Secure Sept 2021 (#36)

SecureFox.js

@@ -11,7 +11,7 @@
  * SecureFox                                                                *
  * "Natura non constristatur."                                              *     
  * priority: provide sensible security and privacy                          *  
- * version: August 2021                                                     *
+ * version: September 2021                                                  *
  * url: https://github.com/yokoffing/Better-Fox                             *                   
 ****************************************************************************/
 
@@ -41,17 +41,16 @@ user_pref("privacy.socialtracking.block_cookies.enabled", true); // default
 user_pref("urlclassifier.trackingSkipURLs", "*.twitter.com, *.twimg.com"); // hidden
 user_pref("urlclassifier.features.socialtracking.skipURLs", "*.instagram.com, *.twitter.com, *.twimg.com"); // hidden
 
-// PREF: Network Partitioning
+// PREF: Site Isolation
-// Network Partitioning (isolation) will allow Firefox to associate resources on a per-website basis rather than together
+// Creates operating system process-level boundaries for all sites loaded in Firefox for Desktop. Isolating each site
-// in the same pool. This includes like the cache, favicons, CSS files, images, and even speculative connections(!). 
+// into a separate operating system process makes it harder for malicious sites to read another site’s private data.
-// [1] https://www.zdnet.com/article/firefox-to-ship-network-partitioning-as-a-new-anti-tracking-defense/
+// [1] https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture/
-// [2] https://github.com/privacycg/storage-partitioning#introduction
+user_pref("fission.autostart", true);
-// [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#network_partitioning
-// [4] https://blog.mozilla.org/security/2021/01/26/supercookie-protections/
-// [5] https://hacks.mozilla.org/2021/02/introducing-state-partitioning/
-user_pref("privacy.partition.network_state", true); // default
 
-// PREF: Dynamic First-Party Isolation (dFPI) [aka State Paritioning]
+// PREF: State Paritioning [aka Dynamic First-Party Isolation (dFPI)]
+// Firefox manages client-side state (i.e., data stored in the browser) to mitigate the ability of websites to abuse state
+// for cross-site tracking. This effort aims to achieve that by providing what is effectively a "different", isolated storage
+// location to every website a user visits.
 // dFPI is a more web-compatible version of FPI, which double keys all third-party state by the origin of the top-level
 // context. dFPI isolates user's browsing data for each top-level eTLD+1, but is flexible enough to apply web
 // compatibility heuristics to address resulting breakage by dynamically modifying a frame's storage principal.
@@ -59,12 +58,24 @@ user_pref("privacy.partition.network_state", true); // default
 // [NOTE] dFPI partitions all of the following caches by the top-level site being visited: HTTP cache, image cache,
 // favicon cache, HSTS cache, OCSP cache, style sheet cache, font cache, DNS cache, HTTP Authentication cache,
 // Alt-Svc cache, and TLS certificate cache.
-// [1] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/State_Partitioning
+// [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1549587
-// [2] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
+// [2] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/State_Partitioning
+// [3] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
+// [4] https://hacks.mozilla.org/2021/02/introducing-state-partitioning/
 user_pref("network.cookie.cookieBehavior", 5); // changes to 5 when Enhanced Tracking Protection is set to "Strict"
 user_pref("browser.contentblocking.state-partitioning.mvp.ui.enabled", true); // default 
 user_pref("browser.contentblocking.reject-and-isolate-cookies.preferences.ui.enabled", true); // default
 
+// PREF: Network Partitioning
+// Networking-related APIs are not intended to be used for websites to store data, but they can be abused for
+// cross-site tracking. Network APIs and caches are permanently partitioned by the top-level site.
+// Network Partitioning (isolation) will allow Firefox to associate resources on a per-website basis rather than together
+// in the same pool. This includes cache, favicons, CSS files, images, and even speculative connections. 
+// [1] https://www.zdnet.com/article/firefox-to-ship-network-partitioning-as-a-new-anti-tracking-defense/
+// [2] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#network_partitioning
+// [3] https://blog.mozilla.org/security/2021/01/26/supercookie-protections/
+user_pref("privacy.partition.network_state", true); // default
+
 // PREF: Redirect Tracking Prevention
 // All storage is cleared (more or less) daily from origins that are known trackers and that
 // haven’t received a top-level user interaction (including scroll) within the last 45 days.
@@ -104,6 +115,13 @@ user_pref("security.remote_settings.crlite_filters.enabled", true);
 // [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1286798
 user_pref("dom.storage.next_gen", true);
 
+// PREF: SameStie Cookies
+// [1] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/
+// [2] https://web.dev/samesite-cookies-explained/
+user_pref("network.cookie.sameSite.laxByDefault", true);
+user_pref("network.cookie.sameSite.noneRequiresSecure", true);
+user_pref("network.cookie.sameSite.schemeful", true);
+
 // PREF: disable cache
 // user_pref("browser.cache.disk.enable", true); // default
 
@@ -112,6 +130,9 @@ user_pref("dom.storage.next_gen", true);
 // [1] https://github.com/arkenfox/user.js/issues/1055
 // user_pref("browser.cache.offline.enable", false);
 
+// PREF: WebRTC Global Mute Toggles
+user_pref("privacy.webrtc.globalMuteToggles", true);
+
 /******************************************************************************
  * SECTION: CLEARING DATA DEFAULTS                           *
 ******************************************************************************/
@@ -155,18 +176,19 @@ user_pref("privacy.history.custom", true);
  * SECTION: SPECULATIVE CONNECTIONS                           *
 ******************************************************************************/
 
-// [NOTE] Firefox 85+ partitions pooled connections, prefetch connections, pre-connect connections,
+// [NOTE] Firefox 85+ partitions (isolates) pooled connections, prefetch connections, pre-connect connections,
-// speculative connections, TLS session identifiers, and other connections. For more information, see "PREF: Network
+// speculative connections, TLS session identifiers, and other connections. We can take advantage of the speed of
-// Partitioning and "PREF: Dynamic First-Party Isolation". You may customize this section to your comfort-level.
+// pre-connections while preserving privacy. Users may harden these settings to their preference.
+// For more information, see "PREF: State Paritioning" and "PREF: Network Partitioning".
 
 // [NOTE] uBlock Origin overrides Firefox defaults and sets these settings to false. To enable:
 // [SETTINGS] uBlock Origin -> Extension options -> Settings -> Privacy -> uncheck "Disable pre-fetching"
 
 // PREF: Network Predictor
-// Keeps track of components that were loaded during the visit of a page on the Internet so that the browser knows next time
+// Keeps track of components that were loaded during page visits so that the browser knows next time
-// which resources to request from the web server:
+// which resources to request from the server: It uses a local file to remember which resources were
-// It uses a local file to remember which resources were needed when the user visits a webpage (such as image.jpg and script.js),
+// needed when the user visits a webpage (such as image.jpg and script.js), so that the next time the
-// so that the next time the user mouseovers a link to that webpage, this history can be used to predict what resources will
+// user mouseovers a link to that webpage, this history can be used to predict what resources will
 // be needed rather than wait for the document to link those resources.
 // Only performs pre-connect, not prefetch, by default. No data is actually sent to the site until a user actively clicks a link.
 // [NOTE] DNS pre-resolve and TCP preconnect (which includes SSL handshake). Honors settings in Private Browsing to erase data.
@@ -174,62 +196,70 @@ user_pref("privacy.history.custom", true);
 // [2] https://www.ghacks.net/2014/05/11/seer-disable-firefox/
 // [3] https://github.com/dillbyrne/random-agent-spoofer/issues/238#issuecomment-110214518
 // [4] https://www.igvita.com/posa/high-performance-networking-in-google-chrome/#predictor
-user_pref("network.predictor.enabled", true); // default
+user_pref("network.predictor.enabled", false);
 // Fetch critical resources on the page ahead of time as determined by the local file, to accelerate rendering of the page.
-user_pref("network.predictor.enable-hover-on-ssl", true);
+// user_pref("network.predictor.enable-hover-on-ssl", true);
-user_pref("network.predictor.enable-prefetch", true);
+// user_pref("network.predictor.enable-prefetch", true);
 
 // PREF: DNS pre-resolve <link rel="dns-prefetch">
 // Resolve hostnames ahead of time, to avoid DNS latency.
+// [NOTE] Only allowing secure requests.
 // [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
 // [2] https://css-tricks.com/prefetching-preloading-prebrowsing/#dns-prefetching
-// [3] http://www.mecs-press.org/ijieeb/ijieeb-v7-n5/IJIEEB-V7-N5-2.pdf
+// [3] https://www.keycdn.com/blog/resource-hints#2-dns-prefetching
+// [4] http://www.mecs-press.org/ijieeb/ijieeb-v7-n5/IJIEEB-V7-N5-2.pdf
 user_pref("network.dns.disablePrefetch", true);
-user_pref("network.dns.disablePrefetchFromHTTPS", false);
+user_pref("network.dns.disablePrefetchFromHTTPS", true); // default
 
 // PREF: Preconnect to the autocomplete URL in the address bar
 // Firefox preloads URLs that autocomplete when a user types into the address bar.
 // Connects to destination server ahead of time, to avoid TCP handshake latency.
 // [NOTE] Firefox will perform DNS lookup and TCP and TLS handshake, but will not start sending or receiving HTTP data.
 // [1] https://www.ghacks.net/2017/07/24/disable-preloading-firefox-autocomplete-urls/
-user_pref("browser.urlbar.speculativeConnect.enabled", true); // default
+user_pref("browser.urlbar.speculativeConnect.enabled", false);
 
 // PREF: Link prefetching <link rel="prefetch">
-// Fetch critical resources on the page ahead of time, to accelerate rendering of the page.
+// A directive that tells a browser to fetch a resource that will probably be needed for the next navigation.
-// Websites can provide Firefox with hints as to which page is likely the be accessed next so that it is downloaded right away,
+// The resource will be fetched with extremely low priority (since everything the browser knows
-// even if you don't request that link. The prefetch resource hint tells the browser to go grab a resource even though it
+// is needed in the current page is more important than a resource that we guess might be needed in the next one).
-// hasn’t been requested by the current page, and puts it into cache. Firefox will request the resource at a low
+// Prefetch’s main use case is speeding up the next navigation rather than the current one.
-// priority and only during idle time so that the resource doesn’t compete with anything needed for the current navigation.
 // When the user clicks on a link, or initiates any kind of page load, link prefetching will stop and any prefetch hints will be discarded.
 // [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Privacy_implications
 // [2] http://www.mecs-press.org/ijieeb/ijieeb-v7-n5/IJIEEB-V7-N5-2.pdf
 // [3] https://timkadlec.com/remembers/2020-06-17-prefetching-at-this-age/
-user_pref("network.prefetch-next", true); // default
+// [4] https://3perf.com/blog/link-rels/#prefetch
+user_pref("network.prefetch-next", false);
 
 // PREF: Prefetch links upon hover
 // When you hover over links, connections are established to linked domains and servers automatically to speed up the loading
 // process should you click on the link. To improve the loading speed, Firefox will open predictive connections to sites when
 // the user hovers their mouse over. In case the user follows through with the action, the page can begin loading faster since
-// some of the work was already started in advance.
+// some of the work was already started in advance. Focuses on fetching a resource for the NEXT navigation.
 // [NOTE] TCP and SSL handshakes are set up in advance but page contents are not downloaded until a click on the link is registered.
 // [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests
-// [2] https://www.ghacks.net/2015/08/16/block-firefox-from-connecting-to-sites-when-you-hover-over-links
+// [2] https://www.keycdn.com/blog/resource-hints#prefetch
-user_pref("network.http.speculative-parallel-limit", 6); // default
+// [3] https://3perf.com/blog/link-rels/#prefetch
+user_pref("network.http.speculative-parallel-limit", 0);
 
 // PREF: Preload <link rel=preload>
-// Fetch the entire page with all of its resources ahead of time, to enable instant navigation when triggered by the user.
+// Tells the browser to download and cache a resource (like a script or a stylesheet) as soon as possible.
-// Allows developers to hint to the browser to preload some resources with a higher priority and in advance, which helps the web page to
+// The browser doesn’t do anything with the resource after downloading it. Scripts aren’t executed, stylesheets
-// render and get into the stable and interactive state faster. This spec assumes that sometimes it’s best to always download an asset,
+// aren’t applied. It’s just cached – so that when something else needs it, it’s available immediately.
-// regardless of whether the browser thinks that’s a good idea or not(!). Unlike prefetching assets, which can be ignored, preloading assets
+// Focuses on fetching a resource for the CURRENT navigation.
-// must be requested by the browser.
+// [NOTE] Unlike other pre-connection tags (except modulepreload), this tag is mandatory for the browser.
-// [WARNING] Interferes with content blocking extensions, even if you utilize DNS-level blocking as well. Disable this!
+// A browser is required to download the resource specified in <link rel="preload">. With other tags described here,
-// [1] https://www.janbambas.cz/firefox-enables-link-rel-preload-support/
+// a browser is free to skip preloading the resource if it decides to (e.g. if the network is slow).
-// [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1639607
+// [TESTING] May possibly interfear with content blocking on the webpage.
-// [3] https://css-tricks.com/prefetching-preloading-prebrowsing/#future-option-preloading
+// [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1639607
+// [2] https://w3c.github.io/preload/
+// [3] https://3perf.com/blog/link-rels/#preload
+// [4] https://medium.com/reloading/preload-prefetch-and-priorities-in-chrome-776165961bbf
+// [5] https://www.smashingmagazine.com/2016/02/preload-what-is-it-good-for/#how-can-preload-do-better
+// [6] https://www.keycdn.com/blog/resource-hints#preload
 user_pref("network.preload", false);
 
 // PREF: New tab preload
-// [WARNING] Disabling this causes a delay when opening a new tab.
+// [WARNING] Disabling this causes a delay when opening a new tab in Firefox.
 // [1] https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping
 // [2] https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-source
 // [3] https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-ping
@@ -289,6 +319,7 @@ user_pref("network.IDN_show_punycode", true);
 // connections only when a website does not support it. Unlike HTTPS-Only Mode, Firefox
 // will NOT ask for your permission before connecting to a website that doesn’t support secure connections.
 // [NOTE] HTTPS-Only Mode needs to be disabled for HTTPS First to work.
+// [TEST] http://example.com [upgrade]
 // [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1706552
 user_pref("dom.security.https_first", true);
 user_pref("dom.security.https_first_pbm", true); // default
@@ -297,17 +328,24 @@ user_pref("dom.security.https_first_pbm", true); // default
  * SECTION: HTTPS-ONLY MODE                              *
 ******************************************************************************/
 
-// PREF: HTTPS-only connections
+// Firefox displays a warning page if HTTPS is not supported by a server. Options to use HTTP are then provided.
-// Firefox asks for your permission before connecting to a website that doesn’t support secure connections.
+// [NOTE] When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored.
-// [1] https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/
+// [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On/Off/Off temporarily
-// user_pref("dom.security.https_only_mode", true);
+// [SETTING] Privacy & Security>HTTPS-Only Mode
-// user_pref("dom.security.https_only_mode_ever_enabled", true);
+// [TEST] http://example.com [upgrade]
+// [TEST] http://neverssl.org/ [no upgrade]
+// [1] https://bugzilla.mozilla.org/1613063
+// [2] https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/
 
-// PREF: HTTPS-only connection in Private Browsing windows only
+// PREF: Disable HTTPS-only Mode for Normal Browsing windows
+user_pref("dom.security.https_only_mode", false); // default
+user_pref("dom.security.https_only_mode_ever_enabled", false); // default
+
+// PREF: Enable HTTPS-only Mode for Private Browsing windows
 user_pref("dom.security.https_only_mode_pbm", true);
 user_pref("dom.security.https_only_mode_ever_enabled_pbm", true);
 
-// PREF: Disable HTTP background requests
+// PREF: Disable HTTP background requests in HTTPS-only Mode
 // When attempting to upgrade, if the server doesn't respond within 3 seconds, Firefox
 // sends HTTP requests in order to check if the server supports HTTPS or not.
 // This is done to avoid waiting for a timeout which takes 90 seconds.
@@ -316,7 +354,7 @@ user_pref("dom.security.https_only_mode_ever_enabled_pbm", true);
 user_pref("dom.security.https_only_mode_send_http_background_request", false);
 
 // PREF: Enable HTTPS-Only mode for local resources
-user_pref("dom.security.https_only_mode.upgrade_local", true);
+// user_pref("dom.security.https_only_mode.upgrade_local", true);
 
 /******************************************************************************
  * SECTION: DNS-over-HTTPS                                                    *
@@ -328,8 +366,10 @@ user_pref("dom.security.https_only_mode.upgrade_local", true);
 // [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
 // [2] https://www.internetsociety.org/blog/2018/12/dns-privacy-support-in-mozilla-firefox/
 // 0=off, 2=TRR preferred, 3=TRR only, 5=TRR disabled
-user_pref("network.trr.mode", 3);
+user_pref("network.trr.mode", 2);
-user_pref("network.trr.send_user-agent_headers", false); // default
+user_pref("network.trr.request_timeout_ms", 4000); /* default=1500 */
+// user_pref("network.trr.request_timeout_mode_trronly_ms", 30000); // default
+// user_pref("network.trr.send_user-agent_headers", false); // default
 user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
 
 // PREF: Force FF to always use your custom DNS resolver
@@ -440,7 +480,7 @@ user_pref("network.auth.subresource-http-auth-allow", 1);
 
 // PREF: disable automatic authentication on Microsoft sites [WINDOWS]
 // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1695693,1719301
-user_pref("network.http.windows-sso.enabled", false);
+// user_pref("network.http.windows-sso.enabled", false);
 
 // PREF: Block insecure active content (scripts) on HTTPS pages.
 // [1] https://trac.torproject.org/projects/tor/ticket/21323
@@ -559,7 +599,7 @@ user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
 // PREF: Use Mozilla geolocation service instead of Google when geolocation is enabled
 // user_pref("permissions.default.geo", 0);
 user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
-// PREF: enable logging geolocation to the console
+// Enable logging geolocation to the console
 // user_pref("geo.provider.network.logging.enabled", true);
 
 // PREF: Enforce Firefox blocklist for extensions + No hiding tabs
@@ -568,17 +608,22 @@ user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/
 // [2] https://trac.torproject.org/projects/tor/ticket/16931
 user_pref("extensions.blocklist.enabled", true); // default
 
+// PREF: disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+]
+// [NOTE] In FF65+ on Windows this SETTING (below) is now stored in a file and the pref was removed
+// [SETTING] General>Firefox Updates>Check for updates but let you choose to install them
+user_pref("app.update.auto", false);
+
+// PREF: disable auto-INSTALLING Firefox updates via a background service [FF90+] [WINDOWS]
+// [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running
+// [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows ***/
+user_pref("app.update.background.scheduling.enabled", false);
+
 // PREF: Disable automatic extension updates
 // user_pref("extensions.update.enabled", false);
 // user_pref("extensions.autoupdate.enabled", false);
 // user_pref("extensions.update.url", "");
 // user_pref("extensions.update.background.url", "");
 
-// PREF: disable auto-INSTALLING Firefox updates via a background service
-// [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running
-// [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows ***/
-// user_pref("app.update.background.scheduling.enabled", false);
-
 /******************************************************************************
  * SECTION: TELEMETRY                                                   *
 ******************************************************************************/