crlite notes

Fastfox.js

@@ -3,7 +3,7 @@
  * Fastfox                                                                              *
  * "Non ducor duco"                                                                     *
  * priority: speedy browsing                                                            *
- * version: 144                                                                         *
+ * version: 146                                                                         *
  * url: https://github.com/yokoffing/Betterfox                                          *
  ***************************************************************************************/
 
@@ -543,11 +543,11 @@ user_pref("network.prefetch-next", false);
 // [2] https://www.ghacks.net/2014/05/11/seer-disable-firefox/
 // [3] https://github.com/dillbyrne/random-agent-spoofer/issues/238#issuecomment-110214518
 // [4] https://www.igvita.com/posa/high-performance-networking-in-google-chrome/#predictor
-user_pref("network.predictor.enabled", false);
+//user_pref("network.predictor.enabled", false); // [DEFAULT: false FF144+]
 
 // PREF: Network Predictor fetch for resources ahead of time
 // Prefetch page resources based on past user behavior.
-//user_pref("network.predictor.enable-prefetch", false); // DEFAULT
+//user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false]
 
 // PREF: make Network Predictor active when hovering over links
 // When hovering over links, Network Predictor uses past resource history to

Securefox.js

@@ -277,8 +277,8 @@ user_pref("security.OCSP.enabled", 0);
 // CRLite is faster and more private than OCSP [2].
 // 0 = disabled
 // 1 = consult CRLite but only collect telemetry
-// 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results
-// 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" [FF99+, default FF100+]
+// 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results (default)
+// 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (removed FF145)
 // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071
 // [2] https://blog.mozilla.org/security/tag/crlite/
 //user_pref("security.remote_settings.crlite_filters.enabled", true); // [DEFAULT: true FF137+]
@@ -322,7 +322,7 @@ user_pref("security.OCSP.enabled", 0);
 //user_pref("browser.contentanalysis.default_result", 0; // [FF127+] [DEFAULT]
 
 // PREF: disable referrer and storage access for resources injected by content scripts [FF139+]
-//user_pref("privacy.antitracking.isolateContentScriptResources", true);
+user_pref("privacy.antitracking.isolateContentScriptResources", true);
 
 // PREF: disable CSP Level 2 Reporting [FF140+]
 // [1] https://github.com/yokoffing/Betterfox/issues/415
@@ -661,16 +661,14 @@ user_pref("network.IDN_show_punycode", true);
 /******************************************************************************
  * SECTION: HTTPS-FIRST POLICY                          *
 ******************************************************************************/
-
 // PREF: HTTPS-First Policy
 // Firefox attempts to make all connections to websites secure,
 // and falls back to insecure connections only when a website
 // does not support it. Unlike HTTPS-Only Mode, Firefox
 // will NOT ask for your permission before connecting to a website
 // that doesn’t support secure connections.
-// As of August 2023, Google estimates that 5-10% of traffic
-// has remained on HTTP, allowing attackers to eavesdrop
-// on or change that data [6].
+// As of October 2025, Google estimates that 3-5% of traffic
+// is insecure, allowing attackers to eavesdrop on or change that data [8].
 // [NOTE] HTTPS-Only Mode needs to be disabled for HTTPS First to work.
 // [TEST] http://example.com [upgrade]
 // [TEST] http://httpforever.com/ [no upgrade]
@@ -681,10 +679,21 @@ user_pref("network.IDN_show_punycode", true);
 // [5] https://www.cloudflare.com/learning/ssl/why-use-https/
 // [6] https://blog.chromium.org/2023/08/towards-https-by-default.html
 // [7] https://attackanddefense.dev/2025/03/31/https-first-in-firefox-136.html
+// [8] https://security.googleblog.com/2025/10/https-by-default.html
 //user_pref("dom.security.https_first", true); // [DEFAULT FF136+]
 //user_pref("dom.security.https_first_pbm", true); // [DEFAULT FF91+]
 //user_pref("dom.security.https_first_schemeless", true); // [FF120+] [DEFAULT FF129+]
 
+// PREF: block insecure passive content (images) on HTTPS pages
+// [WARNING] This preference blocks all mixed content, including upgradable.
+// Firefox still attempts an HTTP connection if it can't find a secure one,
+// even with HTTPS First Policy. Although rare, this leaves a small risk of
+// a malicious image being served through a MITM attack.
+// Disable this pref if using HTTPS-Only Mode.
+// [NOTE] Enterprise users may need to enable this setting [1].
+// [1] https://blog.mozilla.org/security/2024/06/05/firefox-will-upgrade-more-mixed-content-in-version-127/
+//user_pref("security.mixed_content.block_display_content", true); // Defense-in-depth (see HTTPS-Only mode)
+
 /******************************************************************************
  * SECTION: HTTPS-ONLY MODE                              *
 ******************************************************************************/
@@ -693,9 +702,8 @@ user_pref("network.IDN_show_punycode", true);
 // by a server. Options to use HTTP are then provided.
 // [NOTE] When "https_only_mode" (all windows) is true,
 // "https_only_mode_pbm" (private windows only) is ignored.
-// As of August 2023, Google estimates that 5-10% of traffic
-// has remained on HTTP, allowing attackers to eavesdrop
-// on or change that data [5].
+// As of October 2025, Google estimates that 3-5% of traffic
+// is insecure, allowing attackers to eavesdrop on or change that data [6].
 // [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On/Off/Off temporarily
 // [SETTING] Privacy & Security>HTTPS-Only Mode
 // [TEST] http://example.com [upgrade]
@@ -705,17 +713,23 @@ user_pref("network.IDN_show_punycode", true);
 // [3] https://web.dev/why-https-matters/
 // [4] https://www.cloudflare.com/learning/ssl/why-use-https/
 // [5] https://blog.chromium.org/2023/08/towards-https-by-default.html
+// [6] https://security.googleblog.com/2025/10/https-by-default.html
 
-// PREF: enable HTTPS-only Mode
-//user_pref("dom.security.https_only_mode_pbm", true); // Private Browsing windows only
-//user_pref("dom.security.https_only_mode", true); // Normal + Private Browsing windows
+// PREF: enable HTTPS-Only mode in all windows
+// When the top-level is HTTPS, insecure subresources are also upgraded (silent fail)
+// [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On (after "Continue to HTTP Site")
+// [SETTING] Privacy & Security>HTTPS-Only Mode (and manage exceptions)
+// [TEST] http://example.com [upgrade]
+// [TEST] http://httpforever.com/ | http://http.rip [no upgrade]
+user_pref("dom.security.https_only_mode", true); // [FF76+]
+    //user_pref("dom.security.https_only_mode_pbm", true); // [FF80+] Private Browsing windows only
 
 // PREF: offer suggestion for HTTPS site when available
 // [1] https://x.com/leli_gibts_scho/status/1371463866606059528
-//user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
+user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
 
 // PREF: HTTP background requests in HTTPS-only Mode
-// When attempting to upgrade, if the server doesn't respond within 3 seconds[=default time],
+// When attempting to upgrade, if the server doesn't respond within a few seconds,
 // Firefox sends HTTP requests in order to check if the server supports HTTPS or not.
 // This is done to avoid waiting for a timeout which takes 90 seconds.
 // Firefox only sends top level domain when falling back to http.
@@ -724,10 +738,6 @@ user_pref("network.IDN_show_punycode", true);
 // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945
 // [2] https://blog.mozilla.org/attack-and-defense/2021/03/10/insights-into-https-only-mode/
 //user_pref("dom.security.https_only_mode_send_http_background_request", true); // DEFAULT
-    //user_pref("dom.security.https_only_fire_http_request_background_timer_ms", 3000); // DEFAULT
-
-// PREF: disable HTTPS-Only mode for local resources
-//user_pref("dom.security.https_only_mode.upgrade_local", false); // DEFAULT
 
 /******************************************************************************
  * SECTION: DNS-over-HTTPS                                                    *
@@ -924,6 +934,10 @@ user_pref("editor.truncate_user_pastes", false);
 // [DO NOT TOUCH] Icons will double-up if the website implements it natively.
 //user_pref("layout.forms.reveal-password-button.enabled", true); // always show icon in password fields
 
+// PREF: disable automatic authentication on Microsoft sites [WINDOWS]
+// [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1695693,1719301
+//user_pref("network.http.windows-sso.enabled", false);
+
 /****************************************************************************
  * SECTION: ADDRESS + CREDIT CARD MANAGER                                   *
 ****************************************************************************/
@@ -935,32 +949,6 @@ user_pref("editor.truncate_user_pastes", false);
 //user_pref("extensions.formautofill.addresses.enabled", false);
 //user_pref("extensions.formautofill.creditCards.enabled", false);
 
-/******************************************************************************
- * SECTION: MIXED CONTENT + CROSS-SITE                                       *
-******************************************************************************/
-
-// PREF: block insecure passive content (images) on HTTPS pages
-// [WARNING] This preference blocks all mixed content, including upgradable.
-// Firefox still attempts an HTTP connection if it can't find a secure one,
-// even with HTTPS First Policy. Although rare, this leaves a small risk of
-// a malicious image being served through a MITM attack.
-// Disable this pref if using HTTPS-Only Mode.
-// [NOTE] Enterprise users may need to enable this setting [1].
-// [1] https://blog.mozilla.org/security/2024/06/05/firefox-will-upgrade-more-mixed-content-in-version-127/
-user_pref("security.mixed_content.block_display_content", true);
-
-// PREF: allow PDFs to load javascript
-// https://www.reddit.com/r/uBlockOrigin/comments/mulc86/firefox_88_now_supports_javascript_in_pdf_files/
-user_pref("pdfjs.enableScripting", false);
-
-// PREF: disable middle click on new tab button opening URLs or searches using clipboard [FF115+]
-// Enable if you're using LINUX.
-//user_pref("browser.tabs.searchclipboardfor.middleclick", false); // DEFAULT WINDOWS macOS
-
-// PREF: disable automatic authentication on Microsoft sites [WINDOWS]
-// [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1695693,1719301
-//user_pref("network.http.windows-sso.enabled", false);
-
 /****************************************************************************
  * SECTION: EXTENSIONS                                                      *
 ****************************************************************************/
@@ -1195,6 +1183,27 @@ user_pref("privacy.userContext.ui.enabled", true);
 // If this is less than 5, then pasting code into the web console is disabled.
 //user_pref("devtools.selfxss.count", 5);
 
+// PREF: disable middle click on new tab button opening URLs or searches using clipboard [FF115+]
+// Enable if you're using LINUX.
+//user_pref("browser.tabs.searchclipboardfor.middleclick", false); // DEFAULT WINDOWS macOS
+
+// PREF: do not allow PDFs to load javascript
+// [1] https://www.reddit.com/r/uBlockOrigin/comments/mulc86/firefox_88_now_supports_javascript_in_pdf_files/
+
+// PREF: enforce PDFJS, disable PDFJS scripting
+// This setting controls if the option "Display in Firefox" is available in the setting below
+// and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With").
+// [WHY] pdfjs is lightweight, open source, and secure: the last exploit was June 2015 [1].
+// It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
+// It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
+// [NOTE] JS can still force a pdf to open in-browser by bundling its own code.
+// [SETUP-CHROME] You may prefer a different pdf reader for security/workflow reasons.
+// [SETTING] General>Applications>Portable Document Format (PDF)
+// [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox
+// [2] https://www.reddit.com/r/uBlockOrigin/comments/mulc86/firefox_88_now_supports_javascript_in_pdf_files/
+//user_pref("pdfjs.disabled", false); // [DEFAULT: false]
+user_pref("pdfjs.enableScripting", false); // [FF86+]
+
  /******************************************************************************
  * SECTION: SAFE BROWSING (SB)                                               *
 ******************************************************************************/

user.js

@@ -61,7 +61,6 @@ user_pref("network.dns.disablePrefetchFromHTTPS", true);
 user_pref("browser.urlbar.speculativeConnect.enabled", false);
 user_pref("browser.places.speculativeConnect.enabled", false);
 user_pref("network.prefetch-next", false);
-user_pref("network.predictor.enabled", false);
 
 /****************************************************************************
  * SECTION: SECUREFOX                                                       *
@@ -75,6 +74,7 @@ user_pref("privacy.globalprivacycontrol.enabled", true);
 
 /** OCSP & CERTS / HPKP ***/
 user_pref("security.OCSP.enabled", 0);
+user_pref("privacy.antitracking.isolateContentScriptResources", true);
 user_pref("security.csp.reporting.enabled", false);
 
 /** SSL / TLS ***/
@@ -100,16 +100,16 @@ user_pref("browser.urlbar.groupLabels.enabled", false);
 user_pref("browser.formfill.enable", false);
 user_pref("network.IDN_show_punycode", true);
 
+/** HTTPS-ONLY MODE ***/
+user_pref("dom.security.https_only_mode", true);
+user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
+
 /** PASSWORDS ***/
 user_pref("signon.formlessCapture.enabled", false);
 user_pref("signon.privateBrowsingCapture.enabled", false);
 user_pref("network.auth.subresource-http-auth-allow", 1);
 user_pref("editor.truncate_user_pastes", false);
 
-/** MIXED CONTENT + CROSS-SITE ***/
-user_pref("security.mixed_content.block_display_content", true);
-user_pref("pdfjs.enableScripting", false);
-
 /** EXTENSIONS ***/
 user_pref("extensions.enabledScopes", 5);
 
@@ -119,6 +119,9 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
 /** CONTAINERS ***/
 user_pref("privacy.userContext.ui.enabled", true);
 
+/** VARIOUS ***/
+user_pref("pdfjs.enableScripting", false);
+
 /** SAFE BROWSING ***/
 user_pref("browser.safebrowsing.downloads.remote.enabled", false);