Compare commits


12 Commits

Author SHA1 Message Date
21b18cbe49 finalize 62 2018-10-11 10:46:35 +00:00
cbcd293e68 RFP: spoof/suppress Pointer Events
https://bugzilla.mozilla.org/show_bug.cgi?id=1363508
2018-10-11 05:50:09 +00:00
aacf5d4a0b update 1031 description 2018-09-30 15:30:32 +00:00
ec5fb6e3a1 removed privacy.trackingprotection.ui.enabled 2018-09-30 15:24:33 +00:00
b2fc9bc266 remove 0421: privacy.trackingprotection.ui.enabled
- pref removed in FF63 (https://bugzilla.mozilla.org/1476879)
- when we added it the default was false
- default is true since FF57
- it's only a UI thing

ergo we don't need to move it to 9999
2018-09-30 15:20:36 +00:00
ca1cc2001f Update README.md 2018-09-20 23:40:29 +00:00
f88af1dac6 Update README.md 2018-09-20 23:39:44 +00:00
1c6c5ea2ff 1000s: cache header section #496 2018-09-13 05:09:07 +00:00
2d316ceedd removed *webextensions.keep* 2018-09-12 22:27:26 +00:00
36c791c4bc remove 2661: *webextensions.keep*
Added in FF51 with defaults false and never changed since
2018-09-12 22:23:59 +00:00
ee213f2bab infos about default values (#504)
* more infos

* add colons

not all EOL comments for defaults start with `// default` (23). The common string is `default:` (27 incl. these ones) with or without preceding or trailing spaces
2018-09-13 10:17:56 +12:00
01a978e33a add 0864: dom.forms.datetime, closes #495 2018-09-11 16:43:18 +00:00
3 changed files with 27 additions and 26 deletions


@ -14,7 +14,7 @@ Literally thousands of sources, references and suggestions. That said...
* Martin Brinkmann at [ghacks](https://www.ghacks.net/) <sup>1</sup>
* The ghacks community and commentators
* [12bytes](http://12bytes.org/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs)
* The 12bytes article now uses this user.js and supplements it with an additonal JS hosted right [here](https://github.com/atomGit/Firefox-user.js) at github
* The 12bytes article now uses this user.js and supplements it with an additonal JS hosted at [GitLab](https://gitlab.com/labwrat/Firefox-user.js/tree/master)
<sup>1</sup> The ghacks user.js was an independent project by [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) started in early 2015 and was [first published](https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/) at ghacks in August 2015. With Martin Brinkmann's blessing, it will keep the ghacks name.


@ -1,7 +1,7 @@
/***
This will reset the preferences that have been removed completely from the ghacks user.js.
Last updated: 08-Sept-2018
Last updated: 30-Sept-2018
For instructions see:
https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
@ -102,6 +102,10 @@
/* 62-beta */
'browser.urlbar.autoFill.typed',
'security.tls.version.fallback-limit',
/* 63-beta */
'extensions.webextensions.keepStorageOnUninstall',
'extensions.webextensions.keepUuidOnUninstall',
'privacy.trackingprotection.ui.enabled',
/* reset parrot: check your open about:config after running the script */
'_user.js.parrot'
]

45
user.js

@ -1,7 +1,7 @@
/******
* name: ghacks user.js
* date: 08 September 2018
* version 62-beta: Total Eclipse of the Pants
* date: 10 October 2018
* version 62: Total Eclipse of the Pants
* "Once upon a time there was light in my life, but now there's only pants in the dark"
* authors: v52+ github | v51- www.ghacks.net
* url: https://github.com/ghacksuserjs/ghacks-user.js
@ -216,7 +216,7 @@ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!");
* [NOTE] It includes updates for "revoked certificates"
* [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
* [2] https://trac.torproject.org/projects/tor/ticket/16931 ***/
user_pref("extensions.blocklist.enabled", true);
user_pref("extensions.blocklist.enabled", true); // default: true
user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/");
/* 0402: enable Kinto blocklist updates (FF50+)
* What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
@ -285,9 +285,6 @@ user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
* [2] https://support.mozilla.org/kb/tracking-protection-firefox ***/
// user_pref("privacy.trackingprotection.pbmode.enabled", true); // default: true
// user_pref("privacy.trackingprotection.enabled", true);
/* 0421: enable more Tracking Protection choices under Options>Privacy & Security>Use Tracking Protection
* Displays three choices: "Always", "Only in private windows", "Never" ***/
user_pref("privacy.trackingprotection.ui.enabled", true);
/* 0422: set which Tracking Protection block list to use
* [WARNING] We don't recommend enforcing this from here, as available block lists can change
* [SETTING] Privacy & Security>Tracking Protection>Change Block List ***/
@ -424,7 +421,7 @@ user_pref("network.predictor.enable-prefetch", false);
user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!");
/* 0701: disable IPv6
* IPv6 can be abused, especially regarding MAC addresses. They also do not play nice
* with VPNs. That's even assuming your ISP and/or router and/or website can hande it
* with VPNs. That's even assuming your ISP and/or router and/or website can handle it
* [WARNING] This is just an application level fallback. Disabling IPv6 is best done
* at an OS/network level, and/or configured properly in VPN setups
* [TEST] http://ipv6leak.com/
@ -558,6 +555,10 @@ user_pref("browser.formfill.enable", false);
* [SETTING] Privacy & Security>History>Custom Settings>Remember my browsing and download history
* [NOTE] You can clear history and downloads on exiting Firefox (see 2803) ***/
// user_pref("places.history.enabled", false);
/* 0864: disable date/time picker (FF57+ default true)
* This can leak your locale if not en-US
* [1] https://trac.torproject.org/projects/tor/ticket/21787 ***/
user_pref("dom.forms.datetime", false);
/* 0870: disable Windows jumplist [WINDOWS] ***/
user_pref("browser.taskbar.lists.enabled", false);
user_pref("browser.taskbar.lists.frequent.enabled", false);
@ -610,15 +611,16 @@ user_pref("security.insecure_field_warning.contextual.enabled", true);
user_pref("network.auth.subresource-img-cross-origin-http-auth-allow", false);
/*** 1000: CACHE [SETUP]
ETAG [1] and other [2] cache tracking/fingerprinting techniques can be averted by
ETAG [1] and other [2][3] cache tracking/fingerprinting techniques can be averted by
disabling *BOTH* disk (1001) and memory (1003) cache. ETAGs can also be neutralized
by modifying response headers [3]. Another solution is to use a hardened configuration
with Temporary Containers [4]. Alternatively, you can *LIMIT* exposure by clearing
by modifying response headers [4]. Another solution is to use a hardened configuration
with Temporary Containers [5]. Alternatively, you can *LIMIT* exposure by clearing
cache on close (2803). or on a regular basis manually or with an extension.
[1] https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
[2] https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/
[3] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.4-Header-Editor
[4] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
[3] https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache
[4] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.4-Header-Editor
[5] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
***/
user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
/** CACHE ***/
@ -679,7 +681,7 @@ user_pref("toolkit.winRegisterApplicationRestart", false);
* If set to false then the shortcuts use a generic Firefox icon ***/
user_pref("browser.shell.shortcutFavicons", false);
/* 1031: disable favicons in tabs and new bookmarks
* bookmark favicons are stored as data blobs in places.sqlite>moz_favicons ***/
* bookmark favicons are stored as data blobs in favicons.sqlite ***/
// user_pref("browser.chrome.site_icons", false);
// user_pref("browser.chrome.favicons", false);
/* 1032: disable favicons in web notifications ***/
@ -777,7 +779,7 @@ user_pref("security.cert_pinning.enforcement_level", 2);
/** MIXED CONTENT ***/
/* 1240: disable insecure active content on https pages - mixed content
* [1] https://trac.torproject.org/projects/tor/ticket/21323 ***/
user_pref("security.mixed_content.block_active_content", true);
user_pref("security.mixed_content.block_active_content", true); // default: true
/* 1241: disable insecure passive content (such as images) on https pages - mixed context ***/
user_pref("security.mixed_content.block_display_content", true);
@ -935,7 +937,7 @@ user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");
* [SETTING] Privacy & Security>Tabs>Enable Container Tabs ***/
// user_pref("privacy.userContext.enabled", true);
/* 1703: enable a private container for thumbnail loads (FF51+) ***/
// user_pref("privacy.usercontext.about_newtab_segregation.enabled", true);
// user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); // default: true in FF61+
/* 1704: set long press behaviour on "+ Tab" button to display container menu (FF53+)
* 0=disables long press, 1=when clicked, the menu is shown
* 2=the menu is shown after X milliseconds
@ -1305,12 +1307,6 @@ user_pref("browser.download.forbid_open_with", true);
* [1] archived: https://archive.is/DYjAM ***/
user_pref("extensions.enabledScopes", 1); // (hidden pref)
user_pref("extensions.autoDisableScopes", 15);
/* 2661: clear localStorage and UUID when an extension is uninstalled
* [NOTE] Both preferences must be the same
* [1] https://developer.mozilla.org/Add-ons/WebExtensions/API/storage/local
* [2] https://bugzilla.mozilla.org/1213990 ***/
user_pref("extensions.webextensions.keepStorageOnUninstall", false);
user_pref("extensions.webextensions.keepUuidOnUninstall", false);
/* 2662: disable webextension restrictions on certain mozilla domains (also see 4503) (FF60+)
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
// user_pref("extensions.webextensions.restrictedDomains", "");
@ -1332,7 +1328,7 @@ user_pref("security.csp.experimentalEnabled", true);
* [1] https://bugzilla.mozilla.org/1331351
* [2] https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
* [3] https://www.fxsitecompat.com/en-CA/docs/2017/data-url-navigations-on-top-level-window-will-be-blocked/ ***/
user_pref("security.data_uri.block_toplevel_data_uri_navigations", true);
user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // default: true in FF59+
/* 2684: enforce a security delay on some confirmation dialogs such as install, open/save
* [1] http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
* [2] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
@ -1378,7 +1374,7 @@ user_pref("network.cookie.leave-secure-alone", true); // default: true
* [3] https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ ***/
// user_pref("network.cookie.same-site.enabled", true); // default: true
/* 2710: disable DOM (Document Object Model) Storage
* [WARNING] This will break a LOT of sites' functionality.
* [WARNING] This will break a LOT of sites' functionality AND extensions!
* You are better off using an extension for more granular control ***/
// user_pref("dom.storage.enabled", false);
/* 2720: enforce IndexedDB (IDB) as enabled
@ -1394,7 +1390,7 @@ user_pref("dom.indexedDB.enabled", true); // default: true
user_pref("browser.cache.offline.enable", false);
/* 2730b: disable offline cache on insecure sites (FF60+)
* [1] https://blog.mozilla.org/security/2018/02/12/restricting-appcache-secure-contexts/ ***/
user_pref("browser.cache.offline.insecure.enable", false);
user_pref("browser.cache.offline.insecure.enable", false); // default: false in FF62+
/* 2731: enforce websites to ask to store data for offline use
* [1] https://support.mozilla.org/questions/1098540
* [2] https://bugzilla.mozilla.org/959985 ***/
@ -1547,6 +1543,7 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
FF60: Fix keydown/keyup events (1438795)
** 1337157 - disable WebGL debug renderer info (see 4613) (FF60+)
** 1459089 - disable OS locale in HTTP Accept-Language headers [ANDROID] (FF62+)
** 1363508 - spoof/suppress Pointer Events (FF64+)
***/
user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
/* 4501: enable privacy.resistFingerprinting (FF41+)
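Review bot: The 0864 block added in the `@ -558,6 +555,10 @` hunk gives the privacy reason for setting `dom.forms.datetime` to false but not what it costs, and it is the only newly enforced pref in this file section. With the picker disabled, date and time inputs will, as far as I can tell, degrade to plain text fields, which changes how forms on some sites behave. Other entries with a usability trade-off in this file carry a tag (0701 and 2710 use `[WARNING]`), so I would add a line such as `* [WARNING] date/time inputs fall back to plain text fields, which may affect some forms` before the `[1]` reference. It would also help to state whether the locale leak still applies when 4501 (privacy.resistFingerprinting) is enabled, since that decides whether users of the RFP section need this pref at all.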