Git/firefox-user.js
1
0
Fork 0
mirror of https://github.com/arkenfox/user.js.git synced 2025-09-01 09:28:31 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Git:69.0
Branches Tags
Git:master Git:Thorin-Oakenpants-patch-1
Git:140.0 Git:135.0 Git:133.0 Git:128.0 Git:126.1 Git:126.0 Git:122.0 Git:119.0 Git:118.0 Git:117.0 Git:115.1 Git:115.0 Git:112.0 Git:111.0 Git:110.0 Git:v110.0 Git:109.0 Git:108.0 Git:107.0 Git:106.0 Git:105.0 Git:104.0 Git:103.0 Git:102.1 Git:102.0 Git:101.0 Git:100.0 Git:99.0 Git:98.0 Git:97.0 Git:96.0 Git:95.0 Git:94.1 Git:94.0 Git:91.1 Git:93.0 Git:92.0 Git:91.0 Git:90.0 Git:89.0 Git:88.0 Git:87.0 Git:86.0 Git:85.0 Git:84.0 Git:83.0 Git:82.0 Git:v82.0-beta Git:81.0 Git:v81.0-beta Git:80.0 Git:v80.0-beta Git:79.0 Git:v79.0-beta Git:78.0 Git:v78.0-beta Git:77.0 Git:v77.0-beta Git:76.0 Git:v76.0-beta Git:75.0 Git:v75.0-beta Git:74.0 Git:v74.0-beta Git:73.0 Git:v73.0-beta Git:72.0 Git:v72.0-beta Git:71.0 Git:v71.0-beta Git:70.0 Git:v70.0-beta Git:69.0 Git:v69.0-beta Git:68.0 Git:v68.0-beta Git:67.0 Git:v67.0-beta Git:66.0 Git:v66.0-beta Git:65.0 Git:v65.0-beta Git:64.0 Git:v64.0-beta Git:63.0 Git:v63.0-beta Git:62.0 Git:v62.0-beta Git:61.0 Git:v61.0-beta Git:60.0 Git:v60.0-beta Git:59.0 Git:v59.0-alpha Git:58.0 Git:v58.0-alpha Git:57.0 Git:v57.0-alpha Git:56.0 Git:v56.0-alpha Git:55.0 Git:v55.0-alpha Git:54.0 Git:v54.0-alpha-rev1 Git:v54.0-alpha Git:53.0 Git:v53.0-alpha Git:52.0 Git:v52.0-alpha Git:51.0
...
compare: Git:71.0
Branches Tags
Git:Thorin-Oakenpants-patch-1 Git:master
Git:140.0 Git:135.0 Git:133.0 Git:128.0 Git:126.1 Git:126.0 Git:122.0 Git:119.0 Git:118.0 Git:117.0 Git:115.1 Git:115.0 Git:112.0 Git:111.0 Git:110.0 Git:v110.0 Git:109.0 Git:108.0 Git:107.0 Git:106.0 Git:105.0 Git:104.0 Git:103.0 Git:102.1 Git:102.0 Git:101.0 Git:100.0 Git:99.0 Git:98.0 Git:97.0 Git:96.0 Git:95.0 Git:94.1 Git:94.0 Git:91.1 Git:93.0 Git:92.0 Git:91.0 Git:90.0 Git:89.0 Git:88.0 Git:87.0 Git:86.0 Git:85.0 Git:84.0 Git:83.0 Git:82.0 Git:v82.0-beta Git:81.0 Git:v81.0-beta Git:80.0 Git:v80.0-beta Git:79.0 Git:v79.0-beta Git:78.0 Git:v78.0-beta Git:77.0 Git:v77.0-beta Git:76.0 Git:v76.0-beta Git:75.0 Git:v75.0-beta Git:74.0 Git:v74.0-beta Git:73.0 Git:v73.0-beta Git:72.0 Git:v72.0-beta Git:71.0 Git:v71.0-beta Git:70.0 Git:v70.0-beta Git:69.0 Git:v69.0-beta Git:68.0 Git:v68.0-beta Git:67.0 Git:v67.0-beta Git:66.0 Git:v66.0-beta Git:65.0 Git:v65.0-beta Git:64.0 Git:v64.0-beta Git:63.0 Git:v63.0-beta Git:62.0 Git:v62.0-beta Git:61.0 Git:v61.0-beta Git:60.0 Git:v60.0-beta Git:59.0 Git:v59.0-alpha Git:58.0 Git:v58.0-alpha Git:57.0 Git:v57.0-alpha Git:56.0 Git:v56.0-alpha Git:55.0 Git:v55.0-alpha Git:54.0 Git:v54.0-alpha-rev1 Git:v54.0-alpha Git:53.0 Git:v53.0-alpha Git:52.0 Git:v52.0-alpha Git:51.0

52 Commits
69.0 ... 71.0

Author SHA1 Message Date
Thorin-Oakenpants
07c128a190 71 final 2019-12-19 16:31:51 +00:00
Thorin-Oakenpants
5b1d56933b middlemouse.paste, see #735 2019-12-19 16:21:21 +00:00
Thorin-Oakenpants
34cfcedc1b 2402+2403, finally closes #735 2019-12-19 16:19:39 +00:00
Thorin-Oakenpants
f9146fdf24 update setting tags, minor tweaks 2019-12-18 09:46:21 +00:00
Thorin-Oakenpants
a1cdbc8324 1408 graphite, closes #1408 and 2619 puncyode 2019-12-18 07:46:44 +00:00
earthlng
cd07641a9d 2701: make sure cookieBehavior is always honored (#866) 
see #862
 2019-12-18 05:02:25 +00:00
earthlng
9c02949e04 0000: config.xhtml in FF73+ (#865) 2019-12-17 15:00:34 +00:00
Thorin-Oakenpants
1ef62a1036 media.block-autoplay-until-in-foreground #840 2019-12-12 01:24:12 +00:00
Thorin-Oakenpants
5672bc8cc8 2032 removed, 4002 inactive, closes #840 2019-12-12 01:21:17 +00:00
Thorin-Oakenpants
df1732745d 0308: seach engine updates: better info #840 2019-12-10 22:07:23 +00:00
Thorin-Oakenpants
30daf8640c FPI stuff 2019-12-09 20:18:42 +00:00
earthlng
4074a37e1d 1201 + 1270 update (#859) 
trim by a line, remove extra space, fixup on red, indicate it only applies if 1201 is false
 2019-12-07 18:26:39 +00:00
Thorin-Oakenpants
97043b0ce1 71-beta 2019-12-06 12:19:21 +00:00
Thorin-Oakenpants
42ea484017 71 deprecated (#856) 2019-12-04 14:13:49 +13:00
Thorin-Oakenpants
3f6340b69c OMG!! 2019-12-03 14:51:44 +00:00
earthlng
884e84a4cb about:config warning back to the top + active (#855) 2019-12-04 03:44:59 +13:00
Thorin-Oakenpants
560acfc94f 70 final 2019-12-03 07:31:47 +00:00
Thorin-Oakenpants
fb263f5624 favicons: 1031 better info, 1032 inactive #840 (#851) 2019-12-02 23:04:09 +13:00
Thorin-Oakenpants
19b392b83d 70-beta 2019-11-24 05:23:10 +00:00
Thorin-Oakenpants
2db76c95c3 1603: breaks icloud, closes #850 2019-11-23 16:19:09 +00:00
Thorin-Oakenpants
b6fbf77dde Create ghacks-clear-FF68inclusive-[RFP-alternatives].js 2019-11-23 03:04:14 +00:00
Thorin-Oakenpants
a4ba22e912 Delete ghacks-clear-FF60inclusive-[RFP-alternatives].js 2019-11-23 03:02:59 +00:00
Thorin-Oakenpants
163e18ce6d Create ghacks-clear-FF68inclusive-[deprecated].js 2019-11-23 02:57:26 +00:00
Thorin-Oakenpants
a13027905e Delete ghacks-clear-FF60inclusive-[deprecated].js 2019-11-23 02:56:30 +00:00
Thorin-Oakenpants
8f76d9439f 2002: add FF70 bugzilla link 2019-11-22 15:26:38 +00:00
earthlng
f0980b5cb8 2002: add proxy_only_if_behind_proxy 2019-11-22 15:19:37 +00:00
Thorin-Oakenpants
450c9a9e0f simplify ciphers, closes #839 (#844) 
* simplify ciphers

- let's not encourage (remove options 1, 2) changing your cipher suite FP
- remove "it's quite technical ..." (everything is technical to someone), trim to one line
- add test link so users can just see that it's FP'able
- reinforce not to fuck with the cipher suite in the cipher's sub-section
 2019-11-23 03:23:08 +13:00
Thorin-Oakenpants
6acfdaccbd RFP stuff 2019-11-20 04:48:15 +00:00
Thorin-Oakenpants
a0e0a2a6c9 2680 tweak #840 2019-11-19 16:26:14 +00:00
Thorin-Oakenpants
f67e729197 whatsNewPanel correct version 2019-11-19 06:39:08 +00:00
rusty-snake
19526b573c 2805 note, FPI change (#842) 2019-11-19 16:31:48 +13:00
Thorin-Oakenpants
b0221ec838 1576254 version fixup 2019-11-17 10:33:02 +00:00
Thorin-Oakenpants
a3611b7cf8 changes to prefs affecting extensions 
also first word on pdfjs.disabled, to be consistent
 2019-11-14 02:39:48 +00:00
earthlng
bff1e84afa v1.6.0 2019-11-11 15:10:14 +00:00
Thorin-Oakenpants
1d31da40ec missing comma 
thanks @sebp  - 0d57cfc44a (commitcomment-35890867)
 2019-11-11 13:00:01 +00:00
Thorin-Oakenpants
0d57cfc44a about_newtab_segregation.enabled 2019-11-09 23:25:52 +00:00
Thorin-Oakenpants
0cfb2fb06d 1703: remove 
default true since FF61, and ESR60 is now EOL
 2019-11-09 23:23:34 +00:00
Thorin-Oakenpants
d5f297ed42 5000s: disable what's new 2019-11-08 18:06:35 +00:00
earthlng
c13dbdf40d 1201 update (#838) 
https://wiki.mozilla.org/Security:Renegotiation describes

> **the new default behaviour** that was introduced in experimental mozilla-central nightly versions on 2010-02-08

where the last step is

> - should the server (or a MITM) request **renegotiation**, Mozilla will terminate the connection with an error message

and then after talking about breakage ...

> The above defaults may break some client/server environments where a Server is still using old software and requires renegotiation.

mentions workarounds to reduce said breakage:

> In order to give such environments a way to keep using Firefox (et.al.) to connect to their vulnerable server infrastructure, the following preferences are available:

specifically talking about the first 2 prefs listed there, one allowing to specify a list of hosts "where renegotiation may be performed" and the 2nd one "completely disables the new protection mechanisms".
But both those prefs were removed in FF38, meaning that since then it's no longer possible to disable the default behaviour that is "should the server (or a MITM) request **renegotiation**, Mozilla will terminate the connection with an error message".

But all of this is about the **re**-negotiation part and not negotiation. And nowhere does it say "insecure" renegotiation, which, as I read it, means that FF will terminate the connection for any kind of **renegotiation**, safe or unsafe.

1201 controls the negotiation part:

> This pref controls the behaviour during the initial negotiation between client and server.
> If set to true, a Mozilla client will reject all connection attempts to servers that are still using the old SSL/TLS protocol and which might be vulnerable to the attack.
> Setting this preference to “true” is the only way to guarantee full protection against the attack.

I think "servers that are still using the old SSL/TLS protocol" actually means servers that **only** support the old protocols.
Servers still supporting those old protocols in addition to some new protocol versions should not be affected by this pref because FF will be able to negotiate to use one of the newer protocol versions.

Ergo lets fix the title and remove the line about renegotiation support because I think that's irrelevant.


ps. the sslpulse link is nice and I'd like to keep it somewhere but it doesn't really fit in 1201 IMO so I moved it to 1202.
 2019-11-09 05:42:21 +13:00
earthlng
6173104a9e re-add relevant deprecated items for ESR users (#837) 
makes the prefsCleaner scripts useful again for users updating from ESR60 to ESR68
 2019-11-09 05:30:03 +13:00
Thorin-Oakenpants
0c79b8b45b Update README.md 2019-11-08 13:46:20 +00:00
earthlng
895f8d01d5 FF70+: shield studies no longer tied to FHR (#836) 
https://bugzilla.mozilla.org/1569330
 2019-11-09 02:01:33 +13:00
Thorin-Oakenpants
65dfad5c76 2701: UI changes 2019-11-06 11:37:24 +00:00
earthlng
fdaf22780f Update README.md 2019-11-02 16:00:12 +00:00
Thorin-Oakenpants
16756646bb remove DoH, closes #790 2019-10-31 09:49:12 +00:00
Thorin-Oakenpants
e4f80225d8 FF72: FPI & IPv6 2019-10-28 12:12:52 +00:00
Thorin-Oakenpants
67eec9c85c pbmode insecure text/icon 
see `1273`
- we already make **all** windows do this (which overrides the pb mode setting), and these were inactive
- in FF70+ the icon pref (for PB mode and all windows) is now default true
 2019-10-27 04:50:59 +00:00
Thorin-Oakenpants
539750d2f2 FF70 hidden/default changes 2019-10-27 04:41:27 +00:00
Thorin-Oakenpants
d91226ed55 tweakin' 2019-10-20 23:59:16 +00:00
Thorin-Oakenpants
301fcd059d 1003: capacity no longer hidden 2019-10-20 23:36:48 +00:00
Thorin-Oakenpants
1cc9a08a18 remove ESR60.x deprecated 
These are archived in #123
 2019-10-20 22:40:53 +00:00
Thorin-Oakenpants
5d1857ddd8 start 70 commits 2019-10-20 22:32:37 +00:00
6 changed files with 266 additions and 221 deletions
Expand all files Collapse all files

4
README.md
View File

@ -8,7 +8,7 @@ Everyone, experts included, should at least read the [implementation](https://gi
Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://www.torproject.org/about/torusers.html.en) calls for it, or for accessing hidden services.
Also be aware that this `user.js` is made specifically for Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser.
Also be aware that this `user.js` is made specifically for desktop Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser.
Sitemap: [Releases](https://github.com/ghacksuserjs/ghacks-user.js/releases), [changelogs](https://github.com/ghacksuserjs/ghacks-user.js/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Achangelog), [Wiki](https://github.com/ghacksuserjs/ghacks-user.js/wiki), [stickies](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22). [diffs](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+label%3Adiffs)
@ -18,7 +18,7 @@ Literally thousands of sources, references and suggestions. That said...
* Martin Brinkmann at [ghacks](https://www.ghacks.net/) <sup>1</sup>
* The ghacks community and commentators
* [12bytes](https://12bytes.org/articles/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs)
* The 12bytes article now uses this user.js and supplements it with an additional JS hosted at [GitLab](https://gitlab.com/labwrat/Firefox-user.js/tree/master)
* The 12bytes article now uses this user.js and supplements it with an additional JS hosted at [Codeberg](https://codeberg.org/12bytes.org/Firefox-user.js-supplement)
<sup>1</sup> The ghacks user.js was an independent project by [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) started in early 2015 and was [first published](https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/) at ghacks in August 2015. With Martin Brinkmann's blessing, it will keep the ghacks name.

4
scratchpad-scripts/ghacks-clear-FF60inclusive-[RFP-alternatives].js → scratchpad-scripts/ghacks-clear-FF68inclusive-[RFP-alternatives].js
View File

@ -1,6 +1,6 @@
/***
This will reset the preferences that are under sections 4600 & 4700 in the ghacks user.js
up to and including release 60-beta. These are the prefs that are no longer necessary,
up to and including Firefox/ESR 68. These are the prefs that are no longer necessary,
or they conflict with, privacy.resistFingerprinting if you have that enabled.
For instructions see:
@ -22,6 +22,8 @@
'dom.w3c_touch_events.enabled',
'media.ondevicechange.enabled',
'webgl.enable-debug-renderer-info',
'dom.w3c_pointer_events.enabled',
'ui.use_standins_for_native_colors',
/* section 4700 */
'general.useragent.override',
'general.buildID.override',

44
scratchpad-scripts/ghacks-clear-FF60inclusive-[deprecated].js → scratchpad-scripts/ghacks-clear-FF68inclusive-[deprecated].js
View File

@ -1,6 +1,6 @@
/***
This will reset the preferences that have been deprecated by Mozilla
and used in the ghacks user.js up to and including release 60-beta
and used in the ghacks user.js up to and including Firefox/ESR 68
It is in reverse order, so feel free to remove sections that do not apply
@ -12,8 +12,43 @@
let ops = [
/* deprecated */
/* ESR52.x users can remove sections 53-60 but it is not
crucial as your user.js will reinstate them */
/* 68 */
'browser.newtabpage.activity-stream.disableSnippets',
'browser.aboutHomeSnippets.updateUrl',
'lightweightThemes.update.enabled',
'security.csp.experimentalEnabled',
/* F67 */
'dom.event.highrestimestamp.enabled',
'browser.newtabpage.activity-stream.asrouter.userprefs.cfr',
/* 66 */
'browser.chrome.errorReporter.enabled',
'browser.chrome.errorReporter.submitUrl',
'network.allow-experiments',
/* 65 */
'browser.urlbar.autocomplete.enabled',
'browser.fixup.hide_user_pass',
/* 64 */
'browser.onboarding.enabled',
'devtools.webide.autoinstallADBHelper',
'devtools.webide.adbAddonURL',
'security.csp.enable_violation_events',
/* 63 */
'browser.search.countryCode',
'app.update.enabled',
'shield.savant.enabled',
'browser.chrome.favicons',
'media.autoplay.enabled',
'network.cookie.lifetime.days',
'browser.ctrlTab.previews',
/* 62 */
'plugin.state.java',
/* 61 */
'experiments.enabled',
'experiments.manifest.uri',
'experiments.supported',
'experiments.activeExperiment',
'network.jar.block-remote-files',
'network.jar.open-unsafe-types',
/* 60 */
'browser.newtabpage.directory.source',
'browser.newtabpage.enhanced',
@ -22,7 +57,6 @@
'extensions.shield-recipe-client.api_url',
'browser.newtabpage.activity-stream.enabled',
'dom.workers.enabled',
'view_source.tab',
/* 59 */
'intl.locale.matchOS',
'general.useragent.locale',
@ -76,8 +110,6 @@
'plugin.scan.WindowsMediaPlayer',
'media.getusermedia.screensharing.allow_on_old_platforms',
'dom.beforeAfterKeyboardEvent.enabled',
/* End of ESR52.x section */
/* 52 */
'network.http.sendSecureXSiteReferrer',
'media.gmp-eme-adobe.enabled',

12
scratchpad-scripts/ghacks-clear-[removed].js
View File

@ -1,7 +1,7 @@
/***
This will reset the preferences that have been removed completely from the ghacks user.js.
Last updated: 15-October-2019
Last updated: 19-December-2019
For instructions see:
https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
@ -204,14 +204,20 @@
/* 70-beta */
'browser.cache.disk_cache_ssl',
'browser.sessionhistory.max_entries',
'dom.push.connection.enabled',
'dom.push.serverURL',
'extensions.getAddons.discovery.api_url',
'extensions.htmlaboutaddons.discover.enabled',
'extensions.webservice.discoverURL',
'intl.locale.requested',
'intl.regional_prefs.use_os_locales',
'dom.push.connection.enabled',
'dom.push.serverURL',
'privacy.usercontext.about_newtab_segregation.enabled',
'security.insecure_connection_icon.pbmode.enabled',
'security.insecure_connection_text.pbmode.enabled',
'webgl.dxgl.enabled',
/* 71-beta */
'media.block-autoplay-until-in-foreground',
'middlemouse.paste',
/* reset parrot: check your open about:config after running the script */
'_user.js.parrot'
]

190
scratchpad-scripts/troubleshooter.js
View File

@ -1,65 +1,11 @@
/*** ghacks-user.js troubleshooter.js v1.5.2 ***/
/*** ghacks-user.js troubleshooter.js v1.6.0 ***/
(function() {
if("undefined" === typeof(Services)) {
alert("about:config needs to be the active tab!");
return;
}
if ("undefined" === typeof(Services)) return alert('about:config needs to be the active tab!');
function getMyList(arr) {
let aRet = [];
let dummy = 0;
for (let i = 0, len = arr.length; i < len; i++) {
if (Services.prefs.prefHasUserValue(arr[i])) {
dummy = Services.prefs.getPrefType(arr[i]);
switch (dummy) {
case 32: // string (see https://dxr.mozilla.org/mozilla-central/source/modules/libpref/nsIPrefBranch.idl#31)
dummy = Services.prefs.getCharPref(arr[i]);
aRet.push({'name':arr[i],'value': dummy,'type':32});
break;
case 64: // int
dummy = Services.prefs.getIntPref(arr[i]);
aRet.push({'name':arr[i],'value': dummy,'type':64});
break;
case 128: // boolean
dummy = Services.prefs.getBoolPref(arr[i]);
aRet.push({'name':arr[i],'value': dummy,'type':128});
break;
default:
console.log("error detecting pref-type for '"+arr[i]+"' !");
}
}
}
return aRet;
}
function reapply(arr) {
for (let i = 0, len = arr.length; i < len; i++) {
switch (arr[i].type) {
case 32: // string
Services.prefs.setCharPref(arr[i].name, arr[i].value);
break;
case 64: // int
Services.prefs.setIntPref(arr[i].name, arr[i].value);
break;
case 128: // boolean
Services.prefs.setBoolPref(arr[i].name, arr[i].value);
break;
default:
console.log("error re-appyling value for '"+arr[i].name+"' !"); // should never happen
}
}
}
function myreset(arr) {
for (let i = 0, len = arr.length; i < len; i++) {
Services.prefs.clearUserPref(arr[i].name);
}
}
let ops = [
const aPREFS = [
/* known culprits */
'network.cookie.cookieBehavior',
@ -160,56 +106,108 @@
'last.one.without.comma'
]
// any runtime-set pref that everyone will have and that can be safely reset
const oFILLER = { type: 64, name: 'extensions.blocklist.pingCountTotal', value: -1 };
// reset prefs that set the same value as FFs default value
let aTEMP = getMyList(ops);
myreset(aTEMP);
reapply(aTEMP);
function getMyList(arr) {
const aRet = [];
for (const sPname of arr) {
if (Services.prefs.prefHasUserValue(sPname)) {
const ptype = Services.prefs.getPrefType(sPname);
switch (ptype) {
case 32: // string (see https://dxr.mozilla.org/mozilla-central/source/modules/libpref/nsIPrefBranch.idl#31)
aRet.push({'type':ptype,'name':sPname,'value':Services.prefs.getCharPref(sPname)});
break;
case 64: // int
aRet.push({'type':ptype,'name':sPname,'value':Services.prefs.getIntPref(sPname)});
break;
case 128: // boolean
aRet.push({'type':ptype,'name':sPname,'value':Services.prefs.getBoolPref(sPname)});
break;
default:
console.log("error detecting pref-type for '"+sPname+"' !");
}
}
}
return aRet;
}
const aBACKUP = getMyList(ops);
//console.log(aBACKUP.length, "user-set prefs from our list detected and their values stored.");
function reapply(arr) {
for (const oPref of arr) {
switch (oPref.type) {
case 32: // string
Services.prefs.setCharPref(oPref.name, oPref.value);
break;
case 64: // int
Services.prefs.setIntPref(oPref.name, oPref.value);
break;
case 128: // boolean
Services.prefs.setBoolPref(oPref.name, oPref.value);
break;
default:
console.log("error re-appyling value for '"+oPref.name+"' !"); // should never happen
}
}
}
let myArr = aBACKUP;
let found = false;
let aDbg = [];
focus();
myreset(aBACKUP); // reset all detected prefs
if (confirm("all detected prefs reset.\n\n!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\nIF the problem still exists, this script can't help you - click cancel to re-apply your values and exit.\n\nClick OK if your problem is fixed.")) {
aDbg = myArr;
reapply(aBACKUP);
myreset(myArr.slice(0, parseInt(myArr.length/2)));
while (myArr.length >= 2) {
function myreset(arr) {
for (const oPref of arr) Services.prefs.clearUserPref(oPref.name);
}
function resetAllMatchingDefault(arr) {
const aTmp = getMyList(arr);
myreset(aTmp);
reapply(aTmp);
}
function _main(aALL) {
const _h = (arr) => Math.ceil(arr.length/2);
let aTmp = aALL, aDbg = aALL;
reapply(aALL);
myreset(aTmp.slice(0, _h(aTmp)));
while (aTmp.length) {
alert("NOW TEST AGAIN !");
if (confirm("if the problem still exists click OK, otherwise click cancel.")) {
myArr = myArr.slice(parseInt(myArr.length/2));
if (myArr.length == 1) {
alert("The problem is caused by more than 1 pref !\n\nNarrowed it down to "+ aDbg.length.toString() +" prefs, check the console ...");
break;
}
aTmp = aTmp.slice(_h(aTmp));
} else {
myArr = myArr.slice(0, parseInt(myArr.length/2));
aDbg = myArr;
if (myArr.length == 1) { found = true; break; }
aTmp = aTmp.slice(0, _h(aTmp));
aDbg = aTmp; // update narrowed down list
if (aDbg.length == 1) break;
}
reapply(aBACKUP);
myreset(myArr.slice(0, parseInt(myArr.length/2))); // reset half of the remaining prefs
reapply(aALL);
myreset(aTmp.slice(0, _h(aTmp))); // reset half of the remaining prefs
}
reapply(aBACKUP);
reapply(aALL);
if (aDbg.length == 1) return alert("narrowed it down to:\n\n"+aDbg[0].name+"\n");
if (aDbg.length == aALL.length) {
let msg = "Failed to narrow it down beyond the initial "+aALL.length+" prefs. The problem is most likely caused by at least 2 prefs!\n\n";
msg += "Either those prefs are too far apart in the list or there are exactly 2 culprits and they just happen to be at the wrong place.\n\n";
msg += "In case it's the latter, the script can add a dummy pref and you can try again - Try again?";
if (confirm(msg)) return _main([...aALL, oFILLER]);
} else if (aDbg.length > 10 && confirm("Narrowed it down to "+aDbg.length+" prefs. Try narrowing it down further?")) {
return _main(aDbg.reverse());
}
alert("Narrowed it down to "+ aDbg.length.toString() +" prefs, check the console ...");
console.log("The problem is caused by 2 or more of these prefs:");
for (const oPref of aDbg) console.log(oPref.name);
}
else {
reapply(aBACKUP);
resetAllMatchingDefault(aPREFS); // reset user-set prefs matching FFs default value
const aBAK = getMyList(aPREFS);
//console.log(aBAK.length, "user-set prefs from our list detected and their values stored.");
focus();
myreset(aBAK);
if (!confirm("all detected prefs reset.\n\n!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\nIF the problem still exists, this script can't help you - click cancel to re-apply your values and exit.\n\nClick OK if your problem is fixed.")) {
reapply(aBAK);
return;
}
if (found) {
alert("narrowed it down to:\n\n"+myArr[0].name+"\n");
myreset(myArr); // reset the culprit
}
else {
console.log("the problem is caused by a combination of the following prefs:");
for (let i = 0, len = aDbg.length; i < len; i++) {
console.log(aDbg[i].name);
}
}
_main(aBAK);
})();

233
user.js
View File

@ -1,8 +1,8 @@
/******
* name: ghacks user.js
* date: 20 September 2019
* version 69: Pants One More Time
* "When I'm not with pants I lose my mind. Give me a sign. Hit me, pants, one more time."
* date: 19 December 2019
* version 71: Dancing Pants
* "Ooh-ooh, see that girl, watch that scene, dig in the dancing pants"
* authors: v52+ github | v51- www.ghacks.net
* url: https://github.com/ghacksuserjs/ghacks-user.js
* license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt
@ -83,6 +83,12 @@
* [1] https://blog.mozilla.org/nnethercote/2018/03/09/a-new-preferences-parser-for-firefox/ ***/
user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?");
/* 0000: disable about:config warning
* The XUL version can still be accessed in FF71+ @ chrome://global/content/config.xul
* and in FF73+ @ chrome://global/content/config.xhtml ***/
user_pref("general.warnOnAboutConfig", false); // for the XUL version
user_pref("browser.aboutConfig.showWarning", false); // for the new HTML version [FF71+]
/*** [SECTION 0100]: STARTUP ***/
user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
/* 0101: disable default browser check
@ -194,7 +200,7 @@ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the
// user_pref("extensions.update.enabled", false);
/* 0302a: disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+]
* [NOTE] In FF65+ on Windows this SETTING (below) is now stored in a file and the pref was removed
* [SETTING] General>Firefox Updates>Check for updates but let you choose... ***/
* [SETTING] General>Firefox Updates>Check for updates but let you choose to install them ***/
user_pref("app.update.auto", false);
/* 0302b: disable auto-INSTALLING extension and theme updates (after the check in 0301b)
* [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/
@ -203,7 +209,8 @@ user_pref("app.update.auto", false);
* used when installing/updating an extension, and in daily background update checks: if false, it
* hides the expanded text description (if it exists) when you "show more details about an addon" ***/
// user_pref("extensions.getAddons.cache.enabled", false);
/* 0308: disable search update
/* 0308: disable search engine updates (e.g. OpenSearch)
* [NOTE] This does not affect Mozilla's built-in or Web Extension search engines
* [SETTING] General>Firefox Updates>Automatically update search engines ***/
user_pref("browser.search.update", false);
/* 0309: disable sending Flash crash reports ***/
@ -246,12 +253,11 @@ user_pref("datareporting.healthreport.uploadEnabled", false);
* [1] https://bugzilla.mozilla.org/1195552 ***/
user_pref("datareporting.policy.dataSubmissionEnabled", false);
/* 0342: disable Studies (see 0503)
* [NOTE] This pref has no effect when Health Reports (0340) are disabled
* [SETTING] Privacy & Security>Firefox Data Collection & Use>...>Allow Firefox to install and run studies ***/
* [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to install and run studies ***/
user_pref("app.shield.optoutstudies.enabled", false);
/* 0343: disable personalized Extension Recommendations in about:addons and AMO [FF65+]
* [NOTE] This pref has no effect when Health Reports (0340) are disabled
* [SETTING] Privacy & Security>Firefox Data Collection & Use>...>Allow Firefox to make personalized extension rec.
* [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to make personalized extension recommendations
* [1] https://support.mozilla.org/kb/personalized-extension-recommendations ***/
user_pref("browser.discovery.enabled", false);
/* 0350: disable Crash Reports ***/
@ -355,7 +361,6 @@ user_pref("browser.ping-centre.telemetry", false);
/* 0517: disable Form Autofill
* [NOTE] Stored data is NOT secure (uses a JSON file)
* [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
* [SETTING] Privacy & Security>Forms & Passwords>Autofill addresses
* [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill
* [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ ***/
user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+]
@ -375,7 +380,7 @@ user_pref("network.prefetch-next", false);
* [1] https://www.ghacks.net/2013/04/27/firefox-prefetching-what-you-need-to-know/
* [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/
user_pref("network.dns.disablePrefetch", true);
user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF]
user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF ESR] [DEFAULT: true FF70+]
/* 0603: disable predictor / prefetching ***/
user_pref("network.predictor.enabled", false);
user_pref("network.predictor.enable-prefetch", false); // [FF48+]
@ -405,7 +410,7 @@ user_pref("network.dns.disableIPv6", true);
* HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
* enhance privacy, and opens up a number of server-side fingerprinting opportunities.
* [WARNING] Disabling this made sense in the past, and doesn't break anything, but HTTP2 is
* at 35% (April 2019) and growing [5]. Don't be that one person using HTTP1.1 on HTTP2 sites
* at 40% (December 2019) and growing [5]. Don't be that one person using HTTP1.1 on HTTP2 sites
* [1] https://http2.github.io/faq/
* [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
* [3] https://http2.github.io/http2-spec/#rfc.section.10.8
@ -428,16 +433,6 @@ user_pref("network.http.altsvc.oe", false);
* as a remote Tor node will handle the DNS request
* [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
user_pref("network.proxy.socks_remote_dns", true);
/* 0707: disable (or setup) DNS-over-HTTPS (DoH) [FF60+]
* TRR = Trusted Recursive Resolver
* 0=off by default, 1=race (removed in FF69), 2=TRR first, 3=TRR only,
* 4=race for stats but always use native result (removed in FF69), 5=explicitly off
* [WARNING] DoH bypasses hosts and gives info to yet another party (e.g. Cloudflare)
* [1] https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/
* [2] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ ***/
// user_pref("network.trr.mode", 0);
// user_pref("network.trr.bootstrapAddress", "");
// user_pref("network.trr.uri", "");
/* 0708: disable FTP [FF60+]
* [1] https://www.ghacks.net/2018/02/20/firefox-60-with-new-preference-to-disable-ftp/ ***/
// user_pref("network.ftp.enabled", false);
@ -522,11 +517,12 @@ user_pref("browser.urlbar.speculativeConnect.enabled", false);
/* 0850e: disable location bar one-off searches [FF51+]
* [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ ***/
// user_pref("browser.urlbar.oneOffSearches", false);
/* 0860: disable search and form history [SETUP-WEB]
* [WARNING] Autocomplete form data is still (in April 2019) easily read by third parties, see [1]
* [NOTE] We also clear formdata on exiting Firefox (see 2803)
/* 0860: disable search and form history
* [SETUP-WEB] Be aware thet autocomplete form data can be read by third parties, see [1] [2]
* [NOTE] We also clear formdata on exit (see 2803)
* [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history
* [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html ***/
* [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
* [2] https://bugzilla.mozilla.org/381681 ***/
user_pref("browser.formfill.enable", false);
/* 0862: disable browsing and download history
* [NOTE] We also clear history and downloads on exiting Firefox (see 2803)
@ -544,11 +540,11 @@ user_pref("browser.taskbar.previews.enable", false);
user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!");
/* 0901: disable saving passwords
* [NOTE] This does not clear any passwords already saved
* [SETTING] Privacy & Security>Forms & Passwords>Ask to save logins and passwords for websites ***/
* [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/
// user_pref("signon.rememberSignons", false);
/* 0902: use a master password (recommended if you save passwords)
/* 0902: use a master password
* There are no preferences for this. It is all handled internally.
* [SETTING] Privacy & Security>Forms & Passwords>Use a master password
* [SETTING] Privacy & Security>Logins and Passwords>Use a master password
* [1] https://support.mozilla.org/kb/use-master-password-protect-stored-logins ***/
/* 0903: set how often Firefox should ask for the master password
* 0=the first time (default), 1=every time it's needed, 2=every n minutes (see 0904) ***/
@ -558,7 +554,8 @@ user_pref("security.ask_for_password", 2);
user_pref("security.password_lifetime", 5);
/* 0905: disable auto-filling username & password form fields
* can leak in cross-site forms *and* be spoofed
* [NOTE] Username & password is still available when you enter the field ***/
* [NOTE] Username & password is still available when you enter the field
* [SETTING] Privacy & Security>Logins and Passwords>Autofill logins and passwords ***/
user_pref("signon.autofillForms", false);
/* 0909: disable formless login capture for Password Manager [FF51+] ***/
user_pref("signon.formlessCapture.enabled", false);
@ -596,7 +593,7 @@ user_pref("browser.cache.disk.enable", false);
/* 1003: disable memory cache
/* capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kilobytes ***/
// user_pref("browser.cache.memory.enable", false);
// user_pref("browser.cache.memory.capacity", 0); // [HIDDEN PREF]
// user_pref("browser.cache.memory.capacity", 0); // [HIDDEN PREF ESR]
/* 1006: disable permissions manager from writing to disk [RESTART]
* [NOTE] This means any permission changes are session only
* [1] https://bugzilla.mozilla.org/967812 ***/
@ -630,35 +627,37 @@ user_pref("toolkit.winRegisterApplicationRestart", false);
* profile/shortcutCache directory. The .ico remains after the shortcut is deleted.
* If set to false then the shortcuts use a generic Firefox icon ***/
user_pref("browser.shell.shortcutFavicons", false);
/* 1031: disable favicons in tabs and new bookmarks
* bookmark favicons are stored as data blobs in favicons.sqlite ***/
/* 1031: disable favicons in history and bookmarks
* Stored as data blobs in favicons.sqlite, these don't reveal anything that your
* actual history (and bookmarks) already do. Your history is more detailed, so
* control that instead; e.g. disable history, clear history on close, use PB mode
* [NOTE] favicons.sqlite is sanitized on Firefox close, not in-session ***/
// user_pref("browser.chrome.site_icons", false);
/* 1032: disable favicons in web notifications ***/
user_pref("alerts.showFavicons", false); // [DEFAULT: false]
// user_pref("alerts.showFavicons", false); // [DEFAULT: false]
/*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
Note that your cipher and other settings can be used server side as a fingerprint attack
vector, see [1] (It's quite technical but the first part is easy to understand
and you can stop reading when you reach the second section titled "Enter Bro")
Option 1: Use defaults for ciphers (1260's). There is nothing *weak* about these, but
due to breakage, browsers can't deprecate them until the web stops using them
Option 2: Disable the ciphers in 1261, 1262 and 1263. These shouldn't break anything.
Optionally, disable the ciphers in 1264.
Your cipher and other settings can be used in server side fingerprinting
[TEST] https://www.ssllabs.com/ssltest/viewMyClient.html
[1] https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/
***/
user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
/** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
/* 1201: disable old SSL/TLS "insecure" renegotiation (vulnerable to a MiTM attack)
* [SETUP-WEB] <2% of secure sites do NOT support the newer "secure" renegotiation, see [2]
/* 1201: require safe negotiation
* Blocks connections to servers that don't support RFC 5746 [2] as they're potentially
* vulnerable to a MiTM attack [3]. A server *without* RFC 5746 can be safe from the attack
* if it disables renegotiations but the problem is that the browser can't know that.
* Setting this pref to true is the only way for the browser to ensure there will be
* no unsafe renegotiations on the channel between the browser and the server.
* [1] https://wiki.mozilla.org/Security:Renegotiation
* [2] https://www.ssllabs.com/ssl-pulse/ ***/
* [2] https://tools.ietf.org/html/rfc5746
* [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 ***/
user_pref("security.ssl.require_safe_negotiation", true);
/* 1202: control TLS versions with min and max
* 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
* [WARNING] Leave these at default, otherwise you alter your TLS fingerprint.
* Firefox telemetry (April 2019) shows only 0.5% of TLS web traffic uses 1.0 or 1.1 ***/
* Firefox telemetry (April 2019) shows only 0.5% of TLS web traffic uses 1.0 or 1.1
* [1] https://www.ssllabs.com/ssl-pulse/ ***/
// user_pref("security.tls.version.min", 3);
// user_pref("security.tls.version.max", 4);
/* 1203: disable SSL session tracking [FF36+]
@ -725,7 +724,7 @@ user_pref("security.family_safety.mode", 0);
// user_pref("security.nocertdb", true); // [HIDDEN PREF]
/* 1223: enforce strict pinning
* PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict
* [WARNING] If you rely on an AV (antivirus) to protect your web browsing
* [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing
* by inspecting ALL your web traffic, then leave at current default=1
* [1] https://trac.torproject.org/projects/tor/ticket/16206 ***/
user_pref("security.cert_pinning.enforcement_level", 2);
@ -740,7 +739,7 @@ user_pref("security.mixed_content.block_display_content", true);
* [1] https://bugzilla.mozilla.org/1190623 ***/
user_pref("security.mixed_content.block_object_subrequest", true);
/** CIPHERS [see the section 1200 intro] ***/
/** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] ***/
/* 1261: disable 3DES (effective key size < 128)
* [1] https://en.wikipedia.org/wiki/3des#Security
* [2] https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
@ -758,8 +757,10 @@ user_pref("security.mixed_content.block_object_subrequest", true);
// user_pref("security.ssl3.rsa_aes_256_sha", false);
/** UI (User Interface) ***/
/* 1270: display warning (red padlock) for "broken security" (see 1201)
* [1] https://wiki.mozilla.org/Security:Renegotiation ***/
/* 1270: display warning on the padlock for "broken security" (if 1201 is false)
* Bug: warning padlock not indicated for subresources on a secure page! [2]
* [1] https://wiki.mozilla.org/Security:Renegotiation
* [2] https://bugzilla.mozilla.org/1353705 ***/
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
/* 1271: control "Add Security Exception" dialog on SSL warnings
* 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)
@ -771,10 +772,8 @@ user_pref("browser.ssl_override_behavior", 1);
* [TEST] https://expired.badssl.com/ ***/
user_pref("browser.xul.error_pages.expert_bad_cert", true);
/* 1273: display "insecure" icon and "Not Secure" text on HTTP sites ***/
user_pref("security.insecure_connection_icon.enabled", true); // [FF59+]
user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true FF70+]
user_pref("security.insecure_connection_text.enabled", true); // [FF60+]
// user_pref("security.insecure_connection_icon.pbmode.enabled", true); // [FF59+] private windows only
// user_pref("security.insecure_connection_text.pbmode.enabled", true); // [FF60+] private windows only
/*** [SECTION 1400]: FONTS ***/
user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
@ -791,9 +790,10 @@ user_pref("browser.display.use_document_fonts", 0);
/* 1404: disable rendering of SVG OpenType fonts
* [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
user_pref("gfx.font_rendering.opentype_svg.enabled", false);
/* 1408: disable graphite which FF49 turned back on by default
* In the past it had security issues. Update: This continues to be the case, see [1]
* [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 ***/
/* 1408: disable graphite
* Graphite has had many critical security issues in the past, see [1]
* [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778
* [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/
user_pref("gfx.font_rendering.graphite.enabled", false);
/* 1409: limit system font exposure to a whitelist [FF52+] [RESTART]
* If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.
@ -827,7 +827,7 @@ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
// user_pref("network.http.referer.trimmingPolicy", 0); // [DEFAULT: 0]
/* 1603: CROSS ORIGIN: control when to send a referer
* 0=always (default), 1=only if base domains match, 2=only if hosts match
* [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo ***/
* [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud ***/
user_pref("network.http.referer.XOriginPolicy", 1);
/* 1604: CROSS ORIGIN: control the amount of information to send [FF52+]
* 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
@ -850,8 +850,8 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 0); // [DEFAULT: 0]
* [1] https://bugzilla.mozilla.org/1305144 ***/
user_pref("network.http.referer.hideOnionSource", true);
/* 1610: ALL: enable the DNT (Do Not Track) HTTP header
* [NOTE] DNT is enforced with Tracking Protection regardless of this pref
* [SETTING] Privacy & Security>Content Blocking>Send websites a "Do Not Track"... ***/
* [NOTE] DNT is enforced with Enhanced Tracking Protection regardless of this pref
* [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal... ***/
user_pref("privacy.donottrackheader.enabled", true);
/*** [SECTION 1700]: CONTAINERS
@ -869,8 +869,6 @@ user_pref("privacy.userContext.ui.enabled", true);
/* 1702: enable Container Tabs [FF50+]
* [SETTING] General>Tabs>Enable Container Tabs ***/
user_pref("privacy.userContext.enabled", true);
/* 1703: enable a private container for thumbnail loads [FF51+] ***/
user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); // [DEFAULT: true in FF61+]
/* 1704: set behaviour on "+ Tab" button to display container menu [FF53+] [SETUP-CHROME]
* 0=no menu (default), 1=show when clicked, 2=show on long press
* [1] https://bugzilla.mozilla.org/1328756 ***/
@ -905,11 +903,14 @@ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
* [1] https://www.privacytools.io/#webrtc ***/
user_pref("media.peerconnection.enabled", false);
/* 2002: limit WebRTC IP leaks if using WebRTC
* In FF70+ these settings match Mode 4 (Mode 3 in older versions) (see [3])
* [TEST] https://browserleaks.com/webrtc
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416
* [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713
* [2] https://wiki.mozilla.org/Media/WebRTC/Privacy
* [3] https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12#section-5.2 ***/
user_pref("media.peerconnection.ice.default_address_only", true);
user_pref("media.peerconnection.ice.no_host", true); // [FF51+]
user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+]
/* 2010: disable WebGL (Web Graphics Library)
* [SETUP-WEB] When disabled, may break some websites. When enabled, provides high entropy,
* especially with readPixels(). Some of the other entropy is lessened with RFP (see 4501)
@ -938,9 +939,6 @@ user_pref("media.getusermedia.audiocapture.enabled", false);
// user_pref("media.autoplay.default", 5);
/* 2031: disable autoplay of HTML5 media if you interacted with the site [FF66+] ***/
user_pref("media.autoplay.enabled.user-gestures-needed", false);
/* 2032: disable autoplay of HTML5 media in non-active tabs [FF51+]
* [1] https://www.ghacks.net/2016/11/14/firefox-51-blocks-automatic-audio-playback-in-non-active-tabs/ ***/
user_pref("media.block-autoplay-until-in-foreground", true); // [DEFAULT: true]
/*** [SECTION 2200]: WINDOW MEDDLING & LEAKS / POPUPS ***/
user_pref("_user.js.parrot", "2200 syntax error: the parrot's 'istory!");
@ -1032,14 +1030,12 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!
// user_pref("dom.event.contextmenu.enabled", false);
/* 2402: disable website access to clipboard events/content
* [SETUP-WEB] This will break some sites functionality such as pasting into facebook, wordpress
* this applies to onCut, onCopy, onPaste events - i.e. you have to interact with
* the website for it to look at the clipboard
* [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/ ***/
* This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website
* [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one
* is default false) then enabling this pref can leak clipboard content, see [2]
* [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/
* [2] https://bugzilla.mozilla.org/1528289 */
user_pref("dom.event.clipboardevents.enabled", false);
/* 2403: disable middlemouse paste leaking clipboard content on Linux after autoscroll
* Defense in depth if clipboard events are enabled (see 2402)
* [1] https://bugzilla.mozilla.org/1528289 */
user_pref("middlemouse.paste", false); // [DEFAULT: false on Windows]
/* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
* this disables document.execCommand("cut"/"copy") to protect your clipboard
* [1] https://bugzilla.mozilla.org/1170911 ***/
@ -1065,6 +1061,7 @@ user_pref("javascript.options.asmjs", false);
// user_pref("javascript.options.ion", false);
// user_pref("javascript.options.baselinejit", false);
/* 2422: disable WebAssembly [FF52+] [SETUP-PERF]
* [NOTE] In FF71+ this no longer affects extensions (1576254)
* [1] https://developer.mozilla.org/docs/WebAssembly ***/
user_pref("javascript.options.wasm", false);
/* 2426: disable Intersection Observer API [FF55+]
@ -1136,16 +1133,15 @@ user_pref("browser.uitour.url", "");
* [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
* [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/
user_pref("devtools.chrome.enabled", false);
/* 2608: disable WebIDE to prevent remote debugging and ADB extension download
/* 2608: disable remote debugging
* [1] https://trac.torproject.org/projects/tor/ticket/16222 ***/
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false);
user_pref("devtools.webide.autoinstallADBExtension", false); // [FF64+]
/* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
* [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#misc
* [1] https://bugzilla.mozilla.org/1173199 ***/
// user_pref("mathml.disabled", true);
/* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]
* [NOTE] In FF70+ and ESR68.1.0+ this no longer affects extensions (1564208)
* [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
* [1] https://bugzilla.mozilla.org/1216893 ***/
// user_pref("svg.disabled", true);
@ -1166,15 +1162,15 @@ user_pref("permissions.manager.defaultsUrl", "");
/* 2617: remove webchannel whitelist ***/
user_pref("webchannel.allowObject.urlWhitelist", "");
/* 2619: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
* Firefox has *some* protections, but it is better to be safe than sorry. The downside: it will also
* display legitimate IDN's punycoded, which might be undesirable for users of non-latin alphabets
* Firefox has *some* protections, but it is better to be safe than sorry
* [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded
* [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
* [1] https://wiki.mozilla.org/IDN_Display_Algorithm
* [2] https://en.wikipedia.org/wiki/IDN_homograph_attack
* [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
* [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
user_pref("network.IDN_show_punycode", true);
/* 2620: enable Firefox's built-in PDF reader [SETUP-CHROME]
/* 2620: enforce Firefox's built-in PDF reader [SETUP-CHROME]
* This setting controls if the option "Display in Firefox" is available in the setting below
* and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
* PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
@ -1222,7 +1218,8 @@ user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
// user_pref("extensions.webextensions.restrictedDomains", "");
/** SECURITY ***/
/* 2680: enable CSP (Content Security Policy)
/* 2680: enforce CSP (Content Security Policy)
* [WARNING] CSP is a very important and widespread security feature. Don't disable it!
* [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
user_pref("security.csp.enable", true); // [DEFAULT: true]
/* 2684: enforce a security delay on some confirmation dialogs such as install, open/save
@ -1246,10 +1243,12 @@ user_pref("security.dialog_enable_delay", 700);
user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
/* 2701: disable 3rd-party cookies and site-data [SETUP-WEB]
* 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies,
* 3=(Block) Cookies from unvisited sites, 4=(Block) Third-party trackers (FF63+) (default FF69+)
* 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (FF63+) (default FF69+)
* [NOTE] You can set exceptions under site permissions or use an extension
* [SETTING] Privacy & Security>Content Blocking>Custom>Choose what to block>Cookies ***/
* [NOTE] Enforcing category to custom ensures ETP related prefs are always honored
* [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/
user_pref("network.cookie.cookieBehavior", 1);
user_pref("browser.contentblocking.category", "custom");
/* 2702: set third-party cookies (i.e ALL) (if enabled, see 2701) to session-only
and (FF58+) set third-party non-secure (i.e HTTP) cookies to session-only
[NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
@ -1276,10 +1275,6 @@ user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true]
/* 2730: disable offline cache ***/
user_pref("browser.cache.offline.enable", false);
/* 2731: enforce websites to ask to store data for offline use
* [1] https://support.mozilla.org/questions/1098540
* [2] https://bugzilla.mozilla.org/959985 ***/
user_pref("offline-apps.allow_by_default", false);
/* 2740: disable service worker cache and cache storage
* [NOTE] We clear service worker cache on exiting Firefox (see 2803)
* [1] https://w3c.github.io/ServiceWorker/#privacy ***/
@ -1337,6 +1332,7 @@ user_pref("privacy.cpd.sessions", true); // Active Logins
user_pref("privacy.cpd.siteSettings", false); // Site Preferences
/* 2805: clear Session Restore data when sanitizing on shutdown or manually [FF34+]
* [NOTE] Not needed if Session Restore is not used (see 0102) or is already cleared with history (see 2803)
* [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (see 1022)
* [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/
// user_pref("privacy.clearOnShutdown.openWindows", true);
// user_pref("privacy.cpd.openWindows", true);
@ -1366,6 +1362,7 @@ user_pref("privacy.sanitize.timeSpan", 0);
** 1542309 - isolate top-level domain URLs when host is in the public suffix list (FF68+)
** 1506693 - isolate pdfjs range-based requests (FF68+)
** 1330467 - isolate site permissions (FF69+)
** 1534339 - isolate IPv6 (FF73+)
***/
user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
/* 4001: enable First Party Isolation [FF51+]
@ -1380,8 +1377,8 @@ user_pref("privacy.firstparty.isolate", true);
* [1] https://bugzilla.mozilla.org/1319773#c22
* [2] https://bugzilla.mozilla.org/1492607
* [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/
user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
// user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF]
// user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
// user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF ESR]
/*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
This master switch will be used for a wide range of items, many of which will
@ -1445,6 +1442,7 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAUL
** 1540726 - return "light" with prefers-color-scheme (FF67+)
[1] https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme
** 1564422 - spoof audioContext outputLatency (FF70+)
** 1595823 - spoof audioContext sampleRate (FF72+)
***/
user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
/* 4501: enable privacy.resistFingerprinting [FF41+]
@ -1615,8 +1613,6 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
// user_pref("browser.tabs.warnOnOpen", false);
// user_pref("full-screen-api.warning.delay", 0);
// user_pref("full-screen-api.warning.timeout", 0);
// user_pref("general.warnOnAboutConfig", false);
// user_pref("browser.aboutConfig.showWarning", false); // [FF67+]
/* APPEARANCE ***/
// user_pref("browser.download.autohideButton", false); // [FF57+]
// user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+]
@ -1630,19 +1626,21 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
// user_pref("browser.tabs.closeWindowWithLastTab", false);
// user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+]
// user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+]
// user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [WINDOWS] [MAC]
// user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux]
// user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
// user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under]
/* UX FEATURES: disable and hide the icons and menus ***/
// user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New [FF69+]
// user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
// user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART]
// user_pref("reader.parse-on-load.enabled", false); // Reader View
/* OTHER ***/
// user_pref("browser.bookmarks.max_backups", 2);
// user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+]
// [SETTING] General>Browsing>Recommend extensions as you browse
// user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+]
// [SETTING] General>Browsing>Recommend features as you browse
// user_pref("extensions.pocket.enabled", false); // disable and hide Pocket [FF46+]
// user_pref("identity.fxaccounts.enabled", false); // disable and hide Firefox Accounts and Sync [FF60+] [RESTART]
// user_pref("network.manage-offline-status", false); // see bugzilla 620472
// user_pref("reader.parse-on-load.enabled", false); // "Reader View"
// user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
/*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED
@ -1651,9 +1649,7 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
[1] https://github.com/ghacksuserjs/ghacks-user.js/issues/123
***/
user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!");
/* ESR60.x still uses all the following prefs
// [NOTE] replace the * with a slash in the line above to re-enable them
// FF61
/* FF61
// 0501: disable experiments
// [1] https://wiki.mozilla.org/Telemetry/Experiments
// [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1420908,1450801
@ -1669,13 +1665,13 @@ user_pref("network.jar.block-remote-files", true);
// 2613: disable JAR from opening Unsafe File Types
// [-] https://bugzilla.mozilla.org/1427726
user_pref("network.jar.open-unsafe-types", false);
// * * * /
// FF62
// ***/
/* FF62
// 1803: disable Java plugin
// [-] (part5) https://bugzilla.mozilla.org/1461243
user_pref("plugin.state.java", 0);
// * * * /
// FF63
// ***/
/* FF63
// 0205: disable GeoIP-based search results
// [NOTE] May not be hidden if Firefox has changed your settings due to your locale
// [-] https://bugzilla.mozilla.org/1462015
@ -1700,8 +1696,8 @@ user_pref("media.autoplay.enabled", false);
// 5000's: enable "Ctrl+Tab cycles through tabs in recently used order" - replaced by browser.ctrlTab.recentlyUsedOrder
// [-] https://bugzilla.mozilla.org/1473595
// user_pref("browser.ctrlTab.previews", true);
// * * * /
// FF64
// ***/
/* FF64
// 0516: disable Onboarding [FF55+]
// Onboarding is an interactive tour/setup for new installs/profiles and features. Every time
// about:home or about:newtab is opened, the onboarding overlay is injected into that page
@ -1720,8 +1716,8 @@ user_pref("devtools.webide.adbAddonURL", "");
// [1] https://developer.mozilla.org/docs/Web/API/SecurityPolicyViolationEvent
// [-] https://bugzilla.mozilla.org/1488165
user_pref("security.csp.enable_violation_events", false);
// * * * /
// FF65
// ***/
/* FF65
// 0850a: disable location bar autocomplete and suggestion types
// If you enforce any of the suggestion types (see the other 0850a), you MUST enforce 'autocomplete'
// - If *ALL* of the suggestion types are false, 'autocomplete' must also be false
@ -1732,8 +1728,8 @@ user_pref("browser.urlbar.autocomplete.enabled", false);
// e.g. //user:password@foo -> //user@(prefix)foo(suffix) NOT //user:password@(prefix)foo(suffix)
// [-] https://bugzilla.mozilla.org/1510580
user_pref("browser.fixup.hide_user_pass", true); // [DEFAULT: true]
// * * * /
// FF66
// ***/
/* FF66
// 0380: disable Browser Error Reporter [FF60+]
// [1] https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection
// [2] https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html
@ -1743,8 +1739,8 @@ user_pref("browser.chrome.errorReporter.submitUrl", "");
// 0502: disable Mozilla permission to silently opt you into tests
// [-] https://bugzilla.mozilla.org/1415625
user_pref("network.allow-experiments", false);
// * * * /
// FF67
// ***/
/* FF67
// 2428: enforce DOMHighResTimeStamp API
// [WARNING] Required for normalization of timestamps and any timer resolution mitigations
// [-] https://bugzilla.mozilla.org/1485264
@ -1754,8 +1750,8 @@ user_pref("dom.event.highrestimestamp.enabled", true); // [DEFAULT: true]
// [1] https://support.mozilla.org/en-US/kb/extension-recommendations
// [-] https://bugzilla.mozilla.org/1528953
// user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false);
// * * * /
// FF68
// ***/
/* FF68
// 0105b: disable Activity Stream Legacy Snippets
// [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1546190,1540939
user_pref("browser.newtabpage.activity-stream.disableSnippets", true);
@ -1770,7 +1766,6 @@ user_pref("lightweightThemes.update.enabled", false);
// [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=855326,883975
// [-] https://bugzilla.mozilla.org/1386214
user_pref("security.csp.experimentalEnabled", true);
// * * * /
// ***/
/* ESR68.x still uses all the following prefs
@ -1781,11 +1776,23 @@ user_pref("security.csp.experimentalEnabled", true);
// user_pref("gfx.downloadable_fonts.woff2.enabled", false);
// 1802: enforce click-to-play for plugins
// [-] https://bugzilla.mozilla.org/1519434
user_pref("plugins.click_to_play", true); // [DEFAULT: true in FF25+]
user_pref("plugins.click_to_play", true); // [DEFAULT: true FF25+]
// 2033: disable autoplay for muted videos [FF63+] - replaced by 'media.autoplay.default' options (2030)
// [-] https://bugzilla.mozilla.org/1562331
// user_pref("media.autoplay.allow-muted", false);
// * * * /
// FF71
// 2608: disable WebIDE and ADB extension download
// [1] https://trac.torproject.org/projects/tor/ticket/16222
// [-] https://bugzilla.mozilla.org/1539462
user_pref("devtools.webide.enabled", false); // [DEFAULT: false FF70+]
user_pref("devtools.webide.autoinstallADBExtension", false); // [FF64+]
// 2731: enforce websites to ask to store data for offline use
// [1] https://support.mozilla.org/questions/1098540
// [2] https://bugzilla.mozilla.org/959985
// [-] https://bugzilla.mozilla.org/1574480
user_pref("offline-apps.allow_by_default", false);
// * * * /
// ***/
/* END: internal custom pref to test for syntax errors ***/