Merge branch 'master' into Thorin-Oakenpants-patch-1

correct RFP info
grrrrr .. must. be. consistent.
2026-06-29 07:41:39 +05:30 · 2025-11-03 01:32:40 +00:00 · 2025-11-01 02:54:54 +00:00 · 2025-10-31 22:15:04 +00:00 · 2025-10-31 22:12:57 +00:00 · 2025-10-31 20:23:52 +00:00
2 changed files with 17 additions and 33 deletions
@@ -6,7 +6,7 @@
  There is an archived version at https://github.com/arkenfox/user.js/issues/123
  if you want the full list since jesus

-  Last updated: 14-August-2025
+  Last updated: 1-November-2025

  Instructions:
  - [optional] close Firefox and backup your profile
@@ -76,6 +76,10 @@
    'security.ssl3.rsa_des_ede3_sha', // 93

    /* REMOVED */
+    /* 141-153 */
+    'browser.display.use_system_colors',
+    'security.OCSP.enabled',
+    'security.OCSP.require',
    /* 129-140 */
    'dom.securecontext.allowlist_onions',
    'network.http.referer.hideOnionSource',
@@ -1,7 +1,7 @@
 /******
 *    name: arkenfox user.js
-*    date: 4 November 2025
-* version: 140
+*    date: 5 November 2025
+* version: 144
 *    urls: https://github.com/arkenfox/user.js [repo]
 *        : https://arkenfox.github.io/gui/ [interactive]
 * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt
@@ -205,7 +205,7 @@ user_pref("network.prefetch-next", false);
 user_pref("network.dns.disablePrefetch", true);
 user_pref("network.dns.disablePrefetchFromHTTPS", true);
 /* 0603: disable predictor / prefetching ***/
-user_pref("network.predictor.enabled", false);
+user_pref("network.predictor.enabled", false); // [DEFAULT: false FF144+]
 user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false]
 /* 0604: disable link-mouseover opening connection to linked server
 * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/
@@ -402,29 +402,6 @@ user_pref("security.ssl.require_safe_negotiation", true);
 * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
 user_pref("security.tls.enable_0rtt_data", false);

-/** OCSP (Online Certificate Status Protocol)
-   [1] https://scotthelme.co.uk/revocation-is-broken/
-   [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
-***/
-/* 1211: enforce OCSP fetching to confirm current validity of certificates
- * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
- * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
- * It's a trade-off between security (checking) and privacy (leaking info to the CA)
- * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
- * [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers...
- * [1] https://en.wikipedia.org/wiki/Ocsp ***/
-user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1]
-/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail
- * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR | SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
- * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
- * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
- * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
- * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
- * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
- * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html
- * [3] https://letsencrypt.org/2024/12/05/ending-ocsp/ ***/
-user_pref("security.OCSP.require", true);
-
 /** CERTS / HPKP (HTTP Public Key Pinning) ***/
 /* 1223: enable strict PKP (Public Key Pinning)
 * 0=disabled, 1=allow user MiTM (default; such as your antivirus), 2=strict
@@ -433,12 +410,13 @@ user_pref("security.cert_pinning.enforcement_level", 2);
 /* 1224: enable CRLite [FF73+]
 * 0 = disabled
 * 1 = consult CRLite but only collect telemetry
- * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results
- * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (default)
+ * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results (default)
+ * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (removed FF145)
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071
- * [2] https://blog.mozilla.org/security/tag/crlite/ ***/
+ * [2] https://blog.mozilla.org/security/tag/crlite/
+ * [3] https://hacks.mozilla.org/2025/08/crlite-fast-private-and-comprehensive-certificate-revocation-checking-in-firefox/ ***/
 user_pref("security.remote_settings.crlite_filters.enabled", true); // [DEFAULT: true FF137+]
-user_pref("security.pki.crlite_mode", 2);
+user_pref("security.pki.crlite_mode", 2); // [DEFAULT: 2 FF142+]

 /** MIXED CONTENT ***/
 /* 1241: disable insecure passive content (such as images) on https pages ***/
@@ -572,7 +550,7 @@ user_pref("browser.tabs.searchclipboardfor.middleclick", false); // [DEFAULT: fa
 user_pref("browser.contentanalysis.enabled", false); // [FF121+] [DEFAULT: false]
 user_pref("browser.contentanalysis.default_result", 0); // [FF127+] [DEFAULT: 0]
 /* 2635: disable referrer and storage access for resources injected by content scripts [FF139+] ***/
-   // user_pref("privacy.antitracking.isolateContentScriptResources", true);
+user_pref("privacy.antitracking.isolateContentScriptResources", true);
 /* 2640: disable CSP Level 2 Reporting [FF140+] ***/
 user_pref("security.csp.reporting.enabled", false);

@@ -662,7 +640,7 @@ user_pref("privacy.clearOnShutdown_v2.cookiesAndStorage", true);
 /* 2820: set manual "Clear Data" items [SETUP-CHROME] [FF128+]
 * Firefox remembers your last choices. This will reset them when you start Firefox
 * [SETTING] Privacy & Security>Browser Privacy>Cookies and Site Data>Clear Data ***/
-user_pref("privacy.clearSiteData.cache", true);
+user_pref("privacy.clearSiteData.cache", true); // [DEFAULT: true]
 user_pref("privacy.clearSiteData.cookiesAndStorage", false); // keep false until it respects "allow" site exceptions
 user_pref("privacy.clearSiteData.historyFormDataAndDownloads", false);
   // user_pref("privacy.clearSiteData.siteSettings", false);
@@ -1063,6 +1041,8 @@ user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true]
   // user_pref("privacy.cpd.sessions", "");
 /* 6051: prefsCleaner: reset previously active items removed from arkenfox FF140+ ***/
   // user_pref("browser.display.use_system_colors", "");
+   // user_pref("security.OCSP.enabled", "");
+   // user_pref("security.OCSP.require", "");

 /*** [SECTION 7000]: DON'T BOTHER ***/
 user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!");
Author	SHA1	Message	Date
Thorin-Oakenpants	bfcb3659c1	Merge branch 'master' into Thorin-Oakenpants-patch-1	2025-11-03 01:32:40 +00:00
Thorin-Oakenpants	e69b54487c	correct RFP info	2025-11-01 02:54:54 +00:00
Thorin-Oakenpants	c569822cd1	grrrrr .. must. be. consistent.	2025-10-31 22:15:04 +00:00
Thorin-Oakenpants	1f58af5cf6	add document_color_use, #1965	2025-10-31 22:12:57 +00:00
Thorin-Oakenpants	8cd31371f2	browser.display.use_system_colors, #1965	2025-10-31 20:23:52 +00:00
Thorin-Oakenpants	1c76110c4c	remove 4510, #1965	2025-10-31 20:22:46 +00:00
Thorin-Oakenpants	d01f1e971e	update clearing history mentions	2025-10-31 19:04:26 +00:00
Thorin-Oakenpants	ba7f0cee9a	don't sanitize history/downloads	2025-10-31 18:37:36 +00:00
Thorin-Oakenpants	7007e28e4e	tidy	2025-10-09 07:10:19 +00:00
Thorin-Oakenpants	a05d90d612	make 2635 active it added as inactive in 140 due to bugs not fixed in time - seems stable now	2025-10-01 08:38:49 +00:00
Thorin-Oakenpants	0ef5f72c5f	tidy	2025-09-24 13:23:18 +00:00
Thorin-Oakenpants	c5087d6522	tidy	2025-08-25 11:25:44 +00:00
Thorin-Oakenpants	ff92cee8f0	update FPP info	2025-08-24 05:03:28 +00:00
Thorin-Oakenpants	934a339e41	add removed OCSP prefs to cleanup script	2025-08-20 16:10:56 +00:00
Thorin-Oakenpants	ae6242bded	remove OCSP, #1576	2025-08-20 16:01:10 +00:00
Thorin-Oakenpants	9ad1ce561f	v142	2025-08-19 10:49:32 +00:00