Applies v91.0..v91.1 Arkenfox upstream changes

This commit is contained in:
Samuel FORESTIER 2021-10-30 11:33:39 +02:00
parent f7788b2c8a
commit a492b510df
1 changed files with 49 additions and 44 deletions

93
user.js
View File

@ -1,6 +1,6 @@
/****** /******
* name: thunderbird user.js * name: thunderbird user.js
* date: 17 October 2021 * date: 30 October 2021
* version: v91-beta * version: v91-beta
* url: https://github.com/HorlogeSkynet/thunderbird-user.js * url: https://github.com/HorlogeSkynet/thunderbird-user.js
* license: MIT (https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/LICENSE) * license: MIT (https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/LICENSE)
@ -46,7 +46,6 @@
2000: PLUGINS / MEDIA / WEBRTC 2000: PLUGINS / MEDIA / WEBRTC
2300: WEB WORKERS 2300: WEB WORKERS
2400: DOM (DOCUMENT OBJECT MODEL) 2400: DOM (DOCUMENT OBJECT MODEL)
2500: FINGERPRINTING
2600: MISCELLANEOUS 2600: MISCELLANEOUS
2700: PERSISTENT STORAGE 2700: PERSISTENT STORAGE
2800: SHUTDOWN 2800: SHUTDOWN
@ -102,11 +101,12 @@ user_pref("geo.provider.use_gpsd", false); // [LINUX]
/* 0203: disable region updates /* 0203: disable region updates
* [1] https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html ***/ * [1] https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html ***/
user_pref("browser.region.network.url", ""); // [FF78+] user_pref("browser.region.network.url", ""); // [FF78+]
user_pref("browser.region.update.enabled", false); // [[FF79+] user_pref("browser.region.update.enabled", false); // [FF79+]
/* 0204: set search region /* 0204: set search region
* [NOTE] May not be hidden if Thunderbird has changed your settings due to your region (0203) ***/ * [NOTE] May not be hidden if Thunderbird has changed your settings due to your region (0203) ***/
// user_pref("browser.search.region", "US"); // [HIDDEN PREF] // user_pref("browser.search.region", "US"); // [HIDDEN PREF]
/* 0210: set preferred language for displaying web pages /* 0210: set preferred language for displaying pages
* [SETTING] General>Language and Appearance>Language>Choose your preferred language...
* [TEST] https://addons.mozilla.org/about ***/ * [TEST] https://addons.mozilla.org/about ***/
user_pref("intl.accept_languages", "en-US, en"); user_pref("intl.accept_languages", "en-US, en");
/* 0210b: Set dictionary to US ***/ /* 0210b: Set dictionary to US ***/
@ -147,9 +147,6 @@ user_pref("extensions.getAddons.cache.enabled", false);
/* 0306: disable search engine updates (e.g. OpenSearch) /* 0306: disable search engine updates (e.g. OpenSearch)
* [NOTE] This does not affect Mozilla's built-in or Web Extension search engines ***/ * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines ***/
user_pref("browser.search.update", false); user_pref("browser.search.update", false);
/* 0307: disable System Add-on updates ***/
user_pref("extensions.systemAddon.update.enabled", false); // [FF62+]
user_pref("extensions.systemAddon.update.url", ""); // [FF44+]
/** RECOMMENDATIONS ***/ /** RECOMMENDATIONS ***/
/* 0320: disable recommendation pane in about:addons (uses Google Analytics) ***/ /* 0320: disable recommendation pane in about:addons (uses Google Analytics) ***/
@ -321,13 +318,12 @@ user_pref("network.proxy.socks_remote_dns", true);
* [SETUP-CHROME] Can break extensions for profiles on network shares * [SETUP-CHROME] Can break extensions for profiles on network shares
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/ * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/
user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
/* 0704: disable GIO as a potential proxy bypass vector /* 0704: disable GIO as a potential proxy bypass vector [FF60+]
* Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda, * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda,
* gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64) * gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64)
* [1] https://bugzilla.mozilla.org/1433507 * [1] https://bugzilla.mozilla.org/1433507
* [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23044 * [2] https://en.wikipedia.org/wiki/GVfs
* [3] https://en.wikipedia.org/wiki/GVfs * [3] https://en.wikipedia.org/wiki/GIO_(software) ***/
* [4] https://en.wikipedia.org/wiki/GIO_(software) ***/
user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
/* 0705: disable DNS-over-HTTPS (DoH) rollout [FF60+] /* 0705: disable DNS-over-HTTPS (DoH) rollout [FF60+]
* 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off
@ -337,8 +333,11 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
* [3] https://blog.mozilla.org/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/ * [3] https://blog.mozilla.org/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/
* [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/ * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
// user_pref("network.trr.mode", 5); // user_pref("network.trr.mode", 5);
/* 0706: disable proxy direct failover for system requests [FF91+] ***/ /* 0706: disable proxy direct failover for system requests [FF91+]
user_pref("network.proxy.failover_direct", false); * [WARNING] Default true is a security feature against malicious extensions [1]
* [SETUP-CHROME] If you use a proxy and you trust your extensions
* [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/
// user_pref("network.proxy.failover_direct", false);
/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/ /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/
user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
@ -363,14 +362,14 @@ user_pref("browser.fixup.alternate.enabled", false);
* [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine * [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine
* [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/ * [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/
user_pref("browser.search.suggest.enabled", false); user_pref("browser.search.suggest.enabled", false);
/* 0808: disable search and form history /* 0810: disable search and form history
* [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2] * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
* [NOTE] We also clear formdata on exit (2803) * [NOTE] We also clear formdata on exit (2803)
* [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history
* [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
* [2] https://bugzilla.mozilla.org/381681 ***/ * [2] https://bugzilla.mozilla.org/381681 ***/
user_pref("browser.formfill.enable", false); user_pref("browser.formfill.enable", false);
/* 0809: disable Form Autofill /* 0811: disable Form Autofill
* [NOTE] Stored data is NOT secure (uses a JSON file) * [NOTE] Stored data is NOT secure (uses a JSON file)
* [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
* [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses
@ -380,7 +379,7 @@ user_pref("extensions.formautofill.available", "off"); // [FF56+]
user_pref("extensions.formautofill.creditCards.available", false); // [FF57+] user_pref("extensions.formautofill.creditCards.available", false); // [FF57+]
user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+]
user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
/* 0810: disable coloring of visited links /* 0820: disable coloring of visited links
* Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive * Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive
* redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing
* attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5] * attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5]
@ -484,13 +483,14 @@ user_pref("security.tls.enable_0rtt_data", false);
[1] https://scotthelme.co.uk/revocation-is-broken/ [1] https://scotthelme.co.uk/revocation-is-broken/
[2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
***/ ***/
/* 1211: control when to use OCSP fetching (to confirm current validity of certificates) /* 1211: enforce OCSP fetching to confirm current validity of certificates
* 0=disabled, 1=enabled (default), 2=enabled for EV certificates only * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
* OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority) * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
* It's a trade-off between security (checking) and privacy (leaking info to the CA) * It's a trade-off between security (checking) and privacy (leaking info to the CA)
* [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
* [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers...
* [1] https://en.wikipedia.org/wiki/Ocsp ***/ * [1] https://en.wikipedia.org/wiki/Ocsp ***/
user_pref("security.OCSP.enabled", 1); user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1]
/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail [SETUP-WEB] /* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail [SETUP-WEB]
* When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail) * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
* Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail) * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
@ -516,7 +516,7 @@ user_pref("security.pki.sha1_enforcement_level", 1);
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/ * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/
user_pref("security.family_safety.mode", 0); user_pref("security.family_safety.mode", 0);
/* 1223: enable strict pinning /* 1223: enable strict pinning
* PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict * PKP (Public Key Pinning) 0=disabled, 1=allow user MiTM (such as your antivirus), 2=strict
* [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing * [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing
* by inspecting ALL your web traffic, then leave at current default=1 * by inspecting ALL your web traffic, then leave at current default=1
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 ***/ * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 ***/
@ -555,7 +555,7 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false);
* [2] https://bugzilla.mozilla.org/1353705 ***/ * [2] https://bugzilla.mozilla.org/1353705 ***/
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
/* 1271: control "Add Security Exception" dialog on SSL warnings /* 1271: control "Add Security Exception" dialog on SSL warnings
* 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default) * 0=do neither, 1=pre-populate url, 2=pre-populate url + pre-fetch cert (default)
* [1] https://github.com/pyllyukko/user.js/issues/210 ***/ * [1] https://github.com/pyllyukko/user.js/issues/210 ***/
user_pref("browser.ssl_override_behavior", 1); user_pref("browser.ssl_override_behavior", 1);
/* 1272: display advanced information on Insecure Connection warning pages /* 1272: display advanced information on Insecure Connection warning pages
@ -712,28 +712,6 @@ user_pref("dom.disable_open_during_load", true);
/* 2404: limit events that can cause a popup [SETUP-WEB] ***/ /* 2404: limit events that can cause a popup [SETUP-WEB] ***/
user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
/*** [SECTION 2500]: FINGERPRINTING ***/
user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!");
/* 2501: enforce no system colors
* [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/
user_pref("browser.display.use_system_colors", false); // [DEFAULT: false]
/* 2502: enforce non-native widget theme
* Security: removes/reduces system API calls, e.g. win32k API [1]
* Fingerprinting: provides a uniform look and feel across platforms [2]
* [1] https://bugzilla.mozilla.org/1381938
* [2] https://bugzilla.mozilla.org/1411425 ***/
user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+]
/* 2503: open links targeting new windows in a new tab instead
* Stops malicious window sizes and some screen resolution leaks.
* You can still right-click a link and open in a new window
* [TEST] https://arkenfox.github.io/TZP/tzp.html#screen
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/
user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab
user_pref("browser.link.open_newwindow.restriction", 0);
/* 2504: disable WebGL (Web Graphics Library)
* [SETUP-WEB] If you need it then enable it. RFP still randomizes canvas for naive scripts ***/
user_pref("webgl.disabled", true);
/*** [SECTION 2600]: MISCELLANEOUS ***/ /*** [SECTION 2600]: MISCELLANEOUS ***/
user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
/* 2601: prevent accessibility services from accessing your browser [RESTART] /* 2601: prevent accessibility services from accessing your browser [RESTART]
@ -808,7 +786,7 @@ user_pref("browser.download.manager.addToRecentDocs", false);
* [SETUP-CHROME] This will break extensions, language packs, themes and any other * [SETUP-CHROME] This will break extensions, language packs, themes and any other
* XPI files which are installed outside of profile and application directories * XPI files which are installed outside of profile and application directories
* [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/ * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
* [1] archived: https://archive.is/DYjAM ***/ * [1] https://archive.is/DYjAM (archived) ***/
user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF] user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF]
user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15] user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
/* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+] /* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+]
@ -1061,6 +1039,29 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
* [1] https://bugzilla.mozilla.org/1635603 ***/ * [1] https://bugzilla.mozilla.org/1635603 ***/
// user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid"); // user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid");
// user_pref("privacy.resistFingerprinting.testGranularityMask", 0); // user_pref("privacy.resistFingerprinting.testGranularityMask", 0);
/* 4510: enforce no system colors
* [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/
user_pref("browser.display.use_system_colors", false); // [DEFAULT: false]
/* 4511: enforce non-native widget theme
* Security: removes/reduces system API calls, e.g. win32k API [1]
* Fingerprinting: provides a uniform look and feel across platforms [2]
* [1] https://bugzilla.mozilla.org/1381938
* [2] https://bugzilla.mozilla.org/1411425 ***/
user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true]
/* 4512: enforce links targeting new windows to open in a new tab instead
* 1=most recent window or tab, 2=new window, 3=new tab
* Stops malicious window sizes and some screen resolution leaks.
* You can still right-click a link and open in a new window
* [SETTING] General>Tabs>Open links in tabs instead of new windows
* [TEST] https://arkenfox.github.io/TZP/tzp.html#screen
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/
user_pref("browser.link.open_newwindow", 3); // [DEFAULT: 3]
/* 4513: set all open window methods to abide by "browser.link.open_newwindow" (4512)
* [1] https://searchfox.org/mozilla-central/source/dom/tests/browser/browser_test_new_window_from_content.js ***/
user_pref("browser.link.open_newwindow.restriction", 0); // [DEFAULT: 0]
/* 4520: disable WebGL (Web Graphics Library)
* [SETUP-WEB] If you need it then enable it. RFP still randomizes canvas for naive scripts ***/
user_pref("webgl.disabled", true);
/*** [SECTION 5000]: OPTIONAL OPSEC /*** [SECTION 5000]: OPTIONAL OPSEC
Disk avoidance, application data isolation, eyeballs... Disk avoidance, application data isolation, eyeballs...
@ -1265,6 +1266,10 @@ user_pref("gfx.downloadable_fonts.fallback_delay", -1);
* [WHY] Fingerprintable. Breakage. Cut/copy/paste require user * [WHY] Fingerprintable. Breakage. Cut/copy/paste require user
* interaction, and paste is limited to focused editable fields ***/ * interaction, and paste is limited to focused editable fields ***/
user_pref("dom.event.clipboardevents.enabled", false); user_pref("dom.event.clipboardevents.enabled", false);
/* 7014: disable System Add-on updates
* [WHY] It can compromise security. System addons ship with prefs, use those ***/
// user_pref("extensions.systemAddon.update.enabled", false); // [FF62+]
// user_pref("extensions.systemAddon.update.url", ""); // [FF44+]
/*** [SECTION 8000]: DON'T BOTHER: NON-RFP /*** [SECTION 8000]: DON'T BOTHER: NON-RFP
[WHY] They are insufficient to help anti-fingerprinting and do more harm than good [WHY] They are insufficient to help anti-fingerprinting and do more harm than good
@ -1671,7 +1676,7 @@ user_pref("mail.openpgp.allow_external_gnupg", true); // [HIDDEN PREF]
Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1] Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1]
[1] https://github.com/arkenfox/user.js/issues/123 [1] https://github.com/arkenfox/user.js/issues/123
***/ ***/
user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!");
/* ESR78.x still uses all the following prefs /* ESR78.x still uses all the following prefs
// [NOTE] replace the * with a slash in the line above to re-enable them // [NOTE] replace the * with a slash in the line above to re-enable them
// FF79 // FF79