mirror of https://github.com/yokoffing/Betterfox.git synced 2026-06-12 15:40:48 +05:30

Updated Optional Hardening (markdown)

HJ
2023-10-02 13:17:32 -04:00
parent 589e0ad22e
commit 2c6b9d0c2b
+57 -39
@@ -1,6 +1,8 @@
## Instructions ## Instructions
See [Common Overrides](https://github.com/yokoffing/Betterfox/wiki/Common-Overrides). 1) Open the `user.js` in a text editor such as Notepad.
2) Add prefs from the options below to **MY OVERRIDES**.
3) Save and close the file.
*** ***
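Review bot: step 1 says to open `user.js` but not where that file lives, and step 2 refers to **MY OVERRIDES** without saying it is a section inside that same `user.js`; the removed link to Common Overrides was the only pointer a new reader had for this. Suggest keeping the Common Overrides link as a fourth line, or rewording step 2 to "Add prefs from the options below to the **MY OVERRIDES** section at the end of `user.js`" so the three steps stand on their own.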
@@ -8,9 +10,25 @@ See [Common Overrides](https://github.com/yokoffing/Betterfox/wiki/Common-Overri
*** ***
### Firefox Sync & View
Firefox [Sync](https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer) and Firefox [View](https://support.mozilla.org/en-US/kb/how-set-tab-pickup-firefox-view) may be disabled to minimize connections and remove UI that you don't use.
```javascript
// PREF: disable Firefox Sync
user_pref("identity.fxaccounts.enabled", false);
// PREF: disable Firefox View
user_pref("browser.tabs.firefox-view", false);
user_pref("browser.tabs.firefox-view-next", false); // [FF119+]
user_pref("browser.firefox-view.feature-tour", "{\"screen\":\"\",\"complete\":true}");
```
***
### Block embedded social posts on webpages ### Block embedded social posts on webpages
This matches the default behavior of [Strict](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_strict-enhanced-tracking-protection) Enhanced Tracking Protection. This matches the default behavior of [Strict](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_strict-enhanced-tracking-protection) Enhanced Tracking Protection.
``` ```javascript
// PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts // PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts
user_pref("urlclassifier.trackingSkipURLs", ""); user_pref("urlclassifier.trackingSkipURLs", "");
user_pref("urlclassifier.features.socialtracking.skipURLs", ""); user_pref("urlclassifier.features.socialtracking.skipURLs", "");
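Review bot: `identity.fxaccounts.enabled = false` switches off the whole Firefox Account integration, not only Sync, so the lead sentence of the new "Firefox Sync & View" section should say that signing in to a Firefox Account (and any feature that depends on it) goes away together with the Sync UI. Also, only `browser.tabs.firefox-view-next` carries a `[FF119+]` tag; a one-line comment explaining why both `browser.tabs.firefox-view` and `browser.tabs.firefox-view-next` are set (older and newer Firefox View) would stop readers from dropping one of them.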
@@ -27,7 +45,7 @@ To add to your overrides, choose between two options below.
#### Option 1: Private windows only #### Option 1: Private windows only
Firefox will get explicit permission from you before connecting to a site insecurely in [Private Browsing](https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history) (Firefox [incognito mode](https://support.mozilla.org/en-US/kb/common-myths-about-private-browsing)). Firefox will get explicit permission from you before connecting to a site insecurely in [Private Browsing](https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history) (Firefox [incognito mode](https://support.mozilla.org/en-US/kb/common-myths-about-private-browsing)).
``` ```javascript
// PREF: enable HTTPS-Only Mode // PREF: enable HTTPS-Only Mode
// Warn me before loading sites that don't support HTTPS // Warn me before loading sites that don't support HTTPS
// when using Private Browsing windows. // when using Private Browsing windows.
@@ -37,7 +55,7 @@ user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
#### Option 2: All windows #### Option 2: All windows
Firefox will get explicit permission from you before connecting to a site insecurely in Normal and Private Browsing. Firefox will get explicit permission from you before connecting to a site insecurely in Normal and Private Browsing.
``` ```javascript
// PREF: enable HTTPS-Only Mode // PREF: enable HTTPS-Only Mode
// Warn me before loading sites that don't support HTTPS // Warn me before loading sites that don't support HTTPS
// in both Normal and Private Browsing windows. // in both Normal and Private Browsing windows.
@@ -47,34 +65,11 @@ user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
*** ***
### Secure DNS
Setup and enforce DNS-over-HTTPS (DoH).
#### 1) Provider
* Use the provider below for better [threat protection](https://quad9.net/service/threat-blocking/).
* :star: Create a profile with [NextDNS](https://nextdns.io/?from=xujj63g5) and follow our [configuration guide](https://github.com/yokoffing/NextDNS-Config) for greater protection from ads, trackers, and security threats.
```
// PREF: set DoH provider
user_pref("network.trr.uri", "https://dns.quad9.net/dns-query");
```
#### 2) Mode
* `3` has site-exceptions with a nice UI on the error page:
* Go to `☰` *→ Settings → Privacy & Security → DNS over HTTPS → Manage Exceptions*
* :warning: Set to `2` if your workplace or university causes issues with alternative DNS.
```
// PREF: enforce DNS-over-HTTPS (DoH)
user_pref("network.trr.mode", 3);
user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
```
***
### Sanitize on close ### Sanitize on close
#### Option 1: Clear all browsing data on shutdown, except browser history #### Option 1: Clear browsing data on shutdown, except browser history
* `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Delete cookies and site data when Firefox is closed* * `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Delete cookies and site data when Firefox is closed*
``` ```javascript
// PREF: clear all browsing data on shutdown (except browser history) // PREF: clear browsing data on shutdown (except browser history)
user_pref("privacy.sanitize.sanitizeOnShutdown", true); user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cache", true); user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", true); user_pref("privacy.clearOnShutdown.cookies", true);
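Review bot: the Secure DNS block removed in this hunk is re-added unchanged further down (only its fences gain a `javascript` tag), so this is a reorder, but neither the commit message nor the page says why Secure DNS now follows the Referers section. Suggest a short note in the commit message (or keeping the section where it was) so the wiki history shows a move rather than a deletion plus an addition. The Option 1 heading and its PREF comment were both changed to drop "all", which keeps them consistent with the exception for browser history.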
@@ -83,8 +78,8 @@ user_pref("browser.sessionstore.privacy_level", 2);
``` ```
#### Option 2: Clear all browsing data on shutdown #### Option 2: Clear all browsing data on shutdown
``` ```javascript
// PREF: clear browsing data on shutdown // PREF: clear all browsing data on shutdown
user_pref("privacy.sanitize.sanitizeOnShutdown", true); user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.history", true); user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.formdata", true); user_pref("privacy.clearOnShutdown.formdata", true);
@@ -100,8 +95,6 @@ user_pref("browser.sessionstore.privacy_level", 2);
You can allow exceptions if you want to stay logged in to some sites: You can allow exceptions if you want to stay logged in to some sites:
* Go to `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Manage Exceptions* * Go to `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Manage Exceptions*
* For cross-domain logins, add exceptions for both sites
* e.g. `https://www.youtube.com` (site) + `https://accounts.google.com` (single sign on)
*** ***
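Review bot: dropping the two bullets about cross-domain logins removes the only hint that an exception for `https://www.youtube.com` alone will not keep a user signed in when the login is handled by `https://accounts.google.com`; with the sanitize-on-shutdown prefs above, a reader who adds one exception will still be logged out on restart. Suggest keeping the example, or folding it into the "Manage Exceptions" bullet, e.g. "For cross-domain logins, add both the site and its single sign-on domain".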
@@ -110,7 +103,7 @@ On Windows, Mozilla [collects information](https://techdows.com/2020/04/what-is-
Add it to your overrides if you do not use this part of the UI (or already have Firefox set as the default browser). Add it to your overrides if you do not use this part of the UI (or already have Firefox set as the default browser).
``` ```javascript
// PREF: disable telemetry of what default browser you use [WINDOWS] // PREF: disable telemetry of what default browser you use [WINDOWS]
// [NOTE] Breaks "Make Default..." button in Settings. // [NOTE] Breaks "Make Default..." button in Settings.
user_pref("default-browser-agent.enabled", false); user_pref("default-browser-agent.enabled", false);
@@ -123,7 +116,7 @@ user_pref("default-browser-agent.enabled", false);
:warning: Sometimes antivirus software — or some other [source](https://github.com/yokoffing/Betterfox/issues/232#issuecomment-1732346856) — won't let you open websites ([example](https://www.reddit.com/r/firefox/comments/16mlv15/kaspersky_cant_scan_encrypted_connections_with/)). :warning: Sometimes antivirus software — or some other [source](https://github.com/yokoffing/Betterfox/issues/232#issuecomment-1732346856) — won't let you open websites ([example](https://www.reddit.com/r/firefox/comments/16mlv15/kaspersky_cant_scan_encrypted_connections_with/)).
``` ```javascript
// PREF: enforce certificate pinning // PREF: enforce certificate pinning
// [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE // [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
user_pref("security.cert_pinning.enforcement_level", 2); user_pref("security.cert_pinning.enforcement_level", 2);
@@ -135,7 +128,7 @@ user_pref("security.cert_pinning.enforcement_level", 2);
:warning: Some sites, like `EA.com`, will not let you login due to their weak encryption. :warning: Some sites, like `EA.com`, will not let you login due to their weak encryption.
``` ```javascript
// PREF: require safe SSL negotiation // PREF: require safe SSL negotiation
// [ERROR] SSL_ERROR_UNSAFE_NEGOTIATION // [ERROR] SSL_ERROR_UNSAFE_NEGOTIATION
user_pref("security.ssl.require_safe_negotiation", true); user_pref("security.ssl.require_safe_negotiation", true);
@@ -152,14 +145,39 @@ For subresources, the referer will only be sent to subdomains (e.g., `a.example.
Most navigational "tracking" is harmless (i.e., the same for everyone) and effectively blocking cross-site referers just breaks a lot of sites. Most navigational "tracking" is harmless (i.e., the same for everyone) and effectively blocking cross-site referers just breaks a lot of sites.
``` ```javascript
// PREF: do not to send a referrer when navigating to a different site // PREF: do not to send a referrer when navigating to a different site
user_pref("network.http.referer.XOriginPolicy", 1); user_pref("network.http.referer.XOriginPolicy", 1);
``` ```
*** ***
### Secure DNS
Setup and enforce DNS-over-HTTPS (DoH).
#### 1) Provider
* Use the provider below for better [threat protection](https://quad9.net/service/threat-blocking/).
* :star: Create a profile with [NextDNS](https://nextdns.io/?from=xujj63g5) and follow our [configuration guide](https://github.com/yokoffing/NextDNS-Config) for greater protection from ads, trackers, and security threats.
```javascript
// PREF: set DoH provider
user_pref("network.trr.uri", "https://dns.quad9.net/dns-query");
```
#### 2) Mode
* `3` has site-exceptions with a nice UI on the error page:
* Go to `☰` *→ Settings → Privacy & Security → DNS over HTTPS → Manage Exceptions*
* :warning: Set to `2` if your workplace or university causes issues with alternative DNS.
```javascript
// PREF: enforce DNS-over-HTTPS (DoH)
user_pref("network.trr.mode", 3);
user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
```
***
### Fingerprinting ### Fingerprinting
Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threatmodel/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.<sup>[1](https://youtu.be/5NrbdO4yWek?t=4334)</sup> Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.<sup>^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)</sup> Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threatmodel/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.<sup>[1](https://youtu.be/5NrbdO4yWek?t=4334)</sup> Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.<sup>^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)</sup>
By default, Firefox blocks [known](https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/) third-party fingerprinting requests. Betterfox does not enable [additional protection](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting) known as `privacy.resistFingerprinting`. You can read why [here](https://old.reddit.com/r/firefox/comments/wuqpgi/are_there_any_aboutconfig_tweaks_to_get_smooth/ile3whx/?context=3). By default, Firefox blocks [known](https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/) third-party fingerprinting requests (`privacy.trackingprotection.fingerprinting.enabled`); and as of FF119+, ETP Strict also enables [additional fingerprinting protection](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting) (`privacy.fingerprintingProtection`).
Betterfox does not enable [additional protection](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting) known as `privacy.resistFingerprinting`. You can read why [here](https://old.reddit.com/r/firefox/comments/wuqpgi/are_there_any_aboutconfig_tweaks_to_get_smooth/ile3whx/?context=3).
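Review bot: in the moved Secure DNS section, the Mode bullets do not say what `3` and `2` mean: `network.trr.mode` 3 is DoH only with no fallback to the system resolver, while 2 falls back to the system resolver when the DoH resolver fails, which is the reason the :warning: bullet suggests `2` on networks that interfere with alternative DNS. Suggest one sentence stating that fallback difference before the warning, since with mode 3 a blocked DoH endpoint means no name resolution at all rather than a site exception. Minor: "Setup and enforce" should read "Set up and enforce", and the unchanged referer comment still says "do not to send a referrer".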