From cba49cd4b3f47c0d8e447c04c2f121b98a618e9a Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Sun, 5 Mar 2017 20:44:31 +0200
Subject: [PATCH 01/27] Comment out browser.privatebrowsing.autostart

---
 user.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/user.js b/user.js
index ebecd3cb..51941c74 100644
--- a/user.js
+++ b/user.js
@@ -675,7 +675,7 @@ user_pref("network.cookie.thirdparty.sessionOnly", true);
 // NOTICE: When Javascript is enabled, Websites can detect use of Private Browsing mode
 // NOTICE: Private browsing breaks Kerberos authentication
 // NOTICE: Disables "Containers" functionality (see below)
-user_pref("browser.privatebrowsing.autostart", true);
+//user_pref("browser.privatebrowsing.autostart", true);
 
 // PREF: Do not store POST data in saved sessions
 // http://kb.mozillazine.org/Browser.sessionstore.postdata

From 4906f680498a3edde86cf27c2f3cd52e86e386c7 Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Sun, 2 Apr 2017 11:25:16 +0300
Subject: [PATCH 02/27] Comment out several settings

---
 user.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/user.js b/user.js
index 51941c74..c57ba88a 100644
--- a/user.js
+++ b/user.js
@@ -14,7 +14,7 @@
 // NOTICE: Disabling ServiceWorkers breaks functionality on some sites (Google Street View...)
 // Unknown security implications
 // CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)
-user_pref("dom.serviceWorkers.enabled", false);
+//user_pref("dom.serviceWorkers.enabled", false);
 
 // PREF: Disable Web Workers
 // https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers
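Review bot: Commenting out `dom.serviceWorkers.enabled` in the `@@ -14,7 +14,7 @@` hunk while `dom.workers.enabled` stays `false` (header context of the following `@@ -23,7 +23,7 @@` hunk) leaves the two worker prefs in a state the comments do not explain. It is worth confirming whether service worker registration works at all with dedicated workers still disabled; if it does not, this line buys the relaxed variant nothing and the reader should know that. A one-line reason next to the disabled pref, e.g. `// Relaxed variant: left at the Firefox default; see dom.workers.enabled below`, would make the intent visible to anyone reading the generated README, and would also mark the CVE list above as the rationale for the hardened setting rather than a description of the current one.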
@@ -23,7 +23,7 @@ user_pref("dom.workers.enabled", false);
 
 // PREF: Disable web notifications
 // https://support.mozilla.org/t5/Firefox/I-can-t-find-Firefox-menu-I-m-trying-to-opt-out-of-Web-Push-and/m-p/1317495#M1006501
-user_pref("dom.webnotifications.enabled", false);
+//user_pref("dom.webnotifications.enabled", false);
 
 // PREF: Disable DOM timing API
 // https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
@@ -696,12 +696,12 @@ user_pref("browser.cache.offline.enable", false);
 // NOTICE: Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945
 user_pref("privacy.sanitize.sanitizeOnShutdown", true);
 user_pref("privacy.clearOnShutdown.cache", true);
-user_pref("privacy.clearOnShutdown.cookies", true);
+//user_pref("privacy.clearOnShutdown.cookies", true);
 user_pref("privacy.clearOnShutdown.downloads", true);
 user_pref("privacy.clearOnShutdown.formdata", true);
 user_pref("privacy.clearOnShutdown.history", true);
 user_pref("privacy.clearOnShutdown.offlineApps", true);
-user_pref("privacy.clearOnShutdown.passwords", true);
+//user_pref("privacy.clearOnShutdown.passwords", true);
 user_pref("privacy.clearOnShutdown.sessions", true);
 user_pref("privacy.clearOnShutdown.openWindows", true);
 
@@ -860,7 +860,7 @@ user_pref("browser.urlbar.autoFill.typed", false);
 // https://www.labnol.org/software/browsers/prevent-firefox-showing-bookmarks-address-location-bar/3636/
 // http://kb.mozillazine.org/Browser.urlbar.maxRichResults
 // "Setting the preference to 0 effectively disables the Location Bar dropdown entirely."
-user_pref("browser.urlbar.maxRichResults", 0);
+//user_pref("browser.urlbar.maxRichResults", 0);
 
 // PREF: Disable CSS :visited selectors
 // https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/
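Review bot: Disabling `privacy.clearOnShutdown.cookies` in the `@@ -696,12 +696,12 @@` hunk while `privacy.sanitize.sanitizeOnShutdown` stays `true` means cookies now survive a restart, and combined with `network.cookie.lifetimePolicy` going to `0` in the next patch (`@@ -746,7 +746,9 @@`) first-party cookies become fully persistent on disk, whereas `network.cookie.thirdparty.sessionOnly` (visible in the first patch's hunk header) still scopes third-party cookies to the session. Nothing in the hunk records that this asymmetry is deliberate, and on-disk cookie lifetime is the main privacy property these two lines bought in the hardened variant. A comment beside the disabled line such as `// Relaxed variant: cookies are kept across restarts (see network.cookie.lifetimePolicy)` would record the trade-off where the generated README picks it up. The same note applies to `privacy.clearOnShutdown.passwords`, which this hunk disables a few lines further down.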
@@ -872,7 +872,7 @@ user_pref("layout.css.visited_links_enabled", false);
 
 // PREF: Disable URL bar autocomplete
 // http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
-user_pref("browser.urlbar.autocomplete.enabled", false);
+//user_pref("browser.urlbar.autocomplete.enabled", false);
 
 // PREF: Do not check if Firefox is the default browser
 user_pref("browser.shell.checkDefaultBrowser", false);

From 9b8626c4224088ff3510185d9be26a1a9cbca1b7 Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Sun, 2 Apr 2017 11:25:56 +0300
Subject: [PATCH 03/27] network.cookie.lifetimePolicy -> 0

---
 user.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/user.js b/user.js
index c57ba88a..c09c33ba 100644
--- a/user.js
+++ b/user.js
@@ -746,7 +746,9 @@ user_pref("browser.formfill.enable", false);
 
 // PREF: Cookies expires at the end of the session (when the browser closes)
 // http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2
-user_pref("network.cookie.lifetimePolicy", 2);
+//user_pref("network.cookie.lifetimePolicy", 2);
+// The cookie's lifetime is supplied by the server
+user_pref("network.cookie.lifetimePolicy", 0);
 
 // PREF: Require manual intervention to autofill known username/passwords sign-in forms
 // http://kb.mozillazine.org/Signon.autofillForms

From 3b479713bc81f9afd517b065070583d2d23f164b Mon Sep 17 00:00:00 2001
From: nodiscc
Date: Sat, 20 May 2017 19:40:38 +0200
Subject: [PATCH 04/27] run make whatdoesitdo

---
 README.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index f3133d19..b6cc2bcb 100644
--- a/README.md
+++ b/README.md
@@ -137,6 +137,8 @@ HTML5 / [APIs](https://wiki.mozilla.org/WebAPI) / [DOM](https://en.wikipedia.org * Make sure the User Timing API does not provide a new high resolution timestamp [ [1](https://trac.torproject.org/projects/tor/ticket/16336) [2](https://www.w3.org/TR/2013/REC-user-timing-20131212/#privacy-security) ] * Disable Web Audio API [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1288359) ] * Disable Location-Aware Browsing (geolocation) [ [1](https://www.mozilla.org/en-US/firefox/geolocation/) ] +* When geolocation is enabled, use Mozilla geolocation service instead of Google [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=689252) ] +* When geolocation is enabled, don't log geolocation requests to the console * Disable raw TCP socket support (mozTCPSocket) [ [1](https://trac.torproject.org/projects/tor/ticket/18863) [2](https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/) [3](https://developer.mozilla.org/docs/Mozilla/B2G_OS/API/TCPSocket) ] * Disable leaking network/browser connection information via Javascript * Disable WebRTC entirely to prevent leaking internal IP addresses (Firefox < 42) 
@@ -175,6 +177,7 @@ Settings that do not belong to other sections or are user specific preferences. * Do not submit invalid URIs entered in the address bar to the default search engine [ [1](http://kb.mozillazine.org/Keyword.enabled) ] * Don't trim HTTP off of URLs in the address bar. [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=665580) ] * Don't try to guess domain names when entering an invalid domain name in URL bar [ [1](http://www-archive.mozilla.org/docs/end-user/domain-guessing.html) ] +* When browser.fixup.alternate.enabled is enabled, do not fix URLs containing 'user:password' data * Send DNS request through SOCKS when SOCKS proxying is in use [ [1](https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers) ] * Don't monitor OS online/offline connection state [ [1](https://trac.torproject.org/projects/tor/ticket/18945) ] * Enforce Mixed Active Content Blocking [ [1](https://support.mozilla.org/t5/Protect-your-privacy/Mixed-content-blocking-in-Firefox/ta-p/10990) [2](https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_23#Non-SSL_contents_on_SSL_pages_are_blocked_by_default) [3](https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/) ] 
@@ -188,6 +191,7 @@ Settings that do not belong to other sections or are user specific preferences. * Disable video stats to reduce fingerprinting threat [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=654550) [2](https://github.com/pyllyukko/user.js/issues/9#issuecomment-100468785) [3](https://github.com/pyllyukko/user.js/issues/9#issuecomment-148922065) ] * Don't reveal build ID * Prevent font fingerprinting [ [1](https://browserleaks.com/fonts) [2](https://github.com/pyllyukko/user.js/issues/120) ] +* Enable only whitelisted URL protocol handlers [ [1](http://kb.mozillazine.org/Network.protocol-handler.external-default) [2](http://kb.mozillazine.org/Network.protocol-handler.warn-external-default) [3](http://kb.mozillazine.org/Network.protocol-handler.expose.%28protocol%29) [4](https://news.ycombinator.com/item?id=13047883) [5](https://bugzilla.mozilla.org/show_bug.cgi?id=167475) [6](https://github.com/pyllyukko/user.js/pull/285#issuecomment-298124005) ] ### Extensions / plugins @@ -240,6 +244,7 @@ Prevents the browser from [auto-connecting](https://support.mozilla.org/en-US/kb * Reject .onion hostnames before passing the to DNS [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1228457) ] * Disable search suggestions in the search bar [ [1](http://kb.mozillazine.org/Browser.search.suggest.enabled) ] * Disable "Show search suggestions in location bar results" +* When using the location bar, don't suggest URLs from browsing history * Disable SSDP [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1111967) ] * Disable automatic downloading of OpenH264 codec [ [1](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities) [2](https://andreasgal.com/2014/10/14/openh264-now-in-firefox/) ] * Disable speculative pre-connections [ [1](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections) [2](https://bugzilla.mozilla.org/show_bug.cgi?id=814169) ] 
@@ -389,15 +394,13 @@ Hardening your often implies a trade-off with ease-of-use and comes with reduced * Disabling ServiceWorkers breaks functionality on some sites (Google Street View...) -* Disabling DOM storage is known to cause`TypeError: localStorage is null` errors * Disabling WebRTC breaks peer-to-peer file sharing tools (reep.io ...) * Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...) * Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality -* IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled * Enabling Mixed Display Content blocking can prevent images/styles... from loading properly when connection to the website is only partially secured * Disabling SVG support breaks many UI elements on many sites +* Disabling nonessential protocols breaks all interaction with custom protocols such as mailto:, irc:, magnet: ... and breaks opening third-party mail/messaging/torrent/... clients when clicking on links with these protocols * Containers are not available in Private Browsing mode -* Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work. * Fully automatic updates are disabled and left to package management systems on Linux. Windows users may want to change this setting. * Do No Track must be enabled manually * Spoofing referers breaks functionality on websites relying on authentic referer headers From 8328afa79532a9b8e49d9006636a66e147721b35 Mon Sep 17 00:00:00 2001 
From: nodiscc Date: Sat, 20 May 2017 19:36:30 +0200 Subject: [PATCH 05/27] add (disabled) to prefs disabled in the relaxed variant change NOTICE -> NOTICE-DISABLED to prevent irrelevant entries in known problems readme section --- user.js | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/user.js b/user.js index c09c33ba..9ce834f7 100644 --- a/user.js +++ b/user.js @@ -7,11 +7,11 @@ * SECTION: HTML5 / APIs / DOM * ******************************************************************************/ -// PREF: Disable Service Workers +// PREF: Disable Service Workers (disabled) // https://developer.mozilla.org/en-US/docs/Web/API/Worker // https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API // https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers -// NOTICE: Disabling ServiceWorkers breaks functionality on some sites (Google Street View...) +// NOTICE-DISABLED: Disabling ServiceWorkers breaks functionality on some sites (Google Street View...) // Unknown security implications // CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed) //user_pref("dom.serviceWorkers.enabled", false); @@ -21,7 +21,7 @@ // https://www.w3schools.com/html/html5_webworkers.asp user_pref("dom.workers.enabled", false); -// PREF: Disable web notifications +// PREF: Disable web notifications (disabled) // https://support.mozilla.org/t5/Firefox/I-can-t-find-Firefox-menu-I-m-trying-to-opt-out-of-Web-Push-and/m-p/1317495#M1006501 //user_pref("dom.webnotifications.enabled", false); 
@@ -668,13 +668,13 @@ user_pref("network.cookie.thirdparty.sessionOnly", true); * SECTION: Caching * ******************************************************************************/ -// PREF: Permanently enable private browsing mode +// PREF: Permanently enable private browsing mode (disabled) // https://support.mozilla.org/en-US/kb/Private-Browsing // https://wiki.mozilla.org/PrivateBrowsing -// NOTICE: You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941 -// NOTICE: When Javascript is enabled, Websites can detect use of Private Browsing mode -// NOTICE: Private browsing breaks Kerberos authentication -// NOTICE: Disables "Containers" functionality (see below) +// NOTICE-DISABLED: You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941 +// NOTICE-DISABLED: When Javascript is enabled, Websites can detect use of Private Browsing mode +// NOTICE-DISABLED: Private browsing breaks Kerberos authentication +// NOTICE-DISABLED: Disables "Containers" functionality (see below) //user_pref("browser.privatebrowsing.autostart", true); // PREF: Do not store POST data in saved sessions @@ -692,7 +692,7 @@ user_pref("browser.cache.offline.enable", false); // PREF: Clear history when Firefox closes // https://support.mozilla.org/en-US/kb/Clear%20Recent%20History#w_how-do-i-make-firefox-clear-my-history-automatically -// NOTICE: Installing user.js will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27) +// NOTICE-DISABLED: Installing user.js will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27) // NOTICE: Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945 user_pref("privacy.sanitize.sanitizeOnShutdown", true); user_pref("privacy.clearOnShutdown.cache", true); 
@@ -744,10 +744,11 @@ user_pref("signon.rememberSignons", false);
 // PREF: Disable form autofill, don't save information entered in web page forms and the Search Bar
 user_pref("browser.formfill.enable", false);
 
-// PREF: Cookies expires at the end of the session (when the browser closes)
+// PREF: Cookies expires at the end of the session (when the browser closes) (disabled)
 // http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2
 //user_pref("network.cookie.lifetimePolicy", 2);
-// The cookie's lifetime is supplied by the server
+
+// PREF: The cookie's lifetime is supplied by the server
 user_pref("network.cookie.lifetimePolicy", 0);
 
 // PREF: Require manual intervention to autofill known username/passwords sign-in forms
@@ -858,7 +859,7 @@ user_pref("network.IDN_show_punycode", true);
 user_pref("browser.urlbar.autoFill", false);
 user_pref("browser.urlbar.autoFill.typed", false);
 
-// PREF: Don't suggest any URLs while typing at the address bar
+// PREF: Don't suggest any URLs while typing at the address bar (disabled)
 // https://www.labnol.org/software/browsers/prevent-firefox-showing-bookmarks-address-location-bar/3636/
 // http://kb.mozillazine.org/Browser.urlbar.maxRichResults
 // "Setting the preference to 0 effectively disables the Location Bar dropdown entirely."
@@ -872,7 +873,7 @@ user_pref("layout.css.visited_links_enabled", false);
 // PREF: ?? (disabled)
 // http://kb.mozillazine.org/Places.frecency.unvisited%28place_type%29Bonus
 
-// PREF: Disable URL bar autocomplete
+// PREF: Disable URL bar autocomplete (disabled)
 // http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
 //user_pref("browser.urlbar.autocomplete.enabled", false);
 

From ed7ccb88417ffca7141e9a8b3a9c286ccf468600 Mon Sep 17 00:00:00 2001
From: nodiscc
Date: Sat, 20 May 2017 19:41:28 +0200
Subject: [PATCH 06/27] run make whatdoesitdo again, removes disabled items from readme

---
 README.md | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/README.md b/README.md index b6cc2bcb..ef353688 100644 --- a/README.md +++ b/README.md @@ -130,9 +130,7 @@ Some of the settings in this `user.js` file might seem redundant, as some of the ### HTML5 / APIs / DOM HTML5 / [APIs](https://wiki.mozilla.org/WebAPI) / [DOM](https://en.wikipedia.org/wiki/Document_Object_Model) related settings. Mozilla is keen to implement every new HTML5 feature, which have had unforeseen security or privacy implications. This section disables many of those new and yet to be proven technologies. -* Disable Service Workers [ [1](https://developer.mozilla.org/en-US/docs/Web/API/Worker) [2](https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API) [3](https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers) ] * Disable Web Workers [ [1](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers) [2](https://www.w3schools.com/html/html5_webworkers.asp) ] -* Disable web notifications [ [1](https://support.mozilla.org/t5/Firefox/I-can-t-find-Firefox-menu-I-m-trying-to-opt-out-of-Web-Push-and/m-p/1317495#M1006501) ] * Disable DOM timing API [ [1](https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI) [2](https://www.w3.org/TR/navigation-timing/#privacy) ] * Make sure the User Timing API does not provide a new high resolution timestamp [ [1](https://trac.torproject.org/projects/tor/ticket/16336) [2](https://www.w3.org/TR/2013/REC-user-timing-20131212/#privacy-security) ] * Disable Web Audio API [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1288359) ] 
@@ -265,7 +263,6 @@ HTTP protocol related entries. This affects cookies, the user agent, referer and ### Caching Enable and configure private browsing mode, don't store information locally during the browsing session -* Permanently enable private browsing mode [ [1](https://support.mozilla.org/en-US/kb/Private-Browsing) [2](https://wiki.mozilla.org/PrivateBrowsing) ] * Do not store POST data in saved sessions [ [1](http://kb.mozillazine.org/Browser.sessionstore.postdata) ] * Disable the Session Restore service [ [1](http://kb.mozillazine.org/Browser.sessionstore.enabled) ] * Do not download URLs for the offline cache [ [1](http://kb.mozillazine.org/Browser.cache.offline.enable) ] @@ -278,7 +275,7 @@ Enable and configure private browsing mode, don't store information locally duri * Disable download history * Disable password manager * Disable form autofill, don't save information entered in web page forms and the Search Bar -* Cookies expires at the end of the session (when the browser closes) [ [1](http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2) ] +* The cookie's lifetime is supplied by the server * Require manual intervention to autofill known username/passwords sign-in forms [ [1](http://kb.mozillazine.org/Signon.autofillForms) [2](https://www.torproject.org/projects/torbrowser/design/#identifier-linkability) ] * When username/password autofill is enabled, still disable it on non-HTTPS sites [ [1](https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317) ] * Show in-content login form warning UI for insecure login fields [ [1](https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317) ] 
@@ -301,9 +298,7 @@ Improve visibility of security-related elements, mitigate shoulder-surfing * Enable Information Bar for Outdated Plugins [ [1](http://forums.mozillazine.org/viewtopic.php?f=8&t=2490287) ] * Force Punycode for Internationalized Domain Names [ [1](http://kb.mozillazine.org/Network.IDN_show_punycode) [2](https://www.xudongz.com/blog/2017/idn-phishing/) [3](https://wiki.mozilla.org/IDN_Display_Algorithm) [4](https://en.wikipedia.org/wiki/IDN_homograph_attack) [5](https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/) ] * Disable inline autocomplete in URL bar [ [1](http://kb.mozillazine.org/Inline_autocomplete) ] -* Don't suggest any URLs while typing at the address bar [ [1](https://www.labnol.org/software/browsers/prevent-firefox-showing-bookmarks-address-location-bar/3636/) [2](http://kb.mozillazine.org/Browser.urlbar.maxRichResults) ] * Disable CSS :visited selectors [ [1](https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/) [2](https://dbaron.org/mozilla/visited-privacy) ] -* Disable URL bar autocomplete [ [1](http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5) ] * Do not check if Firefox is the default browser * When password manager is enabled, lock the password storage periodically * Lock the password storage every 1 minutes (default: 30) @@ -393,7 +388,6 @@ Additional add-ons that you might consider using or reading about: Hardening your often implies a trade-off with ease-of-use and comes with reduced functionality. Here is a list of known problems/limitations: -* Disabling ServiceWorkers breaks functionality on some sites (Google Street View...) * Disabling WebRTC breaks peer-to-peer file sharing tools (reep.io ...) * Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...) * Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality 
@@ -407,11 +401,6 @@ Hardening your often implies a trade-off with ease-of-use and comes with reduced * Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon * Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection * Blocking 3rd-party cookies breaks a number of payment gateways -* You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941 -* When Javascript is enabled, Websites can detect use of Private Browsing mode -* Private browsing breaks Kerberos authentication -* Disables "Containers" functionality (see below) -* Installing user.js will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27) * Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945 * OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host * OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder From a5f1ddf7a0502e7ff26864ea88eb0008640cf212 Mon Sep 17 00:00:00 2001 From: nodiscc Date: Sat, 20 May 2017 19:44:49 +0200 Subject: [PATCH 07/27] readme: add link to relaxed/master diff, update travis badge branch --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ef353688..c2c4217e 100644 --- a/README.md +++ b/README.md 
@@ -4,7 +4,9 @@ A [user.js](http://kb.mozillazine.org/User.js_file) configuration file for [Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/) designed to harden browser settings and make it more secure. -[![Build Status](https://travis-ci.org/pyllyukko/user.js.svg?branch=master)](https://travis-ci.org/pyllyukko/user.js) +**This a relaxed variant. [Differences with the original hardened version](https://github.com/pyllyukko/user.js/compare/relaxed)** + +[![Build Status](https://travis-ci.org/pyllyukko/user.js.svg?branch=relaxed)](https://travis-ci.org/pyllyukko/user.js) ### Main goals From 2ad2ab87074dffb6857497eba8e2293687a93de5 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Thu, 18 May 2017 22:28:03 +0300 Subject: [PATCH 08/27] signon.storeWhenAutocompleteOff PREF -> disabled --- README.md | 1 - user.js | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index c2c4217e..0c53192f 100644 --- a/README.md +++ b/README.md @@ -281,7 +281,6 @@ Enable and configure private browsing mode, don't store information locally duri * Require manual intervention to autofill known username/passwords sign-in forms [ [1](http://kb.mozillazine.org/Signon.autofillForms) [2](https://www.torproject.org/projects/torbrowser/design/#identifier-linkability) ] * When username/password autofill is enabled, still disable it on non-HTTPS sites [ [1](https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317) ] * Show in-content login form warning UI for insecure login fields [ [1](https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317) ] -* Disable the password manager for pages with autocomplete=off [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=956906) ] * Delete Search and Form History * Clear SSL Form Session Data [ [1](http://kb.mozillazine.org/Browser.sessionstore.privacy_level#2) ] * Delete temporary files on exit [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=238789) ] 
diff --git a/user.js b/user.js
index 9ce834f7..6d55bec7 100644
--- a/user.js
+++ b/user.js
@@ -764,7 +764,7 @@ user_pref("signon.autofillForms.http", false);
 // https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
 user_pref("security.insecure_field_warning.contextual.enabled", true);
 
-// PREF: Disable the password manager for pages with autocomplete=off
+// PREF: Disable the password manager for pages with autocomplete=off (disabled)
 // https://bugzilla.mozilla.org/show_bug.cgi?id=956906
 // OWASP ASVS V9.1
 // Does not prevent any kind of auto-completion (see browser.formfill.enable, signon.autofillForms)

From 07508e3292b1efed7badc31b7fdbffdb2f5f07ac Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Thu, 18 May 2017 22:30:48 +0300
Subject: [PATCH 09/27] Minor README tweak

Change parentheses to square brackets, so it's consistent.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 0c53192f..314c9fc4 100644
--- a/README.md
+++ b/README.md
@@ -473,7 +473,7 @@ For more information, see [CONTRIBUTING](https://github.com/pyllyukko/user.js/bl
 
 * [BrowserSpy.dk](http://browserspy.dk/)
 * [BrowserLeaks.com](https://www.browserleaks.com/firefox)
-* [AmIUnique](https://amiunique.org/) ([1](https://github.com/DIVERSIFY-project/amiunique))
+* [AmIUnique](https://amiunique.org/) [[1](https://github.com/DIVERSIFY-project/amiunique)]
 * [Panopticlick](https://panopticlick.eff.org/)
 * [Unique Machine](http://www.uniquemachine.org/)
 * [Firefox Addon Detector](https://thehackerblog.com/addon_scanner/) [[1](https://thehackerblog.com/dirty-browser-enumeration-tricks-using-chrome-and-about-to-detect-firefox-plugins/)]

From 74dc2549f52d226bd9376bd97471924406e801e5 Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Thu, 18 May 2017 22:46:42 +0300
Subject: [PATCH 10/27] Minor README tweaks

---
 README.md | 4 ++--
 user.js | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md index 314c9fc4..0c3c2b90 100644 --- a/README.md +++ b/README.md 
@@ -310,7 +310,7 @@ Improve visibility of security-related elements, mitigate shoulder-surfing * Enable HSTS preload list (pre-set HSTS sites list provided by Mozilla) [ [1](https://blog.mozilla.org/security/2012/11/01/preloading-hsts/) [2](https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List) [3](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) ] * Enable Online Certificate Status Protocol [ [1](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) [2](https://www.imperialviolet.org/2014/04/19/revchecking.html) [3](https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/) [4](https://wiki.mozilla.org/CA:RevocationPlan) [5](https://wiki.mozilla.org/CA:ImprovingRevocation) [6](https://wiki.mozilla.org/CA:OCSP-HardFail) [7](https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html) [8](https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html) ] * Enable OCSP Stapling support [ [1](https://en.wikipedia.org/wiki/OCSP_stapling) [2](https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/) [3](https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx) ] -* Enable OCSP Must-Staple support (45+) [ [1](https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/) [2](https://www.entrust.com/ocsp-must-staple/) [3](https://github.com/schomery/privacy-settings/issues/40) ] +* Enable OCSP Must-Staple support (Firefox >= 45) [ [1](https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/) [2](https://www.entrust.com/ocsp-must-staple/) [3](https://github.com/schomery/privacy-settings/issues/40) ] * Require a valid OCSP response for OCSP enabled certificates [ [1](https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA) ] * Disable TLS Session Tickets 
[ [1](https://www.blackhat.com/us-13/briefings.html#NextGen) [2](https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf) [3](https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf) [4](https://bugzilla.mozilla.org/show_bug.cgi?id=917049) [5](https://bugzilla.mozilla.org/show_bug.cgi?id=967977) ] * Only allow TLS 1.[0-3] [ [1](http://kb.mozillazine.org/Security.tls.version.*) ] @@ -333,7 +333,7 @@ This section tweaks the cipher suites used by Firefox. The idea is to support on * Disable 256 bits ciphers without PFS * Enable ciphers with ECDHE and key size > 128bits * Enable GCM ciphers (TLSv1.2 only) [ [1](https://en.wikipedia.org/wiki/Galois/Counter_Mode) ] -* Enable ChaCha20 and Poly1305 (47+) [ [1](https://www.mozilla.org/en-US/firefox/47.0/releasenotes/) [2](https://tools.ietf.org/html/rfc7905) [3](https://bugzilla.mozilla.org/show_bug.cgi?id=917571) [4](https://bugzilla.mozilla.org/show_bug.cgi?id=1247860) [5](https://cr.yp.to/chacha.html) ] +* Enable ChaCha20 and Poly1305 (Firefox >= 47) [ [1](https://www.mozilla.org/en-US/firefox/47.0/releasenotes/) [2](https://tools.ietf.org/html/rfc7905) [3](https://bugzilla.mozilla.org/show_bug.cgi?id=917571) [4](https://bugzilla.mozilla.org/show_bug.cgi?id=1247860) [5](https://cr.yp.to/chacha.html) ] * Disable ciphers susceptible to the logjam attack [ [1](https://weakdh.org/) ] * Disable ciphers with DSA (max 1024 bits) * Fallbacks due compatibility reasons diff --git a/user.js b/user.js index 6d55bec7..78f447ba 100644 --- a/user.js +++ b/user.js 
@@ -919,7 +919,7 @@ user_pref("security.OCSP.enabled", 1); // https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx user_pref("security.ssl.enable_ocsp_stapling", true); -// PREF: Enable OCSP Must-Staple support (45+) +// PREF: Enable OCSP Must-Staple support (Firefox >= 45) // https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/ // https://www.entrust.com/ocsp-must-staple/ // https://github.com/schomery/privacy-settings/issues/40 @@ -1061,7 +1061,7 @@ user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // 0xc00a user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); // 0xc02b user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // 0xc02f -// PREF: Enable ChaCha20 and Poly1305 (47+) +// PREF: Enable ChaCha20 and Poly1305 (Firefox >= 47) // https://www.mozilla.org/en-US/firefox/47.0/releasenotes/ // https://tools.ietf.org/html/rfc7905 // https://bugzilla.mozilla.org/show_bug.cgi?id=917571 From 3ece7d1e6c0591d56252f7fa423e6e5132aa371d Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Thu, 18 May 2017 23:02:13 +0300 Subject: [PATCH 11/27] dom.indexedDB.enabled -> false (still commented out) Preparing for #263 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 78f447ba..ce909553 100644 --- a/user.js +++ b/user.js @@ -140,7 +140,7 @@ user_pref("browser.send_pings.require_same_host", true); // http://forums.mozillazine.org/viewtopic.php?p=13842047 // https://github.com/pyllyukko/user.js/issues/8 // NOTICE-DISABLED: IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled -//user_pref("dom.indexedDB.enabled", true); +//user_pref("dom.indexedDB.enabled", false); // TODO: "Access Your Location" "Maintain Offline Storage" "Show Notifications" From ff9cbee6caf9fd1da2b0b73d394893d25c5cb367 Mon Sep 17 00:00:00 2001 
From: pyllyukko Date: Sun, 21 May 2017 12:20:11 +0300 Subject: [PATCH 12/27] Removed browser.urlbar.maxRichResults As discussed in #208 The URL suggestion is controlled by browser.urlbar.autocomplete.enabled --- user.js | 6 ------ 1 file changed, 6 deletions(-) diff --git a/user.js b/user.js index ce909553..457265fa 100644 --- a/user.js +++ b/user.js @@ -859,12 +859,6 @@ user_pref("network.IDN_show_punycode", true); user_pref("browser.urlbar.autoFill", false); user_pref("browser.urlbar.autoFill.typed", false); -// PREF: Don't suggest any URLs while typing at the address bar (disabled) -// https://www.labnol.org/software/browsers/prevent-firefox-showing-bookmarks-address-location-bar/3636/ -// http://kb.mozillazine.org/Browser.urlbar.maxRichResults -// "Setting the preference to 0 effectively disables the Location Bar dropdown entirely." -//user_pref("browser.urlbar.maxRichResults", 0); - // PREF: Disable CSS :visited selectors // https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/ // https://dbaron.org/mozilla/visited-privacy From 6e49ce497297c9cf8b699f844476bb464027f8f9 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Sun, 21 May 2017 12:46:41 +0300 Subject: [PATCH 13/27] Disable Archive API This is already disabled by default Relates to #208 --- user.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/user.js b/user.js index 457265fa..d67baabc 100644 --- a/user.js +++ b/user.js @@ -157,6 +157,10 @@ user_pref("dom.vr.enabled", false); // PREF: Disable vibrator API user_pref("dom.vibrator.enabled", false); +// PREF: Disable Archive API +// https://wiki.mozilla.org/WebAPI/ArchiveAPI +user_pref("dom.archivereader.enabled", false); + // PREF: Disable webGL // https://en.wikipedia.org/wiki/WebGL // https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/ From af0c5b4f584c457c79a52a620063e9d92c0ea816 Mon Sep 17 00:00:00 2001 
From: pyllyukko Date: Sun, 21 May 2017 18:49:45 +0300 Subject: [PATCH 14/27] Archive API Firefox < 54 https://github.com/pyllyukko/user.js/commit/6e49ce497297c9cf8b699f844476bb464027f8f9#commitcomment-22221960 --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index d67baabc..b9b3ae8f 100644 --- a/user.js +++ b/user.js @@ -157,8 +157,9 @@ user_pref("dom.vr.enabled", false); // PREF: Disable vibrator API user_pref("dom.vibrator.enabled", false); -// PREF: Disable Archive API +// PREF: Disable Archive API (Firefox < 54) // https://wiki.mozilla.org/WebAPI/ArchiveAPI +// https://bugzilla.mozilla.org/show_bug.cgi?id=1342361 user_pref("dom.archivereader.enabled", false); // PREF: Disable webGL From e99deb1d82e2e6eb14cc734ac1fe245d4b5a6af1 Mon Sep 17 00:00:00 2001 From: nodiscc Date: Mon, 12 Jun 2017 17:16:41 +0200 Subject: [PATCH 15/27] [relaxed] don't set dom.event.clipboardevents.enabled and dom.allow_cut_copy to false Fixes #287 --- user.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index b9b3ae8f..9420d34d 100644 --- a/user.js +++ b/user.js 
@@ -101,15 +101,15 @@ user_pref("dom.telephony.enabled", false); // https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon user_pref("beacon.enabled", false); -// PREF: Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript -// NOTICE: Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...) +// PREF: Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript (disabled) +// NOTICE-DISABLED: Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...) // https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled -user_pref("dom.event.clipboardevents.enabled", false); +// user_pref("dom.event.clipboardevents.enabled", false); -// PREF: Disable "copy to clipboard" functionality via Javascript (Firefox >= 41) +// PREF: Disable "copy to clipboard" functionality via Javascript (Firefox >= 41) (disabled) // NOTICE: Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality // https://hg.mozilla.org/mozilla-central/rev/2f9f8ea4b9c3 -user_pref("dom.allow_cut_copy", false); +// user_pref("dom.allow_cut_copy", false); // PREF: Disable speech recognition // https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html From 1014c5c32dcbb6bacdb1997bcef803a6572d3bab Mon Sep 17 00:00:00 2001 
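Review bot: The two re-commented prefs are written `// user_pref("dom.event.clipboardevents.enabled", false);` and `// user_pref("dom.allow_cut_copy", false);` with a space after `//`, while the file's other disabled prefs use `//user_pref(...)` (see `//user_pref("dom.serviceWorkers.enabled", false);` earlier in this series); one form should be used so disabled prefs can be grepped and listed uniformly. The new NOTICE-DISABLED line also carries over the typo `functionaility`. Since these events now stay enabled on the relaxed branch, a second line stating the cost would help readers decide for themselves, e.g. `// NOTICE-DISABLED: Leaving clipboard events enabled lets pages detect and react to the user's copy/cut/paste actions`.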
From: nodiscc Date: Tue, 13 Jun 2017 20:37:59 +0200 Subject: [PATCH 16/27] [relaxed] do not enforce Mixed Passive Content blocking as mixed passive content is very frequently encountered, and is silently blocked (there is no indication of what happens, some page elements just do not display). See missing images on https://forum.freecadweb.org/viewtopic.php?f=24&t=22922 for example. This is still mitigated by either using uBlock in Hard mode, or by setting HTTPS everywhere to `Block all unencrypted requests`. --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index b9b3ae8f..3d654454 100644 --- a/user.js +++ b/user.js @@ -254,9 +254,9 @@ user_pref("network.manage-offline-status", false); // https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/ user_pref("security.mixed_content.block_active_content", true); -// PREF: Enforce Mixed Passive Content blocking (a.k.a. Mixed Display Content) +// PREF: Enforce Mixed Passive Content blocking (a.k.a. Mixed Display Content) (disabled) // NOTICE: Enabling Mixed Display Content blocking can prevent images/styles... from loading properly when connection to the website is only partially secured -user_pref("security.mixed_content.block_display_content", true); +// user_pref("security.mixed_content.block_display_content", true); // PREF: Disable JAR from opening Unsafe File Types // http://kb.mozillazine.org/Network.jar.open-unsafe-types From 741a8bbb2411cf014757ca3885a0a91c07d46639 Mon Sep 17 00:00:00 2001 From: nodiscc Date: Tue, 13 Jun 2017 23:06:36 +0200 Subject: [PATCH 17/27] s/NOTICE/NOTICE-DISABLED --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 9420d34d..e6899287 100644 --- a/user.js +++ b/user.js 
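Review bot: With `// user_pref("security.mixed_content.block_display_content", true);` commented out, an HTTPS page may load images, media and other passive content over plain HTTP, and nothing in the hunk records what the relaxed branch relies on instead; the commit message names uBlock in hard mode or HTTPS Everywhere's "Block all unencrypted requests", which belongs next to the pref rather than only in git history. Suggest adding under the PREF line `// NOTICE-DISABLED: Leaving Mixed Display Content unblocked lets images/media on HTTPS pages load over plain HTTP (mitigate with uBlock hard mode or HTTPS Everywhere "Block all unencrypted requests")`.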
@@ -107,7 +107,7 @@ user_pref("beacon.enabled", false); // user_pref("dom.event.clipboardevents.enabled", false); // PREF: Disable "copy to clipboard" functionality via Javascript (Firefox >= 41) (disabled) -// NOTICE: Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality +// NOTICE-DISABLED: Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality // https://hg.mozilla.org/mozilla-central/rev/2f9f8ea4b9c3 // user_pref("dom.allow_cut_copy", false); From 9b4b2168a6eaa2a02937965abb7d2ab40e1ad48f Mon Sep 17 00:00:00 2001 From: nodiscc Date: Wed, 14 Jun 2017 00:18:31 +0200 Subject: [PATCH 18/27] [relaxed] don't disable password manager Add a NOTICE recommending use of the Master password feature. `security.ask_for_password = 2` makes sure the password storage is locked again after a short interval. Using a password manager is recommended to avoid the temptation to use simple/memorable passwords and to reuse passwords across websites. Though there are other password managers available (KeePass...), the native Firefox one is probably the easiest to use and requires no extra configuration steps (except setting a master password) --- user.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 3d654454..e986052c 100644 --- a/user.js +++ b/user.js 
@@ -742,9 +742,10 @@ user_pref("browser.cache.disk_cache_ssl", false); // CIS Version 1.2.0 October 21st, 2011 2.5.5 user_pref("browser.download.manager.retention", 0); -// PREF: Disable password manager +// PREF: Disable password manager (disabled) +// NOTICE: Make sure to set a Master password to protect Firefox's password storage against basic malware that could extract your password information // CIS Version 1.2.0 October 21st, 2011 2.5.2 -user_pref("signon.rememberSignons", false); +// user_pref("signon.rememberSignons", false); // PREF: Disable form autofill, don't save information entered in web page forms and the Search Bar user_pref("browser.formfill.enable", false); From d684068532d3845c5714dc070bbcd1f3efc86d02 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Wed, 28 Jun 2017 13:00:34 +0300 Subject: [PATCH 19/27] Comment out dom.workers.enabled This is required at least by https://web.whatsapp.com/ --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 28c9daf0..f7bd9777 100644 --- a/user.js +++ b/user.js @@ -16,10 +16,10 @@ // CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed) //user_pref("dom.serviceWorkers.enabled", false); -// PREF: Disable Web Workers +// PREF: Disable Web Workers (disabled) // https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers // https://www.w3schools.com/html/html5_webworkers.asp -user_pref("dom.workers.enabled", false); +//user_pref("dom.workers.enabled", false); // PREF: Disable web notifications (disabled) // https://support.mozilla.org/t5/Firefox/I-can-t-find-Firefox-menu-I-m-trying-to-opt-out-of-Web-Push-and/m-p/1317495#M1006501 From 4ce6cdc2bc88484da18c546ce6b19b1d98c10330 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Wed, 28 Jun 2017 13:29:36 +0300 Subject: [PATCH 20/27] Add NOTICE-DISABLED to mixed display content --- README.md | 1 - user.js | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) 
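Review bot: The commit message relies on `security.ask_for_password = 2` to re-lock the password store after an interval, but the hunk adds only the NOTICE and sets no such pref, so on this branch a master password, once entered, stays unlocked for the whole session unless the user changes that themselves. Consider adding next to the commented-out `signon.rememberSignons` line `user_pref("security.ask_for_password", 2);` (mode 2 re-prompts after the lifetime pref it reads, `security.password_lifetime` in minutes — confirm the name and default against the current Firefox). The NOTICE itself could be more precise about scope: a master password encrypts the stored logins on disk, which covers the "basic malware that could extract your password information" case, but not a session in which the store has already been unlocked.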
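Review bot: `//user_pref("dom.workers.enabled", false);` is commented out without a `NOTICE-DISABLED:` line, unlike the clipboard and Mixed Display Content prefs this branch disables, so the reason from the commit message — Web Workers are required by sites such as web.whatsapp.com — is lost to anyone reading user.js alone. Suggest adding below the PREF line `// NOTICE-DISABLED: Disabling Web Workers breaks web applications that depend on them (e.g. web.whatsapp.com)`. A further clause is worth a word: `dom.serviceWorkers.enabled` just above is already commented out, so after this change no worker API is restricted by the relaxed branch.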
diff --git a/README.md b/README.md index 78dd76e8..3e20e645 100644 --- a/README.md +++ b/README.md @@ -187,7 +187,6 @@ Settings that do not belong to other sections or are user specific preferences. * Send DNS request through SOCKS when SOCKS proxying is in use [ [1](https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers) ] * Don't monitor OS online/offline connection state [ [1](https://trac.torproject.org/projects/tor/ticket/18945) ] * Enforce Mixed Active Content Blocking [ [1](https://support.mozilla.org/t5/Protect-your-privacy/Mixed-content-blocking-in-Firefox/ta-p/10990) [2](https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_23#Non-SSL_contents_on_SSL_pages_are_blocked_by_default) [3](https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/) ] -* Enforce Mixed Passive Content blocking (a.k.a. Mixed Display Content) * Disable JAR from opening Unsafe File Types [ [1](http://kb.mozillazine.org/Network.jar.open-unsafe-types) ] * Set File URI Origin Policy [ [1](http://kb.mozillazine.org/Security.fileuri.strict_origin_policy) ] * Disable Displaying Javascript in History URLs [ [1](http://kb.mozillazine.org/Browser.urlbar.filter.javascript) ] diff --git a/user.js b/user.js index a8e43d44..0903f07a 100644 --- a/user.js +++ b/user.js @@ -260,7 +260,7 @@ user_pref("network.manage-offline-status", false); user_pref("security.mixed_content.block_active_content", true); // PREF: Enforce Mixed Passive Content blocking (a.k.a. Mixed Display Content) (disabled) -// NOTICE: Enabling Mixed Display Content blocking can prevent images/styles... from loading properly when connection to the website is only partially secured +// NOTICE-DISABLED: Enabling Mixed Display Content blocking can prevent images/styles... from loading properly when connection to the website is only partially secured // user_pref("security.mixed_content.block_display_content", true); // PREF: Disable JAR from opening Unsafe File Types 
From 52719b3aca1e0c19db0c64d03f4c5d79f1888297 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Wed, 28 Jun 2017 13:41:52 +0300 Subject: [PATCH 21/27] make whatdoesitdo --- README.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/README.md b/README.md index 2ab437e4..84c9a590 100644 --- a/README.md +++ b/README.md @@ -137,7 +137,6 @@ Some of the settings in this `user.js` file might seem redundant, as some of the ### HTML5 / APIs / DOM HTML5 / [APIs](https://wiki.mozilla.org/WebAPI) / [DOM](https://en.wikipedia.org/wiki/Document_Object_Model) related settings. Mozilla is keen to implement every new HTML5 feature, which have had unforeseen security or privacy implications. This section disables many of those new and yet to be proven technologies. -* Disable Web Workers [ [1](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers) [2](https://www.w3schools.com/html/html5_webworkers.asp) ] * Disable DOM timing API [ [1](https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI) [2](https://www.w3.org/TR/navigation-timing/#privacy) ] * Make sure the User Timing API does not provide a new high resolution timestamp [ [1](https://trac.torproject.org/projects/tor/ticket/16336) [2](https://www.w3.org/TR/2013/REC-user-timing-20131212/#privacy-security) ] * Disable Web Audio API [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1288359) ] 
@@ -152,8 +151,6 @@ HTML5 / [APIs](https://wiki.mozilla.org/WebAPI) / [DOM](https://en.wikipedia.org * Disable battery API (Firefox < 52) [ [1](https://developer.mozilla.org/en-US/docs/Web/API/BatteryManager) [2](https://bugzilla.mozilla.org/show_bug.cgi?id=1313580) ] * Disable telephony API [ [1](https://wiki.mozilla.org/WebAPI/Security/WebTelephony) ] * Disable "beacon" asynchronous HTTP transfers (used for analytics) [ [1](https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon) ] -* Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript -* Disable "copy to clipboard" functionality via Javascript (Firefox >= 41) * Disable speech recognition [ [1](https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html) [2](https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition) [3](https://wiki.mozilla.org/HTML5_Speech_API) ] * Disable speech synthesis [ [1](https://developer.mozilla.org/en-US/docs/Web/API/SpeechSynthesis) ] * Disable sensor API [ [1](https://wiki.mozilla.org/Sensor_API) ] @@ -280,7 +277,6 @@ Enable and configure private browsing mode, don't store information locally duri * Disable disk cache [ [1](http://kb.mozillazine.org/Browser.cache.disk.enable) ] * Disable Caching of SSL Pages * Disable download history -* Disable password manager * Disable form autofill, don't save information entered in web page forms and the Search Bar * The cookie's lifetime is supplied by the server * Require manual intervention to autofill known username/passwords sign-in forms [ [1](http://kb.mozillazine.org/Signon.autofillForms) [2](https://www.torproject.org/projects/torbrowser/design/#identifier-linkability) ] 
@@ -397,9 +393,6 @@ Hardening your often implies a trade-off with ease-of-use and comes with reduced * Disabling WebRTC breaks peer-to-peer file sharing tools (reep.io ...) -* Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...) -* Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality -* Enabling Mixed Display Content blocking can prevent images/styles... from loading properly when connection to the website is only partially secured * Disabling SVG support breaks many UI elements on many sites * Disabling nonessential protocols breaks all interaction with custom protocols such as mailto:, irc:, magnet: ... and breaks opening third-party mail/messaging/torrent/... clients when clicking on links with these protocols * Containers are not available in Private Browsing mode @@ -411,6 +404,7 @@ Hardening your often implies a trade-off with ease-of-use and comes with reduced * Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection * Blocking 3rd-party cookies breaks a number of payment gateways * Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945 +* Make sure to set a Master password to protect Firefox's password storage against basic malware that could extract your password information * .URL shortcut files will be created with a generic icon * OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host * OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder From eb667625ad559f4199b471761abd3bdf7dece8eb Mon Sep 17 00:00:00 2001 From: nodiscc Date: Wed, 20 Sep 2017 14:58:44 +0200 Subject: [PATCH 22/27] relaxed: readme: link to plaintext diff instead of commit compare --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 84c9a590..aa74b08b 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ A [user.js](http://kb.mozillazine.org/User.js_file) configuration file for [Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/) designed to harden browser settings and make it more secure. -**This a relaxed variant. [Differences with the original hardened version](https://github.com/pyllyukko/user.js/compare/relaxed)** +**This a relaxed variant. [Differences with the original hardened version](https://github.com/pyllyukko/user.js/compare/relaxed#files_bucket)** [![Build Status](https://travis-ci.org/pyllyukko/user.js.svg?branch=relaxed)](https://travis-ci.org/pyllyukko/user.js) From 21676804fc8d13fb1e1cca506f677b118bd45a38 Mon Sep 17 00:00:00 2001 From: nodiscc Date: Wed, 20 Sep 2017 15:00:55 +0200 Subject: [PATCH 23/27] relaxed: readme: update download links to relaxed branch Ref #338 --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index aa74b08b..8d8482d3 100644 --- a/README.md +++ b/README.md @@ -46,9 +46,9 @@ There are several parts to all this and they are: Different download methods are available: - * Clone using git: `git clone https://github.com/pyllyukko/user.js` - * Download and extract the [ZIP file](https://github.com/pyllyukko/user.js/archive/master.zip) containing the latest version. - * Download the latest `user.js` [directly](https://raw.githubusercontent.com/pyllyukko/user.js/master/user.js) + * Clone using git: `git clone -b relaxed https://github.com/pyllyukko/user.js` + * Download and extract the [ZIP file](https://github.com/pyllyukko/user.js/archive/relaxed.zip) containing the latest version. + * Download the latest `user.js` [directly](https://raw.githubusercontent.com/pyllyukko/user.js/relaxed/user.js) ## Installation From fe7bb95dd15986255a16c2c39112278fec816ea0 Mon Sep 17 00:00:00 2001 
From: pyllyukko Date: Sun, 9 Sep 2018 12:03:00 +0300 Subject: [PATCH 24/27] Allow SVG Relates to #399 --- README.md | 2 -- user.js | 6 +++--- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 828f998e..e5a91213 100644 --- a/README.md +++ b/README.md @@ -198,7 +198,6 @@ Settings that do not belong to other sections or are user specific preferences. * Disable Displaying Javascript in History URLs [ [1](http://kb.mozillazine.org/Browser.urlbar.filter.javascript) ] * Disable asm.js [ [1](http://asmjs.org/) [2](https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/) [3](https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/) [4](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712) ] * Disable SVG in OpenType fonts [ [1](https://wiki.mozilla.org/SVGOpenTypeFonts) [2](https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle) ] -* Disable in-content SVG rendering (Firefox >= 53) * Disable video stats to reduce fingerprinting threat [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=654550) [2](https://github.com/pyllyukko/user.js/issues/9#issuecomment-100468785) [3](https://github.com/pyllyukko/user.js/issues/9#issuecomment-148922065) ] * Don't reveal build ID * Prevent font fingerprinting [ [1](https://browserleaks.com/fonts) [2](https://github.com/pyllyukko/user.js/issues/120) ] 
@@ -407,7 +406,6 @@ Hardening your often implies a trade-off with ease-of-use and comes with reduced * Disabling WebRTC breaks peer-to-peer file sharing tools (reep.io ...) -* Disabling SVG support breaks many UI elements on many sites * Disabling nonessential protocols breaks all interaction with custom protocols such as mailto:, irc:, magnet: ... and breaks opening third-party mail/messaging/torrent/... clients when clicking on links with these protocols * Containers are not available in Private Browsing mode * Fully automatic updates are disabled and left to package management systems on Linux. Windows users may want to change this setting. diff --git a/user.js b/user.js index a7c2635e..972c9980 100644 --- a/user.js +++ b/user.js @@ -298,11 +298,11 @@ user_pref("javascript.options.asmjs", false); // https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle user_pref("gfx.font_rendering.opentype_svg.enabled", false); -// PREF: Disable in-content SVG rendering (Firefox >= 53) -// NOTICE: Disabling SVG support breaks many UI elements on many sites +// PREF: Disable in-content SVG rendering (Firefox >= 53) (disabled) +// NOTICE-DISABLED: Disabling SVG support breaks many UI elements on many sites // https://bugzilla.mozilla.org/show_bug.cgi?id=1216893 // https://github.com/iSECPartners/publications/raw/master/reports/Tor%20Browser%20Bundle/Tor%20Browser%20Bundle%20-%20iSEC%20Deliverable%201.3.pdf#16 -user_pref("svg.disabled", true); +//user_pref("svg.disabled", true); // PREF: Disable video stats to reduce fingerprinting threat From 4c4a013cbbc0a7b989af7f0ea9746d69e1ad82bb Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Tue, 9 Oct 2018 18:46:50 +0300 Subject: [PATCH 25/27] Added a note about service workers --- README.md | 1 + user.js | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index e5a91213..32e43775 100644 --- a/README.md +++ b/README.md 
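Review bot: Re-enabling in-content SVG gives back the attack surface that the hunk's own reference (the iSEC Tor Browser report) flags, but the new `NOTICE-DISABLED:` line records only the compatibility cost of disabling it. Suggest stating both sides, e.g. `// NOTICE-DISABLED: Disabling SVG support breaks many UI elements on many sites; leaving it enabled exposes the SVG parser/renderer to web content (see the iSEC report below)`. Since `user_pref("gfx.font_rendering.opentype_svg.enabled", false);` in the context above is unchanged, a clause noting that SVG-in-OpenType fonts stays disabled would stop readers assuming both settings moved together.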
@@ -416,6 +416,7 @@ Hardening your often implies a trade-off with ease-of-use and comes with reduced * Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection * Blocking 3rd-party cookies breaks a number of payment gateways * Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945 +* Having either of privacy.clearOnShutdown.history or privacy.clearOnShutdown.offlineApps as true will clear service workers when closing Firefox * Make sure to set a Master password to protect Firefox's password storage against basic malware that could extract your password information * .URL shortcut files will be created with a generic icon * OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host diff --git a/user.js b/user.js index 972c9980..297a3967 100644 --- a/user.js +++ b/user.js @@ -741,6 +741,7 @@ user_pref("browser.cache.offline.enable", false); // https://support.mozilla.org/en-US/kb/Clear%20Recent%20History#w_how-do-i-make-firefox-clear-my-history-automatically // NOTICE-DISABLED: Installing user.js will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27) // NOTICE: Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945 +// NOTICE: Having either of privacy.clearOnShutdown.history or privacy.clearOnShutdown.offlineApps as true will clear service workers when closing Firefox user_pref("privacy.sanitize.sanitizeOnShutdown", true); user_pref("privacy.clearOnShutdown.cache", true); //user_pref("privacy.clearOnShutdown.cookies", true); From aeacabdc8174a9f822049280709c0562e124df8c Mon Sep 17 00:00:00 2001 
From: antmak Date: Mon, 20 May 2019 14:00:42 +0700 Subject: [PATCH 26/27] relaxed: Fix up using the branch in the readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 32e43775..01b65357 100644 --- a/README.md +++ b/README.md @@ -120,7 +120,7 @@ For any of the above methods, you can keep your browser's `user.js` with the lat ```` cd ~/.mozilla/firefox -git clone 'https://github.com/pyllyukko/user.js.git' +git clone -b relaxed 'https://github.com/pyllyukko/user.js.git' cd XXXXXXXX.your_profile_name ln -s ../user.js/user.js user.js ```` From 5cec6d538068e61aeca08eb5163768ddadc2145c Mon Sep 17 00:00:00 2001 From: pulpan977 <63933799+pulpan977@users.noreply.github.com> Date: Sat, 24 Apr 2021 15:51:39 +0000 Subject: [PATCH 27/27] Update relaxed variant with new settings from master --- user.js | 125 ++++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 98 insertions(+), 27 deletions(-) diff --git a/user.js b/user.js index 297a3967..3d2e9692 100644 --- a/user.js +++ b/user.js @@ -38,6 +38,7 @@ user_pref("dom.enable_user_timing", false); // PREF: Disable Web Audio API // https://bugzilla.mozilla.org/show_bug.cgi?id=1288359 +// NOTICE: Web Audio API is required for Unity web player/games user_pref("dom.webaudio.enabled", false); // PREF: Disable Location-Aware Browsing (geolocation) @@ -197,6 +198,10 @@ user_pref("webgl.enable-debug-renderer-info", false); user_pref("dom.maxHardwareConcurrency", 2); // PREF: Disable WebAssembly +// https://webassembly.org/ +// https://en.wikipedia.org/wiki/WebAssembly +// https://trac.torproject.org/projects/tor/ticket/21549 +// NOTICE: WebAssembly is required for Unity web player/games user_pref("javascript.options.wasm", false); /****************************************************************************** 
@@ -317,7 +322,8 @@ user_pref("media.video_stats.enabled", false); user_pref("general.buildID.override", "20100101"); user_pref("browser.startup.homepage_override.buildID", "20100101"); -// PREF: Prevent font fingerprinting +// PREF: Don't use document specified fonts to prevent installed font enumeration (fingerprinting) +// https://github.com/pyllyukko/user.js/issues/395 // https://browserleaks.com/fonts // https://github.com/pyllyukko/user.js/issues/120 user_pref("browser.display.use_document_fonts", 0); @@ -397,10 +403,6 @@ user_pref("dom.ipc.plugins.reportCrashURL", false); // https://github.com/mozilla-services/shavar-plugin-blocklist user_pref("browser.safebrowsing.blockedURIs.enabled", true); -// PREF: Disable Shumway (Mozilla Flash renderer) -// https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Shumway -user_pref("shumway.disabled", true); - // PREF: Disable Gnome Shell Integration NPAPI plugin user_pref("plugin.state.libgnome-shell-browser-plugin", 0); 
@@ -431,10 +433,26 @@ user_pref("services.blocklist.update_enabled", true); // https://trac.torproject.org/projects/tor/ticket/16931 user_pref("extensions.blocklist.url", "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/"); +// PREF: Disable system add-on updates (hidden & always-enabled add-ons from Mozilla) +// https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html +// https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ +// https://github.com/pyllyukko/user.js/issues/419 +// https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#1248-1257 +// NOTICE: Disabling system add-on updates prevents Mozilla from "hotfixing" your browser to patch critical problems (one possible use case from the documentation) +user_pref("extensions.systemAddon.update.enabled", false); + /****************************************************************************** * SECTION: Firefox (anti-)features / components * * ******************************************************************************/ +// PREF: Disable Extension recommendations (Firefox >= 65) +// https://support.mozilla.org/en-US/kb/extension-recommendations +user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false); + +// PREF: Trusted Recursive Resolver (DNS-over-HTTPS) (disabled) +// https://wiki.mozilla.org/Trusted_Recursive_Resolver +//user_pref("network.trr.mode", 0); + // PREF: Disable WebIDE // https://trac.torproject.org/projects/tor/ticket/16222 // https://developer.mozilla.org/docs/Tools/WebIDE 
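Review bot: `//user_pref("network.trr.mode", 0);` is labelled `(disabled)`, but the linked TRR page documents 0 as "off by default" and 5 as "off by choice", and only the latter is an explicit opt-out that Mozilla's staged DoH enablement is meant to respect (verify against the current page, since this has changed over time). If the relaxed branch intends that Firefox must never start sending DNS to a third-party DoH provider on its own, the line should be active and read `user_pref("network.trr.mode", 5);`; if it intends to leave the choice to the user, the comment should say that leaving this commented keeps the browser's default behaviour, which may become DoH-on. Either way, a one-line comment stating what mode 0 versus 5 means would make the `(disabled)` label unambiguous.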
@@ -460,6 +478,7 @@ user_pref("devtools.debugger.force-local", true);
 // https://wiki.mozilla.org/Telemetry/Experiments
 user_pref("toolkit.telemetry.enabled", false);
 user_pref("toolkit.telemetry.unified", false);
+user_pref("toolkit.telemetry.archive.enabled", false);
 user_pref("experiments.supported", false);
 user_pref("experiments.enabled", false);
 user_pref("experiments.manifest.uri", "");
@@ -506,11 +525,32 @@ user_pref("privacy.trackingprotection.pbmode.enabled", true); // https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers user_pref("privacy.userContext.enabled", true); -// PREF: Enable hardening against various fingerprinting vectors (Tor Uplift project) +// PREF: Enable Firefox's anti-fingerprinting mode ("resist fingerprinting" or RFP) (Tor Uplift project) // https://wiki.mozilla.org/Security/Tor_Uplift/Tracking // https://bugzilla.mozilla.org/show_bug.cgi?id=1333933 +// https://wiki.mozilla.org/Security/Fingerprinting +// NOTICE: RFP breaks some keyboard shortcuts used in certain websites (see #443) +// NOTICE: RFP changes your time zone user_pref("privacy.resistFingerprinting", true); +// PREF: disable mozAddonManager Web API [FF57+] +// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330 +// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1406795 +// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1415644 +// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1453988 +// https://trac.torproject.org/projects/tor/ticket/26114 +user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); +user_pref("extensions.webextensions.restrictedDomains", ""); + +// PREF: enable RFP letterboxing / resizing of inner window [FF67+] (disabled) +// https://bugzilla.mozilla.org/1407366 +//user_pref("privacy.resistFingerprinting.letterboxing", true); +//user_pref("privacy.resistFingerprinting.letterboxing.dimensions", "800x600, 1000x1000, 1600x900"); + +// PREF: disable showing about:blank/maximized window as soon as possible during startup [FF60+] +// https://bugzilla.mozilla.org/1448423 +user_pref("browser.startup.blankWindow", false); + // PREF: Disable the built-in PDF viewer // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2743 // https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/ 
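Review bot: `user_pref("extensions.webextensions.restrictedDomains", "");` empties the list of Mozilla-owned domains on which extensions are not allowed to run (by default it covers, among others, accounts.firefox.com and addons.mozilla.org — confirm against your Firefox version), yet the hunk files it under the mozAddonManager PREF with no comment of its own, so a reader does not learn that every installed extension can now script Firefox Accounts and AMO pages. That is a defensible trade-off (content blockers then work on AMO), but it should be stated: `// NOTICE: Emptying extensions.webextensions.restrictedDomains lets all extensions run on Mozilla's own sites (Firefox Accounts, AMO), so a malicious or compromised extension could tamper with those pages`. The `NOTICE: RFP changes your time zone` line would be more useful if it said what it changes it to (RFP reports UTC, as far as I know), since that is the symptom users hit first.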
@@ -523,11 +563,21 @@ user_pref("pdfjs.disabled", true);
 user_pref("datareporting.healthreport.uploadEnabled", false);
 user_pref("datareporting.healthreport.service.enabled", false);
 user_pref("datareporting.policy.dataSubmissionEnabled", false);
+// "Allow Firefox to make personalized extension recommendations"
+user_pref("browser.discovery.enabled", false);
 
-// PREF: Disable Heartbeat (Mozilla user rating telemetry)
+// PREF: Disable Shield/Heartbeat/Normandy (Mozilla user rating telemetry)
 // https://wiki.mozilla.org/Advocacy/heartbeat
 // https://trac.torproject.org/projects/tor/ticket/19047
-user_pref("browser.selfsupport.url", "");
+// https://trac.torproject.org/projects/tor/ticket/18738
+// https://wiki.mozilla.org/Firefox/Shield
+// https://github.com/mozilla/normandy
+// https://support.mozilla.org/en-US/kb/shield
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1370801
+user_pref("app.normandy.enabled", false);
+user_pref("app.normandy.api_url", "");
+user_pref("extensions.shield-recipe-client.enabled", false);
+user_pref("app.shield.optoutstudies.enabled", false);
 
 // PREF: Disable Firefox Hello (disabled) (Firefox < 49)
 // https://wiki.mozilla.org/Loop
@@ -574,12 +624,6 @@ user_pref("browser.safebrowsing.downloads.remote.enabled", false);
 user_pref("browser.pocket.enabled", false);
 user_pref("extensions.pocket.enabled", false);
 
-// PREF: Disable SHIELD
-// https://support.mozilla.org/en-US/kb/shield
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1370801
-user_pref("extensions.shield-recipe-client.enabled", false);
-user_pref("app.shield.optoutstudies.enabled", false);
-
 // PREF: Disable "Recommended by Pocket" in Firefox Quantum
 user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
 
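Review bot: The new `browser.discovery.enabled` pref in the first hunk is tacked onto the datareporting block with only a quoted UI string above it, whereas every other setting in this file is introduced by a `// PREF:` header that says what the line does. The quoted string reads as a label rather than an instruction, so it is unclear at a glance whether the pref turns that recommendation feature on or off. Replacing the bare quote with `// PREF: Disable "Allow Firefox to make personalized extension recommendations"` keeps the file's convention and makes the intent explicit; a blank line before it would also separate it from the health-report prefs it is not related to.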
@@ -682,17 +726,19 @@ user_pref("security.sri.enable", true);
 // NOTICE: Do No Track must be enabled manually
 //user_pref("privacy.donottrackheader.enabled", true);
 
-// PREF: Send a referer header with the target URI as the source
+// PREF: Send a referer header with the target URI as the source (disabled)
 // https://bugzilla.mozilla.org/show_bug.cgi?id=822869
 // https://github.com/pyllyukko/user.js/issues/227
-// NOTICE: Spoofing referers breaks functionality on websites relying on authentic referer headers
-// NOTICE: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
-// NOTICE: Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
+// NOTICE-DISABLED: Spoofing referers breaks functionality on websites relying on authentic referer headers
+// NOTICE-DISABLED: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
+// NOTICE-DISABLED: Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
 // TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
-user_pref("network.http.referer.spoofSource", true);
+//user_pref("network.http.referer.spoofSource", true);
 
 // PREF: Don't send referer headers when following links across different domains (disabled)
 // https://github.com/pyllyukko/user.js/issues/227
+// https://github.com/pyllyukko/user.js/issues/328
+// https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/
 // user_pref("network.http.referer.XOriginPolicy", 2);
 
 // PREF: Accept Only 1st Party Cookies
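Review bot: With `network.http.referer.spoofSource` now commented out and `network.http.referer.XOriginPolicy` still commented out, this block no longer restricts the Referer header at all, so the full cross-site URL goes out on every navigation and subresource load; the hunk documents why spoofing was dropped but not what now covers the gap. The TODO line already names `XOriginTrimmingPolicy`, which trims cross-origin referers to the origin rather than faking them, so it avoids the CSRF-protection and authentic-referer breakage listed in the NOTICE-DISABLED lines while still removing path and query data. If the maintainers' compatibility testing allows it, `user_pref("network.http.referer.XOriginTrimmingPolicy", 2);` under its own `// PREF:` header would restore a referer policy; otherwise the TODO should say why the trimming variant is also left off.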
@@ -705,6 +751,8 @@ user_pref("network.cookie.cookieBehavior", 1);
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1299996
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1260931
 // https://wiki.mozilla.org/Security/FirstPartyIsolation
+// NOTICE: First-party isolation breaks Microsoft Teams
+// NOTICE: First-party isolation causes HTTP basic auth to ask for credentials for every new tab (see #425)
 user_pref("privacy.firstparty.isolate", true);
 
 // PREF: Make sure that third-party cookies (if enabled) never persist beyond the session.
@@ -852,6 +900,17 @@ user_pref("browser.shell.shortcutFavicons", false);
 // http://kb.mozillazine.org/Browser.bookmarks.max_backups
 user_pref("browser.bookmarks.max_backups", 0);
 
+// PREF: Export bookmarks to HTML automatically when closing Firefox (disabled)
+// https://support.mozilla.org/en-US/questions/1176242
+//user_pref("browser.bookmarks.autoExportHTML", true);
+//user_pref("browser.bookmarks.file", '/path/to/bookmarks-export.html');
+
+// PREF: Disable downloading of favicons in response to favicon fingerprinting techniques
+// https://github.com/jonasstrehle/supercookie
+// http://kb.mozillazine.org/Browser.chrome.site_icons
+// https://blog.mozilla.org/security/2021/01/26/supercookie-protections/
+user_pref("browser.chrome.site_icons", false);
+
 /*******************************************************************************
  * SECTION: UI related *
 *******************************************************************************/
@@ -867,6 +926,7 @@ user_pref("security.insecure_password.ui.enabled", true);
 // PREF: Disable "Are you sure you want to leave this page?" popups on page close
 // https://support.mozilla.org/en-US/questions/1043508
+// NOTICE: disabling "beforeunload" events may lead to losing data entered in web forms
 // Does not prevent JS leaks of the page close event.
 // https://developer.mozilla.org/en-US/docs/Web/Events/beforeunload
 //user_pref("dom.disable_beforeunload", true);
 
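Review bot: In the second hunk (the one starting at +900) the new `browser.chrome.site_icons` pref turns off favicons for the whole browser, and the block gives no NOTICE for that usability cost even though the neighbouring blocks in this file document far smaller side effects. The Mozilla post linked from the block describes the network-partitioning work that, as far as I know, addresses the favicon supercookie in current releases, so it would be worth stating whether this pref is meant as a belt-and-braces measure for older versions or as the primary fix; a line such as `// NOTICE: Disables favicons everywhere (tabs, bookmarks, history)` above the pref would cover the user-visible part. Separately, the commented-out `//user_pref("browser.bookmarks.file", '/path/to/bookmarks-export.html');` uses single quotes and a placeholder path while every other string in this file is double-quoted, so `//user_pref("browser.bookmarks.file", "/path/to/bookmarks-export.html"); // edit the path before enabling` would match the file's style and tell the reader the value must be replaced.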
@@ -885,6 +945,11 @@ user_pref("browser.download.useDownloadDir", false);
 user_pref("browser.newtabpage.enabled", false);
 user_pref("browser.newtab.url", "about:blank");
 
+// PREF: Disable Snippets
+// https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
+// https://support.mozilla.org/en-US/kb/snippets-firefox-faq
+user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
+
 // PREF: Disable Activity Stream
 // https://wiki.mozilla.org/Firefox/Activity_Stream
 user_pref("browser.newtabpage.activity-stream.enabled", false);
@@ -1002,6 +1067,8 @@ user_pref("security.ssl.disable_session_identifiers", true);
 // http://kb.mozillazine.org/Security.tls.version.*
 // 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
 // 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
+// 3 = TLS 1.2 is the minimum required / maximum supported encryption protocol.
+// 4 = TLS 1.3 is the minimum required / maximum supported encryption protocol.
 user_pref("security.tls.version.min", 1);
 user_pref("security.tls.version.max", 4);
 
@@ -1010,7 +1077,7 @@ user_pref("security.tls.version.max", 4);
 // https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
 user_pref("security.tls.version.fallback-limit", 3);
 
-// PREF: Enfore Public Key Pinning
+// PREF: Enforce Public Key Pinning
 // https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
 // https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
 // "2. Strict. Pinning is always enforced."
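Review bot: The second hunk (starting at +1067) extends the value legend to cover TLS 1.2 and 1.3 but leaves `user_pref("security.tls.version.min", 1);` at TLS 1.0, so a hardening profile still allows negotiation of two protocol versions that RFC 8996 formally deprecates and that a downgrade-capable attacker would prefer. The `fallback-limit` of 3 in the next hunk only governs the fallback path, not what a server is permitted to offer on the first handshake. Either raise the floor with `user_pref("security.tls.version.min", 3);` together with a `// NOTICE: Requiring TLS 1.2 breaks sites that only offer TLS 1.0/1.1` line, or add a comment explaining why the minimum is deliberately left at 1; the parenthetical on the `// 1 = ...` legend line also appears to be stale, since it calls 1 the default maximum while `max` is set to 4 two lines below.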
@@ -1045,6 +1112,12 @@ user_pref("security.ssl.errorReporting.automatic", false);
 // https://github.com/pyllyukko/user.js/issues/210
 user_pref("browser.ssl_override_behavior", 1);
 
+// PREF: Encrypted SNI (when TRR is enabled)
+// https://www.cloudflare.com/ssl/encrypted-sni/
+// https://wiki.mozilla.org/Trusted_Recursive_Resolver#ESNI
+// https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications_(ESNI)
+user_pref("network.security.esni.enabled", true);
+
 /******************************************************************************
  * SECTION: Cipher suites *
 ******************************************************************************/
@@ -1109,10 +1182,6 @@ user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);
 // PREF: Disable 256 bits ciphers without PFS
 user_pref("security.ssl3.rsa_camellia_256_sha", false);
 
-// PREF: Enable ciphers with ECDHE and key size > 128bits
-user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); // 0xc014
-user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // 0xc00a
-
 // PREF: Enable GCM ciphers (TLSv1.2 only)
 // https://en.wikipedia.org/wiki/Galois/Counter_Mode
 user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); // 0xc02b
@@ -1138,6 +1207,8 @@ user_pref("security.ssl3.dhe_dss_aes_256_sha", false);
 user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);
 user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);
 
-// PREF: Fallbacks due compatibility reasons
-user_pref("security.ssl3.rsa_aes_256_sha", true); // 0x35
-user_pref("security.ssl3.rsa_aes_128_sha", true); // 0x2f
+// PREF: Ciphers with CBC & SHA-1 (disabled)
+//user_pref("security.ssl3.rsa_aes_256_sha", false); // 0x35
+//user_pref("security.ssl3.rsa_aes_128_sha", false); // 0x2f
+//user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false); // 0xc014
+//user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // 0xc00a
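Review bot: The new `user_pref("network.security.esni.enabled", true);` in the first hunk has no effect unless DNS-over-HTTPS (TRR) is also switched on, and nothing in this hunk enables TRR; the header's "(when TRR is enabled)" hints at that dependency but does not say which pref satisfies it or that the file may leave it off. As far as I know, Firefox later dropped the ESNI draft in favour of Encrypted Client Hello, where `network.dns.echconfig.enabled` is the successor pref, so on current releases this line is inert. A line such as `// NOTICE: Only effective with TRR/DoH enabled; superseded by ECH in newer Firefox releases` above the pref would stop readers from assuming the SNI is protected when it is not.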
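Review bot: In the third hunk (starting at +1207) the heading `// PREF: Ciphers with CBC & SHA-1 (disabled)` reads as though the four suites are turned off, but all four `user_pref(..., false)` lines beneath it are commented out, so in this file's convention it is the prefs that are disabled and the suites fall back to Firefox's built-in defaults, which as far as I know still enable them; the second hunk's removal of the old `true` lines for 0xc014 and 0xc00a therefore changes nothing in practice. Since the block was written with `false` values, the intent appears to be eventual removal of these suites, and the heading should say which state the file actually leaves them in. Something like `// PREF: Ciphers with CBC & SHA-1 (prefs disabled: suites stay at the Firefox default; uncomment to turn them off)` makes the effective state explicit, and a NOTICE naming the compatibility reason that keeps them commented out would preserve the rationale the removed "Fallbacks due compatibility reasons" header used to carry.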