150.0 (#478)

Securefox.js

@@ -690,45 +690,6 @@ user_pref("network.prefetch-next", false);
 //user_pref("network.early-hints.preconnect.enabled", true);
 //user_pref("network.early-hints.preconnect.max_connections", 10); // DEFAULT
 
-// PREF: Network Predictor (NP)
-// When enabled, it trains and uses Firefox's algorithm to preload page resource
-// by tracking past page resources. It uses a local file (history) of needed images,
-// scripts, etc. to request them preemptively when navigating.
-// [NOTE] By default, it only preconnects DNS, TCP, and SSL handshakes.
-// No data sends until clicking. With "network.predictor.enable-prefetch" enabled,
-// it also performs prefetches.
-// [1] https://wiki.mozilla.org/Privacy/Reviews/Necko
-// [2] https://www.ghacks.net/2014/05/11/seer-disable-firefox/
-// [3] https://github.com/dillbyrne/random-agent-spoofer/issues/238#issuecomment-110214518
-// [4] https://www.igvita.com/posa/high-performance-networking-in-google-chrome/#predictor
-//user_pref("network.predictor.enabled", false); // [DEFAULT: false FF144+]
-
-// PREF: Network Predictor fetch for resources ahead of time
-// Prefetch page resources based on past user behavior.
-//user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false]
-
-// PREF: make Network Predictor active when hovering over links
-// When hovering over links, Network Predictor uses past resource history to
-// preemptively request what will likely be needed instead of waiting for the document.
-// Predictive connections automatically open when hovering over links to speed up
-// loading, starting some work in advance.
-//user_pref("network.predictor.enable-hover-on-ssl", false); // DEFAULT
-
-// PREF: assign Network Predictor confidence levels
-// [NOTE] Keep in mind that Network Predictor must LEARN your browsing habits.
-// Editing these lower will cause more speculative connections to occur,
-// which reduces accuracy over time and has privacy implications.
-//user_pref("network.predictor.preresolve-min-confidence", 60); // DEFAULT
-//user_pref("network.predictor.preconnect-min-confidence", 90); // DEFAULT
-//user_pref("network.predictor.prefetch-min-confidence", 100); // DEFAULT
-
-// PREF: other Network Predictor values
-// [NOTE] Keep in mmind that Network Predictor must LEARN your browsing habits.
-//user_pref("network.predictor.prefetch-force-valid-for", 10); // DEFAULT; how long prefetched resources are considered valid and usable (in seconds) for the prediction modeling
-//user_pref("network.predictor.prefetch-rolling-load-count", 10); // DEFAULT; the maximum number of resources that Firefox will prefetch in memory at one time based on prediction modeling
-//user_pref("network.predictor.max-resources-per-entry", 250); // default=100
-//user_pref("network.predictor.max-uri-length", 1000); // default=500
-
 /******************************************************************************
  * SECTION: SEARCH / URL BAR                                                 *
 ******************************************************************************/
@@ -1298,7 +1259,7 @@ user_pref("privacy.userContext.ui.enabled", true);
     //user_pref("browser.eme.ui.enabled", false);
 
 /******************************************************************************
- * SECTION: JIT                                                              *
+ * SECTION: JIT & WASM                                                        *
 ******************************************************************************/
 // PREF: Just-In-Time Compilation
 // Around half of zero-day exploits are directly related to "just in time"
@@ -1307,8 +1268,7 @@ user_pref("privacy.userContext.ui.enabled", true);
 // [1] https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/
 // [2] https://www.youtube.com/watch?v=i7qlZeDt9o4
 
-// PREF: JavaScript JIT
+// PREF: Ion and Baseline JIT
-// PREF: disable Ion and baseline JIT to harden against JS exploits
 // [NOTE] When both Ion and JIT are disabled, and trustedprincipals
 // is enabled, then Ion can still be used by extensions [4].
 // Tor Browser doesn't even ship with these disabled by default.
@@ -1318,31 +1278,40 @@ user_pref("privacy.userContext.ui.enabled", true);
 // [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1599226
 // [5] https://wiki.mozilla.org/IonMonkey
 // [6] https://github.com/arkenfox/user.js/issues/1791#issuecomment-1891273681
-//user_pref("javascript.options.baselinejit", false);
+//user_pref("javascript.options.baselinejit", false); // DO NOT TOUCH
 //user_pref("javascript.options.ion", false);
-//user_pref("javascript.options.jit_trustedprincipals", false);
+//user_pref("javascript.options.jit_trustedprincipals", true); // HIDDEN PREF
+
+// PREF: Blinterp (JIT-like)
+// You do not need to touch blinterp unless you want to go even slower
+// than the Baseline JIT (which I do not recommend).
+//user_pref("javascript.options.blinterp", false);
 
 // PREF: WebAssembly JIT [FF52+]
 // Vulnerabilities [1] have increasingly been found, including those known and fixed
 // in native programs years ago [2]. WASM has powerful low-level access, making
 // certain attacks (brute-force) and vulnerabilities more possible.
+// trustedprincipals: This controls whether WebAssembly is allowed in "privileged" contexts
+// (like your extensions or internal browser scripts).
 // [STATS] ~0.2% of websites, about half of which are for cryptomining / malvertising [2][3]
 // [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wasm
 // [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
 // [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes
 //user_pref("javascript.options.wasm", false);
     //user_pref("javascript.options.wasm_trustedprincipals", false);
-    //user_pref("javascript.options.wasm_baselinejit", false);
+    //user_pref("javascript.options.wasm_baselinejit", true); // DO NOT TOUCH
     //user_pref("javascript.options.wasm_optimizingjit", false);
 
 // PREF: Asm.js JIT [FF22+]
+// Asm.js is essentially the "ancestor" of WebAssembly. It was a strict subset of JavaScript
+// designed to allow browsers to pre-compile code into highly efficient machine instructions.
+// However, WebAssembly was created specifically to replace Asm.js and has done so almost entirely.
+// Disabling Asm.js removes the "legacy" risk surface without affecting your ability to run modern WebAssembly sites.
 // [1] http://asmjs.org/
 // [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js
 // [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
-//user_pref("javascript.options.asmjs", false);
+// [4] https://github.com/rh0dev/slides/blob/master/OffensiveCon2018_From_Assembly_to_JavaScript_and_back.pdf
-
+//user_pref("javascript.options.asmjs", false); // DEFAULT
-// PREF: Blinterp (JIT-like)
-//user_pref("javascript.options.blinterp", false);
      
 /******************************************************************************
  * SECTION: VARIOUS                                                          *

policies.json

@@ -10,7 +10,7 @@
         "DisableDeveloperTools": false,
         "DontCheckDefaultBrowser": true,
         "DNSOverHTTPS": {
-            "Enabled": true,
+            "Enabled": false,
             "ProviderURL": "",
             "Locked": false
         },