diff --git a/user.js b/user.js index 2fe08c6..5bef05c 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: thunderbird user.js -* date: 30 July 2023 -* version: v115.0-beta1 +* date: 19 October 2023 +* version: v115.0 * url: https://github.com/HorlogeSkynet/thunderbird-user.js * license: MIT (https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/LICENSE) @@ -28,9 +28,10 @@ * RELEASES: https://github.com/HorlogeSkynet/thunderbird-user.js/releases * It is best to use the release that is optimized for and matches your Thunderbird version - * ESR91 users - - If you are not using thunderbird-user.js v91... (not a definitive list) - - 9999: switch the appropriate deprecated section(s) back on + * ESR102 + - If you are not using thunderbird-user.js v102-1... (not a definitive list) + - 2815: clearOnShutdown cookies + offlineApps should be false + - 9999: switch the appropriate deprecated section(s) back on * INDEX: @@ -39,13 +40,13 @@ 0300: QUIETER BIRD 0400: SAFE BROWSING 0600: BLOCK IMPLICIT OUTBOUND - 0700: DNS / DoH / PROXY / SOCKS / IPv6 + 0700: DNS / DoH / PROXY / SOCKS 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS 0900: PASSWORDS 1000: DISK AVOIDANCE 1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP) 1400: FONTS - 1600: HEADERS / REFERERS + 1600: REFERERS 1700: CONTAINERS 2000: PLUGINS / MEDIA / WEBRTC 2400: DOM (DOCUMENT OBJECT MODEL) @@ -58,7 +59,7 @@ 6000: DON'T TOUCH 7000: DON'T BOTHER 8000: DON'T BOTHER: FINGERPRINTING - 9000: PERSONAL + 9000: NON-PROJECT RELATED 9100: THUNDERBIRD (AUTO CONFIG / UI / HEADERS / ADDRESS BOOK) 9200: EMAIL COMPOSITION (ENCODING / FORMAT / VIEW) 9300: OTHER THUNDERBIRD COMPONENTS (CHAT / CALENDAR / RSS) @@ -79,14 +80,11 @@ user_pref("browser.aboutConfig.showWarning", false); /*** [SECTION 0100]: STARTUP ***/ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!"); -/* 0101: disable default browser check - * [SETTING] General > System Integration > Always check to see if Thunderbird is the default... ***/ -user_pref("mail.shell.checkDefaultClient", false); /* 0102: set START page [SETUP-CHROME] * [SETTING] General > Thunderbird Start Page ***/ user_pref("mailnews.start_page.enabled", false); /* 0104: set NEWTAB page - * true=Activity Stream (default), false=blank page ***/ + * true=? (default), false=blank page ***/ user_pref("browser.newtabpage.enabled", false); /*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/ @@ -99,13 +97,7 @@ user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/ user_pref("geo.provider.ms-windows-location", false); // [WINDOWS] user_pref("geo.provider.use_corelocation", false); // [MAC] user_pref("geo.provider.use_gpsd", false); // [LINUX] -/* 0203: disable region updates - * [1] https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html ***/ -user_pref("browser.region.network.url", ""); // [FF78+] -user_pref("browser.region.update.enabled", false); // [FF79+] -/* 0204: set search region - * [NOTE] May not be hidden if Thunderbird has changed your settings due to your region (0203) ***/ - // user_pref("browser.search.region", "US"); // [HIDDEN PREF] +user_pref("geo.provider.use_geoclue", false); // [FF102+] [LINUX] /* 0210: set preferred language for displaying pages * [SETTING] General > Language & Appearance > Language > Choose the language used to display... * [TEST] https://addons.mozilla.org/about ***/ @@ -114,7 +106,6 @@ user_pref("intl.accept_languages", "en-US, en"); user_pref("spellchecker.dictionary", "en-US"); /* 0211: use en-US locale regardless of the system or region locale * [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1] - * [TEST] https://arkenfox.github.io/TZP/tests/formatting.html * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] @@ -230,6 +221,7 @@ user_pref("mail.rights.override", true); // [DEFAULT: unset] [1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ [2] https://wiki.mozilla.org/Security/Safe_Browsing [3] https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work + [4] https://educatedguesswork.org/posts/safe-browsing-privacy/ ***/ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!"); /* 0401: disable SB (Safe Browsing) @@ -277,20 +269,8 @@ user_pref("network.http.speculative-parallel-limit", 0); * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=518805 ***/ user_pref("browser.meta_refresh_when_inactive.disabled", true); -/*** [SECTION 0700]: DNS / DoH / PROXY / SOCKS / IPv6 ***/ +/*** [SECTION 0700]: DNS / DoH / PROXY / SOCKS ***/ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!"); -/* 0701: disable IPv6 - * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming - * your ISP and/or router and/or website is IPv6 capable. Most sites will fall back to IPv4 - * [STATS] Firefox telemetry (July 2021) shows ~10% of all connections are IPv6 - * [NOTE] This is an application level fallback. Disabling IPv6 is best done at an - * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, - * then this won't make much difference. If you are masking your IP, then it can only help. - * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" - * [TEST] https://ipleak.org/ - * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/ -user_pref("network.dns.disableIPv6", true); -user_pref("network.notify.IPv6", false); /* 0702: set the proxy server to do any DNS lookups when using SOCKS * e.g. in Tor, this stops your local DNS server from knowing your Tor destination * as a remote Tor node will handle the DNS request @@ -317,10 +297,11 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] * [WARNING] If false, this will break the fallback for some security features * [SETUP-CHROME] If you use a proxy and you understand the security impact * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 ***/ - // user_pref("network.proxy.allow_bypass", false); // [HIDDEN PREF FF95-96] + // user_pref("network.proxy.allow_bypass", false); /* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+] - * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off + * 0=default, 2=increased (TRR (Trusted Recursive Resolver) first), 3=max (TRR only), 5=off * see "doh-rollout.home-region": USA 2019, Canada 2021, Russia/Ukraine 2022 [3] + * [SETTING] General > Network & Disk Space > Connection > Settings... > Enable DNS over HTTPS * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy // * [3] https://support.mozilla.org/en-US/kb/firefox-dns-over-https @@ -334,14 +315,6 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); -/* 0801: disable location bar using search - * Don't leak URL typos to a search engine, give an error message instead - * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com" - * [NOTE] This does not affect explicit user action such as using search buttons in the - * dropdown, or using keyword search shortcuts you configure in options (e.g. "d" for DuckDuckGo) - * [SETUP-CHROME] If you don't, or rarely, type URLs, or you use a default search - * engine that respects privacy, then you probably don't need this ***/ -user_pref("keyword.enabled", false); // [DEFAULT: false] /* 0802: disable location bar domain guessing * domain guessing intercepts DNS "hostname not found errors" and resends a * request (e.g. by adding www or .com). This is inconsistent use (e.g. FQDNs), does not work @@ -360,15 +333,6 @@ user_pref("browser.search.suggest.enabled", false); * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html * [2] https://bugzilla.mozilla.org/381681 ***/ user_pref("browser.formfill.enable", false); -/* 0811: disable Form Autofill - * [NOTE] Stored data is NOT secure (uses a JSON file) - * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes - * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ -user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] -user_pref("extensions.formautofill.available", "off"); // [FF56+] -user_pref("extensions.formautofill.creditCards.available", false); // [FF57+] -user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] -user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] /* 0820: disable coloring of visited links * Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing @@ -401,7 +365,7 @@ user_pref("signon.formlessCapture.enabled", false); user_pref("network.auth.subresource-http-auth-allow", 1); /* 0906: enforce no automatic authentication on Microsoft sites [FF91+] [WINDOWS 10+] * [1] https://support.mozilla.org/kb/windows-sso ***/ -user_pref("network.http.windows-sso.enabled", false); // [DEFAULT: false] + // user_pref("network.http.windows-sso.enabled", false); // [DEFAULT: false] /* 0910: prevent access to emails until the master password is entered * If a master password has been set, Thunderbird will prevent access to locally available emails * until the secret is provided. @@ -426,10 +390,6 @@ user_pref("media.memory_cache_max_size", 65536); * define on which sites to save extra session data such as form content, cookies and POST data * 0=everywhere, 1=unencrypted sites, 2=nowhere ***/ user_pref("browser.sessionstore.privacy_level", 2); -/* 1004: set the minimum interval between session save operations - * Increasing this can help on older machines and some websites, as well as reducing writes [1] - * [1] https://bugzilla.mozilla.org/1304389 ***/ -user_pref("browser.sessionstore.interval", 30000); // [DEFAULT: 15000] /* 1901: disable disk cache for messages not in offline store */ user_pref("mail.imap.use_disk_cache2", false); @@ -448,7 +408,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); * but the problem is that the browser can't know that. Setting this pref to true is the only way for the * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site? - * [STATS] SSL Labs (July 2021) reports over 99% of top sites have secure renegotiation [4] + * [STATS] SSL Labs (Feb 2023) reports over 99.3% of top sites have secure renegotiation [4] * [1] https://wiki.mozilla.org/Security:Renegotiation * [2] https://datatracker.ietf.org/doc/html/rfc5746 * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 @@ -471,10 +431,11 @@ user_pref("security.tls.enable_0rtt_data", false); * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority) * It's a trade-off between security (checking) and privacy (leaking info to the CA) * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling - * [SETTING] Privacy & Security > Security > Certificates > Query OCSP responder servers... + * [SETTING] Privacy & Security > Security > Certificates > Query OCSP responder servers to confirm * [1] https://en.wikipedia.org/wiki/Ocsp ***/ user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1] -/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail [SETUP-WEB] +/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail + * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR * When a CA cannot be reached to validate a cert, Thunderbird's just continues the connection (=soft-fail) * Setting this pref to true tells Thunderbird's to instead terminate the connection (=hard-fail) * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it @@ -492,9 +453,8 @@ user_pref("security.OCSP.require", true); user_pref("security.family_safety.mode", 0); /* 1223: enable strict PKP (Public Key Pinning) * 0=disabled, 1=allow user MiTM (default; such as your antivirus), 2=strict - * [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE: If you rely on an AV (antivirus) to protect - * your web browsing by inspecting ALL your web traffic, then override to current default - * [NOTE] It needs to be set to 1 when connecting to the ProtonMail Bridge for the first time ***/ + * [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE + * [SETUP-INSTALL] It needs to be set to 1 when connecting to the ProtonMail Bridge for the first time ***/ user_pref("security.cert_pinning.enforcement_level", 2); /* 1224: enable CRLite [FF73+] * 0 = disabled @@ -511,12 +471,12 @@ user_pref("security.pki.crlite_mode", 2); // user_pref("security.osclientcerts.autoload", true); /** MIXED CONTENT ***/ -/* 1241: disable insecure passive content (such as images) on https pages [SETUP-WEB] ***/ -user_pref("security.mixed_content.block_display_content", true); +/* 1241: disable insecure passive content (such as images) on https pages ***/ +user_pref("security.mixed_content.block_display_content", true); // Defense-in-depth (see 1244) /* 1244: enable HTTPS-Only mode in all windows [FF76+] * When the top-level is HTTPS, insecure subresources are also upgraded (silent fail) * [TEST] http://example.com [upgrade] - * [TEST] http://httpforever.com/ [no upgrade] ***/ + * [TEST] http://httpforever.com/ | http://http.rip [no upgrade] ***/ user_pref("dom.security.https_only_mode", true); // [FF76+] user_pref("dom.security.https_only_mode_pbm", true); // [FF80+] /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/ @@ -534,10 +494,6 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); * [1] https://wiki.mozilla.org/Security:Renegotiation * [2] https://bugzilla.mozilla.org/1353705 ***/ user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); -/* 1271: control "Add Security Exception" dialog on SSL warnings - * 0=do neither, 1=pre-populate url, 2=pre-populate url + pre-fetch cert (default) - * [1] https://github.com/pyllyukko/user.js/issues/210 ***/ -user_pref("browser.ssl_override_behavior", 1); /* 1272: display advanced information on Insecure Connection warning pages * only works when it's possible to add an exception * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/) @@ -550,8 +506,6 @@ user_pref("security.warn_viewing_mixed", true); /*** [SECTION 1400]: FONTS ***/ user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); -/* 1401: disable rendering of SVG OpenType fonts ***/ -user_pref("gfx.font_rendering.opentype_svg.enabled", false); /* 1402: limit font visibility (Windows, Mac, some Linux) [FF94+] * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed * In normal windows: uses the first applicable: RFP (4506) over TP over Standard @@ -562,18 +516,13 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); // user_pref("layout.css.font-visibility.standard", 1); // user_pref("layout.css.font-visibility.trackingprotection", 1); -/*** [SECTION 1600]: HEADERS / REFERERS +/*** [SECTION 1600]: REFERERS full URI: https://example.com:8888/foo/bar.html?id=1234 scheme+host+port+path: https://example.com:8888/foo/bar.html scheme+host+port: https://example.com:8888 [1] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ ***/ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); -/* 1601: control when to send a cross-origin referer - * 0=always (default), 1=only if base domains match, 2=only if hosts match - * [SETUP-WEB] Breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram - * If "2" is too strict, then override to "0" and use Smart Referer extension (Strict mode + add exceptions) ***/ -user_pref("network.http.referer.XOriginPolicy", 2); /* 1602: control the amount of cross-origin information to send [FF52+] * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); @@ -587,15 +536,6 @@ user_pref("privacy.userContext.ui.enabled", true); /*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!"); -/* 2001: disable WebRTC (Web Real-Time Communication) - * Thunderbird uses mDNS hostname obfuscation on desktop (except Windows7/8) and the - * private IP is NEVER exposed, except if required in TRUSTED scenarios; i.e. after - * you grant device (microphone or camera) access - * [SETUP-HARDEN] Test first. Windows7/8 users only: behind a proxy who never use WebRTC - * [TEST] https://browserleaks.com/webrtc - * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ - * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/ -user_pref("media.peerconnection.enabled", false); /* 2002: force WebRTC inside the proxy [FF70+] ***/ user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); /* 2003: force a single network interface for ICE candidates generation [FF42+] @@ -610,65 +550,26 @@ user_pref("media.peerconnection.ice.no_host", true); /* 2020: disable GMP (Gecko Media Plugins) * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/ user_pref("media.gmp-provider.enabled", false); -/* 2021: disable widevine CDM (Content Decryption Module) - * [NOTE] This is covered by the EME master switch (2022) ***/ -user_pref("media.gmp-widevinecdm.enabled", false); -/* 2022: disable all DRM content (EME: Encryption Media Extension) - * Optionally hide the setting which also disables the DRM prompt - * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV - * [TEST] https://bitmovin.com/demos/drm - * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/ -user_pref("media.eme.enabled", false); - // user_pref("browser.eme.ui.enabled", false); -/* 2030: disable autoplay of HTML5 media [FF63+] - * 0=Allow all, 1=Block non-muted media (default), 5=Block all - * [NOTE] You can set exceptions under site permissions ***/ -user_pref("media.autoplay.default", 5); -/* 2031: disable autoplay of HTML5 media if you interacted with the site [FF78+] - * 0=sticky (default), 1=transient, 2=user - * Thunderbird's Autoplay Policy Documentation (PDF) is linked below via SUMO - * [NOTE] If you have trouble with some video sites, then add an exception (2030) - * [1] https://support.mozilla.org/questions/1293231 ***/ -user_pref("media.autoplay.blocking_policy", 2); /*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) ***/ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!"); -/* 2401: disable "Confirm you want to leave" dialog on page close - * Does not prevent JS leaks of the page close event - * [1] https://developer.mozilla.org/docs/Web/Events/beforeunload ***/ -user_pref("dom.disable_beforeunload", true); /* 2402: prevent scripts from moving and resizing open windows ***/ user_pref("dom.disable_window_move_resize", true); -/* 2403: block popup windows ***/ -user_pref("dom.disable_open_during_load", true); -/* 2404: limit events that can cause a popup [SETUP-WEB] ***/ -user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); /* 2601: prevent accessibility services from accessing your browser [RESTART] * [1] https://support.mozilla.org/kb/accessibility-services ***/ user_pref("accessibility.force_disabled", 1); -/* 2602: disable sending additional analytics to web servers - * [1] https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/ -user_pref("beacon.enabled", false); /* 2603: remove temp files opened with an external application * [1] https://bugzilla.mozilla.org/302433 ***/ user_pref("browser.helperApps.deleteTempFileOnExit", true); -/* 2604: disable page thumbnail collection ***/ -user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF] /* 2606: disable UITour backend so there is no chance that a remote page can use it ***/ user_pref("browser.uitour.enabled", false); -user_pref("browser.uitour.url", ""); -/* 2607: disable various developer tools in browser context - * [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/ -user_pref("devtools.chrome.enabled", false); +user_pref("browser.uitour.url", ""); // Defense-in-depth /* 2608: reset remote debugging to disabled * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] -/* 2611: disable middle mouse click opening links from clipboard - * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/ -user_pref("middlemouse.contentLoadURL", false); /* 2616: remove special permissions for certain mozilla domains [FF35+] * [1] resource://app/defaults/permissions ***/ user_pref("permissions.manager.defaultsUrl", ""); @@ -682,25 +583,26 @@ user_pref("webchannel.allowObject.urlWhitelist", ""); * [3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=punycode+firefox * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/ user_pref("network.IDN_show_punycode", true); -/* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME] +/* 2620: enforce PDFJS, disable PDFJS scripting * This setting controls if the option "Display in Thunderbird" is available in the setting below * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With") - * PROS: pdfjs is lightweight, open source, and more secure/vetted than most - * Exploits are rare (one serious case in seven years), treated seriously and patched quickly. + * [WHY] pdfjs is lightweight, open source, and secure: the last exploit was June 2015 [1] * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps). * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk. - * CONS: You may prefer a different pdf reader for security reasons - * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code ***/ + * [NOTE] JS can still force a pdf to open in-browser by bundling its own code + * [SETUP-CHROME] You may prefer a different pdf reader for security/workflow reasons + * [SETTING] General > Files & Attachments > Portable Document Format (PDF) + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/ user_pref("pdfjs.disabled", false); // [DEFAULT: false] user_pref("pdfjs.enableScripting", false); // [FF86+] -/* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/ -user_pref("network.protocol-handler.external.ms-windows-store", false); /* 2623: disable permissions delegation [FF73+] * Currently applies to cross-origin geolocation, camera, mic and screen-sharing * permissions, and fullscreen requests. Disabling delegation means any prompts * for these will show/use their correct 3rd party origin * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/ user_pref("permissions.delegation.enabled", false); +/* 2624: disable middle click on new tab button opening URLs or searches using clipboard [FF115+] */ +user_pref("browser.tabs.searchclipboardfor.middleclick", false); // [DEFAULT: false NON-LINUX] /** DOWNLOADS ***/ /* 2651: enable user interaction for security by always asking where to download @@ -708,8 +610,7 @@ user_pref("permissions.delegation.enabled", false); user_pref("browser.download.useDownloadDir", false); /* 2653: disable adding downloads to the system's "recent documents" list ***/ user_pref("browser.download.manager.addToRecentDocs", false); -/* 2654: enable user interaction for security by always asking how to handle new mimetypes [FF101+] - * [SETTING] General>Files and Applications>What should Thunderbird do with other files ***/ +/* 2654: enable user interaction for security by always asking how to handle new mimetypes [FF101+] ***/ user_pref("browser.download.always_ask_before_handling_new_types", true); /** EXTENSIONS ***/ @@ -734,44 +635,45 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin * [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/ // user_pref("privacy.antitracking.enableWebcompat", false); /* 2710: enable state partitioning of service workers [FF96+] ***/ -user_pref("privacy.partition.serviceWorkers", true); +user_pref("privacy.partition.serviceWorkers", true); // [DEFAULT: true FF105+] +/* 2720: enable APS (Always Partitioning Storage) ***/ +user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", true); // [FF104+] [DEFAULT: true FF109+] +user_pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false); // [FF105+] [DEFAULT: false FF109+] /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); -/** COOKIES + SITE DATA : ALLOWS EXCEPTIONS ***/ -/* 2801: delete cookies and site data on exit - * 0=keep until they expire (default), 2=keep until you close Thunderbird - * [NOTE] A "cookie" block permission also controls localStorage/sessionStorage, indexedDB, - * sharedWorkers and serviceWorkers. serviceWorkers require an "Allow" permission - * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Thunderbird is closed - * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow - * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/ -user_pref("network.cookie.lifetimePolicy", 2); -/* 2802: delete cache on exit [FF96+] - * [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is more robust - * [1] https://bugzilla.mozilla.org/1671182 ***/ - // user_pref("privacy.clearsitedata.cache.enabled", true); - -/** SANITIZE ON SHUTDOWN : ALL OR NOTHING ***/ -/* 2810: enable Thunderbird to clear items on shutdown (2811) - * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Thunderbird closes ***/ +/* 2810: enable Thunderbird to clear items on shutdown ***/ user_pref("privacy.sanitize.sanitizeOnShutdown", true); + +/** SANITIZE ON SHUTDOWN: IGNORES "ALLOW" SITE EXCEPTIONS ***/ /* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME] - * These items do not use exceptions, it is all or nothing (1681701) * [NOTE] If "history" is true, downloads will also be cleared * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies - * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache) * [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/ user_pref("privacy.clearOnShutdown.cache", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.formdata", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.history", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.sessions", true); // [DEFAULT: true] -user_pref("privacy.clearOnShutdown.offlineApps", true); // [DEFAULT: false] -user_pref("privacy.clearOnShutdown.cookies", true); - // user_pref("privacy.clearOnShutdown.siteSettings", false); + // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false] +/* 2812: set Session Restore to clear on shutdown (if 2810 is true) [FF34+] + * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811) + * [NOTE] If true, this prevents resuming from crashes (also see 5008) ***/ + // user_pref("privacy.clearOnShutdown.openWindows", true); -/** SANITIZE MANUAL: ALL OR NOTHING ***/ +/** SANITIZE ON SHUTDOWN: RESPECTS "ALLOW" SITE EXCEPTIONS FF103+ ***/ +/* 2815: set "Cookies" and "Site Data" to clear on shutdown (if 2810 is true) [SETUP-CHROME] + * [NOTE] Exceptions: A "cookie" block permission also controls "offlineApps" (see note below). + * serviceWorkers require an "Allow" permission. For cross-domain logins, add exceptions for + * both sites e.g. https://www.youtube.com (site) + https://accounts.google.com (single sign on) + * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache) + * [WARNING] Be selective with what sites you "Allow", as they also disable partitioning (1767271) + * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow (when on the website in question) + * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/ +user_pref("privacy.clearOnShutdown.cookies", true); // Cookies +user_pref("privacy.clearOnShutdown.offlineApps", true); // Site Data + +/** SANITIZE MANUAL: IGNORES "ALLOW" SITE EXCEPTIONS ***/ /* 2820: reset default items to clear with Ctrl-Shift-Del [SETUP-CHROME] * This dialog can also be accessed from the menu History>Clear Recent History * Thunderbird remembers your last choices. This will reset them when you start Thunderbird @@ -784,13 +686,9 @@ user_pref("privacy.cpd.sessions", true); // [DEFAULT: true] user_pref("privacy.cpd.offlineApps", true); // [DEFAULT: false] user_pref("privacy.cpd.cookies", true); // user_pref("privacy.cpd.downloads", true); // not used, see note above + // user_pref("privacy.cpd.openWindows", false); // Session Restore // user_pref("privacy.cpd.passwords", false); // user_pref("privacy.cpd.siteSettings", false); -/* 2821: clear Session Restore data when sanitizing on shutdown or manually [FF34+] - * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811) - * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (also see 5008) ***/ - // user_pref("privacy.clearOnShutdown.openWindows", true); - // user_pref("privacy.cpd.openWindows", true); /* 2822: reset default "Time range to clear" for "Clear Recent History" (2820) * Thunderbird remembers your last choice. This will reset the value when you start Thunderbird * 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today @@ -801,21 +699,19 @@ user_pref("privacy.sanitize.timeSpan", 0); /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING) RFP covers a wide range of ongoing fingerprinting solutions. It is an all-or-nothing buy in: you cannot pick and choose what parts you want + [TEST] https://arkenfox.github.io/TZP/tzp.html [WARNING] DO NOT USE extensions to alter RFP protected metrics 418986 - limit window.screen & CSS media queries (FF41) - [TEST] https://arkenfox.github.io/TZP/tzp.html#screen 1281949 - spoof screen orientation (FF50) - 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50-99) - FF53: fixes GetSupportedNames in nsMimeTypeArray and nsPluginArray (1324044) 1330890 - spoof timezone as UTC0 (FF55) 1360039 - spoof navigator.hardwareConcurrency as 2 (FF55) 1217238 - reduce precision of time exposed by javascript (FF55) FF56 1369303 - spoof/disable performance API 1333651 - spoof User Agent & Navigator API - version: spoofed as ESR (FF102+ this is limited to Android) + version: android version spoofed as ESR OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android 1369319 - disable device sensor API 1369357 - disable site specific zoom @@ -828,8 +724,7 @@ user_pref("privacy.sanitize.timeSpan", 0); 1217290 & 1409677 - enable some fingerprinting resistance for WebGL 1382545 - reduce fingerprinting in Animation API 1354633 - limit MediaError.message to a whitelist - FF58-90 - 967895 - spoof canvas and enable site permission prompt (FF58) + FF58+ 1372073 - spoof/block fingerprinting in MediaDevices API (FF59) Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone" Block: suppresses the ondevicechange event @@ -848,19 +743,23 @@ user_pref("privacy.sanitize.timeSpan", 0); 1595823 - return audioContext sampleRate as 44100 (FF72) 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74) 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78) + 1506364 - return "no-preference" with prefers-contrast (FF80) 1653987 - limit font visibility to bundled and "Base Fonts" (Windows, Mac, some Linux) (FF80) 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82) - FF91+ 531915 - use fdlibm's sin, cos and tan in jsmath (FF93, ESR91.1) 1756280 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF100) - 1692609 - reduce JS timing precision to 16.67ms (previously FF55+ was capped at 100ms) (FF102) + 1692609 - reduce JS timing precision to 16.67ms (previously FF55+ was 100ms) (FF102) + 1422237 - return "srgb" with color-gamut (FF110) + 1794628 - return "none" with inverted-colors (FF114) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); -/* 4501: enable privacy.resistFingerprinting [FF41+] +/* 4501: enable privacy.resistFingerprinting * [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a site exception via the urlbar * RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme + * [NOTE] pbmode applies if true and the original pref is false * [1] https://bugzilla.mozilla.org/418986 ***/ -user_pref("privacy.resistFingerprinting", true); +user_pref("privacy.resistFingerprinting", true); // [FF41+] + // user_pref("privacy.resistFingerprinting.pbmode", true); // [FF114+] /* 4502: set new window size rounding max values [FF55+] * [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to 100s, to fit your screen * [1] https://bugzilla.mozilla.org/1330882 ***/ @@ -869,7 +768,7 @@ user_pref("privacy.window.maxInnerHeight", 900); /* 4503: disable mozAddonManager Web API [FF57+] * [NOTE] To allow extensions to work on AMO, you also need 2662 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ -user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF] +user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF FF57-108] /* 4504: enable RFP letterboxing [FF67+] * Dynamically resizes the inner window by applying margins in stepped ranges [2] * If you use the dimension pref, then it will only apply those resolutions. @@ -885,12 +784,11 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] * [WARNING] DO NOT USE unless testing, see [1] comment 12 * [1] https://bugzilla.mozilla.org/1635603 ***/ // user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid"); - // user_pref("privacy.resistFingerprinting.testGranularityMask", 0); /* 4506: set RFP's font visibility level (1402) [FF94+] ***/ // user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1] /* 4510: disable using system colors - * [SETTING] General > Language and Appearance > Fonts and Colors > Colors > Use system colors ***/ -user_pref("browser.display.use_system_colors", false); // [DEFAULT false NON-WINDOWS] + * [SETTING] General > Language and Appearance > Fonts and Colors > Colors... > Use system colors ***/ +user_pref("browser.display.use_system_colors", false); // [DEFAULT: false NON-WINDOWS] /* 4511: enforce non-native widget theme * Security: removes/reduces system API calls, e.g. win32k API [1] * Fingerprinting: provides a uniform look and feel across platforms [2] @@ -925,7 +823,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow * caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode). * In fact, PB mode limits or removes the ability to control some of these, and you need to quit * Thunderbird to clear them. PB is best used as a one off window (Menu>New Private Window) to provide - * a temporary self-contained new session. Close all Private Windows to clear the PB mode session. + * a temporary self-contained new session. Close all private windows to clear the PB session. * [1] https://wiki.mozilla.org/Private_Browsing * [2] https://support.mozilla.org/kb/common-myths-about-private-browsing ***/ // user_pref("browser.privatebrowsing.autostart", true); @@ -943,7 +841,7 @@ user_pref("permissions.memory_only", true); // [HIDDEN PREF] /* 5005: disable intermediate certificate caching [FF41+] [RESTART] * [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only. * Saved logins and passwords are not available. Reset the pref and restart to return them ***/ - // user_pref("security.nocertdb", true); // [HIDDEN PREF in FF101 or lower] + // user_pref("security.nocertdb", true); /* 5006: disable favicons in history and bookmarks * [NOTE] Stored as data blobs in favicons.sqlite, these don't reveal anything that your * actual history (and bookmarks) already do. Your history is more detailed, so @@ -963,8 +861,20 @@ user_pref("browser.sessionstore.resume_from_crash", false); * [NOTE] We also clear history and downloads on exit (2811) ***/ user_pref("places.history.enabled", false); /* 5016: discourage downloading to desktop - * 0=desktop, 1=downloads (default), 2=last used ***/ + * 0=desktop, 1=downloads (default), 2=custom ***/ // user_pref("browser.download.folderList", 2); +/* 5017: disable Form Autofill + * If .supportedCountries includes your region (browser.search.region) and .supported + * is "detect" (default), then the UI will show. Stored data is not secure, uses JSON + * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ + user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] + user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] +/* 5018: limit events that can cause a pop-up ***/ +user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); +/* 5019: disable page thumbnail collection ***/ +user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF] +/* 5020: disable Windows native notifications and use app notications instead [FF111+] [WINDOWS] ***/ + // user_pref("alerts.useSystemBackend.windows.notificationserver.enabled", false); /* 5901: Enforce Private Browsing for OAuth sign-in * Providers may expect a device identifier from the browser, which could cause issues with PB. As * many users could suffer from this we keep this it disabled, feel free to switch it on if yours @@ -1009,6 +919,26 @@ user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN * [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly * [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/ user_pref("javascript.options.wasm", false); +/* 5507: disable rendering of SVG OpenType fonts ***/ +user_pref("gfx.font_rendering.opentype_svg.enabled", false); +/* 5508: disable all DRM content (EME: Encryption Media Extension) + * Optionally hide the UI setting which also disables the DRM prompt + * [TEST] https://bitmovin.com/demos/drm + * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/ +user_pref("media.eme.enabled", false); +user_pref("browser.eme.ui.enabled", false); +/* 5509: disable IPv6 if using a VPN + * This is an application level fallback. Disabling IPv6 is best done at an OS/network + * level, and/or configured properly in system wide VPN setups. + * If you see PR_CONNECT_RESET_ERROR, this pref *might* be the cause + * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" + * [TEST] https://ipleak.org/ + * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/ + // user_pref("network.dns.disableIPv6", true); +/* 5510: control when to send a cross-origin referer + * 0=always (default), 1=only if base domains match, 2=only if hosts match + * [NOTE] Will cause breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram ***/ +user_pref("network.http.referer.XOriginPolicy", 2); /* 5590: show a prompt when opening a link in external applications ***/ user_pref("security.external_protocol_requires_permission", true); @@ -1025,36 +955,38 @@ user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false] * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/ user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000] /* 6008: enforce no First Party Isolation [FF51+] - * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701), - * and enabling FPI disables those. FPI is no longer maintained ***/ + * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701), and enabling FPI + * disables those. FPI is no longer maintained except at Tor Project for Tor Browser's config ***/ user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false] /* 6009: enforce SmartBlock shims [FF81+] * In FF96+ these are listed in about:compat * [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/ user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true] -/* 6010: enforce/reset TLS 1.0/1.1 downgrades to session only - * [NOTE] In FF97+ the TLS 1.0/1.1 downgrade UX was removed +/* 6010: enforce no TLS 1.0/1.1 downgrades * [TEST] https://tls-v1-1.badssl.com:1010/ ***/ user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false] /* 6011: enforce disabling of Web Compatibility Reporter [FF56+] * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla * [WHY] To prevent wasting Mozilla's time with a custom setup ***/ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] -/* 6012: disable SHA-1 certificates ***/ -user_pref("security.pki.sha1_enforcement_level", 1); // [DEFAULT: 1 FF102+] -/* 6050: prefsCleaner: reset items removed from arkenfox FF92+ ***/ - // user_pref("browser.urlbar.trimURLs", ""); - // user_pref("dom.caches.enabled", ""); - // user_pref("dom.storageManager.enabled", ""); - // user_pref("dom.storage_access.enabled", ""); - // user_pref("dom.targetBlankNoOpener.enabled", ""); - // user_pref("network.cookie.thirdparty.sessionOnly", ""); - // user_pref("network.cookie.thirdparty.nonsecureSessionOnly", ""); - // user_pref("privacy.firstparty.isolate.block_post_message", ""); - // user_pref("privacy.firstparty.isolate.restrict_opener_access", ""); - // user_pref("privacy.firstparty.isolate.use_site", ""); - // user_pref("privacy.window.name.update.enabled", ""); - // user_pref("security.insecure_connection_text.enabled", ""); +/* 6012: enforce Quarantined Domains [FF115+] + * [WHY] https://support.mozilla.org/kb/quarantined-domains */ +user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true] +/* 6050: prefsCleaner: reset previously active items removed from arkenfox FF102+ ***/ + // user_pref("beacon.enabled", ""); + // user_pref("browser.region.network.url", ""); + // user_pref("browser.region.update.enabled", ""); + // user_pref("browser.ssl_override_behavior", ""); + // user_pref("devtools.chrome.enabled", ""); + // user_pref("dom.disable_beforeunload", ""); + // user_pref("dom.disable_open_during_load", ""); + // user_pref("extensions.formautofill.available", ""); + // user_pref("extensions.formautofill.addresses.supported", ""); + // user_pref("extensions.formautofill.creditCards.available", ""); + // user_pref("extensions.formautofill.creditCards.supported", ""); + // user_pref("middlemouse.contentLoadURL", ""); +/* 6051: prefsCleaner: reset previously active items removed from arkenfox FF115+ ***/ + // user_pref("network.protocol-handler.external.ms-windows-store", ""); /*** [SECTION 7000]: DON'T BOTHER Thunderbird-User.JS maintainer here : @@ -1063,18 +995,16 @@ user_pref("security.pki.sha1_enforcement_level", 1); // [DEFAULT: 1 FF102+] ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); /* 7001: disable APIs - * Location-Aware Browsing, Full Screen, offline cache (appCache), Virtual Reality - * [WHY] The API state is easily fingerprintable. Geo and VR are behind prompts (7002). - * appCache storage capability was removed in FF90. Full screen requires user interaction ***/ + * Location-Aware Browsing, Full Screen + * [WHY] The API state is easily fingerprintable. + * Geo is behind a prompt (7002). Full screen requires user interaction ***/ user_pref("geo.enabled", false); user_pref("full-screen-api.enabled", false); -user_pref("browser.cache.offline.enable", false); -user_pref("dom.vr.enabled", false); // [DEFAULT: false FF97+] /* 7003: disable non-modern cipher suites [1] * [WHY] Passive fingerprinting. Minimal/non-existent threat of downgrade attacks * [1] https://browserleaks.com/ssl ***/ - // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); - // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); + // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // [DEFAULT: false FF109+] + // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); // [DEFAULT: false FF109+] // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); // user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false); // user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS @@ -1088,13 +1018,13 @@ user_pref("dom.vr.enabled", false); // [DEFAULT: false FF97+] /* 7005: disable SSL session IDs [FF36+] * [WHY] Passive fingerprinting and perf costs. These are session-only * and isolated with network partitioning (FF85+) and/or containers ***/ - // user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF in FF101 or lower] + // user_pref("security.ssl.disable_session_identifiers", true); /* 7006: onions * [WHY] Thunderbird doesn't support hidden services. Use Tor Browser ***/ // user_pref("dom.securecontext.allowlist_onions", true); // [FF97+] 1382359/1744006 // user_pref("network.http.referer.hideOnionSource", true); // 1305144 /* 7007: referers - * [WHY] Only cross-origin referers (1600s) need control ***/ + * [WHY] Only cross-origin referers (1602, 5510) matter ***/ user_pref("network.http.sendRefererHeader", 0); user_pref("network.http.referer.trimmingPolicy", 0); /* 7008: set the default Referrer Policy [FF59+] @@ -1105,7 +1035,6 @@ user_pref("network.http.referer.defaultPolicy.pbmode", 0); // [DEFAULT: 2] /* 7010: disable HTTP Alternative Services [FF37+] * [WHY] Already isolated with network partitioning (FF85+) ***/ user_pref("network.http.altsvc.enabled", false); - // user_pref("network.http.altsvc.oe", false); // [DEFAULT: false FF94+] /* 7011: disable website control over browser right-click context menu * [WHY] Just use Shift-Right-Click ***/ user_pref("dom.event.contextmenu.enabled", false); @@ -1128,7 +1057,7 @@ user_pref("dom.event.clipboardevents.enabled", false); // user_pref("privacy.donottrackheader.enabled", true); /* 7016: customize ETP settings * [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/ - // user_pref("network.cookie.cookieBehavior", 5); + // user_pref("network.cookie.cookieBehavior", 5); // [DEFAULT: 5 FF103+] // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true); // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", true); // [FF100+] // user_pref("privacy.partition.network_state.ocsp_cache", true); @@ -1138,8 +1067,7 @@ user_pref("dom.event.clipboardevents.enabled", false); // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] /* 7017: disable service workers - * [WHY] Already isolated (FF96+) with TCP (2701) behind a pref (2710) - * or blocked with TCP in 3rd parties (FF95 or lower) ***/ + * [WHY] Already isolated with TCP (2701) behind a pref (2710) ***/ // user_pref("dom.serviceWorkers.enabled", false); /* 7018: disable Web Notifications * [WHY] Web Notifications are behind a prompt (7002) @@ -1151,6 +1079,13 @@ user_pref("dom.event.clipboardevents.enabled", false); * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID" * [1] https://support.mozilla.org/kb/push-notifications-firefox ***/ // user_pref("dom.push.enabled", false); +/* 7020: disable WebRTC (Web Real-Time Communication) + * [WHY] Firefox desktop uses mDNS hostname obfuscation and the private IP is never exposed until + * required in TRUSTED scenarios; i.e. after you grant device (microphone or camera) access + * [TEST] https://browserleaks.com/webrtc + * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ + * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/ +user_pref("media.peerconnection.enabled", false); /*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING [WHY] They are insufficient to help anti-fingerprinting and do more harm than good @@ -1158,81 +1093,41 @@ user_pref("dom.event.clipboardevents.enabled", false); [NOTE] An empty User-Agent may break Microsoft Exchange OAuth2 login ***/ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan"); -/* 8001: disable APIs ***/ - // user_pref("device.sensors.enabled", false); - // user_pref("dom.enable_performance", false); - // user_pref("dom.enable_resource_timing", false); - // user_pref("dom.gamepad.enabled", false); - // user_pref("dom.netinfo.enabled", false); // [DEFAULT: false NON-ANDROID: false ANDROID FF99+] - // user_pref("dom.webaudio.enabled", false); -/* 8002: disable other ***/ - // user_pref("browser.display.use_document_fonts", 0); - // user_pref("dom.w3c_touch_events.enabled", 0); - // user_pref("media.navigator.enabled", false); - // user_pref("media.ondevicechange.enabled", false); - // user_pref("media.video_stats.enabled", false); - // user_pref("media.webspeech.synth.enabled", false); - // user_pref("webgl.enable-debug-renderer-info", false); -/* 8003: spoof ***/ - // user_pref("dom.maxHardwareConcurrency", 2); - // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] - // user_pref("general.appname.override", ""); // [HIDDEN PREF] - // user_pref("general.appversion.override", ""); // [HIDDEN PREF] - // user_pref("general.buildID.override", ""); // [HIDDEN PREF] - // user_pref("general.oscpu.override", ""); // [HIDDEN PREF] - // user_pref("general.platform.override", ""); // [HIDDEN PREF] - // user_pref("general.useragent.override", ""); // [HIDDEN PREF] - // user_pref("ui.use_standins_for_native_colors", true); +/* 8001: prefsCleaner: reset items useless for anti-fingerprinting ***/ + // user_pref("browser.display.use_document_fonts", ""); + // user_pref("browser.zoom.siteSpecific", ""); + // user_pref("device.sensors.enabled", ""); + // user_pref("dom.enable_performance", ""); + // user_pref("dom.enable_resource_timing", ""); + // user_pref("dom.gamepad.enabled", ""); + // user_pref("dom.maxHardwareConcurrency", ""); + // user_pref("dom.w3c_touch_events.enabled", ""); + // user_pref("dom.webaudio.enabled", ""); + // user_pref("font.system.whitelist", ""); + // user_pref("general.appname.override", ""); + // user_pref("general.appversion.override", ""); + // user_pref("general.buildID.override", ""); + // user_pref("general.oscpu.override", ""); + // user_pref("general.platform.override", ""); + // user_pref("general.useragent.override", ""); + // user_pref("media.navigator.enabled", ""); + // user_pref("media.ondevicechange.enabled", ""); + // user_pref("media.video_stats.enabled", ""); + // user_pref("media.webspeech.synth.enabled", ""); + // user_pref("ui.use_standins_for_native_colors", ""); + // user_pref("webgl.enable-debug-renderer-info", ""); -/*** [SECTION 9000]: PERSONAL - Non-project related but useful. If any interest you, add them to your overrides -***/ +/*** [SECTION 9000]: NON-PROJECT RELATED ***/ user_pref("_user.js.parrot", "9000 syntax error: the parrot's cashed in 'is chips!"); -/* WELCOME & WHAT'S NEW NOTICES ***/ -user_pref("mailnews.start_page_override.mstone", "ignore"); // master switch -/* WARNINGS ***/ - // user_pref("browser.tabs.warnOnClose", false); // [DEFAULT false FF94+] - // user_pref("browser.tabs.warnOnOpen", false); - // user_pref("full-screen-api.warning.delay", 0); - // user_pref("full-screen-api.warning.timeout", 0); -/* UPDATES ***/ - // user_pref("app.update.auto", false); // [NON-WINDOWS] disable auto app updates - // [NOTE] You will still get prompts to update, and should do so in a timely manner - // user_pref("browser.search.update", false); // disable search engine updates (e.g. OpenSearch) - // [NOTE] This does not affect Mozilla's built-in or Web Extension search engines - // user_pref("extensions.update.enabled", false); // disable extension and theme update checks - // user_pref("extensions.update.autoUpdateDefault", false); // disable installing extension and theme updates - // [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) - // user_pref("extensions.getAddons.cache.enabled", false); // disable extension metadata (extension detail tab) -/* APPEARANCE ***/ - // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent - // user_pref("ui.prefersReducedMotion", 1); // disable chrome animations [FF77+] [RESTART] [HIDDEN PREF] - // 0=no-preference, 1=reduce: with RFP this only affects chrome - // user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF] - // 0=light, 1=dark: with RFP this only affects chrome -/* CONTENT BEHAVIOR ***/ - // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type" - // user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX] -/* UX BEHAVIOR ***/ - // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux] - // user_pref("mail.tabs.autoHide", true); // hides the tab bar if there is only one tab - // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART] -/* UX FEATURES ***/ - // user_pref("reader.parse-on-load.enabled", false); // Reader View -/* OTHER ***/ - // user_pref("browser.bookmarks.max_backups", 2); - // user_pref("network.manage-offline-status", false); // see bugzilla 620472 - // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) -/* RETURN RECEIPT BEHAVIOR ***/ - // user_pref("mail.mdn.report.enabled", false); // disable return receipt sending unconditionally -/* CUSTOM HEADERS ***/ +/* 9001: disable welcome notices ***/ +user_pref("browser.startup.homepage_override.mstone", "ignore"); +/* 9090: disable return receipt sending unconditionally ***/ + // user_pref("mail.mdn.report.enabled", false); +/* 9099: e-mail custom headers (examples) ***/ // user_pref("mail.compose.other.header", "X-Custom-Header,X-Another-Custom-Header"); // corresponding values can be set in compose window ("double-arrow" drop-down) // user_pref("mail.identity.id1.headers", "References, InReplyTo"); // user_pref("mail.identity.id1.header.References", "References: <2ad46d80-c8ce-49a3-9896-16171788ac28@example.tld>\n <31ff00c2-b7cb-4063-beeb-a0bdd424c3a7@example1.tld>"); // user_pref("mail.identity.id1.header.InReplyTo", "In-Reply-To: <31ff00c2-b7cb-4063-beeb-a0bdd424c3a7@example1.tld>"); -user_pref("mail.identity.id1.headers", ""); -user_pref("mail.identity.id1.header.References", ""); -user_pref("mail.identity.id1.header.InReplyTo", ""); /*** [SECTION 9100]: THUNDERBIRD (AUTO CONFIG / UI / HEADERS / ADDRESS BOOK) Options general to Thunderbird's mail configuration and user interface @@ -1548,61 +1443,34 @@ user_pref("mail.openpgp.allow_external_gnupg", true); // [HIDDEN PREF] [1] https://github.com/arkenfox/user.js/issues/123 ***/ user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!"); -/* ESR91.x still uses all the following prefs -// [NOTE] replace the * with a slash in the line above to re-enable them -// FF93 -// 7003: disable non-modern cipher suites - // [-] https://bugzilla.mozilla.org/1724072 - // user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES -// FF94 -// 1402: limit font visibility (Windows, Mac, some Linux) [FF79+] - replaced by new 1402 - // [-] https://bugzilla.mozilla.org/1715507 - // user_pref("layout.css.font-visibility.level", 1); -// FF96 -// 0302: disable auto-INSTALLING Thunderbird updates via a background service + hide the setting [FF90+] [WINDOWS] - // [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows - // [-] https://bugzilla.mozilla.org/1738983 -user_pref("app.update.background.scheduling.enabled", false); -// FF97 -// 7006: onions - replaced by new 7006 "allowlist" - // [-] https://bugzilla.mozilla.org/1744006 - // user_pref("dom.securecontext.whitelist_onions", true); // 1382359 -// FF99 -// 6003: enforce CSP (Content Security Policy) - // [1] https://developer.mozilla.org/docs/Web/HTTP/CSP - // [-] https://bugzilla.mozilla.org/1754301 -user_pref("security.csp.enable", true); // [DEFAULT: true] -// FF100 -// 7009: disable HTTP2 - replaced by network.http.http2* prefs - // [WHY] Passive fingerprinting. ~50% of sites use HTTP2 [1] - // [1] https://w3techs.com/technologies/details/ce-http2/all/all - // [-] https://bugzilla.mozilla.org/1752621 - // user_pref("network.http.spdy.enabled", false); - // user_pref("network.http.spdy.enabled.deps", false); - // user_pref("network.http.spdy.enabled.http2", false); - // user_pref("network.http.spdy.websockets", false); // [FF65+] -// FF101 -// 9211: Behavior when sending HTML message - // (0=Ask, 1=Send as plain text, 2=Send as HTML anyway, - // 3=Include both plain text and HTML message bodies in message) - // Email that is HTML should also have plaintext multipart for plain text users. - // [1] https://drewdevault.com/2016/04/11/Please-use-text-plain-for-emails.html - // [-] https://bugzilla.mozilla.org/1727493 -user_pref("mail.default_html_action", 1); -// 9213: Downgrade email to plaintext by default - // [-] https://bugzilla.mozilla.org/1727493 -user_pref("mailnews.sendformat.auto_downgrade", true); -// FF102 - // 0901: set when Thunderbird should prompt for the primary password - // 0=once per session (default), 1=every time it's needed, 2=after n minutes (0902) - // [-] https://bugzilla.mozilla.org/1767099 -user_pref("security.ask_for_password", 2); - // 0902: set how long in minutes Thunderbird should remember the primary password (0901) - // [-] https://bugzilla.mozilla.org/1767099 -user_pref("security.password_lifetime", 5); // [DEFAULT: 30] - // 6007: enforce Local Storage Next Generation (LSNG) [FF65+] - // [-] https://bugzilla.mozilla.org/1764696 -user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] +/* ESR102.x still uses all the following prefs +// [NOTE] replace the * with a slash in the line above to re-enable active ones +// FF103 +// 2801: delete cookies and site data on exit - replaced by sanitizeOnShutdown* (2810) + // 0=keep until they expire (default), 2=keep until you close Thunderbird + // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1681493,1681495,1681498,1759665,1764761 +user_pref("network.cookie.lifetimePolicy", 2); +// 6012: disable SHA-1 certificates + // [-] https://bugzilla.mozilla.org/1766687 + // user_pref("security.pki.sha1_enforcement_level", 1); // [DEFAULT: 1] +// FF114 +// 2816: set cache to clear on exit [FF96+] + // [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is more robust + // [1] https://bugzilla.mozilla.org/1671182 + // [-] https://bugzilla.mozilla.org/1821651 + // user_pref("privacy.clearsitedata.cache.enabled", true); +// 4505: experimental RFP [FF91+] + // [-] https://bugzilla.mozilla.org/1824235 + // user_pref("privacy.resistFingerprinting.testGranularityMask", 0); +// 5017: disable Form Autofill heuristics + // Heuristics controls Form Autofill on forms without @autocomplete attributes + // [-] https://bugzilla.mozilla.org/1829670 + // user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] +// FF115 + // 7001: disable offline cache (appCache) + // [NOTE] appCache storage capability was removed in FF90 + // [-] https://bugzilla.mozilla.org/1677718 + // user_pref("browser.cache.offline.enable", false); // ***/ /* END: internal custom pref to test for syntax errors ***/