010d
**target commit**:
**base librewolf version**: 99.x
@ -331,13 +12,13 @@ defaultPref("privacy.clearOnShutdown.cookies", false);
# 6.2
**target commit**: ac95f5195ed82ca6bcec48acf9d1241e3c683b25
**target commit**:
**base librewolf version**: 99.x
**References**:
- vpn pref was set to the wrong value by mistake.
- offscreencanvas cannot be read back using JS, plus it is being tracked upstream. see [this comment](https://github.com/arkenfox/user.js/issues/1418#issuecomment-1093390017), which solves doubts from 6.1 changelog.
- offscreancanvas cannot be read back using JS, plus it is being tracked upstreadm. see [this comment](https://github.com/arkenfox/user.js/issues/1418#issuecomment-1093390017), which solves doubts from 6.1 changelog.
#### Removed preferences
```

222
librewolf.cfg
View file

@ -1,21 +1,21 @@
/** LIBREWOLF SETTINGS
*
* take the time to read and understand, but also to customize the settings to find your own setup.
* the answers to the most common questions can be found at https://librewolf.net/docs/faq/.
* please take the time to read and understand, but also to customize the settings to find your own setup.
* the answers to the most common questions are at this link https://librewolf.net/docs/faq/
*
* WARNING: make sure the first line of this file is empty. this is a known bug.
* WARNING: please make sure the first line of this file is empty. this is a known bug.
*/
lockPref("librewolf.cfg.version", "7.7");
defaultPref("librewolf.cfg.version", "6.3");
/** INDEX
* the file is organized in categories, and each one has a number of sections:
*
* PRIVACY [ISOLATION, SANITIZING, CACHE AND STORAGE, HISTORY AND SESSION RESTORE, QUERY STRIPPING]
* NETWORKING [HTTPS, REFERERS, WEBRTC, PROXY, DNS, PREFETCHING AND SPECULATIVE CONNECTIONS]
* NETWORKING [HTTPS, IPv6, REFERERS, WEBRTC, PROXY, DNS, PREFETCHING AND SPECULATIVE CONNECTIONS, OFFLINE]
* FINGERPRINTING [RFP, WEBGL]
* SECURITY [SITE ISOLATION, CERTIFICATES, TLS/SSL, PERMISSIONS, SAFE BROWSING, OTHERS]
* SECURITY [SITE ISOLATION, CERTIFICATES, TLS/SSL, PERMISSIONS, FONTS, SAFE BROWSING, OTHERS]
* REGION [LOCATION, LANGUAGE]
* BEHAVIOR [DRM, SEARCH AND URLBAR, DOWNLOADS, AUTOPLAY, POP-UPS AND WINDOWS, MOUSE]
* EXTENSIONS [USER INSTALLED, SYSTEM, EXTENSION FIREWALL]
@ -36,22 +36,25 @@ lockPref("librewolf.cfg.version", "7.7");
* 3. shims to avoid breakage caused by blocking lists
* 4. stricter policies for xorigin referrers
* 5. dFPI specific cookie cleaning mechanism
* 6. query stripping
*
* the desired category must be set with pref() otherwise it won't stick.
* the UI that allows to change mode manually is hidden.
*/
pref("browser.contentblocking.category", "strict");
// enable APS
defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage", true);
defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false);
defaultPref("network.cookie.cookieBehavior", 5); // enforce dFPI
defaultPref("privacy.partition.serviceWorkers", true); // isolate service workers
/** [SECTION] SANITIZING
* all the cleaning prefs true by default except for siteSetting and offlineApps,
* which is what we want. users should set manual exceptions in the UI if there
* are cookies they want to keep.
/** [SECTION] SANITIZING */
defaultPref("network.cookie.lifetimePolicy", 2); // keep cookies until end of the session, then clear
// make third party and http cookies session-only
defaultPref("network.cookie.thirdparty.sessionOnly", true);
defaultPref("network.cookie.thirdparty.nonsecureSessionOnly", true);
/**
* this way of sanitizing cookies would override the exceptions set by the users and just delete everything,
* we disable it but cookies and site data are still cleared per session unless exceptions are set.
* all the cleaning prefs true by default except for siteSetting and offlineApps, which is what we want.
*/
defaultPref("privacy.clearOnShutdown.offlineApps", true);
defaultPref("privacy.clearOnShutdown.cookies", false);
defaultPref("privacy.sanitize.sanitizeOnShutdown", true);
defaultPref("privacy.sanitize.timeSpan", 0);
@ -60,7 +63,9 @@ defaultPref("browser.cache.disk.enable", false); // disable disk cache
/** prevent media cache from being written to disk in pb, but increase max cache size to avoid playback issues */
defaultPref("browser.privatebrowsing.forceMediaMemoryCache", true);
defaultPref("media.memory_cache_max_size", 65536);
defaultPref("browser.shell.shortcutFavicons", false); // disable favicons in profile folder
// disable favicons in profile folder and page thumbnail capturing
defaultPref("browser.shell.shortcutFavicons", false);
defaultPref("browser.pagethumbnails.capturing_disabled", true);
defaultPref("browser.helperApps.deleteTempFileOnExit", true); // delete temporary files opened with external apps
/** [SECTION] HISTORY AND SESSION RESTORE
@ -71,26 +76,21 @@ pref("privacy.history.custom", true);
pref("browser.privatebrowsing.autostart", false);
defaultPref("browser.formfill.enable", false); // disable form history
defaultPref("browser.sessionstore.privacy_level", 2); // prevent websites from storing session data like cookies and forms
defaultPref("browser.sessionstore.interval", 60000); // increase time between session saves
/** [SECTION] QUERY STRIPPING
* currently we set the same query stripping list that brave uses:
* enable query stripping and set the strip list.
* currently we use the same one that brave uses:
* https://github.com/brave/brave-core/blob/f337a47cf84211807035581a9f609853752a32fb/browser/net/brave_site_hacks_network_delegate_helper.cc#L29
*/
defaultPref("privacy.query_stripping.strip_list", "__hsfp __hssc __hstc __s _hsenc _openstat dclid fbclid gbraid gclid hsCtaTracking igshid mc_eid ml_subscriber ml_subscriber_hash msclkid oft_c oft_ck oft_d oft_id oft_ids oft_k oft_lk oft_sk oly_anon_id oly_enc_id rb_clickid s_cid twclid vero_conv vero_id wbraid wickedid yclid");
defaultPref("privacy.query_stripping.enabled", true);
defaultPref("privacy.query_stripping.strip_list", "__hsfp __hssc __hstc __s _hsenc _openstat dclid fbclid gbraid gclid hsCtaTracking igshid mc_eid ml_subscriber ml_subscriber_hash msclkid oly_anon_id oly_enc_id rb_clickid s_cid twclid vero_conv vero_id wbraid wickedid yclid");
/**
* librewolf specific pref that allows to include the query stripping lists in uBO by default.
* the asset file is fetched every 7 days.
*/
defaultPref("librewolf.uBO.assetsBootstrapLocation", "https://gitlab.com/librewolf-community/browser/source/-/raw/main/assets/uBOAssets.json");
/** [SECTION] LOGGING
* these prefs are off by default in the official Mozilla builds,
* so it only makes sense that we also disable them.
* See https://gitlab.com/librewolf-community/settings/-/issues/240
*/
pref("browser.dom.window.dump.enabled", false);
pref("devtools.console.stdout.chrome", false);
/** [CATEGORY] NETWORKING */
@ -98,19 +98,28 @@ pref("devtools.console.stdout.chrome", false);
/** [SECTION] HTTPS */
defaultPref("dom.security.https_only_mode", true); // only allow https in all windows, including private browsing
defaultPref("network.auth.subresource-http-auth-allow", 1); // block HTTP authentication credential dialogs
defaultPref("security.mixed_content.block_display_content", true); // block insecure passive content
/** [SECTION] IPv6
* privacy extension isn't the default for all linux distros, so we disable ipv6.
*/
defaultPref("network.dns.disableIPv6", true);
/** [SECTION] REFERERS
* to enhance privacy but keep a certain level of usability we trim cross-origin
* referers to only send scheme, host and port, instead of completely avoid sending them.
* referers, instead of completely avoid sending them.
* as a general rule, the behavior of referes which are not cross-origin should not
* be changed.
*/
defaultPref("network.http.referer.XOriginTrimmingPolicy", 2);
defaultPref("network.http.referer.XOriginPolicy", 0); // default, might be worth changing to 2 to stop sending them completely
defaultPref("network.http.referer.XOriginTrimmingPolicy", 2); // trim referer to only send scheme, host and port
/** [SECTION] WEBRTC
* there is no point in disabling webrtc as mDNS protects the private IP on linux, osx and win10+.
* the private IP address is only used in trusted environments, eg. allowed camera and mic access.
* there's no point in disabling webrtc as mDNS protects the private IP on linux, osx and win10+.
* with the below preference we protect the value even in trusted environments and for win7/8 users,
* although this will likely cause breakage.
*/
defaultPref("media.peerconnection.ice.no_host", true); // don't use any private IPs for ICE candidate
defaultPref("media.peerconnection.ice.default_address_only", true); // use a single interface for ICE candidates, the vpn one when a vpn is used
/** [SECTION] PROXY */
@ -123,7 +132,7 @@ defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // for
defaultPref("network.trr.confirmationNS", "skip"); // skip undesired doh test connection
defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching
/**
* librewolf does not use DoH, but it can be enabled with the following prefs:
* librewolf doesn't use DoH, but it can be enabled with the following prefs:
* pref("network.trr.mode", 2);
* pref("network.trr.uri", "https://dns.quad9.net/dns-query");
*
@ -136,14 +145,21 @@ defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching
*/
/** [SECTION] PREFETCHING AND SPECULATIVE CONNECTIONS
* disable prefecthing for different things such as links, bookmarks and predictions.
* disable prefecthing for different things such as links, bookmarks and predictors.
*/
pref("network.predictor.enabled", false);
pref("network.prefetch-next", false);
pref("network.http.speculative-parallel-limit", 0);
lockPref("network.predictor.enabled", false);
lockPref("network.prefetch-next", false);
lockPref("network.http.speculative-parallel-limit", 0);
defaultPref("browser.places.speculativeConnect.enabled", false);
// disable speculative connections and domain guessing from the urlbar
defaultPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
defaultPref("browser.urlbar.speculativeConnect.enabled", false);
lockPref("browser.fixup.alternate.enabled", false);
/** [SECTION] OFFLINE
* let users set the browser as offline, without the browser trying to guess.
*/
defaultPref("network.manage-offline-status", false);
@ -156,7 +172,8 @@ defaultPref("browser.urlbar.speculativeConnect.enabled", false);
defaultPref("privacy.resistFingerprinting", true);
// rfp related settings
defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); // prevents rfp from breaking AMO
defaultPref("browser.display.use_system_colors", false); // default, except Win
defaultPref("browser.startup.blankWindow", false); // if set to true it breaks RFP windows resizing
defaultPref("browser.display.use_system_colors", false); // default but enforced due to RFP
/**
* increase the size of new RFP windows for better usability, while still using a rounded value.
* if the screen resolution is lower it will stretch to the biggest possible rounded value.
@ -173,12 +190,17 @@ defaultPref("webgl.disabled", true);
/** [CATEGORY] SECURITY */
/** [SECTION] SITE ISOLATION
* https://wiki.mozilla.org/Project_Fission
* this has been rolled out and is now a default on most FF releases
*/
defaultPref("fission.autostart", true);
/** [SECTION] CERTIFICATES */
defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning, might cause issues with AVs
defaultPref("security.pki.sha1_enforcement_level", 1); // disable sha-1 certificates
/**
* enable safe negotiation and show warning when it is not supported. might cause breakage
* if the the server does not support RFC 5746, in tha case SSL_ERROR_UNSAFE_NEGOTIATION
* will be shown.
* enable safe negotiation and show warning when it is not supported. might cause breakage.
*/
defaultPref("security.ssl.require_safe_negotiation", true);
defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
@ -186,20 +208,26 @@ defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
* our strategy with revocation is to perform all possible checks with CRL, but when a cert
* cannot be checked with it we use OCSP stapled with hard-fail, to still keep privacy and
* increase security.
* crlite is in mode 3 by default, which allows us to detect false positive with OCSP.
* in v103, when crlite is fully mature, it will switch to mode 2 and no longer double-check.
* switching to crlite mode 3 (v99+) would allow us to detect false positive with OCSP.
*/
defaultPref("security.remote_settings.crlite_filters.enabled", true);
defaultPref("security.OCSP.require", true); // set to hard-fail, might cause SEC_ERROR_OCSP_SERVER_ERROR
defaultPref("security.pki.crlite_mode", 2); // mode 2 means enforce CRL checks
defaultPref("security.OCSP.enabled", 1); // default
defaultPref("security.OCSP.require", true); // set to hard-fail
/** [SECTION] TLS/SSL */
pref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only by enforcing it with pref(), default
defaultPref("browser.xul.error_pages.expert_bad_cert", true); // show relevant and advanced issues on warnings and error screens
lockPref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only by enforcing it with pref()
// show relevant and advanced issues on warnings and error screens
defaultPref("browser.ssl_override_behavior", 1);
defaultPref("browser.xul.error_pages.expert_bad_cert", true);
/** [SECTION] PERMISSIONS */
pref("permissions.delegation.enabled", false); // force permission request to show real origin
pref("permissions.manager.defaultsUrl", ""); // revoke special permissions for some mozilla domains
lockPref("permissions.delegation.enabled", false); // force permission request to show real origin
lockPref("permissions.manager.defaultsUrl", ""); // revoke special permissions for some mozilla domains
/** [SECTION] FONTS */
defaultPref("gfx.font_rendering.opentype_svg.enabled", false); // disale svg opentype fonts
/** [SECTION] SAFE BROWSING
* disable safe browsing, including the fetch of updates. reverting the 7 prefs below
@ -213,16 +241,18 @@ defaultPref("browser.safebrowsing.provider.google4.updateURL", "");
defaultPref("browser.safebrowsing.provider.google.gethashURL", "");
defaultPref("browser.safebrowsing.provider.google.updateURL", "");
/**
* disable safe browsing checks on downloads, both local and remote. the resetting prefs
* disable safe browsing checks on downloads, both local and remote. the locked prefs
* control remote checks, while the first one is for local checks only.
*/
defaultPref("browser.safebrowsing.downloads.enabled", false);
pref("browser.safebrowsing.downloads.remote.enabled", false);
pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
// empty for defense in depth
pref("browser.safebrowsing.downloads.remote.url", "");
pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
lockPref("browser.safebrowsing.downloads.remote.enabled", false);
lockPref("browser.safebrowsing.downloads.remote.url", "");
lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false);
// other safe browsing options, all default but enforce
lockPref("browser.safebrowsing.passwords.enabled", false);
lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
lockPref("browser.safebrowsing.provider.google4.dataSharingURL", "");
/** [SECTION] OTHERS */
defaultPref("network.IDN_show_punycode", true); // use punycode in idn to prevent spoofing
@ -236,10 +266,9 @@ defaultPref("pdfjs.enableScripting", false); // disable js scripting in the buil
* replace google with mozilla as the default geolocation provide and prevent use of OS location services
*/
defaultPref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
defaultPref("geo.provider.ms-windows-location", false); // [WINDOWS]
defaultPref("geo.provider.use_corelocation", false); // [MAC]
defaultPref("geo.provider.use_gpsd", false); // [LINUX]
defaultPref("geo.provider.use_geoclue", false); // [LINUX]
lockPref("geo.provider.ms-windows-location", false); // [WINDOWS]
lockPref("geo.provider.use_corelocation", false); // [MAC]
lockPref("geo.provider.use_gpsd", false); // [LINUX]
/** [SECTION] LANGUAGE
* show language as en-US for all users, regardless of their OS language and browser language.
@ -248,8 +277,8 @@ defaultPref("geo.provider.use_geoclue", false); // [LINUX]
pref("javascript.use_us_english_locale", true);
pref("intl.accept_languages", "en-US, en");
// disable region specific updates from mozilla
pref("browser.region.network.url", "");
pref("browser.region.update.enabled", false);
lockPref("browser.region.network.url", "");
lockPref("browser.region.update.enabled", false);
@ -263,18 +292,19 @@ defaultPref("media.gmp-provider.enabled", false);
defaultPref("media.gmp-gmpopenh264.enabled", false);
/** [SECTION] SEARCH AND URLBAR
* disable search suggestion and do not update opensearch engines.
* disable search suggestion by default and do not update opensearch engines. urls should also be
* displayed in full instead of trimming them.
*/
defaultPref("browser.urlbar.suggest.searches", false);
defaultPref("browser.search.suggest.enabled", false);
defaultPref("browser.search.update", false);
defaultPref("browser.urlbar.trimURLs", false);
/**
* the pref disables the whole feature and hide it from the ui
* (as noted in https://bugzilla.mozilla.org/show_bug.cgi?id=1755057).
* this also includes the best match feature, as it is part of firefox suggest.
*/
pref("browser.urlbar.quicksuggest.enabled", false);
defaultPref("browser.urlbar.suggest.weather", false); // disable weather suggestions in urlbar once they are no longer behind feature gate
/** [SECTION] DOWNLOADS
* user interaction should always be required for downloads, as a way to enhance security by asking
@ -286,13 +316,19 @@ defaultPref("browser.download.manager.addToRecentDocs", false); // do not add do
defaultPref("browser.download.alwaysOpenPanel", false); // do not expand toolbar menu for every download, we already have enough interaction
/** [SECTION] AUTOPLAY
* block autoplay unless element is right-clicked. this means background videos, videos in a different tab,
* or media opened while other media is played will not start automatically.
* thumbnails will not autoplay unless hovered. exceptions can be set from the UI.
* block autoplay unless element is clicked, and apply the policy to all elements
* including muted ones.
*/
defaultPref("media.autoplay.blocking_policy", 2);
defaultPref("media.autoplay.default", 5);
/** [SECTION] POP-UPS AND WINDOWS
* disable annoyin pop-ups and limit events that can trigger them.
*/
defaultPref("dom.disable_beforeunload", true); // disable "confirm you want to leave" pop-ups
defaultPref("dom.disable_open_during_load", true); // block pop-ups windows
defaultPref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
/**
* prevent scripts from resizing existing windows and opening new ones, by forcing them into
* new tabs that can't be resized as well.
*/
@ -301,7 +337,7 @@ defaultPref("browser.link.open_newwindow", 3);
defaultPref("browser.link.open_newwindow.restriction", 0);
/** [SECTION] MOUSE */
defaultPref("browser.tabs.searchclipboardfor.middleclick", false); // prevent mouse middle click on new tab button to trigger searches or page loads
defaultPref("middlemouse.contentLoadURL", false); // prevent mouse middle click from opening links
@ -315,13 +351,6 @@ defaultPref("browser.tabs.searchclipboardfor.middleclick", false); // prevent mo
defaultPref("extensions.webextensions.restrictedDomains", "");
defaultPref("extensions.enabledScopes", 5); // hidden
defaultPref("extensions.postDownloadThirdPartyPrompt", false);
/**
* the pref disables quarantined domains.
* this is a security feature, we should remove it with v116 as there will be a UI to control this per-extension.
* unless we patch remote settings we rely on static dumps. this means even if we did not flip this pref it would
* not make a difference at the moment.
*/
defaultPref("extensions.quarantinedDomains.enabled", false);
/** [SECTION] SYSTEM
* built-in extension are not allowed to auto-update. additionally the reporter extension
@ -359,8 +388,11 @@ defaultPref("identity.fxaccounts.enabled", false);
*/
defaultPref("signon.rememberSignons", false);
defaultPref("signon.autofillForms", false);
defaultPref("extensions.formautofill.available", "off");
defaultPref("extensions.formautofill.addresses.enabled", false);
defaultPref("extensions.formautofill.creditCards.enabled", false);
defaultPref("extensions.formautofill.creditCards.available", false);
defaultPref("extensions.formautofill.heuristics.enabled", false);
defaultPref("signon.formlessCapture.enabled", false);
/** [SECTION] CONTAINERS
@ -370,14 +402,17 @@ defaultPref("privacy.userContext.enabled", true);
defaultPref("privacy.userContext.ui.enabled", true);
/** [SECTION] DEVTOOLS
* disable remote debugging.
* disable chrome and remote debugging.
*/
pref("devtools.debugger.remote-enabled", false); // default, but subject to branding so keep it
defaultPref("devtools.chrome.enabled", false);
defaultPref("devtools.debugger.remote-enabled", false);
defaultPref("devtools.remote.adb.extensionURL", "");
defaultPref("devtools.selfxss.count", 0); // required for devtools console to work
/** [SECTION] OTHERS */
pref("webchannel.allowObject.urlWhitelist", ""); // remove web channel whitelist
defaultPref("services.settings.server", "https://%.invalid") // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code)
lockPref("browser.translation.engine", ""); // remove translation engine
defaultPref("accessibility.force_disabled", 1); // block accessibility services
defaultPref("webchannel.allowObject.urlWhitelist", ""); // do not receive objects through webchannels
@ -386,7 +421,7 @@ defaultPref("services.settings.server", "https://%.invalid") // set the remote s
/** [SECTION] BRANDING
* set librewolf support and releases urls in the UI, so that users land in the proper places.
*/
defaultPref("app.support.baseURL", "https://support.librewolf.net/");
defaultPref("app.support.baseURL", "https://librewolf.net/docs/faq/#");
defaultPref("browser.search.searchEnginesURL", "https://librewolf.net/docs/faq/#how-do-i-add-a-search-engine");
defaultPref("browser.geolocation.warning.infoURL", "https://librewolf.net/docs/faq/#how-do-i-enable-location-aware-browsing");
defaultPref("app.feedback.baseURL", "https://librewolf.net/#questions");
@ -409,32 +444,34 @@ lockPref("browser.uitour.url", "");
defaultPref("browser.shell.checkDefaultBrowser", false);
/** [SECTION] NEW TAB PAGE
* we want NTP to display nothing but the search bar without anything distracting.
* the three prefs below are just for minimalism and they should be easy to revert for users.
* we want the new tab page to display nothing but the search bar without anything distracting.
*/
defaultPref("browser.newtab.preload", false);
defaultPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
defaultPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);
defaultPref("browser.newtabpage.activity-stream.feeds.topsites", false);
// hide stories and sponsored content from Firefox Home
// hide pocket and sponsored content, from new tab page and search bar
lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false);
lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false);
lockPref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}"); // hide buggy pocket section from about:preferences#home
lockPref("browser.newtabpage.activity-stream.showSponsored", false);
lockPref("browser.newtabpage.activity-stream.showSponsoredTopSites", false);
// disable telemetry in Firefox Home
lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false);
lockPref("browser.newtabpage.activity-stream.telemetry", false);
// hide stories UI in about:preferences#home, empty highlights list
lockPref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}");
lockPref("browser.newtabpage.activity-stream.default.sites", "");
lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.enabled", false);
lockPref("browser.newtabpage.activity-stream.feeds.snippets", false); // default
/** [SECTION] ABOUT
* remove annoying ui elements from the about pages, including about:protections
*/
defaultPref("browser.contentblocking.report.lockwise.enabled", false);
defaultPref("browser.contentblocking.report.monitor.enabled", false);
lockPref("browser.contentblocking.report.hide_vpn_banner", true);
lockPref("browser.contentblocking.report.vpn.enabled", false);
lockPref("browser.contentblocking.report.show_mobile_app", false);
lockPref("browser.vpn_promo.enabled", false);
lockPref("browser.promo.focus.enabled", false);
// ...about:addons recommendations sections and more
defaultPref("extensions.htmlaboutaddons.recommendations.enabled", false);
defaultPref("extensions.getAddons.showPane", false);
@ -466,7 +503,9 @@ lockPref("toolkit.telemetry.newProfilePing.enabled", false);
lockPref("toolkit.telemetry.updatePing.enabled", false);
lockPref("toolkit.telemetry.firstShutdownPing.enabled", false);
lockPref("toolkit.telemetry.shutdownPingSender.enabled", false);
lockPref("toolkit.telemetry.shutdownPingSender.enabledFirstSession", false); // default
lockPref("toolkit.telemetry.bhrPing.enabled", false);
lockPref("toolkit.telemetry.reportingpolicy.firstRun", false); // default
lockPref("toolkit.telemetry.cachedClientID", "");
lockPref("toolkit.telemetry.previousBuildID", "");
lockPref("toolkit.telemetry.server_owner", "");
@ -491,10 +530,12 @@ lockPref("browser.discovery.sites", "");
lockPref("browser.tabs.crashReporting.sendReport", false);
lockPref("breakpad.reportURL", "");
// disable connectivity checks
pref("network.connectivity-service.enabled", false);
lockPref("network.connectivity-service.enabled", false);
// disable captive portal
pref("network.captive-portal-service.enabled", false);
pref("captivedetect.canonicalURL", "");
lockPref("network.captive-portal-service.enabled", false);
lockPref("captivedetect.canonicalURL", "");
// prevent sending server side analytics
lockPref("beacon.enabled", false);
/** [CATEGORY] WINDOWS
* the prefs in this section only apply to windows installations and they don't have any
@ -510,8 +551,9 @@ defaultPref("app.update.background.scheduling.enabled", false);
/** [SECTION] OTHERS */
lockPref("default-browser-agent.enabled", false); // disable windows specific telemetry
defaultPref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store
pref("toolkit.winRegisterApplicationRestart", false); // disable automatic start and session restore after reboot
lockPref("toolkit.winRegisterApplicationRestart", false); // disable automatic start and session restore after reboot
lockPref("security.family_safety.mode", 0); // disable win8.1 family safety cert
defaultPref("network.http.windows-sso.enabled", false); // disable MS auto authentication via sso