diff --git a/Firefox-Config/arken-user.js b/Firefox-Config/arken-user.js index f81e8c9..b5dc51d 100644 --- a/Firefox-Config/arken-user.js +++ b/Firefox-Config/arken-user.js @@ -114,6 +114,7 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] [DEFAULT: ""] // user_pref("network.trr.uri", "https://example.dns"); // user_pref("network.trr.custom_uri", "https://example.dns"); + /*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP) Your cipher and other settings can be used in server side fingerprinting [TEST] https://www.ssllabs.com/ssltest/viewMyClient.html @@ -143,104 +144,6 @@ user_pref("security.ssl.require_safe_negotiation", true); * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ user_pref("security.tls.enable_0rtt_data", false); -/** OCSP (Online Certificate Status Protocol) - [1] https://scotthelme.co.uk/revocation-is-broken/ - [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ -***/ -/* 1211: enforce OCSP fetching to confirm current validity of certificates - * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only - * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority) - * It's a trade-off between security (checking) and privacy (leaking info to the CA) - * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling - * [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers... - * [1] https://en.wikipedia.org/wiki/Ocsp ***/ -user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1] -/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail - * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR | SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST - * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail) - * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail) - * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it - * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers) - * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ - * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html - * [3] https://letsencrypt.org/2024/12/05/ending-ocsp/ ***/ -user_pref("security.OCSP.require", true); - -/** CERTS / HPKP (HTTP Public Key Pinning) ***/ -/* 1223: enable strict PKP (Public Key Pinning) - * 0=disabled, 1=allow user MiTM (default; such as your antivirus), 2=strict - * [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE ***/ -user_pref("security.cert_pinning.enforcement_level", 2); -/* 1224: enable CRLite [FF73+] - * 0 = disabled - * 1 = consult CRLite but only collect telemetry - * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results - * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (default) - * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071 - * [2] https://blog.mozilla.org/security/tag/crlite/ ***/ -user_pref("security.remote_settings.crlite_filters.enabled", true); // [DEFAULT: true FF137+] -user_pref("security.pki.crlite_mode", 2); - -/** MIXED CONTENT ***/ -/* 1241: disable insecure passive content (such as images) on https pages ***/ - // user_pref("security.mixed_content.block_display_content", true); // Defense-in-depth (see 1244) -/* 1244: enable HTTPS-Only mode in all windows - * When the top-level is HTTPS, insecure subresources are also upgraded (silent fail) - * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On (after "Continue to HTTP Site") - * [SETTING] Privacy & Security>HTTPS-Only Mode (and manage exceptions) - * [TEST] http://example.com [upgrade] - * [TEST] http://httpforever.com/ | http://http.rip [no upgrade] ***/ -user_pref("dom.security.https_only_mode", true); // [FF76+] - // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+] -/* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/ - // user_pref("dom.security.https_only_mode.upgrade_local", true); -/* 1246: disable HTTP background requests [FF82+] - * When attempting to upgrade, if the server doesn't respond within 3 seconds, Firefox sends - * a top-level HTTP request without path in order to check if the server supports HTTPS or not - * This is done to avoid waiting for a timeout which takes 90 seconds - * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/ -user_pref("dom.security.https_only_mode_send_http_background_request", false); - -/** UI (User Interface) ***/ -/* 1270: display warning on the padlock for "broken security" (if 1201 is false) - * Bug: warning padlock not indicated for subresources on a secure page! [2] - * [1] https://wiki.mozilla.org/Security:Renegotiation - * [2] https://bugzilla.mozilla.org/1353705 ***/ -user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); -/* 1272: display advanced information on Insecure Connection warning pages - * only works when it's possible to add an exception - * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/) - * [TEST] https://expired.badssl.com/ ***/ -user_pref("browser.xul.error_pages.expert_bad_cert", true); - -/*** [SECTION 1600]: REFERERS - full URI: https://example.com:8888/foo/bar.html?id=1234 - scheme+host+port+path: https://example.com:8888/foo/bar.html - scheme+host+port: https://example.com:8888 - [1] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ -***/ -user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); -/* 1602: control the amount of cross-origin information to send [FF52+] - * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ -user_pref("network.http.referer.XOriginTrimmingPolicy", 2); - -/*** [SECTION 1700]: CONTAINERS ***/ -user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!"); -/* 1701: enable Container Tabs and its UI setting [FF50+] - * [SETTING] General>Tabs>Enable Container Tabs - * https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers ***/ -user_pref("privacy.userContext.enabled", true); -user_pref("privacy.userContext.ui.enabled", true); -/* 1702: set behavior on "+ Tab" button to display container menu on left click [FF74+] - * [NOTE] The menu is always shown on long press and right click - * [SETTING] General>Tabs>Enable Container Tabs>Settings>Select a container for each new tab ***/ - // user_pref("privacy.userContext.newTabContainerOnLeftClick.enabled", true); -/* 1703: set external links to open in site-specific containers [FF123+] - * [SETUP-WEB] Depending on your container extension(s) and their settings - * true=Firefox will not choose a container (so your extension can) - * false=Firefox will choose the container/no-container (default) - * [1] https://bugzilla.mozilla.org/1874599 ***/ - // user_pref("browser.link.force_default_user_context_id_for_external_opens", true); /*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!"); @@ -259,10 +162,9 @@ user_pref("media.peerconnection.ice.default_address_only", true); * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/ // user_pref("media.gmp-provider.enabled", false); -/*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) ***/ -user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!"); -/* 2402: prevent scripts from moving and resizing open windows ***/ -user_pref("dom.disable_window_move_resize", true); + + + /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); diff --git a/Firefox-Config/custom.js b/Firefox-Config/custom.js new file mode 100644 index 0000000..9441087 --- /dev/null +++ b/Firefox-Config/custom.js @@ -0,0 +1,164 @@ +DISABLE IPv6 + +/** SPECULATIVE LOADING ***/ +user_pref("browser.send_pings", false); // [DEFAULT: false] + +/** SEARCH / URL BAR ***/ +user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // [FF95+] +user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); // [FF92+] +user_pref("browser.urlbar.suggest.searches", false); +user_pref("browser.search.separatePrivateDefault", true); // [FF70+] + +/** PASSWORDS ***/ +user_pref("signon.autofillForms", false); +user_pref("signon.formlessCapture.enabled", false); + +/** SAFE BROWSING ***/ +user_pref("browser.safebrowsing.malware.enabled", false); +user_pref("browser.safebrowsing.phishing.enabled", false); +user_pref("browser.safebrowsing.downloads.enabled", false); +user_pref("browser.safebrowsing.downloads.remote.url", ""); // Defense-in-depth +user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false); + +/** CRASH REPORTS ***/ +user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DEFAULT: false] + +/** MOZILLA UI ***/ +user_pref("browser.shopping.experience2023.enabled", false); // [DEFAULT: false] + +/** URL BAR ***/ +user_pref("browser.urlbar.addons.featureGate", false); // [FF115+] +user_pref("browser.urlbar.fakespot.featureGate", false); // [FF130+] [DEFAULT: false] +user_pref("browser.urlbar.mdn.featureGate", false); // [FF117+] [HIDDEN PREF] +user_pref("browser.urlbar.pocket.featureGate", false); // [FF116+] [DEFAULT: false] +user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] [DEFAULT: false] +user_pref("browser.urlbar.yelp.featureGate", false); // [FF124+] +user_pref("browser.urlbar.clipboard.featureGate", false); + +/** SSL / OCSP **/ +user_pref("security.ssl.require_safe_negotiation", true); +user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1] // CHANGE IN user.js UPAR UPAR +user_pref("security.OCSP.require", true); + +**************************************************************************** + * START: MY OVERRIDES * + ****************************************************************************/ +// visit https://github.com/yokoffing/Betterfox/wiki/Common-Overrides +// visit https://github.com/yokoffing/Betterfox/wiki/Optional-Hardening +// Enter your personal overrides below this line: + +// PREF: restore login manager +user_pref("signon.rememberSignons", true); + +// PREF: restore Top Sites on New Tab page +user_pref("browser.newtabpage.activity-stream.feeds.topsites", true); + +// PREF: enable container tabs +user_pref("privacy.userContext.enabled", true); + +/**************************************************************************** + +/**************************************************************************** + * HARDENING * + ***************************************************************************/ + +// PREF: disable Firefox Sync +user_pref("identity.fxaccounts.enabled", false); + +// PREF: disable the Firefox View tour from popping up +user_pref("browser.firefox-view.feature-tour", '{"screen":"","complete":true}'); + +// PREF: enable HTTPS-Only Mode +// Warn me before loading sites that don't support HTTPS +// in both Normal and Private Browsing windows. +user_pref("dom.security.https_only_mode", true); +user_pref("dom.security.https_only_mode_error_page_user_suggestions", true); + +// PREF: disable captive portal detection +// [WARNING] Do NOT use for mobile devices! +user_pref("captivedetect.canonicalURL", ""); +user_pref("network.captive-portal-service.enabled", false); +user_pref("network.connectivity-service.enabled", false); + +// PREF: set DoH provider +user_pref("network.trr.uri", "https://family.dns.mullvad.net/dns-query"); // Hagezi Light + TIF + +// PREF: enforce DNS-over-HTTPS (DoH) +user_pref("network.trr.mode", 3); + +// PREF: enforce certificate pinning +// [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE +// 1 = allow user MiTM (such as your antivirus) (default) +// 2 = strict +user_pref("security.cert_pinning.enforcement_level", 2); + +/* 1224: enable CRLite [FF73+] + * 0 = disabled + * 1 = consult CRLite but only collect telemetry + * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results + * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (default) + * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071 + * [2] https://blog.mozilla.org/security/tag/crlite/ ***/ +user_pref("security.remote_settings.crlite_filters.enabled", true); // [DEFAULT: true FF137+] + +/* 1244: enable HTTPS-Only mode in all windows + * When the top-level is HTTPS, insecure subresources are also upgraded (silent fail) + * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On (after "Continue to HTTP Site") + * [SETTING] Privacy & Security>HTTPS-Only Mode (and manage exceptions) + * [TEST] http://example.com [upgrade] + * [TEST] http://httpforever.com/ | http://http.rip [no upgrade] ***/ +user_pref("dom.security.https_only_mode", true); // [FF76+] +user_pref("dom.security.https_only_mode_pbm", true); // [FF80+] + +// PREF: delete all browsing data on shutdown +user_pref("privacy.sanitize.sanitizeOnShutdown", true); +user_pref("privacy.clearOnShutdown_v2.cache", true); + +// PREF: after crashes or restarts, do not save extra session data +// such as form content, scrollbar positions, and POST data +user_pref("browser.sessionstore.privacy_level", 2); + +// PREF: disable all DRM content +user_pref("media.eme.enabled", false); + +// [SETTING] General>Language>Choose your preferred language for displaying pages>Choose>Request English... +user_pref("privacy.spoof_english", 1); + +/** CONTAINERS **/ +user_pref("privacy.userContext.enabled", true); +user_pref("privacy.userContext.ui.enabled", true); + +/** DOM (DOCUMENT OBJECT MODEL) **/ +// Prevent scripts from moving and resizing open windows +user_pref("dom.disable_window_move_resize", true); + + +/**************************************************************************** + * BEGINNING OF ARKEN FOX * + ***************************************************************************/ + +// Geo-location +user_pref("geo.provider.use_geoclue", false); // [FF102+] [LINUX] + +/**************************************************************************** + * END OF ARKEN FOX * + ***************************************************************************/ + + + +/**************************************************************************************** + * OPTION: SHARPEN SCROLLING * + ****************************************************************************************/ +// credit: https://github.com/black7375/Firefox-UI-Fix +// only sharpen scrolling +user_pref("apz.overscroll.enabled", true); // DEFAULT NON-LINUX +user_pref("general.smoothScroll", true); // DEFAULT +user_pref("mousewheel.min_line_scroll_amount", 10); // adjust this number to your liking; default=5 +user_pref("general.smoothScroll.mouseWheel.durationMinMS", 80); // default=50 +user_pref("general.smoothScroll.currentVelocityWeighting", "0.15"); // default=.25 +user_pref("general.smoothScroll.stopDecelerationWeighting", "0.6"); // default=.4 +// Firefox Nightly only: +// [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1846935 +user_pref("general.smoothScroll.msdPhysics.enabled", false); // [FF122+ Nightly] + +