mirror of
https://github.com/yokoffing/Betterfox.git
synced 2026-06-12 15:40:48 +05:30
Updated Optional Hardening (markdown)
yokoffing
+24
-30
@@ -44,21 +44,6 @@ user_pref("extensions.formautofill.creditCards.enabled", false);
|
|||||||
|
|
||||||
***
|
***
|
||||||
|
|
||||||
### Captive portal detection
|
|
||||||
Captive portals allow you to connect to public Wi-Fi by redirecting to login pages (think hotels, airports, etc.). You can safely disable Mozilla's [captive portal detection](https://support.mozilla.org/en-US/kb/captive-portal) on most **desktop** computers.
|
|
||||||
|
|
||||||
If you disable captive portals on a **mobile** device, then you'll need a separate browser to connect to the internet on public Wi-Fi and some [company networks](https://github.com/yokoffing/Betterfox/discussions/377).
|
|
||||||
|
|
||||||
```javascript
|
|
||||||
// PREF: disable captive portal detection
|
|
||||||
// [WARNING] Do NOT use for mobile devices!
|
|
||||||
user_pref("captivedetect.canonicalURL", "");
|
|
||||||
user_pref("network.captive-portal-service.enabled", false);
|
|
||||||
user_pref("network.connectivity-service.enabled", false);
|
|
||||||
```
|
|
||||||
|
|
||||||
***
|
|
||||||
|
|
||||||
### Secure DNS
|
### Secure DNS
|
||||||
Setup and enforce [DNS-over-HTTPS](https://support.mozilla.org/en-US/kb/firefox-dns-over-https) (DoH).
|
Setup and enforce [DNS-over-HTTPS](https://support.mozilla.org/en-US/kb/firefox-dns-over-https) (DoH).
|
||||||
|
|
||||||
@@ -72,8 +57,7 @@ user_pref("network.trr.uri", "https://dns.dnswarden.com/00000000000000000000028"
|
|||||||
|
|
||||||
Alternatively, you can follow our Control D [configuration guide](https://github.com/yokoffing/Control-D-Config) for more advanced features.
|
Alternatively, you can follow our Control D [configuration guide](https://github.com/yokoffing/Control-D-Config) for more advanced features.
|
||||||
|
|
||||||
#### Enforce DoH
|
#### Option 1: Increased Protection
|
||||||
##### Option 1: Increased Protection
|
|
||||||
[Increased Protection](https://support.mozilla.org/en-US/kb/dns-over-https#w_protection-levels-explained) will switch back to your local provider if there are any issues.
|
[Increased Protection](https://support.mozilla.org/en-US/kb/dns-over-https#w_protection-levels-explained) will switch back to your local provider if there are any issues.
|
||||||
|
|
||||||
> [!TIP]
|
> [!TIP]
|
||||||
@@ -87,7 +71,7 @@ user_pref("network.trr.mode", 2);
|
|||||||
user_pref("network.trr.max-fails", 5);
|
user_pref("network.trr.max-fails", 5);
|
||||||
```
|
```
|
||||||
|
|
||||||
##### Option 2: Max Protection
|
#### Option 2: Max Protection
|
||||||
[Max Protection](https://support.mozilla.org/en-US/kb/dns-over-https#w_protection-levels-explained) displays user-friendly error pages with custom exceptions.
|
[Max Protection](https://support.mozilla.org/en-US/kb/dns-over-https#w_protection-levels-explained) displays user-friendly error pages with custom exceptions.
|
||||||
|
|
||||||
* `☰` *→ Settings → Privacy & Security → DNS over HTTPS → Enable DNS over HTTPS using: → Max Protection*
|
* `☰` *→ Settings → Privacy & Security → DNS over HTTPS → Enable DNS over HTTPS using: → Max Protection*
|
||||||
@@ -224,17 +208,11 @@ For Option 2, you can create exceptions to stay logged in to some sites between
|
|||||||
|
|
||||||
### JavaScript Optimization
|
### JavaScript Optimization
|
||||||
#### How compiler optimization works
|
#### How compiler optimization works
|
||||||
Browsers use a tiered system to process JavaScript.
|
Browsers use a tiered system to process JavaScript:
|
||||||
|
|
||||||
<details>
|
|
||||||
|
|
||||||
<summary>read more</summary>
|
|
||||||
|
|
||||||
1. **Interpreter**: reads the code line-by-line. This method works safely but runs slowly.
|
1. **Interpreter**: reads the code line-by-line. This method works safely but runs slowly.
|
||||||
2. **Baseline JIT (Just-In-Time)**: Compiles code that runs frequently into simple code. It boosts speed without complex logic that is easily exploitable.
|
2. **Baseline JIT (Just-In-Time)**: Compiles code that runs frequently into simple code.
|
||||||
3. **JIT Optimizing Compiler**: Aggressively improves code performance, but creates a large area for attackers to exploit. [Nearly](https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/#:~:text=roughly%2045%25%20of%20CVEs%20issued%20for%20V8%20were%20related%20to%20the%20JIT%20engine) [half](https://security.googleblog.com/2025/07/advancing-protection-in-chrome-on.html#:~:text=Of%20all%20the%20patched%20security%20bugs%20in%20V8%20with%20known%20exploitation%2C%20disabling%20the%20optimizers%20would%20have%20mitigated%20~50%25) of all patched bugs in the V8 engine stem from this [optimization tier](https://www.zellic.io/blog/pwning-v8ctf/#v8-and-just-in-time-compilation).
|
3. **Optimizing Compiler**: Aggressively improves code performance, but creates a large area for attackers to exploit. [Nearly](https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/#:~:text=roughly%2045%25%20of%20CVEs%20issued%20for%20V8%20were%20related%20to%20the%20JIT%20engine) [half](https://security.googleblog.com/2025/07/advancing-protection-in-chrome-on.html#:~:text=Of%20all%20the%20patched%20security%20bugs%20in%20V8%20with%20known%20exploitation%2C%20disabling%20the%20optimizers%20would%20have%20mitigated%20~50%25) of all patched bugs in the V8 engine stem from this [optimization tier](https://www.zellic.io/blog/pwning-v8ctf/#v8-and-just-in-time-compilation).
|
||||||
|
|
||||||
</details>
|
|
||||||
|
|
||||||
#### Option 1: Disable compiler optimization
|
#### Option 1: Disable compiler optimization
|
||||||
|
|
||||||
@@ -269,9 +247,9 @@ user_pref("javascript.options.wasm_optimizingjit", false);
|
|||||||
***
|
***
|
||||||
|
|
||||||
### Disable DRM
|
### Disable DRM
|
||||||
Privacy-conscious people often dislike Digital Rights Management (DRM) because it restricts what users can do with their devices and limits fair use rights.
|
Digital Rights Management (DRM) prevents users from copying, sharing, or changing content they bought, even for their own use. It also allows browsers to communicate to outside servers to check licenses and rights, which can share data about what users do and watch.
|
||||||
|
|
||||||
DRM prevents users from copying, sharing, or changing content they bought, even for their own use. It also allows browsers to communicate to outside servers to check licenses and rights, which can share data about what users do and watch.
|
Privacy advocates often dislike DRM because it restricts what users can do with their devices and limits fair use rights.
|
||||||
|
|
||||||
> [!WARNING]
|
> [!WARNING]
|
||||||
> Disabling DRM will prevent most popular streaming platforms from functioning properly. Spotify, Apple Music, Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV, and other streaming services will not work with DRM disabled.
|
> Disabling DRM will prevent most popular streaming platforms from functioning properly. Spotify, Apple Music, Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV, and other streaming services will not work with DRM disabled.
|
||||||
@@ -282,12 +260,28 @@ You can confirm if Encrypted Media Extension (EME) is disabled by going [here](h
|
|||||||
// PREF: disable all DRM content
|
// PREF: disable all DRM content
|
||||||
user_pref("media.eme.enabled", false);
|
user_pref("media.eme.enabled", false);
|
||||||
|
|
||||||
// PREF: hide the UI setting; this also disables the DRM prompt (optional)
|
// PREF: hide the UI setting
|
||||||
|
// This also disables the DRM prompt while browsing.
|
||||||
user_pref("browser.eme.ui.enabled", false);
|
user_pref("browser.eme.ui.enabled", false);
|
||||||
```
|
```
|
||||||
|
|
||||||
***
|
***
|
||||||
|
|
||||||
|
### Captive portal detection
|
||||||
|
Captive portals allow you to connect to public Wi-Fi by redirecting to login pages (think hotels, airports, etc.). You can safely disable Mozilla's [captive portal detection](https://support.mozilla.org/en-US/kb/captive-portal) on most **desktop** computers.
|
||||||
|
|
||||||
|
If you disable captive portals on a **mobile** device, then you'll need a separate browser to connect to the internet on public Wi-Fi and some [company networks](https://github.com/yokoffing/Betterfox/discussions/377).
|
||||||
|
|
||||||
|
```javascript
|
||||||
|
// PREF: disable captive portal detection
|
||||||
|
// [WARNING] Do NOT use for mobile devices!
|
||||||
|
user_pref("captivedetect.canonicalURL", "");
|
||||||
|
user_pref("network.captive-portal-service.enabled", false);
|
||||||
|
user_pref("network.connectivity-service.enabled", false);
|
||||||
|
```
|
||||||
|
|
||||||
|
***
|
||||||
|
|
||||||
### Fingerprinting
|
### Fingerprinting
|
||||||
Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threat-model/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.<sup>[1](https://youtu.be/5NrbdO4yWek?t=4334)</sup> Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.<sup>^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)</sup>
|
Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threat-model/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.<sup>[1](https://youtu.be/5NrbdO4yWek?t=4334)</sup> Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.<sup>^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)</sup>
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user