diff --git a/README.md b/README.md index 2f33ad9..1a27d8a 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ A `user.js` is a configuration file that can control Firefox settings - for a mo The `arkenfox user.js` is a **template** which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage (but it will happen). -Everyone, experts included, should at least read the [wiki](https://github.com/arkenfox/user.js/wiki), as it contains important information regarding a few `user.js` settings. +Everyone, experts included, should at least read the [wiki](https://github.com/arkenfox/user.js/wiki), as it contains important information regarding a few `user.js` settings. There is also an [interactive current release](https://arkenfox.github.io/gui/), thanks to [icpantsparti2](https://github.com/icpantsparti2). Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://2019.www.torproject.org/about/torusers.html) calls for it, or for accessing hidden services. diff --git a/prefsCleaner.bat b/prefsCleaner.bat index 7591c0e..2e3403f 100644 --- a/prefsCleaner.bat +++ b/prefsCleaner.bat @@ -3,17 +3,19 @@ TITLE prefs.js cleaner REM ### prefs.js cleaner for Windows REM ## author: @claustromaniac -REM ## version: 2.5 +REM ## version: 2.7 CD /D "%~dp0" +IF /I "%~1"=="-unattended" (SET _ua=1) + :begin ECHO: ECHO: ECHO ######################################## ECHO #### prefs.js cleaner for Windows #### ECHO #### by claustromaniac #### -ECHO #### v2.5 #### +ECHO #### v2.7 #### ECHO ######################################## ECHO: CALL :message "This script should be run from your Firefox profile directory." @@ -22,18 +24,20 @@ CALL :message "This will allow inactive preferences to be reset to their default ECHO This Firefox profile shouldn't be in use during the process. CALL :message "" TIMEOUT 1 /nobreak >nul -CHOICE /C SHE /N /M "Start [S] Help [H] Exit [E]" -CLS -IF ERRORLEVEL 3 (EXIT /B) -IF ERRORLEVEL 2 (GOTO :showhelp) + +IF NOT DEFINED _ua ( + CHOICE /C SHE /N /M "Start [S] Help [H] Exit [E]" + CLS + IF ERRORLEVEL 3 (EXIT /B) + IF ERRORLEVEL 2 (GOTO :showhelp) +) IF NOT EXIST "user.js" (CALL :abort "user.js not found in the current directory." 30) IF NOT EXIST "prefs.js" (CALL :abort "prefs.js not found in the current directory." 30) CALL :strlenCheck CALL :FFcheck CALL :message "Backing up prefs.js..." -FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET ldt=%%j -SET ldt=%ldt:~0,8%_%ldt:~8,6% +FOR /F "delims=" %%# IN ('powershell get-date -format "{yyyyMMdd_HHmmss}"') DO @SET ldt=%%# COPY /B /V /Y prefs.js "prefs-backup-%ldt%.js" CALL :message "Cleaning prefs.js..." diff --git a/prefsCleaner.sh b/prefsCleaner.sh index 88fc581..2ef32a2 100755 --- a/prefsCleaner.sh +++ b/prefsCleaner.sh @@ -2,12 +2,23 @@ ## prefs.js cleaner for Linux/Mac ## author: @claustromaniac -## version: 1.6 +## version: 1.9 ## special thanks to @overdodactyl and @earthlng for a few snippets that I stol..*cough* borrowed from the updater.sh ## DON'T GO HIGHER THAN VERSION x.9 !! ( because of ASCII comparison in update_prefsCleaner() ) +# Check if running as root and if any files have the owner/group as root/wheel. +if [ "${EUID:-"$(id -u)"}" -eq 0 ]; then + printf "You shouldn't run this with elevated privileges (such as with doas/sudo).\n" + exit 1 +elif [ -n "$(find ./ -user 0 -o -group 0)" ]; then + printf 'It looks like this script was previously run with elevated privileges, +you will need to change ownership of the following files to your user:\n' + find . -user 0 -o -group 0 + exit 1 +fi + readonly CURRDIR=$(pwd) ## get the full path of this script (readlink for Linux, greadlink for Mac with coreutils installed) @@ -138,7 +149,7 @@ echo -e "\n\n" echo " ╔══════════════════════════╗" echo " ║ prefs.js cleaner ║" echo " ║ by claustromaniac ║" -echo " ║ v1.6 ║" +echo " ║ v1.9 ║" echo " ╚══════════════════════════╝" echo -e "\nThis script should be run from your Firefox profile directory.\n" echo "It will remove any entries from prefs.js that also exist in user.js." diff --git a/scratchpad-scripts/arkenfox-cleanup.js b/scratchpad-scripts/arkenfox-cleanup.js index 15f59d7..6e06248 100644 --- a/scratchpad-scripts/arkenfox-cleanup.js +++ b/scratchpad-scripts/arkenfox-cleanup.js @@ -3,7 +3,7 @@ - removed from the arkenfox user.js - deprecated by Mozilla but listed in the arkenfox user.js in the past - Last updated: 5-December-2022 + Last updated: 27-January-2023 Instructions: - [optional] close Firefox and backup your profile @@ -239,6 +239,7 @@ /* REMOVED */ /* 103+ */ 'beacon.enabled', + 'browser.startup.blankWindow', 'browser.newtab.preload', 'browser.newtabpage.activity-stream.feeds.discoverystreamfeed', 'browser.newtabpage.activity-stream.feeds.snippets', @@ -257,7 +258,6 @@ 'extensions.formautofill.creditCards.available', 'extensions.formautofill.creditCards.supported', 'network.http.altsvc.oe', - 'security.tls.version.enable-deprecated', /* 92-102 */ 'browser.urlbar.trimURLs', 'dom.caches.enabled', diff --git a/updater.bat b/updater.bat index 40a6d10..f6174f7 100644 --- a/updater.bat +++ b/updater.bat @@ -3,10 +3,10 @@ TITLE arkenfox user.js updater REM ## arkenfox user.js updater for Windows REM ## author: @claustromaniac -REM ## version: 4.18 +REM ## version: 4.19 REM ## instructions: https://github.com/arkenfox/user.js/wiki/5.1-Updater-[Options]#-windows -SET v=4.18 +SET v=4.19 VERIFY ON CD /D "%~dp0" @@ -177,8 +177,7 @@ IF EXIST user.js.new ( IF DEFINED _singlebackup ( MOVE /Y user.js user.js.bak >nul ) ELSE ( - FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET ldt=%%j - SET ldt=!ldt:~0,8!_!ldt:~8,6! + FOR /F "delims=" %%# IN ('powershell get-date -format "{yyyyMMdd_HHmmss}"') DO @SET ldt=%%# MOVE /Y user.js "user-backup-!ldt!.js" >nul ) REN user.js.new user.js diff --git a/updater.sh b/updater.sh index c109ccb..183ec5c 100755 --- a/updater.sh +++ b/updater.sh @@ -2,12 +2,23 @@ ## arkenfox user.js updater for macOS and Linux -## version: 3.5 +## version: 3.8 ## Author: Pat Johnson (@overdodactyl) ## Additional contributors: @earthlng, @ema-pe, @claustromaniac, @infinitewarp ## DON'T GO HIGHER THAN VERSION x.9 !! ( because of ASCII comparison in update_updater() ) +# Check if running as root and if any files have the owner/group as root/wheel. +if [ "${EUID:-"$(id -u)"}" -eq 0 ]; then + printf "You shouldn\'t run this with elevated privileges (such as with doas/sudo).\n" + exit 1 +elif [ -n "$(find ./ -user 0 -o -group 0)" ]; then + printf 'It looks like this script was previously run with elevated privileges, +you will need to change ownership of the following files to your user:\n' + find . -user 0 -o -group 0 + exit 1 +fi + readonly CURRDIR=$(pwd) SCRIPT_FILE=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null) diff --git a/user.js b/user.js index 1f34e49..3e3b84c 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 21 December 2022 -* version: 108 +* date: 30 March 2023 +* version: 111 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -261,7 +261,8 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost /* 0701: disable IPv6 * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming * your ISP and/or router and/or website is IPv6 capable. Most sites will fall back to IPv4 - * [STATS] Firefox telemetry (Sept 2022) shows ~8% of successful connections are IPv6 + * [SETUP-WEB] PR_CONNECT_RESET_ERROR: this pref *might* be the cause + * [STATS] Firefox telemetry (Feb 2023) shows ~9% of successful connections are IPv6 * [NOTE] This is an application level fallback. Disabling IPv6 is best done at an * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, * then this won't make much difference. If you are masking your IP, then it can only help. @@ -425,7 +426,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); * but the problem is that the browser can't know that. Setting this pref to true is the only way for the * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site? - * [STATS] SSL Labs (Sept 2022) reports over 99.3% of top sites have secure renegotiation [4] + * [STATS] SSL Labs (Feb 2023) reports over 99.3% of top sites have secure renegotiation [4] * [1] https://wiki.mozilla.org/Security:Renegotiation * [2] https://datatracker.ietf.org/doc/html/rfc5746 * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 @@ -470,8 +471,7 @@ user_pref("security.OCSP.require", true); user_pref("security.family_safety.mode", 0); /* 1223: enable strict PKP (Public Key Pinning) * 0=disabled, 1=allow user MiTM (default; such as your antivirus), 2=strict - * [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE: If you rely on an AV (antivirus) to protect - * your web browsing by inspecting ALL your web traffic, then override to current default ***/ + * [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE ***/ user_pref("security.cert_pinning.enforcement_level", 2); /* 1224: enable CRLite [FF73+] * 0 = disabled @@ -557,15 +557,6 @@ user_pref("privacy.userContext.ui.enabled", true); /*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!"); -/* 2001: disable WebRTC (Web Real-Time Communication) - * Firefox uses mDNS hostname obfuscation on desktop (except Windows7/8) and the - * private IP is NEVER exposed, except if required in TRUSTED scenarios; i.e. after - * you grant device (microphone or camera) access - * [SETUP-HARDEN] Test first. Windows7/8 users only: behind a proxy who never use WebRTC - * [TEST] https://browserleaks.com/webrtc - * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ - * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/ - // user_pref("media.peerconnection.enabled", false); /* 2002: force WebRTC inside the proxy [FF70+] ***/ user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); /* 2003: force a single network interface for ICE candidates generation [FF42+] @@ -596,8 +587,6 @@ user_pref("media.eme.enabled", false); user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!"); /* 2402: prevent scripts from moving and resizing open windows ***/ user_pref("dom.disable_window_move_resize", true); -/* 2404: limit events that can cause a pop-up [SETUP-WEB] ***/ -user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); @@ -607,8 +596,6 @@ user_pref("accessibility.force_disabled", 1); /* 2603: remove temp files opened with an external application * [1] https://bugzilla.mozilla.org/302433 ***/ user_pref("browser.helperApps.deleteTempFileOnExit", true); -/* 2604: disable page thumbnail collection ***/ -user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF] /* 2606: disable UITour backend so there is no chance that a remote page can use it ***/ user_pref("browser.uitour.enabled", false); // user_pref("browser.uitour.url", ""); // Defense-in-depth @@ -819,6 +806,7 @@ user_pref("privacy.sanitize.timeSpan", 0); 531915 - use fdlibm's sin, cos and tan in jsmath (FF93, ESR91.1) 1756280 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF100) 1692609 - reduce JS timing precision to 16.67ms (previously FF55+ was 100ms) (FF102) + 1422237 - return "srgb" with color-gamut (FF110) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] @@ -853,10 +841,6 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] // user_pref("privacy.resistFingerprinting.testGranularityMask", 0); /* 4506: set RFP's font visibility level (1402) [FF94+] ***/ // user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1] -/* 4507: disable showing about:blank as soon as possible during startup [FF60+] - * When default true this no longer masks the RFP chrome resizing activity - * [1] https://bugzilla.mozilla.org/1448423 ***/ -user_pref("browser.startup.blankWindow", false); /* 4510: disable using system colors * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false NON-WINDOWS] @@ -891,7 +875,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow * caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode). * In fact, PB mode limits or removes the ability to control some of these, and you need to quit * Firefox to clear them. PB is best used as a one off window (Menu>New Private Window) to provide - * a temporary self-contained new session. Close all Private Windows to clear the PB mode session. + * a temporary self-contained new session. Close all private windows to clear the PB session. * [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode * [1] https://wiki.mozilla.org/Private_Browsing * [2] https://support.mozilla.org/kb/common-myths-about-private-browsing ***/ @@ -963,6 +947,12 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow // user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] // user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] // user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] +/* 5018: limit events that can cause a pop-up ***/ + // user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); +/* 5019: disable page thumbnail collection ***/ + // user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF] +/* 5020: disable Windows native notifications and use app notications instead [FF111+] [WINDOWS] ***/ + // user_pref("alerts.useSystemBackend.windows.notificationserver.enabled", false); /*** [SECTION 5500]: OPTIONAL HARDENING Not recommended. Overriding these can cause breakage and performance issues, @@ -1033,11 +1023,12 @@ user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false] user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] /* 6050: prefsCleaner: reset previously active items removed from arkenfox FF102+ ***/ // user_pref("beacon.enabled", ""); + // user_pref("browser.startup.blankWindow", ""); // user_pref("browser.newtab.preload", ""); // user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", ""); // user_pref("browser.newtabpage.activity-stream.feeds.snippets", ""); // user_pref("browser.region.network.url", ""); - // user_pref("browser.region.update.enabled", "") + // user_pref("browser.region.update.enabled", ""); // user_pref("browser.ssl_override_behavior", ""); // user_pref("devtools.chrome.enabled", ""); // user_pref("dom.disable_beforeunload", ""); @@ -1147,6 +1138,13 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID" * [1] https://support.mozilla.org/kb/push-notifications-firefox ***/ // user_pref("dom.push.enabled", false); +/* 7020: disable WebRTC (Web Real-Time Communication) + * [WHY] Firefox desktop uses mDNS hostname obfuscation and the private IP is never exposed until + * required in TRUSTED scenarios; i.e. after you grant device (microphone or camera) access + * [TEST] https://browserleaks.com/webrtc + * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ + * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/ + // user_pref("media.peerconnection.enabled", false); /*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING [WHY] They are insufficient to help anti-fingerprinting and do more harm than good @@ -1186,6 +1184,9 @@ user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", fa user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); /* 9003: disable What's New toolbar icon [FF69+] ***/ user_pref("browser.messaging-system.whatsNewPanel.enabled", false); +/* 9004: disable search terms [FF110+] + * [SETTING] Search>Search Bar>Use the address bar for search and navigation>Show search terms instead of URL... ***/ +user_pref("browser.urlbar.showSearchTerms.enabled", false); /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED Documentation denoted as [-]. Items deprecated prior to FF91 have been archived at [1]