/******
*    name: thunderbird user.js
*    date: 21 April 2024
* version: v115.0
*     url: https://github.com/HorlogeSkynet/thunderbird-user.js
* license: MIT (https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/LICENSE)
* README:
  1. Consider using Tor if it meets your needs or fits your threat model
       * https://2019.www.torproject.org/about/torusers.html
  2. Read the entire wiki
       * https://github.com/HorlogeSkynet/thunderbird-user.js/wiki
  3. If you skipped step 2, return to step 2
  4. Make changes
       * There are often trade-offs and conflicts between security vs privacy vs anti-tracking
         and these need to be balanced against functionality & convenience & breakage
       * Some site breakage and unintended consequences will happen. Everyone's experience will differ
         e.g. some user data is erased on exit (section 2800), change this to suit your needs
       * While not 100% definitive, search for "[SETUP" tags
         e.g. wanna re-enable account auto configuration? check 9101 & 9102
  5. Some tag info
       [SETUP-INSTALL] if you experience any issue during Thunderbird setting up, read it
       [SETUP-FEATURE] if you miss some (expected) Thunderbird features, read it
       [SETUP-SECURITY] it's one item, read it
       [SETUP-WEB] can cause some websites to break
       [SETUP-CHROME] changes how Thunderbird itself behaves (i.e. not directly website related)

* RELEASES: https://github.com/HorlogeSkynet/thunderbird-user.js/releases
  * It is best to use the release that is optimized for and matches your Thunderbird version
  * ESR102
    - If you are not using thunderbird-user.js v102-1... (not a definitive list)
      - 2815: clearOnShutdown cookies + offlineApps should be false
      - 9999: switch the appropriate deprecated section(s) back on

* INDEX:

  0100: STARTUP
  0200: GEOLOCATION / LANGUAGE / LOCALE
  0300: QUIETER BIRD
  0400: SAFE BROWSING
  0600: BLOCK IMPLICIT OUTBOUND
  0700: DNS / DoH / PROXY / SOCKS
  0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS
  0900: PASSWORDS
  1000: DISK AVOIDANCE
  1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP)
  1400: FONTS
  1600: REFERERS
  1700: CONTAINERS
  2000: PLUGINS / MEDIA / WEBRTC
  2400: DOM (DOCUMENT OBJECT MODEL)
  2600: MISCELLANEOUS
  2700: ETP (ENHANCED TRACKING PROTECTION)
  2800: SHUTDOWN & SANITIZING
  4500: RFP (RESIST FINGERPRINTING)
  5000: OPTIONAL OPSEC
  5500: OPTIONAL HARDENING
  6000: DON'T TOUCH
  7000: DON'T BOTHER
  8000: DON'T BOTHER: FINGERPRINTING
  9000: NON-PROJECT RELATED
  9100: THUNDERBIRD (AUTO CONFIG / UI / HEADERS / ADDRESS BOOK)
  9200: EMAIL COMPOSITION (ENCODING / FORMAT / VIEW)
  9300: OTHER THUNDERBIRD COMPONENTS (CHAT / CALENDAR / RSS)
  9400: THUNDERBIRD ENCRYPTION (OPENPGP / GNUPG)
  9999: DEPRECATED / REMOVED / LEGACY / RENAMED
******/
/* START: internal custom pref to test for syntax errors
 * [NOTE] Not all syntax errors cause parsing to abort i.e. reaching the last debug pref
 * no longer necessarily means that all prefs have been applied. Check the console right
 * after startup for any warnings/error messages related to non-applied prefs
 * [1] https://blog.mozilla.org/nnethercote/2018/03/09/a-new-preferences-parser-for-firefox/ ***/
user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?");
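/* [EXAMPLE] Added here, not part of thunderbird-user.js: a pre-flight lint for the case the [NOTE] above
 * describes, where the last parrot is reached although some prefs were skipped. The names lintUserJs,
 * splitStatements, PREF_RE and SAMPLE are hypothetical, and the accepted grammar is an assumption: a
 * strict check of this file's own user_pref("name", value); convention, not Thunderbird's parser ***/

```javascript
// One statement in the form this file uses: user_pref("name", true|false|int|"string")
// (assumption: a strict convention check, not a port of Thunderbird's own parser).
const PREF_RE =
  /^user_pref\s*\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)$/;

// Split text into ';'-terminated statements and drop comments. The scanner is
// string-aware, so the "//" in "https://..." is never mistaken for a comment.
function splitStatements(text) {
  const statements = [], tail = [];
  let state = 'code', buf = '', line = 1, startLine = 0, commentLine = 0;
  for (let i = 0; i < text.length; i++) {
    const c = text[i], next = text[i + 1];
    if (state === 'block') {
      if (c === '*' && next === '/') { state = 'code'; i++; }
    } else if (state === 'line') {
      if (c === '\n') state = 'code';
    } else if (state === 'string') {
      buf += c;
      if (c === '\\' && next !== undefined) {
        buf += next; i++;
        if (next === '\n') line++;
      } else if (c === '"') state = 'code';
    } else if (c === '/' && next === '*') {
      state = 'block'; commentLine = line; i++;
    } else if (c === '/' && next === '/') {
      state = 'line'; i++;
    } else if (c === ';') {
      statements.push({ line: startLine || line, text: buf.trim() });
      buf = ''; startLine = 0;
    } else {
      if (c === '"') state = 'string';
      if (!startLine && c.trim()) startLine = line;
      buf += c;
    }
    if (c === '\n') line++;
  }
  // Anything left over never reached a ';' or a closing '*/'.
  if (state === 'block') tail.push({ line: commentLine, text: 'unterminated /* comment' });
  if (buf.trim()) tail.push({ line: startLine, text: buf.trim() });
  return { statements, tail };
}

// Report which prefs are well-formed, which statements are not, and the parrot
// value that was current when each bad statement was met (i.e. its section).
function lintUserJs(text) {
  const { statements, tail } = splitStatements(text);
  const report = { applied: [], errors: [], lastParrot: null };
  for (const s of statements) {
    const m = PREF_RE.exec(s.text);
    if (!m) {
      report.errors.push({ line: s.line, text: s.text, afterParrot: report.lastParrot });
    } else if (m[1] === '_user.js.parrot') {
      report.lastParrot = m[2].slice(1, -1);
    } else {
      report.applied.push(m[1]);
    }
  }
  for (const t of tail) report.errors.push({ ...t, afterParrot: report.lastParrot });
  return report;
}

// Constructed sample (not a real profile): two good prefs, one inactive pref,
// two malformed statements and a comment that is never closed.
const SAMPLE = [
  '/* constructed sample ***/',
  'user_pref("_user.js.parrot", "START");',
  'user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");',
  'user_pref("_user.js.parrot", "0300 syntax error");',
  'user_pref("toolkit.telemetry.server", "data:,");',
  '// user_pref("mail.biff.show_alert", false);',
  'user _pref("toolkit.telemetry.unified", false); // space inside the keyword',
  'user_pref("toolkit.telemetry.enabled", flase);  // misspelled literal',
  'user_pref("_user.js.parrot", "END");',
  '/* comment that is never closed',
].join('\n');

// The final parrot is reached even though three problems were found on the way.
console.log(JSON.stringify(lintUserJs(SAMPLE), null, 2));
```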
/* 0000: disable about:config warning ***/
user_pref("browser.aboutConfig.showWarning", false);

/*** [SECTION 0100]: STARTUP ***/
user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
/* 0102: set START page [SETUP-CHROME]
 * [SETTING] General > Thunderbird Start Page ***/
user_pref("mailnews.start_page.enabled", false);
/* 0104: set NEWTAB page
 * true=? (default), false=blank page ***/
user_pref("browser.newtabpage.enabled", false);

/*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/
user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
/* 0201: use Mozilla geolocation service instead of Google if permission is granted [FF74+]
 * Optionally enable logging to the console (defaults to false) ***/
user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
// user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF]
/* 0202: disable using the OS's geolocation service ***/
user_pref("geo.provider.ms-windows-location", false); // [WINDOWS]
user_pref("geo.provider.use_corelocation", false); // [MAC]
user_pref("geo.provider.use_gpsd", false); // [LINUX]
user_pref("geo.provider.use_geoclue", false); // [FF102+] [LINUX]
/* 0210: set preferred language for displaying pages
 * [SETTING] General > Language & Appearance > Language > Choose the language used to display ...
 * [TEST] https://addons.mozilla.org/about ***/
user_pref("intl.accept_languages", "en-US, en");
/* 0210b: Set dictionary to US ***/
user_pref("spellchecker.dictionary", "en-US");
/* 0211: use en-US locale regardless of the system or region locale
 * [SETUP-WEB] May break some input methods e.g. xim/ibus for CJK languages [1]
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/
user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]

/*** [SECTION 0300]: QUIETER BIRD ***/
user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!");
/** RECOMMENDATIONS ***/
/* 0320: disable recommendation pane in about:addons (uses Google Analytics) ***/
user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF]
/* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/
user_pref("extensions.htmlaboutaddons.recommendations.enabled", false);
/** TELEMETRY ***/
/* 0330: disable new data submission [FF41+]
 * If disabled, no policy is shown or upload takes place, ever
 * [1] https://bugzilla.mozilla.org/1195552
 * [2] https://searchfox.org/comm-esr115/source/mail/components/telemetry/README.md#165 ***/
user_pref("datareporting.policy.dataSubmissionEnabled", false);
user_pref("datareporting.policy.dataSubmissionPolicyBypassNotification", true);
/* 0331: disable Health Reports
 * [SETTING] Privacy & Security > Thunderbird Data Collection and Use > Allow Thunderbird to send technical ... ***/
user_pref("datareporting.healthreport.uploadEnabled", false);
/* 0332: disable telemetry
 * The "unified" pref affects the behavior of the "enabled" pref
 * - If "unified" is false then "enabled" controls the telemetry module
 * - If "unified" is true then "enabled" only controls whether to record extended data
 * [NOTE] "toolkit.telemetry.enabled" is now LOCKED to reflect prerelease (true) or release builds (false) [2]
 * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html
 * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.enabled", false); // see [NOTE]
user_pref("toolkit.telemetry.server", "data:,");
user_pref("toolkit.telemetry.archive.enabled", false);
user_pref("toolkit.telemetry.newProfilePing.enabled", false); // [FF55+]
user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // [FF55+]
user_pref("toolkit.telemetry.updatePing.enabled", false); // [FF56+]
user_pref("toolkit.telemetry.bhrPing.enabled", false); // [FF57+] Background Hang Reporter
user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+]
/* 0333: disable Telemetry Coverage
 * [1] https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ ***/
user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF]
user_pref("toolkit.coverage.opt-out", true); // [FF64+] [HIDDEN PREF]
user_pref("toolkit.coverage.endpoint.base", "");
/* 0334: disable PingCentre telemetry (used in several System Add-ons) [FF57+]
 * Defense-in-depth: currently covered by 0331 ***/
user_pref("browser.ping-centre.telemetry", false);
/** STUDIES ***/
/* 0340: disable Studies
 * [NOTE] This option is missing from Thunderbird's preferences panel (hidden?) ***/
user_pref("app.shield.optoutstudies.enabled", false);
/* 0341: disable Normandy/Shield [FF60+]
 * Shield is a telemetry system that can push and test "recipes"
 * [1] https://mozilla.github.io/normandy/ ***/
user_pref("app.normandy.enabled", false);
user_pref("app.normandy.api_url", "");
/** CRASH REPORTS ***/
/* 0350: disable Crash Reports ***/
user_pref("breakpad.reportURL", "");
user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+]
// user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+] [DEFAULT: false]
/* 0351: enforce no submission of backlogged Crash Reports [FF58+]
 * [SETTING] Privacy & Security > Thunderbird Data Collection and Use > Allow Thunderbird to send backlogged crash reports ... ***/
user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DEFAULT: false]
/** OTHER ***/
/* 0360: disable Captive Portal detection
 * [1] https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy ***/
user_pref("captivedetect.canonicalURL", "");
user_pref("network.captive-portal-service.enabled", false); // [FF52+]
/* 0361: disable Network Connectivity checks [FF65+]
 * [1] https://bugzilla.mozilla.org/1460537 ***/
user_pref("network.connectivity-service.enabled", false);
/* 0370: disable UI instrumentation ***/
user_pref("mail.instrumentation.postUrl", "");
user_pref("mail.instrumentation.askUser", false);
user_pref("mail.instrumentation.userOptedIn", false);
/* 0371: disable about:rights notification on fresh profiles
 * When a profile is loaded for the first time, a bottom notification appears with a button
 * showing "Know your rights...". If clicked, the _special_ page about:rights appears.
 * When `mail.rights.override` is unset (default), Thunderbird falls back on the `mail.rights.version`
 * value. If it's unset (default too) or lower than the current version, the notification is displayed.
 * false=always show the notification
 * true=never show the notification
 * [1] https://searchfox.org/comm-esr102/source/mail/base/content/specialTabs.js#1266 ***/
user_pref("mail.rights.override", true); // [DEFAULT: unset]
// user_pref("mail.rights.version", 1); // [DEFAULT: unset]
/* 0372: allow Thunderbird usage without any configured email account [SETUP-INSTALL]
 * [NOTE] Only enable this if you don't plan to use emails at all and want to hide the account setup ***/
// user_pref("app.use_without_mail_account", true);
/* 0373: disable warning when customizing "From address" ***/
// user_pref("mail.compose.warned_about_customize_from", true);
/* 0374: prevent donation appeal page opening on fresh profiles
 * $url Web page is opened if $viewed is lower than $version (and 0330 policy bypass notification is disabled)
 * [1] https://searchfox.org/comm-esr115/source/mail/base/content/messenger.js#455 ***/
// user_pref("app.donation.eoy.version", 2);
user_pref("app.donation.eoy.version.viewed", 999);
// user_pref("app.donation.eoy.url", "https://www.thunderbird.net/thunderbird/115.0/appeal/");
/* 0380: disable the new/unread message count badge on taskbar icon
 * [1] https://www.thunderbird.net/en-US/thunderbird/91.0.2/releasenotes/#whatsnew */
// user_pref("mail.biff.show_badge", false); // [WINDOWS]
/* 0381: show the number of "new" messages on taskbar icon (not the number of unread ones) ***/
// user_pref("mail.biff.use_new_count_in_badge", true);
/* 0390: disable new email alerts
 * [SETTING] General > Incoming Mails > When new messages arrive > Show an alert ***/
// user_pref("mail.biff.show_alert", false);
/* 0391: control the kind of information disclosed in new email alerts
 * These preferences MAY be appreciated in environments with inquisitive eyes wandering behind your screen.
 * [SETTING] General > Incoming Mails > When new messages arrive > Show an alert > Customize ... ***/
// user_pref("mail.biff.alert.show_preview", false);
// user_pref("mail.biff.alert.show_subject", false);
// user_pref("mail.biff.alert.show_sender", false);
// user_pref("mail.biff.alert.preview_length", 40); // [HIDDEN PREF]

/*** [SECTION 0400]: SAFE BROWSING (SB)
   SB has taken many steps to preserve privacy. If required, a full url is never sent
   to Google, only a part-hash of the prefix, hidden with noise of other real part-hashes.
   Thunderbird takes measures such as stripping out identifying parameters and since SBv4 (FF57+)
   doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity)
   [1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
   [2] https://wiki.mozilla.org/Security/Safe_Browsing
   [3] https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work
   [4] https://educatedguesswork.org/posts/safe-browsing-privacy/
***/
user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!");
/* 0401: disable SB (Safe Browsing)
 * [WARNING] Do this at your own risk! These are the master switches ***/
// user_pref("browser.safebrowsing.malware.enabled", false);
// user_pref("browser.safebrowsing.phishing.enabled", false);
/* 0402: disable SB checks for downloads (both local lookups + remote)
 * This is the master switch for the safebrowsing.downloads* prefs (0403, 0404) ***/
// user_pref("browser.safebrowsing.downloads.enabled", false);
/* 0403: disable SB checks for downloads (remote)
 * To verify the safety of certain executable files, Thunderbird may submit some information about the
 * file, including the name, origin, size and a cryptographic hash of the contents, to the Google
 * Safe Browsing service which helps Thunderbird determine whether or not the file should be blocked
 * [SETUP-SECURITY] If you do not understand this, or you want this protection, then override this ***/
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
// user_pref("browser.safebrowsing.downloads.remote.url", ""); // Defense-in-depth
/* 0404: disable SB checks for unwanted software ***/
// user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
// user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
/* 0405: disable "ignore this warning" on SB warnings [FF45+]
 * If clicked, it bypasses the block for that session. This is a means for admins to enforce SB
 * [TEST] see https://github.com/arkenfox/user.js/wiki/Appendix-A-Test-Sites#-mozilla
 * [1] https://bugzilla.mozilla.org/1226490 ***/
// user_pref("browser.safebrowsing.allowOverride", false);

/*** [SECTION 0600]: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - e.g. clicked on] ***/
user_pref("_user.js.parrot", "0600 syntax error: the parrot's no more!");
/* 0601: disable link prefetching
 * [1] https://developer.mozilla.org/docs/Web/HTTP/Link_prefetching_FAQ ***/
user_pref("network.prefetch-next", false);
/* 0602: disable DNS prefetching
 * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/
user_pref("network.dns.disablePrefetch", true);
// user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true]
/* 0603: disable predictor / prefetching ***/
user_pref("network.predictor.enabled", false);
user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false]
/* 0604: disable link-mouseover opening connection to linked server
 * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/
user_pref("network.http.speculative-parallel-limit", 0);
/* 0610: enforce no "Hyperlink Auditing" (click tracking)
 * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/
// user_pref("browser.send_pings", false); // [DEFAULT: false]
/* 0610: don't refresh nor reload pages when tab/window is not active or in idle state
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=518805 ***/
user_pref("browser.meta_refresh_when_inactive.disabled", true);

/*** [SECTION 0700]: DNS / DoH / PROXY / SOCKS ***/
user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!");
/* 0702: set the proxy server to do any DNS lookups when using SOCKS
 * e.g. in Tor, this stops your local DNS server from knowing your Tor destination
 * as a remote Tor node will handle the DNS request
 * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
user_pref("network.proxy.socks_remote_dns", true);
/* 0703: disable using UNC (Uniform Naming Convention) paths [FF61+]
 * [SETUP-CHROME] Can break extensions for profiles on network shares
 * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/
user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
/* 0704: disable GIO as a potential proxy bypass vector [FF60+]
 * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer,
 * dav, cdda, gphoto2, trash, etc. By default only sftp is accepted (FF87+)
 * [1] https://bugzilla.mozilla.org/1433507
 * [2] https://en.wikipedia.org/wiki/GVfs
 * [3] https://en.wikipedia.org/wiki/GIO_(software) ***/
user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
/* 0705: disable proxy direct failover for system requests [FF91+]
 * [WARNING] Default true is a security feature against malicious extensions [1]
 * [SETUP-CHROME] If you use a proxy and you trust your extensions
 * [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/
// user_pref("network.proxy.failover_direct", false);
/* 0706: disable proxy bypass for system request failures [FF95+]
 * RemoteSettings, UpdateService, Telemetry [1]
 * [WARNING] If false, this will break the fallback for some security features
 * [SETUP-CHROME] If you use a proxy and you understand the security impact
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 ***/
// user_pref("network.proxy.allow_bypass", false);
/* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+]
 * 0=default, 2=increased (TRR (Trusted Recursive Resolver) first), 3=max (TRR only), 5=off
 * see "doh-rollout.home-region": USA 2019, Canada 2021, Russia/Ukraine 2022 [3]
 * [SETTING] General > Network & Disk Space > Connection > Settings... > Enable DNS over HTTPS
 * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
 * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy
 * [3] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
 * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
// user_pref("network.trr.mode", 5);
/* 0706: disable proxy direct failover for system requests [FF91+]
 * [WARNING] Default true is a security feature against malicious extensions [1]
 * [SETUP-CHROME] If you use a proxy and you trust your extensions
 * [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/
// user_pref("network.proxy.failover_direct", false);

/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/
user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
/* 0802: disable location bar domain guessing
 * domain guessing intercepts DNS "hostname not found errors" and resends a
 * request (e.g. by adding www or .com). This is inconsistent use (e.g. FQDNs), does not work
 * via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com
 * as the 411 for DNS errors?), privacy issues (why connect to sites you didn't
 * intend to), can leak sensitive data (e.g. query strings: e.g. Princeton attack),
 * and is a security risk (e.g. common typos & malicious sites set up to exploit this) ***/
user_pref("browser.fixup.alternate.enabled", false); // [DEFAULT: false FF104+]
/* 0804: disable live search suggestions
 * [NOTE] Both must be true for the location bar to work
 * [SETUP-CHROME] Override this if you trust and use a privacy respecting search engine ***/
user_pref("browser.search.suggest.enabled", false);
/* 0810: disable search and form history
 * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
 * [NOTE] We also clear formdata on exit (2811)
 * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
 * [2] https://bugzilla.mozilla.org/381681 ***/
user_pref("browser.formfill.enable", false);
/* 0820: disable coloring of visited links
 * Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive
 * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing
 * attacks. Don't forget clearing history on exit (2811). However, social engineering [2#limits][4][5]
 * and advanced targeted timing attacks could still produce usable results
 * [1] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector
 * [2] https://dbaron.org/mozilla/visited-privacy
 * [3] https://bugzilla.mozilla.org/1632765
 * [4] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use)
 * [5] https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html ***/
user_pref("layout.css.visited_links_enabled", false);

/*** [SECTION 0900]: PASSWORDS
   [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas
***/
user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!");
/* 0903: disable auto-filling username & password form fields
 * can leak in cross-site forms *and* be spoofed
 * [NOTE] Username & password is still available when you enter the field
 * [1] https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
 * [2] https://homes.esat.kuleuven.be/~asenol/leaky-forms/ ***/
user_pref("signon.autofillForms", false);
/* 0904: disable formless login capture for Password Manager [FF51+] ***/
user_pref("signon.formlessCapture.enabled", false);
/* 0905: limit (or disable) HTTP authentication credentials dialogs triggered by sub-resources [FF41+]
 * hardens against potential credentials phishing
 * 0 = don't allow sub-resources to open HTTP authentication credentials dialogs
 * 1 = don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs
 * 2 = allow sub-resources to open HTTP authentication credentials dialogs (default) ***/
user_pref("network.auth.subresource-http-auth-allow", 1);
/* 0906: enforce no automatic authentication on Microsoft sites [FF91+] [WINDOWS 10+]
 * [1] https://support.mozilla.org/kb/windows-sso ***/
// user_pref("network.http.windows-sso.enabled", false); // [DEFAULT: false]
/* 0910: prevent access to emails until the master password is entered
 * If a master password has been set, Thunderbird will prevent access to locally available emails
 * until the secret is provided.
 * This preference MAY mitigate risk due to intimate relationship threat in some cases (see [2])...
 * [WARNING] This DOES NOT encrypt locally cached emails anyhow (poor man's application security)
 * [WARNING] This preference is very buggy, you might not manage to start Thunderbird when it's switched on
 * [1] https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-master-password
 * [2] https://www.schneier.com/wp-content/uploads/2020/06/Privacy_Threats_in_Intimate_Relationships-1.pdf ***/
// user_pref("mail.password_protect_local_cache", true); // [HIDDEN PREF]

/*** [SECTION 1000]: DISK AVOIDANCE ***/
user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
2019-11-24 18:51:29 +01:00
/ * 1 0 0 1 : d i s a b l e d i s k c a c h e
2021-09-18 20:15:26 +02:00
* [ SETUP - CHROME ] If you think disk cache helps perf , then feel free to override this
2022-07-14 13:05:16 +02:00
* [ NOTE ] We also clear cache on exit ( 2811 ) * * * /
2019-11-24 01:00:00 +01:00
user _pref ( "browser.cache.disk.enable" , false ) ;
2021-09-18 20:15:26 +02:00
/ * 1 0 0 2 : d i s a b l e m e d i a c a c h e f r o m w r i t i n g t o d i s k i n P r i v a t e B r o w s i n g
2022-07-14 13:05:16 +02:00
* [ NOTE ] MSE ( Media Source Extensions ) are already stored in - memory in PB * * * /
2021-09-18 20:15:26 +02:00
user _pref ( "browser.privatebrowsing.forceMediaMemoryCache" , true ) ; // [FF75+]
user _pref ( "media.memory_cache_max_size" , 65536 ) ;
/ * 1 0 0 3 : d i s a b l e s t o r i n g e x t r a s e s s i o n d a t a [ S E T U P - C H R O M E ]
* define on which sites to save extra session data such as form content , cookies and POST data
* 0 = everywhere , 1 = unencrypted sites , 2 = nowhere * * * /
user _pref ( "browser.sessionstore.privacy_level" , 2 ) ;
2023-07-30 12:16:10 +02:00
/* 1901: disable disk cache for messages not in offline store */
user _pref ( "mail.imap.use_disk_cache2" , false ) ;
2019-11-24 01:00:00 +01:00
2021-09-18 20:15:26 +02:00
/*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP)
   Your cipher and other settings can be used in server side fingerprinting
   [TEST] https://www.ssllabs.com/ssltest/viewMyClient.html
   [TEST] https://browserleaks.com/ssl
   [TEST] https://ja3er.com/
   [1] https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/
***/
user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
/** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
/* 1201: require safe negotiation
 * Blocks connections to servers that don't support RFC 5746 [2] as they're potentially vulnerable to a
 * MiTM attack [3]. A server without RFC 5746 can be safe from the attack if it disables renegotiations
 * but the problem is that the browser can't know that. Setting this pref to true is the only way for the
 * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server
 * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site?
 * [STATS] SSL Labs (Feb 2023) reports over 99.3% of top sites have secure renegotiation [4]
 * [1] https://wiki.mozilla.org/Security:Renegotiation
 * [2] https://datatracker.ietf.org/doc/html/rfc5746
 * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
 * [4] https://www.ssllabs.com/ssl-pulse/ ***/
user_pref("security.ssl.require_safe_negotiation", true);
/* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+]
 * This data is not forward secret, as it is encrypted solely under keys derived using
 * the offered PSK. There are no guarantees of non-replay between connections
 * [1] https://github.com/tlswg/tls13-spec/issues/1001
 * [2] https://www.rfc-editor.org/rfc/rfc9001.html#name-replay-attacks-with-0-rtt
 * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
user_pref("security.tls.enable_0rtt_data", false);
/** OCSP (Online Certificate Status Protocol)
   [1] https://scotthelme.co.uk/revocation-is-broken/
   [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
***/
/* 1211: enforce OCSP fetching to confirm current validity of certificates
 * 0 = disabled, 1 = enabled (default), 2 = enabled for EV certificates only
 * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
 * It's a trade-off between security (checking) and privacy (leaking info to the CA)
 * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
 * [SETTING] Privacy & Security > Security > Certificates > Query OCSP responder servers to confirm
 * [1] https://en.wikipedia.org/wiki/Ocsp ***/
user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1]
/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail
 * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR
 * When a CA cannot be reached to validate a cert, Thunderbird just continues the connection (=soft-fail)
 * Setting this pref to true tells Thunderbird to instead terminate the connection (=hard-fail)
 * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
 * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
 * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
 * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
user_pref("security.OCSP.require", true);
/** CERTS / HPKP (HTTP Public Key Pinning) ***/
/* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
 * 0 = disable detecting Family Safety mode and importing the root
 * 1 = only attempt to detect Family Safety mode (don't import the root)
 * 2 = detect Family Safety mode and import the root
 * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/
user_pref("security.family_safety.mode", 0);
/* 1223: enable strict PKP (Public Key Pinning)
 * 0 = disabled, 1 = allow user MiTM (default; such as your antivirus), 2 = strict
 * [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
 * [SETUP-INSTALL] It needs to be set to 1 when connecting to the ProtonMail Bridge for the first time ***/
user_pref("security.cert_pinning.enforcement_level", 2);
/* 1224: enable CRLite [FF73+]
 * 0 = disabled
 * 1 = consult CRLite but only collect telemetry
 * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results
 * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (FF99+, default FF100+)
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071
 * [2] https://blog.mozilla.org/security/tag/crlite/ ***/
user_pref("security.remote_settings.crlite_filters.enabled", true);
user_pref("security.pki.crlite_mode", 2);
/* 1225: enable loading of client certificates stored in OS certificate storage
 * Bug: this does **NOT** work for S/MIME [1]
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1726442 ***/
// user_pref("security.osclientcerts.autoload", true);
/** MIXED CONTENT ***/
/* 1241: disable insecure passive content (such as images) on https pages ***/
user_pref("security.mixed_content.block_display_content", true); // Defense-in-depth (see 1244)
/* 1244: enable HTTPS-Only mode in all windows [FF76+]
 * When the top-level is HTTPS, insecure subresources are also upgraded (silent fail)
 * [TEST] http://example.com [upgrade]
 * [TEST] http://httpforever.com/ | http://http.rip [no upgrade] ***/
user_pref("dom.security.https_only_mode", true); // [FF76+]
user_pref("dom.security.https_only_mode_pbm", true); // [FF80+]
/* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/
user_pref("dom.security.https_only_mode.upgrade_local", true);
/* 1246: disable HTTP background requests [FF82+]
 * When attempting to upgrade, if the server doesn't respond within 3 seconds, Thunderbird sends
 * a top-level HTTP request without path in order to check if the server supports HTTPS or not
 * This is done to avoid waiting for a timeout which takes 90 seconds
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/
user_pref("dom.security.https_only_mode_send_http_background_request", false);
/** UI (User Interface) ***/
/* 1270: display warning on the padlock for "broken security" (if 1201 is false)
 * Bug: warning padlock not indicated for subresources on a secure page! [2]
 * [1] https://wiki.mozilla.org/Security:Renegotiation
 * [2] https://bugzilla.mozilla.org/1353705 ***/
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
/* 1272: display advanced information on Insecure Connection warning pages
 * only works when it's possible to add an exception
 * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/)
 * [TEST] https://expired.badssl.com/ ***/
user_pref("browser.xul.error_pages.expert_bad_cert", true);
/* 1280: display warnings when insecure HTTP connections are made ***/
user_pref("security.warn_entering_weak", true);
user_pref("security.warn_leaving_secure", true);
user_pref("security.warn_viewing_mixed", true);

/*** [SECTION 1400]: FONTS ***/
user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
/* 1402: limit font visibility (Windows, Mac, some Linux) [FF94+]
 * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
 * In normal windows: uses the first applicable: RFP (4506) over TP over Standard
 * In Private Browsing windows: uses the most restrictive between normal and private
 * 1 = only base system fonts, 2 = also fonts from optional language packs, 3 = also user-installed fonts
 * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
// user_pref("layout.css.font-visibility.private", 1);
// user_pref("layout.css.font-visibility.standard", 1);
// user_pref("layout.css.font-visibility.trackingprotection", 1);

/*** [SECTION 1600]: REFERERS
   full URI: https://example.com:8888/foo/bar.html?id=1234
   scheme+host+port+path: https://example.com:8888/foo/bar.html
   scheme+host+port: https://example.com:8888
   [1] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/
***/
user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
/* 1602: control the amount of cross-origin information to send [FF52+]
 * 0 = send full URI (default), 1 = scheme+host+port+path, 2 = scheme+host+port ***/
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
/*** [SECTION 1700]: CONTAINERS ***/
user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");
/* 1701: enable Container Tabs and its UI setting [FF50+]
 * https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers ***/
user_pref("privacy.userContext.enabled", true);
user_pref("privacy.userContext.ui.enabled", true);
/*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/
user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
/* 2002: force WebRTC inside the proxy [FF70+] ***/
user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
/* 2003: force a single network interface for ICE candidates generation [FF42+]
 * When using a system-wide proxy, it uses the proxy interface
 * [1] https://developer.mozilla.org/en-US/docs/Web/API/RTCIceCandidate
 * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
user_pref("media.peerconnection.ice.default_address_only", true);
/* 2004: force exclusion of private IPs from ICE candidates [FF51+]
 * [SETUP-HARDEN] This will protect your private IP even in TRUSTED scenarios after you
 * grant device access, but often results in breakage on video-conferencing platforms ***/
user_pref("media.peerconnection.ice.no_host", true);
/* 2020: disable GMP (Gecko Media Plugins)
 * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/
user_pref("media.gmp-provider.enabled", false);

/*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) ***/
user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!");
/* 2402: prevent scripts from moving and resizing open windows ***/
user_pref("dom.disable_window_move_resize", true);

/*** [SECTION 2600]: MISCELLANEOUS ***/
user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
/* 2601: prevent accessibility services from accessing your browser [RESTART]
 * [1] https://support.mozilla.org/kb/accessibility-services ***/
user_pref("accessibility.force_disabled", 1);
/* 2603: remove temp files opened with an external application
 * [1] https://bugzilla.mozilla.org/302433 ***/
user_pref("browser.helperApps.deleteTempFileOnExit", true);
/* 2606: disable UITour backend so there is no chance that a remote page can use it ***/
user_pref("browser.uitour.enabled", false);
user_pref("browser.uitour.url", ""); // Defense-in-depth
/* 2608: reset remote debugging to disabled
 * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/
user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false]
/* 2616: remove special permissions for certain mozilla domains [FF35+]
 * [1] resource://app/defaults/permissions ***/
user_pref("permissions.manager.defaultsUrl", "");
/* 2617: remove webchannel whitelist ***/
user_pref("webchannel.allowObject.urlWhitelist", "");
/* 2619: use Punycode in Internationalized Domain Names to eliminate possible spoofing
 * [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded
 * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
 * [1] https://wiki.mozilla.org/IDN_Display_Algorithm
 * [2] https://en.wikipedia.org/wiki/IDN_homograph_attack
 * [3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=punycode+firefox
 * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
user_pref("network.IDN_show_punycode", true);
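What item 2619 protects against, shown on its own [TEST] hostname, as an added example that is not part of thunderbird-user.js: it decodes each `xn--` label per RFC 3492 and reports the Unicode scripts the label uses. The function names (`punycodeDecode`, `scriptsOf`, `auditHost`) and the short script list are assumptions made for this example.

```javascript
// Added example, not part of thunderbird-user.js.
// RFC 3492 (Punycode) parameters.
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700, INITIAL_BIAS = 72, INITIAL_N = 128;

// RFC 3492 section 6.1: bias adaptation after each decoded delta.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Map one Punycode digit to its value: a-z => 0..25, 0-9 => 26..35.
function digitValue(ch) {
  const c = ch.toLowerCase().charCodeAt(0);
  if (c >= 0x61 && c <= 0x7a) return c - 0x61;
  if (c >= 0x30 && c <= 0x39) return c - 0x30 + 26;
  throw new RangeError("invalid Punycode digit: " + ch);
}

// RFC 3492 section 6.2: decode the part of a label that follows "xn--".
function punycodeDecode(input) {
  const out = [];
  const lastDash = input.lastIndexOf("-");
  // Characters before the last "-" are literal ASCII (basic code points).
  for (let j = 0; j < lastDash; j++) out.push(input.charCodeAt(j));
  let n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
  let pos = lastDash > 0 ? lastDash + 1 : 0;
  while (pos < input.length) {
    const oldI = i;
    let w = 1;
    for (let k = BASE; ; k += BASE) {
      if (pos >= input.length) throw new RangeError("truncated Punycode input");
      const digit = digitValue(input[pos++]);
      i += digit * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldI, out.length + 1, oldI === 0);
    n += Math.floor(i / (out.length + 1)); // next code point to insert
    i %= out.length + 1;                   // position to insert it at
    out.splice(i++, 0, n);
  }
  return String.fromCodePoint(...out);
}

// Assumption: a short list of scripts chosen for this example, not Thunderbird's own list.
const SCRIPTS = ["Latin", "Cyrillic", "Greek", "Armenian", "Hebrew", "Arabic",
                 "Han", "Hiragana", "Katakana", "Hangul"];
const SCRIPT_RE = SCRIPTS.map((s) => [s, new RegExp(`\\p{Script=${s}}`, "u")]);

// Return the sorted set of scripts used by a label; digits and "-" are neutral.
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    const hit = SCRIPT_RE.find(([, re]) => re.test(ch));
    if (hit) found.add(hit[0]);
    else if (!/[0-9-]/.test(ch)) found.add("Other");
  }
  return [...found].sort();
}

// Per-label report for a hostname.
function auditHost(host) {
  return host.toLowerCase().split(".").map((label) => {
    const ace = label.startsWith("xn--");
    const unicode = ace ? punycodeDecode(label.slice(4)) : label;
    const scripts = scriptsOf(unicode);
    return {
      label,   // form shown with network.IDN_show_punycode = true
      unicode, // form that may be shown when the pref is false
      scripts,
      mixedScript: scripts.length > 1,
      // Single-script, non-Latin label: a mixed-script check alone does not flag it.
      wholeScriptNonLatin: ace && scripts.length === 1 && scripts[0] !== "Latin",
    };
  });
}

// The [TEST] hostname from item 2619.
const report = auditHost("www.xn--80ak6aa92e.com");
console.log(JSON.stringify(report[1]));
```

The middle label decodes to five Cyrillic letters and nothing else, so it is not mixed-script; the raw `xn--` form that the pref forces is what makes the difference visible.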
/* 2620: enforce PDFJS, disable PDFJS scripting
 * This setting controls if the option "Display in Thunderbird" is available in the setting below
 * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
 * [WHY] pdfjs is lightweight, open source, and secure: the last exploit was June 2015 [1]
 * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
 * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
 * [NOTE] JS can still force a pdf to open in-browser by bundling its own code
 * [SETUP-CHROME] You may prefer a different pdf reader for security/workflow reasons
 * [SETTING] General > Files & Attachments > Portable Document Format (PDF)
 * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/
user_pref("pdfjs.disabled", false); // [DEFAULT: false]
user_pref("pdfjs.enableScripting", false); // [FF86+]
/* 2623: disable permissions delegation [FF73+]
 * Currently applies to cross-origin geolocation, camera, mic and screen-sharing
 * permissions, and fullscreen requests. Disabling delegation means any prompts
 * for these will show/use their correct 3rd party origin
 * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/
user_pref("permissions.delegation.enabled", false);
/* 2624: disable middle click on new tab button opening URLs or searches using clipboard [FF115+] */
user_pref("browser.tabs.searchclipboardfor.middleclick", false); // [DEFAULT: false NON-LINUX]

/** DOWNLOADS ***/
/* 2651: enable user interaction for security by always asking where to download
 * [SETUP-CHROME] On Android this blocks longtapping and saving images ***/
user_pref("browser.download.useDownloadDir", false);
/* 2653: disable adding downloads to the system's "recent documents" list ***/
user_pref("browser.download.manager.addToRecentDocs", false);
/* 2654: enable user interaction for security by always asking how to handle new mimetypes [FF101+] ***/
user_pref("browser.download.always_ask_before_handling_new_types", true);
/** EXTENSIONS ***/
/* 2660: lock down allowed extension directories
 * [SETUP-CHROME] This will break extensions, language packs, themes and any other
 * XPI files which are installed outside of profile and application directories
 * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
 * [1] https://archive.is/DYjAM (archived) ***/
user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF]
user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
/* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+]
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
// user_pref("extensions.webextensions.restrictedDomains", "");
/*** [SECTION 2700]: ETP (ENHANCED TRACKING PROTECTION) ***/
user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
/* 2702: disable ETP web compat features [FF93+]
 * [SETUP-HARDEN] Includes skip lists, heuristics (SmartBlock) and automatic grants
 * Opener and redirect heuristics are granted for 30 days, see [3]
 * [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/
 * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12
 * [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/
// user_pref("privacy.antitracking.enableWebcompat", false);
/* 2710: enable state partitioning of service workers [FF96+] ***/
user_pref("privacy.partition.serviceWorkers", true); // [DEFAULT: true FF105+]
/* 2720: enable APS (Always Partitioning Storage) ***/
user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", true); // [FF104+] [DEFAULT: true FF109+]
user_pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false); // [FF105+] [DEFAULT: false FF109+]

/*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/
user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
/* 2810: enable Thunderbird to clear items on shutdown ***/
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
/** SANITIZE ON SHUTDOWN: IGNORES "ALLOW" SITE EXCEPTIONS ***/
/* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME]
 * [NOTE] If "history" is true, downloads will also be cleared
 * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies
 * [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/
user_pref("privacy.clearOnShutdown.cache", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.formdata", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.history", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.sessions", true); // [DEFAULT: true]
// user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false]
/* 2812: set Session Restore to clear on shutdown (if 2810 is true) [FF34+]
 * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811)
 * [NOTE] If true, this prevents resuming from crashes (also see 5008) ***/
// user_pref("privacy.clearOnShutdown.openWindows", true);
/** SANITIZE ON SHUTDOWN: RESPECTS "ALLOW" SITE EXCEPTIONS FF103+ ***/
/* 2815: set "Cookies" and "Site Data" to clear on shutdown (if 2810 is true) [SETUP-CHROME]
 * [NOTE] Exceptions: A "cookie" block permission also controls "offlineApps" (see note below).
 * serviceWorkers require an "Allow" permission. For cross-domain logins, add exceptions for
 * both sites e.g. https://www.youtube.com (site) + https://accounts.google.com (single sign on)
 * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
 * [WARNING] Be selective with what sites you "Allow", as they also disable partitioning (1767271)
 * [SETTING] to add site exceptions: Ctrl+I > Permissions > Cookies > Allow (when on the website in question)
 * [SETTING] to manage site exceptions: Options > Privacy & Security > Permissions > Settings ***/
user_pref("privacy.clearOnShutdown.cookies", true); // Cookies
user_pref("privacy.clearOnShutdown.offlineApps", true); // Site Data

/** SANITIZE MANUAL: IGNORES "ALLOW" SITE EXCEPTIONS ***/
/* 2820: reset default items to clear with Ctrl-Shift-Del [SETUP-CHROME]
 * This dialog can also be accessed from the menu History > Clear Recent History
 * Thunderbird remembers your last choices. This will reset them when you start Thunderbird
 * [NOTE] Regardless of what you set "downloads" to, as soon as the dialog
 * for "Clear Recent History" is opened, it is synced to the same as "history" ***/
user_pref("privacy.cpd.cache", true); // [DEFAULT: true]
user_pref("privacy.cpd.formdata", true); // [DEFAULT: true]
user_pref("privacy.cpd.history", true); // [DEFAULT: true]
user_pref("privacy.cpd.sessions", true); // [DEFAULT: true]
user_pref("privacy.cpd.offlineApps", true); // [DEFAULT: false]
user_pref("privacy.cpd.cookies", true);
// user_pref("privacy.cpd.downloads", true); // not used, see note above
// user_pref("privacy.cpd.openWindows", false); // Session Restore
// user_pref("privacy.cpd.passwords", false);
// user_pref("privacy.cpd.siteSettings", false);
/* 2822: reset default "Time range to clear" for "Clear Recent History" (2820)
 * Thunderbird remembers your last choice. This will reset the value when you start Thunderbird
 * 0 = everything, 1 = last hour, 2 = last two hours, 3 = last four hours, 4 = today
 * [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown,
 * which will display a blank value, and are not guaranteed to work ***/
user_pref("privacy.sanitize.timeSpan", 0);
/*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
   RFP covers a wide range of ongoing fingerprinting solutions.
   It is an all-or-nothing buy in: you cannot pick and choose what parts you want
   [TEST] https://arkenfox.github.io/TZP/tzp.html

   [WARNING] DO NOT USE extensions to alter RFP protected metrics

    418986 - limit window.screen & CSS media queries (FF41)
   1281949 - spoof screen orientation (FF50)
   1330890 - spoof timezone as UTC0 (FF55)
   1360039 - spoof navigator.hardwareConcurrency as 2 (FF55)
   1217238 - reduce precision of time exposed by javascript (FF55)
 FF56
   1369303 - spoof/disable performance API
   1333651 - spoof User Agent & Navigator API
      version: android version spoofed as ESR
      OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android
   1369319 - disable device sensor API
   1369357 - disable site specific zoom
   1337161 - hide gamepads from content
   1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true
   1333641 - reduce fingerprinting in WebSpeech API
 FF57
   1369309 - spoof media statistics
   1382499 - reduce screen co-ordinate fingerprinting in Touch API
   1217290 & 1409677 - enable some fingerprinting resistance for WebGL
   1382545 - reduce fingerprinting in Animation API
   1354633 - limit MediaError.message to a whitelist
 FF58+
   1372073 - spoof/block fingerprinting in MediaDevices API (FF59)
      Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone"
      Block: suppresses the ondevicechange event
   1039069 - warn when language prefs are not set to "en*" (also see 0210, 0211) (FF59)
   1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59)
      Spoofing mimics the content language of the document. Currently it only supports en-US.
      Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected.
   1337157 - disable WebGL debug renderer info (FF60)
   1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62)
   1479239 - return "no-preference" with prefers-reduced-motion (FF63)
   1363508 - spoof/suppress Pointer Events (FF64)
   1492766 - spoof pointerEvent.pointerid (FF65)
   1485266 - disable exposure of system colors to CSS or canvas (FF67)
   1494034 - return "light" with prefers-color-scheme (FF67)
   1564422 - spoof audioContext outputLatency (FF70)
   1595823 - return audioContext sampleRate as 44100 (FF72)
   1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74)
   1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78)
   1506364 - return "no-preference" with prefers-contrast (FF80)
   1653987 - limit font visibility to bundled and "Base Fonts" (Windows, Mac, some Linux) (FF80)
   1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82)
    531915 - use fdlibm's sin, cos and tan in jsmath (FF93, ESR91.1)
   1756280 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF100)
   1692609 - reduce JS timing precision to 16.67ms (previously FF55+ was 100ms) (FF102)
   1422237 - return "srgb" with color-gamut (FF110)
   1794628 - return "none" with inverted-colors (FF114)
***/
user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
/* 4501: enable privacy.resistFingerprinting
 * [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a site exception via the urlbar
 * RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme
 * [NOTE] pbmode applies if true and the original pref is false
 * [1] https://bugzilla.mozilla.org/418986 ***/
user_pref("privacy.resistFingerprinting", true); // [FF41+]
// user_pref("privacy.resistFingerprinting.pbmode", true); // [FF114+]
/* 4502: set new window size rounding max values [FF55+]
 * [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to 100s, to fit your screen
 * [1] https://bugzilla.mozilla.org/1330882 ***/
user_pref("privacy.window.maxInnerWidth", 1600);
user_pref("privacy.window.maxInnerHeight", 900);
/* 4503: disable mozAddonManager Web API [FF57+]
 * [NOTE] To allow extensions to work on AMO, you also need 2662 and 4505
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF FF57-108]
/* 4504: enable RFP letterboxing [FF67+]
 * Dynamically resizes the inner window by applying margins in stepped ranges [2]
 * If you use the dimension pref, then it will only apply those resolutions.
 * The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000")
 * [SETUP-WEB] This is independent of RFP (4501). If you're not using RFP, or you are but
 * dislike the margins, then flip this pref, keeping in mind that it is effectively fingerprintable
 * [WARNING] DO NOT USE: the dimension pref is only meant for testing
 * [1] https://bugzilla.mozilla.org/1407366
 * [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/
user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
// user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF]
/* 4505: experimental RFP [FF91+]
 * List of domains exempted from RFP (comma-separated).
 * [WARNING] DO NOT USE unless testing, see [1] comment 12
 * [1] https://bugzilla.mozilla.org/1635603 ***/
// user_pref("privacy.resistFingerprinting.exemptedDomains", "addons.thunderbird.net");
/* 4506: set RFP's font visibility level (1402) [FF94+] ***/
// user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1]
/* 4510: disable using system colors
 * [SETTING] General > Language and Appearance > Fonts and Colors > Colors... > Use system colors ***/
user _pref ( "browser.display.use_system_colors" , false ) ; // [DEFAULT: false NON-WINDOWS]
2021-10-30 11:33:39 +02:00
/ * 4 5 1 1 : e n f o r c e n o n - n a t i v e w i d g e t t h e m e
* Security : removes / reduces system API calls , e . g . win32k API [ 1 ]
* Fingerprinting : provides a uniform look and feel across platforms [ 2 ]
* [ 1 ] https : //bugzilla.mozilla.org/1381938
* [ 2 ] https : //bugzilla.mozilla.org/1411425 ***/
user _pref ( "widget.non-native-theme.enabled" , true ) ; // [DEFAULT: true]
/ * 4 5 1 2 : e n f o r c e l i n k s t a r g e t i n g n e w w i n d o w s t o o p e n i n a n e w t a b i n s t e a d
* 1 = most recent window or tab , 2 = new window , 3 = new tab
* Stops malicious window sizes and some screen resolution leaks .
* You can still right - click a link and open in a new window
2022-07-14 13:05:16 +02:00
* [ NOTE ] Thunderbird only supports 3 ( see [ 2 ] )
2021-10-30 11:33:39 +02:00
* [ TEST ] https : //arkenfox.github.io/TZP/tzp.html#screen
2022-07-14 13:05:16 +02:00
* [ 1 ] https : //gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881
* [ 2 ] https : //searchfox.org/comm-esr102/source/mail/app/profile/all-thunderbird.js#721 ***/
2021-10-30 11:33:39 +02:00
user _pref ( "browser.link.open_newwindow" , 3 ) ; // [DEFAULT: 3]
/ * 4 5 1 3 : s e t a l l o p e n w i n d o w m e t h o d s t o a b i d e b y " b r o w s e r . l i n k . o p e n _ n e w w i n d o w " ( 4 5 1 2 )
2022-07-14 13:05:16 +02:00
* [ NOTE ] Thunderbird only supports 0 ( see [ 2 ] )
* [ 1 ] https : //searchfox.org/mozilla-central/source/dom/tests/browser/browser_test_new_window_from_content.js
* [ 2 ] https : //searchfox.org/comm-esr102/source/mail/app/profile/all-thunderbird.js#730 ***/
user _pref ( "browser.link.open_newwindow.restriction" , 0 ) ;
2021-10-30 11:33:39 +02:00
/ * 4 5 2 0 : d i s a b l e W e b G L ( W e b G r a p h i c s L i b r a r y )
2022-07-14 13:05:16 +02:00
* [ SETUP - WEB ] If you need it then override it . RFP still randomizes canvas for naive scripts * * * /
2021-10-30 11:33:39 +02:00
user _pref ( "webgl.disabled" , true ) ;
2019-11-24 01:00:00 +01:00
2021-09-19 20:03:16 +02:00
/*** [SECTION 5000]: OPTIONAL OPSEC
   Disk avoidance, application data isolation, eyeballs...
***/
user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow");
/* 5001: start Thunderbird in PB (Private Browsing) mode
 * [NOTE] In this mode all windows are "private windows" and the PB mode icon is not displayed
 * [NOTE] The P in PB mode can be misleading: it means no "persistent" disk state such as history,
 * caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode).
 * In fact, PB mode limits or removes the ability to control some of these, and you need to quit
 * Thunderbird to clear them. PB is best used as a one off window (Menu>New Private Window) to provide
 * a temporary self-contained new session. Close all private windows to clear the PB session.
 * [1] https://wiki.mozilla.org/Private_Browsing
 * [2] https://support.mozilla.org/kb/common-myths-about-private-browsing ***/
// user_pref("browser.privatebrowsing.autostart", true);
/* 5002: disable memory cache
 * capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kibibytes ***/
user_pref("browser.cache.memory.enable", false);
user_pref("browser.cache.memory.capacity", 0);
/* 5003: disable saving passwords
 * [NOTE] This does not clear any already saved passwords and will make TB ask for it every time ***/
// user_pref("signon.rememberSignons", false);
/* 5004: disable permissions manager from reading or writing to disk [FF41+] [RESTART]
 * [SETUP-CHROME] This means any permission changes (cookie or mail remote content) are session only
 * [1] https://bugzilla.mozilla.org/967812 ***/
user_pref("permissions.memory_only", true); // [HIDDEN PREF]
/* 5005: disable intermediate certificate caching [FF41+] [RESTART]
 * [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only.
 * Saved logins and passwords are not available. Reset the pref and restart to return them ***/
// user_pref("security.nocertdb", true);
/* 5006: disable favicons in history and bookmarks
 * [NOTE] Stored as data blobs in favicons.sqlite, these don't reveal anything that your
 * actual history (and bookmarks) already do. Your history is more detailed, so
 * control that instead; e.g. disable history, clear history on exit, use PB mode
 * [NOTE] favicons.sqlite is sanitized on Thunderbird close ***/
user_pref("browser.chrome.site_icons", false);
/* 5007: exclude "Undo Closed Tabs" in Session Restore ***/
user_pref("browser.sessionstore.max_tabs_undo", 0);
/* 5008: disable resuming session from crash
 * [TEST] about:crashparent ***/
user_pref("browser.sessionstore.resume_from_crash", false);
/* 5009: disable "open with" in download dialog [FF50+]
 * Application data isolation [1]
 * [1] https://bugzilla.mozilla.org/1281959 ***/
// user_pref("browser.download.forbid_open_with", true);
/* 5013: disable browsing and download history
 * [NOTE] We also clear history and downloads on exit (2811) ***/
user_pref("places.history.enabled", false);
/* 5016: discourage downloading to desktop
 * 0=desktop, 1=downloads (default), 2=custom ***/
// user_pref("browser.download.folderList", 2);
/* 5017: disable Form Autofill
 * If .supportedCountries includes your region (browser.search.region) and .supported
 * is "detect" (default), then the UI will show. Stored data is not secure, uses JSON
 * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/
user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+]
user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+]
/* 5018: limit events that can cause a pop-up ***/
user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
/* 5019: disable page thumbnail collection ***/
user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF]
/* 5020: disable Windows native notifications and use app notifications instead [FF111+] [WINDOWS] ***/
// user_pref("alerts.useSystemBackend.windows.notificationserver.enabled", false);
/* 5901: Enforce Private Browsing for OAuth sign-in
 * Providers may expect a device identifier from the browser, which could cause issues with PB. As
 * many users could suffer from this we keep it disabled, feel free to switch it on if yours
 * supports it. */
// user_pref("mailnews.oauth.usePrivateBrowser", true);

/*** [SECTION 5500]: OPTIONAL HARDENING
   Thunderbird-User.JS maintainer here:
   Whereas not recommended by upstream arkenfox, we disable each one of those Web
   features as we focus on keeping Thunderbird an email client and not a browser.
***/
user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!");
/* 5501: disable MathML (Mathematical Markup Language) [FF51+]
 * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml ***/
user_pref("mathml.disabled", true); // 1173199
/* 5502: disable in-content SVG (Scalable Vector Graphics) [FF53+]
 * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg ***/
user_pref("svg.disabled", true); // 1216893
/* 5503: disable graphite
 * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite
 * [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/
user_pref("gfx.font_rendering.graphite.enabled", false);
/* 5504: disable asm.js [FF22+]
 * [1] http://asmjs.org/
 * [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js
 * [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
user_pref("javascript.options.asmjs", false);
/* 5505: disable Ion and baseline JIT to harden against JS exploits
 * [NOTE] When both Ion and JIT are disabled, and trustedprincipals
 * is enabled, then Ion can still be used by extensions (1599226)
 * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit
 * [2] https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ ***/
user_pref("javascript.options.ion", false);
user_pref("javascript.options.baselinejit", false);
user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]
/* 5506: disable WebAssembly [FF52+]
 * Vulnerabilities [1] have increasingly been found, including those known and fixed
 * in native programs years ago [2]. WASM has powerful low-level access, making
 * certain attacks (brute-force) and vulnerabilities more possible
 * [STATS] ~0.2% of websites, about half of which are for cryptomining / malvertising [2][3]
 * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wasm
 * [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
 * [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
user_pref("javascript.options.wasm", false);
/* 5507: disable rendering of SVG OpenType fonts ***/
user_pref("gfx.font_rendering.opentype_svg.enabled", false);
/* 5508: disable all DRM content (EME: Encrypted Media Extensions)
 * Optionally hide the UI setting which also disables the DRM prompt
 * [TEST] https://bitmovin.com/demos/drm
 * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
user_pref("media.eme.enabled", false);
user_pref("browser.eme.ui.enabled", false);
/* 5509: disable IPv6 if using a VPN
 * This is an application level fallback. Disabling IPv6 is best done at an OS/network
 * level, and/or configured properly in system wide VPN setups.
 * If you see PR_CONNECT_RESET_ERROR, this pref *might* be the cause
 * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
 * [TEST] https://ipleak.org/
 * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/
// user_pref("network.dns.disableIPv6", true);
/* 5510: control when to send a cross-origin referer
 * 0=always (default), 1=only if base domains match, 2=only if hosts match
 * [NOTE] Will cause breakage: older modems/routers and some sites e.g. banks, vimeo, icloud, instagram ***/
user_pref("network.http.referer.XOriginPolicy", 2);
/* 5590: show a prompt when opening a link in external applications ***/
user_pref("security.external_protocol_requires_permission", true);

/*** [SECTION 6000]: DON'T TOUCH ***/
user_pref("_user.js.parrot", "6000 syntax error: the parrot's 'istory!");
/* 6001: enforce Mozilla's blocklist
 * [WHY] It includes updates for "revoked certificates"
 * [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ ***/
user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true]
/* 6002: enforce no referer spoofing
 * [WHY] Spoofing can affect CSRF (Cross-Site Request Forgery) protections ***/
user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
/* 6004: enforce a security delay on some confirmation dialogs such as install, open/save
 * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000]
/* 6008: enforce no First Party Isolation [FF51+]
 * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701), and enabling FPI
 * disables those. FPI is no longer maintained except at Tor Project for Tor Browser's config ***/
user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false]
/* 6009: enforce SmartBlock shims [FF81+]
 * In FF96+ these are listed in about:compat
 * [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/
user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true]
/* 6010: enforce no TLS 1.0/1.1 downgrades
 * [TEST] https://tls-v1-1.badssl.com:1010/ ***/
user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false]
/* 6011: enforce disabling of Web Compatibility Reporter [FF56+]
 * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla
 * [WHY] To prevent wasting Mozilla's time with a custom setup ***/
user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false]
/* 6012: enforce Quarantined Domains [FF115+]
 * [WHY] https://support.mozilla.org/kb/quarantined-domains */
user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true]
/* 6050: prefsCleaner: reset previously active items removed from arkenfox FF102+ ***/
// user_pref("beacon.enabled", "");
// user_pref("browser.region.network.url", "");
// user_pref("browser.region.update.enabled", "");
// user_pref("browser.ssl_override_behavior", "");
// user_pref("devtools.chrome.enabled", "");
// user_pref("dom.disable_beforeunload", "");
// user_pref("dom.disable_open_during_load", "");
// user_pref("extensions.formautofill.available", "");
// user_pref("extensions.formautofill.addresses.supported", "");
// user_pref("extensions.formautofill.creditCards.available", "");
// user_pref("extensions.formautofill.creditCards.supported", "");
// user_pref("middlemouse.contentLoadURL", "");
/* 6051: prefsCleaner: reset previously active items removed from arkenfox FF115+ ***/
// user_pref("network.protocol-handler.external.ms-windows-store", "");

/*** [SECTION 7000]: DON'T BOTHER
   Thunderbird-User.JS maintainer here:
   Actually we do, TB is an e-mail client, not a (bloated) browser.
   Thus some of the below preferences have been set, despite upstream (Arkenfox) warnings.
***/
user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!");
/* 7001: disable APIs
 * Location-Aware Browsing, Full Screen
 * [WHY] The API state is easily fingerprintable.
 * Geo is behind a prompt (7002). Full screen requires user interaction ***/
user_pref("geo.enabled", false);
user_pref("full-screen-api.enabled", false);
/* 7003: disable non-modern cipher suites [1]
 * [WHY] Passive fingerprinting. Minimal/non-existent threat of downgrade attacks
 * [1] https://browserleaks.com/ssl ***/
// user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // [DEFAULT: false FF109+]
// user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); // [DEFAULT: false FF109+]
// user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
// user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false);
// user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS
// user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS
// user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS
// user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS
/* 7004: control TLS versions
 * [WHY] Passive fingerprinting and security ***/
// user_pref("security.tls.version.min", 3); // [DEFAULT: 3]
// user_pref("security.tls.version.max", 4);
/* 7005: disable SSL session IDs [FF36+]
 * [WHY] Passive fingerprinting and perf costs. These are session-only
 * and isolated with network partitioning (FF85+) and/or containers ***/
// user_pref("security.ssl.disable_session_identifiers", true);
/* 7006: onions
 * [WHY] Thunderbird doesn't support hidden services. Use Tor Browser ***/
// user_pref("dom.securecontext.allowlist_onions", true); // [FF97+] 1382359/1744006
// user_pref("network.http.referer.hideOnionSource", true); // 1305144
/* 7007: referers
 * [WHY] Only cross-origin referers (1602, 5510) matter ***/
user_pref("network.http.sendRefererHeader", 0);
user_pref("network.http.referer.trimmingPolicy", 0);
/* 7008: set the default Referrer Policy [FF59+]
 * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
 * [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy ***/
user_pref("network.http.referer.defaultPolicy", 0); // [DEFAULT: 2]
user_pref("network.http.referer.defaultPolicy.pbmode", 0); // [DEFAULT: 2]
/* 7010: disable HTTP Alternative Services [FF37+]
 * [WHY] Already isolated with network partitioning (FF85+) ***/
user_pref("network.http.altsvc.enabled", false);
/* 7011: disable website control over browser right-click context menu
 * [WHY] Just use Shift-Right-Click ***/
user_pref("dom.event.contextmenu.enabled", false);
/* 7012: disable icon fonts (glyphs) and local fallback rendering
 * [WHY] Breakage, font fallback is equivalency, also RFP
 * [1] https://bugzilla.mozilla.org/789788
 * [2] https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/
user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+]
user_pref("gfx.downloadable_fonts.fallback_delay", -1);
/* 7013: disable Clipboard API
 * [WHY] Fingerprintable. Breakage. Cut/copy/paste require user
 * interaction, and paste is limited to focused editable fields ***/
user_pref("dom.event.clipboardevents.enabled", false);
/* 7014: disable System Add-on updates
 * [WHY] It can compromise security. System addons ship with prefs, use those ***/
// user_pref("extensions.systemAddon.update.enabled", false); // [FF62+]
// user_pref("extensions.systemAddon.update.url", ""); // [FF44+]
/* 7015: enable the DNT (Do Not Track) HTTP header
 * [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict (2701) ***/
// user_pref("privacy.donottrackheader.enabled", true);
/* 7016: customize ETP settings
 * [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/
// user_pref("network.cookie.cookieBehavior", 5); // [DEFAULT: 5 FF103+]
// user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true);
// user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", true); // [FF100+]
// user_pref("privacy.partition.network_state.ocsp_cache", true);
// user_pref("privacy.query_stripping.enabled", true); // [FF101+] [ETP FF102+]
// user_pref("privacy.trackingprotection.enabled", true);
// user_pref("privacy.trackingprotection.socialtracking.enabled", true);
// user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
// user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true]
/* 7017: disable service workers
 * [WHY] Already isolated with TCP (2701) behind a pref (2710) ***/
// user_pref("dom.serviceWorkers.enabled", false);
/* 7018: disable Web Notifications
 * [WHY] Web Notifications are behind a prompt (7002)
 * [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/ ***/
// user_pref("dom.webnotifications.enabled", false); // [FF22+]
// user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
/* 7019: disable Push Notifications [FF44+]
 * [WHY] Push requires subscription
 * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID"
 * [1] https://support.mozilla.org/kb/push-notifications-firefox ***/
// user_pref("dom.push.enabled", false);
/* 7020: disable WebRTC (Web Real-Time Communication)
 * [WHY] Firefox desktop uses mDNS hostname obfuscation and the private IP is never exposed until
 * required in TRUSTED scenarios; i.e. after you grant device (microphone or camera) access
 * [TEST] https://browserleaks.com/webrtc
 * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ
 * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/
user_pref("media.peerconnection.enabled", false);

/*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING
   [WHY] They are insufficient to help anti-fingerprinting and do more harm than good
   [WARNING] DO NOT USE with RFP. RFP already covers these and they can interfere
   [NOTE] An empty User-Agent may break Microsoft Exchange OAuth2 login
***/
user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan");
/* 8001: prefsCleaner: reset items useless for anti-fingerprinting ***/
// user_pref("browser.display.use_document_fonts", "");
// user_pref("browser.zoom.siteSpecific", "");
// user_pref("device.sensors.enabled", "");
// user_pref("dom.enable_performance", "");
// user_pref("dom.enable_resource_timing", "");
// user_pref("dom.gamepad.enabled", "");
// user_pref("dom.maxHardwareConcurrency", "");
// user_pref("dom.w3c_touch_events.enabled", "");
// user_pref("dom.webaudio.enabled", "");
// user_pref("font.system.whitelist", "");
// user_pref("general.appname.override", "");
// user_pref("general.appversion.override", "");
// user_pref("general.buildID.override", "");
// user_pref("general.oscpu.override", "");
// user_pref("general.platform.override", "");
// user_pref("general.useragent.override", "");
// user_pref("media.navigator.enabled", "");
// user_pref("media.ondevicechange.enabled", "");
// user_pref("media.video_stats.enabled", "");
// user_pref("media.webspeech.synth.enabled", "");
// user_pref("ui.use_standins_for_native_colors", "");
// user_pref("webgl.enable-debug-renderer-info", "");
/*** [SECTION 9000]: NON-PROJECT RELATED ***/
user_pref("_user.js.parrot", "9000 syntax error: the parrot's cashed in 'is chips!");
/* 9001: disable welcome notices ***/
user_pref("browser.startup.homepage_override.mstone", "ignore");
/* 9090: disable return receipt sending unconditionally ***/
// user_pref("mail.mdn.report.enabled", false);
/* 9099: e-mail custom headers (examples) ***/
// user_pref("mail.compose.other.header", "X-Custom-Header,X-Another-Custom-Header"); // corresponding values can be set in compose window ("double-arrow" drop-down)
// user_pref("mail.identity.id1.headers", "References, InReplyTo");
// user_pref("mail.identity.id1.header.References", "References: <2ad46d80-c8ce-49a3-9896-16171788ac28@example.tld>\n <31ff00c2-b7cb-4063-beeb-a0bdd424c3a7@example1.tld>");
// user_pref("mail.identity.id1.header.InReplyTo", "In-Reply-To: <31ff00c2-b7cb-4063-beeb-a0bdd424c3a7@example1.tld>");

/*** [SECTION 9100]: THUNDERBIRD (AUTO CONFIG / UI / HEADERS / ADDRESS BOOK)
   Options general to Thunderbird's mail configuration and user interface
   [1] https://searchfox.org/comm-esr91/source/
   [2] http://kb.mozillazine.org/Mail_and_news_settings
***/
user_pref("_user.js.parrot", "9100 syntax error: this parrot is blind!");
/** AUTO CONFIG ***/
/* 9101: Disable auto-configuration [SETUP-INSTALL]
 * These options disable auto-configuration of mail servers in Thunderbird.
 * Such settings require a query to Mozilla which could have privacy implications
 * if the user wishes to keep the existence of the mail provider private.
 * We also enforce (valid) SSL/TLS connections if auto-configuration happens to be enabled.
 * [1] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration ***/
user_pref("mailnews.auto_config.guess.enabled", false);
user_pref("mailnews.auto_config.fetchFromISP.enabled", false);
user_pref("mailnews.auto_config.fetchFromISP.sendEmailAddress", false);
user_pref("mailnews.auto_config.fetchFromExchange.enabled", false);
user_pref("mailnews.auto_config.guess.sslOnly", true);
user_pref("mailnews.auto_config.guess.requireGoodCert", true); // [DEFAULT: true]
user_pref("mailnews.auto_config_url", "");
user_pref("mailnews.auto_config.addons_url", "");
/* 9102: Disable account provisioning [SETUP-INSTALL]
 * This option allows users to create a new email account through partner providers.
 * [1] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Account_Provisioner ***/
user_pref("mail.provider.enabled", false);
/** UI (User Interface) ***/
/* 9111: Show full email instead of just name from address book
 * true=Show just the display name for people in the address book (default)
 * false=Show both the email address and display name. ***/
user_pref("mail.showCondensedAddresses", false);
/* 9112: Disable "Filelink for Large Attachments" feature
 * [1] https://support.thunderbird.net/kb/filelink-large-attachments ***/
user_pref("mail.cloud_files.enabled", false);
/* 9113: Don't hide cookies and passwords related (advanced?) buttons ***/
user_pref("pref.privacy.disable_button.view_cookies", false);
user_pref("pref.privacy.disable_button.cookie_exceptions", false);
user_pref("pref.privacy.disable_button.view_passwords", false);
/** HEADERS ***/
/* 9120:
 * true=Show Sender header in message pane.
 * false=Does nothing. (default) ***/
user_pref("mailnews.headers.showSender", true);
/* 9121:
 * true=Show User Agent header in message pane
 * false=Does nothing. (default) ***/
user_pref("mailnews.headers.showUserAgent", false);
/* 9122: Hello argument
 * Lets you replace your IP address with the specified string in Received: headers when your
 * IP address is not a "fully qualified domain name" (FQDN). Typically you only need to do this
 * when you have a NAT box to prevent it from using the NAT box's IP address.
 * If you don't set it to something in your SMTP server's domain it may increase your spam
 * score. ***/
user_pref("mail.smtpserver.default.hello_argument", "[127.0.0.1]");
/* 9123: Displayed dates and times
 * [SETUP-INSTALL] When your e-mail program displays the e-mail's date and time, it normally
 * converts them to your time zone. If your computer's time zone settings are wrong, then you will
 * see the wrong time (and possibly the wrong date).
 * To turn this conversion off, you can use a preference setting.
 * It affects the headers that you see in e-mails that you open or preview, but it does not affect
 * the Date column in folders.
 * [1] http://kb.mozillazine.org/Time_and_time_zone_settings
 * [2] http://wiki.cacert.org/ThunderBirdAdvancedConfig
 ****/
user_pref("mailnews.display.original_date", false);
/* 9124: Display the sender's Timezone when set to true ***/
user_pref("mailnews.display.date_senders_timezone", false);
/* 9125: Display Time Date based on Received Header
 * Thunderbird shows the time when the message was sent, according to the sender. It is possible
 * to make Thunderbird show the time when the message arrived on your mail server, based on the
 * "Received" header. Set the following preference. New messages will show the time the message
 * was received, rather than when it was sent. ***/
// user_pref("mailnews.use_received_date", true);
2023-07-30 12:16:10 +02:00
/* 9126: Send minimal User-Agent in outgoing email messages (default) */
user _pref ( "mailnews.headers.sendUserAgent" , true ) ;
user _pref ( "mailnews.headers.useMinimalUserAgent" , true ) ;
/** ADDRESS BOOK ***/
/* 9130: Address book collection [SETUP-FEATURE]
 * Disable Thunderbird internal address book email collection
 * Consider using CardBook extension instead (https://addons.thunderbird.net/addon/cardbook/)
 * [SETTING] Preferences>Composition>Addressing>Automatically add outgoing e-mail addresses...
 * [SETTING][CARDBOOK] CardBook>Preferences>Email>Collect Outgoing Email ***/
// user_pref("mail.collect_addressbook", "jsaddrbook://history.sqlite");
user_pref("mail.collect_email_address_outgoing", false);
/* 9131: Only use email addresses, without their Display Names [CARDBOOK] [SETUP-FEATURE]
 * By default, CardBook extension incorporates contacts display names in addresses fields.
 * This could leak sensitive information to all recipients.
 * [SETTING][CARDBOOK] CardBook>Preferences>Email>Sending Emails>Only use email addresses... ***/
user_pref("extensions.cardbook.useOnlyEmail", true);

/*** [SECTION 9200]: EMAIL COMPOSITION (ENCODING / FORMAT / VIEW)
   Options that relate to composition, formatting and viewing email
***/
user_pref("_user.js.parrot", "9200 syntax error: this parrot has got no mail!");
/** ENCODING ***/
/* 9205: Avoid information leakage in reply header
 * Reply header may contain sensitive information about system locale (date and/or language)
 * 0=no header
 * 1="<author> wrote:" (see `reply_header_authorwrotesingle` below)
 * 2="On <date> <author> wrote:" (see `reply_header_ondateauthorwrote` below [DEFAULT])
 * 3="<author> wrote On <date>:" (see `reply_header_authorwroteondate` below)
 * 4=user specified (you may use below tokens to forge your own format [DISCOURAGED]) ***/
user_pref("mailnews.reply_header_type", 1);
user_pref("mailnews.reply_header_authorwrotesingle", "#1 wrote:");
// user_pref("mailnews.reply_header_ondateauthorwrote", "On #2 #3, #1 wrote:");
// user_pref("mailnews.reply_header_authorwroteondate", "#1 wrote on #2 #3:");
/* 9206: Prevent spellchecking dictionary leakage through Content-Language header
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1370217 ***/
user_pref("mail.suppress_content_language", true);
/* 9207: Sanitize Date header to convert date to UTC and round to closest minute
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1603359 ***/
user_pref("mail.sanitize_date_header", true);
/** COMPOSITION ***/
/* 9210: Check spelling before sending
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=667133 ***/
// user_pref("mail.SpellCheckBeforeSend", false);
/* 9212: Compose email in plaintext unless expressly overridden
 * [SETUP-FEATURE] Sometimes HTML is useful especially when used with Markdown Here
 * [SETTING] Account Settings>Composition & Addressing>Composition>Compose messages in HTML format
 * [NOTE] Holding down shift when you click on "Write" will bypass
 * [1] http://kb.mozillazine.org/Plain_text_e-mail_%28Thunderbird%29
 * [2] https://support.mozilla.org/en-US/questions/1004181
 * [3] https://markdown-here.com ***/
user_pref("mail.html_compose", false);
user_pref("mail.identity.default.compose_html", false);
/* 9213: Send only plaintext email by default
 * [SETUP-FEATURE] Only use HTML email if you need it, see [1]
 * [SETTING] Composition>Composition>Sending Format
 * Email that is HTML should also have plaintext multipart for plain text users.
 * 0=auto (default, send only plain text if the message is free of any rich formatting
     or inserted elements. Otherwise send both a HTML part and plain text alternative part)
 * 1=plain text (only send a plain text part, losing any rich formatting or inserted elements)
 * 2=HTML (only send a HTML part)
 * 3=both (send both the HTML part and the plain text alternative part)
 * [1] https://drewdevault.com/2016/04/11/Please-use-text-plain-for-emails.html ***/
user_pref("mail.default_send_format", 1);
/* 9214: What classes can process incoming data.
 * (0=All classes (default), 1=Don't display HTML, 2=Don't display HTML and inline images,
 * 3=Don't display HTML, inline images and some other uncommon types, 100=Use a hard coded list)
 * In the past this has mitigated a vulnerability CVE-2008-0304 (rare)
 * [1] https://www.mozilla.org/en-US/security/advisories/mfsa2008-12/
 * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=677905 ***/
user_pref("mailnews.display.disallow_mime_handlers", 3);
/* 9215: How to display HTML parts of a message body
 * (0=Display the HTML normally (default), 1=Convert it to text and then back again
 * 2=Display the HTML source, 3=Sanitize the HTML, 4=Display all body parts)
 * (in trunk builds later than 2011-07-23)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=602718
 * [2] https://hg.mozilla.org/comm-central/rev/c1ef44a22eb2
 * [3] https://www.bucksch.org/1/projects/mozilla/108153/ ***/
user_pref("mailnews.display.html_as", 3);
user_pref("mail.html_sanitize.drop_conditional_css", true); // [DEFAULT: true]
/* 9216: Prefer to view as plaintext or HTML [SETUP-FEATURE]
 * true=Display a message as plain text when there is both a HTML and a plain
 * text version of a message body
 * false=Display a message as HTML when there is both a HTML and a plain text
 * version of a message body. (default) ***/
user_pref("mailnews.display.prefer_plaintext", false);
/* 9217: Inline attachments [SETUP-FEATURE]
 * true=Show inlinable attachments (text, images, messages) after the message.
 * false=Do not display any attachments with the message ***/
user_pref("mail.inline_attachments", false);
// user_pref("mail.inline_attachments.text", false);
/* 9218: Big attachment warning
 * [1] https://support.mozilla.org/en-US/questions/1081046
 * [2] http://forums.mozillazine.org/viewtopic.php?f=39&t=2949521 */
user_pref("mail.compose.big_attachments.notify", true); // [DEFAULT: true]
/* 9219: Set big attachment size to warn at */
user_pref("mail.compose.big_attachments.threshold_kb", 9220); // [DEFAULT: 5120]
// user_pref("mailnews.message_warning_size", 20971520); // [DEFAULT: 20971520]
/* 9220: Set public recipients number from which BCC is advised ***/
// user_pref("mail.compose.warn_public_recipients.threshold", 15); // [DEFAULT: 15]
/* 9221: Show an alert if the warning above has not been addressed ***/
user_pref("mail.compose.warn_public_recipients.aggressive", true);
/* 9222: Disable link previews
 * [SETTING] Composition>Composition>Add link previews when pasting URLs ***/
user_pref("mail.compose.add_link_preview", false); // [DEFAULT: false]
/** VIEW ***/
/* 9230: Disable JavaScript
 * [NOTE] JavaScript is already disabled in message content.
 * [1] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Releases/3
 * [2] https://stackoverflow.com/questions/3054315/is-javascript-supported-in-an-email-message
 ***/
user_pref("javascript.enabled", false);
/* 9231: Disable media source extensions
 * [1] https://www.ghacks.net/2014/05/10/enable-media-source-extensions-firefox ***/
user_pref("media.mediasource.enabled", false);
/* 9232: Disable hardware decoding support ***/
user_pref("media.hardware-video-decoding.enabled", false);
/* 9233: Default image permissions
 * 1=Allow all images to load, regardless of origin. (Default),
 * 2=Block all images from loading.
 * 3=Prevent third-party images from loading
 * [1] http://kb.mozillazine.org/Permissions.default.image ***/
user_pref("permissions.default.image", 2);
/* 9240: Builtin phishing/scamming detection
 * [NOTE] These preferences are enabled by default and should not usually be touched.
 * [1] https://searchfox.org/comm-central/source/mail/modules/PhishingDetector.jsm ***/
user_pref("mail.phishing.detection.enabled", true);
user_pref("mail.phishing.detection.disallow_form_actions", true);
user_pref("mail.phishing.detection.ipaddresses", true);
user_pref("mail.phishing.detection.mismatched_hosts", true);
/* 9250: Disable remote content loading
 * [SETTING] Privacy & Security>Privacy>Mail content>Allow remote content in messages ***/
user_pref("mailnews.message_display.disable_remote_image", true); // [DEFAULT: true]

/*** [SECTION 9300]: OTHER THUNDERBIRD COMPONENTS (CHAT / CALENDAR / RSS)
   Options that relate to other Thunderbird components such as the chat client, calendar and RSS
***/
user_pref("_user.js.parrot", "9300 syntax error: this parrot is not tweeting!");
/** CHAT ***/
/* 9301: Disable chat functionality [SETUP-FEATURE] ***/
user_pref("mail.chat.enabled", false);
/* 9302: Disable logging of group chats ***/
user_pref("purple.logging.log_chats", false);
/* 9303: Disable logging of 1 to 1 conversations ***/
user_pref("purple.logging.log_ims", false);
/* 9304: Disable logging of system messages ***/
user_pref("purple.logging.log_system", false);
/* 9305: Disable typing notifications ***/
user_pref("purple.conversations.im.send_typing", false);
/* 9306: When chat is enabled, do not connect to accounts automatically
 * 0=Do not connect / show the account manager,
 * 1=Connect automatically. (Default) ***/
// user_pref("messenger.startup.action", 0);
/* 9307: When chat is enabled, do not report idle status ***/
// user_pref("messenger.status.reportIdle", false);
/* 9308: Disable chat desktop notifications ***/
// user_pref("mail.chat.show_desktop_notifications", false);
/* 9309: Decide how much information will be shown in chat notifications
 * 0=Show all info (sender, chat message preview),
 * 1=Show sender's info only (not message preview),
 * 2=No info (fill dummy values). ***/
user_pref("mail.chat.notification_info", 2);
/** CALENDAR ***/
/* 9312: Set calendar timezone to avoid system detection [SETUP-INSTALL]
 * By default, extensive system detection would be performed to find user's current timezone.
 * Setting this preference to "UTC" should disable it.
 * You may also directly set it to your timezone, i.e. "Pacific/Fakaofo"
 * [SETTING] Calendar>Calendar>Timezone ***/
user_pref("calendar.timezone.local", "UTC"); // [DEFAULT: ""]
/* 9313: Disable calendar service performing event "extraction" from email content ***/
user_pref("calendar.extract.service.enabled", false); // [DEFAULT: false]
/** RSS ***/
/** These features don't actually do anything as they aren't implemented
 * [1] https://searchfox.org/comm-esr102/source/mail/base/content/mailWindowOverlay.js#1082
 * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=458606#c9
/* 9320: What classes can process incoming data.
 * (0=All classes (default), 1=Don't display HTML, 2=Don't display HTML and inline images,
 * 3=Don't display HTML, inline images and some other uncommon types, 100=Use a hard coded list)
 * [1] https://www.privacy-handbuch.de/handbuch_31j.htm
user_pref("rss.display.disallow_mime_handlers", 3);
/* 9321: How to display HTML parts of a message body
 * (0=Display the HTML normally (default), 1=Convert it to text and then back again
 * 2=Display the HTML source, 3=Sanitize the HTML, 4=Display all body parts)
 * (in trunk builds later than 2011-07-23)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=602718
 * [2] https://hg.mozilla.org/comm-central/rev/c1ef44a22eb2
 * [3] https://www.bucksch.org/1/projects/mozilla/108153/
user_pref("rss.display.html_as", 1);
/* 9322: Prefer to view as plaintext or HTML
 * true=Display a message as plain text when there is both a HTML and a plain
 * text version of a message body
 * false=Display a message as HTML when there is both a HTML and a plain text
 * version of a message body. (default)
user_pref("rss.display.prefer_plaintext", true);
**/
/* 9323: Feed message display (summary or web page), on open.
 * Action on double click or enter in threadpane for a feed message.
 * 0=open content-base url in new window, 1=open summary in new window,
 * 2=toggle load summary and content-base url in message pane,
 * 3=load content-base url in browser
 * [1] http://forums.mozillazine.org/viewtopic.php?f=39&t=2502335 ***/
user_pref("rss.show.content-base", 3);
/* 9324: Feed message display (summary or web page), on select.
 * 0=global override, load web page, 1=global override, load summary,
 * 2=use default feed folder setting from Subscribe dialog; if no setting default to 1 ***/
user_pref("rss.show.summary", 1);
/* 9325: Feed message additional web page display.
 * 0=no action, 1=load web page in default browser, on select ***/
user_pref("rss.message.loadWebPageOnSelect", 0);
/*** [SECTION 9400]: THUNDERBIRD ENCRYPTION (OPENPGP / GNUPG)
   Options that relate to e-mail encryption in Thunderbird.
   [1] https://wiki.mozilla.org/Thunderbird:OpenPGP
   [2] https://support.mozilla.org/kb/openpgp-thunderbird-howto-and-faq
***/
user_pref("_user.js.parrot", "9400 syntax error: this parrot is talking in codes!");

/** OPENPGP ***/
/* 9400: disable OpenPGP "encryption is possible" reminder ***/
// user_pref("mail.openpgp.remind_encryption_possible", false); // [TB102+]
/** GNUPG ***/
/* 9409: Allow the use of external GnuPG
 * Whenever RNP fails to decrypt a message, Thunderbird will try against system GnuPG
 * [1] https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Allow_the_use_of_external_GnuPG ***/
user_pref("mail.openpgp.allow_external_gnupg", true); // [HIDDEN PREF]
/*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED
   Documentation denoted as [-]. Items deprecated prior to FF91 have been archived at [1]
   [1] https://github.com/arkenfox/user.js/issues/123
***/
user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!");
/* ESR102.x still uses all the following prefs
// [NOTE] replace the * with a slash in the line above to re-enable active ones
// FF103
// 2801: delete cookies and site data on exit - replaced by sanitizeOnShutdown* (2810)
// 0=keep until they expire (default), 2=keep until you close Thunderbird
// [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1681493,1681495,1681498,1759665,1764761
user_pref("network.cookie.lifetimePolicy", 2);
// 6012: disable SHA-1 certificates
// [-] https://bugzilla.mozilla.org/1766687
// user_pref("security.pki.sha1_enforcement_level", 1); // [DEFAULT: 1]
// FF114
// 2816: set cache to clear on exit [FF96+]
// [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is more robust
// [1] https://bugzilla.mozilla.org/1671182
// [-] https://bugzilla.mozilla.org/1821651
// user_pref("privacy.clearsitedata.cache.enabled", true);
// 4505: experimental RFP [FF91+]
// [-] https://bugzilla.mozilla.org/1824235
// user_pref("privacy.resistFingerprinting.testGranularityMask", 0);
// 5017: disable Form Autofill heuristics
// Heuristics controls Form Autofill on forms without @autocomplete attributes
// [-] https://bugzilla.mozilla.org/1829670
// user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
// FF115
// 7001: disable offline cache (appCache)
// [NOTE] appCache storage capability was removed in FF90
// [-] https://bugzilla.mozilla.org/1677718
// user_pref("browser.cache.offline.enable", false);
// ***/
/* END: internal custom pref to test for syntax errors ***/
user_pref("_user.js.parrot", "SUCCESS: No no he's not dead, he's, he's restin'!");
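Comment structure decides which of these prefs are applied: the RSS items 9320-9322 sit inside one block comment, and section 9999 is switched on by changing a single `/*` to `//`. The Node.js script below is an added example, not part of thunderbird-user.js, that lists the prefs a file really sets and compares them with a baseline; `SAMPLE`, `EXPECTED` and the function names are constructed for illustration.

```javascript
// Added example, not part of thunderbird-user.js. SAMPLE is a constructed excerpt
// that reuses pref names and the comment layout of the file above.
const SAMPLE = `
user_pref("_user.js.parrot", "9300 syntax error: this parrot is not tweeting!");
/** These features don't actually do anything as they aren't implemented
/* 9320: What classes can process incoming data.
user_pref("rss.display.disallow_mime_handlers", 3);
**/
// user_pref("mail.collect_addressbook", "jsaddrbook://history.sqlite");
user_pref("mail.collect_email_address_outgoing", false);
/* ESR102.x still uses all the following prefs
// [NOTE] replace the * with a slash in the line above to re-enable active ones
user_pref("network.cookie.lifetimePolicy", 2);
// user_pref("security.pki.sha1_enforcement_level", 1); // [DEFAULT: 1]
// ***/
user_pref("_user.js.parrot", "SUCCESS: No no he's not dead, he's, he's restin'!");
`;

// Drop /* */ and // comments, copying string literals verbatim so that
// "jsaddrbook://history.sqlite" is never mistaken for a line comment.
function stripComments(src) {
  let out = "", i = 0;
  while (i < src.length) {
    const c = src[i];
    const next = src[i + 1];
    if (c === '"' || c === "'") {
      let j = i + 1;
      while (j < src.length && src[j] !== c) j += src[j] === "\\" ? 2 : 1;
      out += src.slice(i, j + 1);
      i = j + 1;
    } else if (c === "/" && next === "*") {
      const end = src.indexOf("*/", i + 2);
      i = end === -1 ? src.length : end + 2;
    } else if (c === "/" && next === "/") {
      const end = src.indexOf("\n", i);
      i = end === -1 ? src.length : end;
    } else {
      out += c;
      i += 1;
    }
  }
  return out;
}

// Prefs actually set once comments are removed (the last assignment wins).
function activePrefs(src) {
  const re = /user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/g;
  const prefs = new Map();
  for (const m of stripComments(src).matchAll(re)) prefs.set(m[1], JSON.parse(m[2]));
  return prefs;
}

// Report baseline prefs that are missing, commented out, or set differently.
function audit(src, expected) {
  const active = activePrefs(src);
  const findings = [];
  for (const [name, want] of Object.entries(expected)) {
    const got = active.get(name);
    if (!active.has(name)) findings.push(`${name}: not set (absent or commented out)`);
    else if (got !== want) findings.push(`${name}: is ${JSON.stringify(got)}, expected ${JSON.stringify(want)}`);
  }
  return findings;
}

// Hypothetical baseline for this demonstration.
const EXPECTED = {
  "mail.collect_email_address_outgoing": false,
  "rss.display.disallow_mime_handlers": 3,
  "network.cookie.lifetimePolicy": 2,
};
// Section 9999 toggle: turning "/*" into "//" re-enables the uncommented prefs.
const TOGGLED = SAMPLE.replace("/* ESR102.x", "// ESR102.x");
console.log(audit(SAMPLE, EXPECTED), audit(TOGGLED, EXPECTED));
console.log(activePrefs(SAMPLE).get("_user.js.parrot"));
```

Run against a real profile's user.js, the same audit shows which hardening prefs are only documented in comments and which are in force.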