From 99d6163360a5d28d1a2fba9f3f983bdac3467534 Mon Sep 17 00:00:00 2001
From: HJ <11689349+yokoffing@users.noreply.github.com>
Date: Sat, 19 Aug 2023 14:42:25 -0400
Subject: [PATCH] Updated Optional Hardening (markdown)
---
Optional-Hardening.md | 63 +++++++++++++++++++++++++++++++++----------
1 file changed, 49 insertions(+), 14 deletions(-)
diff --git a/Optional-Hardening.md b/Optional-Hardening.md
index 3396a78..d5a1a49 100644
--- a/Optional-Hardening.md
+++ b/Optional-Hardening.md
@@ -1,21 +1,56 @@
-### Optional Hardening
+## Manual options
-1) Change your **default search engine**.
+### Change your **default search engine**.
* Alternatively, [select](https://support.mozilla.org/en-US/kb/change-your-default-search-settings-firefox#w_default-search-engine) a different search engine just for [Private Browsing](https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history) windows.
1) Go to *`☰` → Settings → Search → Default Search Engine*
2) Change your default search engine to DuckDuckGo, or [add](https://github.com/yokoffing/Betterfox/blob/04c3184359c83d7b58411c3b68f40f3e9d95c373/Securefox.js#L600-L604) a premium search engine like [Kagi](https://kagi.com/).
-2) **Clear browsing data** on shutdown ([sanitize on close](https://github.com/yokoffing/Betterfox/blob/99f2e860633f307781ddb73d792358ad1bec6af5/Securefox.js#L409-L434)).
- * You can **allow exceptions** if you want to stay logged in to some sites:
- 1) Go to *`☰` → Settings → Privacy & Security → Cookies and Site Data → Manage Exceptions*
- 2) Check *Delete cookies and site data when Firefox is closed*.
- * For cross-domain logins, add exceptions for both sites
- * e.g. `https://www.youtube.com` (site) + `https://accounts.google.com` (single sign on)
-3) Apply preferences from the [common overrides](https://github.com/yokoffing/Betterfox/issues/87) sticky to enforce the following behavior:
- * Enable **HTTPS-Only Mode** outside of [Private Browsing](https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history) windows.
- * Block embedded **tweets, tiktoks, Instagram and Reddit posts** from loading on third-party sites.
- * **Hide the referrer** from different domains.
+### **Clear browsing data** on shutdown ([sanitize on close](https://github.com/yokoffing/Betterfox/blob/99f2e860633f307781ddb73d792358ad1bec6af5/Securefox.js#L409-L434)).
-We do not use `privacy.resistFingerprinting`. [This is why.](https://old.reddit.com/r/firefox/comments/wuqpgi/are_there_any_aboutconfig_tweaks_to_get_smooth/ile3whx/?context=3)
+* You can **allow exceptions** if you want to stay logged in to some sites:
+ 1) Go to *`☰` → Settings → Privacy & Security → Cookies and Site Data → Manage Exceptions*
+ 2) Check *Delete cookies and site data when Firefox is closed*.
+* For cross-domain logins, add exceptions for both sites
+ * e.g. `https://www.youtube.com` (site) + `https://accounts.google.com` (single sign on)
-:warning: Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threatmodel/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.[1](https://youtu.be/5NrbdO4yWek?t=4334) Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)
\ No newline at end of file
+***
+
+## Overrides
+See [Common Overrides](https://github.com/yokoffing/Betterfox/wiki/Overrides) for instructions.
+
+### HTTPS-Only Mode
+We already [block](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L810-L827) HTTP subresources from loading on HTTPS pages and [attempt](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L545-L550) to upgrade HTTP site navigation to HTTPS.
+```
+// PREF: enable HTTPS-Only Mode
+// Strict HTTPS site navigation in Normal and Private Browsing.
+user_pref("dom.security.https_only_mode", true);
+```
+
+***
+
+### Block embedded social posts on webpages
+This matches the default behavior of Strict [Enhanced Tracking Protection](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_strict-enhanced-tracking-protection).
+```
+// PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts
+user_pref("urlclassifier.trackingSkipURLs", "");
+user_pref("urlclassifier.features.socialtracking.skipURLs", "");
+```
+
+***
+
+### Hide cross-site referrer
+```
+// PREF: do not to send a referrer when navigating to a different site
+// For subresources, the referrer is only sent to subdomains:
+// e.g., from a.example.com to b.example.com.
+// [WARNING] This breaks Instagram embeds, Bing login, MangaPill, and some third-party streaming sites.
+user_pref("network.http.referer.XOriginPolicy", 1);
+```
+
+***
+
+## Fingerprinting
+:warning: Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threatmodel/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.[1](https://youtu.be/5NrbdO4yWek?t=4334) Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)
+
+
+We do not use `privacy.resistFingerprinting`. [This is why.](https://old.reddit.com/r/firefox/comments/wuqpgi/are_there_any_aboutconfig_tweaks_to_get_smooth/ile3whx/?context=3)
\ No newline at end of file
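Review bot: the comment on the referrer pref has a typo, `// PREF: do not to send a referrer when navigating to a different site` should read "do not send a referrer", and since users copy these blocks into user.js the comment text ends up in their config. Two smaller style points in the same hunk: the new level-3 headings `### Change your **default search engine**.` and `### **Clear browsing data** on shutdown (...)` end with periods, which the other new headings (`### HTTPS-Only Mode`, `### Hide cross-site referrer`) do not, so drop them for consistency; and the three code fences are untagged, so tagging them as ```js would give the user_pref lines syntax highlighting on the wiki. Also, there is a double blank line between the fingerprinting warning and the `privacy.resistFingerprinting` paragraph, and the file still ends without a trailing newline.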