8 Commits
87.0 ... 88.0

2 changed files with 13 additions and 10 deletions


@ -1,7 +1,7 @@
/***
This will reset the preferences that have been removed completely from the arkenfox user.js.
Last updated: 03-Apr-2021
Last updated: 07-Apr-2021
For instructions see:
https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
@ -236,6 +236,8 @@
'media.gmp-widevinecdm.visible',
/* 87-beta */
'browser.send_pings.require_same_host',
/* 88-beta */
'webgl.min_capability_mode',
/* reset parrot: check your open about:config after running the script */
'_user.js.parrot'
]

19
user.js

@ -1,7 +1,7 @@
/******
* name: arkenfox user.js
* date: 04 April 2021
* version 87
* date: 23 April 2021
* version 88
* url: https://github.com/arkenfox/user.js
* license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt
@ -92,7 +92,8 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
/* 0101: disable default browser check
* [SETTING] General>Startup>Always check if Firefox is your default browser ***/
user_pref("browser.shell.checkDefaultBrowser", false);
/* 0102: set START page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
/* 0102: set startup page [SETUP-CHROME]
* 0=blank, 1=home, 2=last visited page, 3=resume previous session
* [NOTE] Session Restore is not used in PB mode (0110) and is cleared with history (2803, 2804)
* [SETTING] General>Startup>Restore previous session ***/
user_pref("browser.startup.page", 0);
@ -386,8 +387,8 @@ user_pref("network.dns.disableIPv6", true);
/* 0702: disable HTTP2
* HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
* enhance privacy, and opens up a number of server-side fingerprinting opportunities.
* [WARNING] Disabling this made sense in the past, and doesn't break anything, but HTTP2 is
* at 40% (December 2019) and growing [5]. Don't be that one person using HTTP1.1 on HTTP2 sites
* [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites
* [STATS] Over 50% of sites (April 2021) and growing [5]
* [1] https://http2.github.io/faq/
* [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
* [3] https://http2.github.io/http2-spec/#rfc.section.10.8
@ -925,7 +926,6 @@ user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70
user_pref("webgl.disabled", true);
user_pref("webgl.enable-webgl2", false);
/* 2012: limit WebGL ***/
// user_pref("webgl.min_capability_mode", true);
user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+]
/* 2022: disable screensharing ***/
user_pref("media.getusermedia.screensharing.enabled", false);
@ -1163,17 +1163,18 @@ user_pref("webchannel.allowObject.urlWhitelist", "");
* [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
* [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
user_pref("network.IDN_show_punycode", true);
/* 2620: enforce Firefox's built-in PDF reader [SETUP-CHROME]
/* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME]
* This setting controls if the option "Display in Firefox" is available in the setting below
* and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
* PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
* Exploits are rare (1 serious case in 4 yrs), treated seriously and patched quickly.
* Exploits are rare (one serious case in seven years), treated seriously and patched quickly.
* It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
* It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
* CONS: You may prefer a different pdf reader for security reasons
* CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare)
* [SETTING] General>Applications>Portable Document Format (PDF) ***/
user_pref("pdfjs.disabled", false); // [DEFAULT: false]
user_pref("pdfjs.enableScripting", false); // [FF86+]
/* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/
user_pref("network.protocol-handler.external.ms-windows-store", false);
/* 2622: enforce no system colors; they can be fingerprinted
@ -1434,7 +1435,7 @@ user_pref("privacy.firstparty.isolate", true);
1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12)
1382545 - reduce fingerprinting in Animation API
1354633 - limit MediaError.message to a whitelist
1382533 - enable fingerprinting resistance for Presentation API
1382533 & 1697680 - enable fingerprinting resistance for Presentation API (FF57-87)
This blocks exposure of local IP Addresses via mDNS (Multicast DNS)
FF58+
967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction
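Review bot: The added `user_pref("pdfjs.enableScripting", false); // [FF86+]` in section 2620 is not explained anywhere in its comment block. The title now mentions scripting, but the body still opens with "This setting controls…" and its PROS/CONS only cover in-browser versus external handling, which is what `pdfjs.disabled` governs. A reader cannot tell what the second pref restricts or what may stop working once it is off. I would name `pdfjs.disabled` explicitly in the first sentence and add a line such as `* [NOTE] pdfjs.enableScripting=false stops PDFJS from running JavaScript embedded in PDF documents; forms that rely on it may not work`. The existing CAVEAT line is about page JS forcing in-browser rendering, not about scripts inside the PDF, so it does not cover this.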