notkshitij/Betterfox
1
0
Fork 0
mirror of https://github.com/yokoffing/Betterfox.git synced 2026-06-12 15:40:48 +05:30
Code Issues Releases Wiki Activity

Updated Optional Hardening (markdown)

yokoffing
2026-04-21 15:51:46 -04:00
parent 5b234fb350
commit f2c7084101
1 changed files with 24 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Optional-Hardening.md
+24 -30
@@ -44,21 +44,6 @@ user_pref("extensions.formautofill.creditCards.enabled", false);
***
### Captive portal detection
Captive portals allow you to connect to public Wi-Fi by redirecting to login pages (think hotels, airports, etc.). You can safely disable Mozilla's [captive portal detection](https://support.mozilla.org/en-US/kb/captive-portal) on most **desktop** computers.
If you disable captive portals on a **mobile** device, then you'll need a separate browser to connect to the internet on public Wi-Fi and some [company networks](https://github.com/yokoffing/Betterfox/discussions/377).
```javascript
// PREF: disable captive portal detection
// [WARNING] Do NOT use for mobile devices!
user_pref("captivedetect.canonicalURL", "");
user_pref("network.captive-portal-service.enabled", false);
user_pref("network.connectivity-service.enabled", false);
```
***
### Secure DNS
Setup and enforce [DNS-over-HTTPS](https://support.mozilla.org/en-US/kb/firefox-dns-over-https) (DoH).
@@ -72,8 +57,7 @@ user_pref("network.trr.uri", "https://dns.dnswarden.com/00000000000000000000028"
Alternatively, you can follow our Control D [configuration guide](https://github.com/yokoffing/Control-D-Config) for more advanced features.
#### Enforce DoH
##### Option 1: Increased Protection
#### Option 1: Increased Protection
[Increased Protection](https://support.mozilla.org/en-US/kb/dns-over-https#w_protection-levels-explained) will switch back to your local provider if there are any issues.
> [!TIP]
@@ -87,7 +71,7 @@ user_pref("network.trr.mode", 2);
user_pref("network.trr.max-fails", 5);
```
##### Option 2: Max Protection
#### Option 2: Max Protection
[Max Protection](https://support.mozilla.org/en-US/kb/dns-over-https#w_protection-levels-explained) displays user-friendly error pages with custom exceptions.
* `☰` *→ Settings → Privacy & Security → DNS over HTTPS → Enable DNS over HTTPS using: → Max Protection*
@@ -224,17 +208,11 @@ For Option 2, you can create exceptions to stay logged in to some sites between
### JavaScript Optimization
#### How compiler optimization works
Browsers use a tiered system to process JavaScript.
<details>
<summary>read more</summary>
Browsers use a tiered system to process JavaScript:
1. **Interpreter**: reads the code line-by-line. This method works safely but runs slowly.
2. **Baseline JIT (Just-In-Time)**: Compiles code that runs frequently into simple code. It boosts speed without complex logic that is easily exploitable.
3. **JIT Optimizing Compiler**: Aggressively improves code performance, but creates a large area for attackers to exploit. [Nearly](https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/#:~:text=roughly%2045%25%20of%20CVEs%20issued%20for%20V8%20were%20related%20to%20the%20JIT%20engine) [half](https://security.googleblog.com/2025/07/advancing-protection-in-chrome-on.html#:~:text=Of%20all%20the%20patched%20security%20bugs%20in%20V8%20with%20known%20exploitation%2C%20disabling%20the%20optimizers%20would%20have%20mitigated%20~50%25) of all patched bugs in the V8 engine stem from this [optimization tier](https://www.zellic.io/blog/pwning-v8ctf/#v8-and-just-in-time-compilation).
</details>
2. **Baseline JIT (Just-In-Time)**: Compiles code that runs frequently into simple code.
3. **Optimizing Compiler**: Aggressively improves code performance, but creates a large area for attackers to exploit. [Nearly](https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/#:~:text=roughly%2045%25%20of%20CVEs%20issued%20for%20V8%20were%20related%20to%20the%20JIT%20engine) [half](https://security.googleblog.com/2025/07/advancing-protection-in-chrome-on.html#:~:text=Of%20all%20the%20patched%20security%20bugs%20in%20V8%20with%20known%20exploitation%2C%20disabling%20the%20optimizers%20would%20have%20mitigated%20~50%25) of all patched bugs in the V8 engine stem from this [optimization tier](https://www.zellic.io/blog/pwning-v8ctf/#v8-and-just-in-time-compilation).
#### Option 1: Disable compiler optimization
@@ -269,9 +247,9 @@ user_pref("javascript.options.wasm_optimizingjit", false);
***
### Disable DRM
Privacy-conscious people often dislike Digital Rights Management (DRM) because it restricts what users can do with their devices and limits fair use rights.
Digital Rights Management (DRM) prevents users from copying, sharing, or changing content they bought, even for their own use. It also allows browsers to communicate to outside servers to check licenses and rights, which can share data about what users do and watch.
DRM prevents users from copying, sharing, or changing content they bought, even for their own use. It also allows browsers to communicate to outside servers to check licenses and rights, which can share data about what users do and watch.
Privacy advocates often dislike DRM because it restricts what users can do with their devices and limits fair use rights.
> [!WARNING]
> Disabling DRM will prevent most popular streaming platforms from functioning properly. Spotify, Apple Music, Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV, and other streaming services will not work with DRM disabled.
@@ -282,12 +260,28 @@ You can confirm if Encrypted Media Extension (EME) is disabled by going [here](h
// PREF: disable all DRM content
user_pref("media.eme.enabled", false);
// PREF: hide the UI setting; this also disables the DRM prompt (optional)
// PREF: hide the UI setting
// This also disables the DRM prompt while browsing.
user_pref("browser.eme.ui.enabled", false);
```
***
### Captive portal detection
Captive portals allow you to connect to public Wi-Fi by redirecting to login pages (think hotels, airports, etc.). You can safely disable Mozilla's [captive portal detection](https://support.mozilla.org/en-US/kb/captive-portal) on most **desktop** computers.
If you disable captive portals on a **mobile** device, then you'll need a separate browser to connect to the internet on public Wi-Fi and some [company networks](https://github.com/yokoffing/Betterfox/discussions/377).
```javascript
// PREF: disable captive portal detection
// [WARNING] Do NOT use for mobile devices!
user_pref("captivedetect.canonicalURL", "");
user_pref("network.captive-portal-service.enabled", false);
user_pref("network.connectivity-service.enabled", false);
```
***
### Fingerprinting
Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threat-model/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.<sup>[1](https://youtu.be/5NrbdO4yWek?t=4334)</sup> Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.<sup>^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)</sup>