Compare commits


72 Commits
57.0 ... 58.0

Author SHA1 Message Date
cc166b8091 4500 RFP keyboard stuff 2018-02-27 12:47:06 +00:00
0260176fef 4500: RFP canvas stuff 2018-02-27 11:59:37 +00:00
09e2b181e4 4500 RFP stuff 2018-02-27 11:31:03 +00:00
4dafbb89df 0330: missing comma 2018-02-24 10:54:16 +00:00
5e08ad8c60 0330: use data:, for toolkit.telemetry.server
see 3d5276484a (commitcomment-27760142)
2018-02-24 10:53:04 +00:00
6366ab8afc Merge pull request #365 from claustromaniac/patch-1
Fix updater URLs before someone bitches about it
2018-02-24 08:07:52 +01:00
2980073bca increased revision number
OK that's it. This time it's for reals.
2018-02-23 07:02:11 +00:00
e8b9f72885 Fix updater URLs before someone bitches about it
/raw/master/ URLs are no longer working on my end. 

That's it.

Yes, really.
2018-02-23 06:47:38 +00:00
b502317caf Merge pull request #364 from ghacksuserjs/earthlng-patch-1
default values cleanup
2018-02-19 12:34:48 +00:00
5385b8c4ab remove 5017: ui.submenuDelay #360 #337 2018-02-19 12:24:28 +00:00
17fe261170 default values cleanup
These default values are the same in all OSes and all current Firefox versions (ESR, Release, Beta, Nightly).
Apart from alerts.showFavicons these defaults are most likely never gonna change
2018-02-19 11:49:40 +01:00
3d5276484a 0370 fixup
data: works perfectly fine here. No need to use https and no need to connect to localhost because something could be listening there.
data is the fastest and best solution.
2018-02-19 11:40:53 +01:00
542b814814 remove 5024+5025: media.* #360 2018-02-17 02:19:20 +00:00
0473c73860 2420 + 2421 2018-02-16 18:39:01 +01:00
a6fd4d1db1 2421: baseline JIT update info 2018-02-13 07:13:59 +00:00
95251e98da spelling mistake 2018-02-08 15:33:05 +00:00
08a5410b88 1407: restart info duplicity 2018-02-07 00:49:58 +00:00
93a8f89191 Merge pull request #356 from ghacksuserjs/earthlng-patch-1
1600 cleanup and header-rewrite
2018-02-07 00:11:47 +00:00
4fdf322193 CSRF acronym 2018-02-06 23:57:34 +00:00
ca11a88189 minor edits 2018-02-06 23:50:30 +00:00
a290b3ad3d 1600 cleanup and header-rewrite 2018-02-06 20:09:11 +01:00
d924c01518 ESR deprecated rewording 2018-02-06 01:10:45 +00:00
1738f9efb1 58-alpha release 2018-02-04 00:20:36 +00:00
3ef5ba3ac7 v1.4
- removed `network.cookie.thirdparty.sessionOnly` because it can't break sites
- added `permissions.default.shortcuts`
2018-02-03 14:21:57 +01:00
2969ab5b13 added 2305: default permission Notifications 2018-02-03 03:56:16 +00:00
3405bae6d8 added 2632: block sites overriding FF KB shortcuts
Note: I tested the value of 1 when changing from 2-block to make sure that it actually changed to allow in the panel. Am keeping my eye on the delete and backspace keys and will remove the line when it is fixed
2018-02-03 03:38:06 +00:00
a4eaf9494e added 4612: default permission location 2018-02-03 02:32:51 +00:00
ea6e9be787 added 2024: default permissions camera/mic 2018-02-03 02:17:20 +00:00
0ebe5d0fa8 1405: WOFF2 info
https://developer.mozilla.org/en-US/docs/Web/CSS/@font-face - see Compat table
2018-01-31 13:57:34 +00:00
ff77f7260c remove 2513: Presentation API fixes #325 2018-01-29 14:37:36 +00:00
93c3457d18 2427: js shared memory
MZ are flipping and a flopping on the value for a while now, let's enforce as false, especially since Spectre
2018-01-29 13:35:20 +00:00
bc371c8c9d Update user.js 2018-01-29 14:05:13 +01:00
622b70aa37 whoops.. relocate old 1108 to 2600's not 2400s 2018-01-29 12:55:01 +00:00
c83670f708 1100's: goodbye e10s section 2018-01-30 01:25:14 +13:00
c399bb1d2d Update README.md 2018-01-25 04:25:39 +13:00
0a11a87fd0 Update README.md 2018-01-25 04:06:00 +13:00
91521dbc84 1106: fix mistake
default is 1! https://dxr.mozilla.org/mozilla-release/source/modules/libpref/init/all.js#3327

>1 breaks extensions apparently: https://github.com/ghacksuserjs/ghacks-user.js/issues/346
2018-01-24 00:31:01 +01:00
14c1620994 0205: intl.locale.requested FF59+ 2018-01-22 18:49:39 +13:00
0da73d606b 0351: crash reports pref name change 2018-01-22 10:13:28 +13:00
6a0f162d64 Update troubleshooter.js
dom.idle-observers-api.enabled not used anymore since at least FF38
security.xpconnect.plugin.unrestricted not used anymore since at least FF10
2018-01-19 11:06:02 +01:00
038201fb07 Updater for Windows v4.3
Changes:
- The script doesn't touch the `user.js` file until it really has to.
- The merge function is a bit smarter parsing files, at no significant cost.
- Fixed a minor issue with the version check.
- Minor syntactic changes here and there.
- creates timestamped backup files rather than always overwriting user.js.bak.
(use -singlebackup if you prefer a single backup file)
2018-01-18 17:17:47 +01:00
91c8da5f12 2706->2702 merge: 3rd party cookies + sessionOnly 2018-01-18 20:26:49 +13:00
22198d420a forgot to update the showhelp function 2018-01-18 01:18:05 -03:00
6becf50fe6 4500: RFP keyboard events FF59+ 2018-01-18 15:55:57 +13:00
4fb3040042 replaced -multibackups with -singlebackup
also minor changes to the merge function.
2018-01-17 12:30:02 -03:00
5005376742 0417: disable SB data sharing 2018-01-17 17:33:45 +13:00
48f95f2ac7 2706: set 3rd party HTTP cookies as session-only 2018-01-17 17:21:06 +13:00
e5c14eb700 tidy up info on prefs that require a restart
this is not all prefs, just some that we already documented
2018-01-17 16:40:39 +13:00
7a3810f6ca Update troubleshooter.js 2018-01-16 16:52:24 +01:00
c8d7694fd3 I really don't like the online editor 2018-01-16 11:13:07 -03:00
343f77c5e9 minor fix on the version check
'IF !_line! GEQ 4 (' is not reliable.
2018-01-16 10:46:57 -03:00
a0ec17955d tiny change 2018-01-16 01:27:36 -03:00
e195aceb54 Updater 4.3
Changes:
- The script doesn't touch the user.js file until it really has to.
- The merge function is a bit smarter parsing files, at no significant cost. See examples below.
- Minor syntactic changes here and there.
Additions:
- New -multiBackups argument. I personally intend to use it to compare files and quickly review changes.
2018-01-15 22:15:30 -03:00
6882a64bf2 troubleshooter v1.2 2018-01-15 20:19:34 +01:00
806d6edc6d 1211+1212: clarify things better, fixes #334 2018-01-16 06:51:21 +13:00
d1ab8fd10c troubleshooter v1.1 2018-01-15 17:06:22 +01:00
db97478cd1 1106: number of processes default 2018-01-16 04:11:31 +13:00
48ec3da18d 0000: about:config warning
Ready... Steady... turn off about:config warning... GO!! Welcome to Firefox prefs 101 :)
2018-01-15 05:32:51 +13:00
8c35bf5d11 1212: note about pointlessness of soft-fail 2018-01-14 10:41:16 +01:00
a3bffb83bd Update troubleshooter.js
https://github.com/ghacksuserjs/ghacks-user.js/issues/339
2018-01-14 09:41:30 +01:00
b30b988137 1211+1212: OCSP info tweaking, fixes #334 2018-01-12 05:26:42 +13:00
f820ecbacb 2420: asm.js info tweak, fixes #335 2018-01-12 05:08:36 +13:00
3acef78f59 4500: RFP UA spoof add 1404608 info (OS spoof) 2018-01-11 12:44:52 +13:00
ac16b9c77b Update troubleshooter.js
adding 'privacy.trackingprotection.enabled'. see https://github.com/ghacksuserjs/ghacks-user.js/issues/327
2018-01-09 16:20:06 +01:00
1069915372 Create troubleshooter.js 2018-01-09 16:03:46 +01:00
978e51b515 1603: add warning, fixes #332 2018-01-08 02:24:16 +13:00
c5374b60d8 workers/service workers uM workaround #326 2018-01-06 12:09:30 +13:00
2a2b80902a fixes/info to issues in FF58+59
FYI, the bugzilla for the fix in the header about cookies being needed for extensions + IDB is https://bugzilla.mozilla.org/show_bug.cgi?id=1406675
2018-01-05 12:23:56 +13:00
d82791a933 1241->active: block mixed passive content #326 2018-01-05 09:02:59 +13:00
d89e9834ff Update README.md 2018-01-05 00:29:24 +13:00
04c7ed94da add license 2018-01-02 13:30:59 +13:00
c82d6f70fe start 58 commits 2018-01-02 12:56:16 +13:00
4 changed files with 424 additions and 223 deletions


@ -6,14 +6,14 @@ The `ghacks user.js` is a **template**, which, as provided, aims to provide as m
Everyone, experts included, should at least read the [implementation](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation) wiki page, as it contains important information regarding a few `ghacks user.js` settings.
Sitemap: [Releases](https://github.com/ghacksuserjs/ghacks-user.js/releases), [changelogs](https://github.com/ghacksuserjs/ghacks-user.js/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Achangelog), [Wiki](https://github.com/ghacksuserjs/ghacks-user.js/wiki), [stickies](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22)
Sitemap: [Releases](https://github.com/ghacksuserjs/ghacks-user.js/releases), [changelogs](https://github.com/ghacksuserjs/ghacks-user.js/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Achangelog), [Wiki](https://github.com/ghacksuserjs/ghacks-user.js/wiki), [stickies](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22). [diffs](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+label%3Adiffs)
### ![](https://github.com/ghacksuserjs/ghacks-user.js/blob/master/wikipiki/bullet01.png) acknowledgments
Literally thousands of sources, references and suggestions. That said...
* Martin Brinkmann at [ghacks](https://www.ghacks.net/) <sup>1</sup>
* The ghacks community and commentators
* [12bytes](http://12bytes.org/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs)
* [12bytes](http://12bytes.org/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs)
* The 12bytes article now uses this user.js and supplements it with an additonal JS hosted right [here](https://github.com/atomGit/Firefox-user.js) at github
<sup>1</sup> The ghacks user.js was an independent project by [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) started in early 2015 and was [first published](https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/) at ghacks in August 2015. With Martin Brinkmann's blessing, it will keep the ghacks name.
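Review bot: the new sitemap line separates the added `[diffs]` link from the rest of the list with a full stop (`[stickies](...). [diffs](...)`) while every other entry is comma-separated, and the added 12bytes line carries the typo `additonal`. Suggest `..., [stickies](...), [diffs](...)` and `additional`.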


@ -0,0 +1,232 @@
/*** ghacks-user.js troubleshooter.js v1.4 ***/
(function() {
if("undefined" === typeof(Services)) {
alert("about:config needs to be the active tab!");
return;
}
function getMyList(arr) {
let aRet = [];
let dummy = 0;
for (let i = 0, len = arr.length; i < len; i++) {
if (Services.prefs.prefHasUserValue(arr[i])) {
dummy = Services.prefs.getPrefType(arr[i]);
switch (dummy) {
case 32: // string (see https://dxr.mozilla.org/mozilla-central/source/modules/libpref/nsIPrefBranch.idl#31)
dummy = Services.prefs.getCharPref(arr[i]);
aRet.push({'name':arr[i],'value': dummy,'type':32});
break;
case 64: // int
dummy = Services.prefs.getIntPref(arr[i]);
aRet.push({'name':arr[i],'value': dummy,'type':64});
break;
case 128: // boolean
dummy = Services.prefs.getBoolPref(arr[i]);
aRet.push({'name':arr[i],'value': dummy,'type':128});
break;
default:
console.log("error detecting pref-type for '"+arr[i]+"' !");
}
}
}
return aRet;
}
function reapply(arr) {
for (let i = 0, len = arr.length; i < len; i++) {
switch (arr[i].type) {
case 32: // string
Services.prefs.setCharPref(arr[i].name, arr[i].value);
break;
case 64: // int
Services.prefs.setIntPref(arr[i].name, arr[i].value);
break;
case 128: // boolean
Services.prefs.setBoolPref(arr[i].name, arr[i].value);
break;
default:
console.log("error re-appyling value for '"+arr[i].name+"' !"); // should never happen
}
}
}
function myreset(arr) {
for (let i = 0, len = arr.length; i < len; i++) {
Services.prefs.clearUserPref(arr[i].name);
}
}
let ops = [
/* known culprits */
'network.cookie.cookieBehavior',
'network.http.referer.XOriginPolicy',
'privacy.firstparty.isolate',
'privacy.resistFingerprinting',
'security.mixed_content.block_display_content',
'svg.disabled',
/* Storage + Cache */
'browser.cache.offline.enable',
'dom.indexedDB.enabled',
'dom.storage.enabled',
'browser.storageManager.enabled',
'dom.storageManager.enabled',
/* Workers, Web + Push Notifications */
'dom.caches.enabled',
'dom.push.connection.enabled',
'dom.push.enabled',
'dom.push.serverURL',
'dom.serviceWorkers.enabled',
'dom.workers.enabled',
'dom.webnotifications.enabled',
'dom.webnotifications.serviceworker.enabled',
/* Fonts */
'browser.display.use_document_fonts',
'font.blacklist.underline_offset',
'gfx.downloadable_fonts.woff2.enabled',
'gfx.font_rendering.graphite.enabled',
'gfx.font_rendering.opentype_svg.enabled',
'layout.css.font-loading-api.enabled',
/* Misc */
'browser.link.open_newwindow.restriction',
'canvas.capturestream.enabled',
'dom.event.clipboardevents.enabled',
'dom.event.contextmenu.enabled',
'dom.IntersectionObserver.enabled',
'dom.popup_allowed_events',
'full-screen-api.enabled',
'geo.wifi.uri',
'intl.accept_languages',
'javascript.options.asmjs',
'javascript.options.wasm',
'permissions.default.shortcuts',
'security.csp.experimentalEnabled',
/* Hardware */
'dom.vr.enabled',
'media.ondevicechange.enabled',
/* Audio + Video */
'dom.webaudio.enabled',
'media.autoplay.enabled',
'media.flac.enabled',
'media.mp4.enabled',
'media.ogg.enabled',
'media.opus.enabled',
'media.raw.enabled',
'media.wave.enabled',
'media.webm.enabled',
'media.wmf.enabled',
/* Forms */
'browser.formfill.enable',
'signon.autofillForms',
'signon.formlessCapture.enabled',
/* HTTPS */
'security.cert_pinning.enforcement_level',
'security.family_safety.mode',
'security.mixed_content.use_hsts',
'security.OCSP.require',
'security.pki.sha1_enforcement_level',
'security.ssl.require_safe_negotiation',
'security.ssl.treat_unsafe_negotiation_as_broken',
'security.ssl3.dhe_rsa_aes_128_sha',
'security.ssl3.dhe_rsa_aes_256_sha',
'security.ssl3.ecdhe_ecdsa_aes_128_sha',
'security.ssl3.ecdhe_rsa_aes_128_sha',
'security.ssl3.rsa_aes_128_sha',
'security.ssl3.rsa_aes_256_sha',
'security.ssl3.rsa_des_ede3_sha',
'security.tls.enable_0rtt_data',
'security.tls.version.max',
'security.tls.version.min',
/* Plugins + Flash */
'plugin.default.state',
'plugin.defaultXpi.state',
'plugin.sessionPermissionNow.intervalInMinutes',
'plugin.state.flash',
/* unlikely to cause problems */
'browser.tabs.remote.allowLinkedWebInFileUriProcess',
'dom.popup_maximum',
'layout.css.visited_links_enabled',
'mathml.disabled',
'network.auth.subresource-img-cross-origin-http-auth-allow',
'network.http.redirection-limit',
'network.protocol-handler.external.ms-windows-store',
'privacy.trackingprotection.enabled',
'security.data_uri.block_toplevel_data_uri_navigations',
/* FF User-Interface */
'browser.search.suggest.enabled',
'browser.urlbar.autoFill',
'browser.urlbar.autoFill.typed',
'browser.urlbar.oneOffSearches',
'browser.urlbar.suggest.searches',
'keyword.enabled',
'last.one.without.comma'
]
// reset prefs that set the same value as FFs default value
let aTEMP = getMyList(ops);
myreset(aTEMP);
reapply(aTEMP);
const aBACKUP = getMyList(ops);
//console.log(aBACKUP.length, "user-set prefs from our list detected and their values stored.");
let myArr = aBACKUP;
let found = false;
let aDbg = [];
focus();
myreset(aBACKUP); // reset all detected prefs
if (confirm("all detected prefs reset.\n\n!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\nIF the problem still exists, this script can't help you - click cancel to re-apply your values and exit.\n\nClick OK if your problem is fixed.")) {
aDbg = myArr;
reapply(aBACKUP);
myreset(myArr.slice(0, parseInt(myArr.length/2)));
while (myArr.length >= 2) {
alert("NOW TEST AGAIN !");
if (confirm("if the problem still exists click OK, otherwise click cancel.")) {
myArr = myArr.slice(parseInt(myArr.length/2));
if (myArr.length == 1) {
alert("The problem is caused by more than 1 pref !\n\nNarrowed it down to "+ aDbg.length.toString() +" prefs, check the console ...");
break;
}
} else {
myArr = myArr.slice(0, parseInt(myArr.length/2));
aDbg = myArr;
if (myArr.length == 1) { found = true; break; }
}
reapply(aBACKUP);
myreset(myArr.slice(0, parseInt(myArr.length/2))); // reset half of the remaining prefs
}
reapply(aBACKUP);
}
else {
reapply(aBACKUP);
return;
}
if (found) {
alert("narrowed it down to:\n\n"+myArr[0].name+"\n");
myreset(myArr); // reset the culprit
}
else {
console.log("the problem is caused by a combination of the following prefs:");
for (let i = 0, len = aDbg.length; i < len; i++) {
console.log(aDbg[i].name);
}
}
})();
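Review bot: when the "problem still exists" branch narrows `myArr` to a single pref, the script alerts that more than one pref is responsible without ever resetting that last pref on its own (only the other half was ever reset), so a lone culprit in the upper half is reported as a combination; one more `myreset(myArr)` round before the `aDbg.length` alert would settle it. Two smaller points: `parseInt(myArr.length/2)` reads more clearly as `Math.floor(myArr.length/2)`, and the `'last.one.without.comma'` sentinel is harmless only because `getMyList` skips names without a user value, so a trailing comment after the last real entry would document the intent without adding a bogus element.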


@ -3,7 +3,7 @@ TITLE ghacks user.js updater
REM ## ghacks-user.js updater for Windows
REM ## author: @claustromaniac
REM ## version: 4.2
REM ## version: 4.4
REM ## instructions: https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.3-Updater-Scripts
SET _myname=%~n0
@ -16,6 +16,7 @@ IF /I "%~1"=="-logp" (SET _log=1 & SET _logp=1)
IF /I "%~1"=="-multioverrides" (SET _multi=1)
IF /I "%~1"=="-merge" (SET _merge=1)
IF /I "%~1"=="-updatebatch" (SET _updateb=1)
IF /I "%~1"=="-singlebackup" (SET _singlebackup=1)
SHIFT
GOTO parse
:endparse
@ -41,7 +42,7 @@ IF DEFINED _updateb (
REM Uncomment the next line and comment the powershell call for testing.
REM COPY /B /V /Y "!_myname!.bat" "[updated]!_myname!.bat"
(
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://github.com/ghacksuserjs/ghacks-user.js/raw/master/updater.bat', '[updated]!_myname!.bat')"
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/updater.bat', '[updated]!_myname!.bat')"
) >nul 2>&1
IF EXIST "[updated]!_myname!.bat" (
START /min CMD /C "[updated]!_myname!.bat" !_myparams!
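Review bot: `IF EXIST "[updated]!_myname!.bat"` is the only gate before `START /min CMD /C "[updated]!_myname!.bat"` executes the download, so a truncated or non-script response saved under that name would be run as a batch file; the URL change keeps HTTPS, but a cheap sanity check such as `FINDSTR /B /C:"REM ## ghacks-user.js updater" "[updated]!_myname!.bat"` before the START would avoid launching garbage.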
@ -76,14 +77,14 @@ ECHO:
ECHO: ########################################
ECHO: #### user.js Updater for Windows ####
ECHO: #### by claustromaniac ####
ECHO: #### v4.2 ####
ECHO: #### v4.4 ####
ECHO: ########################################
ECHO:
SET /A "_line=0"
IF NOT EXIST user.js (
CALL :message "user.js not detected in the current directory."
) ELSE (
FOR /F "skip=1 tokens=1,2 delims=:" %%G IN (user.js) DO (
FOR /F "skip=1 tokens=1,* delims=:" %%G IN (user.js) DO (
SET /A "_line+=1"
IF !_line! GEQ 4 (GOTO exitloop)
IF !_line! EQU 1 (SET _name=%%H)
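Review bot: switching to `tokens=1,*` means `%%H` now carries everything after the first colon, leading space included, so `_name` on line 1 becomes ` ghacks user.js` and the message built from `!_name!` later prints with a leading blank; a trim such as `FOR /F "tokens=*" %%X IN ("%%H") DO SET "_name=%%X"` would tidy it.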
@ -91,15 +92,11 @@ IF NOT EXIST user.js (
IF !_line! EQU 3 (SET _version=%%G)
)
:exitloop
IF !_line! GEQ 4 (
IF NOT "!_name!"=="" (
IF /I NOT "!_name!"=="!_name:ghacks=!" (
CALL :message "ghacks user.js !_version:~2!,!_date!"
) ELSE (
CALL :message "Current user.js version not recognised."
)
) ELSE (
CALL :message "Current user.js version not recognised."
)
CALL :message "!_name! !_version:~2!,!_date!"
) ELSE (CALL :message "Current user.js version not recognised.")
) ELSE (CALL :message "Current user.js version not recognised.")
)
ECHO:
IF NOT DEFINED _ua (
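Review bot: dropping the `IF /I NOT "!_name!"=="!_name:ghacks=!"` test removes the only check that the header actually belongs to a ghacks user.js, so any user.js with a three-line header is now reported via `!_name! !_version:~2!,!_date!` as recognised; if that simplification is intentional, say so in the commit message, otherwise keep the `ghacks` substring test and reserve `Current user.js version not recognised.` for the non-matching case.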
@ -123,17 +120,12 @@ IF DEFINED _log (
ECHO:##################################################################
CALL :message "%date%, %time%"
)
IF EXIST user.js.old.bak (DEL /F user.js.old.bak)
IF EXIST user.js (
IF EXIST user.js.bak (REN user.js.bak user.js.old.bak)
REN user.js user.js.bak
CALL :message "Current user.js file backed up."
)
IF EXIST user.js.new (DEL /F "user.js.new")
CALL :message "Retrieving latest user.js file from github repository..."
(
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://github.com/ghacksuserjs/ghacks-user.js/raw/master/user.js', 'user.js')"
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js', 'user.js.new')"
) >nul 2>&1
IF EXIST user.js (
IF EXIST user.js.new (
IF DEFINED _multi (
FORFILES /P user.js-overrides /M *.js >nul 2>&1
IF NOT ERRORLEVEL 1 (
@ -141,47 +133,48 @@ IF EXIST user.js (
CALL :message "Merging..."
COPY /B /V /Y user.js-overrides\*.js user-overrides-merged.js
CALL :merge user-overrides-merged.js
COPY /B /V /Y user.js+user-overrides-merged.js user.js
CALL :merge user.js
COPY /B /V /Y user.js.new+user-overrides-merged.js user.js.new
CALL :merge user.js.new
) ELSE (
CALL :message "Appending..."
COPY /B /V /Y user.js+"user.js-overrides\*.js" user.js
COPY /B /V /Y user.js.new+"user.js-overrides\*.js" user.js.new
)
) ELSE (CALL :message "No override files found.")
ECHO:
) ELSE (
IF EXIST "user-overrides.js" (
COPY /B /V /Y user.js+"user-overrides.js" "user.js"
COPY /B /V /Y user.js.new+"user-overrides.js" "user.js.new"
IF DEFINED _merge (
CALL :message "Merging user-overrides.js..."
CALL :merge user.js
CALL :merge user.js.new
) ELSE (
CALL :message "user-overrides.js appended."
)
) ELSE (CALL :message "user-overrides.js not found.")
ECHO:
)
CALL :message "Handling backups..."
SET "changed="
IF EXIST user.js.bak (
FC user.js.bak user.js >nul && SET "changed=false" || SET "changed=true"
IF EXIST user.js (
FC user.js.new user.js >nul && SET "_changed=false" || SET "_changed=true"
)
IF "!changed!"=="true" (
IF EXIST user.js.old.bak DEL /F user.js.old.bak
IF "!_changed!"=="true" (
CALL :message "Backing up..."
IF DEFINED _singlebackup (
MOVE /Y user.js user.js.bak >nul
) ELSE (
MOVE /Y user.js "user-backup-!date:/=-!_!time::=.!.js" >nul
)
REN user.js.new user.js
CALL :message "Update complete."
) ELSE (
IF "!changed!"=="false" (
DEL /F user.js.bak
IF EXIST user.js.old.bak REN user.js.old.bak user.js.bak
IF "!_changed!"=="false" (
DEL /F user.js.new >nul
CALL :message "Update completed without changes."
) ELSE (CALL :message "Update complete.")
) ELSE (
REN user.js.new user.js
CALL :message "Update complete."
)
)
ECHO:
) ELSE (
IF EXIST user.js.bak (REN user.js.bak user.js)
IF EXIST user.js.old.bak (REN user.js.old.bak user.js.bak)
CALL :message "Update failed. Make sure PowerShell is allowed internet access."
ECHO: No changes were made.
ECHO: No changes were made.
)
IF NOT DEFINED _log (
IF NOT DEFINED _ua (PAUSE)
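Review bot: `SET "changed="` on the unchanged line initialises a variable that no longer exists; the tests below read `_changed`, so the reset should be `SET "_changed="`, otherwise a stale `_changed` left in the console by an earlier run can reach the `IF "!_changed!"=="false"` test when user.js is absent. Also, the timestamped backup name `user-backup-!date:/=-!_!time::=.!.js` only rewrites `/` and `:`, so its shape depends on the locale format of `%date%` and `%time%` (some locales prefix a weekday); `WMIC OS GET LocalDateTime` yields a locale-independent `yyyymmddHHMMSS` stamp.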
@ -200,27 +193,27 @@ REM ############ Merge function ############
:merge
SETLOCAL DisableDelayedExpansion
(
FOR /F "tokens=1,* delims=," %%G IN ('FINDSTR /B /I /C:"user_pref" "%~1"') DO (SET "%%G=%%H")
FOR /F tokens^=2^,^*^ delims^=^'^" %%G IN ('FINDSTR /B /R /C:"user_pref.*\)[ ]*;" "%~1"') DO (IF NOT "%%H"=="" (SET "%%G=%%H"))
FOR /F "tokens=1,* delims=:" %%I IN ('FINDSTR /N "^" "%~1"') DO (
IF ""=="%%J" (
ECHO:
SET "_temp=%%J"
SETLOCAL EnableDelayedExpansion
IF NOT "!_temp:~0,9!"=="user_pref" (
ENDLOCAL & ECHO:%%J
) ELSE (
FOR /F "delims=," %%K IN ("%%J") DO (
IF NOT [user_pref("_user.js.parrot"]==[%%K] (
IF DEFINED %%K (
SETLOCAL EnableDelayedExpansion
FOR /F "delims=" %%L IN ("!%%K!") DO (
ENDLOCAL
IF NOT "%%L"=="ALREADY MERGED" (
ECHO:%%K,%%L
SET "%%K=ALREADY MERGED"
IF "!_temp:;=!"=="!_temp!" (
ENDLOCAL & ECHO:%%J
) ELSE (
ENDLOCAL
FOR /F tokens^=2^ delims^=^'^" %%K IN ("%%J") DO (
IF NOT "_user.js.parrot"=="%%K" (
IF DEFINED %%K (
SETLOCAL EnableDelayedExpansion
FOR /F "delims=" %%L IN ("!%%K!") DO (
ENDLOCAL & ECHO:user_pref("%%K"%%L
SET "%%K="
)
)
) ELSE (
ECHO:%%J
)
) ELSE (
ECHO:%%J
) ELSE (ECHO:%%J)
)
)
)
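Review bot: the rebuilt map only stores lines that FINDSTR matches against `user_pref.*\)[ ]*;`, and the output pass routes any `user_pref` line without a `;` (`IF "!_temp:;=!"=="!_temp!"`) straight through unmerged, so an override that lacks its trailing semicolon is silently emitted as a second entry for the same pref instead of being merged; either document that in the help text or warn when a `user_pref(` line fails the regex. Note too that cmd variable names are case-insensitive, so `SET "%%G=%%H"` / `IF DEFINED %%K` would conflate two prefs whose names differ only in case; none appear on this page, but a comment next to the map would save the next reader the surprise.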
@ -231,7 +224,7 @@ ENDLOCAL
GOTO :EOF
REM ############### Help ##################
:showhelp
MODE 80,43
MODE 80,46
CLS
CALL :message "Available arguments (case-insensitive):"
CALL :message " -log"
@ -239,7 +232,7 @@ ECHO: Write the console output to a logfile (user.js-update-log.txt)
CALL :message " -logP"
ECHO: Like -log, but also open the logfile after updating.
CALL :message " -merge"
ECHO: Merge overrides instead of appending them. One-line comments and
ECHO: Merge overrides instead of appending them. Single-line comments and
ECHO: _user.js.parrot lines are appended normally. Overrides for inactive
ECHO: user.js prefs will be appended. When -Merge and -MultiOverrides are used
ECHO: together, a user-overrides-merged.js file is also generated in the root
@ -254,6 +247,9 @@ ECHO: instead of the default user-overrides.js file. Files are appended in
ECHO: alphabetical order.
CALL :message " -unattended"
ECHO: Run without user input.
CALL :message " -singleBackup"
ECHO: Use a single backup file and overwrite it on new updates, instead of
ECHO: cumulative backups. This was the default behaviour before v4.3.
CALL :message " -updatebatch"
ECHO: Update the script itself on execution, before the normal routine.
CALL :message ""

user.js

@ -1,10 +1,11 @@
/******
* name: ghacks user.js
* date: 20 November 2017
* version 57: I Love Rock 'n' Pants
* "Singing, I love rock and pants. So put another dime in the jukebox, baby"
* date: 3 February 2018
* version 58: Pantslide
* "I took my pants, took em down, I climbed a mountain and I turned around"
* authors: v52+ github | v51- www.ghacks.net
* url: https://github.com/ghacksuserjs/ghacks-user.js
* license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt
* releases: These are end-of-stable-life-cycle legacy archives.
*Always* use the master branch user.js for a current up-to-date version.
@ -19,8 +20,8 @@
3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum
* Auto-installing updates for Firefox and extensions are disabled (section 0302's)
* Some user data is erased on close (section 2800), namely history (browsing, form, download)
* Cookies are denied by default (2701), we use site exceptions. This breaks extensions
that use IndexedDB, so you need to allow exceptions for those as well: see [1] below
* Cookies are denied by default (2701), we use site exceptions. In Firefox 58 and lower, this breaks
extensions that use IndexedDB, so you need to allow exceptions for those as well: see [1] below
[1] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1.1-Setting-Extension-Permission-Exceptions
* EACH RELEASE check:
- 4600s: reset prefs made redundant due to privacy.resistFingerprinting (RPF)
@ -44,6 +45,9 @@
* [2] https://en.wikipedia.org/wiki/Warrant_canary ***/
user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?");
/* 0000: disable about:config warning ***/
user_pref("general.warnOnAboutConfig", false);
/* 0001: start Firefox in PB (Private Browsing) mode
* [SETTING-56+] Options>Privacy & Security>History>Custom Settings>Always use private browsing mode
* [SETTING-ESR] Options>Privacy>History>Custom Settings>Always use private browsing mode
@ -91,6 +95,9 @@ user_pref("browser.search.geoip.url", "");
user_pref("intl.locale.matchOS", false);
/* 0204: set APP locale ***/
user_pref("general.useragent.locale", "en-US");
/* 0205: set OS & APP locale (replaces 0203 + 0204) (FF59+)
* If set to empty, the OS locales are used. If not set at all, default locale is used ***/
user_pref("intl.locale.requested", "en-US"); // (hidden pref)
/* 0206: disable geographically specific results/search engines e.g. "browser.search.*.US"
* i.e. ignore all of Mozilla's various search engines in multiple locales ***/
user_pref("browser.search.geoSpecificDefaults", false);
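Review bot: the new 0205 comment says `intl.locale.requested` replaces 0203 + 0204, yet both `intl.locale.matchOS` (0203) and `general.useragent.locale` (0204) remain active in the context lines above; either tag them as FF58-and-lower in their comments or state that they are kept for pre-59 profiles, so readers on FF59+ know which pref wins.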
@ -166,7 +173,7 @@ user_pref("extensions.webservice.discoverURL", "");
* [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.enabled", false); // see [NOTE] above FF58+
user_pref("toolkit.telemetry.server", "");
user_pref("toolkit.telemetry.server", "data:,");
user_pref("toolkit.telemetry.archive.enabled", false);
user_pref("toolkit.telemetry.cachedClientID", "");
user_pref("toolkit.telemetry.newProfilePing.enabled", false); // (FF55+)
@ -189,7 +196,8 @@ user_pref("breakpad.reportURL", "");
/* 0351: disable sending of crash reports (FF44+) ***/
user_pref("browser.tabs.crashReporting.sendReport", false);
user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // (FF51+)
user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false); // (FF51+)
user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false); // (FF51-57)
user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // (FF58+)
/* 0360: disable new tab tile ads & preload & marketing junk ***/
user_pref("browser.newtab.preload", false);
user_pref("browser.newtabpage.directory.source", "data:text/plain,");
@ -197,9 +205,8 @@ user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
user_pref("browser.newtabpage.introShown", true);
/* 0370: disable "Snippets" (Mozilla content shown on about:home screen)
* MUST use HTTPS - arbitrary content injected into this page via http opens up MiTM attacks
* [1] https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service ***/
user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");
user_pref("browser.aboutHomeSnippets.updateUrl", "data:,");
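Review bot: with the value now `data:,`, the unchanged comment `MUST use HTTPS - arbitrary content injected into this page via http opens up MiTM attacks` no longer describes the setting, since nothing is fetched at all; reword it to say that a `data:` URL disables the snippet fetch outright, as the 0370 fixup commit 3d5276484a explains, so the old `https://127.0.0.1` rationale does not linger.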
/*** 0400: BLOCKLISTS / SAFE BROWSING / TRACKING PROTECTION
This section has security & tracking protection implications vs privacy concerns vs effectiveness
@ -273,6 +280,9 @@ user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", ""); //
* [TEST] see github wiki APPENDIX C: Test Sites: Section 5
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1226490 ***/
// user_pref("browser.safebrowsing.allowOverride", false);
/* 0417: disable data sharing (FF58+) ***/
user_pref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
/** TRACKING PROTECTION (TP)
There are NO privacy concerns here, but we strongly recommend to use uBlock Origin as well,
as it offers more comprehensive and specialized lists. It also allows per domain control. ***/
@ -591,7 +601,7 @@ user_pref("browser.cache.disk_cache_ssl", false);
* [NOTE] Not recommended unless you know what you're doing
* [1] http://kb.mozillazine.org/Browser.sessionhistory.max_total_viewers ***/
// user_pref("browser.sessionhistory.max_total_viewers", 0);
/* 1006: disable permissions manager from writing to disk (requires restart)
/* 1006: disable permissions manager from writing to disk [RESTART]
* [NOTE] This means any permission changes are session only
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=967812 ***/
// user_pref("permissions.memory_only", true); // (hidden pref)
@ -633,53 +643,7 @@ user_pref("browser.shell.shortcutFavicons", false);
// user_pref("browser.chrome.site_icons", false);
// user_pref("browser.chrome.favicons", false);
/* 1032: disable favicons in web notifications ***/
user_pref("alerts.showFavicons", false);
/*** 1100: MULTI-PROCESS (e10s)
We recommend you let Firefox handle this. Until e10s is enforced, if
- all your legacy extensions have the 'multiprocessCompatible' flag as true, then FF = e10s
- any legacy extensions have 'multiprocessCompatible' flag as false, then FF != e10s
- any legacy extensions are missing the 'multiprocessCompatible' flag, then they *might* be disabled
[1] https://blog.mozilla.org/addons/2017/02/16/the-road-to-firefox-57-compatibility-milestones/
***/
user_pref("_user.js.parrot", "1100 syntax error: the parrot's bought the farm!");
/* 1101: start the browser in e10s mode (FF48+)
* about:support>Application Basics>Multiprocess Windows ***/
// user_pref("browser.tabs.remote.autostart", true);
// user_pref("browser.tabs.remote.autostart.2", true); // (FF49+) (hidden pref)
// user_pref("browser.tabs.remote.force-enable", true); // (hidden pref)
// user_pref("extensions.e10sBlocksEnabling", false);
/* 1102: control number of content rendering processes
* [SETTING] Options>General>Performance>Custom>Content process limit
* [1] https://www.ghacks.net/2016/02/15/change-how-many-processes-multi-process-firefox-uses/
* [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1207306 ***/
// user_pref("dom.ipc.processCount", 4);
/* 1103: enable extension code to run in a separate process (webext-oop) (FF53+)
* [1] https://wiki.mozilla.org/WebExtensions/Implementing_APIs_out-of-process ***/
// user_pref("extensions.webextensions.remote", true);
/* 1104: enforce separate content process for file://URLs (FF53+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1147911
* [2] https://www.ghacks.net/2016/11/27/firefox-53-exclusive-content-process-for-local-files/ ***/
user_pref("browser.tabs.remote.separateFileUriProcess", true);
/* 1105: enable console shim warnings for legacy extensions with the 'multiprocessCompatible' flag as false ***/
user_pref("dom.ipc.shims.enabledWarnings", true);
/* 1106: control number of extension processes ***/
// user_pref("dom.ipc.processCount.extension", 1);
/* 1107: control number of file processes ***/
// user_pref("dom.ipc.processCount.file", 1);
/* 1108: block web content in file processes (FF55+)
* [WARNING] [SETUP] You may want to disable this for corporate or developer environments
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1343184 ***/
user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false);
/* 1110: set sandbox level. DO NOT MEDDLE WITH THESE. They are included to inform you NOT to play
* with them. The values are integers, but the code below deliberately contains a data mismatch
* [1] https://wiki.mozilla.org/Security/Sandbox
* [2] https://www.ghacks.net/2017/01/23/how-to-change-firefoxs-sandbox-security-level/#comment-4105173 ***/
// user_pref("security.sandbox.content.level", "donotuse");
// user_pref("dom.ipc.plugins.sandbox-level.default", "donotuse");
// user_pref("dom.ipc.plugins.sandbox-level.flash", "donotuse");
/* 1111: enable sandbox logging ***/
// user_pref("security.sandbox.logging.enabled", true);
user_pref("alerts.showFavicons", false); // default: false
/*** 1200: HTTPS ( SSL/TLS / OCSP / CERTS / HSTS / HPKP / CIPHERS )
Note that your cipher and other settings can be used server side as a fingerprint attack
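Review bot: the 1100 header (the three "legacy extensions ... 'multiprocessCompatible'" bullets) and 1105 (dom.ipc.shims.enabledWarnings, "console shim warnings for legacy extensions") describe behaviour that no longer exists in the Firefox versions this 58.0 release targets: legacy add-ons stopped loading in FF57, so e10s is no longer gated on the flag and the shim warnings have nothing to warn about. Trim the header to the e10s recommendation and tag 1105 as ESR52-only or move it to the deprecated block at the end of the file. Also, the `user_pref("alerts.showFavicons", false); // default: false` line sits between 1111 and the 1200 header with no `/* 11xx: ... ***/` entry above it, unlike every other pref in the section; give it its own numbered header so the "default values cleanup" comment has something to attach to.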
@ -732,17 +696,20 @@ user_pref("security.tls.enable_0rtt_data", false); // (FF55+ default true)
/* 1210: enable OCSP Stapling
* [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
user_pref("security.ssl.enable_ocsp_stapling", true);
/* 1211: control use of OCSP responder servers to confirm current validity of certificates
* 0=disable, 1=validate only certificates that specify an OCSP service URL (default)
* 2=enable and use values in security.OCSP.URL and security.OCSP.signing.
/* 1211: control when to use OCSP fetching (to confirm current validity of certificates)
* 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
* OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
* It's a trade-off between security (checking) and privacy (leaking info to the CA)
* [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
* [1] https://en.wikipedia.org/wiki/Ocsp ***/
user_pref("security.OCSP.enabled", 1);
/* 1212: enable OCSP revocation. When a CA cannot be reached to validate a cert, Firefox currently
* continues the connection. With OCSP revocation, Firefox terminates the connection instead.
* [WARNING] Since FF44 the default is false. If set to true, this will cause some site breakage
* [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail
* When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
* Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
* It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
* could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
* [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
* [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
user_pref("security.OCSP.require", true);
/** CERTS / HSTS (HTTP Strict Transport Security) / HPKP (HTTP Public Key Pinning) ***/
/* 1220: disable Windows 8.1's Microsoft Family Safety cert [WINDOWS] (FF50+)
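Review bot: 1212 drops the old "[WARNING] ... this will cause some site breakage" while changing the shipped value to hard-fail (`user_pref("security.OCSP.require", true);`), and the rewritten header now only argues that soft-fail is pointless. The breakage is real and the file uses [WARNING]/[SETUP] for exactly this: with hard-fail, a responder outage, a captive portal or a corporate proxy that blocks OCSP makes every site without a stapled response unreachable until the responder is reachable again. Keep a [SETUP] or [WARNING] tag on 1212, and note that [2] (imperialviolet, revchecking) is a case against enabling in-browser revocation checks at all, listing those hard-fail costs, so cite it as a counterpoint rather than as support.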
@ -751,7 +718,7 @@ user_pref("security.OCSP.require", true);
* 2=detect Family Safety mode and import the root
* [1] https://trac.torproject.org/projects/tor/ticket/21686 ***/
user_pref("security.family_safety.mode", 0);
/* 1221: disable intermediate certificate caching (fingerprinting attack vector)
/* 1221: disable intermediate certificate caching (fingerprinting attack vector) [RESTART]
* [NOTE] This may be better handled under FPI (ticket 1323644, part of Tor Uplift)
* [WARNING] This affects login/cert/key dbs. The effect is all credentials are session-only.
* Saved logins and passwords are not available. Reset the pref and restart to return them.
@ -774,9 +741,8 @@ user_pref("network.stricttransportsecurity.preloadlist", true);
/* 1240: disable insecure active content on https pages - mixed content
* [1] https://trac.torproject.org/projects/tor/ticket/21323 ***/
user_pref("security.mixed_content.block_active_content", true);
/* 1241: disable insecure passive content (such as images) on https pages - mixed context
* [WARNING] When set to true, this will visually break many sites (March 2017) ***/
// user_pref("security.mixed_content.block_display_content", true);
/* 1241: disable insecure passive content (such as images) on https pages - mixed context ***/
user_pref("security.mixed_content.block_display_content", true);
/* 1242: enable Mixed-Content-Blocker to use the HSTS cache but disable the HSTS Priming requests (FF51+)
* Allow resources from domains with an existing HSTS cache record or in the HSTS preload list
* to be upgraded to HTTPS internally but disable sending out HSTS Priming requests, because
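Review bot: 1241 flips `security.mixed_content.block_display_content` from commented-out to enabled and deletes the "[WARNING] When set to true, this will visually break many sites" line, but nothing in the hunk says the breakage went away; the pref is still false by default in Firefox, and HTTP images/media on HTTPS pages are still common. Replace the dropped warning with a [SETUP] tag rather than silently promoting the setting. Unrelated to the change but in the same line: "mixed context" in the 1241 header should read "mixed content".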
@ -818,7 +784,7 @@ user_pref("security.pki.sha1_enforcement_level", 1);
* [1] https://wiki.mozilla.org/Security:Renegotiation ***/
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
/* 1271: control "Add Security Exception" dialog on SSL warnings
* 0=do neither 1=pre-populate url 2+pre-populate url + pre-fetch cert (default)
* 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)
* [1] https://github.com/pyllyukko/user.js/issues/210 ***/
user_pref("browser.ssl_override_behavior", 1);
/* 1272: display advanced information on Insecure Connection warning pages
@ -851,24 +817,24 @@ user_pref("browser.display.use_document_fonts", 0);
// user_pref("font.name.monospace.x-western", "Lucida Console"); // default Courier New
/* 1403: enable icon fonts (glyphs) (FF41+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=789788 ***/
user_pref("gfx.downloadable_fonts.enabled", true);
user_pref("gfx.downloadable_fonts.enabled", true); // default: true
/* 1404: disable rendering of SVG OpenType fonts
* [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
user_pref("gfx.font_rendering.opentype_svg.enabled", false);
/* 1405: disable WOFF2 (Web Open Font Format) ***/
/* 1405: disable WOFF2 (Web Open Font Format) (FF35+) ***/
user_pref("gfx.downloadable_fonts.woff2.enabled", false);
/* 1406: disable CSS Font Loading API
* [SETUP] Disabling fonts can uglify the web a fair bit. ***/
user_pref("layout.css.font-loading-api.enabled", false);
/* 1407: disable special underline handling for a few fonts which you will probably never use.
* Any of these fonts on your system can be enumerated for fingerprinting. Requires restart.
/* 1407: disable special underline handling for a few fonts which you will probably never use [RESTART]
* Any of these fonts on your system can be enumerated for fingerprinting.
* [1] http://kb.mozillazine.org/Font.blacklist.underline_offset ***/
user_pref("font.blacklist.underline_offset", "");
/* 1408: disable graphite which FF49 turned back on by default
* In the past it had security issues. Update: This continues to be the case, see [1]
* [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 ***/
user_pref("gfx.font_rendering.graphite.enabled", false);
/* 1409: limit system font exposure to a whitelist (FF52+) [SETUP]
/* 1409: limit system font exposure to a whitelist (FF52+) [SETUP] [RESTART]
* If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.
* [NOTE] Creating your own probably highly-unique whitelist will raise your entropy. If
* you block sites choosing fonts in 1401, this preference is irrelevant. In future,
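Review bot: the "[SETUP] Disabling fonts can uglify the web a fair bit." note is attached to 1406 (layout.css.font-loading-api.enabled), but the entry that actually disables site fonts is 1401 (`user_pref("browser.display.use_document_fonts", 0);`, visible as context above 1402). Move the note to 1401 so the [SETUP] marker lands on the pref that causes the effect. The [RESTART] additions on 1407 and 1409 are consistent with the 1221 and 1830 edits in this diff.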
@ -876,16 +842,14 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1121643 ***/
// user_pref("font.system.whitelist", ""); // (hidden pref)
/*** 1600: HEADERS / REFERERS [SETUP]
Except for DNT (Do Not Track), referers are best controlled by an extension.
It is important to realize that it is *cross domain* referers that need
controlling, and this is best handled by EITHER 1603 or 1604, not both.
/*** 1600: HEADERS / REFERERS
Only *cross domain* referers need controlling and XOriginPolicy (1603) is perfect for that. Thus we enforce
the default values for 1601, 1602, 1605 and 1606 to minimize breakage, and only tweak 1603 and 1604.
Option 1: Recommended: Use an extension to block all referers, and then whitelist
sites on a granular, per domain level.
Option 2: As per the original settings below: Set XOriginPolicy (1603) to 1 (less breakage)
or 2 (more breakage) and leave XOriginTrimmingPolicy (1604) at default 0
Option 3: Set XOriginPolicy (1603) to default 0 and set XOriginTrimmingPolicy (1604) to 2
Our default settings provide the best balance between protection and amount of breakage.
To harden it a bit more you can set XOriginPolicy (1603) to 2 (+ optionally 1604 to 1 or 2).
To fix broken sites, temporarily set XOriginPolicy=0 and XOriginTrimmingPolicy=2 in about:config,
use the site and then change the values back. If you visit those sites regularly, use an extension.
full URI: https://example.com:8888/foo/bar.html?id=1234
scheme+host+path+port: https://example.com:8888/foo/bar.html
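Review bot: the new 1600 header overstates what XOriginPolicy gives you and contradicts the values below it. "XOriginPolicy (1603) is perfect for that" is too strong: value 1 ("only if base domains match") still sends the full referrer between different hosts of the same registrable domain, and "base domain" is decided by the public suffix list, so a shared-hosting suffix that is missing from the list counts as one site. Say "good default" and keep the leakage caveat the old header had. The sentence "only tweak 1603 and 1604" does not match the settings: 1604 is left at its default (`user_pref("network.http.referer.XOriginTrimmingPolicy", 0);`), so either describe 1604 as optional hardening only (as the next sentence does) or set it.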
@ -895,31 +859,29 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
***/
user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
/* 1601: ALL: control when images/links send a referer
* 0=never, 1=send only when links are clicked, 2=for links and images (default)
* [NOTE] Recommended left at default. Focus on XSS and granular cross origin referer control ***/
* 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/
user_pref("network.http.sendRefererHeader", 2);
/* 1602: ALL: control the amount of information to send
* 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port
* [NOTE] Cross origin requests can be fine tuned in 1603 + 1604. Limiting same origin requests
* is rather pointless. Recommended left at default for zero same origin breakage ***/
* 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port ***/
user_pref("network.http.referer.trimmingPolicy", 0);
/* 1603: CROSS ORIGIN: control when to send a referer [SETUP]
* 0=always (default), 1=only if base domains match, 2=only if hosts match
* [NOTE] 1=less breakage, possible leakage 2=less leakage, more breakage ***/
* 0=always (default), 1=only if base domains match, 2=only if hosts match ***/
user_pref("network.http.referer.XOriginPolicy", 1);
/* 1604: CROSS ORIGIN: control the amount of information to send (FF52+)
* 0=send full URI (default) 1=scheme+host+path+port 2=scheme+host+port ***/
* 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port ***/
user_pref("network.http.referer.XOriginTrimmingPolicy", 0);
/* 1605: ALL: disable spoofing a referer
* Spoofing increases your exposure to cross-site request forgeries ***/
* [WARNING] Spoofing effectively disables the anti-CSRF (Cross-Site Request Forgery) protections that some sites may rely on ***/
user_pref("network.http.referer.spoofSource", false);
/* 1606: ALL: set the default Referrer Policy (FF53+)
* 0=no-referer 1=same-origin 2=strict-origin-when-cross-origin
* 3=no-referrer-when-downgrade (default)
/* 1606: ALL: set the default Referrer Policy
* 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
* [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy
* [1] https://www.w3.org/TR/referrer-policy/
* [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1304623 ***/
user_pref("network.http.referer.userControlPolicy", 3);
* [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
* [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ***/
user_pref("network.http.referer.userControlPolicy", 3); // (FF53-FF58) default: 3
user_pref("network.http.referer.defaultPolicy", 3); // (FF59+) default: 3
user_pref("network.http.referer.defaultPolicy.pbmode", 2); // (FF59+) default: 2
/* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain (FF54+)
* [NOTE] Firefox cannot access .onion sites by default. We recommend you use
* TBB (Tor Browser Bundle) which is specifically designed for the dark web
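Review bot: in the 1606 value list, "0=no-referer" should be "0=no-referrer", which is the spec token (the same misspelling is in the old line, so this is the moment to fix it; the [1]/[2] links spell it correctly, and people grep for it). Setting both `network.http.referer.userControlPolicy` (FF53-FF58) and `network.http.referer.defaultPolicy` (FF59+) to 3 is the right way to cover both release ranges, since unknown prefs are inert; a one-line [NOTE] saying that is why both are present would save the next reader a question. The `defaultPolicy.pbmode` = 2 line makes private windows stricter than normal ones; state that explicitly in the header rather than leaving it to the trailing comment.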
@ -992,7 +954,7 @@ user_pref("media.gmp-widevinecdm.autoupdate", false);
/* 1830: disable all DRM content (EME: Encryption Media Extension) [SETUP]
* [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
user_pref("media.eme.enabled", false); // Options>Content>Play DRM Content
user_pref("browser.eme.ui.enabled", false); // hides "Play DRM Content" checkbox, restart required
user_pref("browser.eme.ui.enabled", false); // hides "Play DRM Content" checkbox [RESTART]
/* 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate"
* This is the bundled codec used for video chat in WebRTC ***/
user_pref("media.gmp-gmpopenh264.enabled", false); // (hidden pref)
@ -1038,6 +1000,12 @@ user_pref("media.getusermedia.browser.enabled", false);
user_pref("media.getusermedia.audiocapture.enabled", false);
/* 2023: disable camera stuff ***/
user_pref("camera.control.face_detection.enabled", false);
/* 2024: set a default permission for Camera/Microphone (FF58+)
* 0=always ask (default), 1=allow, 2=block
* [SETTING] to add site exceptions: Page Info>Permissions>Use the Camera/Microphone
* [SETTING] to manage site exceptions: Options>Privacy>Permissions>Camera/Microphone>Settings ***/
// user_pref("permissions.default.camera", 2);
// user_pref("permissions.default.microphone", 2);
/* 2026: disable canvas capture stream
* [1] https://developer.mozilla.org/docs/Web/API/HTMLCanvasElement/captureStream ***/
user_pref("canvas.capturestream.enabled", false);
@ -1095,7 +1063,8 @@ user_pref("dom.disable_beforeunload", true);
communicate between browsing contexts (windows/tabs/iframes) and can even control your cache.
[WARNING] Disabling workers *will* break sites (e.g. Google Street View, Twitter).
It is recommended that you use a separate profile for these sorts of sites.
[UPDATE] uMatrix 1.2.0+ allows a per-scope control for workers (2301) and service workers (2302)
#Required reading [#] https://github.com/gorhill/uMatrix/releases/tag/1.2.0
[1] Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API
[2] Worker: https://developer.mozilla.org/docs/Web/API/Worker
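Review bot: the added "#Required reading [#] https://github.com/gorhill/uMatrix/releases/tag/1.2.0" line does not follow the reference style used everywhere else in this block ([1], [2] ...), and "[UPDATE]" / "#Required reading" are not tags the file uses ([NOTE], [WARNING], [SETUP]). Number the link as the next reference and fold the uMatrix remark into a [NOTE], e.g. "[NOTE] uMatrix 1.2.0+ can control workers (2301) and service workers (2302) per scope, see [3]".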
@ -1116,11 +1085,14 @@ user_pref("dom.workers.enabled", false);
* [NOTE] Service workers only run over HTTPS. Service Workers have no DOM access. ***/
user_pref("dom.serviceWorkers.enabled", false);
/* 2304: disable web notifications
* [NOTE] You can still override individual domains under site permissions (FF44+)
* [1] https://developer.mozilla.org/docs/Web/API/Notifications_API ***/
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.webnotifications.serviceworker.enabled", false);
/* 2305: disable push notifications (FF44+)
user_pref("dom.webnotifications.enabled", false); // (FF22+)
user_pref("dom.webnotifications.serviceworker.enabled", false); // (FF44+)
/* 2305: set a default permission for Notifications (see 2304) (FF58+)
* [SETTING] to add site exceptions: Page Info>Permissions>Receive Notifications
* [SETTING] to manage site exceptions: Options>Privacy>Permissions>Notifications>Settings ***/
// user_pref("permissions.default.desktop-notification", 2); // 0=always ask (default), 1=allow, 2=block
/* 2306: disable push notifications (FF44+)
* web apps can receive messages pushed to them from a server, whether or
* not the web app is in the foreground, or even currently loaded
* [1] https://developer.mozilla.org/docs/Web/API/Push_API ***/
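Review bot: inserting the new permissions entry as 2305 renumbers the existing push-notification entry from 2305 to 2306; anyone who referenced "2305" in an override file, issue or changelog now points at a different pref. The file tolerates gaps (2024 is followed by 2026), so give the new entry an unused number instead of shifting an old one. Also, `permissions.default.desktop-notification` puts its value list ("0=always ask (default), 1=allow, 2=block") in the trailing comment, while 2024 (camera/microphone) and 4612 (geo) put the same list in the header; pick one layout for the permissions.default.* entries.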
@ -1154,12 +1126,15 @@ user_pref("dom.idle-observers-api.enabled", false);
/* 2418: disable full-screen API
* false=block, true=ask ***/
user_pref("full-screen-api.enabled", false);
/* 2420: disable support for asm.js ( http://asmjs.org/ )
* [1] https://www.mozilla.org/security/advisories/mfsa2015-29/
* [2] https://www.mozilla.org/security/advisories/mfsa2015-50/
* [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712 ***/
/* 2420: disable asm.js (FF22+)
* [1] http://asmjs.org/
* [2] https://www.mozilla.org/security/advisories/mfsa2015-29/
* [3] https://www.mozilla.org/security/advisories/mfsa2015-50/
* [4] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
* [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
* [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
user_pref("javascript.options.asmjs", false);
/* 2421: disable Ion and baseline JIT to help harden JS against exploits such as CVE-2015-0817
/* 2421: disable Ion and baseline JIT to help harden JS against exploits
* [WARNING] Causes the odd site issue and there is also a performance loss
* [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
// user_pref("javascript.options.ion", false);
@ -1175,6 +1150,10 @@ user_pref("javascript.options.wasm", false);
* [2] https://w3c.github.io/IntersectionObserver/
* [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1243846 ***/
user_pref("dom.IntersectionObserver.enabled", false);
/* 2427: disable Shared Memory (Spectre mitigation)
* [1] https://github.com/tc39/ecmascript_sharedmem/blob/master/TUTORIAL.md
* [2] https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ ***/
user_pref("javascript.options.shared_memory", false);
/*** 2500: HARDWARE FINGERPRINTING ***/
user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!");
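Review bot: the new 2427 line `user_pref("javascript.options.shared_memory", false);` enforces what Mozilla already shipped: the [2] blog post it cites is the announcement that SharedArrayBuffer was turned off by default (FF57.0.4) as the Spectre mitigation. This diff adds "// default: false" / "// default: true" comments to other enforced defaults (1403, 2624, 2626, 2673, 2705), so add one here too, otherwise the entry reads as if the user.js is introducing the mitigation.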
@ -1201,16 +1180,6 @@ user_pref("dom.webaudio.enabled", false);
* [1] https://developer.mozilla.org/docs/Web/Events/devicechange
* [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange ***/
user_pref("media.ondevicechange.enabled", false);
/* 2513: disable Presentation API
* [WARNING] [SETUP] Optional protection depending on your connected devices
* [1] https://wiki.mozilla.org/WebAPI/PresentationAPI
* [2] https://www.w3.org/TR/presentation-api/ ***/
// user_pref("dom.presentation.enabled", false);
// user_pref("dom.presentation.controller.enabled", false);
// user_pref("dom.presentation.discoverable", false);
// user_pref("dom.presentation.discovery.enabled", false);
// user_pref("dom.presentation.receiver.enabled", false);
// user_pref("dom.presentation.session_transport.data_channel.enable", false);
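Review bot: the whole 2513 Presentation API block is deleted rather than relocated. The dom.presentation.* prefs still exist in the releases this file targets, and the only remaining coverage is the RFP line "1382533 - enable fingerprinting resistance for Presentation API (FF57+)", which helps only users who enable 4501. Either leave a one-line pointer under 2500 saying the API is handled by RFP, or move the entries to the deprecated/removed block at the end of the file where other retired prefs are kept, so the removal is traceable.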
/*** 2600: MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY ***/
user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
@ -1308,23 +1277,31 @@ user_pref("security.fileuri.strict_origin_policy", true);
/* 2624: enable Subresource Integrity (SRI) (FF43+)
* [1] https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity
* [2] https://wiki.mozilla.org/Security/Subresource_Integrity ***/
user_pref("security.sri.enable", true);
user_pref("security.sri.enable", true); // default: true
/* 2625: disable DNS requests for hostnames with a .onion TLD (FF45+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1228457 ***/
user_pref("network.dns.blockDotOnion", true);
/* 2626: disable optional user agent token, default is false, included for completeness
/* 2626: disable optional user agent token
* [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/User-Agent/Firefox ***/
user_pref("general.useragent.compatMode.firefox", false);
user_pref("general.useragent.compatMode.firefox", false); // default: false
/* 2628: disable UITour backend so there is no chance that a remote page can use it ***/
user_pref("browser.uitour.enabled", false);
user_pref("browser.uitour.url", "");
/* 2629: disable remote JAR files being opened, regardless of content type (FF42+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1173171 ***/
user_pref("network.jar.block-remote-files", true);
/* 2630: prevent accessibility services from accessing your browser
/* 2630: prevent accessibility services from accessing your browser [RESTART]
* [SETTING] Options>Privacy & Security>Permissions>Prevent accessibility services from accessing your browser
* [1] https://support.mozilla.org/kb/accessibility-services ***/
user_pref("accessibility.force_disabled", 1);
/* 2631: block web content in file processes (FF55+)
* [WARNING] [SETUP] You may want to disable this for corporate or developer environments
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1343184 ***/
user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false);
/* 2632: disable websites overriding Firefox's keyboard shortcuts (FF58+)
* [SETTING] to add site exceptions: Page Info>Permissions>Override Keyboard Shortcuts
* [NOTE] At the time of writing, causes issues with delete and backspace keys ***/
// user_pref("permissions.default.shortcuts", 2); // 0 (default) or 1=allow, 2=block
/* 2662: disable "open with" in download dialog (FF50+)
* This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
* in such a way that it is forbidden to run external applications.
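Review bot: 2631 (`browser.tabs.remote.allowLinkedWebInFileUriProcess`, false) is a byte-for-byte copy of 1108 in section 1100, header, [WARNING] and bugzilla link included. If the intent is to move it out of 1100 into 2600, the 1100 hunk should show the old block going away; if both are meant to stay, drop one, since a pref set twice is harmless to Firefox but confusing to anyone diffing the file. In 2632, "0 (default) or 1=allow, 2=block" should say what 0 does; for this permission there is no prompt, so spell it out as "0=allow (default), 1=allow, 2=block" to match the other permissions.default.* entries.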
@ -1377,9 +1354,9 @@ user_pref("security.block_script_with_wrong_mime", true);
* [4] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
* [5] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
user_pref("network.IDN_show_punycode", true);
/* 2673: enable CSP (Content Security Policy) (default is true)
/* 2673: enable CSP (Content Security Policy)
* [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
user_pref("security.csp.enable", true);
user_pref("security.csp.enable", true); // default: true
/* 2674: enable CSP 1.1 experimental hash-source directive (FF29+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=855326
* [2] https://bugzilla.mozilla.org/show_bug.cgi?id=883975 ***/
@ -1407,10 +1384,14 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin
* [NOTE] This also controls access to 3rd party Web Storage, IndexedDB, Cache API and Service Worker Cache
* [1] https://www.fxsitecompat.com/en-CA/docs/2015/web-storage-indexeddb-cache-api-now-obey-third-party-cookies-preference/ ***/
user_pref("network.cookie.cookieBehavior", 2);
/* 2702: set third-party cookies (if enabled, see above pref) to session-only
/* 2702: set third-party cookies (i.e ALL) (if enabled, see above pref) to session-only
and (FF58+) set third-party non-secure (i.e HTTP) cookies to session-only
[NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
.nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
* [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
* [2] http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly ***/
user_pref("network.cookie.thirdparty.sessionOnly", true);
user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // (FF58+)
/* 2703: set cookie lifetime policy
* 0=until they expire (default), 2=until you close Firefox, 3=for n days (see next pref)
* [SETTING-56+] Options>Privacy & Security>History>Custom Settings>Accept cookies from sites>Keep until
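Review bot: the three new continuation lines in 2702 ("and (FF58+) set third-party non-secure ...", "[NOTE] .sessionOnly overrides ...", ".nonsecureSessionOnly=true. This allows you ...") lack the leading " *" every other multi-line header in the file uses; it still parses because they are inside the /* ... */ comment, but it breaks the visual pattern. The [NOTE] is also hard to follow: "X overrides Y except when X=false and Y=true" is just "nonsecureSessionOnly only has an effect when sessionOnly is false". Write it that way, and drop "(i.e ALL)", which reads as if 2702 affected first-party cookies as well.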
@ -1418,9 +1399,9 @@ user_pref("network.cookie.thirdparty.sessionOnly", true);
// user_pref("network.cookie.lifetimePolicy", 0);
/* 2704: set cookie lifetime in days (see above pref) - default is 90 days ***/
// user_pref("network.cookie.lifetime.days", 90);
/* 2705: disable HTTP sites setting cookies with the "secure" directive (default: true) (FF52+)
/* 2705: disable HTTP sites setting cookies with the "secure" directive (FF52+)
* [1] https://developer.mozilla.org/Firefox/Releases/52#HTTP ***/
user_pref("network.cookie.leave-secure-alone", true);
user_pref("network.cookie.leave-secure-alone", true); // default: true
/* 2710: disable DOM (Document Object Model) Storage
* [WARNING] This will break a LOT of sites' functionality.
* You are better off using an extension for more granular control ***/
@ -1433,7 +1414,7 @@ user_pref("extensions.webextensions.keepStorageOnUninstall", false);
user_pref("extensions.webextensions.keepUuidOnUninstall", false);
/* 2720: disable JS storing data permanently [SETUP]
* [WARNING] This BREAKS uBlock Origin [1.14.0+] and other extensions that require IndexedDB
* [1] https://github.com/gorhill/uBlock/releases/tag/1.14.0
* [1] https://github.com/gorhill/uBlock/releases/tag/1.14.0
* [WARNING] This *will* break other extensions including legacy, and *will* break some sites ***/
// user_pref("dom.indexedDB.enabled", false);
/* 2730: disable offline cache ***/
@ -1531,10 +1512,10 @@ user_pref("privacy.sanitize.timeSpan", 0);
** 1344170 - isolate blob: URI (FF55+)
** 1300671 - isolate data:, about: URLs (FF55+)
NOTE: FPI has some unresolved issues
** 1381197 - extensions cannot control cookies with FPI Origin Attributes
** 1418931 - IndexedDB (Offline Website Data) with FPI Origin Attributes
NOTE: FPI has some issues depending on your Firefox release
** 1418931 - [fixed in FF58+] IndexedDB (Offline Website Data) with FPI Origin Attributes
are not removed with "Clear All/Recent History" or "On Close"
** 1381197 - [fixed in FF59+] extensions cannot control cookies with FPI Origin Attributes
***/
user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
/* 4001: enable First Party Isolation (FF51+)
@ -1565,30 +1546,38 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
** 1281949 - spoof screen orientation (FF50+)
** 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+)
** 1330890 - spoof timezone as UTC 0 (FF55+)
FF58: Date.toLocaleFormat deprecated (818634)
FF60: Date.toLocaleDateString and Intl.DateTimeFormat fixed (1409973)
** 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) (FF55+)
This spoof *shouldn't* affect core chrome/Firefox performance
** 1217238 - reduce precision of time exposed by javascript (FF55+)
** 1369303 - spoof/disable performance API (see 2410-deprecated, 4602, 4603) (FF56+)
** 1333651 & 1383495 & 1396468 & 1393283 - spoof Navigator API (see section 4700) (FF56+)
** 1333651 & 1383495 & 1396468 & 1393283 & 1404608 - spoof Navigator API (see section 4700) (FF56+)
FF56: The version number will be rounded down to the nearest multiple of 10
FF57+: The version number will match current ESR
FF57: The version number will match current ESR
FF59: The OS will be reported as Windows, OSX, Android, or Linux (to reduce breakage)
** 1369319 - disable device sensor API (see 4604) (FF56+)
** 1369357 - disable site specific zoom (see 4605) (FF56+)
** 1337161 - hide gamepads from content (see 4606) (FF56+)
** 1372072 - spoof network information API as "unknown" (see 4607) (FF56+)
** 1333641 - reduce fingerprinting in WebSpeech API (see 4608) (FF56+)
** 1372069 & 1403813 - block geolocation requests (same as if you deny a site permission) (see 4609) (FF56+)
** 1372069 & 1403813 - block geolocation requests (same as if you deny a site permission) (see 4609, 4612) (FF56+)
** 1369309 - spoof media statistics (see 4610) (FF57+)
** 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) (FF57+)
** 1217290 - enable fingerprinting resistance for WebGL (see 2010-12) (FF57+)
** 1382545 - reduce fingerprinting in Animation API (FF57+)
** 1354633 - limit MediaError.message to a whitelist (FF57+)
** 1382533 - enable fingerprinting resistance for Presentation API (see 2513) (FF57+)
** 1382533 - enable fingerprinting resistance for Presentation API (FF57+)
This blocks exposure of local IP Addresses via mDNS (Multicast DNS)
** 967895 - enable site permission prompt before allowing canvas data extraction (FF58+)
In FF59+ this is controllable via the site permissions panel, see 1413780 (FF59+)
FF59: Added to the site permissions panel (1413780)
FF60: Only prompt for canvas data extraction when triggered by user input (1376865)
** 1372073 - spoof/block fingerprinting in MediaDevices API (FF59+)
** 1039069 - warn when language prefs are set to non en-US (see 0207, 0208) (FF59+)
** 1222285 - spoof keyboard events and suppress keyboard modifier events (FF59+)
Spoofing mimics the content language of the document. Currently it only supports en-US.
Modifier events suppressed are SHIFT, CTRL and both ALT keys. Chrome is not affected.
FF60: Fixes keydown/keyup events (1438795)
***/
user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
/* 4501: enable privacy.resistFingerprinting (FF41+)
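Review bot: in the new 1222285 note, "Chrome is not affected" will be read as Google Chrome by most readers; it means Firefox's own chrome (the browser UI, as opposed to web content). Say "browser chrome (the Firefox UI) is not affected". The two FF57 lines for the Navigator spoof now read "FF56: ..." / "FF57: ..." / "FF59: ..." as a version timeline, which is clearer than the old "FF57+" wording; the other bugs in this block that got timelines (canvas prompt, Date) follow the same pattern, good.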
@ -1672,6 +1661,12 @@ user_pref("media.video_stats.enabled", false);
// [2] https://trac.torproject.org/projects/tor/ticket/10286
// user_pref("dom.w3c_touch_events.enabled", 0);
// * * * /
// FF58+
// 4612: [new] set a default permission for Location (FF58+)
// [SETTING] to add site exceptions: Page Info>Permissions>Access Your Location
// [SETTING] to manage site exceptions: Options>Privacy>Permissions>Location>Settings
// user_pref("permissions.default.geo", 2); // 0=always ask (default), 1=allow, 2=block
// * * * /
// ***/
/*** 4700: RFP (4500) ALTERNATIVES - NAVIGATOR / USER AGENT (UA) SPOOFING
@ -1704,14 +1699,13 @@ user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow
// user_pref("general.platform.override", "Win32"); // (hidden pref)
/* 4706: navigator.oscpu leaks in JS ***/
// user_pref("general.oscpu.override", "Windows NT 6.1"); // (hidden pref)
/* 4707: general.useragent.locale (related, see 0204) ***/
/* 4707: general.useragent.locale (related, see 0204 deprecated FF59+) ***/
/*** 5000: PERSONAL SETTINGS [SETUP]
Settings that are handy to migrate and/or are not in the Options interface. Users
can put their own non-security/privacy/fingerprinting/tracking stuff here ***/
user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
/* 5001: disable annoying warnings ***/
user_pref("general.warnOnAboutConfig", false);
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.tabs.warnOnCloseOtherTabs", false);
user_pref("browser.tabs.warnOnOpen", false);
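Review bot: the rewritten 4707 header "general.useragent.locale (related, see 0204 deprecated FF59+)" is ambiguous about what is deprecated, the 0204 entry or the pref itself, and it is an entry with no pref line under it. State it in one clause, e.g. "general.useragent.locale is deprecated in FF59+, see 0204", so the reader knows not to look for a replacement value here.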
@ -1756,9 +1750,6 @@ user_pref("network.manage-offline-status", false);
// user_pref("toolkit.cosmeticAnimations.enabled", false);
/* 5016: disable reload/stop animation (FF56+) ***/
// user_pref("browser.stopReloadAnimation.enabled", true);
/* 5017: set submenu delay in milliseconds. 0=instant while a small number allows
* a mouse pass over menu items without any submenus alarmingly shooting out ***/
user_pref("ui.submenuDelay", 150); // (hidden pref)
/* 5018: set maximum number of daily bookmark backups to keep (default is 15) ***/
user_pref("browser.bookmarks.max_backups", 2);
/* 5020: control urlbar click behaviour (with defaults) ***/
@ -1782,24 +1773,6 @@ user_pref("browser.tabs.loadDivertedInBackground", false);
/* 5023: enable "Find As You Type"
* [1] http://kb.mozillazine.org/Accessibility.typeaheadfind ***/
// user_pref("accessibility.typeaheadfind", true);
/* 5024: enable/disable MSE (Media Source Extensions)
* [1] https://www.ghacks.net/2014/05/10/enable-media-source-extensions-firefox/ ***/
// user_pref("media.mediasource.enabled", false);
// user_pref("media.mediasource.mp4.enabled", false);
// user_pref("media.mediasource.webm.audio.enabled", false);
// user_pref("media.mediasource.webm.enabled", false);
/* 5025: enable/disable various media types ***/
// user_pref("media.mp4.enabled", false);
// user_pref("media.flac.enabled", false); // (FF51+)
// user_pref("media.ogg.enabled", false);
// user_pref("media.ogg.flac.enabled", false); // (FF51+)
// user_pref("media.opus.enabled", false);
// user_pref("media.raw.enabled", false);
// user_pref("media.wave.enabled", false);
// user_pref("media.webm.enabled", false);
// user_pref("media.wmf.enabled", false); // https://www.youtube.com/html5 - for the two H.264 entries
// user_pref("media.wmf.amd.vp9.enabled", true); // (FF57+)
// user_pref("media.wmf.vp9.enabled", false);
/* 5026: disable "Reader View" ***/
// user_pref("reader.parse-on-load.enabled", false);
/* 5027: decode URLs on copy from the urlbar (FF53+)
@ -1832,7 +1805,7 @@ user_pref("network.websocket.enabled", false);
// [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1042135#c101
// user_pref("privacy.donottrackheader.value", 1);
// 2023: (37+) disable camera autofocus callback
// The API will be superceded by the WebRTC Capture and Stream API
// The API will be superseded by the WebRTC Capture and Stream API
// [1] https://developer.mozilla.org/docs/Archive/B2G_OS/API/CameraControl
// [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1107683
user_pref("camera.control.autofocus_moving_callback.enabled", false);
@ -2024,7 +1997,7 @@ user_pref("dom.telephony.enabled", false);
user_pref("dom.battery.enabled", false);
// ***/
/* ESR52 still needs all the following prefs
/* ESR52.x still uses all the following prefs
// [NOTE] replace the * with a slash in the line above to re-enable them if you're using ESR52.x.x
// FF53
// 1265: block rc4 fallback