4500 RFP keyboard stuff

see 3d5276484a (commitcomment-27760142)

updater.bat

@@ -3,7 +3,7 @@ TITLE ghacks user.js updater
 
 REM ## ghacks-user.js updater for Windows
 REM ## author: @claustromaniac
-REM ## version: 4.3
+REM ## version: 4.4
 REM ## instructions: https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.3-Updater-Scripts
 
 SET _myname=%~n0
@@ -42,7 +42,7 @@ IF DEFINED _updateb (
 		REM Uncomment the next line and comment the powershell call for testing.
 		REM COPY /B /V /Y "!_myname!.bat" "[updated]!_myname!.bat"
 		(
-			powershell -Command "(New-Object Net.WebClient).DownloadFile('https://github.com/ghacksuserjs/ghacks-user.js/raw/master/updater.bat', '[updated]!_myname!.bat')"
+			powershell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/updater.bat', '[updated]!_myname!.bat')"
 		) >nul 2>&1
 		IF EXIST "[updated]!_myname!.bat" (
 			START /min CMD /C "[updated]!_myname!.bat" !_myparams!
@@ -77,7 +77,7 @@ ECHO:
 ECHO:                ########################################
 ECHO:                ####  user.js Updater for Windows   ####
 ECHO:                ####       by claustromaniac        ####
-ECHO:                ####             v4.3               ####
+ECHO:                ####             v4.4               ####
 ECHO:                ########################################
 ECHO:
 SET /A "_line=0"
@@ -123,7 +123,7 @@ IF DEFINED _log (
 IF EXIST user.js.new (DEL /F "user.js.new")
 CALL :message "Retrieving latest user.js file from github repository..."
 (
-	powershell -Command "(New-Object Net.WebClient).DownloadFile('https://github.com/ghacksuserjs/ghacks-user.js/raw/master/user.js', 'user.js.new')"
+	powershell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js', 'user.js.new')"
 ) >nul 2>&1
 IF EXIST user.js.new (
 	IF DEFINED _multi (
@@ -140,7 +140,6 @@ IF EXIST user.js.new (
 				COPY /B /V /Y user.js.new+"user.js-overrides\*.js" user.js.new
 			)
 		) ELSE (CALL :message "No override files found.")
-		ECHO:
 	) ELSE (
 		IF EXIST "user-overrides.js" (
 			COPY /B /V /Y user.js.new+"user-overrides.js" "user.js.new"
@@ -151,7 +150,6 @@ IF EXIST user.js.new (
 				CALL :message "user-overrides.js appended."
 			)
 		) ELSE (CALL :message "user-overrides.js not found.")
-		ECHO:
 	)
 	IF EXIST user.js (
 		FC user.js.new user.js >nul && SET "_changed=false" || SET "_changed=true"
@@ -174,7 +172,6 @@ IF EXIST user.js.new (
 			CALL :message "Update complete."
 		)
 	)
-	ECHO:
 ) ELSE (
 	CALL :message "Update failed. Make sure PowerShell is allowed internet access."
 	ECHO:  No changes were made.

user.js

@@ -173,7 +173,7 @@ user_pref("extensions.webservice.discoverURL", "");
  * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/
 user_pref("toolkit.telemetry.unified", false);
 user_pref("toolkit.telemetry.enabled", false); // see [NOTE] above FF58+
-user_pref("toolkit.telemetry.server", "");
+user_pref("toolkit.telemetry.server", "data:,");
 user_pref("toolkit.telemetry.archive.enabled", false);
 user_pref("toolkit.telemetry.cachedClientID", "");
 user_pref("toolkit.telemetry.newProfilePing.enabled", false); // (FF55+)
@@ -205,9 +205,8 @@ user_pref("browser.newtabpage.enabled", false);
 user_pref("browser.newtabpage.enhanced", false);
 user_pref("browser.newtabpage.introShown", true);
 /* 0370: disable "Snippets" (Mozilla content shown on about:home screen)
- * MUST use HTTPS - arbitrary content injected into this page via http opens up MiTM attacks
  * [1] https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service ***/
-user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");
+user_pref("browser.aboutHomeSnippets.updateUrl", "data:,");
 
 /*** 0400: BLOCKLISTS / SAFE BROWSING / TRACKING PROTECTION
      This section has security & tracking protection implications vs privacy concerns vs effectiveness
@@ -644,7 +643,7 @@ user_pref("browser.shell.shortcutFavicons", false);
    // user_pref("browser.chrome.site_icons", false);
    // user_pref("browser.chrome.favicons", false);
 /* 1032: disable favicons in web notifications ***/
-user_pref("alerts.showFavicons", false);
+user_pref("alerts.showFavicons", false); // default: false
 
 /*** 1200: HTTPS ( SSL/TLS / OCSP / CERTS / HSTS / HPKP / CIPHERS )
    Note that your cipher and other settings can be used server side as a fingerprint attack
@@ -818,7 +817,7 @@ user_pref("browser.display.use_document_fonts", 0);
    // user_pref("font.name.monospace.x-western", "Lucida Console"); // default Courier New
 /* 1403: enable icon fonts (glyphs) (FF41+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=789788 ***/
-user_pref("gfx.downloadable_fonts.enabled", true);
+user_pref("gfx.downloadable_fonts.enabled", true); // default: true
 /* 1404: disable rendering of SVG OpenType fonts
  * [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
 user_pref("gfx.font_rendering.opentype_svg.enabled", false);
@@ -828,7 +827,7 @@ user_pref("gfx.downloadable_fonts.woff2.enabled", false);
  * [SETUP] Disabling fonts can uglify the web a fair bit. ***/
 user_pref("layout.css.font-loading-api.enabled", false);
 /* 1407: disable special underline handling for a few fonts which you will probably never use [RESTART]
- * Any of these fonts on your system can be enumerated for fingerprinting. Requires restart.
+ * Any of these fonts on your system can be enumerated for fingerprinting.
  * [1] http://kb.mozillazine.org/Font.blacklist.underline_offset ***/
 user_pref("font.blacklist.underline_offset", "");
 /* 1408: disable graphite which FF49 turned back on by default
@@ -843,16 +842,14 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1121643 ***/
    // user_pref("font.system.whitelist", ""); // (hidden pref)
 
-/*** 1600: HEADERS / REFERERS [SETUP]
+/*** 1600: HEADERS / REFERERS
-     Except for DNT (Do Not Track), referers are best controlled by an extension.
+     Only *cross domain* referers need controlling and XOriginPolicy (1603) is perfect for that. Thus we enforce
-     It is important to realize that it is *cross domain* referers that need
+     the default values for 1601, 1602, 1605 and 1606 to minimize breakage, and only tweak 1603 and 1604.
-     controlling, and this is best handled by EITHER 1603 or 1604, not both.
 
-     Option 1: Recommended: Use an extension to block all referers, and then whitelist
+     Our default settings provide the best balance between protection and amount of breakage.
-               sites on a granular, per domain level.
+     To harden it a bit more you can set XOriginPolicy (1603) to 2 (+ optionally 1604 to 1 or 2).
-     Option 2: As per the original settings below: Set XOriginPolicy (1603) to 1 (less breakage)
+     To fix broken sites, temporarily set XOriginPolicy=0 and XOriginTrimmingPolicy=2 in about:config,
-               or 2 (more breakage) and leave XOriginTrimmingPolicy (1604) at default 0
+     use the site and then change the values back. If you visit those sites regularly, use an extension.
-     Option 3: Set XOriginPolicy (1603) to default 0 and set XOriginTrimmingPolicy (1604) to 2
 
                     full URI: https://example.com:8888/foo/bar.html?id=1234
        scheme+host+path+port: https://example.com:8888/foo/bar.html
@@ -862,32 +859,29 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
  ***/
 user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
 /* 1601: ALL: control when images/links send a referer
- * 0=never, 1=send only when links are clicked, 2=for links and images (default)
+ * 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/
- * [NOTE] Recommended left at default. Focus on XSS and granular cross origin referer control ***/
 user_pref("network.http.sendRefererHeader", 2);
 /* 1602: ALL: control the amount of information to send
- * 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port
+ * 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port ***/
- * [NOTE] Cross origin requests can be fine tuned in 1603 + 1604. Limiting same origin requests
- * is rather pointless. Recommended left at default for zero same origin breakage ***/
 user_pref("network.http.referer.trimmingPolicy", 0);
 /* 1603: CROSS ORIGIN: control when to send a referer [SETUP]
- * 0=always (default), 1=only if base domains match, 2=only if hosts match
+ * 0=always (default), 1=only if base domains match, 2=only if hosts match ***/
- * [NOTE] 1=less breakage, possible leakage 2=less leakage, more breakage
- * [WARNING] Reset to default 0 if you have issues accessing your modem/router ***/
 user_pref("network.http.referer.XOriginPolicy", 1);
 /* 1604: CROSS ORIGIN: control the amount of information to send (FF52+)
- * 0=send full URI (default) 1=scheme+host+path+port 2=scheme+host+port ***/
+ * 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port ***/
 user_pref("network.http.referer.XOriginTrimmingPolicy", 0);
 /* 1605: ALL: disable spoofing a referer
- * Spoofing increases your exposure to cross-site request forgeries ***/
+ * [WARNING] Spoofing effectively disables the anti-CSRF (Cross-Site Request Forgery) protections that some sites may rely on ***/
 user_pref("network.http.referer.spoofSource", false);
-/* 1606: ALL: set the default Referrer Policy (FF53+)
+/* 1606: ALL: set the default Referrer Policy
- * 0=no-referer 1=same-origin 2=strict-origin-when-cross-origin
+ * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
- * 3=no-referrer-when-downgrade (default)
  * [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy
  * [1] https://www.w3.org/TR/referrer-policy/
- * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1304623 ***/
+ * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
-user_pref("network.http.referer.userControlPolicy", 3);
+ * [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ***/
+user_pref("network.http.referer.userControlPolicy", 3); // (FF53-FF58) default: 3
+user_pref("network.http.referer.defaultPolicy", 3); // (FF59+) default: 3
+user_pref("network.http.referer.defaultPolicy.pbmode", 2); // (FF59+) default: 2
 /* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain (FF54+)
  * [NOTE] Firefox cannot access .onion sites by default. We recommend you use
  * TBB (Tor Browser Bundle) which is specifically designed for the dark web
@@ -1132,13 +1126,15 @@ user_pref("dom.idle-observers-api.enabled", false);
 /* 2418: disable full-screen API
  * false=block, true=ask ***/
 user_pref("full-screen-api.enabled", false);
-/* 2420: disable asm.js (http://asmjs.org/) (FF22+)
+/* 2420: disable asm.js (FF22+)
- * [1] https://www.mozilla.org/security/advisories/mfsa2015-29/
+ * [1] http://asmjs.org/
- * [2] https://www.mozilla.org/security/advisories/mfsa2015-50/
+ * [2] https://www.mozilla.org/security/advisories/mfsa2015-29/
- * [3] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
+ * [3] https://www.mozilla.org/security/advisories/mfsa2015-50/
- * [4] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400 ***/
+ * [4] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
+ * [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
+ * [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
 user_pref("javascript.options.asmjs", false);
-/* 2421: disable Ion and baseline JIT to help harden JS against exploits such as CVE-2015-0817
+/* 2421: disable Ion and baseline JIT to help harden JS against exploits
  * [WARNING] Causes the odd site issue and there is also a performance loss
  * [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
    // user_pref("javascript.options.ion", false);
@@ -1281,13 +1277,13 @@ user_pref("security.fileuri.strict_origin_policy", true);
 /* 2624: enable Subresource Integrity (SRI) (FF43+)
  * [1] https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity
  * [2] https://wiki.mozilla.org/Security/Subresource_Integrity ***/
-user_pref("security.sri.enable", true);
+user_pref("security.sri.enable", true); // default: true
 /* 2625: disable DNS requests for hostnames with a .onion TLD (FF45+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1228457 ***/
 user_pref("network.dns.blockDotOnion", true);
-/* 2626: disable optional user agent token, default is false, included for completeness
+/* 2626: disable optional user agent token
  * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/User-Agent/Firefox ***/
-user_pref("general.useragent.compatMode.firefox", false);
+user_pref("general.useragent.compatMode.firefox", false); // default: false
 /* 2628: disable UITour backend so there is no chance that a remote page can use it ***/
 user_pref("browser.uitour.enabled", false);
 user_pref("browser.uitour.url", "");
@@ -1358,9 +1354,9 @@ user_pref("security.block_script_with_wrong_mime", true);
  * [4] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
  * [5] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
 user_pref("network.IDN_show_punycode", true);
-/* 2673: enable CSP (Content Security Policy) (default is true)
+/* 2673: enable CSP (Content Security Policy)
  * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
-user_pref("security.csp.enable", true);
+user_pref("security.csp.enable", true); // default: true
 /* 2674: enable CSP 1.1 experimental hash-source directive (FF29+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=855326
  * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=883975 ***/
@@ -1403,9 +1399,9 @@ user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // (FF58+)
    // user_pref("network.cookie.lifetimePolicy", 0);
 /* 2704: set cookie lifetime in days (see above pref) - default is 90 days ***/
    // user_pref("network.cookie.lifetime.days", 90);
-/* 2705: disable HTTP sites setting cookies with the "secure" directive (default: true) (FF52+)
+/* 2705: disable HTTP sites setting cookies with the "secure" directive (FF52+)
  * [1] https://developer.mozilla.org/Firefox/Releases/52#HTTP ***/
-user_pref("network.cookie.leave-secure-alone", true);
+user_pref("network.cookie.leave-secure-alone", true); // default: true
 /* 2710: disable DOM (Document Object Model) Storage
  * [WARNING] This will break a LOT of sites' functionality.
  * You are better off using an extension for more granular control ***/
@@ -1550,14 +1546,16 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
  ** 1281949 - spoof screen orientation (FF50+)
  ** 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+)
  ** 1330890 - spoof timezone as UTC 0 (FF55+)
+      FF58: Date.toLocaleFormat deprecated (818634)
+      FF60: Date.toLocaleDateString and Intl.DateTimeFormat fixed (1409973)
  ** 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) (FF55+)
       This spoof *shouldn't* affect core chrome/Firefox performance
  ** 1217238 - reduce precision of time exposed by javascript (FF55+)
  ** 1369303 - spoof/disable performance API (see 2410-deprecated, 4602, 4603) (FF56+)
  ** 1333651 & 1383495 & 1396468 & 1393283 & 1404608 - spoof Navigator API (see section 4700) (FF56+)
       FF56: The version number will be rounded down to the nearest multiple of 10
-      FF57+: The version number will match current ESR
+      FF57: The version number will match current ESR
-      FF59+: The OS will be reported as Windows, OSX, Android, or Linux (to reduce breakage)
+      FF59: The OS will be reported as Windows, OSX, Android, or Linux (to reduce breakage)
  ** 1369319 - disable device sensor API (see 4604) (FF56+)
  ** 1369357 - disable site specific zoom (see 4605) (FF56+)
  ** 1337161 - hide gamepads from content (see 4606) (FF56+)
@@ -1572,12 +1570,14 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
  ** 1382533 - enable fingerprinting resistance for Presentation API (FF57+)
       This blocks exposure of local IP Addresses via mDNS (Multicast DNS)
  **  967895 - enable site permission prompt before allowing canvas data extraction (FF58+)
-      In FF59+ this is controllable via the site permissions panel, see 1413780 (FF59+)
+      FF59: Added to the site permissions panel (1413780)
+      FF60: Only prompt for canvas data extraction when triggered by user input (1376865)
  ** 1372073 - spoof/block fingerprinting in MediaDevices API (FF59+)
  ** 1039069 - warn when language prefs are set to non en-US (see 0207, 0208) (FF59+)
  ** 1222285 - spoof keyboard events and suppress keyboard modifier events (FF59+)
       Spoofing mimics the content language of the document. Currently it only supports en-US.
       Modifier events suppressed are SHIFT, CTRL and both ALT keys. Chrome is not affected.
+      FF60: Fixes keydown/keyup events (1438795)
 ***/
 user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
 /* 4501: enable privacy.resistFingerprinting (FF41+)
@@ -1750,9 +1750,6 @@ user_pref("network.manage-offline-status", false);
    // user_pref("toolkit.cosmeticAnimations.enabled", false);
 /* 5016: disable reload/stop animation (FF56+) ***/
    // user_pref("browser.stopReloadAnimation.enabled", true);
-/* 5017: set submenu delay in milliseconds. 0=instant while a small number allows
- * a mouse pass over menu items without any submenus alarmingly shooting out ***/
-user_pref("ui.submenuDelay", 150); // (hidden pref)
 /* 5018: set maximum number of daily bookmark backups to keep (default is 15) ***/
 user_pref("browser.bookmarks.max_backups", 2);
 /* 5020: control urlbar click behaviour (with defaults) ***/
@@ -1776,24 +1773,6 @@ user_pref("browser.tabs.loadDivertedInBackground", false);
 /* 5023: enable "Find As You Type"
  * [1] http://kb.mozillazine.org/Accessibility.typeaheadfind ***/
    // user_pref("accessibility.typeaheadfind", true);
-/* 5024: enable/disable MSE (Media Source Extensions)
- * [1] https://www.ghacks.net/2014/05/10/enable-media-source-extensions-firefox/ ***/
-   // user_pref("media.mediasource.enabled", false);
-   // user_pref("media.mediasource.mp4.enabled", false);
-   // user_pref("media.mediasource.webm.audio.enabled", false);
-   // user_pref("media.mediasource.webm.enabled", false);
-/* 5025: enable/disable various media types ***/
-   // user_pref("media.mp4.enabled", false);
-   // user_pref("media.flac.enabled", false); // (FF51+)
-   // user_pref("media.ogg.enabled", false);
-   // user_pref("media.ogg.flac.enabled", false); // (FF51+)
-   // user_pref("media.opus.enabled", false);
-   // user_pref("media.raw.enabled", false);
-   // user_pref("media.wave.enabled", false);
-   // user_pref("media.webm.enabled", false);
-   // user_pref("media.wmf.enabled", false); // https://www.youtube.com/html5 - for the two H.264 entries
-   // user_pref("media.wmf.amd.vp9.enabled", true); // (FF57+)
-   // user_pref("media.wmf.vp9.enabled", false);
 /* 5026: disable "Reader View" ***/
    // user_pref("reader.parse-on-load.enabled", false);
 /* 5027: decode URLs on copy from the urlbar (FF53+)
@@ -1826,7 +1805,7 @@ user_pref("network.websocket.enabled", false);
    // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1042135#c101
    // user_pref("privacy.donottrackheader.value", 1);
 // 2023: (37+) disable camera autofocus callback
-   // The API will be superceded by the WebRTC Capture and Stream API
+   // The API will be superseded by the WebRTC Capture and Stream API
    // [1] https://developer.mozilla.org/docs/Archive/B2G_OS/API/CameraControl
    // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1107683
 user_pref("camera.control.autofocus_moving_callback.enabled", false);
@@ -2018,7 +1997,7 @@ user_pref("dom.telephony.enabled", false);
 user_pref("dom.battery.enabled", false);
 // ***/
 
-/* ESR52 still needs all the following prefs
+/* ESR52.x still uses all the following prefs
 // [NOTE] replace the * with a slash in the line above to re-enable them if you're using ESR52.x.x
 // FF53
 // 1265: block rc4 fallback