michel_ouba/FF_arkenfox_user.js
michel_ouba/FF_arkenfox_user.js
1
0
Fork 0
Code Releases Activity

harden cross-domain referers, closes #1077

Browse Source
This commit is contained in:
Thorin-Oakenpants 2020-12-27 05:01:33 +00:00 committed by GitHub
parent 0152b38b8b
commit 8c9d0bbe72
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
user.js
View File

@ -815,10 +815,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
/*** [SECTION 1600]: HEADERS / REFERERS
Only *cross domain* referers need controlling: leave 1601, 1602, 1605 and 1606 alone
---
harden it a bit: set XOriginPolicy (1603) to 1 (as per the settings below)
harden it a bit more: set XOriginPolicy (1603) to 2 (and optionally 1604 to 1 or 2), expect breakage
---
If you want any REAL control over referers and breakage, then use an extension
Expect some breakage: Use an extension if you need precise control
---
full URI: https://example.com:8888/foo/bar.html?id=1234
scheme+host+port+path: https://example.com:8888/foo/bar.html
@ -829,17 +826,17 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
/* 1601: ALL: control when images/links send a referer
* 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/
// user_pref("network.http.sendRefererHeader", 2); // [DEFAULT: 2]
// user_pref("network.http.sendRefererHeader", 2);
/* 1602: ALL: control the amount of information to send
* 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
// user_pref("network.http.referer.trimmingPolicy", 0); // [DEFAULT: 0]
// user_pref("network.http.referer.trimmingPolicy", 0);
/* 1603: CROSS ORIGIN: control when to send a referer
* 0=always (default), 1=only if base domains match, 2=only if hosts match
* [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud ***/
user_pref("network.http.referer.XOriginPolicy", 1);
user_pref("network.http.referer.XOriginPolicy", 2);
/* 1604: CROSS ORIGIN: control the amount of information to send [FF52+]
* 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
user_pref("network.http.referer.XOriginTrimmingPolicy", 0); // [DEFAULT: 0]
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
/* 1605: ALL: disable spoofing a referer
* [WARNING] Do not set this to true, as spoofing effectively disables the anti-CSRF
* (Cross-Site Request Forgery) protections that some sites may rely on ***/