SecureFox.js Jan 2022 (#47)
* change PREF to allow Reddit posts
* disable disk cache
* SSL
* Certs
* SSL / TLS and Region
* disable search engine updates
* disable social tracking (breaks Instagram posts)
* uncomment user_pref("toolkit.coverage.endpoint.base", ""); and user_pref("app.normandy.api_url", "");
* ETP forces Custom if socialtracking disabled
* "network.trr.send_user-agent_headers", false); now default
* referer policy
* SSL update
* security.ssl.require_safe_negotiation still breaks some pages
* comment out xOrigin
* comment out pbmode referer
* enable browser.sessionstore.privacy_level
* comment out require safe nego
* disallowCrossSiteRelaxing now default v. 97
* app.update.background.scheduling.enabled deprecated
* items to clear on shutdown
* SESSION RESTORE
* sanitize options
* favicon storing
* OCSP
* TP is default
+249
-48
@@ -11,7 +11,7 @@
|
||||
* SecureFox *
|
||||
* "Natura non constristatur." *
|
||||
* priority: provide sensible security and privacy *
|
||||
* version: December 2021 *
|
||||
* version: January 2022 *
|
||||
* url: https://github.com/yokoffing/Better-Fox *
|
||||
****************************************************************************/
|
||||
|
||||
@@ -28,15 +28,21 @@
|
||||
// [2] https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop
|
||||
// [3] https://www.reddit.com/r/firefox/comments/l7xetb/network_priority_for_firefoxs_enhanced_tracking/gle2mqn/?web2x&context=3
|
||||
user_pref("browser.contentblocking.category", "strict");
|
||||
user_pref("privacy.trackingprotection.enabled", true);
|
||||
user_pref("privacy.trackingprotection.enabled", true); // default
|
||||
user_pref("privacy.trackingprotection.pbmode.enabled", true); // default
|
||||
user_pref("privacy.trackingprotection.cryptomining.enabled", true); // default
|
||||
user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // default
|
||||
user_pref("privacy.trackingprotection.socialtracking.enabled", true);
|
||||
user_pref("privacy.trackingprotection.socialtracking.enabled", true); // enabled with "Strict"
|
||||
user_pref("privacy.socialtracking.block_cookies.enabled", true); // default
|
||||
// user_pref("browser.contentblocking.customBlockList.preferences.ui.enabled", true);
|
||||
|
||||
// PREF: allow embedded tweets and Instagram posts
|
||||
// PREF: Lower the priority of network loads for resources on the tracking protection list.
|
||||
user_pref("privacy.trackingprotection.lower_network_priority", true);
|
||||
|
||||
// PREF: allow embedded tweets and Reddit posts
|
||||
// [TEST] https://www.pcgamer.com/amazing-halo-infinite-bugs-are-already-rolling-in/
|
||||
// [TEST] https://www.ndtv.com/entertainment/bharti-singh-and-husband-haarsh-limbachiyaa-announce-pregnancy-see-trending-post-2646359
|
||||
// [TEST] https://www.thelineofbestfit.com/news/latest-news/cher-and-saweetie-unite-for-new-mac-cosmetics-campaign
|
||||
// [1] https://www.reddit.com/r/firefox/comments/l79nxy/firefox_dev_is_ignoring_social_tracking_preference/gl84ukk
|
||||
// [2] https://www.reddit.com/r/firefox/comments/pvds9m/reddit_embeds_not_loading/
|
||||
user_pref("urlclassifier.trackingSkipURLs", "*.reddit.com, *.twitter.com, *.twimg.com"); // hidden
|
||||
@@ -79,6 +85,12 @@ user_pref("browser.contentblocking.reject-and-isolate-cookies.preferences.ui.ena
|
||||
user_pref("privacy.partition.network_state", true); // default
|
||||
user_pref("privacy.partition.network_state.ocsp_cache", true);
|
||||
user_pref("privacy.partition.serviceWorkers", true);
|
||||
// user_pref("privacy.partition.bloburl_per_agent_cluster", true); // currently the only non-partitioned item in TCP is blobs
|
||||
|
||||
// PREF: Smartblock
|
||||
// [1] https://support.mozilla.org/en-US/kb/smartblock-enhanced-tracking-protection
|
||||
// [2] https://www.youtube.com/watch?v=VE8SrClOTgw
|
||||
user_pref("extensions.webcompat.enable_shims", true); // default
|
||||
|
||||
// PREF: Redirect Tracking Prevention
|
||||
// All storage is cleared (more or less) daily from origins that are known trackers and that
|
||||
@@ -108,13 +120,6 @@ user_pref("dom.battery.enabled", false);
|
||||
// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings
|
||||
// user_pref("permissions.default.xr", 2);
|
||||
|
||||
// PREF: CRLite
|
||||
// This will reduce the number of times an OCSP server needs to be contacted and therefore increase privacy.
|
||||
// [1] https://blog.mozilla.org/security/2020/01/09/crlite-part-2-end-to-end-design/
|
||||
// [2] https://github.com/arkenfox/user.js/issues/1065
|
||||
user_pref("security.pki.crlite_mode", 2);
|
||||
user_pref("security.remote_settings.crlite_filters.enabled", true);
|
||||
|
||||
// PREF: Local Storage Next Generation (LSNG) (DOMStorage)
|
||||
// [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1286798
|
||||
user_pref("dom.storage.next_gen", true); // default
|
||||
@@ -122,27 +127,147 @@ user_pref("dom.storage.next_gen", true); // default
|
||||
// PREF: SameStie Cookies
|
||||
// [1] https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/
|
||||
// [2] https://web.dev/samesite-cookies-explained/
|
||||
// user_pref("network.cookie.sameSite.laxByDefault", true);
|
||||
// user_pref("network.cookie.sameSite.noneRequiresSecure", true);
|
||||
// user_pref("network.cookie.sameSite.schemeful", false); // default
|
||||
user_pref("network.cookie.sameSite.laxByDefault", true); // default
|
||||
user_pref("network.cookie.sameSite.noneRequiresSecure", true); // default
|
||||
user_pref("network.cookie.sameSite.schemeful", false); // default
|
||||
|
||||
// PREF: disable cache
|
||||
// user_pref("browser.cache.disk.enable", true); // default
|
||||
// PREF: WebRTC Global Mute Toggles
|
||||
// user_pref("privacy.webrtc.globalMuteToggles", true);
|
||||
|
||||
/****************************************************************************
|
||||
* SECTION: OSCP & CERTS / HPKP (HTTP Public Key Pinning) *
|
||||
****************************************************************************/
|
||||
// PREF: OCSP (Online Certificate Status Protocol)
|
||||
// [1] https://scotthelme.co.uk/revocation-is-broken/
|
||||
// [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
|
||||
|
||||
// PREF: enforce OCSP fetching to confirm current validity of certificates
|
||||
// 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
|
||||
// OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
|
||||
// It's a trade-off between security (checking) and privacy (leaking info to the CA)
|
||||
// [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
|
||||
// [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers...
|
||||
// [1] https://en.wikipedia.org/wiki/Ocsp ***/
|
||||
user_pref("security.OCSP.enabled", 0); // [DEFAULT: 1]
|
||||
|
||||
// PREF: set OCSP fetch failures (non-stapled, see 1211) to hard-fail
|
||||
// When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
|
||||
// Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
|
||||
// It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
|
||||
// could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
|
||||
// [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
|
||||
// [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
|
||||
// user_pref("security.OCSP.require", true);
|
||||
|
||||
// PREF: disable or limit SHA-1 certificates
|
||||
// 0 = allow all
|
||||
// 1 = block all
|
||||
// 3 = only allow locally-added roots (e.g. anti-virus) (default)
|
||||
// 4 = only allow locally-added roots or for certs in 2015 and earlier
|
||||
// If you have problems, update your software: SHA-1 is obsolete
|
||||
// [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/
|
||||
user_pref("security.pki.sha1_enforcement_level", 1);
|
||||
|
||||
// PREF: enable strict pinning
|
||||
// PKP (Public Key Pinning) 0=disabled, 1=allow user MiTM (such as your antivirus), 2=strict
|
||||
// If you rely on an AV (antivirus) to protect your web browsing
|
||||
// by inspecting ALL your web traffic, then leave at current default=1
|
||||
// [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206
|
||||
user_pref("security.cert_pinning.enforcement_level", 2);
|
||||
|
||||
// PREF: CRLite
|
||||
// This will reduce the number of times an OCSP server needs to be contacted and therefore increase privacy.
|
||||
// [1] https://blog.mozilla.org/security/2020/01/09/crlite-part-2-end-to-end-design/
|
||||
// [2] https://github.com/arkenfox/user.js/issues/1065
|
||||
user_pref("security.pki.crlite_mode", 2);
|
||||
user_pref("security.remote_settings.crlite_filters.enabled", true);
|
||||
|
||||
/****************************************************************************
|
||||
* SECTION: SSL (Secure Sockets Layer) / TLS (Transport Layer Security) *
|
||||
****************************************************************************/
|
||||
|
||||
// PREF: display warning on the padlock for "broken security"
|
||||
// Bug: warning padlock not indicated for subresources on a secure page! [2]
|
||||
// [TEST] (January 2022) https://www.unibs.it/it
|
||||
// [1] https://wiki.mozilla.org/Security:Renegotiation
|
||||
// [2] https://bugzilla.mozilla.org/1353705
|
||||
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
|
||||
|
||||
// PREF: require safe negotiation
|
||||
// Blocks connections (SSL_ERROR_UNSAFE_NEGOTIATION) to servers that don't support RFC 5746 [2]
|
||||
// as they're potentially vulnerable to a MiTM attack [3]. A server without RFC 5746 can be
|
||||
// safe from the attack if it disables renegotiations but the problem is that the browser can't
|
||||
// know that. Setting this pref to true is the only way for the browser to ensure there will be
|
||||
// no unsafe renegotiations on the channel between the browser and the server.
|
||||
// [STATS] SSL Labs (January 2022) reports that over 99.2% of top sites have secure renegotiation [4]
|
||||
// [1] https://wiki.mozilla.org/Security:Renegotiation
|
||||
// [2] https://datatracker.ietf.org/doc/html/rfc5746
|
||||
// [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
|
||||
// [4] https://www.ssllabs.com/ssl-pulse/
|
||||
// user_pref("security.ssl.require_safe_negotiation", true);
|
||||
|
||||
// PREF: display advanced information on Insecure Connection warning pages
|
||||
// only works when it's possible to add an exception
|
||||
// i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/)
|
||||
// [TEST] https://expired.badssl.com/ ***/
|
||||
user_pref("browser.xul.error_pages.expert_bad_cert", true);
|
||||
|
||||
// PREF: control "Add Security Exception" dialog on SSL warnings
|
||||
// 0=do neither, 1=pre-populate url, 2=pre-populate url + pre-fetch cert (default)
|
||||
// [1] https://github.com/pyllyukko/user.js/issues/210
|
||||
user_pref("browser.ssl_override_behavior", 1);
|
||||
|
||||
// PREF: disable TLS1.3 0-RTT (round-trip time) [FF51+]
|
||||
// This data is not forward secret, as it is encrypted solely under keys derived using
|
||||
// the offered PSK. There are no guarantees of non-replay between connections
|
||||
// [1] https://github.com/tlswg/tls13-spec/issues/1001
|
||||
// [2] https://www.rfc-editor.org/rfc/rfc9001.html#name-replay-attacks-with-0-rtt
|
||||
// [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/
|
||||
user_pref("security.tls.enable_0rtt_data", false);
|
||||
|
||||
/****************************************************************************
|
||||
* SECTION: DISK AVOIDANCE *
|
||||
****************************************************************************/
|
||||
|
||||
// PREF: disable disk cache
|
||||
// [NOTE] If you think disk cache helps perf, then feel free to override this
|
||||
user_pref("browser.cache.disk.enable", false);
|
||||
|
||||
// PREF: disable media cache from writing to disk in Private Browsing
|
||||
// [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB
|
||||
user_pref("browser.privatebrowsing.forceMediaMemoryCache", true);
|
||||
user_pref("media.memory_cache_max_size", 65536); // 8x default size of 8192 [performance enhancement]
|
||||
|
||||
// PREF: disable storing extra session data
|
||||
// define on which sites to save extra session data such as form content, cookies and POST data
|
||||
// 0=everywhere, 1=unencrypted sites, 2=nowhere
|
||||
user_pref("browser.sessionstore.privacy_level", 2);
|
||||
|
||||
// PREF: disable shortcut favicons from being stored in profile
|
||||
user_pref("browser.shell.shortcutFavicons", false);
|
||||
|
||||
// PREF: disable page thumbnails capturing
|
||||
user_pref("browser.pagethumbnails.capturing_disabled", true); // [depreciated?]
|
||||
|
||||
// PREF: set the minimum interval between session save operations
|
||||
// Increasing this can help on older machines and some websites, as well as reducing writes
|
||||
// [1] https://bugzilla.mozilla.org/1304389
|
||||
// user_pref("browser.sessionstore.interval", 30000); // [DEFAULT: 15000]
|
||||
|
||||
// PREF: disable automatic Firefox start and session restore after reboot [WINDOWS]
|
||||
// [1] https://bugzilla.mozilla.org/603903
|
||||
// user_pref("toolkit.winRegisterApplicationRestart", false);
|
||||
|
||||
// PREF: disable offline cache (appCache)
|
||||
// [WARNING] The API is easily fingerprinted, do not disable!
|
||||
// [1] https://github.com/arkenfox/user.js/issues/1055
|
||||
// user_pref("browser.cache.offline.enable", false);
|
||||
|
||||
// PREF: WebRTC Global Mute Toggles
|
||||
// user_pref("privacy.webrtc.globalMuteToggles", true);
|
||||
|
||||
// PREF: set third-party cookies to session-only
|
||||
user_pref("network.cookie.thirdparty.sessionOnly", true);
|
||||
user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true);
|
||||
|
||||
// PREF: delete all cookies after a certain period of time
|
||||
// ALTERNATIVE: Use a cookie manager extension
|
||||
// user_pref("network.cookie.lifetimePolicy", 3);
|
||||
// user_pref("network.cookie.lifetime.days", 7);
|
||||
|
||||
@@ -156,13 +281,13 @@ user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true);
|
||||
// Regardless of what you set privacy.cpd.downloads to, as soon as the dialog
|
||||
// for "Clear Recent History" is opened, it is synced to the same as 'history'.
|
||||
// user_pref("privacy.cpd.downloads", true); // not used, see note above
|
||||
user_pref("privacy.cpd.history", true); // Browsing & Download History
|
||||
user_pref("privacy.cpd.formdata", true); // Form & Search History
|
||||
user_pref("privacy.cpd.offlineApps", true); // Offline Website Data
|
||||
user_pref("privacy.cpd.cache", true); // Cache
|
||||
user_pref("privacy.cpd.history", true); // Browsing & Download History [DEFAULT]
|
||||
user_pref("privacy.cpd.formdata", true); // Form & Search History [DEFAULT]
|
||||
user_pref("privacy.cpd.offlineApps", false); // Offline Website Data [DEFAULT]
|
||||
user_pref("privacy.cpd.cache", true); // Cache [DEFAULT]
|
||||
user_pref("privacy.cpd.cookies", false); // Cookies
|
||||
user_pref("privacy.cpd.sessions", false); // Active Logins
|
||||
user_pref("privacy.cpd.siteSettings", false); // Site Preferences
|
||||
user_pref("privacy.cpd.sessions", false); // Active Logins [DEFAULT]
|
||||
// user_pref("privacy.cpd.siteSettings", false); // Site Preferences [DEFAULT]
|
||||
|
||||
// PREF: reset default 'Time range to clear' for 'Clear Recent History'.
|
||||
// Firefox remembers your last choice. This will reset the value when you start Firefox.
|
||||
@@ -172,9 +297,44 @@ user_pref("privacy.cpd.siteSettings", false); // Site Preferences
|
||||
// blank value if they are used, but they do work as advertised.
|
||||
user_pref("privacy.sanitize.timeSpan", 0);
|
||||
|
||||
// PREF: keep cookies until the browser is closed, then delete everything minus exceptions
|
||||
user_pref("network.cookie.lifetimePolicy", 2);
|
||||
|
||||
// PREF: this way of sanitizing would override the exceptions set by the users and just delete everything,
|
||||
// therefore we tell it to delete everything but ignore data needed to stay logged into websites set
|
||||
// manually as exceptions.
|
||||
|
||||
// PREF: enable Firefox to clear items on shutdown
|
||||
// [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/
|
||||
// user_pref("privacy.sanitize.sanitizeOnShutdown", true);
|
||||
|
||||
// PREF: set what items to clear on shutdown
|
||||
// These items do not use exceptions, it is all or nothing
|
||||
// [NOTE] If "history" is true, downloads will also be cleared
|
||||
// [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies
|
||||
// [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
|
||||
// [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings
|
||||
// [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/
|
||||
user_pref("privacy.clearOnShutdown.cache", true); // [DEFAULT]
|
||||
user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT]
|
||||
user_pref("privacy.clearOnShutdown.formdata", true); // [DEFAULT]
|
||||
user_pref("privacy.clearOnShutdown.history", true); // [DEFAULT]
|
||||
user_pref("privacy.clearOnShutdown.sessions", true); // [DEFAULT]
|
||||
user_pref("privacy.clearOnShutdown.offlineApps", false); // [DEFAULT]
|
||||
user_pref("privacy.clearOnShutdown.cookies", false);
|
||||
// user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT]
|
||||
|
||||
// PREF: set History section to show all options
|
||||
user_pref("privacy.history.custom", true);
|
||||
|
||||
/* override recipe: enable session restore ***/
|
||||
/* override recipe: keep some cookies (+ other optional site data) on exit ***/
|
||||
user_pref("browser.startup.page", 3);
|
||||
// user_pref("places.history.enabled", true);
|
||||
// user_pref("network.cookie.lifetimePolicy", 2); // session cookies
|
||||
user_pref("privacy.clearOnShutdown.cookies", false); // 2811
|
||||
user_pref("privacy.clearOnShutdown.offlineApps", false); // 2811 optional
|
||||
|
||||
/******************************************************************************
|
||||
* SECTION: SPECULATIVE CONNECTIONS *
|
||||
******************************************************************************/
|
||||
@@ -289,6 +449,11 @@ user_pref("browser.search.separatePrivateDefault.ui.enabled", true);
|
||||
user_pref("browser.search.suggest.enabled", false);
|
||||
user_pref("browser.search.suggest.enabled.private", false); // default
|
||||
|
||||
// PREF: disable location bar leaking single words to a DNS provider after searching
|
||||
// 0=never resolve single words, 1=heuristic (default), 2=always resolve
|
||||
// [1] https://bugzilla.mozilla.org/1642623
|
||||
user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
|
||||
|
||||
// PREF: disable Firefox Suggest
|
||||
user_pref("browser.urlbar.groupLabels.enabled", false);
|
||||
user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
|
||||
@@ -303,7 +468,7 @@ user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
|
||||
// and is a security risk (e.g. common typos & malicious sites set up to exploit this).
|
||||
user_pref("browser.fixup.alternate.enabled", false);
|
||||
|
||||
// PREF: "Not Secure" text in the URL bar on HTTP sites
|
||||
// PREF: display "Not Secure" text on HTTP sites
|
||||
user_pref("security.insecure_connection_text.enabled", true);
|
||||
user_pref("security.insecure_connection_text.pbmode.enabled", true);
|
||||
|
||||
@@ -332,6 +497,8 @@ user_pref("network.IDN_show_punycode", true);
|
||||
// [NOTE] HTTPS-Only Mode needs to be disabled for HTTPS First to work.
|
||||
// [TEST] http://example.com [upgrade]
|
||||
// [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1706552
|
||||
// [2] https://web.dev/why-https-matters/
|
||||
// [3] https://www.cloudflare.com/learning/ssl/why-use-https/
|
||||
user_pref("dom.security.https_first", true);
|
||||
user_pref("dom.security.https_first_pbm", true); // default
|
||||
|
||||
@@ -347,6 +514,8 @@ user_pref("dom.security.https_first_pbm", true); // default
|
||||
// [TEST] http://neverssl.org/ [no upgrade]
|
||||
// [1] https://bugzilla.mozilla.org/1613063
|
||||
// [2] https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/
|
||||
// [3] https://web.dev/why-https-matters/
|
||||
// [4] https://www.cloudflare.com/learning/ssl/why-use-https/
|
||||
|
||||
// PREF: disable HTTPS-only Mode for Normal Browsing windows
|
||||
user_pref("dom.security.https_only_mode", false); // default
|
||||
@@ -378,9 +547,8 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false);
|
||||
// [2] https://www.internetsociety.org/blog/2018/12/dns-privacy-support-in-mozilla-firefox/
|
||||
// 0=off, 2=TRR preferred, 3=TRR only, 5=TRR disabled
|
||||
user_pref("network.trr.mode", 2);
|
||||
user_pref("network.trr.request_timeout_ms", 4000); /* default=1500 */
|
||||
// user_pref("network.trr.request_timeout_mode_trronly_ms", 30000); // default
|
||||
// user_pref("network.trr.send_user-agent_headers", false); // default
|
||||
// user_pref("network.trr.request_timeout_ms", 4000); /* default=1500 */
|
||||
user_pref("network.trr.send_user-agent_headers", false); // default
|
||||
user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
|
||||
// Temporary workaround for DNS leak with DOH active:
|
||||
// [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1730418
|
||||
@@ -542,15 +710,42 @@ user_pref("dom.targetBlankNoOpener.enabled", true); // default
|
||||
// string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks.
|
||||
user_pref("privacy.window.name.update.enabled", true); // default
|
||||
|
||||
// PREF: Downgrade Cross-Origin (Third-Party) Referers
|
||||
// CROSS ORIGIN: control when to send a referer
|
||||
// [1] https://github.com/arkenfox/user.js/issues/1077
|
||||
/******************************************************************************
|
||||
* SECTION: HEADERS / REFERERS *
|
||||
******************************************************************************/
|
||||
|
||||
// PREF: Set the default Referrer Policy; to be used unless overriden by the site.
|
||||
// 0=no-referrer, 1=same-origin, 2=strict-origin-when-cross-origin (default),
|
||||
// 3=no-referrer-when-downgrade.
|
||||
// [TEST https://www.sportskeeda.com/mma/news-joe-rogan-accuses-cnn-altering-video-color-make-look-sick
|
||||
// [1] https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy/
|
||||
// [2] https://web.dev/referrer-best-practices/
|
||||
// [3] https://plausible.io/blog/referrer-policy
|
||||
user_pref("network.http.referer.defaultPolicy", 2); // default
|
||||
user_pref("network.http.referer.defaultPolicy.pbmode", 2); // default
|
||||
|
||||
// PREF: Set the default Referrer Policy applied to third-party trackers when the
|
||||
// default cookie policy is set to reject third-party trackers; to be used
|
||||
// unless overriden by the site.
|
||||
// [NOTE] Trim referrers from trackers to origins by default ***/
|
||||
// 0=no-referrer, 1=same-origin, 2=strict-origin-when-cross-origin (default),
|
||||
// 3=no-referrer-when-downgrade.
|
||||
user_pref("network.http.referer.defaultPolicy.trackers", 1);
|
||||
user_pref("network.http.referer.defaultPolicy.trackers.pbmode", 1);
|
||||
|
||||
// PREF: control when to send a cross-origin referer
|
||||
// 0=always (default), 1=only if base domains match, 2=only if hosts match
|
||||
user_pref("network.http.referer.XOriginPolicy", 0); // default
|
||||
// Control the amount of information to send.
|
||||
// 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port
|
||||
// [NOTE] Known to cause issues with some sites (e.g., Vimeo, iCloud, Instagram) ***/
|
||||
// user_pref("network.http.referer.XOriginPolicy", 2);
|
||||
|
||||
// PREF: control the amount of cross-origin information to send
|
||||
// 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
|
||||
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
|
||||
|
||||
// PREF: disable relaxing referer for cross-site navigations
|
||||
user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true); // default in v. 97
|
||||
user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.pbmode", true); // default
|
||||
|
||||
/******************************************************************************
|
||||
* SECTION: VARIOUS *
|
||||
******************************************************************************/
|
||||
@@ -621,27 +816,33 @@ user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/
|
||||
// PREF: Enable logging geolocation to the console
|
||||
// user_pref("geo.provider.network.logging.enabled", true);
|
||||
|
||||
// PREF: disable using the OS's geolocation service
|
||||
user_pref("geo.provider.ms-windows-location", false); // [WINDOWS]
|
||||
user_pref("geo.provider.use_corelocation", false); // [MAC]
|
||||
user_pref("geo.provider.use_gpsd", false); // [LINUX]
|
||||
|
||||
// PREF: disable region updates
|
||||
// [1] https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html
|
||||
user_pref("browser.region.network.url", "");
|
||||
user_pref("browser.region.update.enabled", false);
|
||||
|
||||
// PREF: Enforce Firefox blocklist for extensions + No hiding tabs
|
||||
// This includes updates for "revoked certificates".
|
||||
// [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
|
||||
// [2] https://trac.torproject.org/projects/tor/ticket/16931
|
||||
user_pref("extensions.blocklist.enabled", true); // default
|
||||
|
||||
// PREF: disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+]
|
||||
// PREF: disable auto-INSTALLING Firefox updates [NON-WINDOWS] [move to Pesky]
|
||||
// [NOTE] In FF65+ on Windows this SETTING (below) is now stored in a file and the pref was removed
|
||||
// [SETTING] General>Firefox Updates>Check for updates but let you choose to install them
|
||||
user_pref("app.update.auto", false);
|
||||
// user_pref("app.update.auto", false);
|
||||
|
||||
// PREF: disable auto-INSTALLING Firefox updates via a background service [FF90+] [WINDOWS]
|
||||
// [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running
|
||||
// [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows ***/
|
||||
user_pref("app.update.background.scheduling.enabled", false);
|
||||
// PREF: disable search engine updates (e.g. OpenSearch) [move to Pesky]
|
||||
// [NOTE] This does not affect Mozilla's built-in or Web Extension search engines
|
||||
// user_pref("browser.search.update", false);
|
||||
|
||||
// PREF: Disable automatic extension updates
|
||||
// PREF: Disable automatic extension updates [move to Pesky]
|
||||
// user_pref("extensions.update.enabled", false);
|
||||
// user_pref("extensions.autoupdate.enabled", false);
|
||||
// user_pref("extensions.update.url", "");
|
||||
// user_pref("extensions.update.background.url", "");
|
||||
|
||||
/******************************************************************************
|
||||
* SECTION: TELEMETRY *
|
||||
@@ -665,7 +866,7 @@ user_pref("corroborator.enabled", false);
|
||||
// Telemetry Coverage
|
||||
user_pref("toolkit.telemetry.coverage.opt-out", true);
|
||||
user_pref("toolkit.coverage.opt-out", true);
|
||||
// user_pref("toolkit.coverage.endpoint.base", "");
|
||||
user_pref("toolkit.coverage.endpoint.base", "");
|
||||
|
||||
// Health Reports
|
||||
// [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical data.
|
||||
@@ -714,7 +915,7 @@ user_pref("extensions.abuseReport.enabled", false);
|
||||
// PREF: Normandy/Shield [extensions tracking]
|
||||
// Shield is an telemetry system (including Heartbeat) that can also push and test "recipes"
|
||||
user_pref("app.normandy.enabled", false);
|
||||
// user_pref("app.normandy.api_url", "");
|
||||
user_pref("app.normandy.api_url", "");
|
||||
|
||||
// PREF: PingCentre telemetry (used in several System Add-ons)
|
||||
// Currently blocked by 'datareporting.healthreport.uploadEnabled'
|
||||
|
||||