diff --git a/Optional-Hardening.md b/Optional-Hardening.md index 50faa7f..2807e82 100644 --- a/Optional-Hardening.md +++ b/Optional-Hardening.md @@ -8,6 +8,16 @@ See [Common Overrides](https://github.com/yokoffing/Betterfox/wiki/Common-Overri *** +### Block embedded social posts on webpages +This matches the default behavior of Strict [Enhanced Tracking Protection](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_strict-enhanced-tracking-protection). +``` +// PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts +user_pref("urlclassifier.trackingSkipURLs", ""); +user_pref("urlclassifier.features.socialtracking.skipURLs", ""); +``` + +*** + ### HTTPS-Only Mode We already: * [attempt](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L545-L550) to upgrade HTTP site navigation to HTTPS 
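Review bot: the moved "Block embedded social posts" section still omits the prerequisite the prefs depend on; setting `urlclassifier.trackingSkipURLs` and `urlclassifier.features.socialtracking.skipURLs` to `""` only empties skip lists, so a reader who has not enabled the corresponding tracking-protection features in Firefox gets no blocking and no hint why. Suggest one sentence naming what must be enabled for these to take effect, and note that the first pref is the general tracking-protection skip list, so clearing it reaches beyond the social embeds the comment names. Minor: `// PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts` should read `TikTok`.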
@@ -21,17 +31,17 @@ user_pref("dom.security.https_only_mode_error_page_user_suggestions", true); *** -### Block embedded social posts on webpages -This matches the default behavior of Strict [Enhanced Tracking Protection](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_strict-enhanced-tracking-protection). +### SameSite Cookies ``` -// PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts -user_pref("urlclassifier.trackingSkipURLs", ""); -user_pref("urlclassifier.features.socialtracking.skipURLs", ""); +// PREF: enable SameSite Cookies +user_pref("network.cookie.sameSite.laxByDefault", true); +user_pref("network.cookie.sameSite.noneRequiresSecure", true); +user_pref("network.cookie.sameSite.schemeful", true); ``` *** -### Disable `default-browser-agent` (Windows only) +### `default-browser-agent` (Windows only) On Windows, Mozilla [collects information](https://techdows.com/2020/04/what-is-firefox-default-browser-agent-and-how-to-disable-it.html) on what you've set as your default browser. However, disabling `default-browser-agent.enabled` also breaks the `Make Default...` button to set Firefox as the default browser. Add it to your overrides if you do not use this part of the UI (or already have Firefox set as the default browser). @@ -77,7 +87,7 @@ user_pref("network.dns.skipTRR-when-parental-control-enabled", false); *** -### Hide cross-site referrer +### Cross-origin referrer Do not send a [referer](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) when navigating to a different site (e.g., `google.com` → `facebook.com`). For subresources, the referrer will only be sent to subdomains (e.g., `a.example.com` → `b.example.com`).
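Review bot: `// PREF: enable SameSite Cookies` misdescribes what the three prefs do, since SameSite cookies are already supported without them. `network.cookie.sameSite.laxByDefault` treats cookies that carry no `SameSite` attribute as `Lax`, `network.cookie.sameSite.noneRequiresSecure` rejects `SameSite=None` cookies that lack `Secure`, and `network.cookie.sameSite.schemeful` makes the same-site comparison distinguish `http://` from `https://`. Unlike the neighbouring `default-browser-agent` section, the new section has no prose on what changes or what can break (with `laxByDefault`, cross-site POST-based login and SSO flows that rely on a cookie being sent are the usual casualty). Suggest one comment per pref and a sentence on the breakage, matching the style of the other sections.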
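Review bot: the rename to `### Cross-origin referrer` contradicts the body it heads. The text describes suppressing the referrer when navigating "to a different site" and explicitly keeps sending it between subdomains (`a.example.com` → `b.example.com`), which is cross-origin but same-site. Keep "Cross-site referrer" (the old heading's wording minus "Hide") or retitle to something neutral like "Referrer policy" rather than "Cross-origin".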