diff --git a/user.js b/user.js index 3108477..bdf68c9 100644 --- a/user.js +++ b/user.js @@ -7,7 +7,7 @@ * README: - 1. Consider using Tor Browser if it meets your needs or fits your threat model better + 1. Consider using Tor Browser if it meets your needs or fits your threat model * https://www.torproject.org/about/torusers.html.en 2. Required reading: Overview, Backing Up, Implementing, and Maintenance entries * https://github.com/arkenfox/user.js/wiki @@ -71,11 +71,12 @@ 5000: PERSONAL 9999: DEPRECATED / REMOVED / LEGACY / RENAMED + ******/ /* START: internal custom pref to test for syntax errors - * [NOTE] In FF60+, not all syntax errors cause parsing to abort i.e. reaching the last debug - * pref no longer necessarily means that all prefs have been applied. Check the console right + * [NOTE] Not all syntax errors cause parsing to abort i.e. reaching the last debug pref + * no longer necessarily means that all prefs have been applied. Check the console right * after startup for any warnings/error messages related to non-applied prefs * [1] https://blog.mozilla.org/nnethercote/2018/03/09/a-new-preferences-parser-for-firefox/ ***/ user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?"); @@ -105,7 +106,7 @@ user_pref("browser.startup.homepage", "about:blank"); user_pref("browser.newtabpage.enabled", false); user_pref("browser.newtab.preload", false); /* 0105: disable Activity Stream stuff (AS) - * AS is the default homepage/newtab in FF57+, based on metadata and browsing behavior. + * AS is the default homepage/newtab based on metadata and browsing behavior * **NOT LISTING ALL OF THESE: USE THE PREFERENCES UI** * [SETTING] Home>Firefox Home Content>... to show/hide what you want ***/ /* 0105a: disable Activity Stream telemetry ***/ 
@@ -125,7 +126,7 @@ user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); // * [NOTE] This does not block you from adding your own ***/ user_pref("browser.newtabpage.activity-stream.default.sites", ""); /* 0110: start Firefox in PB (Private Browsing) mode - * [NOTE] In this mode *all* windows are "private windows" and the PB mode icon is not displayed + * [NOTE] In this mode all windows are "private windows" and the PB mode icon is not displayed * [WARNING] The P in PB mode is misleading: it means no "persistent" disk storage such as history, * caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode). * In fact, PB mode limits or removes the ability to control some of these, and you need to quit @@ -177,10 +178,6 @@ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] /*** [SECTION 0300]: QUIET FOX We only disable the auto-INSTALL of Firefox (app) updates. You still get prompts to update, and it only takes one click. We highly discourage disabling auto-CHECKING for updates. - - Legitimate reasons to disable auto-INSTALLS include hijacked/monetized extensions, time - constraints, legacy issues, dev/testing, and fear of breakage/bugs. It is still important - to do updates for security reasons, please do so manually if you make changes. ***/ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); /* 0301: disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+] 
@@ -208,11 +205,10 @@ user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF] /* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/ user_pref("extensions.htmlaboutaddons.recommendations.enabled", false); /* 0330: disable telemetry - * the pref (.unified) affects the behaviour of the pref (.enabled) - * IF unified=false then .enabled controls the telemetry module - * IF unified=true then .enabled ONLY controls whether to record extended data - * so make sure to have both set as false - * [NOTE] FF58+ 'toolkit.telemetry.enabled' is now LOCKED to reflect prerelease + * The "unified" pref affects the behaviour of the "enabled" pref + * - If "unified" is false then "enabled" controls the telemetry module + * - If "unified" is true then "enabled" only controls whether to record extended data + * [NOTE] FF58+ "toolkit.telemetry.enabled" is now LOCKED to reflect prerelease * or release builds (true and false respectively) [2] * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/ @@ -281,8 +277,8 @@ user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true] [3] https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work ***/ /* 0410: disable SB (Safe Browsing) - * [WARNING] Do this at your own risk! These are the master switches. - * [SETTING] Privacy & Security>Security>... "Block dangerous and deceptive content" ***/ + * [WARNING] Do this at your own risk! These are the master switches + * [SETTING] Privacy & Security>Security>... Block dangerous and deceptive content ***/ // user_pref("browser.safebrowsing.malware.enabled", false); // user_pref("browser.safebrowsing.phishing.enabled", false); /* 0411: disable SB checks for downloads (both local lookups + remote) 
@@ -300,7 +296,7 @@ user_pref("browser.safebrowsing.downloads.remote.url", ""); * [SETTING] Privacy & Security>Security>... "Warn you about unwanted and uncommon software" ***/ // user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); // user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false); -/* 0419: disable 'ignore this warning' on SB warnings [FF45+] +/* 0419: disable "ignore this warning" on SB warnings [FF45+] * If clicked, it bypasses the block for that session. This is a means for admins to enforce SB * [TEST] see github wiki APPENDIX A: Test Sites: Section 5 * [1] https://bugzilla.mozilla.org/1226490 ***/ @@ -331,7 +327,7 @@ user_pref("app.normandy.api_url", ""); user_pref("extensions.systemAddon.update.enabled", false); // [FF62+] user_pref("extensions.systemAddon.update.url", ""); // [FF44+] /* 0506: disable PingCentre telemetry (used in several System Add-ons) [FF57+] - * Currently blocked by 'datareporting.healthreport.uploadEnabled' (see 0340) ***/ + * Currently blocked by "datareporting.healthreport.uploadEnabled" (see 0340) ***/ user_pref("browser.ping-centre.telemetry", false); /* 0515: disable Screenshots ***/ // user_pref("extensions.screenshots.disabled", true); // [FF55+] 
@@ -371,10 +367,10 @@ user_pref("network.http.speculative-parallel-limit", 0); /*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!"); /* 0701: disable IPv6 - * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs. That's even - * assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4 + * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming + * your ISP and/or router and/or website is IPv6 capable. Most sites will fall back to IPv4 * [STATS] Firefox telemetry (July 2021) shows ~10% of all connections are IPv6 - * [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an + * [NOTE] This is an application level fallback. Disabling IPv6 is best done at an * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, * then this won't make much difference. If you are masking your IP, then it can only help. * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" @@ -383,7 +379,7 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost user_pref("network.dns.disableIPv6", true); /* 0702: disable HTTP2 * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to - * enhance privacy, and opens up a number of server-side fingerprinting opportunities. + * enhance privacy, and opens up a number of server-side fingerprinting opportunities * [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites * [STATS] ~46% of sites (July 2021) [5] * [1] https://http2.github.io/faq/ 
@@ -396,7 +392,7 @@ user_pref("network.dns.disableIPv6", true); // user_pref("network.http.spdy.enabled.http2", false); // user_pref("network.http.spdy.websockets", false); // [FF65+] /* 0703: disable HTTP Alternative Services [FF37+] - * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the + * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) and you understand the * consequences. FPI isolates these, but it was designed with the Tor protocol in mind, * and the Tor Browser has extra protection, including enhanced sanitizing per Identity. * [1] https://tools.ietf.org/html/rfc7838#section-9 
@@ -422,18 +418,18 @@ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS - Change items 0850 and above to suit for privacy vs convenience and functionality. Consider - your environment (no unwanted eyeballs), your device (restricted access), your device's - unattended state (locked, encrypted, forensic hardened). Likewise, you may want to check - the items cleared on shutdown in section 2800. + Change 0850 and above to suit for privacy vs convenience and functionality. + Consider your environment (no unwanted eyeballs), your device (restricted access), + your device's unattended state (locked, encrypted, forensic hardened). Likewise, + you may want to check the items cleared on shutdown in section 2800. [1] https://xkcd.com/538/ ***/ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); /* 0801: disable location bar using search - * Don't leak URL typos to a search engine, give an error message instead. + * Don't leak URL typos to a search engine, give an error message instead * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com" - * [NOTE] This does **not** affect explicit user action such as using search buttons in the - * dropdown, or using keyword search shortcuts you configure in options (e.g. 'd' for DuckDuckGo) + * [NOTE] This does not affect explicit user action such as using search buttons in the + * dropdown, or using keyword search shortcuts you configure in options (e.g. "d" for DuckDuckGo) * [SETUP-CHROME] If you don't, or rarely, type URLs, or you use a default search * engine that respects privacy, then you probably don't need this ***/ user_pref("keyword.enabled", false); 
@@ -514,7 +510,7 @@ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); * [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/ // user_pref("signon.rememberSignons", false); /* 0902: use a primary password - * There are no preferences for this. It is all handled internally. + * There are no preferences for this. It is all handled internally * [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password * [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/ /* 0903: set how often Firefox should ask for the primary password @@ -545,12 +541,12 @@ user_pref("network.http.windows-sso.enabled", false); /*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS Cache tracking/fingerprinting techniques [1][2][3] require a cache. Disabling disk (1001) *and* memory (1003) caches is one solution; but that's extreme and fingerprintable. A hardened - Temporary Containers configuration can effectively do the same thing, by isolating every tab [4]. + Temporary Containers configuration can effectively do the same thing, by isolating every tab [4] We consider avoiding disk cache (1001) so cache is session/memory only (like Private Browsing mode), and isolating cache to first party (4001) is sufficient and a good balance between risk and performance. ETAGs can also be neutralized by modifying response headers [5], and - you can clear the cache manually or on a regular basis with an extension. + you can clear the cache manually or on a regular basis with an extension [1] https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags [2] https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/ 
@@ -590,12 +586,10 @@ user_pref("browser.sessionstore.privacy_level", 2); // user_pref("browser.sessionstore.resume_from_crash", false); /* 1023: set the minimum interval between session save operations * Increasing this can help on older machines and some websites, as well as reducing writes [1] - * Default is 15000 (15 secs). Try 30000 (30 secs), 60000 (1 min) etc - * [SETUP-CHROME] This can also affect entries in the "Recently Closed Tabs" feature: - * i.e. the longer the interval the more chance a quick tab open/close won't be captured. - * This longer interval *may* affect history but we cannot replicate any history not recorded + * [SETUP-CHROME] This can affect entries in "Recently Closed Tabs": i.e. the + * longer the interval the more chance a quick tab open/close won't be captured * [1] https://bugzilla.mozilla.org/1304389 ***/ -user_pref("browser.sessionstore.interval", 30000); +user_pref("browser.sessionstore.interval", 30000); // [DEFAULT: 1500] /* 1024: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS] * [1] https://bugzilla.mozilla.org/603903 ***/ user_pref("toolkit.winRegisterApplicationRestart", false); @@ -603,7 +597,7 @@ user_pref("toolkit.winRegisterApplicationRestart", false); /** FAVICONS ***/ /* 1030: disable favicons in shortcuts * URL shortcuts use a cached randomly named .ico file which is stored in your - * profile/shortcutCache directory. The .ico remains after the shortcut is deleted. + * profile/shortcutCache directory. The .ico remains after the shortcut is deleted * If set to false then the shortcuts use a generic Firefox icon ***/ user_pref("browser.shell.shortcutFavicons", false); /* 1031: disable favicons in history and bookmarks 
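Review bot: The new trailing annotation `// [DEFAULT: 1500]` on the `browser.sessionstore.interval` line disagrees with the text this same hunk removes, which gave the default as 15000 (15 secs); one of the two is wrong, and since 30000 is described as an increase, 1500 looks like a dropped zero. Suggest `user_pref("browser.sessionstore.interval", 30000); // [DEFAULT: 15000]` and a check against the current Firefox default before merging, since the [DEFAULT: …] annotations are what readers use to judge how far a value departs from stock. The shortened [SETUP-CHROME] note above it reads fine.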
@@ -638,7 +632,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); user_pref("security.ssl.require_safe_negotiation", true); /* 1202: control TLS versions with min and max * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 - * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint. + * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint * [1] https://www.ssllabs.com/ssl-pulse/ ***/ // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] // user_pref("security.tls.version.max", 4); @@ -686,8 +680,8 @@ user_pref("security.OCSP.require", true); * 2=deprecated option that now maps to 1 * 3=only allowed for locally-added roots (e.g. anti-virus) * 4=only allowed for locally-added roots or for certs in 2015 and earlier - * [SETUP-CHROME] When disabled, some man-in-the-middle devices (e.g. security scanners and - * antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete. + * [SETUP-CHROME] When disabled, some man-in-the-middle devices, e.g. security scanners and + * antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/ user_pref("security.pki.sha1_enforcement_level", 1); /* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS] 
@@ -732,8 +726,8 @@ user_pref("dom.security.https_only_mode", true); // [FF76+] /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/ // user_pref("dom.security.https_only_mode.upgrade_local", true); /* 1246: disable HTTP background requests [FF82+] - * When attempting to upgrade, if the server doesn't respond within 3 seconds, firefox - * sends HTTP requests in order to check if the server supports HTTPS or not. + * When attempting to upgrade, if the server doesn't respond within 3 seconds, + * Firefox sends HTTP requests in order to check if the server supports HTTPS or not * This is done to avoid waiting for a timeout which takes 90 seconds * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/ user_pref("dom.security.https_only_mode_send_http_background_request", false); @@ -805,14 +799,13 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); user_pref("gfx.font_rendering.graphite.enabled", false); /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed - * [NOTE] In FF81+ the whitelist **overrides** RFP's font visibility (see 4620) + * [NOTE] In FF81+ the whitelist overrides RFP's font visibility (see 4620) * [WARNING] DO NOT USE: in FF80+ RFP covers this, and non-RFP users should use font vis (4620) * [1] https://bugzilla.mozilla.org/1121643 ***/ // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] /*** [SECTION 1600]: HEADERS / REFERERS Only *cross domain* referers need controlling: leave 1601, 1602, 1605 and 1606 alone - --- Expect some breakage: Use an extension if you need precise control --- full URI: https://example.com:8888/foo/bar.html?id=1234 
@@ -935,8 +928,8 @@ user_pref("_user.js.parrot", "2200 syntax error: the parrot's 'istory!"); /* 2202: prevent scripts from moving and resizing open windows ***/ user_pref("dom.disable_window_move_resize", true); /* 2203: open links targeting new windows in a new tab instead - * This stops malicious window sizes and some screen resolution leaks. - * You can still right-click a link and open in a new window. + * Stops malicious window sizes and some screen resolution leaks. + * You can still right-click a link and open in a new window * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab @@ -949,8 +942,7 @@ user_pref("browser.link.open_newwindow.restriction", 0); /* 2210: block popup windows * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ user_pref("dom.disable_open_during_load", true); -/* 2212: limit events that can cause a popup [SETUP-WEB] - * default FF86+: "change click dblclick auxclick mousedown mouseup pointerdown pointerup notificationclick reset submit touchend contextmenu ***/ +/* 2212: limit events that can cause a popup [SETUP-WEB] ***/ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); /*** [SECTION 2300]: WEB WORKERS 
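Review bot: Dropping the default event list from the 2212 comment removes the only reference a reader has for what the active value `"click dblclick mousedown pointerdown"` actually strips out (the removed line named the full stock set). Elsewhere the file records stock values inline, e.g. `// [DEFAULT: true]`, so the same information could be kept as a trailing `// [DEFAULT: …]` annotation on the `dom.popup_allowed_events` line, or the removed line retained in the comment, so users can judge the narrowing without consulting about:config. If the list was removed because it drifts across versions, a version tag as in the rest of the file (`[FF86+]`) would cover that.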
@@ -971,11 +963,11 @@ user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!"); * Service workers essentially act as proxy servers that sit between web apps, and the * browser and network, are event driven, and can control the web page/site it is associated * with, intercepting and modifying navigation and resource requests, and caching resources. - * [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode. - * [NOTE] Service workers only run over HTTPS. Service workers have no DOM access. + * [NOTE] Service workers require HTTPS, have no DOM access, and are not supported in PB mode [1] * [SETUP-WEB] Disabling service workers will break some sites. This pref is required true for * service worker notifications (2304), push notifications (disabled, 2305) and service worker - * cache (2740). If you enable this pref, then check those settings as well ***/ + * cache (2740). If you enable this pref, then check those settings as well + * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1320796#c7 ***/ user_pref("dom.serviceWorkers.enabled", false); /* 2304: disable Web Notifications * [NOTE] Web Notifications can also use service workers (2302) and are behind a prompt (2306) 
@@ -984,11 +976,10 @@ user_pref("dom.serviceWorkers.enabled", false); // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+] /* 2305: disable Push Notifications [FF44+] * Push is an API that allows websites to send you (subscribed) messages even when the site - * isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server. + * isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server * [NOTE] Push requires service workers (2302) to subscribe to and display, and is behind * a prompt (2306). Disabling service workers alone doesn't stop Firefox polling the - * Mozilla Push Server. To remove all subscriptions, reset your userAgentID (in about:config - * or on start), and you will get a new one within a few seconds. + * Mozilla Push Server. To remove all subscriptions, reset your userAgentID. * [1] https://support.mozilla.org/kb/push-notifications-firefox * [2] https://developer.mozilla.org/docs/Web/API/Push_API ***/ user_pref("dom.push.enabled", false); @@ -1008,8 +999,8 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket! /* 2402: disable website access to clipboard events/content [SETUP-HARDEN] * [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress * This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website - * [WARNING] In FF88 or lower, with clipboardevents enabled, if both 'middlemouse.paste' and - * 'general.autoScroll' are true (at least one is default false) then the clipboard can leak [1] + * [WARNING] In FF88 or lower, with clipboardevents enabled, if both "middlemouse.paste" and + * "general.autoScroll" are true (at least one is default false) then the clipboard can leak [1] * [1] https://bugzilla.mozilla.org/1528289 ***/ // user_pref("dom.event.clipboardevents.enabled", false); /* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] 
@@ -1017,9 +1008,8 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket! * [1] https://bugzilla.mozilla.org/1170911 ***/ user_pref("dom.allow_cut_copy", false); /* 2405: disable "Confirm you want to leave" dialog on page close - * Does not prevent JS leaks of the page close event. - * [1] https://developer.mozilla.org/docs/Web/Events/beforeunload - * [2] https://support.mozilla.org/questions/1043508 ***/ + * Does not prevent JS leaks of the page close event + * [1] https://developer.mozilla.org/docs/Web/Events/beforeunload ***/ user_pref("dom.disable_beforeunload", true); /* 2414: disable shaking the screen ***/ user_pref("dom.vibrator.enabled", false); @@ -1117,7 +1107,7 @@ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] * [1] https://bugzilla.mozilla.org/1173199 ***/ // user_pref("mathml.disabled", true); /* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+] - * [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile. + * [WARNING] Expect breakage including youtube player controls * [1] https://bugzilla.mozilla.org/1216893 ***/ // user_pref("svg.disabled", true); /* 2611: disable middle mouse click opening links from clipboard 
@@ -1144,12 +1134,12 @@ user_pref("network.IDN_show_punycode", true); /* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME] * This setting controls if the option "Display in Firefox" is available in the setting below * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With") - * PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most) + * PROS: pdfjs is lightweight, open source, and as secure/vetted more than most * Exploits are rare (one serious case in seven years), treated seriously and patched quickly. * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps). * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk. * CONS: You may prefer a different pdf reader for security reasons - * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare) + * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code * [SETTING] General>Applications>Portable Document Format (PDF) ***/ user_pref("pdfjs.disabled", false); // [DEFAULT: false] user_pref("pdfjs.enableScripting", false); // [FF86+] 
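Review bot: The rewritten PROS line in 2620 is ungrammatical: `as secure/vetted more than most` drops the object of the comparison. Suggest ` * PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader (more so than most)`, which keeps the original claim while staying on one line. The trimmed CAVEAT line is fine.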
@@ -1268,11 +1258,10 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] /* 2720: disable DOM (Document Object Model) Storage - * [WARNING] This will break a LOT of sites' functionality AND extensions! - * You are better off using an extension for more granular control ***/ + * [WARNING] This will break lots of sites and extensions! ***/ // user_pref("dom.storage.enabled", false); /* 2730: disable offline cache (appCache) - * [NOTE] In FF90+ the storage capability has been removed (1694662). For FF78-89 see the 2730 deprecated pref + * [NOTE] In FF90+ the storage capability has been removed (1694662) * [WARNING] The API is easily fingerprinted, do not disable ***/ // user_pref("browser.cache.offline.enable", false); /* 2740: disable service worker cache and cache storage @@ -1301,7 +1290,7 @@ user_pref("dom.storage.next_gen", true); "offlineApps" prefs below to false, and to set the cookie lifetime pref to 2 (2703) * "Offline Website Data" includes appCache (2730), localStorage (2720), service worker cache (2740), and QuotaManager (IndexedDB, asm-cache) - * In both 2803 + 2804, the 'download' and 'history' prefs are combined in the + * In both 2803 + 2804, the "download" and "history" prefs are combined in the Firefox interface as "Browsing & Download History" and their values will be synced ***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); 
@@ -1309,11 +1298,10 @@ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!" * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/ user_pref("privacy.sanitize.sanitizeOnShutdown", true); /* 2803: set what items to clear on shutdown (if 2802 is true) [SETUP-CHROME] - * [NOTE] If 'history' is true, downloads will also be cleared regardless of the value - * but if 'history' is false, downloads can still be cleared independently - * However, this may not always be the case. The interface combines and syncs these - * prefs when set from there, and the sanitize code may change at any time - * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings ***/ + * [NOTE] If "history" is true, downloads will also be cleared + * [NOTE] Active Logins does not refer to logins via cookies, but rather HTTP Basic Authentication [1] + * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings + * [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/ user_pref("privacy.clearOnShutdown.cache", true); user_pref("privacy.clearOnShutdown.cookies", true); user_pref("privacy.clearOnShutdown.downloads", true); // see note above 
@@ -1324,9 +1312,9 @@ user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences /* 2804: reset default items to clear with Ctrl-Shift-Del (to match 2803) [SETUP-CHROME] * This dialog can also be accessed from the menu History>Clear Recent History - * Firefox remembers your last choices. This will reset them when you start Firefox. - * [NOTE] Regardless of what you set privacy.cpd.downloads to, as soon as the dialog - * for "Clear Recent History" is opened, it is synced to the same as 'history' ***/ + * Firefox remembers your last choices. This will reset them when you start Firefox + * [NOTE] Regardless of what you set "downloads" to, as soon as the dialog + * for "Clear Recent History" is opened, it is synced to the same as "history" ***/ user_pref("privacy.cpd.cache", true); user_pref("privacy.cpd.cookies", true); // user_pref("privacy.cpd.downloads", true); // not used, see note above 
@@ -1342,12 +1330,11 @@ user_pref("privacy.cpd.siteSettings", false); // Site Preferences * [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/ // user_pref("privacy.clearOnShutdown.openWindows", true); // user_pref("privacy.cpd.openWindows", true); -/* 2806: reset default 'Time range to clear' for 'Clear Recent History' (see 2804) - * Firefox remembers your last choice. This will reset the value when you start Firefox. - * 0=everything, 1=last hour, 2=last two hours, 3=last four hours, - * 4=today, 5=last five minutes, 6=last twenty-four hours - * [NOTE] The values 5 + 6 are not listed in the dropdown, which will display a - * blank value if they are used, but they do work as advertised ***/ +/* 2806: reset default "Time range to clear" for "Clear Recent History" (see 2804) + * Firefox remembers your last choice. This will reset the value when you start Firefox + * 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today + * [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown, + * which will display a blank value, and are not guaranteed to work ***/ user_pref("privacy.sanitize.timeSpan", 0); /*** [SECTION 4000]: FPI (FIRST PARTY ISOLATION) @@ -1380,7 +1367,7 @@ user_pref("privacy.firstparty.isolate", true); * [NOTE] Setting this to false may reduce the breakage in 4001 * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute [2][3] - * The 2nd pref removes that limitation and will only allow communication if FPDs also match. + * The 2nd pref removes that limitation and will only allow communication if FPDs also match * [1] https://bugzilla.mozilla.org/1319773#c22 * [2] https://bugzilla.mozilla.org/1492607 * [3] https://developer.mozilla.org/docs/Web/API/Window/postMessage ***/ 
@@ -1459,13 +1446,13 @@ user_pref("privacy.firstparty.isolate", true); ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] - * [SETUP-WEB] RFP can cause the odd website to break in strange ways, and has a few side affects, - * but is largely robust nowadays. Give it a try. Your choice. Also see 4504 (letterboxing). + * [SETUP-WEB] RFP can some cause website breakage: mainly canvas, use a site exception via the urlbar + * RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme * [1] https://bugzilla.mozilla.org/418986 ***/ user_pref("privacy.resistFingerprinting", true); /* 4502: set new window sizes to round to hundreds [FF55+] [SETUP-CHROME] * Width will round down to multiples of 200s and height to 100s, to fit your screen. - * The override values are a starting point to round from if you want some control + * The max values are a starting point to round from if you want some control * [1] https://bugzilla.mozilla.org/1330882 ***/ // user_pref("privacy.window.maxInnerWidth", 1000); // user_pref("privacy.window.maxInnerHeight", 1000); 
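Review bot: The added [SETUP-WEB] line for 4501 has a word-order slip: `RFP can some cause website breakage` should read `RFP can cause some website breakage`. The rest of the rewrite (site exceptions via the urlbar, UTC0 timezone, light-theme preference) is clearer than the removed text; the 4502 wording change to "max values" matches the pref names below it.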
@@ -1475,10 +1462,10 @@ user_pref("privacy.resistFingerprinting", true); user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF] /* 4504: enable RFP letterboxing [FF67+] * Dynamically resizes the inner window by applying margins in stepped ranges [2] - * If you use the dimension pref, then it will only apply those resolutions. The format is - * "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900") - * [SETUP-WEB] This does NOT require RFP (see 4501) **for now**, so if you're not using 4501, or you are but - * dislike margins being applied, then flip this pref, keeping in mind that it is effectively fingerprintable + * If you use the dimension pref, then it will only apply those resolutions. + * The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000") + * [SETUP-WEB] This is independent of RFP (4501). If you're not using RFP, or you are but + * dislike the margins, then flip this pref, keeping in mind that it is effectively fingerprintable * [WARNING] DO NOT USE: the dimension pref is only meant for testing * [1] https://bugzilla.mozilla.org/1407366 * [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/ @@ -1556,7 +1543,7 @@ user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan To save some overrides, we've made a few active as they seem to be universally used ***/ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); -/* WELCOME & WHAT's NEW NOTICES ***/ +/* WELCOME & WHAT'S NEW NOTICES ***/ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch // user_pref("startup.homepage_welcome_url", ""); // user_pref("startup.homepage_welcome_url.additional", "");