Skip to content

Commit cc0f053

Browse files
Thorin-OakenpantsThorin-Oakenpants
authored
v107 (#1579)
1 parent 5a36649 commit cc0f053

File tree

1 file changed

+20
-24
lines changed

1 file changed

+20
-24
lines changed

user.js

Lines changed: 20 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
/******
22
* name: arkenfox user.js
3-
* date: 6 November 2022
4-
* version: 106
3+
* date: 21 November 2022
4+
* version: 107
55
* url: https://github.com/arkenfox/user.js
66
* license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt
77
@@ -112,8 +112,8 @@ user_pref("geo.provider.use_gpsd", false); // [LINUX]
112112
user_pref("geo.provider.use_geoclue", false); // [FF102+] [LINUX]
113113
/* 0203: disable region updates
114114
* [1] https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html ***/
115-
user_pref("browser.region.network.url", ""); // [FF78+]
116115
user_pref("browser.region.update.enabled", false); // [FF79+]
116+
// user_pref("browser.region.network.url", ""); // [FF78+] Defense-in-depth
117117
/* 0204: set search region
118118
* [NOTE] May not be hidden if Firefox has changed your settings due to your region (0203) ***/
119119
// user_pref("browser.search.region", "US"); // [HIDDEN PREF]
@@ -491,8 +491,8 @@ user_pref("security.remote_settings.crlite_filters.enabled", true);
491491
user_pref("security.pki.crlite_mode", 2);
492492

493493
/** MIXED CONTENT ***/
494-
/* 1241: disable insecure passive content (such as images) on https pages [SETUP-WEB] ***/
495-
user_pref("security.mixed_content.block_display_content", true);
494+
/* 1241: disable insecure passive content (such as images) on https pages ***/
495+
// user_pref("security.mixed_content.block_display_content", true); // Defense-in-depth (see 1244)
496496
/* 1244: enable HTTPS-Only mode in all windows [FF76+]
497497
* When the top-level is HTTPS, insecure subresources are also upgraded (silent fail)
498498
* [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On (after "Continue to HTTP Site")
@@ -603,9 +603,6 @@ user_pref("media.eme.enabled", false);
603603
user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!");
604604
/* 2402: prevent scripts from moving and resizing open windows ***/
605605
user_pref("dom.disable_window_move_resize", true);
606-
/* 2403: block popup windows
607-
* [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/
608-
user_pref("dom.disable_open_during_load", true);
609606
/* 2404: limit events that can cause a popup [SETUP-WEB] ***/
610607
user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
611608

@@ -624,7 +621,7 @@ user_pref("browser.helperApps.deleteTempFileOnExit", true);
624621
user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF]
625622
/* 2606: disable UITour backend so there is no chance that a remote page can use it ***/
626623
user_pref("browser.uitour.enabled", false);
627-
user_pref("browser.uitour.url", "");
624+
// user_pref("browser.uitour.url", ""); // Defense-in-depth
628625
/* 2608: reset remote debugging to disabled
629626
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/
630627
user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false]
@@ -648,16 +645,16 @@ user_pref("webchannel.allowObject.urlWhitelist", "");
648645
* [3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=punycode+firefox
649646
* [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
650647
user_pref("network.IDN_show_punycode", true);
651-
/* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME]
648+
/* 2620: enforce PDFJS, disable PDFJS scripting
652649
* This setting controls if the option "Display in Firefox" is available in the setting below
653650
* and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
654-
* PROS: pdfjs is lightweight, open source, and more secure/vetted than most
655-
* Exploits are rare (one serious case in seven years), treated seriously and patched quickly.
651+
* [WHY] pdfjs is lightweight, open source, and secure: the last exploit was June 2015 [1]
656652
* It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
657653
* It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
658-
* CONS: You may prefer a different pdf reader for security reasons
659-
* CAVEAT: JS can still force a pdf to open in-browser by bundling its own code
660-
* [SETTING] General>Applications>Portable Document Format (PDF) ***/
654+
* [NOTE] JS can still force a pdf to open in-browser by bundling its own code
655+
* [SETUP-CHROME] You may prefer a different pdf reader for security/workflow reasons
656+
* [SETTING] General>Applications>Portable Document Format (PDF)
657+
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/
661658
user_pref("pdfjs.disabled", false); // [DEFAULT: false]
662659
user_pref("pdfjs.enableScripting", false); // [FF86+]
663660
/* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/
@@ -717,8 +714,8 @@ user_pref("browser.contentblocking.category", "strict");
717714
/* 2710: enable state partitioning of service workers [FF96+] ***/
718715
user_pref("privacy.partition.serviceWorkers", true); // [DEFAULT: true FF105+]
719716
/* 2720: enable APS (Always Partitioning Storage) ***/
720-
user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", true); // [FF104+]
721-
user_pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false); // [FF105+]
717+
user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", true); // [FF104+] [DEFAULT: true FF109+}
718+
user_pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false); // [FF105+] [DEFAULT: false FF109+]
722719

723720
/*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/
724721
user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
@@ -809,7 +806,6 @@ user_pref("privacy.sanitize.timeSpan", 0);
809806
1382545 - reduce fingerprinting in Animation API
810807
1354633 - limit MediaError.message to a whitelist
811808
FF58+
812-
967895 - spoof canvas and enable site permission prompt (FF58)
813809
1372073 - spoof/block fingerprinting in MediaDevices API (FF59)
814810
Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone"
815811
Block: suppresses the ondevicechange event
@@ -925,7 +921,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow
925921
/* 5005: disable intermediate certificate caching [FF41+] [RESTART]
926922
* [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only.
927923
* Saved logins and passwords are not available. Reset the pref and restart to return them ***/
928-
// user_pref("security.nocertdb", true); // [HIDDEN PREF in FF101 or lower]
924+
// user_pref("security.nocertdb", true);
929925
/* 5006: disable favicons in history and bookmarks
930926
* [NOTE] Stored as data blobs in favicons.sqlite, these don't reveal anything that your
931927
* actual history (and bookmarks) already do. Your history is more detailed, so
@@ -1053,6 +1049,7 @@ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false]
10531049
// user_pref("browser.ssl_override_behavior", "");
10541050
// user_pref("devtools.chrome.enabled", "");
10551051
// user_pref("dom.disable_beforeunload", "");
1052+
// user_pref("dom.disable_open_during_load", "");
10561053
// user_pref("extensions.formautofill.available", "");
10571054
// user_pref("extensions.formautofill.addresses.supported", "");
10581055
// user_pref("extensions.formautofill.creditCards.available", "");
@@ -1082,8 +1079,8 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
10821079
/* 7003: disable non-modern cipher suites [1]
10831080
* [WHY] Passive fingerprinting. Minimal/non-existent threat of downgrade attacks
10841081
* [1] https://browserleaks.com/ssl ***/
1085-
// user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false);
1086-
// user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
1082+
// user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); // [DEFAULT: false FF109+]
1083+
// user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // [DEFAULT: false FF109+]
10871084
// user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
10881085
// user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false);
10891086
// user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS
@@ -1097,7 +1094,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
10971094
/* 7005: disable SSL session IDs [FF36+]
10981095
* [WHY] Passive fingerprinting and perf costs. These are session-only
10991096
* and isolated with network partitioning (FF85+) and/or containers ***/
1100-
// user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF in FF101 or lower]
1097+
// user_pref("security.ssl.disable_session_identifiers", true);
11011098
/* 7006: onions
11021099
* [WHY] Firefox doesn't support hidden services. Use Tor Browser ***/
11031100
// user_pref("dom.securecontext.allowlist_onions", true); // [FF97+] 1382359/1744006
@@ -1146,8 +1143,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
11461143
// user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
11471144
// user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true]
11481145
/* 7017: disable service workers
1149-
* [WHY] Already isolated (FF96+) with TCP (2701) behind a pref (2710)
1150-
* or blocked with TCP in 3rd parties (FF95 or lower) ***/
1146+
* [WHY] Already isolated with TCP (2701) behind a pref (2710) ***/
11511147
// user_pref("dom.serviceWorkers.enabled", false);
11521148
/* 7018: disable Web Notifications
11531149
* [WHY] Web Notifications are behind a prompt (7002)

0 commit comments

Comments
 (0)