From 05abe82136a02b33c3eb71c47577d7bc5f375b58 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 18 Aug 2022 20:12:42 +0000 Subject: [PATCH 1/9] v105 partition SWers by default: https://bugzilla.mozilla.org/show_bug.cgi?id=1784900 --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 8ae66eb..4c00428 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 18 August 2022 -* version: 103 +* date: 30 August 2022 +* version: 104 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -750,7 +750,7 @@ user_pref("browser.contentblocking.category", "strict"); * [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/ // user_pref("privacy.antitracking.enableWebcompat", false); /* 2710: enable state partitioning of service workers [FF96+] ***/ -user_pref("privacy.partition.serviceWorkers", true); +user_pref("privacy.partition.serviceWorkers", true); // [DEFAULT: true FF105+] /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); From 848290898da60d64dfaeb804228bb5528364042d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 22 Aug 2022 16:02:07 +0000 Subject: [PATCH 2/9] svg opentype fonts -> optional, see #1529 --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 4c00428..7091d41 100644 --- a/user.js +++ b/user.js 
@@ -549,8 +549,6 @@ user_pref("browser.xul.error_pages.expert_bad_cert", true); /*** [SECTION 1400]: FONTS ***/ user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); -/* 1401: disable rendering of SVG OpenType fonts ***/ -user_pref("gfx.font_rendering.opentype_svg.enabled", false); /* 1402: limit font visibility (Windows, Mac, some Linux) [FF94+] * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed * In normal windows: uses the first applicable: RFP (4506) over TP over Standard @@ -1041,6 +1039,8 @@ user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!"); * [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly * [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/ // user_pref("javascript.options.wasm", false); +/* 5507: disable rendering of SVG OpenType fonts ***/ + // user_pref("gfx.font_rendering.opentype_svg.enabled", false); /*** [SECTION 6000]: DON'T TOUCH ***/ user_pref("_user.js.parrot", "6000 syntax error: the parrot's 'istory!"); From ff8d63f7e428462e0864ca1c20740e8631f96437 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 23 Aug 2022 16:42:32 +0000 Subject: [PATCH 3/9] remove dead prefs https://bugzilla.mozilla.org/show_bug.cgi?id=1745248 - they migrated to `.supported` prefs (values detect or off) --- user.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 7091d41..0aedc06 100644 --- a/user.js +++ b/user.js 
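Review bot: The new 5507 entry is the only item in this optional-hardening block with no rationale or reference, whereas 5506 directly above it cites [1]–[3], so a reader cannot tell what disabling SVG OpenType font rendering buys or costs. Suggest extending the header to `/* 5507: disable rendering of SVG OpenType fonts` followed by ` * [1] <reference placeholder> ***/`. Separately, dropping 1401 from the enforced set does not revert the value on existing profiles: a value that user.js once wrote persists in prefs.js until something resets it, which is what the "prefsCleaner: reset items removed from arkenfox" entries added later in this series are for; if existing users are meant to keep the hardened value, that is fine, but the commit should say so. The 1401 deletion in the first hunk is history and needs nothing.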
@@ -372,8 +372,6 @@ user_pref("browser.formfill.enable", false); * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] -user_pref("extensions.formautofill.available", "off"); // [FF56+] -user_pref("extensions.formautofill.creditCards.available", false); // [FF57+] user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] /* 0820: disable coloring of visited links @@ -1083,6 +1081,9 @@ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] // user_pref("privacy.firstparty.isolate.use_site", ""); // user_pref("privacy.window.name.update.enabled", ""); // user_pref("security.insecure_connection_text.enabled", ""); +/* 6051: prefsCleaner: reset items removed from arkenfox FF102+ ***/ + // user_pref("extensions.formautofill.available", "off"); // [FF56+] + // user_pref("extensions.formautofill.creditCards.available", false); // [FF57+] /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); From 61f01f81fdc57846012001009cba603928f62e75 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 23 Aug 2022 16:53:27 +0000 Subject: [PATCH 4/9] tidy --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 0aedc06..85b642c 100644 --- a/user.js +++ b/user.js 
@@ -1082,8 +1082,8 @@ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] // user_pref("privacy.window.name.update.enabled", ""); // user_pref("security.insecure_connection_text.enabled", ""); /* 6051: prefsCleaner: reset items removed from arkenfox FF102+ ***/ - // user_pref("extensions.formautofill.available", "off"); // [FF56+] - // user_pref("extensions.formautofill.creditCards.available", false); // [FF57+] + // user_pref("extensions.formautofill.available", ""); + // user_pref("extensions.formautofill.creditCards.available", ""); /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); From d040b95ed293548cbdff13c0c10367807ac0ec30 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 23 Aug 2022 17:29:47 +0000 Subject: [PATCH 5/9] also reset the prefs migrated to .supported also hides/shows the UI. There is no need for this, it is overkill (and users might never be able to work out how to get them back). The .enabled prefs are enough to toggle the checkboxes IF they show based on .supportedCountries (which relies on browser.search.region) --- user.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/user.js b/user.js index 85b642c..bf3df89 100644 --- a/user.js +++ b/user.js @@ -1083,7 +1083,9 @@ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] // user_pref("security.insecure_connection_text.enabled", ""); /* 6051: prefsCleaner: reset items removed from arkenfox FF102+ ***/ // user_pref("extensions.formautofill.available", ""); + // user_pref("extensions.formautofill.addresses.supported", ""); // user_pref("extensions.formautofill.creditCards.available", ""); + // user_pref("extensions.formautofill.creditCards.supported", ""); /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); From 5780b6d19750b165e42d4c7e698337eeea8bfa97 Mon Sep 17 00:00:00 2001 
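Review bot: The two new `.supported` reset lines sit under a header that reads "reset items removed from arkenfox FF102+", but arkenfox never shipped those prefs (patch 3 says they are what the removed `.available` prefs migrated to), so the header no longer explains why they are listed. The reason is only in the commit message: a `.supported` value of "off" also hides the UI, which users may not know how to undo. Suggest carrying that into the block, e.g. `/* 6051: prefsCleaner: reset items removed from arkenfox FF102+, and the .supported prefs they migrated to` followed by ` * .supported also hides/shows the UI; resetting it lets users find the checkboxes again ***/`. The first hunk on this line (patch 4) is a tidy and needs nothing.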
From: Thorin-Oakenpants Date: Tue, 23 Aug 2022 17:51:35 +0000 Subject: [PATCH 6/9] move Form Autofill to 5000s --- user.js | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/user.js b/user.js index bf3df89..7f16d55 100644 --- a/user.js +++ b/user.js @@ -366,14 +366,6 @@ user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html * [2] https://bugzilla.mozilla.org/381681 ***/ user_pref("browser.formfill.enable", false); -/* 0811: disable Form Autofill - * [NOTE] Stored data is NOT secure (uses a JSON file) - * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes - * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses - * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ -user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] -user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] -user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] /* 0820: disable coloring of visited links * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing 
@@ -999,6 +991,15 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow * 0=desktop, 1=downloads (default), 2=last used * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/ // user_pref("browser.download.folderList", 2); +/* 5017: disable Form Autofill + * If .supportedCountries includes your region (browser.search.region) and .supported + * is "detect" (default), then the UI will show. Stored data is not secure, uses JSON + * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes + * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses + * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ + // user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] + // user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] + // user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] /*** [SECTION 5500]: OPTIONAL HARDENING Not recommended. Overriding these can cause breakage and performance issues, From 74be763f6065c9df00918a7ebe8fec5f6b3a8563 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 24 Aug 2022 05:53:46 +0000 Subject: [PATCH 7/9] add OCSP hard-fail error code --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 7f16d55..7dd0812 100644 --- a/user.js +++ b/user.js 
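Review bot: The three Form Autofill prefs arrive in 5017 commented out, so this move also stops enforcing them, yet neither the commit message ("move Form Autofill to 5000s") nor the new 5017 text says that downgrade is intentional, while the comment still states that stored data is not secure. If the reasoning is that the feature is gated by .supportedCountries and browser.search.region, as the new text says, make it explicit with a line such as ` * [NOTE] Not set by default: uncomment the three prefs below if the Autofill UI shows for your region`. Because the old 0811 values are not in the 6051 reset list, existing profiles presumably keep false while new installs get Firefox's defaults; a `// [DEFAULT: …]` tag on each of the three lines, in the form 2710 uses, would tell the reader what those defaults are. The first hunk of this patch (on the previous line) is the pure deletion of 0811 and needs nothing.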
@@ -470,7 +470,8 @@ user_pref("security.tls.enable_0rtt_data", false); * [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers... * [1] https://en.wikipedia.org/wiki/Ocsp ***/ user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1] -/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail [SETUP-WEB] +/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail + * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail) * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail) * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it From e38f02bc22e15e2e90bc50a413e4fd68c43a0640 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 28 Aug 2022 00:31:59 +0000 Subject: [PATCH 8/9] add extra bugzilla --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 7dd0812..f2e931f 100644 --- a/user.js +++ b/user.js @@ -1356,7 +1356,7 @@ user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] // 2801: delete cookies and site data on exit - replaced by sanitizeOnShutdown* (2810) // 0=keep until they expire (default), 2=keep until you close Firefox // [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed - // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1681493,1681495,1681498,1759665 + // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1681493,1681495,1681498,1759665,1764761 user_pref("network.cookie.lifetimePolicy", 2); // 6012: disable SHA-1 certificates // [-] https://bugzilla.mozilla.org/1766687 From 3c73bc1e56e94d025edb732e34fc169bb5ab3e94 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 11 Sep 2022 02:39:08 +0000 Subject: [PATCH 9/9] 2720: add APS --- user.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
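Review bot: The added ` * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR` line names an error code without saying what it is, and the surrounding 1212 text only explains hard-fail in general terms; the commit subject is the only place that ties the code to hard-fail. Suggest ` * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR: the error shown when a hard-fail blocks a connection` so that someone searching the file for that code sees it is expected from this pref rather than a site defect. The 1212 comment block continues past the end of the hunk, and the bugzilla-id hunk (patch 8) on this line needs nothing.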
diff --git a/user.js b/user.js index f2e931f..d6faae2 100644 --- a/user.js +++ b/user.js @@ -1,6 +1,6 @@ /****** * name: arkenfox user.js -* date: 30 August 2022 +* date: 11 September 2022 * version: 104 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -740,6 +740,8 @@ user_pref("browser.contentblocking.category", "strict"); // user_pref("privacy.antitracking.enableWebcompat", false); /* 2710: enable state partitioning of service workers [FF96+] ***/ user_pref("privacy.partition.serviceWorkers", true); // [DEFAULT: true FF105+] +/* 2720: enable APS (Always Partitioning Storage) [FF104+] */ +user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", true); /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
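Review bot: The new 2720 header closes with `*/` while every numbered entry visible here (2710 right above it) closes with `***/`, and unlike 2710 it carries neither a reference nor a `[DEFAULT: …]` tag, so a reader cannot tell whether FF104 already partitions third-party non-cookie storage or this pref turns it on. Suggest `/* 2720: enable APS (Always Partitioning Storage) [FF104+]` followed by ` * [1] <bugzilla reference placeholder> ***/`, and, if the default is known, a `// [DEFAULT: …]` tag on the user_pref line in the same form 2710 uses. The date-only hunk in this patch needs nothing.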