1
0

1600 cleanup and header-rewrite

This commit is contained in:
earthlng 2018-02-06 20:09:11 +01:00 committed by GitHub
parent d924c01518
commit a290b3ad3d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

45
user.js
View File

@ -843,16 +843,14 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1121643 ***/ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1121643 ***/
// user_pref("font.system.whitelist", ""); // (hidden pref) // user_pref("font.system.whitelist", ""); // (hidden pref)
/*** 1600: HEADERS / REFERERS [SETUP] /*** 1600: HEADERS / REFERERS
Except for DNT (Do Not Track), referers are best controlled by an extension. Only *cross domain* referers need controlling and XOriginPolicy (1603) is perfect for that.
It is important to realize that it is *cross domain* referers that need Thus we enforce the default values for 1601, 1602, 1605 and 1606 to minimize breakage,
controlling, and this is best handled by EITHER 1603 or 1604, not both. and only tweak 1603 (+1604).
Our default settings provide the best balance between protection and amount of breakage.
Option 1: Recommended: Use an extension to block all referers, and then whitelist To harden it a bit more you can set XOriginPolicy (1603) to 2 (+ optionally 1604 to 1 or 2).
sites on a granular, per domain level. To fix broken sites, temporarily set XOriginPolicy=0 and XOriginTrimmingPolicy=2 in about:config,
Option 2: As per the original settings below: Set XOriginPolicy (1603) to 1 (less breakage) use the site and then change the values back. If you visit those sites regularly, use an extension.
or 2 (more breakage) and leave XOriginTrimmingPolicy (1604) at default 0
Option 3: Set XOriginPolicy (1603) to default 0 and set XOriginTrimmingPolicy (1604) to 2
full URI: https://example.com:8888/foo/bar.html?id=1234 full URI: https://example.com:8888/foo/bar.html?id=1234
scheme+host+path+port: https://example.com:8888/foo/bar.html scheme+host+path+port: https://example.com:8888/foo/bar.html
@ -862,32 +860,29 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
***/ ***/
user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
/* 1601: ALL: control when images/links send a referer /* 1601: ALL: control when images/links send a referer
* 0=never, 1=send only when links are clicked, 2=for links and images (default) * 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/
* [NOTE] Recommended left at default. Focus on XSS and granular cross origin referer control ***/
user_pref("network.http.sendRefererHeader", 2); user_pref("network.http.sendRefererHeader", 2);
/* 1602: ALL: control the amount of information to send /* 1602: ALL: control the amount of information to send
* 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port * 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port ***/
* [NOTE] Cross origin requests can be fine tuned in 1603 + 1604. Limiting same origin requests
* is rather pointless. Recommended left at default for zero same origin breakage ***/
user_pref("network.http.referer.trimmingPolicy", 0); user_pref("network.http.referer.trimmingPolicy", 0);
/* 1603: CROSS ORIGIN: control when to send a referer [SETUP] /* 1603: CROSS ORIGIN: control when to send a referer [SETUP]
* 0=always (default), 1=only if base domains match, 2=only if hosts match * 0=always (default), 1=only if base domains match, 2=only if hosts match ***/
* [NOTE] 1=less breakage, possible leakage 2=less leakage, more breakage
* [WARNING] Reset to default 0 if you have issues accessing your modem/router ***/
user_pref("network.http.referer.XOriginPolicy", 1); user_pref("network.http.referer.XOriginPolicy", 1);
/* 1604: CROSS ORIGIN: control the amount of information to send (FF52+) /* 1604: CROSS ORIGIN: control the amount of information to send (FF52+)
* 0=send full URI (default) 1=scheme+host+path+port 2=scheme+host+port ***/ * 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port ***/
user_pref("network.http.referer.XOriginTrimmingPolicy", 0); user_pref("network.http.referer.XOriginTrimmingPolicy", 0);
/* 1605: ALL: disable spoofing a referer /* 1605: ALL: disable spoofing a referer
* Spoofing increases your exposure to cross-site request forgeries ***/ * [WARNING] Spoofing effectively disables the anti-CSRF protections that some sites may rely on ***/
user_pref("network.http.referer.spoofSource", false); user_pref("network.http.referer.spoofSource", false);
/* 1606: ALL: set the default Referrer Policy (FF53+) /* 1606: ALL: set the default Referrer Policy
* 0=no-referer 1=same-origin 2=strict-origin-when-cross-origin * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
* 3=no-referrer-when-downgrade (default)
* [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy * [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy
* [1] https://www.w3.org/TR/referrer-policy/ * [1] https://www.w3.org/TR/referrer-policy/
* [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1304623 ***/ * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
user_pref("network.http.referer.userControlPolicy", 3); * [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ***/
user_pref("network.http.referer.userControlPolicy", 3); // (FF53-FF58) default: 3
user_pref("network.http.referer.defaultPolicy", 3); // (FF59+) default: 3
user_pref("network.http.referer.defaultPolicy.pbmode", 2); // (FF59+) default: 2
/* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain (FF54+) /* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain (FF54+)
* [NOTE] Firefox cannot access .onion sites by default. We recommend you use * [NOTE] Firefox cannot access .onion sites by default. We recommend you use
* TBB (Tor Browser Bundle) which is specifically designed for the dark web * TBB (Tor Browser Bundle) which is specifically designed for the dark web