UA Spoofing own section, all inactive
parent
ffbbb43110
commit
32c4e5a1dc
52
user.js
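--- a/user.js
+++ b/user.js
@@ -1166,29 +1166,6 @@ user_pref("network.dns.blockDotOnion", true);
 // 2626: strip optional user agent token, default is false, included for completeness
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Gecko_user_agent_string_reference
 user_pref("general.useragent.compatMode.firefox", false);
-// 2627: Spoof default UA & relevant (navigator) parts (also see 0204 for UA language)
-// NOTE: may be better handled by an extension (eg whitelisitng), try not to clash with it
-// NOTE: this is NOT a complete solution (feature detection, some navigator objects leak, resource URI etc)
-// AIM: match latest TBB settings: Windows, ESR, OS etc
-// WARNING: If you do not understand fingerprinting then don't use this section
-// test: http://browserspy.dk/browser.php
-// http://browserspy.dk/showprop.php (for buildID)
-// http://browserspy.dk/useragent.php
-// ==start==
-// A: navigator.userAgent leaks in JS, setting this also seems to break UA extension whitelisting
-// user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"); // (hidden pref)
-// B: navigator.buildID (see gecko.buildID in about:config) reveals build time
-// down to the second which defeats user agent spoofing and can compromise OS etc
-// https://bugzilla.mozilla.org/show_bug.cgi?id=583181
-user_pref("general.buildID.override", "20100101"); // (hidden pref)
-// C: navigator.appName
-user_pref("general.appname.override", "Netscape"); // (hidden pref)
-// D: navigator.appVersion
-user_pref("general.appversion.override", "5.0 (Windows)"); // (hidden pref)
-// E: navigator.platform leaks in JS
-user_pref("general.platform.override", "Win32"); // (hidden pref)
-// F: navigator.oscpu
-user_pref("general.oscpu.override", "Windows NT 6.1"); // (hidden pref)
 // 2628: disable UITour backend so there is no chance that a remote page can use it
 user_pref("browser.uitour.enabled", false);
 user_pref("browser.uitour.url", "");
@@ -1265,6 +1242,35 @@ user_pref("svg.disabled", true);
 // CVE-2017-5383: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
 user_pref("network.IDN_show_punycode", true);
 
+/*** 2697: USER AGENT (UA) SPOOFING
+Spoofing your UA to *LOWER* entropy *does* *not* *work*. It may even cause site breakage
+depending on your values. Even if you spoof, like TBB (Tor Browser Bundle) does, as the
+lastest ESR, it still *does* *not* *work*. There are two main reasons for this.
+1. Many of the components that make up your UA can be derived by other means. And when
+those values differ, you provide more bits and raise entropy. Examples of leaks include
+navigator objects, resource://URIs, <isindex> locale, feature detection and more.
+2. You are not in a controlled set of signifcant numbers, where the values are enforced
+by default. It works for TBB because for TBB, the spoofed values ARE their default.
+* We do not recommend UA spoofing yourself, leave it to privacy.resistFingerprinting (see 2699)
+* Values below are for example only based on the current ESR/TBB at the time of writing
+***/
+// 2697-A: navigator.userAgent leaks in JS
+// NOTE: setting this will break any UA spoofing add-on whitelisting
+// user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"); // (hidden pref)
+// 2697-B: navigator.buildID (see gecko.buildID in about:config) reveals build time
+// down to the second which defeats user agent spoofing and can compromise OS etc
+// https://bugzilla.mozilla.org/show_bug.cgi?id=583181
+// user_pref("general.buildID.override", "20100101"); // (hidden pref)
+// 2697-C: navigator.appName
+//user_pref("general.appname.override", "Netscape"); // (hidden pref)
+// 2697-D: navigator.appVersion
+// user_pref("general.appversion.override", "5.0 (Windows)"); // (hidden pref)
+// 2697-E: navigator.platform leaks in JS
+// user_pref("general.platform.override", "Win32"); // (hidden pref)
+// 2697-F: navigator.oscpu leaks in JS
+// user_pref("general.oscpu.override", "Windows NT 6.1"); // (hidden pref)
+// 2697-G: also see 0204 for general.useragent.locale
+
 /*** 2698: FIRST PARTY ISOLATION (FPI) ***/
 // 2698a: enable first party isolation pref and OriginAttribute (FF51+)
 // WARNING: breaks lots of cross-domain logins and site funtionality until perfected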
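Review bot: The prefs at 2697-B to 2697-F are only commented out, which does not undo values that an earlier copy of this file already wrote into a profile: Firefox copies user.js entries into prefs.js at startup, and dropping a line from user.js leaves the stored value in place. Profiles that applied the old active 2627 block would therefore keep `general.buildID.override`, `general.appname.override`, `general.appversion.override`, `general.platform.override` and `general.oscpu.override` set, which is the mismatched-spoof case the new 2697 header says raises entropy. I would add a line to the header such as `* If you used the old active 2627 values, reset the general.*.override prefs in about:config; commenting them out here does not revert them`. As a style point, 2697-C is written `//user_pref(` without the space the other inactive prefs use.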