16 Commits

Author SHA1 Message Date
30bb523b11 upgrade 53-beta to 53
ready for alpha release and changelog
2017-04-28 04:18:55 +12:00
b26175494b typo
earthlng!!!!  we use urlbar not URL bar .. bad earthlng :)
2017-04-26 18:18:52 +12:00
7496b873b7 3027 browser.urlbar.decodeURLsOnCopy added 2017-04-26 18:17:22 +12:00
8ca3176ab1 2426 dom.IntersectionObserver.enabled added
default is false anyway. We can readdress this if it ever gets turned on, or used for purposes other than ad networks - I suspect there's nothing really out there using it right now, and the fact 53 is false, I bet there's no big hurry to turn it on due to stability and real world usage.
2017-04-26 18:02:33 +12:00
5cf2de570a 2706 browser.storageManager.enabled added
It's added as default false, but it looks like we'll need to check what options the two prefs (dom from 51 and browser from 53) show in the options UI when true
2017-04-26 17:37:48 +12:00
37b8ad66b8 2512 device.sensors.enabled references
The blog entry [2] and subsequent ticket [3] are new.
Francois mentioned the older ticket [4].
FYI: `device.sensors.enabled` was introduced in FF15 (don't think I need to add that in)
2017-04-26 12:48:57 +12:00
4d1689b7a5 forgot a closing ***/ in deprecated section
no syntax issues, calm down
2017-04-21 01:04:28 +12:00
d87bcfde58 FF53 deprecated 2017-04-20 12:47:28 +12:00
c194e21d5c Update user.js 2017-04-19 14:22:31 +02:00
49e2025bc5 add e10s section 1100 #82
noted added roadmap link to section header, reworded FF53+ multiprocessCompatibility flag as `might disable` (from `will disable`)
2017-04-18 11:12:55 +12:00
2d0e27cb43 "reader view" -> personal section -> inactive #84 2017-04-18 10:56:29 +12:00
9bbe074960 minor readme section edits 2017-04-17 23:34:44 +12:00
ec5fdfcdaa 0381: disable WebExtension sync 2017-04-16 11:50:08 +12:00
e1a5f80063 start v53 commits 2017-04-16 11:45:28 +12:00
bc70023b54 0351: crashReports enforce extra pref at default
enforces default false (future proofing, because sh*t happens), plus added the FF version numbers.
2017-04-15 18:41:14 +12:00
551427fccc 2671 svg.disabled-> inactive for FF53+ 2017-04-15 12:27:41 +12:00

122
user.js

@ -1,13 +1,12 @@
/******
* name: ghacks user.js
* date: 11 March 2017
* version 52: Daypants Believer
* "Cheer up, Sleepy JEANS. Oh, what can it mean."
* date: 27 April 2017
* version 53: Achy Breaky Pants
* "But don't tell my pants, my achy breaky pants, I just don't think they'd understand"
* authors: v52+ github | v51- www.ghacks.net
* url: https://github.com/ghacksuserjs/ghacks-user.js
* releases: These are end-of-stable-life-cycle legacy archives. They are not "releases"
in the sense that they are done to coincide with when Firefox versions land.
* releases: These are end-of-stable-life-cycle legacy archives.
*Always* use the master branch user.js for a current up-to-date version.
url: https://github.com/ghacksuserjs/ghacks-user.js/releases
@ -18,6 +17,7 @@
3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum
* The settings below will turn off Tracking Protection, Safe Browsing and Auto Updates
You need to read, understand, and decide about these. Don't leave yourself less secure
* Some user data is erased (section 2800), namely history (browsing, form, download)
* Site breakage WILL happen
- There are often trade-offs and conflicts between Security vs Privacy vs Anti-Fingerprinting
and these need to be balanced against Functionality & Convenience & Breakage
@ -172,7 +172,8 @@ user_pref("network.allow-experiments", false);
user_pref("breakpad.reportURL", "");
/* 0351: disable sending of crash reports (FF44+) ***/
user_pref("browser.tabs.crashReporting.sendReport", false);
user_pref("browser.crashReports.unsubmittedCheck.enabled", false);
user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // (FF51+)
user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false); // (FF51+)
/* 0360: disable new tab tile ads & preload & marketing junk ***/
user_pref("browser.newtab.preload", false);
user_pref("browser.newtabpage.directory.ping", "data:text/plain,");
@ -200,14 +201,16 @@ user_pref("social.remote-install.enabled", false);
user_pref("social.directories", "");
user_pref("social.share.activationPanelEnabled", false);
user_pref("social.enabled", false); // (hidden pref)
/* 0375: disable "Reader View" [SETUP] ***/
user_pref("reader.parse-on-load.enabled", false);
/* 0376: disable FlyWeb, a set of APIs for advertising and discovering local-area web servers
* [1] https://wiki.mozilla.org/FlyWeb
* [2] http://www.ghacks.net/2016/07/26/firefox-flyweb/ ***/
user_pref("dom.flyweb.enabled", false);
/* 0380: disable sync [SETUP] ***/
user_pref("services.sync.enabled", false); // (hidden pref)
/* 0381: disable WebExtension sync
* [1] https://wiki.mozilla.org/WebExtensions/chrome.storage.sync ***/
user_pref("webextensions.storage.sync.enabled", false);
user_pref("webextensions.storage.sync.serverURL", "");
/*** 0400: QUIET FOX [PART 2] [WARNING] [SETUP]
This section has security & tracking protection implications vs privacy concerns vs effectiveness.
@ -533,6 +536,40 @@ user_pref("browser.shell.shortcutFavicons", false);
/* 1032: disable favicons in web notifications ***/
// user_pref("alerts.showFavicons", false);
/*** 1100: MULTI-PROCESS (e10s)
We recommend you let Firefox handle this. Until e10s is enforced, if
- all your add-ons have the 'multiprocessCompatible' flag as true, then FF = e10s
- any add-ons have 'multiprocessCompatible' flag as false, then FF != e10s
- any add-ons are missing the 'multiprocessCompatible' flag *might* be disabled (FF53+)
[1] https://blog.mozilla.org/addons/2017/02/16/the-road-to-firefox-57-compatibility-milestones/
***/
/* 1101: start the browser in e10s mode (FF48+)
* about:support>Application Basics>Multiprocess Windows ***/
// user_pref("browser.tabs.remote.autostart", true);
// user_pref("browser.tabs.remote.autostart.2", true); // (FF49+) (hidden pref)
// user_pref("browser.tabs.remote.force-enable", true); // (hidden pref)
// user_pref("extensions.e10sBlocksEnabling", false);
/* 1102: control number of e10s processes
* [1] http://www.ghacks.net/2016/02/15/change-how-many-processes-multi-process-firefox-uses/
* [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1207306 ***/
// user_pref("dom.ipc.processCount", 4);
/* 1103: enable WebExtension add-on code to run in a separate process (webext-oop) (FF53+)
* [1] https://wiki.mozilla.org/WebExtensions/Implementing_APIs_out-of-process */
// user_pref("extensions.webextensions.remote", true);
/* 1104: enforce separate content process for file://URLs (FF53+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1147911
* [2] http://www.ghacks.net/2016/11/27/firefox-53-exclusive-content-process-for-local-files/ ***/
// user_pref("browser.tabs.remote.separateFileUriProcess", true);
/* 1105: enable console shim warnings for add-ons with the 'multiprocessCompatible' flag as false ***/
user_pref("dom.ipc.shims.enabledWarnings", true);
/* 1110: set sandbox level. DO NOT MEDDLE WITH THESE. They are included to inform you NOT to play
* with them. The values are integers, but the code below deliberately contains a data mismatch
* [1] https://wiki.mozilla.org/Sandbox
* [2] http://www.ghacks.net/2017/01/23/how-to-change-firefoxs-sandbox-security-level/#comment-4105173 */
// user_pref("security.sandbox.content.level", "donotuse")
// user_pref("dom.ipc.plugins.sandbox-level.default", "donotuse");
// user_pref("dom.ipc.plugins.sandbox-level.flash, "donotuse");
/*** 1200: HTTPS ( SSL/TLS / OCSP / CERTS / HSTS / HPKP / CIPHERS )
Note that your cipher and other settings can be used server side as a fingerprint attack
vector, see [1] (It's quite technical but the first part is easy to understand
@ -651,8 +688,6 @@ user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
* [NOTE] commented out because it still breaks too many sites ***/
// user_pref("security.ssl3.rsa_aes_128_sha", false);
// user_pref("security.ssl3.rsa_aes_256_sha", false);
/* 1265: block rc4 fallback (will be deprecated in 53) ***/
user_pref("security.tls.unrestricted_rc4_fallback", false);
/** UI (User Interface) ***/
/* 1270: display warning (red padlock) for "broken security"
* [1] https://wiki.mozilla.org/Security:Renegotiation ***/
@ -781,11 +816,6 @@ user_pref("security.xpconnect.plugin.unrestricted", false);
* includes: RealPlayer, Next-Generation Java Plug-In, Adobe Flash, Antivirus etc
* [WARNING] [SETUP] This means Firefox will not load ANY plugins. Try it. You are not missing anything. ***/
user_pref("plugin.scan.plid.all", false);
/* 1806: Acrobat, Quicktime, WMP are handled separately from 1805 above.
* The string refers to min version number allowed ***/
user_pref("plugin.scan.Acrobat", "99999");
user_pref("plugin.scan.Quicktime", "99999");
user_pref("plugin.scan.WindowsMediaPlayer", "99999");
/* 1820: disable all GMP (Gecko Media Plugins) [SETUP]
* [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/
user_pref("media.gmp-provider.enabled", false);
@ -845,7 +875,6 @@ user_pref("media.webspeech.synth.enabled", false);
/* 2022: disable screensharing ***/
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.getusermedia.screensharing.allowed_domains", "");
user_pref("media.getusermedia.screensharing.allow_on_old_platforms", false);
user_pref("media.getusermedia.browser.enabled", false);
user_pref("media.getusermedia.audiocapture.enabled", false);
/* 2023: disable camera stuff ***/
@ -995,6 +1024,14 @@ user_pref("javascript.options.wasm", false);
/* 2425: disable ArchiveAPI i.e reading content of archives, such as zip files, directly
* in the browser, through DOM file objects. Default is false. ***/
user_pref("dom.archivereader.enabled", false);
/* 2426: disable Intersection Observer API (FF53+)
* Almost a year to complete, three versions late to stable (as default false),
* number #1 cause of crashes in nightly numerous times, and is (primarily) an
* ad network API for "ad viewability checks" down to a pixel level
* [1] https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API
* [2] https://wicg.github.io/IntersectionObserver/
* [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1243846 ***/
user_pref("dom.IntersectionObserver.enabled", false);
/* 2450a: force Firefox to tell you if a website asks to store data for offline use
* [1] https://support.mozilla.org/en-US/questions/1098540
* [2] https://bugzilla.mozilla.org/show_bug.cgi?id=959985 ***/
@ -1041,7 +1078,6 @@ user_pref("media.video_stats.enabled", false);
* [1] https://developer.mozilla.org/en-US/docs/Web/API/KeyboardEvent/code
* [2] https://www.privacy-handbuch.de/handbuch_21v.htm ***/
user_pref("dom.keyboardevent.code.enabled", false);
user_pref("dom.beforeAfterKeyboardEvent.enabled", false);
user_pref("dom.keyboardevent.dispatch_during_composition", false);
/* 2508: disable hardware acceleration to reduce graphics fingerprinting
* [SETTING] Options>Advanced>General>Use hardware acceleration when available
@ -1063,7 +1099,10 @@ user_pref("dom.webaudio.enabled", false);
* [2] https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/ondevicechange ***/
user_pref("media.ondevicechange.enabled", false);
/* 2512: disable device sensor API
* [1] https://trac.torproject.org/projects/tor/ticket/15758 ***/
* [1] https://trac.torproject.org/projects/tor/ticket/15758
* [2] https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
* [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1357733
* [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1292751 ***/
user_pref("device.sensors.enabled", false);
/*** 2600: MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY ***/
@ -1164,24 +1203,6 @@ user_pref("browser.uitour.url", "");
/* 2629: disable remote JAR files being opened, regardless of content type
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1215235 ***/
user_pref("network.jar.block-remote-files", true);
/* 2650: start the browser in e10s mode (FF48+)
* After restarting the browser, you can check whether it's enabled by visiting
* about:support and checking that "Multiprocess Windows" = 1
* use force-enable and extensions.e10sblocksenabling if you have add-ons ***/
// user_pref("browser.tabs.remote.autostart", true);
// user_pref("browser.tabs.remote.autostart.2", true); // (FF49+)
// user_pref("browser.tabs.remote.force-enable", true); // (hidden pref)
// user_pref("extensions.e10sBlocksEnabling", false);
/* 2651: control e10s number of container processes
* [1] http://www.ghacks.net/2016/02/15/change-how-many-processes-multi-process-firefox-uses/
* [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1207306 ***/
// user_pref("dom.ipc.processCount", 4);
/* 2652: enable console shim warnings for extensions that don't have the flag 'multiprocessCompatible' as true ***/
user_pref("dom.ipc.shims.enabledWarnings", true);
/* 2660: enforce separate content process for file://URLs (FF53+?)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1147911
* [2] http://www.ghacks.net/2016/11/27/firefox-53-exclusive-content-process-for-local-files/ ***/
user_pref("browser.tabs.remote.separateFileUriProcess", true);
/* 2662: disable "open with" in download dialog (FF50+)
* This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
* in such a way that it is forbidden to run external applications.
@ -1220,8 +1241,9 @@ user_pref("network.proxy.autoconfig_url.include_path", false);
user_pref("security.block_script_with_wrong_mime", true);
/* 2671: disable in-content SVG (Scalable Vector Graphics) (FF53+)
* [WARNING] SVG is fairly common (~15% of the top 10K sites), so will cause some breakage
* including youtube player controls. Best left for "hardened" or specific profiles.
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1216893 ***/
user_pref("svg.disabled", true);
// user_pref("svg.disabled", true);
/* 2672: force Punycode for Internationalized Domain Names to eliminate possible spoofing security risk
* Firefox has *some* protections to mitigate the risk, but it is better to be safe
* than sorry. The downside: it will also display legitimate IDN's punycoded, which
@ -1332,13 +1354,15 @@ user_pref("network.cookie.thirdparty.sessionOnly", true);
* [WARNING] this will break a LOT of sites' functionality.
* You are better off using an extension for more granular control ***/
// user_pref("dom.storage.enabled", false);
/* 2706: disable Storage API (FF51+)
/* 2706: disable Storage API
* The API gives sites the ability to find out how much space they can use, how much
* they are already using, and even control whether or not they need to be alerted
* before the user agent disposes of site data in order to make room for other things.
* [1] https://developer.mozilla.org/en-US/docs/Web/API/StorageManager
* [2] https://developer.mozilla.org/en-US/docs/Web/API/Storage_API ***/
user_pref("dom.storageManager.enabled", false);
* [2] https://developer.mozilla.org/en-US/docs/Web/API/Storage_API
* [3] https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/
user_pref("dom.storageManager.enabled", false); // (FF51+)
user_pref("browser.storageManager.enabled", false); // (FF53+)
/* 2707: clear localStorage and UUID when a WebExtension is uninstalled
* [NOTE] both preferences must be the same
* [1] https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/storage/local
@ -1466,7 +1490,7 @@ user_pref("browser.tabs.loadDivertedInBackground", false);
/* 3022: hide recently bookmarked items (you still have the original bookmarks) (FF49+) ***/
user_pref("browser.bookmarks.showRecentlyBookmarked", false);
/* 3023: disable automigrate (FF49+)
* default is false in FF49+ and true in FF53+
* default is false in FF49+
* need more info, but lock down for now ***/
user_pref("browser.migrate.automigrate.enabled", false);
/* 3024: enable "Find As You Type"
@ -1482,6 +1506,11 @@ user_pref("browser.migrate.automigrate.enabled", false);
// user_pref("media.wave.enabled", false);
// user_pref("media.webm.enabled", false);
// user_pref("media.wmf.enabled", false); // https://www.youtube.com/html5 - for the two H.264 entries
/* 3026: disable "Reader View" ***/
// user_pref("reader.parse-on-load.enabled", false);
/* 3027: decode URLs on copy from the urlbar (FF53+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1320061 ***/
user_pref("browser.urlbar.decodeURLsOnCopy", true);
/* END: internal custom pref to test for syntax errors ***/
user_pref("ghacks_user.js.parrot", "No no he's not dead, he's, he's restin'! Remarkable bird, the Norwegian Blue");
@ -1646,3 +1675,14 @@ user_pref("ghacks_user.js.parrot", "No no he's not dead, he's, he's restin'! Rem
* [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code.
* [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1313580 ***/
// user_pref("dom.battery.enabled", false);
/* 1265: (53+) block rc4 fallback ***/
// user_pref("security.tls.unrestricted_rc4_fallback", false);
/* 1806: (53+) disable Acrobat, Quicktime, WMP
* The string refers to min version number allowed ***/
// user_pref("plugin.scan.Acrobat", "99999");
// user_pref("plugin.scan.Quicktime", "99999");
// user_pref("plugin.scan.WindowsMediaPlayer", "99999");
/* 2022: (53+) disable screensharing ***/
// user_pref("media.getusermedia.screensharing.allow_on_old_platforms", false);
/* 2507: (53+) disable keyboard fingerprinting ***/
// user_pref("dom.beforeAfterKeyboardEvent.enabled", false);
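Review bot: In the new section 1104, `browser.tabs.remote.separateFileUriProcess` is commented out, whereas the old 2660 entry it replaces appears to have set it to `true` as an active pref. The rendered page has lost its +/- markers, but the hunk line counts put the active line on the removed side. That drops an enforced content-process separation for file:// URLs without any explanation, so either keep `user_pref("browser.tabs.remote.separateFileUriProcess", true);` active or add a line to the 1104 comment saying it is deliberately left at the Firefox default. Separately, in 1110 the commented `dom.ipc.plugins.sandbox-level.flash` line is missing the closing quote after the pref name, and the `security.sandbox.content.level` line has no trailing semicolon. If anyone uncomments them, the resulting parse error would likely stop later prefs from being applied, which is the failure the parrot pref at the end of the file exists to detect.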