diff --git a/README.md b/README.md
index b976166..41bc976 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 # Privafox-Firefox
-This project aim to fix security and privacy issues related to firefox without loosing speed performances. It uses `mozilla.cfg` and `policies.json`.
+This project aim to fix security and privacy issues related to firefox without loosing speed performances. It uses `local-settings.js`, `mozilla.cfg` and `policies.json`.
 Features :
 ----------
@@ -13,11 +13,11 @@ Download :
 ----------
 Official builds with privafox
-- [Privafox-1.5-Firefox-Linux-63.0.3.tar.bz2](https://github.com/intika/privafox-firefox/releases/download/Privafox-v1.5-v63.0.3/privafox-1.5-firefox-linux-63.0.3.tar.bz2) - 51.8 MB - SHA1 : 4295799cc3bbc809eaa56a6fe347f30c0af737c5
+- [Privafox-1.8-Firefox-Linux-63.0.3.tar.bz2](https://github.com/intika/privafox-firefox/releases/download/Privafox-v1.8-v63.0.3/Privafox-1.8-Firefox-Linux-63.0.3.tar.bz2) - 51.8 MB - SHA1 : 321152189184ca9e2b3500a0aa5c5c47aff5999f
-- [Privafox-1.5-Firefox-Windows-63.0.3.zip](https://github.com/intika/privafox-firefox/releases/download/Privafox-v1.5-v63.0.3/privafox-1.5-firefox-win-63.0.3.zip) - 60.3 MB - SHA1 : 89b0234770e60cbd9c41f0d59e42283e44d17d60
+- [Privafox-1.8-Firefox-Windows-63.0.3.zip](https://github.com/intika/privafox-firefox/releases/download/Privafox-v1.8-v63.0.3/Privafox-1.8-Firefox-Windows-63.0.3.zip) - 60.3 MB - SHA1 : 4dba7913435d5517f4e10f7b55aa395e5088b143
-- [Privafox-1.5-Firefox-Mac-63.0.3.dmg](https://github.com/intika/privafox-firefox/releases/download/Privafox-v1.5-v63.0.3/privafox-1.5-firefox-mac-63.0.3.dmg) - 60.5 MB - SHA1 : 5b57e9996fb7017cb2444958bef8ac8338ac19a4
+- [Privafox-1.8-Firefox-Mac-63.0.3.dmg](https://github.com/intika/privafox-firefox/releases/download/Privafox-v1.8-v63.0.3/Privafox-1.8-Firefox-Mac-63.0.3.dmg) - 60.5 MB - SHA1 : e693b9141098456a419ed7fb71f4b8c42001cde9
 Capture :
 ---------
@@ -135,6 +135,8 @@ Settings Index (`mozilla.cfg`) :
 Documentation :
 ---------------
+**Local-settings.js** : Defaulting firefox settings
+
 **Mozilla.cfg** : Locking firefox settings for security, privacy & prevent settings changes
 **Policies.json** : The policies.json is cross-platform compatible, making it preferred method for enterprise environments that have workstations running various operating systems (the settings availables with `policies.json` are limited right now because this is a new feature of firefox)
@@ -143,8 +145,9 @@ Documentation :
 **lockPref** : Locked preference can not be changed on firefox, nor by extensions, can only be changed here
-**Section** : Description of the settings section separated by "----"
+**Section** : Description of the settings section separated by ">>>..."
+**Defaulting VS Enforcing** : Default settings value are changed in `local-settings.js` and enforced settings are changed in `mozilla.cfg`, defaulted setting can be changed by the user in the browser while enforced settings are locked and can not be changed
 Building and packaging :
 ------------------------
diff --git a/background.png b/packages/background.png
similarity index 100%
rename from background.png
rename to packages/background.png
diff --git a/privafox/defaults/pref/local-settings.js b/privafox/defaults/pref/local-settings.js
deleted file mode 100644
index 1c70f7d..0000000
--- a/privafox/defaults/pref/local-settings.js
+++ /dev/null
@@ -1,5 +0,0 @@
-/* Intika MoD
-*/
-
-pref("general.config.filename", "mozilla.cfg");
-pref("general.config.obscure_value", 0);
diff --git a/privafox/defaults/pref/local-settings.js b/privafox/defaults/pref/local-settings.js
new file mode 120000
index 0000000..a0f5bc7
--- /dev/null
+++ b/privafox/defaults/pref/local-settings.js
@@ -0,0 +1 @@
+../../../../defaults/pref/local-settings.js
\ No newline at end of file
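Review bot: The symlink added in the last hunk resolves outside the repository: from `privafox/defaults/pref/` three `..` segments reach the checkout root and the fourth climbs above it, so `../../../../defaults/pref/local-settings.js` dangles in a fresh clone unless `privafox/` is meant to be placed one directory deeper before use; the `policies.json` link in the next file section has the same off-by-one (`../../../distribution/policies.json` from `privafox/distribution/` also lands one level above the root). If the intended targets are the repository's own `defaults/pref/local-settings.js` and `distribution/policies.json`, the links should read `../../../defaults/pref/local-settings.js` and `../../distribution/policies.json`. This matters for the hardening itself: the deleted file is what set `general.config.filename` to `mozilla.cfg`, so a dangling link means Firefox starts without the locked preferences and nothing reports it, while a link that happens to resolve on a build machine makes the packaged configuration depend on whatever sits next to the checkout there. Symlinks (mode 120000) also cannot be assumed to survive the Windows zip and Mac dmg packaging listed in the README, so the packaging step should dereference them and check that the copied files are regular files.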
diff --git a/privafox/distribution/policies.json b/privafox/distribution/policies.json
deleted file mode 100644
index 7d46ec8..0000000
--- a/privafox/distribution/policies.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "policies": {
- "AppUpdateURL": "",
- "DisableAppUpdate": true,
- "DisableFeedbackCommands": true,
- "DisableFirefoxAccounts": true,
- "DisableFirefoxStudies": true,
- "DisablePocket": true,
- "DisableProfileImport": true,
- "DisableSetDesktopBackground": true,
- "DisableSystemAddonUpdate": true,
- "DisableTelemetry": true,
- "DontCheckDefaultBrowser": true,
- "SanitizeOnShutdown": true
- }
-}
diff --git a/privafox/distribution/policies.json b/privafox/distribution/policies.json
new file mode 120000
index 0000000..994947b
--- /dev/null
+++ b/privafox/distribution/policies.json
@@ -0,0 +1 @@
+../../../distribution/policies.json
\ No newline at end of file
diff --git a/privafox/mozilla.cfg b/privafox/mozilla.cfg
deleted file mode 100644
index cd655d2..0000000
--- a/privafox/mozilla.cfg
+++ /dev/null
@@ -1,1423 +0,0 @@ -// - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - -// -// Version : 1.5 -// -// Privafox-Firefox : Tunning firefox settings (js/cfg/user/about:config) for a better security, privacy and performances -// -// Mozilla.CFG : Locking firefox settings for security, privacy & prevent settings changes -// -// Autor : Intika - intikadev (at) gmail.com -// -// Donation : Paypal : intikadev (at) gmail.com -// -// Site : https://github.com/intika/privafox-firefox -// -// Based on : User.js (https://github.com/pyllyukko/user.js/) and PrivaConf (https://addons.mozilla.org/en-US/firefox/addon/privaconf/) -// Thanks to : pyllyukko and honesty -// -// Documentation : -// --------------- -// "Section" : Description of the settings section separated by "----" -// "Bench Diff" : Impact on the performances of firefox can be a gain or loss of performance -// +100/5000 stand for 2% gained performance and -1500/5000 stand for -30% performance loss -// Performance can be tested here : https://intika.github.io/octane/ -// bench need to be launched with other applications closed and with no other activity but -// the bunchmark, also the bunch need to be lunched at least 3 times (then make an average) -// "Pref" : Preference/Settings name -// "lockPref" : Locked preference can not be changed on firefox, nor by extensions, can only be changed here -// - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - -// -// Index : -// ------- -// -// Section : Performances 1/5 // Bench Diff : +650 / 5000 -// Section : Performances 2/5 // Bench Diff : -800 / 5000 -// Section : Performances 3/5 // Bench Diff : -1720 / 5000 -// Section : Performances 4/5 // Bench Diff : -200 / 5000 -// Section : Performances 
5/5 // Bench Diff : -50 / 5000 -// ---------------------------------------- -// Section : Controversial // Bench Diff : +0 / 5000 -// Section : Cookies Settings // Bench Diff : +0 / 5000 -// Section : Firefox ResistFingerprinting // Bench Diff : +0 / 5000 -// Section : Locale/Time // Bench Diff : +0 / 5000 -// Section : Ghacks-user Select // Bench Diff : +100 / 5000 -// ---------------------------------------- -// Section : General Settings 1/3 // Bench Diff : +100 / 5000 -// Section : General Settings 2/3 // Bench Diff : +0 / 5000 -// Section : General Settings 3/3 // Bench Diff : -40 / 5000 -// ---------------------------------------- -// Section : Security 1/3 // Bench Diff : +0/5000 -// Section : Security 2/3 // Bench Diff : +0/5000 -// Section : Security 3/3 (Cipher) // Bench Diff : +0/5000 -// ---------------------------------------- -// Section : Microsoft Windows // Bench Diff : ???/5000 -// ---------------------------------------- -// Section : Disabled // Bench Diff : ???/5000 -// - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Performances 1/5 -// Bench Diff : +650/5000 - -// Bench Diff : +100/5000 -// Increases animation speed. May mitigate choppy scrolling. -lockPref("layout.frame_rate.precise", true); - -// Bench Diff : +500/5000 -// Enable Hardware Acceleration and Off Main Thread Compositing (OMTC). -// It's likely your browser is already set to use these features. -// May introduce instability on some hardware. 
-lockPref("webgl.force-enabled", true); -lockPref("layers.acceleration.force-enabled", true); - -// Bench Diff : 0/5000 -lockPref("html5.offmainthread", true); -lockPref("layers.offmainthreadcomposition.enabled", true); -lockPref("layers.offmainthreadcomposition.async-animations", true); -lockPref("layers.async-video.enabled", true); - -// Bench Diff : +50/5000 -lockPref("browser.tabs.animate", false); -lockPref("browser.download.animateNotifications", false); - -// Bench Diff : -80/5000 -// Pref : Spoof CPU Core Def 16 -//lockPref("dom.maxHardwareConcurrency", 8); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Performances 2/5 -// Bench Diff : -800/5000 - -// Bench Diff : -500/5000 -// Tell garbage collector to start running when javascript is using xx MB of memory. -// Garbage collection releases memory back to the system. -// Apparently does not do better on testing... but worst -//lockPref("javascript.options.mem.high_water_mark", 96); - -// Bench Diff : -200/5000 -// Pref : Disable WebAssembly -// https://webassembly.org/ -// https://en.wikipedia.org/wiki/WebAssembly -// https://trac.torproject.org/projects/tor/ticket/21549 -//lockPref("javascript.options.wasm", false); - -// Bench Diff : -100/5000 -// Pref : Prevent font fingerprinting -// https://browserleaks.com/fonts -// https://github.com/pyllyukko/user.js/issues/120 -//lockPref("browser.display.use_document_fonts", 0); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Performances 3/5 -// Bench Diff : -1720/5000 - -// Bench Diff : -220/5000 -// Pref : Disable webGL I/II -// WebGL introduce high fingerprinting... 
(webgl is direct hardware js) -lockPref("webgl.disabled", true); -lockPref("webgl.enable-webgl2", false); -lockPref("webgl.min_capability_mode", true); - -// Bench Diff : 0/5000 -// Pref : Disable webGL II/II -// WebGL introduce high fingerprinting... (webgl is direct hardware js) -lockPref("pdfjs.enableWebGL", false); -lockPref("webgl.disable-extensions", true); -lockPref("webgl.disable-fail-if-major-performance-caveat", true); -lockPref("webgl.enable-debug-renderer-info", false); - -// Bench Diff : -1500/5000 -// Pref : Disable asm.js -// http://asmjs.org/ -// https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/ -// https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/ -// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712 -//lockPref("javascript.options.asmjs", false); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Performances 4/5 -// Bench Diff : -200/5000 - -// Pref : JS Shared Memory - Default false -// https://github.com/MrAlex94/Waterfox/issues/356 -lockPref("javascript.options.shared_memory", false); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Performances 5/5 -// Bench Diff : -50/5000 - -/* 2302: disable service workers - * Service workers essentially act as proxy servers that sit between web apps, and the browser - * and network, are event driven, and can control the web page/site it is associated with, - * intercepting and modifying navigation and resource requests, and caching resources. - * [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode. - * [NOTE] Service workers only run over HTTPS. Service Workers have no DOM access. 
***/ -lockPref("dom.serviceWorkers.enabled", false); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Controversial -// Bench Diff : +0/5000 - -// Pref : Disable IndexedDB (disabled) -// https://developer.mozilla.org/en-US/docs/IndexedDB -// https://en.wikipedia.org/wiki/Indexed_Database_API -// https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review -// http://forums.mozillazine.org/viewtopic.php?p=13842047 -// https://github.com/pyllyukko/user.js/issues/8 -// NOTICE-DISABLED: IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled -lockPref("dom.indexedDB.enabled", false); -lockPref("dom.indexedDB.logging.details", false); -lockPref("dom.indexedDB.logging.enabled", false); - -/* 2516: disable PointerEvents - * [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent ***/ -lockPref("dom.w3c_pointer_events.enabled", false); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Cookies Settings -// Bench Diff : +0/5000 - -// Pref : Accept Only 1st Party Cookies -// http://kb.mozillazine.org/Network.cookie.cookieBehavior#1 -// NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways -// CIS 2.5.1 -lockPref("network.cookie.cookieBehavior", 1); - -// Pref : Cookies expires at the end of the session (when the browser closes) -// http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2 -lockPref("network.cookie.lifetimePolicy", 2); - -// Pref : Disable Cookie Exception Button -lockPref("pref.privacy.disable_button.cookie_exceptions", false); - -// 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Firefox ResistFingerprinting -// Bench Diff : +0/5000 -// Overrided by 'privacy.resistFingerprinting' this need to be -// kept disabled to make resistFingerprinting efficient -// https://wiki.mozilla.org/Security/Fingerprinting - -// Pref : Enable hardening against various fingerprinting vectors (Tor Uplift project) -// https://wiki.mozilla.org/Security/Tor_Uplift/Tracking -// https://bugzilla.mozilla.org/show_bug.cgi?id=1333933 -lockPref("privacy.resistFingerprinting", true); - -// 4503: disable mozAddonManager Web API (FF57+) -// [NOTE] As a side-effect in FF57-59 this allowed extensions to work on AMO. In FF60+ you also need -// to sanitize or clear extensions.webextensions.restrictedDomains (see 2662) to keep that side-effect -// [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 -lockPref("privacy.resistFingerprinting.block_mozAddonManager", true); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Locale/Time/UserAgent -// Bench Diff : +0/5000 -// Overrided by 'privacy.resistFingerprinting' thin need to be kept disabled -// to make resistFingerprinting efficient - -/* 0864: disable date/time picker (FF57+ default true) - * This can leak your locale if not en-US - * [1] https://trac.torproject.org/projects/tor/ticket/21787 ***/ -//lockPref("dom.forms.datetime", false); - -// Pref : Prevent leaking application locale/date format using JavaScript -// https://bugzilla.mozilla.org/show_bug.cgi?id=867501 -// https://hg.mozilla.org/mozilla-central/rev/52d635f2b33d -//lockPref("javascript.use_us_english_locale", true); - -// Pref : Don't use OS values to determine locale, force using 
Firefox locale setting -// http://kb.mozillazine.org/Intl.locale.matchOS -//lockPref("intl.locale.matchOS", false); - -// Pref : Set Accept-Language HTTP header to en-US regardless of Firefox localization -// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language -lockPref("intl.accept_languages", "en-US, en"); -//lockPref("intl.regional_prefs.use_os_locales", false); - -//lockPref("general.useragent.locale", "en-US"); -//lockPref("intl.locale.requested", "en-US"); - -// Ignored Because Of "privacy.resistFingerprintin" -// Pref : Spoof User-agent (disabled) -//lockPref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0, 45"); -//lockPref("general.appname.override", "Netscape"); -//lockPref("general.appversion.override", "5.0 (Windows)"); -//lockPref("general.platform.override", "Win32"); -//lockPref("general.oscpu.override", "Windows NT 6.1"); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Ghacks-user Select -// Bench Diff : +100/5000 - -/* 0707: disable (or setup) DNS-over-HTTPS (DoH) (FF60+) - * TRR = Trusted Recursive Resolver - * .mode: 0=off, 1=race, 2=TRR first, 3=TRR only, 4=race for stats, but always use native result - * [WARNING] DoH bypasses hosts and gives info to yet another party (e.g. 
Cloudflare) - * [1] https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/ - * [2] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ ***/ -lockPref("network.trr.mode", 0); -lockPref("network.trr.bootstrapAddress", ""); -lockPref("network.trr.uri", ""); - -/* 0101: disable default browser check - * [SETTING] General>Startup>Always check if Firefox is your default browser ***/ -lockPref("browser.shell.checkDefaultBrowser", false); - -/* 0333: disable health report - * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical... data ***/ -lockPref("datareporting.healthreport.uploadEnabled", false); - -/* 0426: enforce Content Blocking (required to block cookies) (FF63+) ***/ -lockPref("browser.contentblocking.enabled", true); // default: true - -/* 0516: disable Onboarding (FF55+) - * Onboarding is an interactive tour/setup for new installs/profiles and features. Every time - * about:home or about:newtab is opened, the onboarding overlay is injected into that page - * [NOTE] Onboarding uses Google Analytics [2], and leaks resource://URIs [3] - * [1] https://wiki.mozilla.org/Firefox/Onboarding - * [2] https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf - * [3] https://bugzilla.mozilla.org/863246#c154 ***/ -lockPref("browser.onboarding.enabled", false); - -/* 0518: disable Web Compatibility Reporter (FF56+) - * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/ -lockPref("extensions.webcompat-reporter.enabled", false); - -/* 0608: disable predictor / prefetching (FF48+) ***/ -lockPref("network.predictor.enable-prefetch", false); - -/* 0702: disable HTTP2 (which was based on SPDY which is now deprecated) - * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to enhance - * privacy, and in fact opens up a number of server-side fingerprinting opportunities - * [1] https://http2.github.io/faq/ - * [2] 
https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html - * [3] https://queue.acm.org/detail.cfm?id=2716278 - * [4] https://github.com/ghacksuserjs/ghacks-user.js/issues/107 ***/ -//lockPref("network.http.spdy.enabled", false); -//lockPref("network.http.spdy.enabled.deps", false); -//lockPref("network.http.spdy.enabled.http2", false); -//https://github.com/ghacksuserjs/ghacks-user.js/issues/107 - -/* 0703: disable HTTP Alternative Services (FF37+) - * [1] https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3970881 - * [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/ -lockPref("network.http.altsvc.enabled", false); -lockPref("network.http.altsvc.oe", false); - -/* 0706: remove paths when sending URLs to PAC scripts (FF51+) - * CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) - * [1] https://bugzilla.mozilla.org/1255474 ***/ -lockPref("network.proxy.autoconfig_url.include_path", false); // default: false - -/* 0709: disable using UNC (Uniform Naming Convention) paths (FF61+) - * [1] https://trac.torproject.org/projects/tor/ticket/26424 ***/ -lockPref("network.file.disable_unc_paths", true); // (hidden pref) - -/* 0710: disable GIO as a potential proxy bypass vector - * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda, - * gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64) - * [1] https://bugzilla.mozilla.org/1433507 - * [2] https://trac.torproject.org/23044 - * [3] https://en.wikipedia.org/wiki/GVfs - * [4] https://en.wikipedia.org/wiki/GIO_(software) ***/ -lockPref("network.gio.supported-protocols", ""); // (hidden pref) - -/* 0804: limit history leaks via enumeration (PER TAB: back/forward) - PRIVACY - * This is a PER TAB session history. 
You still have a full history stored under all history - * default=50, minimum=1=currentpage, 2 is the recommended minimum as some pages - * use it as a means of referral (e.g. hotlinking), 4 or 6 or 10 may be more practical ***/ -lockPref("browser.sessionhistory.max_entries", 10); - -/* 0809: disable location bar suggesting "preloaded" top websites (FF54+) - * [1] https://bugzilla.mozilla.org/1211726 ***/ -lockPref("browser.urlbar.usepreloadedtopurls.enabled", false); - -/* 0810: disable location bar making speculative connections (FF56+) - * [1] https://bugzilla.mozilla.org/1348275 ***/ -lockPref("browser.urlbar.speculativeConnect.enabled", false); - -/* 0850e: disable location bar one-off searches (FF51+) - * [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ ***/ -lockPref("browser.urlbar.oneOffSearches", false); - -/* 0906: disable websites' autocomplete="off" (FF30+) - * Don't let sites dictate use of saved logins and passwords. Increase security through - * stronger password use. The trade-off is the convenience. Some sites should never be - * saved (such as banking sites). Set at true, informed users can make their own choice. ***/ -lockPref("signon.storeWhenAutocompleteOff", true); // default: true - -/* 0911: prevent cross-origin images from triggering an HTTP-Authentication prompt (FF55+) - * [1] https://bugzilla.mozilla.org/1357835 ***/ -lockPref("network.auth.subresource-img-cross-origin-http-auth-allow", false); - -/* 1021: disable storing extra session data - * extra session data contains contents of forms, scrollbar positions, cookies and POST data - * define on which sites to save extra session data: - * 0=everywhere, 1=unencrypted sites, 2=nowhere ***/ -lockPref("browser.sessionstore.privacy_level", 2); - -/* 1023: set the minimum interval between session save operations - increasing it - * can help on older machines and some websites, as well as reducing writes, see [1] - * Default is 15000 (15 secs). 
Try 30000 (30sec), 60000 (1min) etc - * [WARNING] This can also affect entries in the "Recently Closed Tabs" feature: - * i.e. the longer the interval the more chance a quick tab open/close won't be captured. - * This longer interval *may* affect history but we cannot replicate any history not recorded - * [1] https://bugzilla.mozilla.org/1304389 ***/ -lockPref("browser.sessionstore.interval", 60000); - -/* 1030: disable favicons in shortcuts - * URL shortcuts use a cached randomly named .ico file which is stored in your - * profile/shortcutCache directory. The .ico remains after the shortcut is deleted. - * If set to false then the shortcuts use a generic Firefox icon ***/ -lockPref("browser.shell.shortcutFavicons", false); - -/* 1032: disable favicons in web notifications ***/ -lockPref("alerts.showFavicons", false); // default: false - -/* 1201: disable old SSL/TLS "insecure" renegotiation (vulnerable to a MiTM attack) - * [WARNING] <2% of secure sites do NOT support the newer "secure" renegotiation, see [2] - * [1] https://wiki.mozilla.org/Security:Renegotiation - * [2] https://www.ssllabs.com/ssl-pulse/ ***/ -lockPref("security.ssl.require_safe_negotiation", true); - -/* 1205: disable TLS1.3 0-RTT (round-trip time) (FF51+) - * [1] https://github.com/tlswg/tls13-spec/issues/1001 - * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ -lockPref("security.tls.enable_0rtt_data", false); // (FF55+ default true) - -/* 1272: display advanced information on Insecure Connection warning pages - * only works when it's possible to add an exception - * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/) - * [TEST] https://expired.badssl.com/ ***/ -lockPref("browser.xul.error_pages.expert_bad_cert", true); - -/* 1407: disable special underline handling for a few fonts which you will probably never use [RESTART] - * Any of these fonts on your system can be enumerated for fingerprinting. 
- * [1] http://kb.mozillazine.org/Font.blacklist.underline_offset ***/ -lockPref("font.blacklist.underline_offset", ""); - -/* 1408: disable graphite which FF49 turned back on by default - * In the past it had security issues. Update: This continues to be the case, see [1] - * [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 ***/ -lockPref("gfx.font_rendering.graphite.enabled", false); - -/* 1604: CROSS ORIGIN: control the amount of information to send (FF52+) - * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ -lockPref("network.http.referer.XOriginTrimmingPolicy", 2); - -/* 1605: ALL: disable spoofing a referer - * [WARNING] Spoofing effectively disables the anti-CSRF (Cross-Site Request Forgery) protections that some sites may rely on ***/ -// Default false -lockPref("network.http.referer.spoofSource", false); - -/* 1801: set default plugin state (i.e. new plugins on discovery) to never activate - * 0=disabled, 1=ask to activate, 2=active - you can override individual plugins ***/ -lockPref("plugin.default.state", 1); -lockPref("plugin.defaultXpi.state", 1); - -/* 1825: disable widevine CDM (Content Decryption Module) [SETUP] ***/ -lockPref("media.gmp-widevinecdm.visible", false); -lockPref("media.gmp-widevinecdm.enabled", false); -lockPref("media.gmp-widevinecdm.autoupdate", false); - -/* 2001: disable WebRTC (Web Real-Time Communication) - * [1] https://www.privacytools.io/#webrtc ***/ -lockPref("media.peerconnection.use_document_iceservers", false); -lockPref("media.peerconnection.video.enabled", false); -lockPref("media.peerconnection.identity.enabled", false); -lockPref("media.peerconnection.identity.timeout", 1); -lockPref("media.peerconnection.turn.disable", true); -lockPref("media.peerconnection.ice.tcp", false); - -/* 2026: disable canvas capture stream (FF41+) - * [1] https://developer.mozilla.org/docs/Web/API/HTMLCanvasElement/captureStream ***/ -lockPref("canvas.capturestream.enabled", false); - 
-/* 2027: disable camera image capture (FF35+) - * [1] https://trac.torproject.org/projects/tor/ticket/16339 ***/ -lockPref("dom.imagecapture.enabled", false); // default: false - -/* 2028: disable offscreen canvas (FF44+) - * [1] https://developer.mozilla.org/docs/Web/API/OffscreenCanvas ***/ -lockPref("gfx.offscreencanvas.enabled", false); // default: false - -/* 2201: prevent websites from disabling new window features - * [1] http://kb.mozillazine.org/Prevent_websites_from_disabling_new_window_features ***/ -lockPref("dom.disable_window_open_feature.close", true); -lockPref("dom.disable_window_open_feature.location", true); // default: true -lockPref("dom.disable_window_open_feature.menubar", true); -lockPref("dom.disable_window_open_feature.minimizable", true); -lockPref("dom.disable_window_open_feature.personalbar", true); // bookmarks toolbar -lockPref("dom.disable_window_open_feature.resizable", true); // default: true -lockPref("dom.disable_window_open_feature.status", true); // status bar - default: true -lockPref("dom.disable_window_open_feature.titlebar", true); -lockPref("dom.disable_window_open_feature.toolbar", true); - -/* 2202: prevent scripts moving and resizing open windows ***/ -lockPref("dom.disable_window_move_resize", true); - -/* 2203: open links targeting new windows in a new tab instead - * This stops malicious window sizes and some screen resolution leaks. - * You can still right-click a link and open in a new window. 
- * [TEST] https://people.torproject.org/~gk/misc/entire_desktop.html - * [1] https://trac.torproject.org/projects/tor/ticket/9881 ***/ -lockPref("browser.link.open_newwindow", 3); -lockPref("browser.link.open_newwindow.restriction", 0); - -/* 2426: disable Intersection Observer API (FF53+) - * Almost a year to complete, three versions late to stable (as default false), - * number #1 cause of crashes in nightly numerous times, and is (primarily) an - * ad network API for "ad viewability checks" down to a pixel level - * [1] https://developer.mozilla.org/docs/Web/API/Intersection_Observer_API - * [2] https://w3c.github.io/IntersectionObserver/ - * [3] https://bugzilla.mozilla.org/1243846 ***/ -lockPref("dom.IntersectionObserver.enabled", false); - -/* 2601: prevent accessibility services from accessing your browser [RESTART] - * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser - * [1] https://support.mozilla.org/kb/accessibility-services ***/ -lockPref("accessibility.force_disabled", 1); - -/* 2606: disable UITour backend so there is no chance that a remote page can use it ***/ -lockPref("browser.uitour.enabled", false); -lockPref("browser.uitour.url", ""); - -/* 2611: disable middle mouse click opening links from clipboard - * [1] https://trac.torproject.org/projects/tor/ticket/10089 - * [2] http://kb.mozillazine.org/Middlemouse.contentLoadURL ***/ -lockPref("middlemouse.contentLoadURL", false); - -/* 2616: remove special permissions for certain mozilla domains (FF35+) - * [1] resource://app/defaults/permissions ***/ -lockPref("permissions.manager.defaultsUrl", ""); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : General Settings 1/3 -// Bench Diff : +100/5000 - -lockPref("devtools.onboarding.telemetry.logged", false); -lockPref("urlclassifier.malwareTable", 
"");
-lockPref("urlclassifier.trackingTable", "");
-lockPref("services.sync.engine.addresses.available", false);
-lockPref("browser.bookmarks.restore_default_bookmarks", false);
-lockPref("pdfjs.previousHandler.alwaysAskBeforeHandling", true);
-lockPref("pref.general.disable_button.default_browser", false);
-lockPref("pref.privacy.disable_button.tracking_protection_exceptions", false);
-lockPref("pref.privacy.disable_button.view_passwords", false);
-lockPref("identity.mobilepromo.android", "");
-lockPref("extensions.systemAddon.update.url", "");
-lockPref("datareporting.healthreport.about.reportUrl", "");
-lockPref("datareporting.healthreport.infoURL", "");
-lockPref("browser.urlbar.daysBeforeHidingSuggestionsPrompt", 0);
-lockPref("browser.urlbar.searchSuggestionsChoice", false);
-lockPref("browser.urlbar.timesBeforeHidingSuggestionsHint", 0);
-lockPref("browser.shell.didSkipDefaultBrowserCheckOnFirstRun", true);
-lockPref("app.feedback.baseURL", "");
-lockPref("app.normandy.enabled", false);
-lockPref("app.normandy.api_url", "");
-lockPref("app.normandy.first_run", false);
-lockPref("app.normandy.user_id", "");
-lockPref("app.releaseNotesURL", "");
-lockPref("app.update.auto", false);
-lockPref("extensions.update.autoUpdateDefault", false);
-lockPref("app.update.staging.enabled", false);
-lockPref("app.update.silent", false);
-lockPref("app.update.lastUpdateTime.telemetry_modules_ping", 0);
-lockPref("app.update.url", "");
-lockPref("app.update.url.details", "");
-lockPref("app.update.url.manual", "");
-lockPref("app.vendorURL", "");
-lockPref("breakpad.reportURL", "");
-lockPref("browser.chrome.errorReporter.submitUrl", "");
-lockPref("browser.chrome.errorReporter.enabled", false);
-lockPref("browser.contentblocking.reportBreakage.url", "");
-lockPref("browser.ping-centre.staging.endpoint", "");
-lockPref("browser.ping-centre.telemetry", false);
-lockPref("browser.safebrowsing.allowOverride", false);
-lockPref("browser.safebrowsing.blockedURIs.enabled", false);
-lockPref("browser.safebrowsing.downloads.enabled", false);
-lockPref("browser.safebrowsing.downloads.remote.block_dangerous", false);
-lockPref("browser.safebrowsing.downloads.remote.block_dangerous_host", false);
-lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
-lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false);
-lockPref("browser.safebrowsing.downloads.remote.enabled", false);
-lockPref("browser.safebrowsing.downloads.remote.url", "");
-lockPref("browser.safebrowsing.enabled", false);
-lockPref("browser.safebrowsing.malware.enabled", false);
-lockPref("browser.safebrowsing.passwords.enabled", false);
-lockPref("browser.safebrowsing.phishing.enabled", false);
-lockPref("browser.safebrowsing.provider.google4.advisoryURL", "");
-lockPref("browser.safebrowsing.provider.google4.dataSharingURL", "");
-lockPref("browser.safebrowsing.provider.google4.gethashURL", "");
-lockPref("browser.safebrowsing.provider.google4.lists", "");
-lockPref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", "");
-lockPref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", "");
-lockPref("browser.safebrowsing.provider.google4.reportURL", "");
-lockPref("browser.safebrowsing.provider.google4.updateURL", "");
-lockPref("browser.safebrowsing.provider.google.advisoryURL", "");
-lockPref("browser.safebrowsing.provider.google.gethashURL", "");
-lockPref("browser.safebrowsing.provider.google.lastupdatetime", "");
-lockPref("browser.safebrowsing.provider.google.lists", "");
-lockPref("browser.safebrowsing.provider.google.nextupdatetime", "");
-lockPref("browser.safebrowsing.provider.google.pver", "");
-lockPref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", "");
-lockPref("browser.safebrowsing.provider.google.reportPhishMistakeURL", "");
-lockPref("browser.safebrowsing.provider.google.reportURL", "");
-lockPref("browser.safebrowsing.provider.google.updateURL", "");
-lockPref("browser.safebrowsing.provider.mozilla.gethashURL", "");
-lockPref("browser.safebrowsing.provider.mozilla.lastupdatetime", "");
-lockPref("browser.safebrowsing.provider.mozilla.nextupdatetime", "");
-lockPref("browser.safebrowsing.provider.mozilla.updateURL", "");
-lockPref("browser.safebrowsing.reportPhishURL", "");
-lockPref("browser.search.suggest.enabled", false);
-lockPref("captivedetect.canonicalURL", "");
-lockPref("clipboard.autocopy", false);
-lockPref("datareporting.healthreport.service.enabled", false);
-lockPref("datareporting.policy.firstRunURL", "");
-lockPref("device.sensors.enabled", false);
-lockPref("devtools.devedition.promo.url", "");
-lockPref("devtools.devices.url", "");
-lockPref("devtools.gcli.imgurUploadURL", "");
-lockPref("devtools.gcli.jquerySrc", "");
-lockPref("devtools.gcli.underscoreSrc", "");
-lockPref("devtools.telemetry.supported_performance_marks", "");
-lockPref("devtools.telemetry.tools.opened.version", "");
-lockPref("dom.battery.enabled", false);
-lockPref("dom.gamepad.enabled", false);
-lockPref("dom.permissions.enabled", false);
-lockPref("dom.popup_maximum", 4);
-lockPref("dom.registerProtocolHandler.insecure.enabled", true);
-lockPref("experiments.activeExperiment", false);
-lockPref("extensions.blocklist.detailsURL", "");
-lockPref("extensions.blocklist.itemURL", "");
-lockPref("extensions.blocklist.url", "");
-lockPref("extensions.update.background.url", "");
-lockPref("extensions.getAddons.showPane", false);
-lockPref("extensions.webservice.discoverURL", "");
-lockPref("gecko.handlerService.schemes.mailto.0.uriTemplate", "");
-lockPref("gecko.handlerService.schemes.mailto.1.uriTemplate", "");
-lockPref("gecko.handlerService.schemes.webcal.0.uriTemplate", "");
-lockPref("geo.enabled", false);
-lockPref("geo.wifi.uri", "");
-lockPref("identity.fxaccounts.auth.uri", "");
-lockPref("identity.fxaccounts.remote.oauth.uri", "");
-lockPref("identity.fxaccounts.remote.profile.uri", "");
-lockPref("identity.mobilepromo.ios", "");
-lockPref("layout.css.visited_links_enabled", false);
-lockPref("lpbmode.enabled", true);
-lockPref("mailnews.messageid_browser.url", "");
-lockPref("mailnews.mx_service_url", "");
-lockPref("media.eme.enabled", false);
-lockPref("media.gmp-eme-adobe.enabled", false);
-lockPref("media.gmp-provider.enabled", false);
-lockPref("media.gmp.trial-create.enabled", false);
-lockPref("media.gmp-manager.url.override", "data:text/plain,");
-lockPref("media.gmp-manager.updateEnabled", false);
-lockPref("network.predictor.enabled", false);
-lockPref("plugins.crash.supportUrl", "");
-lockPref("privacy.trackingprotection.introURL", "");
-lockPref("services.sync.clients.lastSync", "0");
-lockPref("services.sync.clients.lastSyncLocal", "0");
-lockPref("services.sync.declinedEngines", "");
-lockPref("services.sync.enabled", false);
-lockPref("services.sync.globalScore", 0);
-lockPref("services.sync.jpake.serverURL", "");
-lockPref("services.sync.migrated", true);
-lockPref("services.sync.nextSync", 0);
-lockPref("services.sync.prefs.sync.browser.safebrowsing.downloads.enabled", false);
-lockPref("services.sync.prefs.sync.browser.safebrowsing.malware.enabled", false);
-lockPref("services.sync.prefs.sync.browser.safebrowsing.passwords.enabled", false);
-lockPref("services.sync.prefs.sync.browser.safebrowsing.phishing.enabled", false);
-lockPref("services.sync.serverURL", "");
-lockPref("services.sync.tabs.lastSync", "0");
-lockPref("services.sync.tabs.lastSyncLocal", "0");
-lockPref("social.directories", "");
-lockPref("social.remote-install.enabled", false);
-lockPref("social.whitelist", "");
-lockPref("sync.enabled", false);
-lockPref("sync.jpake.serverURL", "");
-lockPref("sync.serverURL", "");
-lockPref("toolkit.crashreporter.infoURL", "");
-lockPref("toolkit.telemetry.archive.enabled", false);
-lockPref("toolkit.telemetry.updatePing.enabled", false);
-lockPref("toolkit.telemetry.bhrPing.enabled", false);
-lockPref("toolkit.telemetry.cachedClientID", "");
-lockPref("toolkit.telemetry.enabled", false);
-lockPref("toolkit.telemetry.firstShutdownPing.enabled", false);
-lockPref("toolkit.telemetry.hybridContent.enabled", false);
-lockPref("toolkit.telemetry.infoURL", "");
-lockPref("toolkit.telemetry.newProfilePing.enabled", false);
-lockPref("toolkit.telemetry.previousBuildID", "");
-lockPref("toolkit.telemetry.prompted", 0);
-lockPref("toolkit.telemetry.prompted", 2);
-lockPref("toolkit.telemetry.rejected", true);
-lockPref("toolkit.telemetry.reportingpolicy.firstRun", false);
-lockPref("toolkit.telemetry.server", "");
-lockPref("toolkit.telemetry.server_owner", "");
-lockPref("toolkit.telemetry.shutdownPingSender.enabled", false);
-lockPref("toolkit.telemetry.unified", false);
-lockPref("toolkit.telemetry.coverage.opt-out", true);
-lockPref("webextensions.storage.sync.serverURL", "");
-lockPref("extensions.formautofill.addresses.enabled", false);
-lockPref("extensions.formautofill.available", "off");
-lockPref("extensions.formautofill.creditCards.enabled", false);
-lockPref("extensions.formautofill.heuristics.enabled", false);
-lockPref("extensions.screenshots.upload-disabled", true);
-lockPref("media.autoplay.enabled", false);
-
-// ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-// Section : General Settings 2/3
-// Bench Diff : +0/5000
-
-// Set to enforce, choice was left to the user in previous version
-lockPref("privacy.donottrackheader.enabled", true);
-
-// Pref : Referer: ALL: control the amount of information to send
-// 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
-lockPref("network.http.referer.trimmingPolicy", 2);
-
-// Close tab
-lockPref("browser.tabs.closeTabByDblclick", true);
-
-// Pref : Disable collection/sending of the health report (healthreport.sqlite*)
-// https://support.mozilla.org/en-US/kb/firefox-health-report-understand-your-browser-perf
-// https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
-lockPref("datareporting.healthreport.uploadEnabled", false);
-lockPref("datareporting.healthreport.service.enabled", false);
-lockPref("datareporting.policy.dataSubmissionEnabled", false);
-
-// Pref : Disable right-click menu manipulation via JavaScript (disabled)
-lockPref("dom.event.contextmenu.enabled", false);
-
-// Pref : Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
-// NOTICE: Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...)
-// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
-lockPref("dom.event.clipboardevents.enabled", false);
-
-// Pref : Force Punycode for Internationalized Domain Names
-// http://kb.mozillazine.org/Network.IDN_show_punycode
-// https://www.xudongz.com/blog/2017/idn-phishing/
-// https://wiki.mozilla.org/IDN_Display_Algorithm
-// https://en.wikipedia.org/wiki/IDN_homograph_attack
-// https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
-// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6
-lockPref("network.IDN_show_punycode", true);
-
-// Pref : Disable Pocket
-// https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox
-// https://github.com/pyllyukko/user.js/issues/143
-lockPref("browser.pocket.enabled", false);
-lockPref("extensions.pocket.enabled", false);
-lockPref("extensions.pocket.site", "");
-lockPref("extensions.pocket.oAuthConsumerKey", "");
-lockPref("extensions.pocket.api", "");
-
-// Pref : Disable Heartbeat (Mozilla user rating telemetry)
-// https://wiki.mozilla.org/Advocacy/heartbeat
-// https://trac.torproject.org/projects/tor/ticket/19047
-lockPref("browser.selfsupport.url", "");
-
-// Pref : Disable downloading homepage snippets/messages from Mozilla
-// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_mozilla-content
-// https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
-lockPref("browser.aboutHomeSnippets.updateUrl", "");
-
-// Pref : Don't reveal build ID
-// Value taken from Tor Browser
-// https://bugzilla.mozilla.org/show_bug.cgi?id=583181
-lockPref("general.buildID.override", "20100101");
-lockPref("browser.startup.homepage_override.buildID", "20100101");
-lockPref("browser.startup.homepage_override.mstone", "ignore");
-
-// Pref : Disable pinging URIs specified in HTML ping= attributes
-// http://kb.mozillazine.org/Browser.send_pings
-lockPref("browser.send_pings", false);
-
-// Pref : When browser pings are enabled, only allow pinging the same host as the origin page
-// http://kb.mozillazine.org/Browser.send_pings.require_same_host
-lockPref("browser.send_pings.require_same_host", true);
-
-// Pref : Disable form autofill, don't save information entered in web page forms and the Search Bar
-lockPref("browser.formfill.enable", false);
-
-// Pref : Delete Search and Form History
-// CIS Version 1.2.0 October 21st, 2011 2.5.6
-lockPref("browser.formfill.expire_days", 0);
-
-// Pref : Disable password manager
-// CIS Version 1.2.0 October 21st, 2011 2.5.2
-lockPref("signon.rememberSignons", false);
-
-// Pref : Do not download URLs for the offline cache
-// http://kb.mozillazine.org/Browser.cache.offline.enable
-lockPref("browser.cache.offline.enable", false);
-
-// Pref : Set time range to "Everything" as default in "Clear Recent History"
-lockPref("privacy.sanitize.timeSpan", 0);
-
-// If your OS or ISP does not support IPv6, there is no reason to have this preference set to false.
-lockPref("network.dns.disableIPv6", true);
-
-// Pref : Disable DNS prefetching
-// http://kb.mozillazine.org/Network.dns.disablePrefetch
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
-lockPref("network.dns.disablePrefetch", true);
-lockPref("network.dns.disablePrefetchFromHTTPS", true);
-
-// Pref : Disable prefetching of URLs
-// http://kb.mozillazine.org/Network.prefetch-next
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F
-// Link prefetching is when a webpage hints to the browser that certain pages are likely to be visited,
-// so the browser downloads them immediately so they can be displayed immediately when the user requests it.
-lockPref("network.prefetch-next", false);
-
-// Pref : Disable speculative pre-connections
-// Disable prefetch link on hover.
-// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections
-// https://bugzilla.mozilla.org/show_bug.cgi?id=814169
-lockPref("network.http.speculative-parallel-limit", 0);
-
-// WebSockets is a technology that makes it possible to open an interactive communication
-// session between the user's browser and a server. (May leak IP when using proxy/VPN)
-lockPref("media.peerconnection.enabled", false);
-lockPref("network.websocket.enabled", false);
-
-// ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-// Section : General Settings 3/3
-// Bench Diff : -40/5000
-
-// Pref : Disable DOM timing API
-// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
-// https://www.w3.org/TR/navigation-timing/#privacy
-lockPref("dom.enable_performance", false);
-lockPref("dom.enable_performance_navigation_timing", false);
-
-// Pref : Make sure the User Timing API does not provide a new high resolution timestamp
-// https://trac.torproject.org/projects/tor/ticket/16336
-// https://www.w3.org/TR/2013/REC-user-timing-20131212/#privacy-security
-lockPref("dom.enable_user_timing", false);
-
-// Pref : Disable Web Audio API
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
-// Avoid fingerprinting...
-lockPref("dom.webaudio.enabled", false);
-
-// Pref : When geolocation is enabled, don't log geolocation requests to the console
-lockPref("geo.wifi.logging.enabled", false);
-
-// Pref : Disable raw TCP socket support (mozTCPSocket)
-// https://trac.torproject.org/projects/tor/ticket/18863
-// https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/
-// https://developer.mozilla.org/docs/Mozilla/B2G_OS/API/TCPSocket
-lockPref("dom.mozTCPSocket.enabled", false);
-
-// Pref : Disable leaking network/browser connection information via Javascript
-// Network Information API provides general information about the system's connection type (WiFi, cellular, etc.)
-// https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
-// https://wicg.github.io/netinfo/#privacy-considerations
-// https://bugzilla.mozilla.org/show_bug.cgi?id=960426
-lockPref("dom.netinfo.enabled", false);
-
-// Pref : Don't reveal your internal IP when WebRTC is enabled (Firefox >= 52)
-// https://wiki.mozilla.org/Media/WebRTC/Privacy
-// https://github.com/beefproject/beef/wiki/Module%3A-Get-Internal-IP-WebRTC
-lockPref("media.peerconnection.ice.no_host", true); // Firefox >= 52
-
-// Pref : Disable WebRTC getUserMedia, screen sharing, audio capture, video capture
-// https://wiki.mozilla.org/Media/getUserMedia
-// https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/
-// https://developer.mozilla.org/en-US/docs/Web/API/Navigator
-lockPref("media.navigator.enabled", false);
-lockPref("media.navigator.video.enabled", false);
-lockPref("media.getusermedia.screensharing.enabled", false);
-lockPref("media.getusermedia.audiocapture.enabled", false);
-
-// Pref : Disable telephony API
-// https://wiki.mozilla.org/WebAPI/Security/WebTelephony
-lockPref("dom.telephony.enabled", false);
-
-// Pref : Disable "beacon" asynchronous HTTP transfers (used for analytics)
-// https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
-lockPref("beacon.enabled", false);
-
-// Pref : Disable speech recognition
-// https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html
-// https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
-// https://wiki.mozilla.org/HTML5_Speech_API
-lockPref("media.webspeech.recognition.enable", false);
-
-// Pref : Disable virtual reality devices APIs
-// https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
-// https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
-lockPref("dom.vr.enabled", false);
-
-// Pref : Disable vibrator API
-lockPref("dom.vibrator.enabled", false);
-
-// Pref : Disable resource timing API
-// https://www.w3.org/TR/resource-timing/#privacy-security
-lockPref("dom.enable_resource_timing", false);
-
-// Pref : Disable face detection
-lockPref("camera.control.face_detection.enabled", false);
-
-// Pref : Disable GeoIP lookup on your address to set default search engine region
-// https://trac.torproject.org/projects/tor/ticket/16254
-// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine
-lockPref("browser.search.countryCode", "US");
-lockPref("browser.search.region", "US");
-lockPref("browser.search.geoip.url", "");
-lockPref("browser.search.geoSpecificDefaults.url", "");
-
-// Pref : Don't use Mozilla-provided location-specific search engines
-lockPref("browser.search.geoSpecificDefaults", false);
-
-// Pref : Do not automatically send selection to clipboard on some Linux platforms
-// http://kb.mozillazine.org/Clipboard.autocopy
-lockPref("clipboard.autocopy", false);
-
-// Pref : Don't trim HTTP off of URLs in the address bar.
-// https://bugzilla.mozilla.org/show_bug.cgi?id=665580
-lockPref("browser.urlbar.trimURLs", false);
-
-// Pref : Don't try to guess domain names when entering an invalid domain name in URL bar
-// http://www-archive.mozilla.org/docs/end-user/domain-guessing.html
-lockPref("browser.fixup.alternate.enabled", false);
-
-// Pref : When browser.fixup.alternate.enabled is enabled, strip password from 'user:password@...' URLs
-// https://github.com/pyllyukko/user.js/issues/290#issuecomment-303560851
-lockPref("browser.fixup.hide_user_pass", true);
-
-// Pref : Send DNS request through SOCKS when SOCKS proxying is in use
-// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
-lockPref("network.proxy.socks_remote_dns", true);
-
-// Pref : Don't monitor OS online/offline connection state
-// https://trac.torproject.org/projects/tor/ticket/18945
-lockPref("network.manage-offline-status", false);
-
-// Pref : Disable JAR from opening Unsafe File Types
-// http://kb.mozillazine.org/Network.jar.open-unsafe-types
-// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.7
-lockPref("network.jar.open-unsafe-types", false);
-
-// CIS 2.7.4 Disable Scripting of Plugins by JavaScript
-// http://forums.mozillazine.org/viewtopic.php?f=7&t=153889
-lockPref("security.xpconnect.plugin.unrestricted", false);
-
-// Pref : Set File URI Origin Policy
-// http://kb.mozillazine.org/Security.fileuri.strict_origin_policy
-// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.8
-lockPref("security.fileuri.strict_origin_policy", true);
-
-// Pref : Disable Displaying Javascript in History URLs
-// http://kb.mozillazine.org/Browser.urlbar.filter.javascript
-// CIS 2.3.6
-lockPref("browser.urlbar.filter.javascript", true);
-
-// Pref : Disable SVG in OpenType fonts
-// https://wiki.mozilla.org/SVGOpenTypeFonts
-// https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle
-lockPref("gfx.font_rendering.opentype_svg.enabled", false);
-
-// Pref : Disable video stats to reduce fingerprinting threat
-// https://bugzilla.mozilla.org/show_bug.cgi?id=654550
-// https://github.com/pyllyukko/user.js/issues/9#issuecomment-100468785
-// https://github.com/pyllyukko/user.js/issues/9#issuecomment-148922065
-lockPref("media.video_stats.enabled", false);
-
-// Pref : Enable only whitelisted URL protocol handlers
-// Disabling nonessential protocols breaks all interaction with custom protocols such
-// as mailto:, irc:, magnet: ... and breaks opening third-party mail/messaging/torrent/...
-// clients when clicking on links with these protocols
-lockPref("network.protocol-handler.warn-external-default", true);
-lockPref("network.protocol-handler.external.http", false);
-lockPref("network.protocol-handler.external.https", false);
-lockPref("network.protocol-handler.external.javascript", false);
-lockPref("network.protocol-handler.external.moz-extension", false);
-lockPref("network.protocol-handler.external.ftp", false);
-lockPref("network.protocol-handler.external.file", false);
-lockPref("network.protocol-handler.external.about", false);
-lockPref("network.protocol-handler.external.chrome", false);
-lockPref("network.protocol-handler.external.blob", false);
-lockPref("network.protocol-handler.external.data", false);
-lockPref("network.protocol-handler.expose-all", false);
-lockPref("network.protocol-handler.expose.http", true);
-lockPref("network.protocol-handler.expose.https", true);
-lockPref("network.protocol-handler.expose.javascript", true);
-lockPref("network.protocol-handler.expose.moz-extension", true);
-lockPref("network.protocol-handler.expose.ftp", true);
-lockPref("network.protocol-handler.expose.file", true);
-lockPref("network.protocol-handler.expose.about", true);
-lockPref("network.protocol-handler.expose.chrome", true);
-lockPref("network.protocol-handler.expose.blob", true);
-lockPref("network.protocol-handler.expose.data", true);
-
-// Pref : Ensure you have a security delay when installing add-ons (milliseconds)
-// http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
-// http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
-lockPref("security.dialog_enable_delay", 1000);
-
-// Pref : Disable Reader
-lockPref("reader.parse-on-load.enabled", false);
-
-// Pref : Opt-out of add-on metadata updates
-// https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
-lockPref("extensions.getAddons.cache.enabled", false);
-
-// Pref : Opt-out of themes (Persona) updates
-// https://support.mozilla.org/t5/Firefox/how-do-I-prevent-autoamtic-updates-in-a-50-user-environment/td-p/144287
-lockPref("lightweightThemes.update.enabled", false);
-
-// Pref : Disable Flash Player NPAPI plugin
-// http://kb.mozillazine.org/Flash_plugin
-lockPref("plugin.state.flash", 0);
-
-// Pref : Disable Java NPAPI plugin
-lockPref("plugin.state.java", 0);
-
-// Pref : Disable sending Flash Player crash reports
-lockPref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
-
-// Pref : When Flash crash reports are enabled, don't send the visited URL in the crash report
-lockPref("dom.ipc.plugins.reportCrashURL", false);
-
-// Pref : Disable Shumway (Mozilla Flash renderer)
-// https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Shumway
-lockPref("shumway.disabled", true);
-
-// Pref : Disable Gnome Shell Integration NPAPI plugin
-lockPref("plugin.state.libgnome-shell-browser-plugin", 0);
-
-// Pref : Enable plugins click-to-play
-// https://wiki.mozilla.org/Firefox/Click_To_Play
-// https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/
-lockPref("plugins.click_to_play", true);
-lockPref("plugin.sessionPermissionNow.intervalInMinutes", 0);
-
-// Pref : Updates addons automatically
-// https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/
-lockPref("extensions.update.enabled", false);
-
-// Pref : Enable add-on and certificate blocklists (OneCRL) from Mozilla
-// Updated at interval defined in extensions.blocklist.interval (default: 86400)
-lockPref("extensions.blocklist.enabled", false);
-lockPref("services.blocklist.update_enabled", false);
-
-// Pref : Disable system add-on updates (hidden & always-enabled add-ons from Mozilla)
-lockPref("extensions.systemAddon.update.enabled", false);
-
-// Pref : Disable WebIDE Web Debug
-// https://trac.torproject.org/projects/tor/ticket/16222
-// https://developer.mozilla.org/docs/Tools/WebIDE
-lockPref("devtools.webide.enabled", false);
-lockPref("devtools.webide.autoinstallADBHelper", false);
-lockPref("devtools.webide.autoinstallFxdtAdapters", false);
-
-// Pref : Disable remote debugging
-// https://developer.mozilla.org/en-US/docs/Tools/Remote_Debugging/Debugging_Firefox_Desktop
-// https://developer.mozilla.org/en-US/docs/Tools/Tools_Toolbox#Advanced_settings
-lockPref("devtools.debugger.remote-enabled", false);
-lockPref("devtools.chrome.enabled", false);
-lockPref("devtools.debugger.force-local", true);
-
-// Pref : Disable Mozilla telemetry/experiments
-// https://wiki.mozilla.org/Platform/Features/Telemetry
-// https://wiki.mozilla.org/Privacy/Reviews/Telemetry
-// https://wiki.mozilla.org/Telemetry
-// https://www.mozilla.org/en-US/legal/privacy/firefox.html#telemetry
-// https://support.mozilla.org/t5/Firefox-crashes/Mozilla-Crash-Reporter/ta-p/1715
-// https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/telemetry
-// https://gecko.readthedocs.io/en/latest/browser/experiments/experiments/manifest.html
-// https://wiki.mozilla.org/Telemetry/Experiments
-// https://support.mozilla.org/en-US/questions/1197144
-lockPref("experiments.supported", false);
-lockPref("experiments.enabled", false);
-lockPref("experiments.manifest.uri", "");
-
-// Pref : Disallow Necko to do A/B testing
-// https://trac.torproject.org/projects/tor/ticket/13170
-lockPref("network.allow-experiments", false);
-
-// Pref : Disable sending reports of tab crashes to Mozilla (about:tabcrashed), don't nag user about unsent crash reports
-// https://hg.mozilla.org/mozilla-central/file/tip/browser/app/profile/firefox.js
-lockPref("browser.tabs.crashReporting.sendReport", false);
-lockPref("browser.crashReports.unsubmittedCheck.enabled", false);
-lockPref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);
-
-// Pref : Disable FlyWeb (discovery of LAN/proximity IoT devices that expose a Web interface)
-// https://wiki.mozilla.org/FlyWeb
-// https://wiki.mozilla.org/FlyWeb/Security_scenarios
-// https://docs.google.com/document/d/1eqLb6cGjDL9XooSYEEo7mE-zKQ-o-AuDTcEyNhfBMBM/edit
-// http://www.ghacks.net/2016/07/26/firefox-flyweb
-lockPref("dom.flyweb.enabled", false);
-
-// Pref : Disable the UITour backend
-// https://trac.torproject.org/projects/tor/ticket/19047#comment:3
-lockPref("browser.uitour.enabled", false);
-
-// Pref : Enable contextual identity Containers feature (Firefox >= 52)
-// NOTICE: Containers are not available in Private Browsing mode
-// https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
-lockPref("privacy.userContext.enabled", true);
-
-// Pref : Disable Firefox Hello metrics collection
-// https://groups.google.com/d/topic/mozilla.dev.platform/nyVkCx-_sFw/discussion
-lockPref("loop.logDomains", false);
-
-// Pref : Enforce checking for Firefox updates
-lockPref("app.update.enabled", false);
-
-// Pref : Disable SHIELD
-// https://support.mozilla.org/en-US/kb/shield
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1370801
-lockPref("extensions.shield-recipe-client.enabled", false);
-lockPref("app.shield.optoutstudies.enabled", false);
-
-// Pref : Disable new tab tile ads & preload & Activity Stream
-// http://www.thewindowsclub.com/disable-remove-ad-tiles-from-firefox
-// http://forums.mozillazine.org/viewtopic.php?p=13876331#p13876331
-// https://wiki.mozilla.org/Firefox/Activity_Stream
-// https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping
-// https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-source
-// https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-ping
-lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
-lockPref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
-lockPref("browser.newtabpage.activity-stream.showSponsored", false);
-lockPref("browser.newtabpage.activity-stream.aboutHome.enabled", false);
-lockPref("browser.newtabpage.activity-stream.asrouter.messageProviders", "");
-lockPref("browser.newtabpage.activity-stream.telemetry", false);
-lockPref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", "");
-lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false);
-lockPref("browser.newtabpage.activity-stream.feeds.snippets", false);
-lockPref("browser.newtabpage.activity-stream.disableSnippets", true);
-lockPref("browser.newtabpage.directory.ping", "0.0.0.0");
-lockPref("browser.newtabpage.directory.source", "0.0.0.0");
-lockPref("browser.newtabpage.enhanced", false);
-lockPref("browser.newtabpage.directory.ping", "");
-lockPref("browser.newtabpage.directory.source", "data:text/plain,{}");
-lockPref("browser.newtabpage.activity-stream.enabled", false);
-lockPref("browser.newtab.preload", false);
-// Does not spy after tunning
-//lockPref("browser.newtabpage.enabled", false);
-
-// Pref : Reject .onion hostnames before passing the to DNS
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
-// RFC 7686
-//lockPref("network.dns.blockDotOnion", true);
-// Tor compatibility...
-//lockPref("network.http.referer.hideOnionSource", true);
-// This browser is not meant to be used with tor
-
-// Pref : Disable "Show search suggestions in location bar results"
-lockPref("browser.urlbar.suggest.searches", false);
-lockPref("browser.urlbar.userMadeSearchSuggestionsChoice", true);
-
-// Pref : Disable SSDP
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1111967
-lockPref("browser.casting.enabled", false);
-
-// Pref : Disable automatic downloading of OpenH264 codec
-// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities
-// https://andreasgal.com/2014/10/14/openh264-now-in-firefox/
-lockPref("media.gmp-gmpopenh264.enabled", false);
-lockPref("media.gmp-gmpopenh264.autoupdate", false);
-lockPref("media.gmp-manager.url", "");
-
-// Pref : Never check updates for search engines
-// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking
-lockPref("browser.search.update", false);
-
-// Pref : Disable automatic captive portal detection (Firefox >= 52.0)
-// https://support.mozilla.org/en-US/questions/1157121
-lockPref("network.captive-portal-service.enabled", false);
-
-// Pref : Disallow NTLMv1
-// https://bugzilla.mozilla.org/show_bug.cgi?id=828183
-lockPref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
-// it is still allowed through HTTPS.
-lockPref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false);
-
-// Pref : Enable CSP 1.1 script-nonce directive support
-// https://bugzilla.mozilla.org/show_bug.cgi?id=855326
-lockPref("security.csp.experimentalEnabled", true);
-
-// Pref : Enable Content Security Policy (CSP)
-// https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
-// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
-lockPref("security.csp.enable", true);
-
-// Pref : Enable Subresource Integrity
-// https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
-// https://wiki.mozilla.org/Security/Subresource_Integrity
-lockPref("security.sri.enable", true);
-
-// Pref : Require manual intervention to autofill known username/passwords sign-in forms
-// http://kb.mozillazine.org/Signon.autofillForms
-// https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
-lockPref("signon.autofillForms", false);
-
-// Pref : Disable formless login capture
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
-lockPref("signon.formlessCapture.enabled", false);
-
-// Pref : When username/password autofill is enabled, still disable it on non-HTTPS sites
-// https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
-lockPref("signon.autofillForms.http", false);
-
-// Pref : Delete temporary files on exit
-// https://bugzilla.mozilla.org/show_bug.cgi?id=238789
-lockPref("browser.helperApps.deleteTempFileOnExit", true);
-
-// Pref : Do not create screenshots of visited pages (relates to the "new tab page" feature)
-// https://support.mozilla.org/en-US/questions/973320
-// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/browser.pagethumbnails.capturing_disabled
-lockPref("browser.pagethumbnails.capturing_disabled", true);
-
-// Pref : Disable bookmarks backups (default: 15)
-// http://kb.mozillazine.org/Browser.bookmarks.max_backups
-lockPref("browser.bookmarks.max_backups", 1);
-
-// Pref : Display a notification bar when websites offer data for offline use
-// http://kb.mozillazine.org/Browser.offline-apps.notify
-lockPref("browser.offline-apps.notify", true);
-
-// ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-// Section : Security 1/3
-// Bench Diff : +0/5000
-
-// Pref : Enable insecure password warnings (login forms in non-HTTPS pages)
-// https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
-lockPref("security.insecure_password.ui.enabled", true);
-
-// Pref : Show in-content login form warning UI for insecure login fields
-// https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
-lockPref("security.insecure_field_warning.contextual.enabled", true);
-
-// Pref : Disable HSTS preload list (pre-set HSTS sites list provided by Mozilla)
-// https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
-// https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
-// https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
-lockPref("network.stricttransportsecurity.preloadlist", false);
-
-// Pref : Disable TLS Session Tickets
-// https://www.blackhat.com/us-13/briefings.html#NextGen
-// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
-// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
-// https://bugzilla.mozilla.org/show_bug.cgi?id=917049
-// https://bugzilla.mozilla.org/show_bug.cgi?id=967977
-lockPref("security.ssl.disable_session_identifiers", true);
-
-// Pref : Disable insecure TLS version fallback
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
-// https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
-lockPref("security.tls.version.fallback-limit", 3);
-
-// Pref :
Only allow TLS 1.[0-3] -// http://kb.mozillazine.org/Security.tls.version.* -lockPref("security.tls.version.min", 2); - -// Pref : Enfore Public Key Pinning -// https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning -// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning -// "2. Strict. Pinning is always enforced." -lockPref("security.cert_pinning.enforcement_level", 2); - -// Pref : Disallow SHA-1 -// https://bugzilla.mozilla.org/show_bug.cgi?id=1302140 -// https://shattered.io/ -lockPref("security.pki.sha1_enforcement_level", 1); - -// Pref : Warn the user when server doesn't support RFC 5746 ("safe" renegotiation) -// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken -// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555 -lockPref("security.ssl.treat_unsafe_negotiation_as_broken", true); - -// Pref : Pre-populate the current URL but do not pre-fetch the certificate in the "Add Security Exception" dialog -// http://kb.mozillazine.org/Browser.ssl_override_behavior -// https://github.com/pyllyukko/user.js/issues/210 -lockPref("browser.ssl_override_behavior", 1); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Security 2/3 -// Bench Diff : +0/5000 - -lockPref("security.ssl.errorReporting.automatic", false); -lockPref("security.ssl.errorReporting.url", ""); -lockPref("security.OCSP.enabled", 0); -lockPref("security.ssl.errorReporting.enabled", false); -lockPref("security.disable_button.openDeviceManager", false); -lockPref("security.disable_button.openCertManager", false); -lockPref("security.mixed_content.upgrade_display_content", true); -lockPref("security.mixed_content.block_object_subrequest", true); -lockPref("security.mixed_content.block_display_content", true); -lockPref("security.mixed_content.block_active_content", true); 
-lockPref("security.insecure_connection_icon.enabled", true); -lockPref("security.insecure_connection_icon.pbmode.enabled", true); -lockPref("security.insecure_connection_text.enabled", true); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Security 3/3 (Cipher) -// Bench Diff : +0/5000 - -lockPref("security.ssl3.rsa_des_ede3_sha", false); -lockPref("security.ssl3.rsa_aes_256_sha", false); -lockPref("security.ssl3.rsa_aes_128_sha", false); - -// Pref : Enable ciphers with ECDHE and key size > 128bits -lockPref("security.ssl3.ecdhe_rsa_aes_256_sha", true); // 0xc014 -lockPref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // 0xc00a - -// Pref : Enable GCM ciphers (TLSv1.2 only) -// https://en.wikipedia.org/wiki/Galois/Counter_Mode -lockPref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); // 0xc02b -lockPref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // 0xc02f - -// Pref : Enable ChaCha20 and Poly1305 (Firefox >= 47) -// https://www.mozilla.org/en-US/firefox/47.0/releasenotes/ -// https://tools.ietf.org/html/rfc7905 -// https://bugzilla.mozilla.org/show_bug.cgi?id=917571 -// https://bugzilla.mozilla.org/show_bug.cgi?id=1247860 -// https://cr.yp.to/chacha.html -lockPref("security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", true); -lockPref("security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256", true); - -// Pref : Disable RC4 -// https://developer.mozilla.org/en-US/Firefox/Releases/38#Security -// https://bugzilla.mozilla.org/show_bug.cgi?id=1138882 -// https://rc4.io/ -// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566 -lockPref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false); -lockPref("security.ssl3.ecdh_rsa_rc4_128_sha", false); -lockPref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false); -lockPref("security.ssl3.ecdhe_rsa_rc4_128_sha", false); 
-lockPref("security.ssl3.rsa_rc4_128_md5", false); -lockPref("security.ssl3.rsa_rc4_128_sha", false); -lockPref("security.tls.unrestricted_rc4_fallback", false); - -// Pref : Disable SEED cipher -// https://en.wikipedia.org/wiki/SEED -lockPref("security.ssl3.rsa_seed_sha", false); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Microsoft Windows -// Bench Diff : ???/5000 - -// Pref : Other webGl [WINDOWS] -lockPref("webgl.dxgl.enabled", false); - -// Pref : disable scanning for plugins [WINDOWS] -lockPref("plugin.scan.plid.all", false); - -// Pref : disable Windows jumplist [WINDOWS] -lockPref("browser.taskbar.lists.enabled", false); -lockPref("browser.taskbar.lists.frequent.enabled", false); -lockPref("browser.taskbar.lists.recent.enabled", false); -lockPref("browser.taskbar.lists.tasks.enabled", false); - -// Pref : disable Windows taskbar preview [WINDOWS] -lockPref("browser.taskbar.previews.enable", false); - -// Pref : disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] -// [1] https://www.ghacks.net/2016/03/25/block-firefox-chrome-windows-store/ -lockPref("network.protocol-handler.external.ms-windows-store", false); - -// Pref : disable background update service [WINDOWS] -// [SETTING] General>Firefox Updates>Use a background service to install updates -lockPref("app.update.service.enabled", false); - -// --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -// Section : Disabled -// Bench Diff : ???/5000 - -// Pref : Disable URL bar autocomplete and history/bookmarks suggestions dropdown -// http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5 -//lockPref("browser.urlbar.autocomplete.enabled", false); - -// Pref : Only allow TLS 1.[0-3] -// 
http://kb.mozillazine.org/Security.tls.version.* -//lockPref("security.tls.version.max", 4); - -// Pref : Disable "Are you sure you want to leave this page?" popups on page close -// https://support.mozilla.org/en-US/questions/1043508 -// Does not prevent JS leaks of the page close event. -// https://developer.mozilla.org/en-US/docs/Web/Events/beforeunload -//lockPref("dom.disable_beforeunload", true); - -// Pref : Decrease system information leakage to Mozilla blocklist update servers -// https://trac.torproject.org/projects/tor/ticket/16931 -//lockPref("extensions.blocklist.url", "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/"); - -// Pref : When password manager is enabled, lock the password storage periodically -// CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage -//lockPref("security.ask_for_password", 2); - -// Pref : Lock the password storage every 1 minutes (default: 30) -//lockPref("security.password_lifetime", 1); - -// Pref : Disable inline autocomplete in URL bar -// http://kb.mozillazine.org/Inline_autocomplete -//lockPref("browser.urlbar.autoFill", false); -//lockPref("browser.urlbar.autoFill.typed", false); - -// Pref : Enable first-party isolation -// https://bugzilla.mozilla.org/show_bug.cgi?id=1299996 -// https://bugzilla.mozilla.org/show_bug.cgi?id=1260931 -// https://wiki.mozilla.org/Security/FirstPartyIsolation -// NOTICE: First-party isolation breaks Microsoft Teams -// NOTICE: First-party isolation causes HTTP basic auth to ask for credentials for every new tab (see #425) -//lockPref("privacy.firstparty.isolate", true); - -// Track Protection - Leave choice to user -//lockPref("privacy.trackingprotection.enabled", true); - -// Pref : Disable in-content SVG rendering (Firefox >= 53) (disabled) -// NOTICE-DISABLED: Disabling SVG support breaks many UI elements on many sites -// https://bugzilla.mozilla.org/show_bug.cgi?id=1216893 -// 
https://github.com/iSECPartners/publications/raw/master/reports/Tor%20Browser%20Bundle/Tor%20Browser%20Bundle%20-%20iSEC%20Deliverable%201.3.pdf#16 -//lockPref("svg.disabled", true); - -// Pref : Disable Caching of SSL Pages -// CIS Version 1.2.0 October 21st, 2011 2.5.8 -// http://kb.mozillazine.org/Browser.cache.disk_cache_ssl -//lockPref("browser.cache.disk_cache_ssl", false); - -// Pref : Don't remember browsing history -//lockPref("places.history.enabled", false); - -/* 2212: limit events that can cause a popup - * default is "change click dblclick mouseup pointerup notificationclick reset submit touchend" - * [1] http://kb.mozillazine.org/Dom.popup_allowed_events ***/ -//lockPref("dom.popup_allowed_events", "click dblclick"); - -/* 2210: block popup windows - * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ -//lockPref("dom.disable_open_during_load", true); - -/* 2031: disable audio auto-play in non-active tabs (FF51+) - * [1] https://www.ghacks.net/2016/11/14/firefox-51-blocks-automatic-audio-playback-in-non-active-tabs/ ***/ -//lockPref("media.block-autoplay-until-in-foreground", true); - -/* 1603: CROSS ORIGIN: control when to send a referer [SETUP] - * 0=always (default), 1=only if base domains match, 2=only if hosts match ***/ -//Can break some important site... (payment... ) -//lockPref("network.http.referer.XOriginPolicy", 1); - -/* 1405: disable WOFF2 (Web Open Font Format) (FF35+) ***/ -//lockPref("gfx.downloadable_fonts.woff2.enabled", false); - -/* 1406: disable CSS Font Loading API - * [SETUP] Disabling fonts can uglify the web a fair bit. ***/ -//lockPref("layout.css.font-loading-api.enabled", false); - -/* 2403: disable clipboard commands (cut/copy) from "non-privileged" content (FF41+) - * this disables document.execCommand("cut"/"copy") to protect your clipboard - * [1] https://bugzilla.mozilla.org/1170911 ***/ -//lockPref("dom.allow_cut_copy", false); // (hidden pref) 
diff --git a/privafox/mozilla.cfg b/privafox/mozilla.cfg
new file mode 120000
index 0000000..a022d12
--- /dev/null
+++ b/privafox/mozilla.cfg
@@ -0,0 +1 @@
+../../mozilla.cfg
\ No newline at end of file
diff --git a/releases/Privafox-1.8-Firefox-Linux-63.0.3.tar.bz2.REMOVED.git-id b/releases/Privafox-1.8-Firefox-Linux-63.0.3.tar.bz2.REMOVED.git-id
new file mode 100644
index 0000000..ddcae2f
--- /dev/null
+++ b/releases/Privafox-1.8-Firefox-Linux-63.0.3.tar.bz2.REMOVED.git-id
@@ -0,0 +1 @@
+bd82c894448430ca8df1b94f391320535125f897
\ No newline at end of file
diff --git a/releases/Privafox-1.8-Firefox-Mac-63.0.3.dmg.REMOVED.git-id b/releases/Privafox-1.8-Firefox-Mac-63.0.3.dmg.REMOVED.git-id
new file mode 100644
index 0000000..b56fc8b
--- /dev/null
+++ b/releases/Privafox-1.8-Firefox-Mac-63.0.3.dmg.REMOVED.git-id
@@ -0,0 +1 @@
+1f4e9abcb8342358ba045efb19561c95a5856fdc
\ No newline at end of file
diff --git a/releases/Privafox-1.8-Firefox-Windows-63.0.3.zip.REMOVED.git-id b/releases/Privafox-1.8-Firefox-Windows-63.0.3.zip.REMOVED.git-id
new file mode 100644
index 0000000..77f4ae7
--- /dev/null
+++ b/releases/Privafox-1.8-Firefox-Windows-63.0.3.zip.REMOVED.git-id
@@ -0,0 +1 @@
+a9af1052e87e297311ccff1dcb67214b2c20e5c5
\ No newline at end of file
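Review bot: The symlink target `../../mozilla.cfg` added for `privafox/mozilla.cfg` resolves one directory above the repository root (privafox/ → repo root → parent), so in a plain checkout of this repository the link dangles; a root-level `mozilla.cfg` would be reached by `../mozilla.cfg`, unless `privafox/` is meant to be dropped into a deeper install layout that the commit does not document. Because this file is what carries every lockPref the project relies on, a dangling link (or a checkout where symlinks are stored as plain text files) silently produces a build with no locked preferences and no error. The packaging step should fail closed on that case, e.g. `test -f privafox/mozilla.cfg || { echo "mozilla.cfg symlink unresolved" >&2; exit 1; }`, and the README should state the directory layout the relative target assumes.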