64-beta

dyslexia and/or dementia
5000s: disable CFR
2025-09-01 09:28:31 +02:00 · 2018-12-12 17:17:33 +00:00 · 2018-12-12 16:52:12 +00:00 · 2018-12-12 16:34:27 +00:00 · 2018-12-12 13:22:58 +00:00 · 2018-12-12 13:21:24 +00:00
2 changed files with 73 additions and 62 deletions
--- a/scratchpad-scripts/ghacks-clear-[removed].js
+++ b/scratchpad-scripts/ghacks-clear-[removed].js
@ -1,7 +1,7 @@
 /***
 This will reset the preferences that have been removed completely from the ghacks user.js.

- Last updated: 18-Mov-2018
+ Last updated: 12-Dec-2018

 For instructions see:
 https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
@ -108,6 +108,15 @@
    'privacy.trackingprotection.ui.enabled',
    /* 64-beta */
    'browser.eme.ui.enabled',
+    'browser.sessionstore.max_windows_undo',
+    'network.auth.subresource-img-cross-origin-http-auth-allow',
+    'media.peerconnection.ice.tcp',
+    'media.peerconnection.identity.enabled',
+    'media.peerconnection.identity.timeout',
+    'media.peerconnection.turn.disable',
+    'media.peerconnection.use_document_iceservers',
+    'media.peerconnection.video.enabled',
+    'media.navigator.video.enabled',
    /* reset parrot: check your open about:config after running the script */
    '_user.js.parrot'
  ]
--- a/user.js
+++ b/user.js
@ -1,8 +1,8 @@
 /******
 * name: ghacks user.js
-* date: 11 December 2018
-* version 63: Pants Romance
-*   "Rah rah ah-ah-ah! Ro mah ro-mah-mah. Gaga oh-la-la! Want your pants romance"
+* date: 12 December 2018
+* version 64-beta: Crocodile Pants
+*   "I remember when Pants was young, me and Suzie had so much fun"
 * authors: v52+ github | v51- www.ghacks.net
 * url: https://github.com/ghacksuserjs/ghacks-user.js
 * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt
@ -51,7 +51,7 @@
     0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS
     0900: PASSWORDS
     1000: CACHE / SESSION (RE)STORE / FAVICONS
-     1200: HTTPS (SSL/TLS / OCSP / CERTS / HSTS / HPKP / CIPHERS)
+     1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
     1400: FONTS
     1600: HEADERS / REFERERS
     1700: CONTAINERS
@ -86,6 +86,7 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
 * [SETTING] General>Startup>Always check if Firefox is your default browser ***/
 user_pref("browser.shell.checkDefaultBrowser", false);
 /* 0102: set START page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
+ * [NOTE] Session Restore is not used in PB mode (0110) and is cleared with history (2803, 2804)
 * [SETTING] General>Startup>Restore previous session ***/
 user_pref("browser.startup.page", 0);
 /* 0103: set HOME+NEWWINDOW page
@ -109,12 +110,12 @@ user_pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", "");
 * Runs code received from a server (aka Remote Code Execution) and sends information back to a metrics server
 * [1] https://abouthome-snippets-service.readthedocs.io/ ***/
 user_pref("browser.newtabpage.activity-stream.disableSnippets", true);
-user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); // has setting (see 0105)
+user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
 user_pref("browser.aboutHomeSnippets.updateUrl", "");
 /* 0105c: disable AS Top Stories, Pocket-based and/or sponsored content ***/
-user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); // has setting (see 0105)
-user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); // has setting (see 0105)
-user_pref("browser.newtabpage.activity-stream.showSponsored", false); // has setting (see 0105)
+user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
+user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
+user_pref("browser.newtabpage.activity-stream.showSponsored", false);
 /* 0105d: disable AS recent Highlights in the Library [FF57+] ***/
   // user_pref("browser.library.activity-stream.enabled", false);
 /* 0110: start Firefox in PB (Private Browsing) mode
@ -231,12 +232,20 @@ user_pref("datareporting.healthreport.uploadEnabled", false);
 * If disabled, no policy is shown or upload takes place, ever
 * [1] https://bugzilla.mozilla.org/1195552 ***/
 user_pref("datareporting.policy.dataSubmissionEnabled", false);
+/* 0335: disable Telemetry Coverage [FF64+]
+ * [1] https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ ***/
+user_pref("toolkit.coverage.opt-out", true); // [HIDDEN PREF]
 /* 0350: disable crash reports ***/
 user_pref("breakpad.reportURL", "");
 /* 0351: disable sending of crash reports ***/
 user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+]
 user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+]
 user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [FF58+]
+/* 0370: disable Pocket [FF46+]
+ * Pocket is a third party (now owned by Mozilla) "save for later" cloud service
+ * [1] https://en.wikipedia.org/wiki/Pocket_(application)
+ * [2] https://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-pocket/ ***/
+user_pref("extensions.pocket.enabled", false);
 /* 0380: disable Browser Error Reporter [FF60+]
 * [1] https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection
 * [2] https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html ***/
@ -383,25 +392,12 @@ user_pref("app.shield.optoutstudies.enabled", false);
 /* 0506: disable PingCentre telemetry (used in several System Add-ons) [FF57+]
 * Currently blocked by 'datareporting.healthreport.uploadEnabled' (see 0333) ***/
 user_pref("browser.ping-centre.telemetry", false);
-/* 0510: disable Pocket [FF46+]
- * Pocket is a third party (now owned by Mozilla) "save for later" cloud service
- * [1] https://en.wikipedia.org/wiki/Pocket_(application)
- * [2] https://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-pocket/ ***/
-user_pref("extensions.pocket.enabled", false);
 /* 0515: disable Screenshots
 * alternatively in FF60+, disable uploading to the Screenshots server
 * [1] https://github.com/mozilla-services/screenshots
 * [2] https://www.ghacks.net/2017/05/28/firefox-screenshots-integrated-in-firefox-nightly/ ***/
   // user_pref("extensions.screenshots.disabled", true); // [FF55+]
   // user_pref("extensions.screenshots.upload-disabled", true); // [FF60+]
-/* 0516: disable Onboarding [FF55+]
- * Onboarding is an interactive tour/setup for new installs/profiles and features. Every time
- * about:home or about:newtab is opened, the onboarding overlay is injected into that page
- * [NOTE] Onboarding uses Google Analytics [2], and leaks resource://URIs [3]
- * [1] https://wiki.mozilla.org/Firefox/Onboarding
- * [2] https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf
- * [3] https://bugzilla.mozilla.org/863246#c154 ***/
-user_pref("browser.onboarding.enabled", false);
 /* 0517: disable Form Autofill
 * [NOTE] Stored data is NOT secure (uses a JSON file)
 * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
@ -647,9 +643,6 @@ user_pref("signon.formlessCapture.enabled", false);
 * [2] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1217152,1319119 ***/
 user_pref("signon.autofillForms.http", false);
 user_pref("security.insecure_field_warning.contextual.enabled", true);
-/* 0911: prevent cross-origin images from triggering an HTTP-Authentication prompt [FF55+]
- * [1] https://bugzilla.mozilla.org/1357835 ***/
-user_pref("network.auth.subresource-img-cross-origin-http-auth-allow", false);

 /*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS [SETUP-CHROME]
     ETAG [1] and other [2][3] cache tracking/fingerprinting techniques can be averted by
@ -693,18 +686,15 @@ user_pref("browser.cache.disk_cache_ssl", false);
   // user_pref("network.dnsCacheExpiration", 60);

 /** SESSIONS & SESSION RESTORE ***/
-/* 1020: limit Session Restore to last active tab and window
- * [SETUP-CHROME] This also disables the "Recently Closed Tabs" feature
- * It does not affect "Recently Closed Windows" or any history. ***/
-user_pref("browser.sessionstore.max_tabs_undo", 0);
-user_pref("browser.sessionstore.max_windows_undo", 0);
+/* 1020: exclude "Undo Closed Tabs" in Session Restore ***/
+   // user_pref("browser.sessionstore.max_tabs_undo", 0);
 /* 1021: disable storing extra session data [SETUP-CHROME]
 * extra session data contains contents of forms, scrollbar positions, cookies and POST data
 * define on which sites to save extra session data:
 * 0=everywhere, 1=unencrypted sites, 2=nowhere ***/
 user_pref("browser.sessionstore.privacy_level", 2);
 /* 1022: disable resuming session from crash ***/
-user_pref("browser.sessionstore.resume_from_crash", false);
+   // user_pref("browser.sessionstore.resume_from_crash", false);
 /* 1023: set the minimum interval between session save operations
 * Increasing this can help on older machines and some websites, as well as reducing writes, see [1]
 * Default is 15000 (15 secs). Try 30000 (30sec), 60000 (1min) etc
@ -729,14 +719,13 @@ user_pref("browser.shell.shortcutFavicons", false);
 /* 1032: disable favicons in web notifications ***/
 user_pref("alerts.showFavicons", false); // [DEFAULT: false]

-/*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HSTS / HPKP / CIPHERS)
+/*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
   Note that your cipher and other settings can be used server side as a fingerprint attack
   vector, see [1] (It's quite technical but the first part is easy to understand
   and you can stop reading when you reach the second section titled "Enter Bro")

-   Option 1: Use Firefox defaults for the 1260's items (item 1260 default for SHA-1, is local
-             only anyway). There is nothing *weak* about Firefox's defaults, but Mozilla (and
-             other browsers) will always lag for fear of breakage and upset end-users
+   Option 1: Use defaults for ciphers (1260's). There is nothing *weak* about these, but
+             due to breakage, browsers can't deprecate them until the web stops using them
   Option 2: Disable the ciphers in 1261, 1262 and 1263. These shouldn't break anything.
             Optionally, disable the ciphers in 1264.

@ -795,21 +784,31 @@ user_pref("security.OCSP.enabled", 1);
 * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
 user_pref("security.OCSP.require", true);

-/** CERTS / HSTS (HTTP Strict Transport Security) / HPKP (HTTP Public Key Pinning) ***/
-/* 1220: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
+/** CERTS / HPKP (HTTP Public Key Pinning) ***/
+/* 1220: disable or limit SHA-1 certificates
+ * 0=all SHA1 certs are allowed
+ * 1=all SHA1 certs are blocked
+ * 2=deprecated option that now maps to 1
+ * 3=only allowed for locally-added roots (e.g. anti-virus)
+ * 4=only allowed for locally-added roots or for certs in 2015 and earlier
+ * [SETUP-CHROME] When disabled, some man-in-the-middle devices (e.g. security scanners and
+ * antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete.
+ * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/
+user_pref("security.pki.sha1_enforcement_level", 1);
+/* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
 * 0=disable detecting Family Safety mode and importing the root
 * 1=only attempt to detect Family Safety mode (don't import the root)
 * 2=detect Family Safety mode and import the root
 * [1] https://trac.torproject.org/projects/tor/ticket/21686 ***/
 user_pref("security.family_safety.mode", 0);
-/* 1221: disable intermediate certificate caching (fingerprinting attack vector) [RESTART]
+/* 1222: disable intermediate certificate caching (fingerprinting attack vector) [RESTART]
 * [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only.
 * Saved logins and passwords are not available. Reset the pref and restart to return them.
 * [TEST] https://fiprinca.0x90.eu/poc/
 * [1] https://bugzilla.mozilla.org/1334485 - related bug
 * [2] https://bugzilla.mozilla.org/1216882 - related bug (see comment 9) ***/
   // user_pref("security.nocertdb", true); // [HIDDEN PREF]
-/* 1222: enforce strict pinning
+/* 1223: enforce strict pinning
 * PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict
 * [WARNING] If you rely on an AV (antivirus) to protect your web browsing
 * by inspecting ALL your web traffic, then leave at current default=1
@ -827,16 +826,6 @@ user_pref("security.mixed_content.block_display_content", true);
 user_pref("security.mixed_content.block_object_subrequest", true);

 /** CIPHERS [see the section 1200 intro] ***/
-/* 1260: disable or limit SHA-1
- * 0=all SHA1 certs are allowed
- * 1=all SHA1 certs are blocked (including perfectly valid ones from 2015 and earlier)
- * 2=deprecated option that now maps to 1
- * 3=only allowed for locally-added roots (e.g. anti-virus)
- * 4=only allowed for locally-added roots or for certs in 2015 and earlier
- * [SETUP-CHROME] When disabled, some man-in-the-middle devices (e.g. security scanners and
- * antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete.
- * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/
-user_pref("security.pki.sha1_enforcement_level", 1);
 /* 1261: disable 3DES (effective key size < 128)
 * [1] https://en.wikipedia.org/wiki/3des#Security
 * [2] http://en.citizendium.org/wiki/Meet-in-the-middle_attack
@ -1032,18 +1021,11 @@ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
 /* 2001: disable WebRTC (Web Real-Time Communication)
 * [1] https://www.privacytools.io/#webrtc ***/
 user_pref("media.peerconnection.enabled", false);
-user_pref("media.peerconnection.use_document_iceservers", false);
-user_pref("media.peerconnection.video.enabled", false);
-user_pref("media.peerconnection.identity.enabled", false);
-user_pref("media.peerconnection.identity.timeout", 1);
-user_pref("media.peerconnection.turn.disable", true);
-user_pref("media.peerconnection.ice.tcp", false);
-user_pref("media.navigator.video.enabled", false); // video capability for WebRTC
 /* 2002: limit WebRTC IP leaks if using WebRTC
 * [TEST] https://browserleaks.com/webrtc
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416
 * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
-user_pref("media.peerconnection.ice.default_address_only", true); // [FF42-FF50]
+user_pref("media.peerconnection.ice.default_address_only", true);
 user_pref("media.peerconnection.ice.no_host", true); // [FF51+]
 /* 2010: disable WebGL (Web Graphics Library), force bare minimum feature set if used & disable WebGL extensions
 * [1] https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
@ -1281,11 +1263,11 @@ user_pref("browser.uitour.url", "");
 * [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
 * [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/
 user_pref("devtools.chrome.enabled", false);
-/* 2608: disable WebIDE to prevent remote debugging and extension downloads
+/* 2608: disable WebIDE to prevent remote debugging and ADB extension download
 * [1] https://trac.torproject.org/projects/tor/ticket/16222 ***/
-user_pref("devtools.webide.autoinstallADBHelper", false);
 user_pref("devtools.debugger.remote-enabled", false);
 user_pref("devtools.webide.enabled", false);
+user_pref("devtools.webide.autoinstallADBExtension", false); // [FF64+]
 /* 2609: disable MathML (Mathematical Markup Language) [FF51+]
 * [TEST] http://browserspy.dk/mathml.php
 * [1] https://bugzilla.mozilla.org/1173199 ***/
@ -1373,9 +1355,6 @@ user_pref("xpinstall.whitelist.required", true); // [DEFAULT: true]
 /* 2680: enable CSP (Content Security Policy)
 * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
 user_pref("security.csp.enable", true); // [DEFAULT: true]
-/* 2681: disable CSP violation events [FF59+]
- * [1] https://developer.mozilla.org/docs/Web/API/SecurityPolicyViolationEvent ***/
-user_pref("security.csp.enable_violation_events", false);
 /* 2682: enable CSP 1.1 experimental hash-source directive [FF29+]
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=855326,883975 ***/
 user_pref("security.csp.experimentalEnabled", true);
@ -1759,6 +1738,9 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
   // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
 /* OTHER ***/
   // user_pref("browser.bookmarks.max_backups", 2);
+   // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false); // disable CFR [FF64+]
+      // [SETTING] General>Browsing>Recommend extensions as you browse
+      // [1] https://support.mozilla.org/en-US/kb/extension-recommendations
   // user_pref("identity.fxaccounts.enabled", false); // disable and hide Firefox Accounts and Sync [FF60+] [RESTART]
   // user_pref("network.manage-offline-status", false); // see Bugzilla 620472
   // user_pref("reader.parse-on-load.enabled", false); // "Reader View"
@ -2207,6 +2189,26 @@ user_pref("media.autoplay.enabled", false);
   // [-] https://bugzilla.mozilla.org/1473595
   // user_pref("browser.ctrlTab.previews", true);
 // * * * /
+// FF64
+// 0516: disable Onboarding [FF55+]
+   // Onboarding is an interactive tour/setup for new installs/profiles and features. Every time
+   // about:home or about:newtab is opened, the onboarding overlay is injected into that page
+   // [NOTE] Onboarding uses Google Analytics [2], and leaks resource://URIs [3]
+   // [1] https://wiki.mozilla.org/Firefox/Onboarding
+   // [2] https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf
+   // [3] https://bugzilla.mozilla.org/863246#c154
+   // [-] https://bugzilla.mozilla.org/1462415
+user_pref("browser.onboarding.enabled", false);
+// 2608: disable WebIDE ADB extension downloads - both renamed
+   // [1] https://trac.torproject.org/projects/tor/ticket/16222
+   // [-] https://bugzilla.mozilla.org/1491315
+user_pref("devtools.webide.autoinstallADBHelper", false);
+user_pref("devtools.webide.adbAddonURL", "");
+// 2681: disable CSP violation events [FF59+]
+   // [1] https://developer.mozilla.org/docs/Web/API/SecurityPolicyViolationEvent
+   // [-] https://bugzilla.mozilla.org/1488165
+user_pref("security.csp.enable_violation_events", false);
+// * * * /
 // ***/

 /* END: internal custom pref to test for syntax errors ***/
Author	SHA1	Message	Date
Thorin-Oakenpants	e60abd6c44	64-beta	2018-12-12 17:17:33 +00:00
Thorin-Oakenpants	d55b8176ad	dyslexia and/or dementia	2018-12-12 16:52:12 +00:00
Thorin-Oakenpants	31adbba774	5000s: disable CFR	2018-12-12 16:34:27 +00:00
Thorin-Oakenpants	3c247a2c5b	Update ghacks-clear-[removed].js	2018-12-12 13:22:58 +00:00
Thorin-Oakenpants	879f0abf28	2201: more garbage	2018-12-12 13:21:24 +00:00
Thorin-Oakenpants	d97d0ec0f5	media.peerconnection* covered by user_pref("media.peerconnection.enabled", false);	2018-12-12 13:09:03 +00:00
earthlng	3916e38681	taking out the garbage (#590 )	2018-12-13 02:02:38 +13:00
Thorin-Oakenpants	51ac69874b	0105* remove // has setting	2018-12-12 11:58:48 +00:00
earthlng	2d956d04f3	move 1260 to 122x (#591 ) * move 1260 to 122x "disable or limit SHA-1 certificates" is about certs, not ciphers. Because CERTS is 1st in the title I moved it to the 1st item there because it's arguably also the most important of the lot (and renumbered the rest) We can also drop HSTS from the subgroup title because there's nothing HSTS left atm.	2018-12-13 00:52:49 +13:00
Thorin-Oakenpants	9d6bfb650c	disable Telemetry Coverage (#589 )	2018-12-13 00:29:29 +13:00
Thorin-Oakenpants	ccdd4decf0	Pocket: 0510->0370 Pocket is no longer a System Add-on in FF64+	2018-12-12 08:25:25 +00:00
Thorin-Oakenpants	f0fbfd3086	network.auth.subresource-img-cross-origin-http-auth-allow #585	2018-12-11 17:44:19 +00:00
Thorin-Oakenpants	88b747ef36	0911: remove it, #585 it is default false in FF59+	2018-12-11 17:42:19 +00:00
Thorin-Oakenpants	c6ebe36165	1022: resume from crash=>inactive, closes #575	2018-12-11 17:28:21 +00:00
Thorin-Oakenpants	7684e83aba	0102 add SR info #575	2018-12-11 17:18:26 +00:00
Thorin-Oakenpants	4f37975566	browser.sessionstore.max_windows_undo #575	2018-12-11 16:49:38 +00:00
Thorin-Oakenpants	26b874bed7	1020: remove max_windows #575	2018-12-11 16:43:11 +00:00
earthlng	61be5ae563	all Deprecations + new ADB extension prefs (#587 )	2018-12-12 05:07:28 +13:00
Thorin-Oakenpants	ef1e61ebcd	start 64-alpha	2018-12-11 16:05:07 +00:00