Git/firefox-user.js
1
0
Fork 0
mirror of https://github.com/arkenfox/user.js.git synced 2025-09-01 17:38:30 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Git:v70.0-beta
Branches Tags
Git:master Git:Thorin-Oakenpants-patch-1
Git:140.0 Git:135.0 Git:133.0 Git:128.0 Git:126.1 Git:126.0 Git:122.0 Git:119.0 Git:118.0 Git:117.0 Git:115.1 Git:115.0 Git:112.0 Git:111.0 Git:110.0 Git:v110.0 Git:109.0 Git:108.0 Git:107.0 Git:106.0 Git:105.0 Git:104.0 Git:103.0 Git:102.1 Git:102.0 Git:101.0 Git:100.0 Git:99.0 Git:98.0 Git:97.0 Git:96.0 Git:95.0 Git:94.1 Git:94.0 Git:91.1 Git:93.0 Git:92.0 Git:91.0 Git:90.0 Git:89.0 Git:88.0 Git:87.0 Git:86.0 Git:85.0 Git:84.0 Git:83.0 Git:82.0 Git:v82.0-beta Git:81.0 Git:v81.0-beta Git:80.0 Git:v80.0-beta Git:79.0 Git:v79.0-beta Git:78.0 Git:v78.0-beta Git:77.0 Git:v77.0-beta Git:76.0 Git:v76.0-beta Git:75.0 Git:v75.0-beta Git:74.0 Git:v74.0-beta Git:73.0 Git:v73.0-beta Git:72.0 Git:v72.0-beta Git:71.0 Git:v71.0-beta Git:70.0 Git:v70.0-beta Git:69.0 Git:v69.0-beta Git:68.0 Git:v68.0-beta Git:67.0 Git:v67.0-beta Git:66.0 Git:v66.0-beta Git:65.0 Git:v65.0-beta Git:64.0 Git:v64.0-beta Git:63.0 Git:v63.0-beta Git:62.0 Git:v62.0-beta Git:61.0 Git:v61.0-beta Git:60.0 Git:v60.0-beta Git:59.0 Git:v59.0-alpha Git:58.0 Git:v58.0-alpha Git:57.0 Git:v57.0-alpha Git:56.0 Git:v56.0-alpha Git:55.0 Git:v55.0-alpha Git:54.0 Git:v54.0-alpha-rev1 Git:v54.0-alpha Git:53.0 Git:v53.0-alpha Git:52.0 Git:v52.0-alpha Git:51.0
...
compare: Git:72.0
Branches Tags
Git:Thorin-Oakenpants-patch-1 Git:master
Git:140.0 Git:135.0 Git:133.0 Git:128.0 Git:126.1 Git:126.0 Git:122.0 Git:119.0 Git:118.0 Git:117.0 Git:115.1 Git:115.0 Git:112.0 Git:111.0 Git:110.0 Git:v110.0 Git:109.0 Git:108.0 Git:107.0 Git:106.0 Git:105.0 Git:104.0 Git:103.0 Git:102.1 Git:102.0 Git:101.0 Git:100.0 Git:99.0 Git:98.0 Git:97.0 Git:96.0 Git:95.0 Git:94.1 Git:94.0 Git:91.1 Git:93.0 Git:92.0 Git:91.0 Git:90.0 Git:89.0 Git:88.0 Git:87.0 Git:86.0 Git:85.0 Git:84.0 Git:83.0 Git:82.0 Git:v82.0-beta Git:81.0 Git:v81.0-beta Git:80.0 Git:v80.0-beta Git:79.0 Git:v79.0-beta Git:78.0 Git:v78.0-beta Git:77.0 Git:v77.0-beta Git:76.0 Git:v76.0-beta Git:75.0 Git:v75.0-beta Git:74.0 Git:v74.0-beta Git:73.0 Git:v73.0-beta Git:72.0 Git:v72.0-beta Git:71.0 Git:v71.0-beta Git:70.0 Git:v70.0-beta Git:69.0 Git:v69.0-beta Git:68.0 Git:v68.0-beta Git:67.0 Git:v67.0-beta Git:66.0 Git:v66.0-beta Git:65.0 Git:v65.0-beta Git:64.0 Git:v64.0-beta Git:63.0 Git:v63.0-beta Git:62.0 Git:v62.0-beta Git:61.0 Git:v61.0-beta Git:60.0 Git:v60.0-beta Git:59.0 Git:v59.0-alpha Git:58.0 Git:v58.0-alpha Git:57.0 Git:v57.0-alpha Git:56.0 Git:v56.0-alpha Git:55.0 Git:v55.0-alpha Git:54.0 Git:v54.0-alpha-rev1 Git:v54.0-alpha Git:53.0 Git:v53.0-alpha Git:52.0 Git:v52.0-alpha Git:51.0

28 Commits
v70.0-beta ... 72.0

Author SHA1 Message Date
Thorin-Oakenpants
7619e312de 72 final 2020-01-24 16:48:16 +00:00
Thorin-Oakenpants
5d2c5de11c fixup deprecated ESR-cycle version 2020-01-15 02:53:07 +00:00
Thorin-Oakenpants
e1022c2e72 72-beta 2020-01-14 17:38:22 +00:00
Thorin-Oakenpants
e431b324c8 FF72 deprecated 2020-01-08 02:53:25 +00:00
Thorin-Oakenpants
18ad40a5c6 systemUsesDarkTheme -> RFP Alts 2019-12-25 02:14:49 +00:00
rusty-snake
315de066ec typo (#870) 2019-12-24 11:49:19 +00:00
Thorin-Oakenpants
85273d0f19 0517: setting tag 2019-12-22 07:13:48 +00:00
Thorin-Oakenpants
ef293b57a7 5000s: add ui.systemUsesDarkTheme 2019-12-22 06:14:25 +00:00
Thorin-Oakenpants
79d316fd22 remove old deprecations 2019-12-19 16:37:19 +00:00
Thorin-Oakenpants
ed60588473 72-alpha start 2019-12-19 16:34:44 +00:00
Thorin-Oakenpants
07c128a190 71 final 2019-12-19 16:31:51 +00:00
Thorin-Oakenpants
5b1d56933b middlemouse.paste, see #735 2019-12-19 16:21:21 +00:00
Thorin-Oakenpants
34cfcedc1b 2402+2403, finally closes #735 2019-12-19 16:19:39 +00:00
Thorin-Oakenpants
f9146fdf24 update setting tags, minor tweaks 2019-12-18 09:46:21 +00:00
Thorin-Oakenpants
a1cdbc8324 1408 graphite, closes #1408 and 2619 puncyode 2019-12-18 07:46:44 +00:00
earthlng
cd07641a9d 2701: make sure cookieBehavior is always honored (#866) 
see #862
 2019-12-18 05:02:25 +00:00
earthlng
9c02949e04 0000: config.xhtml in FF73+ (#865) 2019-12-17 15:00:34 +00:00
Thorin-Oakenpants
1ef62a1036 media.block-autoplay-until-in-foreground #840 2019-12-12 01:24:12 +00:00
Thorin-Oakenpants
5672bc8cc8 2032 removed, 4002 inactive, closes #840 2019-12-12 01:21:17 +00:00
Thorin-Oakenpants
df1732745d 0308: seach engine updates: better info #840 2019-12-10 22:07:23 +00:00
Thorin-Oakenpants
30daf8640c FPI stuff 2019-12-09 20:18:42 +00:00
earthlng
4074a37e1d 1201 + 1270 update (#859) 
trim by a line, remove extra space, fixup on red, indicate it only applies if 1201 is false
 2019-12-07 18:26:39 +00:00
Thorin-Oakenpants
97043b0ce1 71-beta 2019-12-06 12:19:21 +00:00
Thorin-Oakenpants
42ea484017 71 deprecated (#856) 2019-12-04 14:13:49 +13:00
Thorin-Oakenpants
3f6340b69c OMG!! 2019-12-03 14:51:44 +00:00
earthlng
884e84a4cb about:config warning back to the top + active (#855) 2019-12-04 03:44:59 +13:00
Thorin-Oakenpants
560acfc94f 70 final 2019-12-03 07:31:47 +00:00
Thorin-Oakenpants
fb263f5624 favicons: 1031 better info, 1032 inactive #840 (#851) 2019-12-02 23:04:09 +13:00
2 changed files with 104 additions and 188 deletions
Expand all files Collapse all files

5
scratchpad-scripts/ghacks-clear-[removed].js
View File

@ -1,7 +1,7 @@
/***
This will reset the preferences that have been removed completely from the ghacks user.js.
Last updated: 11-November-2019
Last updated: 19-December-2019
For instructions see:
https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
@ -215,6 +215,9 @@
'security.insecure_connection_icon.pbmode.enabled',
'security.insecure_connection_text.pbmode.enabled',
'webgl.dxgl.enabled',
/* 71-beta */
'media.block-autoplay-until-in-foreground',
'middlemouse.paste',
/* reset parrot: check your open about:config after running the script */
'_user.js.parrot'
]

287
user.js
View File

@ -1,8 +1,7 @@
/******
* name: ghacks user.js
* date: 24 November 2019
* version 70-beta: Pinpants Wizard
* "Ever since I was a young pants, I've played the silver ball"
* date: 24 January 2020
* version 72
* authors: v52+ github | v51- www.ghacks.net
* url: https://github.com/ghacksuserjs/ghacks-user.js
* license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt
@ -83,6 +82,12 @@
* [1] https://blog.mozilla.org/nnethercote/2018/03/09/a-new-preferences-parser-for-firefox/ ***/
user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?");
/* 0000: disable about:config warning
* FF71-72: chrome://global/content/config.xul
* FF73+: chrome://global/content/config.xhtml ***/
user_pref("general.warnOnAboutConfig", false); // XUL/XHTML version
user_pref("browser.aboutConfig.showWarning", false); // HTML version [FF71+]
/*** [SECTION 0100]: STARTUP ***/
user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
/* 0101: disable default browser check
@ -108,7 +113,6 @@ user_pref("browser.newtab.preload", false);
/* 0105a: disable Activity Stream telemetry ***/
user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
user_pref("browser.newtabpage.activity-stream.telemetry", false);
user_pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", "");
/* 0105b: disable Activity Stream Snippets
* Runs code received from a server (aka Remote Code Execution) and sends information back to a metrics server
* [1] https://abouthome-snippets-service.readthedocs.io/ ***/
@ -194,7 +198,7 @@ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the
// user_pref("extensions.update.enabled", false);
/* 0302a: disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+]
* [NOTE] In FF65+ on Windows this SETTING (below) is now stored in a file and the pref was removed
* [SETTING] General>Firefox Updates>Check for updates but let you choose... ***/
* [SETTING] General>Firefox Updates>Check for updates but let you choose to install them ***/
user_pref("app.update.auto", false);
/* 0302b: disable auto-INSTALLING extension and theme updates (after the check in 0301b)
* [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/
@ -203,7 +207,8 @@ user_pref("app.update.auto", false);
* used when installing/updating an extension, and in daily background update checks: if false, it
* hides the expanded text description (if it exists) when you "show more details about an addon" ***/
// user_pref("extensions.getAddons.cache.enabled", false);
/* 0308: disable search update
/* 0308: disable search engine updates (e.g. OpenSearch)
* [NOTE] This does not affect Mozilla's built-in or Web Extension search engines
* [SETTING] General>Firefox Updates>Automatically update search engines ***/
user_pref("browser.search.update", false);
/* 0309: disable sending Flash crash reports ***/
@ -232,7 +237,6 @@ user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // [FF55+]
user_pref("toolkit.telemetry.updatePing.enabled", false); // [FF56+]
user_pref("toolkit.telemetry.bhrPing.enabled", false); // [FF57+] Background Hang Reporter
user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+]
user_pref("toolkit.telemetry.hybridContent.enabled", false); // [FF59+]
/* 0331: disable Telemetry Coverage
* [1] https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ ***/
user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF]
@ -250,7 +254,7 @@ user_pref("datareporting.policy.dataSubmissionEnabled", false);
user_pref("app.shield.optoutstudies.enabled", false);
/* 0343: disable personalized Extension Recommendations in about:addons and AMO [FF65+]
* [NOTE] This pref has no effect when Health Reports (0340) are disabled
* [SETTING] Privacy & Security>Firefox Data Collection & Use>...>Allow Firefox to make personalized extension rec.
* [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to make personalized extension recommendations
* [1] https://support.mozilla.org/kb/personalized-extension-recommendations ***/
user_pref("browser.discovery.enabled", false);
/* 0350: disable Crash Reports ***/
@ -354,7 +358,7 @@ user_pref("browser.ping-centre.telemetry", false);
/* 0517: disable Form Autofill
* [NOTE] Stored data is NOT secure (uses a JSON file)
* [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
* [SETTING] Privacy & Security>Forms & Passwords>Autofill addresses
* [SETTING] Options>Privacy & Security>Forms and Autofill>Autofill addresses (FF74+)
* [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill
* [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ ***/
user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+]
@ -404,7 +408,7 @@ user_pref("network.dns.disableIPv6", true);
* HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
* enhance privacy, and opens up a number of server-side fingerprinting opportunities.
* [WARNING] Disabling this made sense in the past, and doesn't break anything, but HTTP2 is
* at 35% (April 2019) and growing [5]. Don't be that one person using HTTP1.1 on HTTP2 sites
* at 40% (December 2019) and growing [5]. Don't be that one person using HTTP1.1 on HTTP2 sites
* [1] https://http2.github.io/faq/
* [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
* [3] https://http2.github.io/http2-spec/#rfc.section.10.8
@ -511,11 +515,12 @@ user_pref("browser.urlbar.speculativeConnect.enabled", false);
/* 0850e: disable location bar one-off searches [FF51+]
* [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ ***/
// user_pref("browser.urlbar.oneOffSearches", false);
/* 0860: disable search and form history [SETUP-WEB]
* [WARNING] Autocomplete form data is still (in April 2019) easily read by third parties, see [1]
* [NOTE] We also clear formdata on exiting Firefox (see 2803)
/* 0860: disable search and form history
* [SETUP-WEB] Be aware thet autocomplete form data can be read by third parties, see [1] [2]
* [NOTE] We also clear formdata on exit (see 2803)
* [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history
* [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html ***/
* [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
* [2] https://bugzilla.mozilla.org/381681 ***/
user_pref("browser.formfill.enable", false);
/* 0862: disable browsing and download history
* [NOTE] We also clear history and downloads on exiting Firefox (see 2803)
@ -533,11 +538,11 @@ user_pref("browser.taskbar.previews.enable", false);
user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!");
/* 0901: disable saving passwords
* [NOTE] This does not clear any passwords already saved
* [SETTING] Privacy & Security>Forms & Passwords>Ask to save logins and passwords for websites ***/
* [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/
// user_pref("signon.rememberSignons", false);
/* 0902: use a master password (recommended if you save passwords)
/* 0902: use a master password
* There are no preferences for this. It is all handled internally.
* [SETTING] Privacy & Security>Forms & Passwords>Use a master password
* [SETTING] Privacy & Security>Logins and Passwords>Use a master password
* [1] https://support.mozilla.org/kb/use-master-password-protect-stored-logins ***/
/* 0903: set how often Firefox should ask for the master password
* 0=the first time (default), 1=every time it's needed, 2=every n minutes (see 0904) ***/
@ -547,7 +552,8 @@ user_pref("security.ask_for_password", 2);
user_pref("security.password_lifetime", 5);
/* 0905: disable auto-filling username & password form fields
* can leak in cross-site forms *and* be spoofed
* [NOTE] Username & password is still available when you enter the field ***/
* [NOTE] Username & password is still available when you enter the field
* [SETTING] Privacy & Security>Logins and Passwords>Autofill logins and passwords ***/
user_pref("signon.autofillForms", false);
/* 0909: disable formless login capture for Password Manager [FF51+] ***/
user_pref("signon.formlessCapture.enabled", false);
@ -619,11 +625,14 @@ user_pref("toolkit.winRegisterApplicationRestart", false);
* profile/shortcutCache directory. The .ico remains after the shortcut is deleted.
* If set to false then the shortcuts use a generic Firefox icon ***/
user_pref("browser.shell.shortcutFavicons", false);
/* 1031: disable favicons in tabs and new bookmarks
* bookmark favicons are stored as data blobs in favicons.sqlite ***/
/* 1031: disable favicons in history and bookmarks
* Stored as data blobs in favicons.sqlite, these don't reveal anything that your
* actual history (and bookmarks) already do. Your history is more detailed, so
* control that instead; e.g. disable history, clear history on close, use PB mode
* [NOTE] favicons.sqlite is sanitized on Firefox close, not in-session ***/
// user_pref("browser.chrome.site_icons", false);
/* 1032: disable favicons in web notifications ***/
user_pref("alerts.showFavicons", false); // [DEFAULT: false]
// user_pref("alerts.showFavicons", false); // [DEFAULT: false]
/*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
Your cipher and other settings can be used in server side fingerprinting
@ -632,8 +641,15 @@ user_pref("alerts.showFavicons", false); // [DEFAULT: false]
***/
user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
/** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
/* 1201: disable old SSL/TLS "insecure" negotiation (vulnerable to a MiTM attack)
* [1] https://wiki.mozilla.org/Security:Renegotiation ***/
/* 1201: require safe negotiation
* Blocks connections to servers that don't support RFC 5746 [2] as they're potentially
* vulnerable to a MiTM attack [3]. A server *without* RFC 5746 can be safe from the attack
* if it disables renegotiations but the problem is that the browser can't know that.
* Setting this pref to true is the only way for the browser to ensure there will be
* no unsafe renegotiations on the channel between the browser and the server.
* [1] https://wiki.mozilla.org/Security:Renegotiation
* [2] https://tools.ietf.org/html/rfc5746
* [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 ***/
user_pref("security.ssl.require_safe_negotiation", true);
/* 1202: control TLS versions with min and max
* 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
@ -706,7 +722,7 @@ user_pref("security.family_safety.mode", 0);
// user_pref("security.nocertdb", true); // [HIDDEN PREF]
/* 1223: enforce strict pinning
* PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict
* [WARNING] If you rely on an AV (antivirus) to protect your web browsing
* [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing
* by inspecting ALL your web traffic, then leave at current default=1
* [1] https://trac.torproject.org/projects/tor/ticket/16206 ***/
user_pref("security.cert_pinning.enforcement_level", 2);
@ -739,8 +755,10 @@ user_pref("security.mixed_content.block_object_subrequest", true);
// user_pref("security.ssl3.rsa_aes_256_sha", false);
/** UI (User Interface) ***/
/* 1270: display warning (red padlock) for "broken security" (see 1201)
* [1] https://wiki.mozilla.org/Security:Renegotiation ***/
/* 1270: display warning on the padlock for "broken security" (if 1201 is false)
* Bug: warning padlock not indicated for subresources on a secure page! [2]
* [1] https://wiki.mozilla.org/Security:Renegotiation
* [2] https://bugzilla.mozilla.org/1353705 ***/
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
/* 1271: control "Add Security Exception" dialog on SSL warnings
* 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)
@ -770,9 +788,10 @@ user_pref("browser.display.use_document_fonts", 0);
/* 1404: disable rendering of SVG OpenType fonts
* [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
user_pref("gfx.font_rendering.opentype_svg.enabled", false);
/* 1408: disable graphite which FF49 turned back on by default
* In the past it had security issues. Update: This continues to be the case, see [1]
* [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 ***/
/* 1408: disable graphite
* Graphite has had many critical security issues in the past, see [1]
* [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778
* [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/
user_pref("gfx.font_rendering.graphite.enabled", false);
/* 1409: limit system font exposure to a whitelist [FF52+] [RESTART]
* If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.
@ -829,8 +848,8 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 0); // [DEFAULT: 0]
* [1] https://bugzilla.mozilla.org/1305144 ***/
user_pref("network.http.referer.hideOnionSource", true);
/* 1610: ALL: enable the DNT (Do Not Track) HTTP header
* [NOTE] DNT is enforced with Tracking Protection regardless of this pref
* [SETTING] Privacy & Security>Content Blocking>Send websites a "Do Not Track"... ***/
* [NOTE] DNT is enforced with Enhanced Tracking Protection regardless of this pref
* [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal... ***/
user_pref("privacy.donottrackheader.enabled", true);
/*** [SECTION 1700]: CONTAINERS
@ -918,9 +937,6 @@ user_pref("media.getusermedia.audiocapture.enabled", false);
// user_pref("media.autoplay.default", 5);
/* 2031: disable autoplay of HTML5 media if you interacted with the site [FF66+] ***/
user_pref("media.autoplay.enabled.user-gestures-needed", false);
/* 2032: disable autoplay of HTML5 media in non-active tabs [FF51+]
* [1] https://www.ghacks.net/2016/11/14/firefox-51-blocks-automatic-audio-playback-in-non-active-tabs/ ***/
user_pref("media.block-autoplay-until-in-foreground", true); // [DEFAULT: true]
/*** [SECTION 2200]: WINDOW MEDDLING & LEAKS / POPUPS ***/
user_pref("_user.js.parrot", "2200 syntax error: the parrot's 'istory!");
@ -1012,14 +1028,12 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!
// user_pref("dom.event.contextmenu.enabled", false);
/* 2402: disable website access to clipboard events/content
* [SETUP-WEB] This will break some sites functionality such as pasting into facebook, wordpress
* this applies to onCut, onCopy, onPaste events - i.e. you have to interact with
* the website for it to look at the clipboard
* [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/ ***/
* This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website
* [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one
* is default false) then enabling this pref can leak clipboard content, see [2]
* [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/
* [2] https://bugzilla.mozilla.org/1528289 */
user_pref("dom.event.clipboardevents.enabled", false);
/* 2403: disable middlemouse paste leaking clipboard content on Linux after autoscroll
* Defense in depth if clipboard events are enabled (see 2402)
* [1] https://bugzilla.mozilla.org/1528289 */
user_pref("middlemouse.paste", false); // [DEFAULT: false on Windows]
/* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
* this disables document.execCommand("cut"/"copy") to protect your clipboard
* [1] https://bugzilla.mozilla.org/1170911 ***/
@ -1117,11 +1131,9 @@ user_pref("browser.uitour.url", "");
* [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
* [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/
user_pref("devtools.chrome.enabled", false);
/* 2608: disable WebIDE to prevent remote debugging and ADB extension download
/* 2608: disable remote debugging
* [1] https://trac.torproject.org/projects/tor/ticket/16222 ***/
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false); // [DEFAULT: false FF70+]
user_pref("devtools.webide.autoinstallADBExtension", false); // [FF64+]
/* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
* [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#misc
* [1] https://bugzilla.mozilla.org/1173199 ***/
@ -1148,8 +1160,8 @@ user_pref("permissions.manager.defaultsUrl", "");
/* 2617: remove webchannel whitelist ***/
user_pref("webchannel.allowObject.urlWhitelist", "");
/* 2619: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
* Firefox has *some* protections, but it is better to be safe than sorry. The downside: it will also
* display legitimate IDN's punycoded, which might be undesirable for users of non-latin alphabets
* Firefox has *some* protections, but it is better to be safe than sorry
* [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded
* [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
* [1] https://wiki.mozilla.org/IDN_Display_Algorithm
* [2] https://en.wikipedia.org/wiki/IDN_homograph_attack
@ -1231,8 +1243,10 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin
* 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies,
* 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (FF63+) (default FF69+)
* [NOTE] You can set exceptions under site permissions or use an extension
* [SETTING] Privacy & Security>Content Blocking>Custom>Choose what to block>Cookies ***/
* [NOTE] Enforcing category to custom ensures ETP related prefs are always honored
* [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/
user_pref("network.cookie.cookieBehavior", 1);
user_pref("browser.contentblocking.category", "custom");
/* 2702: set third-party cookies (i.e ALL) (if enabled, see 2701) to session-only
and (FF58+) set third-party non-secure (i.e HTTP) cookies to session-only
[NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
@ -1249,20 +1263,8 @@ user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
* [WARNING] This will break a LOT of sites' functionality AND extensions!
* You are better off using an extension for more granular control ***/
// user_pref("dom.storage.enabled", false);
/* 2720: enforce IndexedDB (IDB) as enabled
* IDB is required for extensions and Firefox internals (even before FF63 in [1])
* To control *website* IDB data, control allowing cookies and service workers, or use
* Temporary Containers. To mitigate *website* IDB, FPI helps (4001), and/or sanitize
* on close (Offline Website Data, see 2800) or on-demand (Ctrl-Shift-Del), or automatically
* via an extension. Note that IDB currently cannot be sanitized by host.
* [1] https://blog.mozilla.org/addons/2018/08/03/new-backend-for-storage-local-api/ ***/
user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true]
/* 2730: disable offline cache ***/
user_pref("browser.cache.offline.enable", false);
/* 2731: enforce websites to ask to store data for offline use
* [1] https://support.mozilla.org/questions/1098540
* [2] https://bugzilla.mozilla.org/959985 ***/
user_pref("offline-apps.allow_by_default", false);
/* 2740: disable service worker cache and cache storage
* [NOTE] We clear service worker cache on exiting Firefox (see 2803)
* [1] https://w3c.github.io/ServiceWorker/#privacy ***/
@ -1350,7 +1352,7 @@ user_pref("privacy.sanitize.timeSpan", 0);
** 1542309 - isolate top-level domain URLs when host is in the public suffix list (FF68+)
** 1506693 - isolate pdfjs range-based requests (FF68+)
** 1330467 - isolate site permissions (FF69+)
** 1534339 - isolate IPv6 (coming soon)
** 1534339 - isolate IPv6 (FF73+)
***/
user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
/* 4001: enable First Party Isolation [FF51+]
@ -1365,7 +1367,7 @@ user_pref("privacy.firstparty.isolate", true);
* [1] https://bugzilla.mozilla.org/1319773#c22
* [2] https://bugzilla.mozilla.org/1492607
* [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/
user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
// user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
// user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF ESR]
/*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
@ -1427,7 +1429,7 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAUL
FF65: pointerEvent.pointerid (1492766)
** 1485266 - disable exposure of system colors to CSS or canvas (see 4615) (FF67+)
** 1407366 - enable inner window letterboxing (see 4504) (FF67+)
** 1540726 - return "light" with prefers-color-scheme (FF67+)
** 1540726 - return "light" with prefers-color-scheme (see 4616) (FF67+)
[1] https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme
** 1564422 - spoof audioContext outputLatency (FF70+)
** 1595823 - spoof audioContext sampleRate (FF72+)
@ -1557,6 +1559,9 @@ user_pref("dom.w3c_pointer_events.enabled", false);
// [SETUP-CHROME] Might affect CSS in themes and extensions
// [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876
user_pref("ui.use_standins_for_native_colors", true);
// 4616: enforce prefers-color-scheme as light [FF67+]
// 0=light, 1=dark : This overrides your OS value
user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
// * * * /
// ***/
@ -1601,8 +1606,6 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
// user_pref("browser.tabs.warnOnOpen", false);
// user_pref("full-screen-api.warning.delay", 0);
// user_pref("full-screen-api.warning.timeout", 0);
// user_pref("general.warnOnAboutConfig", false);
// user_pref("browser.aboutConfig.showWarning", false); // [FF67+]
/* APPEARANCE ***/
// user_pref("browser.download.autohideButton", false); // [FF57+]
// user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+]
@ -1616,10 +1619,10 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
// user_pref("browser.tabs.closeWindowWithLastTab", false);
// user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+]
// user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+]
// user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [WINDOWS] [MAC]
// user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux]
// user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
// user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under]
/* UX: FEATURES: disable and hide the icons and menus ***/
/* UX FEATURES: disable and hide the icons and menus ***/
// user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New [FF69+]
// user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
// user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART]
@ -1634,130 +1637,11 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
// user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
/*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED
Documentation denoted as [-]. Items deprecated prior to FF61 have been archived at [1], which
also provides a link-clickable, viewer-friendly version of the deprecated bugzilla tickets
Documentation denoted as [-]. Items deprecated in FF68 or earlier have been archived at [1],
which also provides a link-clickable, viewer-friendly version of the deprecated bugzilla tickets
[1] https://github.com/ghacksuserjs/ghacks-user.js/issues/123
***/
user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!");
/* FF61
// 0501: disable experiments
// [1] https://wiki.mozilla.org/Telemetry/Experiments
// [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1420908,1450801
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
user_pref("experiments.supported", false);
user_pref("experiments.activeExperiment", false);
// 2612: disable remote JAR files being opened, regardless of content type [FF42+]
// [1] https://bugzilla.mozilla.org/1173171
// [2] https://www.fxsitecompat.com/en-CA/docs/2015/jar-protocol-support-has-been-disabled-by-default/
// [-] https://bugzilla.mozilla.org/1427726
user_pref("network.jar.block-remote-files", true);
// 2613: disable JAR from opening Unsafe File Types
// [-] https://bugzilla.mozilla.org/1427726
user_pref("network.jar.open-unsafe-types", false);
// ***/
/* FF62
// 1803: disable Java plugin
// [-] (part5) https://bugzilla.mozilla.org/1461243
user_pref("plugin.state.java", 0);
// ***/
/* FF63
// 0205: disable GeoIP-based search results
// [NOTE] May not be hidden if Firefox has changed your settings due to your locale
// [-] https://bugzilla.mozilla.org/1462015
user_pref("browser.search.countryCode", "US"); // [HIDDEN PREF]
// 0301a: disable auto-update checks for Firefox
// [SETTING] General>Firefox Updates>Never check for updates
// [-] https://bugzilla.mozilla.org/1420514
// user_pref("app.update.enabled", false);
// 0503: disable "Savant" Shield study [FF61+]
// [-] https://bugzilla.mozilla.org/1457226
user_pref("shield.savant.enabled", false);
// 1031: disable favicons in tabs and new bookmarks - merged into browser.chrome.site_icons
// [-] https://bugzilla.mozilla.org/1453751
// user_pref("browser.chrome.favicons", false);
// 2030: disable autoplay of HTML5 media - replaced by media.autoplay.default
// This may break video playback on various sites
// [-] https://bugzilla.mozilla.org/1470082
user_pref("media.autoplay.enabled", false);
// 2704: set cookie lifetime in days (see 2703)
// [-] https://bugzilla.mozilla.org/1457170
// user_pref("network.cookie.lifetime.days", 90); // [DEFAULT: 90]
// 5000's: enable "Ctrl+Tab cycles through tabs in recently used order" - replaced by browser.ctrlTab.recentlyUsedOrder
// [-] https://bugzilla.mozilla.org/1473595
// user_pref("browser.ctrlTab.previews", true);
// ***/
/* FF64
// 0516: disable Onboarding [FF55+]
// Onboarding is an interactive tour/setup for new installs/profiles and features. Every time
// about:home or about:newtab is opened, the onboarding overlay is injected into that page
// [NOTE] Onboarding uses Google Analytics [2], and leaks resource://URIs [3]
// [1] https://wiki.mozilla.org/Firefox/Onboarding
// [2] https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf
// [3] https://bugzilla.mozilla.org/863246#c154
// [-] https://bugzilla.mozilla.org/1462415
user_pref("browser.onboarding.enabled", false);
// 2608: disable WebIDE ADB extension downloads - both renamed
// [1] https://trac.torproject.org/projects/tor/ticket/16222
// [-] https://bugzilla.mozilla.org/1491315
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.webide.adbAddonURL", "");
// 2681: disable CSP violation events [FF59+]
// [1] https://developer.mozilla.org/docs/Web/API/SecurityPolicyViolationEvent
// [-] https://bugzilla.mozilla.org/1488165
user_pref("security.csp.enable_violation_events", false);
// ***/
/* FF65
// 0850a: disable location bar autocomplete and suggestion types
// If you enforce any of the suggestion types (see the other 0850a), you MUST enforce 'autocomplete'
// - If *ALL* of the suggestion types are false, 'autocomplete' must also be false
// - If *ANY* of the suggestion types are true, 'autocomplete' must also be true
// [-] https://bugzilla.mozilla.org/1502392
user_pref("browser.urlbar.autocomplete.enabled", false);
// 0908: remove user & password info when attempting to fix an entered URL (i.e. 0802 is true)
// e.g. //user:password@foo -> //user@(prefix)foo(suffix) NOT //user:password@(prefix)foo(suffix)
// [-] https://bugzilla.mozilla.org/1510580
user_pref("browser.fixup.hide_user_pass", true); // [DEFAULT: true]
// ***/
/* FF66
// 0380: disable Browser Error Reporter [FF60+]
// [1] https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection
// [2] https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html
// [-] https://bugzilla.mozilla.org/1509888
user_pref("browser.chrome.errorReporter.enabled", false);
user_pref("browser.chrome.errorReporter.submitUrl", "");
// 0502: disable Mozilla permission to silently opt you into tests
// [-] https://bugzilla.mozilla.org/1415625
user_pref("network.allow-experiments", false);
// ***/
/* FF67
// 2428: enforce DOMHighResTimeStamp API
// [WARNING] Required for normalization of timestamps and any timer resolution mitigations
// [-] https://bugzilla.mozilla.org/1485264
user_pref("dom.event.highrestimestamp.enabled", true); // [DEFAULT: true]
// 5000's: disable CFR [FF64+] - split into two new prefs: *cfr.addons, *cfr.features
// [SETTING] General>Browsing>Recommend extensions as you browse
// [1] https://support.mozilla.org/en-US/kb/extension-recommendations
// [-] https://bugzilla.mozilla.org/1528953
// user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false);
// ***/
/* FF68
// 0105b: disable Activity Stream Legacy Snippets
// [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1546190,1540939
user_pref("browser.newtabpage.activity-stream.disableSnippets", true);
user_pref("browser.aboutHomeSnippets.updateUrl", "");
// 0307: disable auto updating of lightweight themes (LWT)
// Not to be confused with themes in 0301* + 0302*, which use the FF55+ Theme API
// Mozilla plan to convert existing LWTs and remove LWT support in the future, see [1]
// [1] https://blog.mozilla.org/addons/2018/09/20/future-themes-here/
// [-] (part3b) https://bugzilla.mozilla.org/1525762
user_pref("lightweightThemes.update.enabled", false);
// 2682: enable CSP 1.1 experimental hash-source directive [FF29+]
// [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=855326,883975
// [-] https://bugzilla.mozilla.org/1386214
user_pref("security.csp.experimentalEnabled", true);
// ***/
/* ESR68.x still uses all the following prefs
// [NOTE] replace the * with a slash in the line above to re-enable them
// FF69
@ -1771,6 +1655,35 @@ user_pref("plugins.click_to_play", true); // [DEFAULT: true FF25+]
// [-] https://bugzilla.mozilla.org/1562331
// user_pref("media.autoplay.allow-muted", false);
// * * * /
// FF71
// 2608: disable WebIDE and ADB extension download
// [1] https://trac.torproject.org/projects/tor/ticket/16222
// [-] https://bugzilla.mozilla.org/1539462
user_pref("devtools.webide.enabled", false); // [DEFAULT: false FF70+]
user_pref("devtools.webide.autoinstallADBExtension", false); // [FF64+]
// 2731: enforce websites to ask to store data for offline use
// [1] https://support.mozilla.org/questions/1098540
// [2] https://bugzilla.mozilla.org/959985
// [-] https://bugzilla.mozilla.org/1574480
user_pref("offline-apps.allow_by_default", false);
// * * * /
// FF72
// 0105a: disable Activity Stream telemetry
// [-] https://bugzilla.mozilla.org/1597697
user_pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", "");
// 0330: disable Hybdrid Content telemetry
// [-] https://bugzilla.mozilla.org/1520491
user_pref("toolkit.telemetry.hybridContent.enabled", false); // [FF59+]
// 2720: enforce IndexedDB (IDB) as enabled
// IDB is required for extensions and Firefox internals (even before FF63 in [1])
// To control *website* IDB data, control allowing cookies and service workers, or use
// Temporary Containers. To mitigate *website* IDB, FPI helps (4001), and/or sanitize
// on close (Offline Website Data, see 2800) or on-demand (Ctrl-Shift-Del), or automatically
// via an extension. Note that IDB currently cannot be sanitized by host.
// [1] https://blog.mozilla.org/addons/2018/08/03/new-backend-for-storage-local-api/
// [-] https://bugzilla.mozilla.org/1488583
user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true]
// * * * /
// ***/
/* END: internal custom pref to test for syntax errors ***/