From a290b3ad3d48c1e16952174be8a28b885760e5bd Mon Sep 17 00:00:00 2001 From: earthlng Date: Tue, 6 Feb 2018 20:09:11 +0100 Subject: [PATCH 1/3] 1600 cleanup and header-rewrite --- user.js | 45 ++++++++++++++++++++------------------------- 1 file changed, 20 insertions(+), 25 deletions(-) diff --git a/user.js b/user.js index 32701bd..61336ad 100644 --- a/user.js +++ b/user.js @@ -843,16 +843,14 @@ user_pref("gfx.font_rendering.graphite.enabled", false); * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1121643 ***/ // user_pref("font.system.whitelist", ""); // (hidden pref) -/*** 1600: HEADERS / REFERERS [SETUP] - Except for DNT (Do Not Track), referers are best controlled by an extension. - It is important to realize that it is *cross domain* referers that need - controlling, and this is best handled by EITHER 1603 or 1604, not both. - - Option 1: Recommended: Use an extension to block all referers, and then whitelist - sites on a granular, per domain level. - Option 2: As per the original settings below: Set XOriginPolicy (1603) to 1 (less breakage) - or 2 (more breakage) and leave XOriginTrimmingPolicy (1604) at default 0 - Option 3: Set XOriginPolicy (1603) to default 0 and set XOriginTrimmingPolicy (1604) to 2 +/*** 1600: HEADERS / REFERERS + Only *cross domain* referers need controlling and XOriginPolicy (1603) is perfect for that. + Thus we enforce the default values for 1601, 1602, 1605 and 1606 to minimize breakage, + and only tweak 1603 (+1604). + Our default settings provide the best balance between protection and amount of breakage. + To harden it a bit more you can set XOriginPolicy (1603) to 2 (+ optionally 1604 to 1 or 2). + To fix broken sites, temporarily set XOriginPolicy=0 and XOriginTrimmingPolicy=2 in about:config, + use the site and then change the values back. If you visit those sites regularly, use an extension. full URI: https://example.com:8888/foo/bar.html?id=1234 scheme+host+path+port: https://example.com:8888/foo/bar.html @@ -862,32 +860,29 @@ user_pref("gfx.font_rendering.graphite.enabled", false); ***/ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); /* 1601: ALL: control when images/links send a referer - * 0=never, 1=send only when links are clicked, 2=for links and images (default) - * [NOTE] Recommended left at default. Focus on XSS and granular cross origin referer control ***/ + * 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/ user_pref("network.http.sendRefererHeader", 2); /* 1602: ALL: control the amount of information to send - * 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port - * [NOTE] Cross origin requests can be fine tuned in 1603 + 1604. Limiting same origin requests - * is rather pointless. Recommended left at default for zero same origin breakage ***/ + * 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port ***/ user_pref("network.http.referer.trimmingPolicy", 0); /* 1603: CROSS ORIGIN: control when to send a referer [SETUP] - * 0=always (default), 1=only if base domains match, 2=only if hosts match - * [NOTE] 1=less breakage, possible leakage 2=less leakage, more breakage - * [WARNING] Reset to default 0 if you have issues accessing your modem/router ***/ + * 0=always (default), 1=only if base domains match, 2=only if hosts match ***/ user_pref("network.http.referer.XOriginPolicy", 1); /* 1604: CROSS ORIGIN: control the amount of information to send (FF52+) - * 0=send full URI (default) 1=scheme+host+path+port 2=scheme+host+port ***/ + * 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port ***/ user_pref("network.http.referer.XOriginTrimmingPolicy", 0); /* 1605: ALL: disable spoofing a referer - * Spoofing increases your exposure to cross-site request forgeries ***/ + * [WARNING] Spoofing effectively disables the anti-CSRF protections that some sites may rely on ***/ user_pref("network.http.referer.spoofSource", false); -/* 1606: ALL: set the default Referrer Policy (FF53+) - * 0=no-referer 1=same-origin 2=strict-origin-when-cross-origin - * 3=no-referrer-when-downgrade (default) +/* 1606: ALL: set the default Referrer Policy + * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade * [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy * [1] https://www.w3.org/TR/referrer-policy/ - * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1304623 ***/ -user_pref("network.http.referer.userControlPolicy", 3); + * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy + * [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ***/ +user_pref("network.http.referer.userControlPolicy", 3); // (FF53-FF58) default: 3 +user_pref("network.http.referer.defaultPolicy", 3); // (FF59+) default: 3 +user_pref("network.http.referer.defaultPolicy.pbmode", 2); // (FF59+) default: 2 /* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain (FF54+) * [NOTE] Firefox cannot access .onion sites by default. We recommend you use * TBB (Tor Browser Bundle) which is specifically designed for the dark web From ca11a88189d3d055862618b93a44324803967721 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 6 Feb 2018 23:50:30 +0000 Subject: [PATCH 2/3] minor edits --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 61336ad..ea9bb7a 100644 --- a/user.js +++ b/user.js @@ -844,9 +844,9 @@ user_pref("gfx.font_rendering.graphite.enabled", false); // user_pref("font.system.whitelist", ""); // (hidden pref) /*** 1600: HEADERS / REFERERS - Only *cross domain* referers need controlling and XOriginPolicy (1603) is perfect for that. - Thus we enforce the default values for 1601, 1602, 1605 and 1606 to minimize breakage, - and only tweak 1603 (+1604). + Only *cross domain* referers need controlling and XOriginPolicy (1603) is perfect for that. Thus we enforce + the default values for 1601, 1602, 1605 and 1606 to minimize breakage, and only tweak 1603 and 1604. + Our default settings provide the best balance between protection and amount of breakage. To harden it a bit more you can set XOriginPolicy (1603) to 2 (+ optionally 1604 to 1 or 2). To fix broken sites, temporarily set XOriginPolicy=0 and XOriginTrimmingPolicy=2 in about:config, From 4fdf32219332220e4ac3d07cdd4fadf4456ffeee Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 6 Feb 2018 23:57:34 +0000 Subject: [PATCH 3/3] CSRF acronym --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index ea9bb7a..7664e04 100644 --- a/user.js +++ b/user.js @@ -872,7 +872,7 @@ user_pref("network.http.referer.XOriginPolicy", 1); * 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port ***/ user_pref("network.http.referer.XOriginTrimmingPolicy", 0); /* 1605: ALL: disable spoofing a referer - * [WARNING] Spoofing effectively disables the anti-CSRF protections that some sites may rely on ***/ + * [WARNING] Spoofing effectively disables the anti-CSRF (Cross-Site Request Forgery) protections that some sites may rely on ***/ user_pref("network.http.referer.spoofSource", false); /* 1606: ALL: set the default Referrer Policy * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade