
2600: security regroup (#416)

* 2600: security regroup

* fixup
earthlng 2018-05-05 18:21:21 +02:00 committed by Thorin-Oakenpants
parent c5a1a038d2
commit 149aab6b1e

42
user.js

@ -1271,18 +1271,6 @@ user_pref("middlemouse.contentLoadURL", false);
* [SETTING] Privacy & Security>Permissions>Warn you when websites try to install add-ons * [SETTING] Privacy & Security>Permissions>Warn you when websites try to install add-ons
* [SETTING-ESR52] Security>General>Warn me when sites try to install add-ons ***/ * [SETTING-ESR52] Security>General>Warn me when sites try to install add-ons ***/
user_pref("xpinstall.whitelist.required", true); // default: true user_pref("xpinstall.whitelist.required", true); // default: true
/* 2622: enforce a security delay when installing extensions (milliseconds)
* default=1000, This also covers the delay in "Save" on downloading files.
* [1] http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
* [2] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
user_pref("security.dialog_enable_delay", 700);
/* 2623: enable Strict File Origin Policy on local files
* [1] http://kb.mozillazine.org/Security.fileuri.strict_origin_policy ***/
user_pref("security.fileuri.strict_origin_policy", true);
/* 2624: enable Subresource Integrity (SRI) (FF43+)
* [1] https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity
* [2] https://wiki.mozilla.org/Security/Subresource_Integrity ***/
user_pref("security.sri.enable", true); // default: true
/* 2625: clear localStorage and UUID when an extension is uninstalled /* 2625: clear localStorage and UUID when an extension is uninstalled
* [NOTE] Both preferences must be the same * [NOTE] Both preferences must be the same
* [1] https://developer.mozilla.org/Add-ons/WebExtensions/API/storage/local * [1] https://developer.mozilla.org/Add-ons/WebExtensions/API/storage/local
@ -1336,9 +1324,6 @@ user_pref("devtools.chrome.enabled", false);
* [1] archived: https://archive.is/DYjAM ***/ * [1] archived: https://archive.is/DYjAM ***/
user_pref("extensions.enabledScopes", 1); // (hidden pref) user_pref("extensions.enabledScopes", 1); // (hidden pref)
user_pref("extensions.autoDisableScopes", 15); user_pref("extensions.autoDisableScopes", 15);
/* 2670: disable "image/" mime types bypassing CSP (FF51+)
* [1] https://bugzilla.mozilla.org/1288361 ***/
user_pref("security.block_script_with_wrong_mime", true);
/* 2671: disable in-content SVG (Scalable Vector Graphics) (FF53+) /* 2671: disable in-content SVG (Scalable Vector Graphics) (FF53+)
* [WARNING] SVG is fairly common (~15% of the top 10K sites), so will cause some breakage * [WARNING] SVG is fairly common (~15% of the top 10K sites), so will cause some breakage
* including youtube player controls. Best left for "hardened" or specific profiles. * including youtube player controls. Best left for "hardened" or specific profiles.
@ -1355,20 +1340,35 @@ user_pref("security.block_script_with_wrong_mime", true);
* [4] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/ * [4] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
* [5] https://www.xudongz.com/blog/2017/idn-phishing/ ***/ * [5] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
user_pref("network.IDN_show_punycode", true); user_pref("network.IDN_show_punycode", true);
/* 2673: enable CSP (Content Security Policy) /* 2680: disable "image/" mime types bypassing CSP (FF51+)
* [1] https://bugzilla.mozilla.org/1288361 ***/
user_pref("security.block_script_with_wrong_mime", true);
/* 2681: enable CSP (Content Security Policy)
* [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/ * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
user_pref("security.csp.enable", true); // default: true user_pref("security.csp.enable", true); // default: true
/* 2674: enable CSP 1.1 experimental hash-source directive (FF29+) /* 2682: disable CSP violation events (FF59+)
* [1] https://developer.mozilla.org/docs/Web/API/SecurityPolicyViolationEvent ***/
user_pref("security.csp.enable_violation_events", false);
/* 2683: enable CSP 1.1 experimental hash-source directive (FF29+)
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=855326,883975 ***/ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=855326,883975 ***/
user_pref("security.csp.experimentalEnabled", true); user_pref("security.csp.experimentalEnabled", true);
/* 2675: block top level window data: URIs (FF56+) /* 2684: block top level window data: URIs (FF56+)
* [1] https://bugzilla.mozilla.org/1331351 * [1] https://bugzilla.mozilla.org/1331351
* [2] https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/ * [2] https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
* [3] https://www.fxsitecompat.com/en-CA/docs/2017/data-url-navigations-on-top-level-window-will-be-blocked/ ***/ * [3] https://www.fxsitecompat.com/en-CA/docs/2017/data-url-navigations-on-top-level-window-will-be-blocked/ ***/
user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); user_pref("security.data_uri.block_toplevel_data_uri_navigations", true);
/* 2676: disable CSP violation events (FF59+) /* 2685: enforce a delay for security dialogs
* [1] https://developer.mozilla.org/docs/Web/API/SecurityPolicyViolationEvent ***/ * fe. when installing extensions or downloading files.
user_pref("security.csp.enable_violation_events", false); * [1] http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
* [2] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
user_pref("security.dialog_enable_delay", 700); // default: 1000 (milliseconds)
/* 2686: enable Strict File Origin Policy on local files
* [1] http://kb.mozillazine.org/Security.fileuri.strict_origin_policy ***/
user_pref("security.fileuri.strict_origin_policy", true);
/* 2687: enable Subresource Integrity (SRI) (FF43+)
* [1] https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity
* [2] https://wiki.mozilla.org/Security/Subresource_Integrity ***/
user_pref("security.sri.enable", true); // default: true
/*** 2700: PERSISTENT STORAGE /*** 2700: PERSISTENT STORAGE
Data SET by websites including Data SET by websites including