diff --git a/SecureFox.js b/SecureFox.js
index 4dda571..2065be0 100644
--- a/SecureFox.js
+++ b/SecureFox.js
@@ -11,7 +11,7 @@
 * SecureFox *
 * "Natura non constristatur." *
 * priority: provide sensible security and privacy *
- * version: 9 January 2021 *
+ * version: 16 January 2021 *
 * url: https://github.com/yokoffing/Better-Fox *
 ****************************************************************************/
@@ -83,11 +83,12 @@ user_pref("network.cookie.cookieBehavior", 5);
 // PREF: Redirect tracking prevention + Purge site data of sites associated with tracking cookies automatically
 // All storage is cleared (more or less) daily from origins that are known trackers and that
-// haven’t received a top-level user interaction (including scroll) within the last 45 days.
+// haven’t received a top-level user interaction (including scroll) within the last 45 days.
 // https://www.ghacks.net/2020/08/06/how-to-enable-redirect-tracking-in-firefox/
 // https://www.cookiestatus.com/firefox/#other-first-party-storage
 // https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Redirect_tracking_protection
 // https://www.ghacks.net/2020/03/04/firefox-75-will-purge-site-data-if-associated-with-tracking-cookies/
+// https://github.com/arkenfox/user.js/issues/1089
 user_pref("privacy.purge_trackers.enabled", true);
 // user_pref("privacy.purge_trackers.logging.enabled", true);
@@ -104,13 +105,16 @@ user_pref("browser.cache.cache_isolation", true);
 // https://github.com/privacycg/storage-partitioning
 user_pref("privacy.partition.network_state", true);
+// PREF: Enable Local Storage Next Generation (LSNG)
+user_pref("dom.storage.next_gen", true);
+
 /******************************************************************************
 * SECTION: PRELOADING/PREFETCHING *
 ******************************************************************************/
 // DECEMBER 2020 UPDATE:
 // I have altered this section for a mixture of privacy and speed.
-// I recommend you leave off any PREFETCH preferences if you have "Disable pre-fetching" unchecked in uBlock Origin.
+// Leave off any PREFETCH preferences if you use an adblock extension and/or DNS-level adblocking due to wonky page rendering.
 // All PREFETCH preferences continue to be disabled here and in the user.js, but other speed improvements are enabled.
 // NOTE: You can set uBlock Origin to do "Disable pre-fetching" in its settings. This overrides some settings below.
@@ -122,7 +126,6 @@ user_pref("network.dns.disablePrefetchFromHTTPS", true); /* default */
 // PREF: Preload the autocomplete URL in the address bar.
 // Firefox preloads URLs that autocomplete when a user types into the address bar.
-// Largely a net benefit since we have search engine suggestions turned off.
 // NOTE: Firefox will do the server DNS lookup and TCP and TLS handshake but not start sending or receiving HTTP data.
 // https://www.ghacks.net/2017/07/24/disable-preloading-firefox-autocomplete-urls/
 user_pref("browser.urlbar.speculativeConnect.enabled", true); /* default */
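Review bot: The new `dom.storage.next_gen` entry in the first hunk is the only PREF in this file with neither a rationale nor a reference link, and it is placed under the storage-partitioning comments although LSNG is, as far as I can tell, a rewrite of the LocalStorage backend rather than a partitioning control. A one-line why-comment plus a source link like the neighbouring entries would help, e.g. `// LSNG: opt in to the rewritten LocalStorage backend (presumably stability/performance, not partitioning — confirm)`. If this is already the default in the Firefox release the profile targets, mark it `/* default */` as the other entries do, so readers know it is not a deviation. The second hunk only removes a comment line.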
@@ -156,8 +159,13 @@ user_pref("network.predictor.enabled", true); /* default */
 user_pref("network.predictor.enable-hover-on-ssl", true);
 user_pref("network.predictor.enable-prefetch", false); /* default */
-// PREF: Preload New Tab page
+// PREF: Disable new tab tile ads and preload
+// https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping
+// https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-source
+// https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-ping
 user_pref("browser.newtab.preload", true); /* default */
+// user_pref("browser.newtabpage.directory.ping", "");
+// user_pref("browser.newtabpage.activity-stream.asrouter.messageProviders", "");
 /******************************************************************************
 * SECTION: SEARCH / URL BAR *
@@ -216,6 +224,10 @@ user_pref("security.insecure_connection_text.enabled", true);
 // [4] https://www.xudongz.com/blog/2017/idn-phishing/
 user_pref("network.IDN_show_punycode", true);
+/******************************************************************************
+ * SECTION: HTTPS-ONLY MODE *
+******************************************************************************/
+
 // PREF: Allow HTTPS-only connections
 // You can relax this setting per-website.
 // https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/
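Review bot: The retitled heading `// PREF: Disable new tab tile ads and preload` in the first hunk is contradicted by the lines under it: `browser.newtab.preload` stays `true` and both `browser.newtabpage.directory.ping` and `browser.newtabpage.activity-stream.asrouter.messageProviders` are commented out, so nothing in this entry is actually disabled. Either keep the original title for the preload line and start a separate PREF entry for the two inactive tile/ASRouter prefs, or change the title to describe what is really set. The Tiles/DirectoryLinksProvider links describe the legacy directory-tiles feature, which I believe no longer exists in current releases, so it is worth confirming that `browser.newtabpage.directory.ping` still has any effect before citing those documents. The second hunk only adds a section banner.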
@@ -226,6 +238,16 @@ user_pref("dom.security.https_only_mode_ever_enabled", true);
 // user_pref("dom.security.https_only_mode_pbm", true);
 // user_pref("dom.security.https_only_mode_ever_enabled_pbm", true);
+// PREF: Disable HTTP background requests
+// When attempting to upgrade, if the server doesn't respond within 3 seconds, Firefox
+// sends HTTP requests in order to check if the server supports HTTPS or not.
+// This is done to avoid waiting for a timeout which takes 90 seconds.
+// https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945
+user_pref("dom.security.https_only_mode_send_http_background_request", false);
+
+// PREF: Enable HTTPS-Only mode for local resources
+// user_pref("dom.security.https_only_mode.upgrade_local", true);
+
 /******************************************************************************
 * SECTION: DNS-over-HTTPS *
 ******************************************************************************/
@@ -334,7 +356,11 @@ user_pref("security.mixed_content.upgrade_display_content", true);
 // PREF: Block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks
 // https://bugzilla.mozilla.org/1190623
-// user_pref("security.mixed_content.block_object_subrequest", true);
+user_pref("security.mixed_content.block_object_subrequest", true);
+
+// PREF: Block insecure downloads from secure sites
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1660952
+// user_pref("dom.block_download_insecure", true);
 /******************************************************************************
 * SECTION: VARIOUS SECURITY/PRIVACY ENHANCEMENTS *
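Review bot: The comment block for `dom.security.https_only_mode_send_http_background_request` in the first hunk explains what the background request does but not why it is being turned off or what the user gives up, which is the part a reader of a security profile needs. Suggest appending `// Disabled: the probe is a plaintext HTTP request to the site, so the attempted visit is visible on the wire; the cost is waiting out the full timeout on HTTP-only hosts.` In the second hunk, `dom.block_download_insecure` is added commented out with no reason recorded; a short note stating why it is left off (compatibility with HTTP downloads from HTTPS pages, or already the default in the targeted release — whichever applies) would stop the next reader from flipping it without context.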
@@ -375,6 +401,27 @@ user_pref("pdfjs.disabled", false);
 // https://quic.rocks
 // user_pref("network.http.http3.enabled", true);
+// PREF: Enable "window.name" protection
+// If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original
+// string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks.
+user_pref("privacy.window.name.update.enabled", true);
+
+// PREF: Downgrade Cross-Origin (Third-Party) Referers
+// CROSS ORIGIN: control when to send a referer
+// 0=always (default), 1=only if base domains match, 2=only if hosts match
+// https://github.com/arkenfox/user.js/issues/1077
+// user_pref("network.http.referer.XOriginPolicy", 0);
+// Control the amount of information to send.
+// 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port
+// user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
+
+// PREF: CRLite
+// This will reduce the number of times an OCSP server needs to be contacted and therefore increase privacy.
+// https://blog.mozilla.org/security/2020/01/09/crlite-part-2-end-to-end-design/
+// https://github.com/arkenfox/user.js/issues/1065
+user_pref("security.pki.crlite_mode", 2);
+user_pref("security.remote_settings.crlite_filters.enabled", true);
+
 /******************************************************************************
 * SECTION: GOOGLE *
 ******************************************************************************/
@@ -426,7 +473,6 @@ user_pref("toolkit.telemetry.updatePing.enabled", false);
 user_pref("toolkit.telemetry.bhrPing.enabled", false);
 user_pref("toolkit.telemetry.firstShutdownPing.enabled", false);
 user_pref("toolkit.telemetry.coverage.opt-out", true);
-user_pref("toolkit.coverage.opt-out", true);
 user_pref("toolkit.coverage.endpoint.base", "");
 user_pref("app.shield.optoutstudies.enabled", false);
 user_pref("browser.discovery.enabled", false);
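Review bot: `security.pki.crlite_mode` in the first hunk is set to the bare value `2` with no legend, while the referer prefs directly above it enumerate what 0/1/2 mean; the CRLite modes deserve the same treatment. My understanding is that `0` disables CRLite, `1` consults the filters but still relies on OCSP, and `2` enforces the CRLite result, so a legend along the lines of `// 0=disabled, 1=telemetry only (OCSP still used), 2=enforce CRLite` would fit the file's style — verify the values against Mozilla's documentation before committing it. The comment should also say that `security.remote_settings.crlite_filters.enabled` is what downloads the filters, which is why the two prefs are paired and why enforcement presumably only applies to issuers the filters cover. The second hunk is a pure deletion of a duplicated pref.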