* move 1260 to 122x
"disable or limit SHA-1 certificates" is about certs, not ciphers.
Because CERTS is 1st in the title I moved it to the 1st item there because it's arguably also the most important of the lot (and renumbered the rest)
We can also drop HSTS from the subgroup title because there's nothing HSTS left atm.
FYI, the https://www.privacytools.io/webrtc.html test in our wiki is 404, so I gave it a strikethru and added this one. This is also handy for 2001, but do we need to double up on it? We're only disabling WebRTC because of IP leaks, so I don't see the point in testing if WebRTC is disabled.
Session Restore cannot be disabled in Normal mode, it is also used internally. FYI: PB Mode does not use Session Restore. The description is still not 100%, as it refers to what is restored, not what is kept in the recovery.jsonlz4 (at least for tabs)
flipped true in FF54: https://bugzilla.mozilla.org/show_bug.cgi?id=1026804 but unsure when the pref itself was introduced. note: other timing prefs were always in 2400's see 4602: [2411] disable resource/navigation timing / 4603: [2412] disable timing attacks
it has zero to do with privacy etc, and in fact most users will only ever encounter it once (and check the box) when they first go to about:config, so it's not even useful as an override or a new profile IMO. This removes one of three numbers that don't have a section
when argument `-l` is used, parse profiles.ini instead of just listing folders in the default profiles dir.
This allows selecting profiles located outside of the default profiles directory and makes selection easier because it also shows the profile name (and selection is by number instead of having to copy-paste a path)
* Uses `perl` as a last resort if `curl` and `wget` are not available (fixes #537)
* Aborts and notifies user if none of the above are installed
* Better use of functions
* When version numbers are checked, the contents are immediately saved to a temp dir. This allows us to skip using wget/curl/perl a second time
* Improved messages for users
* Added various font colors for ease of use and aesthetics
TLS 1.0 and 1.1 are still secure. Sure, later versions are more secure, but 98% of the web is already upgraded - less than 2% of sites use < v1.2. So it's not very likely you would come across a site that requires it, but if you did, what's the point in breaking it. Mozilla and Chrome already have plans to deprecate TLS 1.0 & 1.1, and force that last 2% of sites.
TLS settings can be FP'ed without JS. By sticking with the defaults, I do not see any security issues, but an increase in potential anti-FPing. TBH, the chances of either (i.e. being FP'ed with TLS as an entropy point, or being compromised due to TLS<1.2) are slim to none anyway.
Any arguments, please see @earthlng
Pants said "We do not need to keep anything for ESR users. ESR users are on v60, and we have an archived 60 for them."
This isn't even affecting ESR60 but only older versions.
* removed, renamed or hidden in v63.0
- 0301a - do you want to add the `[NOTE] Firefox currently checks every 12 hrs ...` to `0302a` ? The problem is it also checks for updates every time you open/reload about:preferences and in Menu>Help>About Firefox regardless of when the last check was.
- 0513 - removed because follow-on-search is no longer a deletable system addon
- 2703 - do we just remove `3=for n days` or add a [NOTE] that value 3 was removed in FF63 or something?
- `browser.ctrlTab.recentlyUsedOrder` replaces `browser.ctrlTab.previews` but it now defaults to true. No need to list the new one under 5000 IMO
* Update user.js
* 1031 add more info
https://bugzilla.mozilla.org/show_bug.cgi?id=1453751#c28
* 0301a: remove update-check timing info
* 2703: add version deprecation for value 3
- pref removed in FF63 (https://bugzilla.mozilla.org/1476879)
- when we added it the default was false
- default is true since FF57
- it's only a UI thing
ergo we don't need to move it to 9999
* more infos
* add colons
not all EOL comments for defaults start with `// default` (23). The common string is `default:` (27 incl. these ones) with or without preceding or trailing spaces
* replace /V with global VERIFY ON
* change working dir to script dir
The working dir doesn't necessarily match the script's path, depending on how the script is called. All relative paths and conditional statements using EXIST will fail whenever the working dir is not the script's own location. This fixes that.
* minimal stuff, mostly cosmetic
* prompt to run prefsCleaner under very specific circumstances
* improve -updatebatch option
* add version variable + display new script version on update
I think there's no way to get rid of ^M but hopefully with `*.bat -text` in `.gitattributes` it shouldn't be a problem because git won't do any line conversion on check-in/out.
This way the raw link as well as the file within the zip download should be in proper MSDOS CRLF format, and git status shouldn't report the file as modified either. ***fingerscrossed!!***
FF61 introduced quite a few changes, including removing the ability to set a blank startpage in the UI, and a new Home options tab with unified Activity Stream (AS) defaults and dropdown options. Because the only way to stop AS on startup is to enforce a blank page (pref 0102), and setting this auto changes `home+newwindow` (0103) and `newtab` (0104) to a blank page, then we're just going to go ahead and enforce that on all of them.
For more info see the discussion in #426
Both deprecated in FF61, but we'll remove them from the user.js
- `services.blocklist.signing.enforced` is default true since FF50
- `browser.storageManager.enabled` only controls "Site Data" UI visibility
2732 was just enforcing default since at least FF52, and 2733 has never been used, was only there for info. Offline Cache or appCache (2730) is already behind a prompt (2731), and is already limited (in FF60+) to HTTPS (2730b).
Note: I am not 100% sure what happens with an app update. If this is divorced from that check now, you should be able to get FF updated without any system addons. We'll have to wait until 62 needs an update to test it. In the meantime I've edited the [NOTE]. I've also left this inactive (eg imagine if they pushed a critical update for formfill), so this is an end-user decision. Added to sticky to revisit this pref
I see no point in keeping this to enforce a default that FF itself doesn't use - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent/Firefox
- "... is an optional compatibility token that some Gecko-based browsers may choose to incorporate, to achieve maximum compatibility with websites that expect Firefox"
The last one-off ESR cycle of 8 releases is now behind us, new algorithm for FF60+ is back to 7 releases per ESR numbering, starting at 60... 67... etc. Note: This does not do anything for Aurora or Nightly spoofing the next ESR early (but we have until Nightly 67 before this becomes a problem). The ticket 1418162 was meant to cover this but instead was just used for the new algorithm. There is currently no ticket for the Aurora/Nightly issue - but never fear, Pants is here!! It is not forgotten, and I have emails with Tom Ritter et al on it
* updated shebang
* The script now compares its version number to the one online. If there is a newer version of `updater.sh` online it asks the user if he wants to download and run it.
* 2 parameters are supported: `-donotupdate` to disable the update-check and `-update` to auto-download and run the new version without asking
* Backup files are now saved to the directory `userjs_backups` instead of causing more bloat in the profile directory.
- massive speed improvement !! m-a-s-s-i-v-e !
- small fix to the time format used in backup filenames (replace space with zeros)
- better tolerance for special characters within preference names (which counters [the one downside that v1.2 brought along](https://github.com/ghacksuserjs/ghacks-user.js/pull/321#issuecomment-354394222)).
- other minor things, mostly to do with Delayed Expansion and the removal of it
known issue (but not really an issue):
- it skips instances of `user_pref` that have any quote or double-quote before `user_pref` (like `// "this" user_pref`)
AS is out of control. No master switch in FF60+, and in order to be 100% sure nothing is collected locally (or external connections made), there are now some 28 prefs (including those coming in FF61). This is re-DICK-ulous. We're not going to bother tracking all that, let alone the labyrinth of code. All users are advised to just make sure they remove the XPI every time they update FF.
2711 is about web extension data and does not fit in the 2700s, which is all about websites' persistent data, i.e. items that sanitizing and Storage Manager deal with. Dumping in 2600's which is getting a revamp later
* Options> and [settings]
While I'm at it, I'm changing the 21 instances of
- `[SETTING-56+]` to just `[SETTING]`
- `[SETTING-ESR]` to `[SETTING-ESR52]` because we'll leave those in until 62 (yes I know they may apply to earlier ESRs, but people should be upgraded). Thus no ambiguity with ESR60 vs ESR52 users for the overlap
This is so wrong: It is better to inform users that 3 **must** be used than rely on zero info as well as removing useful info on what the values do. All future issues with this will be directed to earthlng. Remove RFP info as RFP users should know this stuff if they turned it on. Non RFP users, who we told they can bypass it, will not have a reference to RFP now. Enforce will now be banned as a word because, "reasons".
add `browser.storageManager.enabled` back but enforce it as true - otherwise people may never pick up on the fact we dropped it and may never reset it, and never see their shiny new UI section. When it's deprecated, *then* we can remove it
pref will be removed, 99% sure it was just a pref used internally to hide it from stable during testing in beta/nightly - see https://bugzilla.mozilla.org/show_bug.cgi?id=1428306. Makes zero sense to hide this new UI section since we will be turning SM on anyway (the section is important for end users to exist and be working esp thru QuotaManager and Storage v2 changes etc).
note: picked up a leading space on 2206. Please double check for any errors or missed opportunities (I scanned it three times), 1221 is about the only one that's a bit messy I think
Note: I moved the (part`x`) bit to the end of the bugzilla from previous commit as I like the https* bit to all be in line = visually easier to parse IMO
This is a start to reducing section 2600 (which I renamed to just miscellaneous). We can always revisit this new section and add to it down the track if required. Note: added a second ref [2] under 0703. Note: re-numbered & re-positioned deprecated prefs for SPDY
These are all at default values, no need to enforce. As for removing them, we're de-cluttering the section and these just aren't that important. Anyone who wants to play with tab ordering/focus/etc could probably use an extension (API's?) and/or easily find these and look them up
geolocation blocking via RFP will be removed (see https://bugzilla.mozilla.org/show_bug.cgi?id=1441295), and since either way you look at it (those who use RFP or not) the user.js blocks geo, so we might as well move this stuff back to section 0200
1376865 was back ported to 59, so canvas prompt fatigue will be reduced. Note: the default for non-prompts is the same as if you clicked "Don't Allow" - i.e it serves up a 10x10px white square
Cleaning up the UA spoof stuff in the sticky, as a ticket was just closed (52 is now a temporary hard-coded value: 1418672 - I guess they're running out of time), so also cleaning up the info, and consistent layout
Two issues: The code to determine the ESR number is out of whack (by one) since the next ESR is 60. 59 stable is almost here. So they have decided to hard-code the value as 52, for now. The second issue is that Aurora/Nightly are ahead of stable/ESR and can thus unmask themselves as Aurora/Nightly. The hard-coded value for now also solves this.
If you follow the sticky for RFP, you will see there is a ticket for using the update channel information (eg stable, beta, dev, nightly etc) to determine when and how to calculate the version spoof in future, and they'll also rejig the numbering algorithm to account for ESR being out by one. These are tickets https://bugzilla.mozilla.org/show_bug.cgi?id=1418162 and https://bugzilla.mozilla.org/show_bug.cgi?id=1428111
These default values are the same in all OSes and all current Firefox versions (ESR, Release, Beta, Nightly).
Apart from alerts.showFavicons these defaults are most likely never gonna change
data: works perfectly fine here. No need to use https and no need to connect to localhost because something could be listening there.
data is the fastest and best solution.
Note: I tested the value of 1 when changing from 2-block to make sure that it actually changed to allow in the panel. Am keeping my eye on the delete and backspace keys and will remove the line when it is fixed
Changes:
- The script doesn't touch the `user.js` file until it really has to.
- The merge function is a bit smarter parsing files, at no significant cost.
- Fixed a minor issue with the version check.
- Minor syntactic changes here and there.
- creates timestamped backup files rather than always overwriting user.js.bak.
(use -singlebackup if you prefer a single backup file)
Changes:
- The script doesn't touch the user.js file until it really has to.
- The merge function is a bit smarter parsing files, at no significant cost. See examples below.
- Minor syntactic changes here and there.
Additions:
- New -multiBackups argument. I personally intend to use it to compare files and quickly review changes.
- Search string made case-sensitive, because Firefox preferences are.
- The script now uses regex, which allows it to understand `user.js` files formatted using single quotes, spaces and/or tabs in `user_pref` lines.
Trade-off: it can no longer reset preferences that include some special characters in their names. Not an issue for now, just something to remember.
See full discussion [here](https://github.com/ghacksuserjs/ghacks-user.js/pull/321).
- Search string made case-sensitive, because Firefox preferences are.
- The script now uses regex, which allows it to understand user.js files formatted using single quotes, spaces, or tabs.
Trade-off: it can no longer reset preferences that include some special characters in their names. Not an issue for now, just something to remember.
Fixes:
- Merge function:
  * no longer has the potential to truncate super long lines. (8KB per line still IS the max!)
  * no more issues with exclamation marks in user_pref lines.
Improvements:
- Overall better performance due to ECHO syntax changes.
- Merge function on steroids! Faster than ever
Changes, Additions, Subtractions:
- Leading spaces are no longer ignored by the merge function. Lines to be merged must begin with user_pref.
- Added header with name, author, version.
- Added help sub-menu.
- Added special message when no override files are found when using -multiOverrides.
- Formatting changes.
Fixes:
- Merge function:
  * no longer has the potential to truncate super long lines.
  * no more issues with exclamation marks in user_pref lines.
Improvements:
- Overall better performance due to ECHO syntax changes.
- Merge function on steroids! Faster than ever, and no longer generates temporary files at all. As it always should have been.
Changes, Additions, Subtractions:
- Leading spaces are no longer ignored by the merge function. Lines to be merged must begin with user_pref.
- Added header with name, author, version.
- Added help sub-menu.
- Added special message when no override files are found when using -multiOverrides.
- Formatting changes.
-updatebatch now will (or at least should):
* Download new batch and name it [updater]*.bat
* Open that script in a new CMD window.
* Exit
The [updated]*.bat script should:
* Copy itself overwriting the original batch (without renaming).
* Start that script in a new CMD instance.
* Exit.
The new script, with the original name, should:
* Delete the [updated]*.bat script
* Begin the normal script routine.
@earthlng do you think I should still rename the scripts to .old or something before overwriting/deleting?
It ended up being a mixture of the previous commit and the fix. It writes a temporary file on the go that only holds preferences, and generates the target file at once at the end. It's slower than before, but it works.
While I figure out a fix for the missing characters...
Enclosing the whole merging loop in parentheses and replacing the source file with the entire output at once is more efficient than appending individual lines with >>%~2. The script doesn't have to wait for the HD to continue processing.
Everything in a line after a powershell call is considered as being called from PowerShell.
>nul didn't work because of that. Enclosing the line in brackets should fix it.
To account for the possibility of the user running the script silently in the background. PAUSE would leave an instance in memory doing nothing indefinitely.
I was going to use TIMEOUT but PING performs better.
- keeps all user.js.parrot lines intact
- keeps empty lines intact
- fix for keeping `!` and `^` in non-"user_pref" lines intact
+ some other minor changes + streamlining
You had it right the first time earthlng. Eg Start commits for 55-beta date shown is 9-July. 55-alpha release is dated 18-Aug and we drop the "-beta" part (look inside the release downloads). Start commits for 56-beta date shown is 12-Sept. 56-alpha release is dated 2-Oct and we drop the "-beta" part. And because you created the 57-alpha release before you reversed the date+version, that too is all good.
A `user.js` is a configuration file that can control hundreds of Firefox settings. For a more technical breakdown and explanation, you can read more on the [overview](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.1-Overview) wiki page.
The [ghacks user.js](https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js) is a template, which, as provided, aims (with [extensions](https://github.com/ghacksuserjs/ghacks-user.js/wiki/Appendix-B:-Extensions) <sup>1</sup>) to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage (but it will happen).
### ![][b] ghacks user.js
The `ghacks user.js` is a **template** which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage (but it will happen).
We aim to INFORM and give you CHOICES. No one size fits all, so customize it! And not all sites have the same requirements, so use [profiles](https://github.com/ghacksuserjs/ghacks-user.js/wiki/2.3-Concurrent-Profiles) with custom versions. We won't set you wrong.
Everyone, experts included, should at least read the [implementation](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation) wiki page, as it contains important information regarding a few `ghacks user.js` settings.
INFORMATION IS POWER. So you can make informed decisions to better protect yourself online, we aim to be:
Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://www.torproject.org/about/torusers.html.en) calls for it, or for accessing hidden services.
* Accessible (provide information and simpler, less-technical descriptions if possible)
* Accountable (provide reputable references/sources, [test sites](https://github.com/ghacksuserjs/ghacks-user.js/wiki/Appendix-C:-Test-Sites), dispel bad advice)
* Change trackable (yay! we're on github now, with commits)
* Compatible (including a [deprecated section](https://github.com/ghacksuserjs/ghacks-user.js/issues/123), [releases](https://github.com/ghacksuserjs/ghacks-user.js/releases))
* Comprehensive (including enforcing defaults and future-proofing)
* Current and up-to-date with stable (including [changelogs](https://github.com/ghacksuserjs/ghacks-user.js/search?q=label%3Achangelog&type=Issues&utf8=%E2%9C%93))
* Detailed (preference versioning, hidden preference information, explanations, and more)
* Easy to use and discuss (sections, sub-sections, numbering)
* Helpful (including a [wiki](https://github.com/ghacksuserjs/ghacks-user.js/wiki) with features such as [extensions](https://github.com/ghacksuserjs/ghacks-user.js/wiki/Appendix-B:-Extensions), [user scripts](https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-User-Scripts), [references](https://github.com/ghacksuserjs/ghacks-user.js/wiki/Appendix-D:-References) and more)
* Innovative (formatting, special tags, and future plans such as branches)
Also be aware that this `user.js` is made specifically for Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser.
Everyone, experts included, should at least read the [implementation](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation) wiki page, as it contains important information regarding a few default settings we use. The rest of the [wiki](https://github.com/ghacksuserjs/ghacks-user.js/wiki) is helpful as well.
* The 12bytes article now uses this user.js and supplements it with an additional JS hosted right [here](https://github.com/atomGit/Firefox-user.js) at github
* The 12bytes article now uses this user.js and supplements it with an additional JS hosted at [GitLab](https://gitlab.com/labwrat/Firefox-user.js/tree/master)
<sup>1</sup>  Important: We HIGHLY recommend using uBlock Origin, uMatrix and a cookie extension. Section 0400, if modified, allows Tracking Protection and Safe Browsing to be disabled. Do this at your own risk. See the [implementation](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation) wiki page for more.
<sup>1</sup> The ghacks user.js was an independent project by [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) started in early 2015 and was [first published](https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/) at ghacks in August 2015. With Martin Brinkmann's blessing, it will keep the ghacks name.
<sup>2</sup> The ghacks user.js was an independent project by [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) started in early 2015 and was [first published](https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/) at ghacks in August 2015. It was kept up-to-date and expanded by the original author with three major updates and articles. With Martin Brinkmann's blessing, it will keep the ghacks name.
```bash
		mv prefs.js "${bakfile}" || fQuit 1 "Operation aborted.\nReason: Could not create backup file $bakfile"
		echo -e "\nprefs.js backed up: $bakfile"
		echo "Cleaning prefs.js..."
		fClean "$bakfile"
		fQuit 0 "All done!"
		;;
	Help)
		echo -e "\nThis script creates a backup of your prefs.js file before doing anything."
		echo -e "It should be safe, but you can follow these steps if something goes wrong:\n"
		echo "1. Make sure Firefox is closed."
		echo "2. Delete prefs.js in your profile folder."
		echo "3. Delete Invalidprefs.js if you have one in the same folder."
		echo "4. Rename or copy your latest backup to prefs.js."
		echo "5. Run Firefox and see if you notice anything wrong with it."
		echo "6. If you do notice something wrong, especially with your extensions, and/or with the UI, go to about:support, and restart Firefox with add-ons disabled. Then, restart it again normally, and see if the problems were solved."
		echo -e "If you are able to identify the cause of your issues, please bring it up on ghacks-user.js GitHub repository.\n"
```
```js
  // reset prefs that set the same value as FFs default value
  let aTEMP = getMyList(ops);
  myreset(aTEMP);
  reapply(aTEMP);

  const aBACKUP = getMyList(ops);
  //console.log(aBACKUP.length, "user-set prefs from our list detected and their values stored.");

  let myArr = aBACKUP;
  let found = false;
  let aDbg = [];

  focus();
  myreset(aBACKUP); // reset all detected prefs
  if (confirm("all detected prefs reset.\n\n!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\nIF the problem still exists, this script can't help you - click cancel to re-apply your values and exit.\n\nClick OK if your problem is fixed.")) {
    aDbg = myArr;
    reapply(aBACKUP);
    myreset(myArr.slice(0, parseInt(myArr.length/2)));
    while (myArr.length >= 2) {
      alert("NOW TEST AGAIN !");
      if (confirm("if the problem still exists click OK, otherwise click cancel.")) {
        myArr = myArr.slice(parseInt(myArr.length/2));
        if (myArr.length == 1) {
          alert("The problem is caused by more than 1 pref !\n\nNarrowed it down to "+aDbg.length.toString()+" prefs, check the console ...");
          break;
        }
      } else {
        myArr = myArr.slice(0, parseInt(myArr.length/2));
        aDbg = myArr;
        if (myArr.length == 1) { found = true; break; }
      }
      reapply(aBACKUP);
      myreset(myArr.slice(0, parseInt(myArr.length/2))); // reset half of the remaining prefs
    }
    reapply(aBACKUP);
  }
  else {
    reapply(aBACKUP);
    return;
  }

  if (found) {
    alert("narrowed it down to:\n\n"+myArr[0].name+"\n");
    myreset(myArr); // reset the culprit
  }
  else {
    console.log("the problem is caused by a combination of the following prefs:");
```
```bat
) ELSE (ECHO Current user.js version not recognised.)
) ELSE (ECHO Current user.js version not recognised.)
) ELSE (ECHO user.js not detected in the current directory.)
ECHO.
IF NOT "%_ua%"=="true" (
	ECHO This batch should be run from your Firefox profile directory. It will download the latest version of ghacks user.js from github and then append any of your own changes from user-overrides.js to it.
	ECHO.
	REM ECHO Visit the wiki for more detailed information.
```