arkenfox / user.js
Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
License: MIT License
network.http.enablePerElementReferrer is commented out in user.js [ghacks]-0.11.js as well as, here, in ghacks-user.js-51.0, but with no additional information.
I read at https://www.anonymous-proxy.eu/firefox-privacy-tuning.php (mentioning this page because info on the above setting is hard to find):
Mozilla's Firefox has introduced an experimental "per-element referrer" feature which is transmitting HTTP referrer for particular elements such as:
Hyperlink
Picture
Frame
Clickable area
That site advises setting it to false (default=true). But I'm not sure the setting is still experimental, and not sure either that the site is right.
I've set it to false:
// Disable per-element HTTP referrer (HTTP referrer for particular elements such as Hyperlink, Picture, Frame, Clickable area)
// https://www.anonymous-proxy.eu/firefox-privacy-tuning.php
user_pref("network.http.enablePerElementReferrer", false); // Default=true
What would the experts say?
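To make the "per-element referrer" feature concrete, here is an added example (not code from the arkenfox project or from the post above). It implements the referrer computation from the W3C Referrer Policy spec and the per-element override that the `referrerpolicy` attribute provides on exactly the elements the quoted description lists: hyperlink (`<a>`), picture (`<img>`), frame (`<iframe>`) and clickable area (`<area>`). The URLs and the per-element attribute values are constructed samples; the document-wide fallback policy is a parameter rather than a hard-coded Firefox default.

```javascript
// Added example: referrer computation per the W3C Referrer Policy spec, plus the
// per-element referrerpolicy override. Not from the arkenfox project; sample URLs
// and element attributes are constructed.

const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
]);

// "Stripped for use as a referrer": drop credentials and fragment, keep path and query.
function stripForUse(url) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// The spec's origin-only form: scheme://host[:port]/
function originOnly(url) {
  return `${url.origin}/`;
}

// Simplification: only https: counts as a trustworthy scheme, so https -> http is a downgrade.
function isDowngrade(source, target) {
  return source.protocol === "https:" && target.protocol !== "https:";
}

function referrerFor(policy, sourceUrl, targetUrl) {
  const source = new URL(sourceUrl);
  const target = new URL(targetUrl);
  // Nothing is ever sent from non-HTTP(S) sources (file:, about:, blob:, data: ...).
  if (source.protocol !== "http:" && source.protocol !== "https:") return null;
  const sameOrigin = source.origin === target.origin;
  const downgrade = isDowngrade(source, target);
  switch (policy) {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return downgrade ? null : stripForUse(source);
    case "origin": return originOnly(source);                       // leaks origin even on downgrade
    case "origin-when-cross-origin": return sameOrigin ? stripForUse(source) : originOnly(source);
    case "same-origin": return sameOrigin ? stripForUse(source) : null;
    case "strict-origin": return downgrade ? null : originOnly(source);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForUse(source);
      return downgrade ? null : originOnly(source);
    case "unsafe-url": return stripForUse(source);                  // full URL, even on downgrade
    default: throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Per-element override: a valid referrerpolicy attribute wins over the document policy;
// a missing, empty or invalid attribute falls back to the document policy.
function effectivePolicy(documentPolicy, elementAttr) {
  const v = (elementAttr ?? "").trim().toLowerCase();
  return POLICIES.has(v) ? v : documentPolicy;
}

// The elements the post lists, with constructed per-element attribute values.
const SAMPLE_ELEMENTS = [
  { element: "hyperlink (<a>)", referrerpolicy: "unsafe-url" },
  { element: "picture (<img>)", referrerpolicy: "no-referrer" },
  { element: "frame (<iframe>)", referrerpolicy: null },            // inherits document policy
  { element: "clickable area (<area>)", referrerpolicy: "origin" },
];

// What each element would send for one document policy and one navigation.
function demo(documentPolicy, source, target) {
  return SAMPLE_ELEMENTS.map((e) => {
    const policy = effectivePolicy(documentPolicy, e.referrerpolicy);
    return { element: e.element, policy, referrer: referrerFor(policy, source, target) };
  });
}

for (const row of demo("strict-origin-when-cross-origin",
                       "https://bank.example/account?id=7#summary",
                       "https://cdn.example/track.gif")) {
  console.log(row);
}
```

The point the table makes: with per-element policies honoured, a single `<a referrerpolicy="unsafe-url">` on a page can send the full `https://bank.example/account?id=7` to a third party even though the document policy would only have sent the origin, while `<img referrerpolicy="no-referrer">` sends nothing. Disabling per-element referrer support removes the override in both directions.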
/* 0850b: disable location bar dropdown
* This controls the maximum number of entries that can appear in the location bar dropdown.
* Zero completely disables it. If you want ANY dropdown functionality, this must be changed ***/
Zero does not completely disable it.
/* 0850c: disable location bar suggestion types
* [SETTING] Options>Privacy>Location Bar>When using the location bar, suggest
* [NOTE] If you wish to enable these suggestions, make sure 0850a and 0850b are at default ***/
0850b doesn't need to be at default to enable these... actually it can be anything, but the results are funny.
0850a is a master switch; since it has the false value, I don't see a reason to force 0850b to 0.
Locked sticky issue for tracking of old stuff and reminders of new stuff etc
changelog at end of this issue
dom.storage_access.enabled
- revisit to see if they have stopped this
network.trr.custom_uri
network.security.esni.enabled
- 1473736
security.all_resource_uri_content_accessible
- see resource URI 863246
webauth.webauthn*
- (FF53+): https://www.w3.org/TR/webauthn/#use-cases
security.pki.certificate_transparency.mode
- (FF52+)
plugin.disable_full_page_plugin_for_types
javascript.options.shared_memory
datareporting.policy.firstRunURL
- (FF51+) - default blank so far 51-53
network.http.enablePerElementReferrer
- see #59
extensions.hideSystemAddons
- does not exist (yet, if ever)
extensions.systemAddon*
- we will pick up from release diffs
browser.newtabpage.remote*
- we will pick up from release diffs (currently off)
javascript.options.mem.high_water_mark
browser.safebrowsing.provider.google.lists
and browser.safebrowsing.provider.mozilla.lists
browser.search.redirectWindowsSearch
config.trim_on_minimize
content.interrupt.parsing
toolkit.crashreporter.enabled
urlclassifier.*Table
- no need to blank these IMO
browser.download.manager.scanWhenDone
- removed in 55
pdfium.enabled
- mortar pdf is dead
devtools.webide.widget.autoinstall
- removed in FF55
devtools.webide.adaptersAddonURL
- removed in 57, 1393497
devtools.webide.addonsURL
- removed in 57, 1398061
devtools.webide.simulatorAddonsURL
- removed in 57, 1398061
browser.search.isUS
- removed in 62
devtools.telemetry.tools.opened.version
- removed in 62
// earthling other
// prevent handlerService overwrites, see chrome://browser-region/locale/region.properties
user_pref("gecko.handlerService.defaultHandlersVersion", "999");
// disable mailto handler
// there's actually a ton of network.protocol-handler.external* prefs
// we already block the ms-windows-store this way
user_pref("network.protocol-handler.external.mailto", false);
/*** from earthling Sept 2016 ***/
// (FF49+) enable sites to use much higher max-age values for HPKP (HTTP Public Key Pinning)
// [sites set this in the header]
// default value in FF49: 5184000 (60 days) -> 31536000 = 365 days in seconds
// WARNING: can block domains for 1 year after last visit if the domain-owners mess things up or get hacked
// !! this is only a 'max-age' maximum, not enforcing it to one year, only allowing it to be that long if
// sites choose to use such a long max-age
// -> also see: https://dxr.mozilla.org/mozilla-central/source/netwerk/base/security-prefs.js#100
// https://tools.ietf.org/html/rfc7469#section-4.1
// https://news.netcraft.com/archives/2016/03/22/secure-websites-shun-http-public-key-pinning.html
// HPKP can be problematic for domain-owners but is a great privacy/security feature for users of those domains.
// If some admins want to set max-age to 1 year f.e., it shows that they are confident in being able to provide
// and maintain a secure domain-access for that long and are willing to risk huge damages to their companies if
// they fail in doing so. Therefore limiting the usefulness of HPKP for end-users by setting a lower max max-age
// is not in the interest of more advanced users who know what they are doing and who would like to get the most
// out of HPKP.
user_pref("security.cert_pinning.max_max_age_seconds", 31536000);
/*** from various ***/
user_pref("mousewheel.system_scroll_override_on_root_content.enabled", false);
user_pref("browser.cache.check_doc_frequency", 1);
user_pref("devtools.cache.disabled", true);
user_pref("devtools.remote.wifi.scan", false);
user_pref("devtools.remote.wifi.visible", false);
user_pref("devtools.webide.adbAddonURL", "");
user_pref("security.warn_viewing_mixed", true); // also see bug 616712 android?
user_pref("browser.display.auto_quality_min_font_size", 0);
// from ainatar nov 10 2016
user_pref("full-screen-api.allow-trusted-requests-only", true);
user_pref("full-screen-api.pointer-lock.enabled", true);
user_pref("layers.async-video.enabled", true);
user_pref("layout.css.prefixes.webkit", true);
// not in user.js, listed 19-Feb-2017
user_pref("browser.cache.compression_level", 1); // default = 0
user_pref("media.cache_size", 0); // default = 51200
user_pref("media.hardware-video-decoding.enabled", false); // default=true
// personal stuff?
user_pref("layout.word_select.eat_space_to_next_word", false);
user_pref("layout.word_select.stop_at_punctuation", true);
user_pref("alerts.disableSlidingEffect", true);
user_pref("nglayout.enable_drag_images", false);
user_pref("browser.link.open_newwindow.override.external", 3);
2019
...
we currently have (and it will need a tidy up/check for FF53; I think some of these may have fallen off/be no longer applicable, e.g. 2652 probably won't apply).
EDIT: doh! of course 2652 will apply until e10s is enforced! - end edit
/* 2650: start the browser in e10s mode (FF48+)
* After restarting the browser, you can check whether it's enabled by visiting
* about:support and checking that "Multiprocess Windows" = 1
* use force-enable and extensions.e10sblocksenabling if you have add-ons ***/
// user_pref("browser.tabs.remote.autostart", true);
// user_pref("browser.tabs.remote.autostart.2", true); // (FF49+)
// user_pref("browser.tabs.remote.force-enable", true); // (hidden pref)
// user_pref("extensions.e10sBlocksEnabling", false);
/* 2651: control e10s number of container processes
* [1] http://www.ghacks.net/2016/02/15/change-how-many-processes-multi-process-firefox-uses/
* [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1207306 ***/
// user_pref("dom.ipc.processCount", 4);
/* 2652: enable console shim warnings for extensions that don't have the flag 'multiprocessCompatible' as true ***/
user_pref("dom.ipc.shims.enabledWarnings", true);
/* 2660: enforce separate content process for file://URLs (FF53+?)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1147911
* [2] http://www.ghacks.net/2016/11/27/firefox-53-exclusive-content-process-for-local-files/ ***/
user_pref("browser.tabs.remote.separateFileUriProcess", true);
there is also this from FF53 stable
/* enable WebExtension addon code to run in a separate process (webext-oop) (FF53+)
* [1] https://wiki.mozilla.org/WebExtensions/Implementing_APIs_out-of-process */
// pref("extensions.webextensions.remote", false);
and to add for info
security.sandbox.content.level
This makes sense to put right at the start of the js, and it nicely takes a chunk out of the 2600's which is rather big and messy. Note: we still have to deal with containers later on as well in a new section.
Based on pyllyukko's user.js, something like
// Start in private browsing mode
// https://wiki.mozilla.org/Private_Browsing
// user_pref("browser.privatebrowsing.autostart", true);
// user_pref("extensions.ghostery.privateBrowsing", true);
119 diffs ( 54 new, 55 gone, 10 different )
Done - see 82432a3
pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/"); // prev: "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/"
==NEW
pref("apz.allow_with_webrender", false);
pref("browser.formautofill.loglevel", "Warn"); // see master switch to disable
pref("browser.urlbar.usepreloadedtopurls.expire_days", 14); // see master switch to disable
pref("browser.storageManager.pressureNotification.minIntervalMS", 1200000);
pref("browser.storageManager.pressureNotification.usageThresholdGB", 5);
pref("devtools.gridinspector.showGridOutline", false);
pref("devtools.source-map.locations.enabled", false);
pref("dom.forms.select.customstyling", true); // https://bugzilla.mozilla.org/show_bug.cgi?id=1339966
pref("dom.ipc.plugins.forcedirect.enabled", true); // we do not support flash
pref("dom.moduleScripts.enabled", false); // ECMAScripts
pref("dom.timeout.max_consecutive_callbacks", 5);
pref("dom.vr.puppet.enabled", false);
pref("dom.vr.test.enabled", false);
pref("extensions.e10sMultiBlocksEnabling", true); // leave e10s experimental staging alone
pref("gfx.downloadable_fonts.keep_variation_tables", false);
pref("gfx.downloadable_fonts.otl_validation", false);
pref("gfx.webrender.enabled", true);
pref("image.mem.animated.discardable", false);
pref("image.mem.shared", false);
// ^^ https://bugzilla.mozilla.org/show_bug.cgi?id=1331944
// ^^ https://bugzilla.mozilla.org/show_bug.cgi?id=1339202
pref("intl.tsf.associate_imc_only_when_imm_ime_is_active", false);
pref("intl.tsf.hack.ms_japanese_ime.do_not_associate_imc_on_win10", true);
pref("intl.uidirection", -1);
pref("layers.advanced.border-layers", false);
pref("layers.advanced.caret-layers", false);
pref("layout.css.text-justify.enabled", false);
pref("layout.scrollbars.always-layerize-track", false);
/* https://developer.mozilla.org/en-US/docs/Mozilla/QA/Marionette ***/
pref("marionette.enabled", false);
pref("marionette.forcelocal", true);
pref("marionette.log.level", "info");
pref("marionette.port", 2828);
pref("marionette.prefs.recommended", true);
pref("media.eme.vp9-in-mp4.enabled", false);
pref("media.ffmpeg.low-latency.enabled", false);
pref("services.sync.engine.bookmarks.validation.interval", 86400);
pref("services.sync.engine.bookmarks.validation.maxRecords", 1000);
pref("services.sync.engine.bookmarks.validation.percentageChance", 10);
pref("signon.masterPasswordReprompt.timeout_ms", 900000);
pref("network.throttle.enable", true);
pref("network.throttle.resume-for", 2000);
pref("network.throttle.suspend-for", 2000);
==REMOVED or HIDDEN
pref("browser.newtabpage.remote", false);
pref("browser.newtabpage.remote.content-signing-test", false);
pref("browser.newtabpage.remote.keys", "");
pref("browser.newtabpage.remote.mode", "production");
pref("browser.newtabpage.remote.version", "1");
pref("devtools.sourcemap.locations.enabled", false);
pref("devtools.toolbox.toolbarSpec", '["splitconsole", "paintflashing toggle","scratchpad","resize toggle","screenshot --fullpage --file", "rulers", "measure"]');
pref("gfx.font_rendering.cleartype.always_use_for_content", false);
pref("gfx.font_rendering.cleartype.use_for_downloadable_fonts", true);
pref("intl.uidirection.ar", "rtl");
pref("intl.uidirection.fa", "rtl");
pref("intl.uidirection.he", "rtl");
pref("intl.uidirection.ug", "rtl");
pref("intl.uidirection.ur", "rtl");
// https://bugzilla.mozilla.org/show_bug.cgi?id=1343941
pref("layers.allow-d3d9-fallback", false);
pref("layers.prefer-d3d9", false);
pref("layout.css.object-fit-and-position.enabled", true);
pref("layout.css.unprefixing-service.enabled", true);
// remove HTTP1 Pipeline Support: https://bugzilla.mozilla.org/show_bug.cgi?id=1340655
pref("network.http.pipelining", false);
pref("network.http.pipelining.abtest", false);
pref("network.http.pipelining.aggressive", false);
pref("network.http.pipelining.max-optimistic-requests", 4);
pref("network.http.pipelining.maxrequests", 32);
pref("network.http.pipelining.maxsize", 300000);
pref("network.http.pipelining.read-timeout", 30000);
pref("network.http.pipelining.reschedule-on-timeout", true);
pref("network.http.pipelining.reschedule-timeout", 1500);
pref("network.http.pipelining.ssl", false);
pref("network.http.proxy.pipelining", false);
pref("pointer-lock-api.prefixed.enabled", false);
pref("security.sandbox.windows.log", false);
// https://bugzilla.mozilla.org/show_bug.cgi?id=1296767#c125
pref("services.sync.jpake.firstMsgMaxTries", 300);
pref("services.sync.jpake.lastMsgMaxTries", 300);
pref("services.sync.jpake.maxTries", 10);
pref("services.sync.jpake.pollInterval", 1000);
pref("services.sync.jpake.serverURL", "https://setup.services.mozilla.com/");
pref("services.sync.log.logger.service.jpakeclient", "Debug");
pref("services.sync.log.logger.userapi", "Debug");
pref("services.sync.miscURL", "misc/");
pref("services.sync.privacyURL", "https://services.mozilla.com/privacy-policy/");
pref("services.sync.scheduler.sync11.singleDeviceInterval", 86400);
pref("services.sync.serverURL", "https://auth.services.mozilla.com/");
pref("services.sync.statusURL", "https://services.mozilla.com/status/");
pref("services.sync.syncKeyHelpURL", "https://services.mozilla.com/help/synckey");
pref("services.sync.termsURL", "https://services.mozilla.com/tos/");
pref("services.sync.userURL", "user/");
// ---------------------------------------------------------------------------------------
// renamed to 'services.sync.engine.bookmarks.validation.*'
pref("services.sync.validation.interval", 86400);
pref("services.sync.validation.maxRecords", 100);
pref("services.sync.validation.percentageChance", 10);
// https://bugzilla.mozilla.org/show_bug.cgi?id=1313045
pref("toolkit.identity.debug", false);
pref("toolkit.identity.enabled", false);
==CHANGED
pref("browser.safebrowsing.provider.google4.lists", "goog-badbinurl-proto,goog-downloadwhite-proto,goog-phish-proto,googpub-phish-proto,goog-malware-proto,goog-unwanted-proto"); // prev: "goog-phish-proto,googpub-phish-proto,goog-malware-proto,goog-unwanted-proto"
pref("dom.event.highrestimestamp.enabled", true); // prev: false
pref("dom.ipc.plugins.asyncdrawing.enabled", true); // prev: false // we do not support flash
pref("extensions.blocklist.detailsURL", "https://blocked.cdn.mozilla.net/"); // prev: "https://www.mozilla.com/%LOCALE%/blocklist/"
pref("extensions.blocklist.itemURL", "https://blocked.cdn.mozilla.net/%blockID%.html"); // prev: "https://blocklist.addons.mozilla.org/%LOCALE%/%APP%/blocked/%blockID%"
pref("font.name-list.serif.x-math", "..."); // removed 'Symbol' from the list
pref("layout.css.clip-path-shapes.enabled", true); // prev: false
pref("security.mixed_content.hsts_priming_cache_timeout", 604800); // prev: 10080
Use this issue to suggest scripts for our wiki section Further Hardening: Extension Scripts. We're looking for scripts that enhance privacy and security, and block tracking and fingerprinting.
Please try to stick to general/global or major site specific scripts (such as google), rather than obscure sites no one really cares about.
Please note: The comments here will be regularly cleaned out to keep this sticky usable
FYI... @Thorin-Oakenpants you can delete this post after reading
Nothing new, but there are some sites identified
network.http.sendSecureXSiteReferrer = false > breaks login at aliexpress
dom.indexedDB.enabled = false > breaks Outlook Web Access (at least on Exchange 2013)
full-screen-api.enabled = false > breaks fullscreen video (youtube, etc...)
Cheers
Do you know what section in the user.js would cause the YouTube player controls to break or go missing?
133 diffs ( 74 new, 38 gone, 21 different )
2671
551427f
1606
See d87bcfd
(struck-through ones changed in a beta version but the change didn't land in stable)
0351
3023
0410c
2022
0608
already keeping an eye on
(#20)1202
2011
==NEW
pref("browser.formautofill.experimental", false);
pref("browser.safebrowsing.temporary.take_v4_completion_result", false);
pref("devtools.command-button-pick.enabled", true);
pref("devtools.debugger.call-stack-visible", false);
pref("devtools.debugger.end-panel-collapsed", false);
pref("devtools.debugger.pending-selected-location", "{}");
pref("devtools.debugger.scopes-visible", false);
pref("devtools.debugger.start-panel-collapsed", false);
pref("devtools.debugger.tabs", "[]");
pref("devtools.gridinspector.showGridLineNumbers", false);
pref("devtools.gridinspector.showInfiniteLines", false);
pref("devtools.inspector.colorWidget.enabled", false);
pref("devtools.screenshot.audio.enabled", true);
pref("devtools.screenshot.clipboard.enabled", false);
pref("devtools.webconsole.filter.css", false);
pref("dom.forms.selectSearch", false);
pref("dom.ipc.processCount.webLargeAllocation", 10);
pref("dom.largeAllocationHeader.enabled", true);
pref("dom.select_popup_in_parent.enabled", false);
pref("dom.storage.testing", false);
pref("extensions.getAddons.themes.browseURL", "https://addons.mozilla.org/%LOCALE%/firefox/themes/?src=firefox");
pref("extensions.webcompat-reporter.enabled", false);
pref("extensions.webcompat-reporter.newIssueEndpoint", "https://webcompat.com/issues/new");
pref("extensions.webextensions.identity.redirectDomain", "extensions.allizom.org");
pref("extensions.webextensions.themes.enabled", false);
pref("identity.fxaccounts.settings.devices.uri", "https://accounts.firefox.com/settings/clients?service=sync&context=fx_desktop_v3");
pref("layers.geometry.basic.enabled", true);
pref("layers.geometry.opengl.enabled", true);
pref("layers.gpu-process.enabled", true);
pref("layout.animation.prerender.absolute-limit-x", 4096);
pref("layout.animation.prerender.absolute-limit-y", 4096);
pref("layout.animation.prerender.partial", false);
pref("layout.animation.prerender.viewport-ratio-limit-x", "1.125");
pref("layout.animation.prerender.viewport-ratio-limit-y", "1.125");
pref("layout.css.display-flow-root.enabled", true);
pref("layout.css.font-variations.enabled", false);
pref("media.cubeb.log_level", "");
pref("media.decoder.recycle.enabled", false);
pref("media.gpu-process-decoder", true);
pref("media.wmf.allow-unsupported-resolutions", false);
pref("network.standard-url.enable-rust", false);
pref("places.frecency.redirectSourceVisitBonus", 25);
pref("plugins.flashBlock.enabled", false);
pref("privacy.history.custom", false);
pref("privacy.permissionPrompts.showCloseButton", false);
pref("privacy.temporary_permission_expire_time_ms", 3600000);
pref("security.mixed_content.hsts_priming_request_timeout", 3000);
pref("services.blocklist.pinning.bucket", "pinning");
pref("services.blocklist.pinning.checked", 0);
pref("services.blocklist.pinning.collection", "pins");
pref("urlclassifier.flashAllowExceptTable", "testexcept-flashallow-simple,except-flashallow-digest256");
pref("urlclassifier.flashAllowTable", "test-flashallow-simple,allow-flashallow-digest256");
pref("urlclassifier.flashExceptTable", "testexcept-flash-simple,except-flash-digest256");
pref("urlclassifier.flashSubDocExceptTable", "testexcept-flashsubdoc-simple,except-flashsubdoc-digest256");
pref("urlclassifier.flashSubDocTable", "test-flashsubdoc-simple,block-flashsubdoc-digest256");
pref("urlclassifier.flashTable", "test-flash-simple,block-flash-digest256");
pref("webgl.max-acceptable-fb-status-invals", 0);
pref("webgl.max-perf-warnings", 0);
==REMOVED or HIDDEN
/*** we have none of these ***/
pref("accessibility.ipc_architecture.enabled", true);
pref("browser.preferences.animateFadeIn", false);
pref("browser.tabs.dontfocusfordialogs", true);
pref("browser.uitour.readerViewTrigger", "^https:\\/\\/www\\.mozilla\\.org\\/[^\\/]+\\/firefox\\/reading\\/start");
pref("devtools.apps.forbidden-permissions", "embed-apps");
pref("devtools.netmonitor.statistics", true);
pref("dom.details_element.enabled", true);
pref("dom.mozInputMethod.enabled", false);
pref("dom.mozNetworkStats.enabled", false);
pref("dom.mozPermissionSettings.enabled", false);
pref("dom.mozSettings.allowForceReadOnly", false);
pref("dom.mozSettings.enabled", false);
pref("dom.mozSettings.SettingsDB.debug.enabled", false);
pref("dom.mozSettings.SettingsDB.verbose.enabled", false);
pref("dom.mozSettings.SettingsManager.debug.enabled", false);
pref("dom.mozSettings.SettingsManager.verbose.enabled", false);
pref("dom.mozSettings.SettingsRequestManager.debug.enabled", false);
pref("dom.mozSettings.SettingsRequestManager.verbose.enabled", false);
pref("dom.mozSettings.SettingsService.debug.enabled", false);
pref("dom.mozSettings.SettingsService.verbose.enabled", false);
pref("dom.node.rootNode.enabled", false);
pref("dom.presentation.discovery.legacy.enabled", false);
pref("dom.system_update.debug", false);
pref("dom.system_update.enabled", false);
pref("gecko.handlerService.allowRegisterFromDifferentHost", false);
pref("gfx.prefer-mesa-llvmpipe", false);
pref("image.mozsamplesize.enabled", false);
pref("layout.css.display-contents.enabled", true);
pref("network.standard-url.encode-utf8", true);
pref("network.standard-url.escape-utf8", true);
pref("security.ssl.enable_npn", true);
pref("security.ssl.false_start.require-npn", false);
==CHANGED
pref("browser.addon-watch.ignore", "[\"[email protected]\",\"[email protected]\",\"[email protected]\",\"fx-devtools\",\"[email protected]\"]"); // prev: "[\"[email protected]\",\"[email protected]\",\"[email protected]\",\"fx-devtools\"]"
pref("browser.migrate.chrome.history.limit", 2000); // prev: 0
pref("browser.migrate.chrome.history.maxAgeInDays", 180); // prev: 0
pref("browser.safebrowsing.provider.mozilla.lists", "base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256"); // prev: "base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256"
pref("devtools.jsonview.enabled", true); // prev: false
pref("devtools.netmonitor.har.defaultFileName", "Archive %date"); // prev: "Archive %y-%m-%d %H-%M-%S"
pref("devtools.toolbox.toolbarSpec", '["splitconsole", "paintflashing toggle","scratchpad","resize toggle","screenshot --fullpage --file", "rulers", "measure"]'); // prev: '["splitconsole", "paintflashing toggle","scratchpad","resize toggle","screenshot --fullpage", "rulers", "measure"]'
pref("lightweightThemes.recommendedThemes", /*** big long string ***/); // prev: /*** big long string ***/
pref("media.decoder-doctor.notifications-allowed", /*** big long string ***/); // prev: /*** big long string ***/
pref("media.dormant-on-pause-timeout-ms", 5000); // prev: -1
pref("media.navigator.audio.full_duplex", true); // prev: false
pref("places.frecency.permRedirectVisitBonus", 50); // prev: 0
pref("places.frecency.tempRedirectVisitBonus", 40); // prev: 0
pref("services.sync.engine.tabs.filteredUrls", "^(about:.*|resource:.*|chrome:.*|wyciwyg:.*|file:.*|blob:.*)$"); // prev: "^(about:.*|chrome://weave/.*|wyciwyg:.*|file:.*|blob:.*)$"
pref("urlclassifier.disallow_completions", /*** big long string ***/); // prev: /*** big long string ***/
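The "N diffs ( x new, y gone, z different )" summaries and the ==NEW / ==REMOVED or HIDDEN / ==CHANGED lists above come from comparing two release pref dumps. As an added example (editor's code, not the arkenfox project's own diff tooling), this Node script produces that report from two dumps and additionally flags any diff that touches a watchlist pattern, which is what the tracking sticky near the top means by picking up extensions.systemAddon* and browser.newtabpage.remote* "from release diffs". Both dumps below are constructed; the pref names are ones that appear on this page, but the values are illustrative.

```javascript
// Added example: build the "N diffs ( x new, y gone, z different )" report from two
// release pref dumps and flag watchlisted prefs. Not from the arkenfox project; the
// two dumps are constructed samples in the style of the lists above.

const PREF_LINE = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);/;

// Map pref name -> value as source text, so "true" (string) and true (bool) never collide
// and a trailing "// prev: ..." comment is ignored.
function parsePrefDump(text) {
  const prefs = new Map();
  for (const line of text.split("\n")) {
    const m = PREF_LINE.exec(line);
    if (m) prefs.set(m[1], m[2]);
  }
  return prefs;
}

function diffPrefs(oldText, newText) {
  const before = parsePrefDump(oldText);
  const after = parsePrefDump(newText);
  const added = [], removed = [], changed = [];
  for (const [name, value] of after) {
    if (!before.has(name)) added.push({ name, value });
    else if (before.get(name) !== value) changed.push({ name, prev: before.get(name), value });
  }
  for (const [name, value] of before) {
    if (!after.has(name)) removed.push({ name, value });
  }
  const byName = (a, b) => a.name.localeCompare(b.name);
  return { added: added.sort(byName), removed: removed.sort(byName), changed: changed.sort(byName) };
}

// Watchlist entries use "*" as a wildcard, like the tracking sticky's extensions.systemAddon*
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

function watched(diff, patterns) {
  const res = patterns.map(globToRegExp);
  const hits = [];
  for (const kind of ["added", "removed", "changed"]) {
    for (const entry of diff[kind]) {
      if (res.some((r) => r.test(entry.name))) hits.push({ kind, ...entry });
    }
  }
  return hits;
}

function formatReport(diff) {
  const { added, removed, changed } = diff;
  const total = added.length + removed.length + changed.length;
  const out = [`${total} diffs ( ${added.length} new, ${removed.length} gone, ${changed.length} different )`];
  out.push("==NEW", ...added.map((e) => `pref("${e.name}", ${e.value});`));
  out.push("==REMOVED or HIDDEN", ...removed.map((e) => `pref("${e.name}", ${e.value});`));
  out.push("==CHANGED", ...changed.map((e) => `pref("${e.name}", ${e.value}); // prev: ${e.prev}`));
  return out.join("\n");
}

// Constructed dumps: a handful of lines in the style of the release lists above.
const OLD_DUMP = `
// constructed: subset of an older release dump
pref("browser.newtabpage.remote", false);
pref("extensions.blocklist.detailsURL", "https://www.mozilla.com/%LOCALE%/blocklist/");
pref("network.http.pipelining", false);
pref("dom.event.highrestimestamp.enabled", false);
pref("extensions.systemAddon.update.url", "https://example.invalid/system-addons/old");
pref("security.mixed_content.hsts_priming_cache_timeout", 10080);
`;
const NEW_DUMP = `
// constructed: subset of a newer release dump
pref("extensions.blocklist.detailsURL", "https://blocked.cdn.mozilla.net/");
pref("dom.event.highrestimestamp.enabled", true);
pref("extensions.systemAddon.update.url", "https://example.invalid/system-addons/new");
pref("security.mixed_content.hsts_priming_cache_timeout", 604800);
pref("marionette.enabled", false);
pref("network.throttle.enable", true);
pref("network.trr.custom_uri", "");
`;
const WATCHLIST = ["extensions.systemAddon*", "browser.newtabpage.remote*", "network.trr.*"];

const report = diffPrefs(OLD_DUMP, NEW_DUMP);
console.log(formatReport(report));
console.log("watched:", watched(report, WATCHLIST));
```

Run it against two real dumps (e.g. the output of a fresh profile's about:config export for each release) and the watchlist hits are the entries worth a line in the tracking sticky; everything else is the bulk list that gets pasted as-is.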
I looked at our current settings and I want to share some of my observations.
https://badssl.com/
https://www.howsmyssl.com/
https://wiki.mozilla.org/Security/Server_Side_TLS
https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
https://dh2048.badssl.com/ => we break dh2048 due to user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
The EFF article explicitly names that pref and recommends disabling it, even though it talks about 1024-bit primes presumably being broken by the NSA, and that pref uses a 2048-bit prime.
There's also this sentence from the mozilla wiki for "Modern compatibility":
It doesn't say it's easy to break, only that it's slow. Do we assume the NSA can also break DHE with a 2048-bit prime, or should we comment out that pref for less breakage (and recommend it only for the paranoid?), because according to badssl.com dh2048 is still secure.
If we keep it, we may want to rename 1210 to 'disable DHE (Diffie-Hellman Key Exchange)' and remove the 1024 bit part.
'Modern compatibility' ciphers and the matching pref:
Interestingly Firefox sends them in a different order (see howsmyssl.com).
Instead of 1-8 it's 5,6,3,4,1,2,7,8
When 9+10 are enabled the order is 5,6,3,4,1,2,7,9,8,10
(+ TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA at the end [11+12], for the 2 remaining ones that we still allow)
The Rationales explain some of it:
In Modern compatibility:
AES256-GCM is prioritized above its 128 bits variant, and ChaCha20 because we assume that most modern devices support AESNI instructions and thus benefit from fast and constant time AES.
While in Intermediate compatibility (default):
ChaCha20 is preferred as the fastest and safest in-software cipher, followed by AES128. Unlike the modern configuration, we do not assume clients support AESNI and thus do not prioritize AES256 above 128 and ChaCha20. There has been discussions on whether AES256 extra security was worth its computing cost in software (without AESNI), and the results are far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.
Well, anyhow, there's nothing we can do about it anyway.
Apart from the 10 modern ciphers (2 of which we have disabled) we only support 2 older ones: security.ssl3.rsa_aes_128_sha and security.ssl3.rsa_aes_256_sha, which is why static-rsa (https://static-rsa.badssl.com/) still works, but it's listed with an ! and not a red warning sign.
The only other thing that I really don't like is that https://incomplete-chain.badssl.com/ still works.
But maybe this can be fixed if security.nocertdb is set to true; I haven't tested this because I really don't like the current implementation behind that pref.
IMO we should remove 1214, because the 128 bit in AES is not the problem; 5+6 have it also.
And the 2 prefs in 1214 are part of the 10 modern ciphers.
Perhaps we were a bit overeager when we added 1214, without really understanding it. (?)
snip
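The 1200-section discussion above, and the list of security.ssl3.* prefs a later commenter removed from their user.js, both turn on the same question: which suite does each pref actually control, and is disabling it buying anything. The following is an added example (editor's code, not from the arkenfox project) that reads the security.ssl3.* lines out of a user.js fragment, maps each pref to the IANA suite name Firefox's pref naming corresponds to, and attaches a short note per suite. The mapping is Firefox's own naming; the notes are the editor's and are deliberately conservative (RC4, MD5 and 3DES on well-known grounds, static RSA for lacking forward secrecy, DHE restating the server-chooses-the-group point from the EFF article cited above). The sample fragment is constructed from the prefs quoted in this thread.

```javascript
// Added example: audit the security.ssl3.* prefs in a user.js, report which suite each
// one controls and why it is or isn't worth disabling. Not from the arkenfox project.
// Pref-to-suite names follow Firefox's naming; the per-suite notes are the editor's.

// Firefox pref -> IANA cipher suite name
const SSL3_PREFS = {
  "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
  "security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
  "security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "security.ssl3.ecdhe_rsa_aes_256_gcm_sha384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "security.ssl3.ecdhe_ecdsa_aes_128_sha": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
  "security.ssl3.ecdhe_rsa_aes_128_sha": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
  "security.ssl3.ecdhe_ecdsa_rc4_128_sha": "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
  "security.ssl3.ecdhe_rsa_rc4_128_sha": "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
  "security.ssl3.dhe_rsa_aes_128_sha": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
  "security.ssl3.dhe_rsa_aes_256_sha": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
  "security.ssl3.rsa_aes_128_sha": "TLS_RSA_WITH_AES_128_CBC_SHA",
  "security.ssl3.rsa_aes_256_sha": "TLS_RSA_WITH_AES_256_CBC_SHA",
  "security.ssl3.rsa_des_ede3_sha": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
  "security.ssl3.rsa_rc4_128_sha": "TLS_RSA_WITH_RC4_128_SHA",
  "security.ssl3.rsa_rc4_128_md5": "TLS_RSA_WITH_RC4_128_MD5",
};

// Editor's notes per suite, derived from the suite name alone.
function suiteIssues(suite) {
  const issues = [];
  if (suite.includes("_RC4_")) issues.push("RC4 is broken; RFC 7465 prohibits it");
  if (suite.endsWith("_MD5")) issues.push("MD5-based MAC");
  if (suite.includes("_3DES_")) issues.push("64-bit block cipher (Sweet32)");
  if (suite.startsWith("TLS_RSA_")) issues.push("static RSA key exchange: no forward secrecy");
  if (suite.startsWith("TLS_DHE_")) issues.push("DHE group size is chosen by the server (the 1024-bit concern from the EFF article)");
  if (suite.endsWith("_CBC_SHA")) issues.push("CBC with HMAC-SHA1, not AEAD");
  return issues;
}

// enabled: true/false when the user.js sets the pref, null when it leaves Firefox's default.
function auditCipherPrefs(userJsText) {
  const setTo = new Map();
  const re = /^\s*user_pref\(\s*"(security\.ssl3\.[^"]+)"\s*,\s*(true|false)\s*\)/gm;
  for (const m of userJsText.matchAll(re)) setTo.set(m[1], m[2] === "true");
  return Object.entries(SSL3_PREFS).map(([pref, suite]) => ({
    pref,
    suite,
    enabled: setTo.has(pref) ? setTo.get(pref) : null,
    issues: suiteIssues(suite),
  }));
}

function summarize(rows) {
  const disabled = rows.filter((r) => r.enabled === false);
  const untouched = rows.filter((r) => r.enabled === null);
  return {
    disabledCount: disabled.length,
    untouchedCount: untouched.length,
    // left at default but carrying a note: the ones a reviewer should look at next
    untouchedWithIssues: untouched.filter((r) => r.issues.length).map((r) => r.suite),
    // disabled although nothing in the name argues for it: candidates to drop from the user.js
    disabledButClean: disabled.filter((r) => !r.issues.length).map((r) => r.suite),
  };
}

// Constructed fragment: the ssl3 prefs quoted in this thread.
const SAMPLE_USER_JS = `
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
`;

const audit = auditCipherPrefs(SAMPLE_USER_JS);
console.table(audit.map(({ pref, enabled, issues }) => ({ pref, enabled, issues: issues.join("; ") })));
console.log(summarize(audit));
```

On the sample the two untouched suites with notes are exactly the static-RSA AES-CBC pair the discussion says is still allowed, and nothing is flagged as "disabled but clean", which is a quick way to sanity-check a proposal like dropping 1214 before arguing about it.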
I am in the middle of 52 upgrades + changes, revamping passwords section, revamping 800 section, waiting to commit 1600 section revamp, trying to close out the wiki and readme (and have a life and do my other sh*t) .... anyway, I just moved the following pref from the 0800 section where it does not fit, and for the life of me can't remember (or added it before it launched and never fully explored it) what the heck it actually achieves.
/* 3025: disable search reset (about:searchreset) (FF51+)
* http://www.ghacks.net/2016/08/19/firefox-51-search-restore-feature/ ***/
user_pref("browser.search.reset.enabled", false);
user_pref("browser.search.reset.whitelist", "");
At first glance it doesn't seem to do anything. It does not block the page or disable the buttons in about:searchreset. Nor does it disable the button "Restore Default Search Engines" in Options>Search (which I am loath to click right now, but could do a test later). I'm a bit preoccupied with a dozen things. Can someone please tell me exactly what this does. I would like to either dismiss the pref or clarify exactly what it does.
Locked sticky issue for tracking privacy.resistFingerprinting
Last updated: see changelog at foot (regularly cleaned out)
FF41
FF50
FF55
FF56
FF57
FF58
privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts
until then, you can open about:debugging > Add-ons, click the extension's manifest.url and on that page, right click > View Page Info > Permissions and set a canvas exception
privacy.resistFingerprinting
FF59
privacy.spoof_english (pref is used internally AFAICT, we should not meddle with it)
FF60
2011
FF62
FF63
no-preference with prefers-reduced-motion
FF64
FF65
FF67
ui.use_standins_for_native_colors = true (2618)
dom.event.highrestimestamp.enabled
light with prefers-color-scheme - see MDN for this standard added in FF67
FF68
FF70
FF72
FF74
FF78
isPointInPath and isPointInStroke still use the white-canvas
FF80
BaseFonts (non Android)
kBaseFonts and kLangPackFonts
layout.css.font-visibility.level = 1
FF82
2020
...
user_pref("browser.backspace_action", 2);
- if it's not a privacy issue, can I set it to 5-6?
user_pref("browser.privatebrowsing.autostart", true);
- why is this commented out?
user_pref("browser.sessionhistory.max_total_viewers", 0);
- is it a privacy / security issue leaving this commented out?
user_pref("clipboard.autocopy", false);
- is this Linux only?
Is commenting out
user_pref("media.eme.enabled", false);
user_pref("browser.eme.ui.enabled", false);
user_pref("media.eme.apiVisible", false);
good for entropy? Do they pose a privacy / security risk if left enabled?
I removed these from my user.js because I think they raise your entropy:
(please let me know if I got it wrong)
user_pref("media.flac.enabled", true);
user_pref("media.mediasource.enabled", true);
user_pref("media.mediasource.mp4.enabled", true);
user_pref("media.mediasource.webm.audio.enabled", true);
user_pref("media.mp4.enabled", true);
user_pref("media.ogg.enabled", false);
user_pref("media.ogg.flac.enabled", false);
user_pref("media.opus.enabled", false);
user_pref("media.raw.enabled", false);
user_pref("media.wave.enabled", false);
user_pref("media.webm.enabled", true);
user_pref("media.wmf.enabled", true);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
Is there a reason that search suggestions from bookmarks and open tabs are disabled?
I am using the following:
browser.urlbar.maxRichResults = 8
browser.urlbar.suggest.bookmark = true
browser.urlbar.suggest.openpage = true
Just can't see any privacy problems here, only productivity improvements.
Also accessibility.typeaheadfind = true seems a nice productivity improvement.
For dom.event.contextmenu.enabled I am not sure about privacy/security (?), but some pages (Outlook Web Access for example) provide additional control over the context menu.
I notice that reader.parse-on-load.enabled = false is set to disable Reader View. What is the reasoning behind this choice? I'm having a hard time understanding what privacy downside there is, since switching to this view does not result in any more network requests (according to the Network log).
Before we revamp the 2300 section, which I will rename as Web Workers, I think it's important we understand what they are. This issue is for discussing that, and any ramifications: security/privacy.
NOTE: also see #60 which mentions the FBI exploit, CVEs (might be fixed but there will be more), latest Pwn2Own exploit, add-on breakage (find another add-on or talk to the developer).
Web Workers: https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API
In case you were wondering about these redo section issues (there are more coming):
Section 1200 needs some love. I know @earthlng has some ideas for this section. I definitely want ciphers grouped together in say a 1250s. This is all about the order, numbering, wording. Don't want to get into discussions on the merits of turning things on and off or technical discussions on cipher suites and how curves are better than squares xD.
I think the 1000s cache section could do with a little love. My thoughts are the header section (or some items) needs a [SETUP] tag and information on session restores (crash recovery etc).
I gave pk some instructions the other day on how to trigger a FF crash. I'll repost them here. I need to make sure that all the session restore and resume from crash is grouped together, and to make sure it is clear what needs to be done to enable them.
/******
user.js * date: 18 Feb 2017 vs pyllyukko user.js
what pyllyukko has that we don't
******/
--- original post ---
See: pyllyukko/user.js#205 (comment)
I will compare us to pyllyukko and output
Then we can decide what to add/discard
"setting is under" - 9 instances + "settings are under" - 3 instances
eg: [SETTING] Options>Search>Provide search suggestions
As far as I can see dom.workers.enabled
was security-problematic and fixed in previous versions of FF.
Is this one safe to be true now?
Not asking for a change. I have a few pages (e.g. https://regex101.com/r/bR8lT1/1) where I would need workers and am asking if it is safe to enable in my user.js.
Thank you gang
Hello,
I have recently been experiencing some issues with ghack. This is the first of many.
Steps to reproduce:
1- Get latest firefox nightly on Arch Linux.
2- Try to go to 'about:preferences#privacy' and notice how everything is blank and empty
3- Click on another tab
4- Try clicking on the privacy tab and notice how the tab doesn't change.
Solution:
Remove 1004.
write up a pull-request to set this one to true and give props to @crssi
snip
After #10 ghacks mini diff and #208 pyllyukko monster diff ToDo's are finished, do a diff of active values and investigate
security.password_lifetime
to apply
When gfx.downloadable_fonts.woff2.enabled
is set to "false" then some web pages don't show navigation and other icons. Instead there is just an empty placeholder with no function.
Is there any reason not to set it back to the default, which is "true"?
Just putting here some settings I have stumbled upon.
I haven't investigated those yet, so don't kill me, please. :)
Some might be deprecated already, some might not be existing, etc.
==
I am out for a few days.
If anyone already knows about some of those, I would be happy for your comment.
I thought I would start a thread on known PB mode issues/problems. Personally, I don't think I know of any real benefits to PB mode over a controlled normal mode, and quite a few downsides. I'll start the ball rolling by mentioning one item
You cannot see or control PB mode cookies, or so called "private cookies". So essentially, until you close Firefox, your cookies that you accept will be retained. Good luck to people who think running PB mode for days on end is a good idea
This is why I always think it's better to start in normal mode and flick open a new private window when needed. Indeed, without closing FF, just closing all PB Mode windows clears the data, and the next PB Mode window starts anew - as evidenced by the tracking id PoC at http://www.radicalresearch.co.uk/lab/hstssupercookies
Maybe Francois can tell what benefits PB mode offers that we can't achieve in normal mode already using smarts
I propose that we start using version numbers to match Firefox. When the user.js is ready for the next stable, eg 52, I commit changes to the date and version number and create a release. I assume the release will be an archived version of all files (so far license and user.js) - right?
This way users can easily get the version that is applicable to their FF - starting from 51+. I know it doesn't exactly help ESR but is a good starting point i.e take version 45-51 as applicable and uncomment deprecated for ESR 45, etc - any pref active not used in code is harmless, if that makes sense.
So, should we do this? Change the current user.js to version 51, change the release date to today, and make a release with the tag 51?
If 0304 is set to false, then 0305 does not need to be forced to false.
Does anyone have information on the new 'Site Deployment Checker' Extension? I've found only a vague, "politician type" answer with a Bug report:
...this system addon is used by mozilla to look into the integrity of its critical infrastructure like the download page by looking at real world data of certificates in use there (bug 1346017).
While I'm at it, what's the scoop on 'Application Update Service Helper'? I keep all auto-update stuff disabled so I can manually check when needed. Does this interfere with anything yet?
i'm not aware of 'dom.event.contextmenu.enabled' breaking JS context menus - rather the JS context menu is placed under the default FF context menu, so you have both - if you want to use the JS menu, press Esc once
current description:
'[WARNING] This will break sites' functionality such as Dropbox'
might want to change that to reflect what i stated above?
The shutdown section needs some love. Using words like "stuff" in 2803 is lame. I'm also not happy with the 2803a and 2804a numbering. Those 2 prefs need to be clarified exactly what they are doing as well. Especially 2803a, because we are shutting down, so how can that differ from what is already in 2803. As for 2804a, does it close current tabs/windows (but leave FF open) or what. I need to do some testing in a vanilla FF.
Also, the section header could be expanded a tad to explain clearing session data vs keeping it - a bit like the new 0800 (forms etc) section.
Locked sticky issue for tracking privacy.firstparty.isolate
Last updated: see changelog at foot
privacy.firstparty.isolate
FF51
FF52
FF53
FF54
FF55
FF58
privacy.firstparty.isolate
FF63
FF65
FF68
FF69
FF73
this is now obsolete: FPI is not being worked on: it is superseded by dFPI
...
moved from Issue #60
@zymase wrote:
FYI there is (at least) one Firefox add-on which will not perform correctly with
dom.workers.enabled
set to false : Country Flags & IP Whois
I've had difficulty finding the culprit when I noticed that Country Flags & IP Whois wasn't displaying the country flag & IP address in the urlbar because switching
dom.workers.enabled
to default = true wouldn't make it before restarting Firefox.
If it is possible, and that's what I was doing, to set
dom.workers.enabled
to true on a per-site basis (Google Street View mainly, here) it leads to a choice setting vs. add-on when an add-on won't run if set to false. I'm keeping the add-on in this case because I really use it quite a lot.
@Thorin-Oakenpants wrote:
If it is possible, and that's what I was doing, to set dom.workers.enabled to true on a per-site basis
When XUL goes, AFAIK, web extensions will not allow add-ons to change (maybe even to read) preferences that are not their own. Extensions to flip prefs will be obsolete. That said, we have until 57 (and after that the ESR extended life). Also e10s is almost enforced, just to make matters a little tougher.
There are quite a few add-ons that flip prefs with whitelists. Maybe you can hunt one down and all it would need is a little code change - but, IMO, that's not a very elegant solution as it doesn't handle multiple pages on the fly. Probably easier, a simple toggle button extension of which there are hundreds of these, but no idea if any are e10s compliant.
@zymase wrote (and got a ๐ from @Atavic):
If it weren't this Country Flags & IP Whois Firefox add-on which requires
dom.workers.enabled
set to its default true value to perform I'd include dom.workers.enabled
to a Custom Buttons (Firefox add-on itself) button called Pref Toggler (http://custombuttons.sourceforge.net/forum/viewtopic.php?f=4&t=381) which allows a quick access & edit to about:config settings chosen by the user. But as I said when it comes to an add-on which requires a default about:config setting to be left unchanged then it's either the add-on or the setting when this add-on runs and performs on each and every Web page.
I'll add that I was surprised that a very add-on depended on
dom.workers.enabled
, when I thought up to now that this setting concerned Web sites only.
@Thorin-Oakenpants wrote:
FWIW: Flagfox does all this and more, and is e10s. I'm always wary of these sorts of things (yes I know country data is local csvs etc) - you want to be careful what data is being sent to who (and how, is it https) in order to look info up (and is it automated or only when you go to check?).
@zymase wrote (and got a ๐ from @Atavic):
The country flag and server IP is performed automatically, the DB is local (included in the add-on) but the IP Whois is only performed on demand. So there's no automatic external call.
Concerning the IP Whois the one used by the add-on is, IMO, clumsy. I've mentioned this together with an improvement proposition for performing Whois with another site, on the add-on's GitHub page at andy-portmen/country-flags#1
I really like this add-on, runs fine and allows the user to have quick and substantial info about the visited site .... but it needs
dom.workers.enabled
set to true ...
@Atavic wrote:
@zymase Good hints!
Dec 2019:
Locked sticky issue for tracking other Tor Uplift items of interest (after RFP #7 and FPI #8 )
Last updated: see changelog at foot
FF52
FF56
<isindex>
FF57
security.all_resource_uri_content_accessible
- may add this to user.js [reminder]
FF59
FF60
FF64
FF68
FF70
...
Hey... pardon my stupidity, but what exactly is cleared when privacy.clearOnShutdown.sessions = true?
snip
/***************************************************
* diffs between FF prefs v51.0 and v52.0
*
* prefs: 2833
* 2717 matching prefs
* 116 diffs ( 55 new, 38 gone, 23 different )
 ***************************************************/
0201
0603b
0608
1260
2509
2511
==NEW
* pref("app.update.timerFirstInterval", 30000);
* pref("browser.migrate.chrome.history.limit", 0);
* pref("browser.migrate.chrome.history.maxAgeInDays", 0);
* pref("browser.tabs.crashReporting.requestEmail", false);
* pref("browser.tabs.delayHidingAudioPlayingIconMS", 3000);
* pref("devtools.debugger.client-source-maps-enabled", true);
* pref("devtools.layoutview.enabled", false);
* pref("devtools.webconsole.filter.debug", true);
* pref("devtools.webconsole.filter.net", false);
* pref("devtools.webconsole.ui.filterbar", false);
* pref("dom.audiochannel.audioCompeting.allAgents", false);
* pref("dom.forms.datetime.timepicker", false);
* pref("dom.gamepad.extensions.enabled", false);
* pref("dom.idle_period.throttled_length", 10000);
* pref("dom.manifest.onappinstalled", false);
* pref("dom.requestIdleCallback.enabled", false);
* pref("dom.select_events.textcontrols.enabled", false);
* pref("dom.w3c_pointer_events.implicit_capture", false);
* pref("dom.webnotifications.requireinteraction.count", 3);
* pref("dom.webnotifications.requireinteraction.enabled", false);
* pref("gfx.canvas.skiagl.dynamic-cache", true);
* pref("identity.fxaccounts.contextParam", "fx_desktop_v3");
* pref("idle_queue.long_period", 50);
* pref("idle_queue.min_period", 3);
* pref("layers.draw-mask-debug", false);
* pref("layout.accessiblecaret.hide_carets_for_mouse_input", true);
* pref("layout.idle_period.required_quiescent_frames", 2);
* pref("layout.idle_period.time_limit", 1);
* pref("logging.config.clear_on_startup", true); [zilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1239686)
* IF logging this clears the log on restart go see the DXR code
* pref("media.dormant-on-pause-timeout-ms", -1);
* pref("media.navigator.load_adapt.encoder_only", true);
* pref("media.peerconnection.dtmf.enabled", true); [zilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1313406)
* pref("media.wmf.vp9.enabled", false);
* pref("narrate.filter-voices", true);
* pref("network.auth.private-browsing-sso", false);
* pref("network.http.max_response_header_size", 393216);
* pref("network.http.spdy.default-hpack-buffer", 65536);
* pref("plugins.favorfallback.mode", "never");
* pref("plugins.favorfallback.rules", "");
* pref("prompts.authentication_dialog_abuse_limit", 3); [CVE](https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5419) - will enforce if it changes
* pref("security.csp.enableStrictDynamic", true);
* pref("security.enterprise_roots.enabled", false);
* pref("security.mixed_content.hsts_priming_cache_timeout", 10080);
* pref("security.sandbox.windows.log.stackTraceDepth", 0);
* pref("services.sync.log.logger.engine.extension-storage", "Debug");
* pref("services.sync.validation.interval", 86400);
* pref("services.sync.validation.maxRecords", 100);
* pref("services.sync.validation.percentageChance", 10);
* pref("webextensions.storage.sync.enabled", false);
* pref("webextensions.storage.sync.serverURL", "https://webextensions.settings.services.mozilla.com/v1");
==REMOVED or HIDDEN
* pref("app.update.cert.requireBuiltIn", false);
* pref("bidi.support", 1);
* pref("browser.search.redirectWindowsSearch", true);
* pref("devtools.command-button-pick.enabled", true);
* pref("devtools.debugger.promise", false);
* pref("dom.apps.reset-permissions", false);
* pref("dom.cellbroadcast.enabled", false);
* pref("dom.icc.enabled", false);
* pref("dom.image.picture.enabled", true);
* pref("dom.image.srcset.enabled", true);
* pref("dom.manifest.oninstall", false);
* pref("dom.MediaError.message.enabled", false);
* pref("dom.mobileconnection.enabled", false);
* pref("dom.mozApps.debug", false);
* pref("dom.mozApps.maxLocalId", 1000);
* pref("dom.mozApps.signed_apps_installable_from", "https://marketplace.firefox.com");
* pref("dom.sms.defaultServiceId", 0);
* pref("dom.sms.enabled", false);
* pref("dom.sms.maxReadAheadEntries", 0);
* pref("dom.sms.requestStatusReport", true);
* pref("dom.sms.strict7BitEncoding", false);
* pref("dom.telephony.defaultServiceId", 0);
* pref("dom.undo_manager.enabled", false);
* pref("dom.voicemail.defaultServiceId", 0);
* pref("dom.voicemail.enabled", false);
* pref("layout.css.masking.enabled", true);
* pref("media.decoder.heuristic.dormant.enabled", true);
* pref("media.decoder.heuristic.dormant.timeout", 10000);
* pref("media.format-reader.ogg", true);
* pref("media.wave.decoder.enabled", true);
* pref("media.webm.intel_decoder.enabled", false);
* pref("network.http.enable-packaged-apps", false);
* pref("network.http.signed-packages.enabled", false);
* pref("security.apps.privileged.CSP.default", "default-src * data: blob:; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'");
==CHANGED
pref("browser.shell.skipDefaultBrowserCheckOnFirstRun", false); // prev: true
pref("devtools.apps.forbidden-permissions", "embed-apps"); // prev: "embed-apps,embed-widgets"
pref("devtools.responsive.html.enabled", true); // prev: false
// https://developer.mozilla.org/en-US/docs/Web/API/Document/onselectionchange
pref("dom.select_events.enabled", true); // prev: false
pref("gfx.content.azure.backends", "direct2d1.1,skia,cairo"); // prev: "direct2d1.1,cairo"
pref("layout.css.grid.enabled", true); // prev: false
pref("layout.css.touch_action.enabled", true); // prev: false
pref("layout.accessiblecaret.enabled_on_touch", true); // prev: false
pref("layout.accessiblecaret.use_long_tap_injector", false); // prev: true
pref("media.decoder-doctor.notifications-allowed", `big long string`
pref("media.wmf.disable-d3d11-for-dlls", `massive long string not repeating here`
pref("memory.low_commit_space_threshold_mb", 128); // prev: 256
pref("memory.low_virtual_memory_threshold_mb", 128); // prev: 256
pref("narrate.voice", " { \"default\": \"automatic\" }"); // prev: "automatic"
pref("services.sync.registerEngines", `big long string`
pref("services.sync.sendTabToDevice.enabled", true); // prev: false
changelog:
ok ... let's get to the good stuff now ... prefs, prefs, prefs and some more prefs ...
user_pref("network.http.referer.XOriginPolicy", 1); // Beware! This can cause breakage! see section 1600
user_pref("network.http.referer.spoofSource", false); // enforcing FF52 default value
user_pref("network.http.referer.trimmingPolicy", 0); // enforcing FF52 default value
user_pref("network.http.referer.XOriginTrimmingPolicy", 0); // enforcing FF52 default value -- new in FF52
user_pref("network.http.sendRefererHeader", 2); // enforcing FF52 default value
// user_pref("network.http.referer.userControlPolicy", 3); // not in FF52 - new in FF53
user_pref("javascript.options.wasm", false); // default: true -- if you want to use WebAssembly comment this one out
user_pref("network.cookie.leave-secure-alone", true); // enforcing FF52 default value
user_pref("security.insecure_field_warning.contextual.enabled", true); // enforcing FF52 default value
user_pref("signon.autofillForms.http", false); // enforcing FF52 default value
user_pref("browser.ssl_override_behavior", 1);
user_pref("browser.urlbar.suggest.bookmark", false); // you may not like this
user_pref("browser.urlbar.suggest.openpage", false); // ... or this
user_pref("browser.xul.error_pages.expert_bad_cert", true);
user_pref("network.IDN_show_punycode", true); // you may not like this if you're using a non-latin alphabet
user_pref("security.csp.enable", true); // enforcing FF52 default value
user_pref("security.csp.experimentalEnabled", true); // experimental - yes we're adventurous - use at your own risk !!
// user_pref("accessibility.typeaheadfind", true);
// user_pref("browser.privatebrowsing.autostart", true);
// user_pref("font.system.whitelist", "");
// user_pref("security.ssl3.rsa_aes_128_sha", false);
// user_pref("security.ssl3.rsa_aes_256_sha", false);
user_pref("browser.link.open_newwindow.restriction", 0); // this will open some popup-windows in a tab instead
user_pref("network.stricttransportsecurity.preloadlist", true); // we also changed the value to true !!! -- default: true
user_pref("privacy.clearOnShutdown.openWindows", false); // we also changed the value to false !!! -- default: false
user_pref("privacy.cpd.openWindows", false); // we also changed the value to false !!! -- default: false
user_pref("privacy.donottrackheader.enabled", false); // we also changed the value to false !!! -- default: false
user_pref("browser.sessionhistory.max_entries", 10); // previously: 4
user_pref("browser.search.reset.enabled", false);
user_pref("browser.search.reset.whitelist", "");
user_pref("clipboard.autocopy", false);
user_pref("general.appname.override", "Netscape");
user_pref("general.appversion.override", "5.0 (Windows)");
user_pref("general.buildID.override", "20100101");
user_pref("general.oscpu.override", "Windows NT 6.1");
user_pref("general.platform.override", "Win32");
user_pref("privacy.cpd.downloads", true);
plus we fixed some typos and other minor things
=> we're trying our best but grammar nazis are very welcome
we also changed one of the URL-prefs so we can log all your browsing history
=> seriously, you should never use something like this without reading it from top to bottom
=> no seriously - don't worry - we would never do that (or would we?)
Thanks to everyone who contributed - we appreciate it a lot!
any and all help, suggestions, recommendations, links, tips and tricks, questions, thank you's or whathaveyou - signup/login and start typing
If you start FF in "normal" mode, any new private windows will display a badge/icon in the top right (a mask image). (Side note: themes do not load either)
If you start FF in PB mode, there is no PB mode icon shown anywhere. If you then open a new "normal" window, there is no difference to that visually from the PB mode window (I have never started in PB mode so I would like to clarify this).
I have tested this with multiple vanilla FF52s. To me, this is either a bit of a failure and/or ambiguous. @fmarier
==
below are three concurrent profiles (vanilla FF52), all with Options>Privacy>History>Firefox will use custom settings
, starting in "normal" mode (i.e "always use PB mode" is unchecked), with spawned PB windows (just reusing the image from the wiki to show the PB mode badge and loss of theme)
And here is a browser.privatebrowsing.autostart -> true. If you spawn a "new window" or a "new private window", they are indistinguishable
==
So am I missing something here?
I do not start in PB mode myself (never have until now), but read/assumed that you could spawn a "normal" window (because the menu item/key-combo/hamburger buttons/context menus are all there) - indeed I have suggested this to others to test if the cause of an issue was PB mode (recently it was containers not working, then SDC addons not working - and both times the reply was, yes, that's it - not 100% sure if that means they followed my advice exactly - I'm guessing not)
So which is it: PB start mode->new window-> is this a normal window or a private window?
TCP/IP OS Fingerprinting returns my actual Windows NT kernel version even though I use
user_pref("general.oscpu.override", "Windows NT 6.1");
Is there something that can be done?
dom.event.contextmenu.enabled, currently under 2200 UI Meddling. Issue created because someone else queried it - so let's discuss it.
Personally, I find it annoying that sites remove my right click context, and only a handful of sites I use use it (for enhanced functionality/features), and it is handy - but I just bypass that functionality, or use a secondary browser. While it nicely fits in the section, it really, IMO, has no privacy issues.
The other issue is, how widespread is sites abusing this, if at all. What does setting a nothing right click context achieve (is this the ruse they use to disable selecting text?). I have no idea because it's been disabled for me for years.
IF there are no security (and privacy) concerns, then should this be moved to the personal section?
This section IMO doesn't really belong in the main js, which is meant to be for privacy, security, FP'ing tweaks. I originally added webm as the default differed (but not any more) and I wanted to view them occasionally. Then feature creep happened - partly because of the changes and migration on the web from flash to html5 (I wanted to make sure all the youtube boxes came up ticked, so users can ditch flash more comfortably), and now it's expanded to include flac and so on. It ended up under the "media" section over the course of its lifespan so far. I think it's still good information to have, but I see no security issues here.
In FF52 the defaults for all are true, so we differ on 5 of them. Is this FP'able in any way? Does it really matter?
/* currently as in the user.js ***/
/* 2025: enable/disable various media types [SETUP] ***/
user_pref("media.mp4.enabled", true);
user_pref("media.flac.enabled", true); // (FF51+)
user_pref("media.ogg.enabled", false);
user_pref("media.ogg.flac.enabled", false); // (FF51+)
user_pref("media.opus.enabled", false);
user_pref("media.raw.enabled", false);
user_pref("media.wave.enabled", false);
user_pref("media.webm.enabled", true);
user_pref("media.wmf.enabled", true); // https://www.youtube.com/html5 - for the two H.264 entries
I propose setting the lot to true, commenting them all out, and moving to the personal section. At the very least, this removes ambiguity over privacy/security concerns, and reduces any possible breakage.
The 1600: Referers section needs some love. We have some changes coming up in the next release (52). These are
Deprecated in 52+
1601: network.http.sendSecureXSiteReferrer
New in 52+ (currently in section 9999)
// 1600's: restrict the contents of referrers attached to cross-origin requests (FF52+)
// 0- 1- 2-scheme+hostname+port
// user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
// 1600's: default referrer fallback override? (FF52+?)
// 0-no-referer 1-same-origin 2-strict-origin-when-cross-origin
// 3-no-referrer-when-downgrade (default)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1304623
// user_pref("network.http.referer.userControlPolicy", 3);
I also came across this article released today: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ which nicely describes what each type of referer does exactly. Might be a good ref for you @pyllyukko
The 1600's section currently has only one active pref, and recommends using an add-on. In 52, it could be completely inactive - this doesn't seem right - surely some of these 7 prefs by default could be tightened up? And I think the section still needs better explanation (it's getting a bit confusing). I don't mind losing all the numbering and starting from scratch, so it's logical. @fmarier 's opinion here would be great. Especially what the inactive defaults should be. Do we set them at FF defaults, or at most private or at a balance for less site breakage - and the new ones, what do we do with those: the first of which I have not filled in what 0 or 1 means, and I'd also like someone else to confirm what I already have is ok/right, including the descriptions.
Just using a new issue to deal with this rather than OT elsewhere.
Here is a pastebin which expires in 24hrs.
Because every single non user_pref line is modified, I have taken the opportunity to do more than that. All up:
[WARNING] and [SETUP]
The idea, without going overboard, with the [WARNING] and [SETUP] tags is that warning is more about (major) site breaking etc and setup is stuff that is optional or should be looked at when setting up - doh! By that, I mean that 90% of the 270+ numbered items cause zero breakage or issues, 5% are optional i.e the user can make an informed decision and knows the drawbacks (eg keeping history), and the rest are items that cause site breakage or are bad to implement etc. The two tags can be used in conjunction (i.e more than one tag per item), they can be at the end of a section title, at the end of a preference number title, in a comment at the end of a user_pref line, in the middle of a section description, or at the start of an item's warning section etc.
@earthlng I have tested it for syntax, etc. Do one of your compares to make sure no pref values got changed, or prefs switched between active/inactive. And then make any changes you want and pastebin me back a version. Make any changes you want (ignore passwords/referrers sections), because this is a one time deal since 70% of the lines are going to change. Take your time.
@everyone else - if you want to proof-read it when you have some time, or offer suggestions, go for it. I can do the commit when we're all happy.
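The "compare" asked for above, and the v51 vs v52 prefs diff posted earlier, can be done with a small parser. This is an added example, not the project's own compare script: all function names are mine, and the two file contents at the bottom are constructed for the demo. It reports matching / new / gone / different prefs and, the check that matters most during a rewrite, prefs that switched between active and commented out.

```python
"""Added example, not the project's own compare script: diff two versions of a user.js
(or Firefox prefs dump) into matching / new / gone / different, plus prefs that switched
between active and commented-out. The two file contents at the bottom are constructed."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Matches  user_pref("name", value);  or  pref("name", value);  active or commented out
# with a leading //. Anything after the ';' (e.g. a trailing comment) is ignored.
PREF_RE = re.compile(
    r'^\s*(?P<off>//\s*)?(?:user_)?pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;'
)

class Pref(NamedTuple):
    value: str    # raw value text as written: true, 10, "Win32", ...
    active: bool  # False when the line is commented out

class Report(NamedTuple):
    matching: int
    new: Dict[str, Pref]
    gone: Dict[str, Pref]
    changed: Dict[str, Tuple[Pref, Pref]]  # same active state, different value
    toggled: Dict[str, Tuple[Pref, Pref]]  # switched between active and inactive

def parse_prefs(text: str) -> Dict[str, Pref]:
    """Map pref name -> Pref. A later line for the same name wins, as in Firefox."""
    prefs: Dict[str, Pref] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m["name"]] = Pref(m["value"], m["off"] is None)
    return prefs

def diff_prefs(old: Dict[str, Pref], new: Dict[str, Pref]) -> Report:
    """Classify every pref; 'toggled' catches a pref (un)commented by accident in a big rewrite."""
    matching = 0
    changed: Dict[str, Tuple[Pref, Pref]] = {}
    toggled: Dict[str, Tuple[Pref, Pref]] = {}
    for name in old.keys() & new.keys():
        o, n = old[name], new[name]
        if o.active != n.active:
            toggled[name] = (o, n)
        elif o.value != n.value:
            changed[name] = (o, n)
        else:
            matching += 1
    return Report(matching,
                  {k: v for k, v in new.items() if k not in old},
                  {k: v for k, v in old.items() if k not in new},
                  changed, toggled)

def format_report(r: Report) -> str:
    """Render in the ==NEW / ==REMOVED / ==CHANGED style of the diff post."""
    def state(p: Pref) -> str: return "active" if p.active else "inactive"
    diffs = len(r.new) + len(r.gone) + len(r.changed) + len(r.toggled)
    out: List[str] = [
        f"* {r.matching} matching prefs",
        f"* {diffs} diffs ( {len(r.new)} new, {len(r.gone)} gone, {len(r.changed)} different, "
        f"{len(r.toggled)} active/inactive switched )",
        "==NEW"]
    out += [f'* pref("{k}", {v.value});' for k, v in sorted(r.new.items())]
    out.append("==REMOVED or HIDDEN")
    out += [f'* pref("{k}", {v.value});' for k, v in sorted(r.gone.items())]
    out.append("==CHANGED")
    out += [f'pref("{k}", {n.value}); // prev: {o.value}' for k, (o, n) in sorted(r.changed.items())]
    out.append("==ACTIVE/INACTIVE SWITCHED")
    out += [f"{k}: {state(o)} -> {state(n)}" for k, (o, n) in sorted(r.toggled.items())]
    return "\n".join(out)

def compare_texts(old_text: str, new_text: str) -> Report:
    return diff_prefs(parse_prefs(old_text), parse_prefs(new_text))

# Constructed sample: a pre-FF52 user.js and its FF52 revision (values chosen for the demo).
OLD_USER_JS = """\
user_pref("network.http.sendSecureXSiteReferrer", false);
user_pref("browser.sessionhistory.max_entries", 4);
// user_pref("security.ssl3.rsa_aes_128_sha", false);
user_pref("privacy.donottrackheader.enabled", true);
user_pref("media.webm.enabled", true);
"""
NEW_USER_JS = """\
user_pref("browser.sessionhistory.max_entries", 10); // previously: 4
user_pref("security.ssl3.rsa_aes_128_sha", false);
user_pref("privacy.donottrackheader.enabled", false); // enforcing FF52 default value
user_pref("media.webm.enabled", true);
// user_pref("network.http.referer.userControlPolicy", 3); // not in FF52 - new in FF53
"""

if __name__ == "__main__":
    print(format_report(compare_texts(OLD_USER_JS, NEW_USER_JS)))
```

Run it against two real user.js revisions by reading each file into `compare_texts`; the ACTIVE/INACTIVE SWITCHED section is the list to scrutinise after a large reformat.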