michel_ouba/FF_arkenfox_user.js
michel_ouba/FF_arkenfox_user.js
1
0
Fork 0
Code Releases Activity

cleanup continued, #1239

Browse Source 
More minor tweaks to come. This isn't final
- 0102: ambiguous that the clearing was related to PB mode
- 0900s:
   - get rid of 0901, it has no pref, stick link in header
   - 0905: values on multi-lines use spaces = more readable
- 1000s:
   - rename as disk avoidance and remove sub-section headers
   - remove the outdated section header
- 4001: it will never be perfected, it's doing it's job
- 5500s: optional hardening
   - legit security measures, but commonality in caveats, so I made them a separate section
   - this flips graphite, asm.js and wasm from active to inactive: these are overkill: exhibit A: hundreds of millions of Firefox users
   - e.g. graphite and wasm are enabled on Tor Browser
   - new CVE keyword links
- 7000s: don't bother - two more items added
- 5000s: optional opsec and cleanout 0800s header
- re-number
   - 0900s, 1000s, 1400s, 2400s

PS: I need a new parrot: "9000 syntax error: I ran out of parrots"
This commit is contained in:
Thorin-Oakenpants 2021-08-24 22:51:48 +00:00 committed by GitHub
parent 778421cad4
commit 7144f8b7f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 166 additions and 194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

354
user.js
View File

@ -50,14 +50,14 @@
0700: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc 0700: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc
0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS
0900: PASSWORDS 0900: PASSWORDS
1000: CACHE / SESSION (RE)STORE / FAVICONS 1000: DISK AVOIDANCE
1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP) 1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP)
1400: FONTS 1400: FONTS
1600: HEADERS / REFERERS 1600: HEADERS / REFERERS
1700: CONTAINERS 1700: CONTAINERS
2000: PLUGINS / MEDIA / WEBRTC 2000: PLUGINS / MEDIA / WEBRTC
2300: WEB WORKERS 2300: WEB WORKERS
2400: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT 2400: DOM (DOCUMENT OBJECT MODEL)
2500: FINGERPRINTING 2500: FINGERPRINTING
2600: MISCELLANEOUS 2600: MISCELLANEOUS
2700: PERSISTENT STORAGE 2700: PERSISTENT STORAGE
@ -65,6 +65,7 @@
4000: FPI (FIRST PARTY ISOLATION) 4000: FPI (FIRST PARTY ISOLATION)
4500: RFP (RESIST FINGERPRINTING) 4500: RFP (RESIST FINGERPRINTING)
5000: OPTIONAL OPSEC 5000: OPTIONAL OPSEC
5500: OPTIONAL HARDENING
6000: DON'T TOUCH 6000: DON'T TOUCH
7000: DON'T BOTHER 7000: DON'T BOTHER
8000: DON'T BOTHER: NON-RFP 8000: DON'T BOTHER: NON-RFP
@ -90,7 +91,7 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
user_pref("browser.shell.checkDefaultBrowser", false); user_pref("browser.shell.checkDefaultBrowser", false);
/* 0102: set startup page [SETUP-CHROME] /* 0102: set startup page [SETUP-CHROME]
* 0=blank, 1=home, 2=last visited page, 3=resume previous session * 0=blank, 1=home, 2=last visited page, 3=resume previous session
* [NOTE] Session Restore is not used in PB mode (0110) and is cleared with history (2803, 2804) * [NOTE] Session Restore is cleared with history (2803, 2804), and not used in Private Browsing mode
* [SETTING] General>Startup>Restore previous session ***/ * [SETTING] General>Startup>Restore previous session ***/
user_pref("browser.startup.page", 0); user_pref("browser.startup.page", 0);
/* 0103: set HOME+NEWWINDOW page /* 0103: set HOME+NEWWINDOW page
@ -116,17 +117,6 @@ user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); //
/* 0106: clear default topsites /* 0106: clear default topsites
* [NOTE] This does not block you from adding your own ***/ * [NOTE] This does not block you from adding your own ***/
user_pref("browser.newtabpage.activity-stream.default.sites", ""); user_pref("browser.newtabpage.activity-stream.default.sites", "");
/* 0110: start Firefox in PB (Private Browsing) mode
* [NOTE] In this mode all windows are "private windows" and the PB mode icon is not displayed
* [WARNING] The P in PB mode can be misleading: it means no "persistent" disk state such as history,
* caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode).
* In fact, PB mode limits or removes the ability to control some of these, and you need to quit
* Firefox to clear them. PB is best used as a one off window (Menu>New Private Window) to provide
* a temporary self-contained new session. Close all Private Windows to clear the PB mode session.
* [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode
* [1] https://wiki.mozilla.org/Private_Browsing
* [2] https://support.mozilla.org/kb/common-myths-about-private-browsing ***/
// user_pref("browser.privatebrowsing.autostart", true);
/*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/ /*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/
user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!"); user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
@ -232,11 +222,11 @@ user_pref("network.captive-portal-service.enabled", false); // [FF52+]
user_pref("network.connectivity-service.enabled", false); user_pref("network.connectivity-service.enabled", false);
/*** [SECTION 0400]: SAFE BROWSING (SB) /*** [SECTION 0400]: SAFE BROWSING (SB)
Safe Browsing has taken many steps to preserve privacy. If required, a full url is never SB has taken many steps to preserve privacy. If required, a full url is never sent
sent to Google, only a PART-hash of the prefix, and this is hidden with noise of other real to Google, only a part-hash of the prefix, hidden with noise of other real part-hashes.
PART-hashes. Google also swear it is anonymized and only used to flag malicious sites. Firefox takes measures such as striping out identifying parameters and since SBv4 (FF57+)
Firefox also takes measures such as striping out identifying parameters and since SBv4 (FF57+)
doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity) doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity)
FWIW, Google also swear it is anonymized and only used to flag malicious sites.
[1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ [1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
[2] https://wiki.mozilla.org/Security/Safe_Browsing [2] https://wiki.mozilla.org/Security/Safe_Browsing
@ -361,13 +351,7 @@ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
* [4] https://en.wikipedia.org/wiki/GIO_(software) ***/ * [4] https://en.wikipedia.org/wiki/GIO_(software) ***/
user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/
Change 0850 and above to suit for privacy vs convenience and functionality.
Consider your environment (no unwanted eyeballs), your device (restricted access),
your device's unattended state (locked, encrypted, forensic hardened). Likewise,
you may want to check the items cleared on shutdown in section 2800.
[1] https://xkcd.com/538/
***/
user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
/* 0801: disable location bar using search /* 0801: disable location bar using search
* Don't leak URL typos to a search engine, give an error message instead * Don't leak URL typos to a search engine, give an error message instead
@ -412,22 +396,10 @@ user_pref("browser.urlbar.speculativeConnect.enabled", false);
* [NOTE] For FF78 value 1 and 2 are the same and always resolve but that will change in future versions * [NOTE] For FF78 value 1 and 2 are the same and always resolve but that will change in future versions
* [1] https://bugzilla.mozilla.org/1642623 ***/ * [1] https://bugzilla.mozilla.org/1642623 ***/
user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
/* 0850a: disable location bar suggestion types
* [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/
// user_pref("browser.urlbar.suggest.history", false);
// user_pref("browser.urlbar.suggest.bookmark", false);
// user_pref("browser.urlbar.suggest.openpage", false);
// user_pref("browser.urlbar.suggest.topsites", false); // [FF78+]
/* 0850b: disable tab-to-search [FF85+] /* 0850b: disable tab-to-search [FF85+]
* Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search
* [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/ * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/
// user_pref("browser.urlbar.suggest.engines", false); // user_pref("browser.urlbar.suggest.engines", false);
/* 0850c: disable location bar dropdown
* This value controls the total number of entries to appear in the location bar dropdown ***/
// user_pref("browser.urlbar.maxRichResults", 0);
/* 0850d: disable location bar autofill
* [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/
// user_pref("browser.urlbar.autoFill", false);
/* 0860: disable search and form history /* 0860: disable search and form history
* [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2] * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
* [NOTE] We also clear formdata on exit (2803) * [NOTE] We also clear formdata on exit (2803)
@ -435,120 +407,66 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
* [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
* [2] https://bugzilla.mozilla.org/381681 ***/ * [2] https://bugzilla.mozilla.org/381681 ***/
user_pref("browser.formfill.enable", false); user_pref("browser.formfill.enable", false);
/* 0862: disable browsing and download history
* [NOTE] We also clear history and downloads on exit (2803)
* [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/
// user_pref("places.history.enabled", false);
/* 0870: disable Windows jumplist [WINDOWS] ***/
user_pref("browser.taskbar.lists.enabled", false);
user_pref("browser.taskbar.lists.frequent.enabled", false);
user_pref("browser.taskbar.lists.recent.enabled", false);
user_pref("browser.taskbar.lists.tasks.enabled", false);
/* 0871: disable Windows taskbar preview [WINDOWS] ***/
// user_pref("browser.taskbar.previews.enable", false); // [DEFAULT: false]
/*** [SECTION 0900]: PASSWORDS ***/ /*** [SECTION 0900]: PASSWORDS
[1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas
***/
user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!");
/* 0901: disable saving passwords /* 0901: set when Firefox should prompt for the primary password
* [NOTE] This does not clear any passwords already saved * 0=once per session (default), 1=every time it's needed, 2=after n minutes (0902) ***/
* [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/
// user_pref("signon.rememberSignons", false);
/* 0902: use a primary password
* There are no preferences for this. It is all handled internally
* [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password
* [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/
/* 0903: set when Firefox should prompt for the primary password
* 0=once per session (default), 1=every time it's needed, 2=every n minutes (0904) ***/
user_pref("security.ask_for_password", 2); user_pref("security.ask_for_password", 2);
/* 0904: set how long in minutes Firefox should remember the primary password (0903) ***/ /* 0902: set how long in minutes Firefox should remember the primary password (0901) ***/
user_pref("security.password_lifetime", 5); // [DEFAULT: 30] user_pref("security.password_lifetime", 5); // [DEFAULT: 30]
/* 0905: disable auto-filling username & password form fields /* 0903: disable auto-filling username & password form fields
* can leak in cross-site forms *and* be spoofed * can leak in cross-site forms *and* be spoofed
* [NOTE] Username & password is still available when you enter the field * [NOTE] Username & password is still available when you enter the field
* [SETTING] Privacy & Security>Logins and Passwords>Autofill logins and passwords * [SETTING] Privacy & Security>Logins and Passwords>Autofill logins and passwords
* [1] https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ ***/ * [1] https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ ***/
user_pref("signon.autofillForms", false); user_pref("signon.autofillForms", false);
/* 0909: disable formless login capture for Password Manager [FF51+] ***/ /* 0904: disable formless login capture for Password Manager [FF51+] ***/
user_pref("signon.formlessCapture.enabled", false); user_pref("signon.formlessCapture.enabled", false);
/* 0912: limit (or disable) HTTP authentication credentials dialogs triggered by sub-resources [FF41+] /* 0905: limit (or disable) HTTP authentication credentials dialogs triggered by sub-resources [FF41+]
* hardens against potential credentials phishing * hardens against potential credentials phishing
* 0 = don't allow sub-resources to open HTTP authentication credentials dialogs * 0 = don't allow sub-resources to open HTTP authentication credentials dialogs
* 1 = don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs * 1 = don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs
* 2 = allow sub-resources to open HTTP authentication credentials dialogs (default) ***/ * 2 = allow sub-resources to open HTTP authentication credentials dialogs (default) ***/
user_pref("network.auth.subresource-http-auth-allow", 1); user_pref("network.auth.subresource-http-auth-allow", 1);
/* 0913: disable automatic authentication on Microsoft sites [FF91+] [WINDOWS 10+] /* 0906: disable automatic authentication on Microsoft sites [FF91+] [WINDOWS 10+]
* [SETTING] Privacy & Security>Logins and Passwords>Allow Windows single sign-on for... * [SETTING] Privacy & Security>Logins and Passwords>Allow Windows single sign-on for...
* [1] https://support.mozilla.org/kb/windows-sso ***/ * [1] https://support.mozilla.org/kb/windows-sso ***/
user_pref("network.http.windows-sso.enabled", false); user_pref("network.http.windows-sso.enabled", false);
/*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS /*** [SECTION 1000]: DISK AVOIDANCE
Cache tracking/fingerprinting techniques [1][2][3] require a cache. Disabling disk (1001) [NOTE] Cache is isolated with network partitioning (FF85+) or when using FPI
*and* memory (1003) caches is one solution; but that's extreme and fingerprintable. A hardened
Temporary Containers configuration can effectively do the same thing, by isolating every tab [4]
We consider avoiding disk cache (1001) so cache is session/memory only (like Private Browsing
mode), and isolating cache to first party (4001) is sufficient and a good balance between
risk and performance. ETAGs can also be neutralized by modifying response headers [5], and
you can clear the cache manually or on a regular basis with an extension
[1] https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
[2] https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/
[3] https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache
[4] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
[5] https://github.com/arkenfox/user.js/wiki/4.2.4-Header-Editor
***/ ***/
user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!"); user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
/** CACHE ***/
/* 1001: disable disk cache /* 1001: disable disk cache
* [SETUP-PERF] If you think disk cache may help (heavy tab user, high-res video), * [SETUP-PERF] If you think disk cache helps, then feel free to override this
* or you use a hardened Temporary Containers, then feel free to override this
* [NOTE] We also clear cache on exit (2803) ***/ * [NOTE] We also clear cache on exit (2803) ***/
user_pref("browser.cache.disk.enable", false); user_pref("browser.cache.disk.enable", false);
/* 1003: disable memory cache /* 1002: disable media cache from writing to disk in Private Browsing
* capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kibibytes ***/
// user_pref("browser.cache.memory.enable", false);
// user_pref("browser.cache.memory.capacity", 0);
/* 1006: disable permissions manager from writing to disk [RESTART]
* [NOTE] This means any permission changes are session only
* [1] https://bugzilla.mozilla.org/967812 ***/
// user_pref("permissions.memory_only", true); // [HIDDEN PREF]
/* 1007: disable media cache from writing to disk in Private Browsing
* [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB
* [SETUP-WEB] ESR78: playback might break on subsequent loading (1650281) ***/ * [SETUP-WEB] ESR78: playback might break on subsequent loading (1650281) ***/
user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+] user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+]
user_pref("media.memory_cache_max_size", 65536); user_pref("media.memory_cache_max_size", 65536);
/* 1003: disable storing extra session data [SETUP-CHROME]
/** SESSIONS & SESSION RESTORE ***/
/* 1020: exclude "Undo Closed Tabs" in Session Restore ***/
// user_pref("browser.sessionstore.max_tabs_undo", 0);
/* 1021: disable storing extra session data [SETUP-CHROME]
* define on which sites to save extra session data such as form content, cookies and POST data * define on which sites to save extra session data such as form content, cookies and POST data
* 0=everywhere, 1=unencrypted sites, 2=nowhere ***/ * 0=everywhere, 1=unencrypted sites, 2=nowhere ***/
user_pref("browser.sessionstore.privacy_level", 2); user_pref("browser.sessionstore.privacy_level", 2);
/* 1022: disable resuming session from crash ***/ /* 1004: set the minimum interval between session save operations
// user_pref("browser.sessionstore.resume_from_crash", false);
/* 1023: set the minimum interval between session save operations
* Increasing this can help on older machines and some websites, as well as reducing writes [1] * Increasing this can help on older machines and some websites, as well as reducing writes [1]
* [SETUP-CHROME] This can affect entries in "Recently Closed Tabs": i.e. the * [SETUP-CHROME] This can affect entries in "Recently Closed Tabs": i.e. the
* longer the interval the more chance a quick tab open/close won't be captured * longer the interval the more chance a quick tab open/close won't be captured
* [1] https://bugzilla.mozilla.org/1304389 ***/ * [1] https://bugzilla.mozilla.org/1304389 ***/
user_pref("browser.sessionstore.interval", 30000); // [DEFAULT: 15000] user_pref("browser.sessionstore.interval", 30000); // [DEFAULT: 15000]
/* 1024: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS] /* 1005: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS]
* [1] https://bugzilla.mozilla.org/603903 ***/ * [1] https://bugzilla.mozilla.org/603903 ***/
user_pref("toolkit.winRegisterApplicationRestart", false); user_pref("toolkit.winRegisterApplicationRestart", false);
/* 1006: disable favicons in shortcuts
/** FAVICONS ***/
/* 1030: disable favicons in shortcuts
* URL shortcuts use a cached randomly named .ico file which is stored in your * URL shortcuts use a cached randomly named .ico file which is stored in your
* profile/shortcutCache directory. The .ico remains after the shortcut is deleted * profile/shortcutCache directory. The .ico remains after the shortcut is deleted
* If set to false then the shortcuts use a generic Firefox icon ***/ * If set to false then the shortcuts use a generic Firefox icon ***/
user_pref("browser.shell.shortcutFavicons", false); user_pref("browser.shell.shortcutFavicons", false);
/* 1031: disable favicons in history and bookmarks
* Stored as data blobs in favicons.sqlite, these don't reveal anything that your
* actual history (and bookmarks) already do. Your history is more detailed, so
* control that instead; e.g. disable history, clear history on close, use PB mode
* [NOTE] favicons.sqlite is sanitized on Firefox close, not in-session ***/
// user_pref("browser.chrome.site_icons", false);
/*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP) /*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP)
Your cipher and other settings can be used in server side fingerprinting Your cipher and other settings can be used in server side fingerprinting
@ -613,11 +531,6 @@ user_pref("security.pki.sha1_enforcement_level", 1);
* 2=detect Family Safety mode and import the root * 2=detect Family Safety mode and import the root
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/ * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/
user_pref("security.family_safety.mode", 0); user_pref("security.family_safety.mode", 0);
/* 1222: disable intermediate certificate caching (fingerprinting attack vector) [FF41+] [RESTART]
* [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only.
* Saved logins and passwords are not available. Reset the pref and restart to return them.
* [1] https://shiftordie.de/blog/2017/02/21/fingerprinting-firefox-users-with-cached-intermediate-ca-certificates-fiprinca/ ***/
// user_pref("security.nocertdb", true); // [HIDDEN PREF]
/* 1223: enable strict pinning /* 1223: enable strict pinning
* PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict * PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict
* [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing * [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing
@ -672,25 +585,14 @@ user_pref("security.insecure_connection_text.enabled", true); // [FF60+]
/*** [SECTION 1400]: FONTS ***/ /*** [SECTION 1400]: FONTS ***/
user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
/* 1401: disable rendering of SVG OpenType fonts /* 1401: disable rendering of SVG OpenType fonts ***/
* [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
user_pref("gfx.font_rendering.opentype_svg.enabled", false); user_pref("gfx.font_rendering.opentype_svg.enabled", false);
/* 1402: disable graphite /* 1402: limit font visibility (Windows, Mac, some Linux) [FF79+]
* Graphite has had many critical security issues in the past [1]
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite
* [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/
user_pref("gfx.font_rendering.graphite.enabled", false);
/* 1403: limit font visibility (Windows, Mac, some Linux) [FF79+]
* [NOTE] In FF80+ RFP ignores the pref and uses value 1 * [NOTE] In FF80+ RFP ignores the pref and uses value 1
* Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
* 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts * 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
* [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/ * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
// user_pref("layout.css.font-visibility.level", 1); // user_pref("layout.css.font-visibility.level", 1);
/* 1404: disable icon fonts (glyphs) and local fallback rendering
* [1] https://bugzilla.mozilla.org/789788
* [2] https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/
// user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+]
// user_pref("gfx.downloadable_fonts.fallback_delay", -1);
/*** [SECTION 1600]: HEADERS / REFERERS /*** [SECTION 1600]: HEADERS / REFERERS
Expect some breakage e.g. banks: use an extension if you need precise control Expect some breakage e.g. banks: use an extension if you need precise control
@ -813,58 +715,30 @@ user_pref("dom.serviceWorkers.enabled", false);
user_pref("dom.push.enabled", false); user_pref("dom.push.enabled", false);
// user_pref("dom.push.userAgentID", ""); // user_pref("dom.push.userAgentID", "");
/*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/ /*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) ***/
user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!"); user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!");
/* 2401: disable website control over browser right-click context menu /* 2401: disable "Confirm you want to leave" dialog on page close
* [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/
// user_pref("dom.event.contextmenu.enabled", false);
/* 2402: disable website access to clipboard events/content [SETUP-HARDEN]
* [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress
* This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website
* [WARNING] In FF88 or lower, with clipboardevents enabled, if both "middlemouse.paste" and
* "general.autoScroll" are true (at least one is default false) then the clipboard can leak [1]
* [1] https://bugzilla.mozilla.org/1528289 ***/
// user_pref("dom.event.clipboardevents.enabled", false);
/* 2403: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
* this disables document.execCommand("cut"/"copy") to protect your clipboard
* [1] https://bugzilla.mozilla.org/1170911 ***/
user_pref("dom.allow_cut_copy", false);
/* 2404: disable "Confirm you want to leave" dialog on page close
* Does not prevent JS leaks of the page close event * Does not prevent JS leaks of the page close event
* [1] https://developer.mozilla.org/docs/Web/Events/beforeunload ***/ * [1] https://developer.mozilla.org/docs/Web/Events/beforeunload ***/
user_pref("dom.disable_beforeunload", true); user_pref("dom.disable_beforeunload", true);
/* 2405: prevent scripts from moving and resizing open windows ***/ /* 2402: prevent scripts from moving and resizing open windows ***/
user_pref("dom.disable_window_move_resize", true); user_pref("dom.disable_window_move_resize", true);
/* 2406: block popup windows /* 2403: block popup windows
* [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/
user_pref("dom.disable_open_during_load", true); user_pref("dom.disable_open_during_load", true);
/* 2407: limit events that can cause a popup [SETUP-WEB] ***/ /* 2404: limit events that can cause a popup [SETUP-WEB] ***/
user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
/* 2408: enable (limited but sufficient) window.opener protection [FF65+] /* 2405: enable (limited but sufficient) window.opener protection [FF65+]
* Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/
user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+]
/* 2420: disable asm.js [FF22+] [SETUP-PERF] /* 2406: disable website access to clipboard events/content
* [1] http://asmjs.org/ * Requires user interaction. Applies to onCut/onCopy/onPaste events
* [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js * [SETUP-HARDEN] Will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress ***/
* [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ // user_pref("dom.event.clipboardevents.enabled", false);
user_pref("javascript.options.asmjs", false); /* 2407: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
/* 2421: disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN] * this disables document.execCommand("cut"/"copy") to protect your clipboard
* [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new * [1] https://bugzilla.mozilla.org/1170911 ***/
* hidden pref is enabled, then Ion can still be used by extensions (1599226) user_pref("dom.allow_cut_copy", false);
* [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit ***/
// user_pref("javascript.options.ion", false);
// user_pref("javascript.options.baselinejit", false);
// user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]
/* 2422: disable WebAssembly [FF52+]
* Vulnerabilities have increasingly been found, including those known and fixed
* in native programs years ago [2]. WASM has powerful low-level access, making
* certain attacks (brute-force) and vulnerabilities more possible
* [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising [2][3]
* [1] https://developer.mozilla.org/docs/WebAssembly
* [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
* [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
user_pref("javascript.options.wasm", false);
/*** [SECTION 2500]: FINGERPRINTING ***/ /*** [SECTION 2500]: FINGERPRINTING ***/
user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!"); user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!");
@ -967,22 +841,12 @@ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+]
user_pref("extensions.postDownloadThirdPartyPrompt", false); user_pref("extensions.postDownloadThirdPartyPrompt", false);
/** DOWNLOADS ***/ /** DOWNLOADS ***/
/* 2650: discourage downloading to desktop
* 0=desktop, 1=downloads (default), 2=last used
* [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
// user_pref("browser.download.folderList", 2);
/* 2651: enable user interaction for security by always asking where to download /* 2651: enable user interaction for security by always asking where to download
* [SETUP-CHROME] On Android this blocks longtapping and saving images * [SETUP-CHROME] On Android this blocks longtapping and saving images
* [SETTING] General>Downloads>Always ask you where to save files ***/ * [SETTING] General>Downloads>Always ask you where to save files ***/
user_pref("browser.download.useDownloadDir", false); user_pref("browser.download.useDownloadDir", false);
/* 2652: disable adding downloads to the system's "recent documents" list ***/ /* 2652: disable adding downloads to the system's "recent documents" list ***/
user_pref("browser.download.manager.addToRecentDocs", false); user_pref("browser.download.manager.addToRecentDocs", false);
/* 2654: disable "open with" in download dialog [FF50+] [SETUP-HARDEN]
* This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
* in such a way that it is forbidden to run external applications.
* [WARNING] This may interfere with some users' workflow or methods
* [1] https://bugzilla.mozilla.org/1281959 ***/
// user_pref("browser.download.forbid_open_with", true);
/** EXTENSIONS ***/ /** EXTENSIONS ***/
/* 2660: lock down allowed extension directories /* 2660: lock down allowed extension directories
@ -1137,7 +1001,7 @@ user_pref("privacy.sanitize.timeSpan", 0);
***/ ***/
user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out"); user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
/* 4001: enable First Party Isolation [FF51+] /* 4001: enable First Party Isolation [FF51+]
* [SETUP-WEB] May break cross-domain logins and site functionality until perfected * [SETUP-WEB] Will break most cross-domain logins
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/
user_pref("privacy.firstparty.isolate", true); user_pref("privacy.firstparty.isolate", true);
/* 4002: enforce FPI restriction for window.opener [FF54+] /* 4002: enforce FPI restriction for window.opener [FF54+]
@ -1255,8 +1119,115 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
* [1] https://bugzilla.mozilla.org/1448423 ***/ * [1] https://bugzilla.mozilla.org/1448423 ***/
user_pref("browser.startup.blankWindow", false); user_pref("browser.startup.blankWindow", false);
/*** [SECTION 5000]: OPTIONAL OPSEC ***/ /*** [SECTION 5000]: OPTIONAL OPSEC
Disk avoidance, application data isolation, eyeballs...
***/
user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow"); user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow");
/* 5001: start Firefox in PB (Private Browsing) mode
* [NOTE] In this mode all windows are "private windows" and the PB mode icon is not displayed
* [NOTE] The P in PB mode can be misleading: it means no "persistent" disk state such as history,
* caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode).
* In fact, PB mode limits or removes the ability to control some of these, and you need to quit
* Firefox to clear them. PB is best used as a one off window (Menu>New Private Window) to provide
* a temporary self-contained new session. Close all Private Windows to clear the PB mode session.
* [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode
* [1] https://wiki.mozilla.org/Private_Browsing
* [2] https://support.mozilla.org/kb/common-myths-about-private-browsing ***/
// user_pref("browser.privatebrowsing.autostart", true);
/* 5002: disable memory cache
* capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kibibytes ***/
// user_pref("browser.cache.memory.enable", false);
// user_pref("browser.cache.memory.capacity", 0);
/* 5003: disable saving passwords
* [NOTE] This does not clear any passwords already saved
* [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/
// user_pref("signon.rememberSignons", false);
/* 5004: disable permissions manager from writing to disk [FF41+] [RESTART]
* [NOTE] This means any permission changes are session only
* [1] https://bugzilla.mozilla.org/967812 ***/
// user_pref("permissions.memory_only", true); // [HIDDEN PREF]
/* 5005: disable intermediate certificate caching [FF41+] [RESTART]
* [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only.
* Saved logins and passwords are not available. Reset the pref and restart to return them ***/
// user_pref("security.nocertdb", true); // [HIDDEN PREF]
/* 5006: disable favicons in history and bookmarks
* [NOTE] Stored as data blobs in favicons.sqlite, these don't reveal anything that your
* actual history (and bookmarks) already do. Your history is more detailed, so
* control that instead; e.g. disable history, clear history on close, use PB mode
* [NOTE] favicons.sqlite is sanitized on Firefox close ***/
// user_pref("browser.chrome.site_icons", false);
/* 5007: exclude "Undo Closed Tabs" in Session Restore ***/
// user_pref("browser.sessionstore.max_tabs_undo", 0);
/* 5008: disable resuming session from crash ***/
// user_pref("browser.sessionstore.resume_from_crash", false);
/* 5009: disable "open with" in download dialog [FF50+]
* Application data isolation [1]
* [1] https://bugzilla.mozilla.org/1281959 ***/
// user_pref("browser.download.forbid_open_with", true);
/* 5010: disable location bar suggestion types
* [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/
// user_pref("browser.urlbar.suggest.history", false);
// user_pref("browser.urlbar.suggest.bookmark", false);
// user_pref("browser.urlbar.suggest.openpage", false);
// user_pref("browser.urlbar.suggest.topsites", false); // [FF78+]
/* 5011: disable location bar dropdown
* This value controls the total number of entries to appear in the location bar dropdown ***/
// user_pref("browser.urlbar.maxRichResults", 0);
/* 5012: disable location bar autofill
* [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/
// user_pref("browser.urlbar.autoFill", false);
/* 5013: disable browsing and download history
* [NOTE] We also clear history and downloads on exit (2803)
* [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/
// user_pref("places.history.enabled", false);
/* 5014: disable Windows jumplist [WINDOWS] ***/
// user_pref("browser.taskbar.lists.enabled", false);
// user_pref("browser.taskbar.lists.frequent.enabled", false);
// user_pref("browser.taskbar.lists.recent.enabled", false);
// user_pref("browser.taskbar.lists.tasks.enabled", false);
/* 5015: disable Windows taskbar preview [WINDOWS] ***/
// user_pref("browser.taskbar.previews.enable", false); // [DEFAULT: false]
/* 5016: discourage downloading to desktop
* 0=desktop, 1=downloads (default), 2=last used
* [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
// user_pref("browser.download.folderList", 2);
/*** [SECTION 5500]: OPTIONAL HARDENING
Not recommended. Keep in mind that these can cause breakage, performance
issues, are mostly fingerpintable, and the threat model is practically zero
***/
user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!");
/* 5501: disable MathML (Mathematical Markup Language) [FF51+]
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml ***/
// user_pref("mathml.disabled", true); // 1173199
/* 5502: disable in-content SVG (Scalable Vector Graphics) [FF53+]
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg ***/
// user_pref("svg.disabled", true); // 1216893
/* 5503: disable graphite
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite
* [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/
// user_pref("gfx.font_rendering.graphite.enabled", false);
/* 5504: disable asm.js [FF22+]
* [1] http://asmjs.org/
* [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js
* [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
// user_pref("javascript.options.asmjs", false);
/* 5505: disable Ion and baseline JIT to harden against JS exploits
* [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
* hidden pref is enabled, then Ion can still be used by extensions (1599226)
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit ***/
// user_pref("javascript.options.ion", false);
// user_pref("javascript.options.baselinejit", false);
// user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]
/* 5506: disable WebAssembly [FF52+]
* Vulnerabilities [1] have increasingly been found, including those known and fixed
* in native programs years ago [2]. WASM has powerful low-level access, making
* certain attacks (brute-force) and vulnerabilities more possible
* [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising [2][3]
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wasm
* [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
* [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
// user_pref("javascript.options.wasm", false);
/*** [SECTION 6000]: DON'T TOUCH ***/ /*** [SECTION 6000]: DON'T TOUCH ***/
user_pref("_user.js.parrot", "6000 syntax error: the parrot's 'istory!"); user_pref("_user.js.parrot", "6000 syntax error: the parrot's 'istory!");
@ -1342,14 +1313,15 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
* [WHY] Already isolated by network partitioning (FF85+) or FPI ***/ * [WHY] Already isolated by network partitioning (FF85+) or FPI ***/
// user_pref("network.http.altsvc.enabled", false); // user_pref("network.http.altsvc.enabled", false);
// user_pref("network.http.altsvc.oe", false); // user_pref("network.http.altsvc.oe", false);
/* 7011: disable MathML (Mathematical Markup Language) [FF51+] /* 7011: disable website control over browser right-click context menu
* [WHY] Fingerprintable, breakage, threat model * [WHY] Just use Shift-Right-Click ***/
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml ***/ // user_pref("dom.event.contextmenu.enabled", false);
// user_pref("mathml.disabled", true); // 1173199 /* 7012: disable icon fonts (glyphs) and local fallback rendering
/* 7012: disable in-content SVG (Scalable Vector Graphics) [FF53+] * [WHY] Breakage, font fallback is equivalency, also RFP
* [WHY] Fingerprintable, breakage, threat model * [1] https://bugzilla.mozilla.org/789788
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg ***/ * [2] https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/
// user_pref("svg.disabled", true); // 1216893 // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+]
// user_pref("gfx.downloadable_fonts.fallback_delay", -1);
/*** [SECTION 8000]: DON'T BOTHER: NON-RFP /*** [SECTION 8000]: DON'T BOTHER: NON-RFP
[WHY] They are insufficient to help anti-fingerprinting and do more harm than good [WHY] They are insufficient to help anti-fingerprinting and do more harm than good
@ -1387,7 +1359,7 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan
Non-project related but useful. If any interest you, add them to your overrides Non-project related but useful. If any interest you, add them to your overrides
To save some overrides, we've made a few active as they seem to be universally used To save some overrides, we've made a few active as they seem to be universally used
***/ ***/
user_pref("_user.js.parrot", "9000 syntax error: this is an ex-parrot!"); user_pref("_user.js.parrot", "9000 syntax error: I ran out of parrots");
/* WELCOME & WHAT'S NEW NOTICES ***/ /* WELCOME & WHAT'S NEW NOTICES ***/
user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
// user_pref("startup.homepage_welcome_url", ""); // user_pref("startup.homepage_welcome_url", "");
@ -1468,7 +1440,7 @@ user_pref("browser.download.hide_plugins_without_extensions", false);
// 0105d: disable Activity Stream recent Highlights in the Library [FF57+] // 0105d: disable Activity Stream recent Highlights in the Library [FF57+]
// [-] https://bugzilla.mozilla.org/1689405 // [-] https://bugzilla.mozilla.org/1689405
// user_pref("browser.library.activity-stream.enabled", false); // user_pref("browser.library.activity-stream.enabled", false);
// 4616: disable PointerEvents // 8002: disable PointerEvents
// [1] https://developer.mozilla.org/docs/Web/API/PointerEvent // [1] https://developer.mozilla.org/docs/Web/API/PointerEvent
// [-] https://bugzilla.mozilla.org/1688105 // [-] https://bugzilla.mozilla.org/1688105
// user_pref("dom.w3c_pointer_events.enabled", false); // user_pref("dom.w3c_pointer_events.enabled", false);