Applies Arkenfox v115.1..v128.0 migration

Samuel FORESTIER 2024-08-22 18:21:57 +02:00 committed by Samuel FORESTIER
parent 5d33d6b50e
commit b814b88b93
1 changed files with 325 additions and 213 deletions

534
user.js

@ -1,6 +1,6 @@
/****** /******
* name: thunderbird user.js * name: thunderbird user.js
* date: 21 August 2024 * date: 31 August 2024
* version: v128.0-beta1 * version: v128.0-beta1
* url: https://github.com/HorlogeSkynet/thunderbird-user.js * url: https://github.com/HorlogeSkynet/thunderbird-user.js
* license: MIT (https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/LICENSE) * license: MIT (https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/LICENSE)
@ -27,16 +27,21 @@
[SETUP-CHROME] changes how Thunderbird itself behaves (i.e. not directly website related) [SETUP-CHROME] changes how Thunderbird itself behaves (i.e. not directly website related)
* RELEASES: https://github.com/HorlogeSkynet/thunderbird-user.js/releases * RELEASES: https://github.com/HorlogeSkynet/thunderbird-user.js/releases
* It is best to use the release that is optimized for and matches your Thunderbird version
* ESR102 * Use the thunderbird-user.js release that matches your Thunderbird version
- If you are not using thunderbird-user.js v102-1... (not a definitive list) - DON'T wait for thunderbird-user.js to update Thunderbird, nothing major changes these days
- 2815: clearOnShutdown cookies + offlineApps should be false * Each release
- 9999: switch the appropriate deprecated section(s) back on - run prefsCleaner to reset prefs made inactive, including deprecated (9999)
* If you use a previous ESR
- It is recommended to not use the updater, or you will get a later version which may cause issues.
So you should manually append your overrides (and keep a copy), and manually update when you
change ESR releases (thunderbird-user.js is already past that release)
- If you decide to keep updating, then the onus is on you - also see section 9999
* INDEX: * INDEX:
0100: STARTUP 0100: STARTUP
0200: GEOLOCATION / LANGUAGE / LOCALE 0200: GEOLOCATION
0300: QUIETER BIRD 0300: QUIETER BIRD
0400: SAFE BROWSING 0400: SAFE BROWSING
0600: BLOCK IMPLICIT OUTBOUND 0600: BLOCK IMPLICIT OUTBOUND
@ -45,7 +50,6 @@
0900: PASSWORDS 0900: PASSWORDS
1000: DISK AVOIDANCE 1000: DISK AVOIDANCE
1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP) 1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP)
1400: FONTS
1600: REFERERS 1600: REFERERS
1700: CONTAINERS 1700: CONTAINERS
2000: PLUGINS / MEDIA / WEBRTC 2000: PLUGINS / MEDIA / WEBRTC
@ -53,7 +57,8 @@
2600: MISCELLANEOUS 2600: MISCELLANEOUS
2700: ETP (ENHANCED TRACKING PROTECTION) 2700: ETP (ENHANCED TRACKING PROTECTION)
2800: SHUTDOWN & SANITIZING 2800: SHUTDOWN & SANITIZING
4500: RFP (RESIST FINGERPRINTING) 4000: FPP (fingerprintingProtection)
4500: OPTIONAL RFP (resistFingerprinting)
5000: OPTIONAL OPSEC 5000: OPTIONAL OPSEC
5500: OPTIONAL HARDENING 5500: OPTIONAL HARDENING
6000: DON'T TOUCH 6000: DON'T TOUCH
@ -64,7 +69,7 @@
9200: EMAIL COMPOSITION (ENCODING / FORMAT / VIEW) 9200: EMAIL COMPOSITION (ENCODING / FORMAT / VIEW)
9300: OTHER THUNDERBIRD COMPONENTS (CHAT / CALENDAR / RSS) 9300: OTHER THUNDERBIRD COMPONENTS (CHAT / CALENDAR / RSS)
9400: THUNDERBIRD ENCRYPTION (OPENPGP / GNUPG) 9400: THUNDERBIRD ENCRYPTION (OPENPGP / GNUPG)
9999: DEPRECATED / REMOVED / LEGACY / RENAMED 9999: DEPRECATED / RENAMED
******/ ******/
@ -87,27 +92,12 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
* true=? (default), false=blank page ***/ * true=? (default), false=blank page ***/
user_pref("browser.newtabpage.enabled", false); user_pref("browser.newtabpage.enabled", false);
/*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/ /*** [SECTION 0200]: GEOLOCATION ***/
user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!"); user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
/* 0201: use Mozilla geolocation service instead of Google if permission is granted [FF74+]
* Optionally enable logging to the console (defaults to false) ***/
user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
// user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF]
/* 0202: disable using the OS's geolocation service ***/ /* 0202: disable using the OS's geolocation service ***/
user_pref("geo.provider.ms-windows-location", false); // [WINDOWS] user_pref("geo.provider.ms-windows-location", false); // [WINDOWS]
user_pref("geo.provider.use_corelocation", false); // [MAC] user_pref("geo.provider.use_corelocation", false); // [MAC]
user_pref("geo.provider.use_gpsd", false); // [LINUX]
user_pref("geo.provider.use_geoclue", false); // [FF102+] [LINUX] user_pref("geo.provider.use_geoclue", false); // [FF102+] [LINUX]
/* 0210: set preferred language for displaying pages
* [SETTING] General > Language & Appearance > Language > Choose the language used to display...
* [TEST] https://addons.mozilla.org/about ***/
user_pref("intl.accept_languages", "en-US, en");
/* 0210b: Set dictionary to US ***/
user_pref("spellchecker.dictionary", "en-US");
/* 0211: use en-US locale regardless of the system or region locale
* [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1]
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/
user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
/*** [SECTION 0300]: QUIETER BIRD ***/ /*** [SECTION 0300]: QUIETER BIRD ***/
user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!");
@ -116,6 +106,13 @@ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the
user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF] user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF]
/* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/ /* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/
user_pref("extensions.htmlaboutaddons.recommendations.enabled", false); user_pref("extensions.htmlaboutaddons.recommendations.enabled", false);
/* 0322: disable personalized Extension Recommendations in about:addons and AMO [FF65+]
* [NOTE] This pref has no effect when Health Reports (0331) are disabled
* [1] https://support.mozilla.org/kb/personalized-extension-recommendations ***/
user_pref("browser.discovery.enabled", false);
/* 0323: disable shopping experience [FF116+]
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1840156#c0 ***/
user_pref("browser.shopping.experience2023.enabled", false); // [DEFAULT: false]
/** TELEMETRY ***/ /** TELEMETRY ***/
/* 0330: disable new data submission [FF41+] /* 0330: disable new data submission [FF41+]
@ -148,9 +145,6 @@ user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+]
user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF] user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF]
user_pref("toolkit.coverage.opt-out", true); // [FF64+] [HIDDEN PREF] user_pref("toolkit.coverage.opt-out", true); // [FF64+] [HIDDEN PREF]
user_pref("toolkit.coverage.endpoint.base", ""); user_pref("toolkit.coverage.endpoint.base", "");
/* 0334: disable PingCentre telemetry (used in several System Add-ons) [FF57+]
* Defense-in-depth: currently covered by 0331 ***/
user_pref("browser.ping-centre.telemetry", false);
/** STUDIES ***/ /** STUDIES ***/
/* 0340: disable Studies /* 0340: disable Studies
@ -263,7 +257,7 @@ user_pref("network.prefetch-next", false);
/* 0602: disable DNS prefetching /* 0602: disable DNS prefetching
* [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/ * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/
user_pref("network.dns.disablePrefetch", true); user_pref("network.dns.disablePrefetch", true);
// user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true] user_pref("network.dns.disablePrefetchFromHTTPS", true);
/* 0603: disable predictor / prefetching ***/ /* 0603: disable predictor / prefetching ***/
user_pref("network.predictor.enabled", false); user_pref("network.predictor.enabled", false);
user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false] user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false]
@ -286,15 +280,15 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost
user_pref("network.proxy.socks_remote_dns", true); user_pref("network.proxy.socks_remote_dns", true);
/* 0703: disable using UNC (Uniform Naming Convention) paths [FF61+] /* 0703: disable using UNC (Uniform Naming Convention) paths [FF61+]
* [SETUP-CHROME] Can break extensions for profiles on network shares * [SETUP-CHROME] Can break extensions for profiles on network shares
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/ * [1] https://bugzilla.mozilla.org/1413868 ***/
user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
/* 0704: disable GIO as a potential proxy bypass vector [FF60+] /* 0704: disable GIO as a potential proxy bypass vector [FF60+]
* Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer,
* dav, cdda, gphoto2, trash, etc. By default only sftp is accepted (FF87+) * dav, cdda, gphoto2, trash, etc. From FF87-117, by default only sftp was accepted
* [1] https://bugzilla.mozilla.org/1433507 * [1] https://bugzilla.mozilla.org/1433507
* [2] https://en.wikipedia.org/wiki/GVfs * [2] https://en.wikipedia.org/wiki/GVfs
* [3] https://en.wikipedia.org/wiki/GIO_(software) ***/ * [3] https://en.wikipedia.org/wiki/GIO_(software) ***/
user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] [DEFAULT: "" FF118+]
/* 0705: disable proxy direct failover for system requests [FF91+] /* 0705: disable proxy direct failover for system requests [FF91+]
* [WARNING] Default true is a security feature against malicious extensions [1] * [WARNING] Default true is a security feature against malicious extensions [1]
* [SETUP-CHROME] If you use a proxy and you trust your extensions * [SETUP-CHROME] If you use a proxy and you trust your extensions
@ -306,41 +300,59 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
* [SETUP-CHROME] If you use a proxy and you understand the security impact * [SETUP-CHROME] If you use a proxy and you understand the security impact
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 ***/ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 ***/
// user_pref("network.proxy.allow_bypass", false); // user_pref("network.proxy.allow_bypass", false);
/* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+] /* 0710: enable DNS-over-HTTPS (DoH) [FF60+]
* 0=default, 2=increased (TRR (Trusted Recursive Resolver) first), 3=max (TRR only), 5=off * 0=default, 2=increased (TRR (Trusted Recursive Resolver) first), 3=max (TRR only), 5=off (no rollout)
* see "doh-rollout.home-region": USA 2019, Canada 2021, Russia/Ukraine 2022 [3] * see "doh-rollout.home-region": USA 2019, Canada 2021, Russia/Ukraine 2022 [3]
* [SETTING] General > Network & Disk Space > Connection > Settings... > Enable DNS over HTTPS * [SETTING] Privacy & Security>DNS over HTTPS
* [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
* [2] https://wiki.mozilla.org/Security/DOH-resolver-policy * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy
// * [3] https://support.mozilla.org/en-US/kb/firefox-dns-over-https * [3] https://support.mozilla.org/kb/firefox-dns-over-https
* [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/ * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
// user_pref("network.trr.mode", 5); // user_pref("network.trr.mode", 3);
/* 0706: disable proxy direct failover for system requests [FF91+] /* 0712: set DoH provider
* [WARNING] Default true is a security feature against malicious extensions [1] * The custom uri is the value shown when you "Choose provider>Custom>"
* [SETUP-CHROME] If you use a proxy and you trust your extensions * [NOTE] If you USE custom then "network.trr.uri" should be set the same
* [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/ * [SETTING] Privacy & Security>DNS over HTTPS>Increased/Max>Choose provider ***/
// user_pref("network.proxy.failover_direct", false); // user_pref("network.trr.uri", "https://example.dns");
// user_pref("network.trr.custom_uri", "https://example.dns");
/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/ /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/
user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
/* 0802: disable location bar domain guessing /* 0801: disable location bar making speculative connections [FF56+]
* domain guessing intercepts DNS "hostname not found errors" and resends a * [1] https://bugzilla.mozilla.org/1348275 ***/
* request (e.g. by adding www or .com). This is inconsistent use (e.g. FQDNs), does not work user_pref("browser.urlbar.speculativeConnect.enabled", false);
* via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com /* 0802: disable location bar contextual suggestions
* as the 411 for DNS errors?), privacy issues (why connect to sites you didn't * [NOTE] The UI is controlled by the .enabled pref
* intend to), can leak sensitive data (e.g. query strings: e.g. Princeton attack), * [1] https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/ ***/
* and is a security risk (e.g. common typos & malicious sites set up to exploit this) ***/ user_pref("browser.urlbar.quicksuggest.enabled", false); // [FF92+]
user_pref("browser.fixup.alternate.enabled", false); // [DEFAULT: false FF104+] user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // [FF95+]
/* 0804: disable live search suggestions user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); // [FF92+]
* [NOTE] Both must be true for the location bar to work /* 0803: disable live search suggestions
* [NOTE] Both must be true for live search to work in the location bar
* [SETUP-CHROME] Override this if you trust and use a privacy respecting search engine ***/ * [SETUP-CHROME] Override this if you trust and use a privacy respecting search engine ***/
user_pref("browser.search.suggest.enabled", false); user_pref("browser.search.suggest.enabled", false);
user_pref("browser.urlbar.suggest.searches", false);
/* 0805: disable urlbar trending search suggestions [FF118+] ***/
user_pref("browser.urlbar.trending.featureGate", false);
/* 0806: disable urlbar suggestions ***/
user_pref("browser.urlbar.addons.featureGate", false); // [FF115+]
user_pref("browser.urlbar.mdn.featureGate", false); // [FF117+] [HIDDEN PREF]
user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] [DEFAULT: false]
user_pref("browser.urlbar.yelp.featureGate", false); // [FF124+] [DEFAULT: false]
/* 0807: disable urlbar clipboard suggestions [FF118+] ***/
user_pref("browser.urlbar.clipboard.featureGate", false);
/* 0808: disable recent searches [FF120+]
* [NOTE] Recent searches are cleared with history (2811)
* [1] https://support.mozilla.org/kb/search-suggestions-firefox ***/
// user_pref("browser.urlbar.recentsearches.featureGate", false);
/* 0810: disable search and form history /* 0810: disable search and form history
* [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
* [NOTE] We also clear formdata on exit (2811) * [NOTE] We also clear formdata on exit (2811)
* [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
* [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
* [2] https://bugzilla.mozilla.org/381681 ***/ * [2] https://bugzilla.mozilla.org/381681 ***/
user_pref("browser.formfill.enable", false); user_pref("browser.formfill.enable", false);
/* 0815: disable tab-to-search [FF85+] ***/
user_pref("browser.urlbar.suggest.engines", false);
/* 0820: disable coloring of visited links /* 0820: disable coloring of visited links
* Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive * Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive
* redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing
@ -352,6 +364,9 @@ user_pref("browser.formfill.enable", false);
* [4] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use) * [4] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use)
* [5] https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html ***/ * [5] https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html ***/
user_pref("layout.css.visited_links_enabled", false); user_pref("layout.css.visited_links_enabled", false);
/* 0830: enable separate default search engine in Private Windows and its UI setting ***/
user_pref("browser.search.separatePrivateDefault", true); // [FF70+]
user_pref("browser.search.separatePrivateDefault.ui.enabled", true); // [FF71+]
/*** [SECTION 0900]: PASSWORDS /*** [SECTION 0900]: PASSWORDS
[1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas
@ -387,8 +402,8 @@ user_pref("network.auth.subresource-http-auth-allow", 1);
/*** [SECTION 1000]: DISK AVOIDANCE ***/ /*** [SECTION 1000]: DISK AVOIDANCE ***/
user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!"); user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
/* 1001: disable disk cache /* 1001: disable disk cache
* [SETUP-CHROME] If you think disk cache helps perf, then feel free to override this * [NOTE] We also clear cache on exit (2811)
* [NOTE] We also clear cache on exit (2811) ***/ * [SETUP-CHROME] If you think disk cache helps perf, then feel free to override this ***/
user_pref("browser.cache.disk.enable", false); user_pref("browser.cache.disk.enable", false);
/* 1002: disable media cache from writing to disk in Private Browsing /* 1002: disable media cache from writing to disk in Private Browsing
* [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB ***/ * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB ***/
@ -398,6 +413,14 @@ user_pref("media.memory_cache_max_size", 65536);
* define on which sites to save extra session data such as form content, cookies and POST data * define on which sites to save extra session data such as form content, cookies and POST data
* 0=everywhere, 1=unencrypted sites, 2=nowhere ***/ * 0=everywhere, 1=unencrypted sites, 2=nowhere ***/
user_pref("browser.sessionstore.privacy_level", 2); user_pref("browser.sessionstore.privacy_level", 2);
/* 1005: disable automatic Thunderbird start and session restore after reboot [FF62+] [WINDOWS]
* [1] https://bugzilla.mozilla.org/603903 ***/
user_pref("toolkit.winRegisterApplicationRestart", false);
/* 1006: disable favicons in shortcuts [WINDOWS]
* URL shortcuts use a cached randomly named .ico file which is stored in your
* profile/shortcutCache directory. The .ico remains after the shortcut is deleted
* If set to false then the shortcuts use a generic Firefox icon ***/
user_pref("browser.shell.shortcutFavicons", false);
/* 1901: disable disk cache for messages not in offline store */ /* 1901: disable disk cache for messages not in offline store */
user_pref("mail.imap.use_disk_cache2", false); user_pref("mail.imap.use_disk_cache2", false);
@ -416,7 +439,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
* but the problem is that the browser can't know that. Setting this pref to true is the only way for the * but the problem is that the browser can't know that. Setting this pref to true is the only way for the
* browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server
* [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site? * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site?
* [STATS] SSL Labs (Feb 2023) reports over 99.3% of top sites have secure renegotiation [4] * [STATS] SSL Labs (May 2024) reports over 99.7% of top sites have secure renegotiation [4]
* [1] https://wiki.mozilla.org/Security:Renegotiation * [1] https://wiki.mozilla.org/Security:Renegotiation
* [2] https://datatracker.ietf.org/doc/html/rfc5746 * [2] https://datatracker.ietf.org/doc/html/rfc5746
* [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
@ -453,12 +476,6 @@ user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1]
user_pref("security.OCSP.require", true); user_pref("security.OCSP.require", true);
/** CERTS / HPKP (HTTP Public Key Pinning) ***/ /** CERTS / HPKP (HTTP Public Key Pinning) ***/
/* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
* 0=disable detecting Family Safety mode and importing the root
* 1=only attempt to detect Family Safety mode (don't import the root)
* 2=detect Family Safety mode and import the root
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/
user_pref("security.family_safety.mode", 0);
/* 1223: enable strict PKP (Public Key Pinning) /* 1223: enable strict PKP (Public Key Pinning)
* 0=disabled, 1=allow user MiTM (default; such as your antivirus), 2=strict * 0=disabled, 1=allow user MiTM (default; such as your antivirus), 2=strict
* [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE * [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
@ -468,7 +485,7 @@ user_pref("security.cert_pinning.enforcement_level", 2);
* 0 = disabled * 0 = disabled
* 1 = consult CRLite but only collect telemetry * 1 = consult CRLite but only collect telemetry
* 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results
* 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (FF99+, default FF100+) * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (default)
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071
* [2] https://blog.mozilla.org/security/tag/crlite/ ***/ * [2] https://blog.mozilla.org/security/tag/crlite/ ***/
user_pref("security.remote_settings.crlite_filters.enabled", true); user_pref("security.remote_settings.crlite_filters.enabled", true);
@ -481,7 +498,7 @@ user_pref("security.pki.crlite_mode", 2);
/** MIXED CONTENT ***/ /** MIXED CONTENT ***/
/* 1241: disable insecure passive content (such as images) on https pages ***/ /* 1241: disable insecure passive content (such as images) on https pages ***/
user_pref("security.mixed_content.block_display_content", true); // Defense-in-depth (see 1244) user_pref("security.mixed_content.block_display_content", true); // Defense-in-depth (see 1244)
/* 1244: enable HTTPS-Only mode in all windows [FF76+] /* 1244: enable HTTPS-Only mode in all windows
* When the top-level is HTTPS, insecure subresources are also upgraded (silent fail) * When the top-level is HTTPS, insecure subresources are also upgraded (silent fail)
* [TEST] http://example.com [upgrade] * [TEST] http://example.com [upgrade]
* [TEST] http://httpforever.com/ | http://http.rip [no upgrade] ***/ * [TEST] http://httpforever.com/ | http://http.rip [no upgrade] ***/
@ -512,18 +529,6 @@ user_pref("security.warn_entering_weak", true);
user_pref("security.warn_leaving_secure", true); user_pref("security.warn_leaving_secure", true);
user_pref("security.warn_viewing_mixed", true); user_pref("security.warn_viewing_mixed", true);
/*** [SECTION 1400]: FONTS ***/
user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
/* 1402: limit font visibility (Windows, Mac, some Linux) [FF94+]
* Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
* In normal windows: uses the first applicable: RFP (4506) over TP over Standard
* In Private Browsing windows: uses the most restrictive between normal and private
* 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
* [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
// user_pref("layout.css.font-visibility.private", 1);
// user_pref("layout.css.font-visibility.standard", 1);
// user_pref("layout.css.font-visibility.trackingprotection", 1);
/*** [SECTION 1600]: REFERERS /*** [SECTION 1600]: REFERERS
full URI: https://example.com:8888/foo/bar.html?id=1234 full URI: https://example.com:8888/foo/bar.html?id=1234
scheme+host+port+path: https://example.com:8888/foo/bar.html scheme+host+port+path: https://example.com:8888/foo/bar.html
@ -541,6 +546,12 @@ user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");
* https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers ***/ * https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers ***/
user_pref("privacy.userContext.enabled", true); user_pref("privacy.userContext.enabled", true);
user_pref("privacy.userContext.ui.enabled", true); user_pref("privacy.userContext.ui.enabled", true);
/* 1703: set external links to open in site-specific containers [FF123+]
* [SETUP-WEB] Depending on your container extension(s) and their settings
* true=Firefox will not choose a container (so your extension can)
* false=Firefox will choose the container/no-container (default)
* [1] https://bugzilla.mozilla.org/1874599 ***/
// user_pref("browser.link.force_default_user_context_id_for_external_opens", true);
/*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/ /*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/
user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!"); user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
@ -548,7 +559,7 @@ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
/* 2003: force a single network interface for ICE candidates generation [FF42+] /* 2003: force a single network interface for ICE candidates generation [FF42+]
* When using a system-wide proxy, it uses the proxy interface * When using a system-wide proxy, it uses the proxy interface
* [1] https://developer.mozilla.org/en-US/docs/Web/API/RTCIceCandidate * [1] https://developer.mozilla.org/docs/Web/API/RTCIceCandidate
* [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/ * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
user_pref("media.peerconnection.ice.default_address_only", true); user_pref("media.peerconnection.ice.default_address_only", true);
/* 2004: force exclusion of private IPs from ICE candidates [FF51+] /* 2004: force exclusion of private IPs from ICE candidates [FF51+]
@ -566,12 +577,9 @@ user_pref("dom.disable_window_move_resize", true);
/*** [SECTION 2600]: MISCELLANEOUS ***/ /*** [SECTION 2600]: MISCELLANEOUS ***/
user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
/* 2601: prevent accessibility services from accessing your browser [RESTART] /* 2603: remove temp files opened from non-PB windows with an external application
* [1] https://support.mozilla.org/kb/accessibility-services ***/ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=302433,1738574 ***/
user_pref("accessibility.force_disabled", 1); user_pref("browser.download.start_downloads_in_tmp_dir", true); // [FF102+]
/* 2603: remove temp files opened with an external application
* [1] https://bugzilla.mozilla.org/302433 ***/
user_pref("browser.helperApps.deleteTempFileOnExit", true);
/* 2606: disable UITour backend so there is no chance that a remote page can use it ***/ /* 2606: disable UITour backend so there is no chance that a remote page can use it ***/
user_pref("browser.uitour.enabled", false); user_pref("browser.uitour.enabled", false);
user_pref("browser.uitour.url", ""); // Defense-in-depth user_pref("browser.uitour.url", ""); // Defense-in-depth
@ -603,14 +611,15 @@ user_pref("network.IDN_show_punycode", true);
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/ * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/
user_pref("pdfjs.disabled", false); // [DEFAULT: false] user_pref("pdfjs.disabled", false); // [DEFAULT: false]
user_pref("pdfjs.enableScripting", false); // [FF86+] user_pref("pdfjs.enableScripting", false); // [FF86+]
/* 2623: disable permissions delegation [FF73+]
* Currently applies to cross-origin geolocation, camera, mic and screen-sharing
* permissions, and fullscreen requests. Disabling delegation means any prompts
* for these will show/use their correct 3rd party origin
* [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/
user_pref("permissions.delegation.enabled", false);
/* 2624: disable middle click on new tab button opening URLs or searches using clipboard [FF115+] */ /* 2624: disable middle click on new tab button opening URLs or searches using clipboard [FF115+] */
user_pref("browser.tabs.searchclipboardfor.middleclick", false); // [DEFAULT: false NON-LINUX] user_pref("browser.tabs.searchclipboardfor.middleclick", false); // [DEFAULT: false NON-LINUX]
/* 2630: disable content analysis by DLP (Data Loss Prevention) agents
* DLP agents are background processes on managed computers that allow enterprises to monitor locally running
* applications for data exfiltration events, which they can allow/block based on customer defined DLP policies.
* 0=Block all requests, 1=Warn on all requests (which lets the user decide), 2=Allow all requests
* [1] https://github.com/chromium/content_analysis_sdk */
user_pref("browser.contentanalysis.enabled", false); // [FF121+] [DEFAULT: false]
user_pref("browser.contentanalysis.default_result", 0); // [FF127+] [DEFAULT: 0]
/** DOWNLOADS ***/ /** DOWNLOADS ***/
/* 2651: enable user interaction for security by always asking where to download /* 2651: enable user interaction for security by always asking where to download
@ -622,13 +631,13 @@ user_pref("browser.download.manager.addToRecentDocs", false);
user_pref("browser.download.always_ask_before_handling_new_types", true); user_pref("browser.download.always_ask_before_handling_new_types", true);
/** EXTENSIONS ***/ /** EXTENSIONS ***/
/* 2660: lock down allowed extension directories /* 2660: limit allowed extension directories
* [SETUP-CHROME] This will break extensions, language packs, themes and any other * 1=profile, 2=user, 4=application, 8=system, 16=temporary, 31=all
* XPI files which are installed outside of profile and application directories * The pref value represents the sum: e.g. 5 would be profile and application directories
* [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/ * [SETUP-CHROME] Breaks usage of files which are installed outside allowed directories
* [1] https://archive.is/DYjAM (archived) ***/ * [1] https://archive.is/DYjAM ***/
user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF] user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF]
user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15] // user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
/* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+] /* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+]
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
// user_pref("extensions.webextensions.restrictedDomains", ""); // user_pref("extensions.webextensions.restrictedDomains", "");
@ -640,86 +649,132 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin
* Opener and redirect heuristics are granted for 30 days, see [3] * Opener and redirect heuristics are granted for 30 days, see [3]
* [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/ * [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/
* [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12 * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12
* [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/ * [3] https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/
// user_pref("privacy.antitracking.enableWebcompat", false); // user_pref("privacy.antitracking.enableWebcompat", false);
/* 2710: enable state partitioning of service workers [FF96+] ***/
user_pref("privacy.partition.serviceWorkers", true); // [DEFAULT: true FF105+]
/* 2720: enable APS (Always Partitioning Storage) ***/
user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", true); // [FF104+] [DEFAULT: true FF109+]
user_pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false); // [FF105+] [DEFAULT: false FF109+]
/*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/ /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/
user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
/* 2810: enable Thunderbird to clear items on shutdown ***/ /* 2810: enable Thunderbird to clear items on shutdown
* [NOTE] In FF129+ clearing "siteSettings" on shutdown (2811), or manually via site data (2820) and
* via history (2830), will no longer remove sanitize on shutdown "cookie and site data" site exceptions (2815) ***/
user_pref("privacy.sanitize.sanitizeOnShutdown", true); user_pref("privacy.sanitize.sanitizeOnShutdown", true);
/** SANITIZE ON SHUTDOWN: IGNORES "ALLOW" SITE EXCEPTIONS ***/ /** SANITIZE ON SHUTDOWN: IGNORES "ALLOW" SITE EXCEPTIONS | v2 migration is FF128+ ***/
/* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME] /* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME]
* [NOTE] If "history" is true, downloads will also be cleared * [NOTE] If "history" is true, downloads will also be cleared ***/
* [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies
* [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/
user_pref("privacy.clearOnShutdown.cache", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.cache", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown_v2.cache", true); // [FF128+] [DEFAULT: true]
user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.formdata", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.formdata", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.history", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.history", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.sessions", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", true); // [FF128+] [DEFAULT: true]
// user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false] // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false]
// user_pref("privacy.clearOnShutdown_v2.siteSettings", false); // [FF128+] [DEFAULT: false]
/* 2812: set Session Restore to clear on shutdown (if 2810 is true) [FF34+] /* 2812: set Session Restore to clear on shutdown (if 2810 is true) [FF34+]
* [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811) * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811)
* [NOTE] If true, this prevents resuming from crashes (also see 5008) ***/ * [NOTE] If true, this prevents resuming from crashes (also see 5008) ***/
// user_pref("privacy.clearOnShutdown.openWindows", true); // user_pref("privacy.clearOnShutdown.openWindows", true);
/** SANITIZE ON SHUTDOWN: RESPECTS "ALLOW" SITE EXCEPTIONS FF103+ ***/ /** SANITIZE ON SHUTDOWN: RESPECTS "ALLOW" SITE EXCEPTIONS FF103+ | v2 migration is FF128+ ***/
/* 2815: set "Cookies" and "Site Data" to clear on shutdown (if 2810 is true) [SETUP-CHROME] /* 2815: set "Cookies" and "Site Data" to clear on shutdown (if 2810 is true) [SETUP-CHROME]
* [NOTE] Exceptions: A "cookie" block permission also controls "offlineApps" (see note below). * [NOTE] Exceptions: A "cookie" permission also controls "offlineApps" (see note below). For cross-domain logins,
* serviceWorkers require an "Allow" permission. For cross-domain logins, add exceptions for * add exceptions for both sites e.g. https://www.youtube.com (site) + https://accounts.google.com (single sign on)
* both sites e.g. https://www.youtube.com (site) + https://accounts.google.com (single sign on)
* [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache) * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
* [NOTE] "sessions": Active Logins (has no site exceptions): refers to HTTP Basic Authentication [1], not logins via cookies
* [WARNING] Be selective with what sites you "Allow", as they also disable partitioning (1767271) * [WARNING] Be selective with what sites you "Allow", as they also disable partitioning (1767271)
* [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow (when on the website in question) * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow (when on the website in question)
* [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/ * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings
* [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/
user_pref("privacy.clearOnShutdown.cookies", true); // Cookies user_pref("privacy.clearOnShutdown.cookies", true); // Cookies
user_pref("privacy.clearOnShutdown.offlineApps", true); // Site Data user_pref("privacy.clearOnShutdown.offlineApps", true); // Site Data
user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins [DEFAULT: true]
user_pref("privacy.clearOnShutdown_v2.cookiesAndStorage", true); // Cookies, Site Data, Active Logins [FF128+]
/** SANITIZE MANUAL: IGNORES "ALLOW" SITE EXCEPTIONS ***/ /** SANITIZE SITE DATA: IGNORES "ALLOW" SITE EXCEPTIONS ***/
/* 2820: reset default items to clear with Ctrl-Shift-Del [SETUP-CHROME] /* 2820: set manual "Clear Data" items [SETUP-CHROME] [FF128+]
* This dialog can also be accessed from the menu History>Clear Recent History * Thunderbird remembers your last choices. This will reset them when you start Thunderbird
* [SETTING] Privacy & Security>Browser Privacy>Cookies and Site Data>Clear Data ***/
user_pref("privacy.clearSiteData.cache", true);
user_pref("privacy.clearSiteData.cookiesAndStorage", false); // keep false until it respects "allow" site exceptions
user_pref("privacy.clearSiteData.historyFormDataAndDownloads", true);
// user_pref("privacy.clearSiteData.siteSettings", false);
/** SANITIZE HISTORY: IGNORES "ALLOW" SITE EXCEPTIONS | clearHistory migration is FF128+ ***/
/* 2830: set manual "Clear History" items, also via Ctrl-Shift-Del [SETUP-CHROME]
* Thunderbird remembers your last choices. This will reset them when you start Thunderbird * Thunderbird remembers your last choices. This will reset them when you start Thunderbird
* [NOTE] Regardless of what you set "downloads" to, as soon as the dialog * [NOTE] Regardless of what you set "downloads" to, as soon as the dialog
* for "Clear Recent History" is opened, it is synced to the same as "history" ***/ * for "Clear Recent History" is opened, it is synced to the same as "history" ***/
user_pref("privacy.cpd.cache", true); // [DEFAULT: true] user_pref("privacy.cpd.cache", true); // [DEFAULT: true]
user_pref("privacy.clearHistory.cache", true);
user_pref("privacy.cpd.formdata", true); // [DEFAULT: true] user_pref("privacy.cpd.formdata", true); // [DEFAULT: true]
user_pref("privacy.cpd.history", true); // [DEFAULT: true] user_pref("privacy.cpd.history", true); // [DEFAULT: true]
// user_pref("privacy.cpd.downloads", true); // not used, see note above
user_pref("privacy.clearHistory.historyFormDataAndDownloads", true);
user_pref("privacy.cpd.cookies", false);
user_pref("privacy.cpd.sessions", true); // [DEFAULT: true] user_pref("privacy.cpd.sessions", true); // [DEFAULT: true]
user_pref("privacy.cpd.offlineApps", true); // [DEFAULT: false] user_pref("privacy.cpd.offlineApps", true); // [DEFAULT: false]
user_pref("privacy.cpd.cookies", true); user_pref("privacy.clearHistory.cookiesAndStorage", false);
// user_pref("privacy.cpd.downloads", true); // not used, see note above
// user_pref("privacy.cpd.openWindows", false); // Session Restore // user_pref("privacy.cpd.openWindows", false); // Session Restore
// user_pref("privacy.cpd.passwords", false); // user_pref("privacy.cpd.passwords", false);
// user_pref("privacy.cpd.siteSettings", false); // user_pref("privacy.cpd.siteSettings", false);
/* 2822: reset default "Time range to clear" for "Clear Recent History" (2820) // user_pref("privacy.clearHistory.siteSettings", false);
/** SANITIZE MANUAL: TIMERANGE ***/
/* 2840: set "Time range to clear" for "Clear Data" (2820) and "Clear History" (2830)
* Thunderbird remembers your last choice. This will reset the value when you start Thunderbird * Thunderbird remembers your last choice. This will reset the value when you start Thunderbird
* 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today * 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today
* [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown, * [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown,
* which will display a blank value, and are not guaranteed to work ***/ * which will display a blank value, and are not guaranteed to work ***/
user_pref("privacy.sanitize.timeSpan", 0); user_pref("privacy.sanitize.timeSpan", 0);
/*** [SECTION 4500]: RFP (RESIST FINGERPRINTING) /*** [SECTION 4000]: FPP (fingerprintingProtection)
RFP covers a wide range of ongoing fingerprinting solutions. RFP (4501) overrides FPP
It is an all-or-nothing buy in: you cannot pick and choose what parts you want In FF118+ FPP is on by default in private windows (4001) and in FF119+ is controlled
by ETP (2701). FPP will also use Remote Services in future to relax FPP protections
on a per site basis for compatibility (4004).
https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargetsDefault.inc
1826408 - restrict fonts to system (kBaseFonts + kLangPackFonts) (Windows, Mac, some Linux)
https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc
1858181 - subtly randomize canvas per eTLD+1, per session and per window-mode (FF120+)
***/
user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!");
/* 4001: enable FPP in PB mode [FF114+]
* [NOTE] In FF119+, FPP for all modes (7016) is enabled with ETP Strict (2701) ***/
// user_pref("privacy.fingerprintingProtection.pbmode", true); // [DEFAULT: true FF118+]
/* 4002: set global FPP overrides [FF114+]
* uses "RFPTargets" [1] which despite the name these are not used by RFP
* e.g. "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC" = all targets but allow prefers-color-scheme and do not change timezone
* e.g. "-AllTargets,+CanvasRandomization,+JSDateTimeUTC" = no targets but do use FPP canvas and change timezone
* [NOTE] Not supported by arkenfox. Either use RFP or FPP at defaults
* [WARNING] Not recommended. Either use RFP or FPP at defaults
* [1] https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc ***/
// user_pref("privacy.fingerprintingProtection.overrides", "");
/* 4003: set granular FPP overrides
* JSON format: e.g."[{\"firstPartyDomain\": \"netflix.com\", \"overrides\": \"-CanvasRandomization,-FrameRate,\"}]"
* [NOTE] Not supported by arkenfox. Either use RFP or FPP at defaults ***/
// user_pref("privacy.fingerprintingProtection.granularOverrides", "");
/* 4004: disable remote FPP overrides [FF127+] ***/
// user_pref("privacy.fingerprintingProtection.remoteOverrides.enabled", false);
/*** [SECTION 4500]: OPTIONAL RFP (resistFingerprinting)
RFP overrides FPP (4000)
FF128+ Arkenfox by default uses FPP (automatically enabled with ETP Strict). For most people
this is all you need. To use RFP instead, add RFP (4501) to your overrides, and optionally
add letterboxing (4504), spoof_english (4506), and webgl (4520).
RFP is an all-or-nothing buy in: you cannot pick and choose what parts you want
[TEST] https://arkenfox.github.io/TZP/tzp.html [TEST] https://arkenfox.github.io/TZP/tzp.html
[WARNING] DO NOT USE extensions to alter RFP protected metrics [WARNING] DO NOT USE extensions to alter RFP protected metrics
418986 - limit window.screen & CSS media queries (FF41) 418986 - limit window.screen & CSS media queries (FF41)
1281949 - spoof screen orientation (FF50) 1281949 - spoof screen orientation (FF50)
1330890 - spoof timezone as UTC0 (FF55)
1360039 - spoof navigator.hardwareConcurrency as 2 (FF55) 1360039 - spoof navigator.hardwareConcurrency as 2 (FF55)
1217238 - reduce precision of time exposed by javascript (FF55) 1217238 - reduce precision of time exposed by javascript (FF55)
FF56 FF56
1369303 - spoof/disable performance API
1333651 - spoof User Agent & Navigator API 1333651 - spoof User Agent & Navigator API
version: android version spoofed as ESR version: android version spoofed as ESR (FF119 or lower)
OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android
1369319 - disable device sensor API 1369319 - disable device sensor API
1369357 - disable site specific zoom 1369357 - disable site specific zoom
@ -730,13 +785,12 @@ user_pref("privacy.sanitize.timeSpan", 0);
1369309 - spoof media statistics 1369309 - spoof media statistics
1382499 - reduce screen co-ordinate fingerprinting in Touch API 1382499 - reduce screen co-ordinate fingerprinting in Touch API
1217290 & 1409677 - enable some fingerprinting resistance for WebGL 1217290 & 1409677 - enable some fingerprinting resistance for WebGL
1382545 - reduce fingerprinting in Animation API
1354633 - limit MediaError.message to a whitelist 1354633 - limit MediaError.message to a whitelist
FF58+ FF58+
1372073 - spoof/block fingerprinting in MediaDevices API (FF59) 1372073 - spoof/block fingerprinting in MediaDevices API (FF59)
Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone" Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone"
Block: suppresses the ondevicechange event Block: suppresses the ondevicechange event
1039069 - warn when language prefs are not set to "en*" (also see 0210, 0211) (FF59) 1039069 - warn when language prefs are not set to "en*" (FF59)
1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59) 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59)
Spoofing mimics the content language of the document. Currently it only supports en-US. Spoofing mimics the content language of the document. Currently it only supports en-US.
Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected. Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected.
@ -755,20 +809,22 @@ user_pref("privacy.sanitize.timeSpan", 0);
1653987 - limit font visibility to bundled and "Base Fonts" (Windows, Mac, some Linux) (FF80) 1653987 - limit font visibility to bundled and "Base Fonts" (Windows, Mac, some Linux) (FF80)
1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82) 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82)
531915 - use fdlibm's sin, cos and tan in jsmath (FF93, ESR91.1) 531915 - use fdlibm's sin, cos and tan in jsmath (FF93, ESR91.1)
1756280 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF100) 1756280 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF100-115)
1692609 - reduce JS timing precision to 16.67ms (previously FF55+ was 100ms) (FF102) 1692609 - reduce JS timing precision to 16.67ms (previously FF55+ was 100ms) (FF102)
1422237 - return "srgb" with color-gamut (FF110) 1422237 - return "srgb" with color-gamut (FF110)
1794628 - return "none" with inverted-colors (FF114) 1794628 - return "none" with inverted-colors (FF114)
1554751 - return devicePixelRatio as 2 (previously FF41+ was 1) (FF127)
1787790 - normalize system fonts (FF128)
1835987 - spoof timezone as Atlantic/Reykjavik (previously FF55+ was UTC) (FF128)
***/ ***/
user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
/* 4501: enable privacy.resistFingerprinting /* 4501: enable RFP
* [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a site exception via the urlbar
* RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme
* [NOTE] pbmode applies if true and the original pref is false * [NOTE] pbmode applies if true and the original pref is false
* [1] https://bugzilla.mozilla.org/418986 ***/ * [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a canvas site exception via the urlbar.
user_pref("privacy.resistFingerprinting", true); // [FF41+] * RFP also has a few side effects: mainly that timezone is GMT, and websites will prefer light theme ***/
// user_pref("privacy.resistFingerprinting", true); // [FF41+]
// user_pref("privacy.resistFingerprinting.pbmode", true); // [FF114+] // user_pref("privacy.resistFingerprinting.pbmode", true); // [FF114+]
/* 4502: set new window size rounding max values [FF55+] /* 4502: set RFP new window size max rounded values [FF55+]
* [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to 100s, to fit your screen * [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to 100s, to fit your screen
* [1] https://bugzilla.mozilla.org/1330882 ***/ * [1] https://bugzilla.mozilla.org/1330882 ***/
user_pref("privacy.window.maxInnerWidth", 1600); user_pref("privacy.window.maxInnerWidth", 1600);
@ -776,8 +832,8 @@ user_pref("privacy.window.maxInnerHeight", 900);
/* 4503: disable mozAddonManager Web API [FF57+] /* 4503: disable mozAddonManager Web API [FF57+]
* [NOTE] To allow extensions to work on AMO, you also need 2662 and 4505 * [NOTE] To allow extensions to work on AMO, you also need 2662 and 4505
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF FF57-108] user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
/* 4504: enable RFP letterboxing [FF67+] /* 4504: enable letterboxing [FF67+]
* Dynamically resizes the inner window by applying margins in stepped ranges [2] * Dynamically resizes the inner window by applying margins in stepped ranges [2]
* If you use the dimension pref, then it will only apply those resolutions. * If you use the dimension pref, then it will only apply those resolutions.
* The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000") * The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000")
@ -786,24 +842,19 @@ user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDE
* [WARNING] DO NOT USE: the dimension pref is only meant for testing * [WARNING] DO NOT USE: the dimension pref is only meant for testing
* [1] https://bugzilla.mozilla.org/1407366 * [1] https://bugzilla.mozilla.org/1407366
* [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/ * [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/
user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] // user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
// user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF] // user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF]
/* 4505: experimental RFP [FF91+] /* 4505: disable RFP by domain (comma-separated) [FF91+] ***/
* List of domains exempted from RFP (comma-separated).
* [WARNING] DO NOT USE unless testing, see [1] comment 12
* [1] https://bugzilla.mozilla.org/1635603 ***/
// user_pref("privacy.resistFingerprinting.exemptedDomains", "addons.thunderbird.net"); // user_pref("privacy.resistFingerprinting.exemptedDomains", "addons.thunderbird.net");
/* 4506: set RFP's font visibility level (1402) [FF94+] ***/ /* 4506: disable RFP spoof english prompt [FF59+]
// user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1] * 0=prompt, 1=disabled, 2=enabled
* [NOTE] When changing from value 2, preferred languages ('intl.accept_languages') is not reset.
* [SETUP-WEB] when enabled, sets 'en-US, en' for displaying pages and 'en-US' as locale.
* [SETTING] General>Language>Choose your preferred language for displaying pages>Choose>Request English... ***/
user_pref("privacy.spoof_english", 1);
/* 4510: disable using system colors /* 4510: disable using system colors
* [SETTING] General > Language and Appearance > Fonts and Colors > Colors... > Use system colors ***/ * [SETTING] General > Language and Appearance > Fonts and Colors > Colors... > Use system colors ***/
user_pref("browser.display.use_system_colors", false); // [DEFAULT: false NON-WINDOWS] user_pref("browser.display.use_system_colors", false); // [DEFAULT: false NON-WINDOWS]
/* 4511: enforce non-native widget theme
* Security: removes/reduces system API calls, e.g. win32k API [1]
* Fingerprinting: provides a uniform look and feel across platforms [2]
* [1] https://bugzilla.mozilla.org/1381938
* [2] https://bugzilla.mozilla.org/1411425 ***/
user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true]
/* 4512: enforce links targeting new windows to open in a new tab instead /* 4512: enforce links targeting new windows to open in a new tab instead
* 1=most recent window or tab, 2=new window, 3=new tab * 1=most recent window or tab, 2=new window, 3=new tab
* Stops malicious window sizes and some screen resolution leaks. * Stops malicious window sizes and some screen resolution leaks.
@ -818,8 +869,7 @@ user_pref("browser.link.open_newwindow", 3); // [DEFAULT: 3]
* [1] https://searchfox.org/mozilla-central/source/dom/tests/browser/browser_test_new_window_from_content.js * [1] https://searchfox.org/mozilla-central/source/dom/tests/browser/browser_test_new_window_from_content.js
* [2] https://searchfox.org/comm-esr102/source/mail/app/profile/all-thunderbird.js#730 ***/ * [2] https://searchfox.org/comm-esr102/source/mail/app/profile/all-thunderbird.js#730 ***/
user_pref("browser.link.open_newwindow.restriction", 0); user_pref("browser.link.open_newwindow.restriction", 0);
/* 4520: disable WebGL (Web Graphics Library) /* 4520: disable WebGL (Web Graphics Library) ***/
* [SETUP-WEB] If you need it then override it. RFP still randomizes canvas for naive scripts ***/
user_pref("webgl.disabled", true); user_pref("webgl.disabled", true);
/*** [SECTION 5000]: OPTIONAL OPSEC /*** [SECTION 5000]: OPTIONAL OPSEC
@ -866,6 +916,26 @@ user_pref("browser.sessionstore.max_tabs_undo", 0);
* Application data isolation [1] * Application data isolation [1]
* [1] https://bugzilla.mozilla.org/1281959 ***/ * [1] https://bugzilla.mozilla.org/1281959 ***/
// user_pref("browser.download.forbid_open_with", true); // user_pref("browser.download.forbid_open_with", true);
/* 5010: disable location bar suggestion types ***/
user_pref("browser.urlbar.suggest.history", false);
user_pref("browser.urlbar.suggest.bookmark", false);
user_pref("browser.urlbar.suggest.openpage", false);
user_pref("browser.urlbar.suggest.topsites", false); // [FF78+]
/* 5011: disable location bar dropdown
* This value controls the total number of entries to appear in the location bar dropdown ***/
user_pref("browser.urlbar.maxRichResults", 0);
/* 5012: disable location bar autofill
* [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/
user_pref("browser.urlbar.autoFill", false);
/* 5013: disable browsing and download history
* [NOTE] We also clear history and downloads on exit (2811)
* [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/
user_pref("places.history.enabled", false);
/* 5014: disable Windows jumplist [WINDOWS] ***/
user_pref("browser.taskbar.lists.enabled", false);
user_pref("browser.taskbar.lists.frequent.enabled", false);
user_pref("browser.taskbar.lists.recent.enabled", false);
user_pref("browser.taskbar.lists.tasks.enabled", false);
/* 5013: disable browsing and download history /* 5013: disable browsing and download history
* [NOTE] We also clear history and downloads on exit (2811) ***/ * [NOTE] We also clear history and downloads on exit (2811) ***/
user_pref("places.history.enabled", false); user_pref("places.history.enabled", false);
@ -911,7 +981,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
* [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js * [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js
* [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ * [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
user_pref("javascript.options.asmjs", false); user_pref("javascript.options.asmjs", false);
/* 5505: disable Ion and baseline JIT to harden against JS exploits /* 5505: disable Ion and baseline JIT to harden against JS exploits [RESTART]
* [NOTE] When both Ion and JIT are disabled, and trustedprincipals * [NOTE] When both Ion and JIT are disabled, and trustedprincipals
* is enabled, then Ion can still be used by extensions (1599226) * is enabled, then Ion can still be used by extensions (1599226)
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit
@ -923,7 +993,7 @@ user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN
* Vulnerabilities [1] have increasingly been found, including those known and fixed * Vulnerabilities [1] have increasingly been found, including those known and fixed
* in native programs years ago [2]. WASM has powerful low-level access, making * in native programs years ago [2]. WASM has powerful low-level access, making
* certain attacks (brute-force) and vulnerabilities more possible * certain attacks (brute-force) and vulnerabilities more possible
* [STATS] ~0.2% of websites, about half of which are for crytomining / malvertising [2][3] * [STATS] ~0.2% of websites, about half of which are for cryptomining / malvertising [2][3]
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wasm * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wasm
* [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly * [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
* [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/ * [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
@ -939,8 +1009,8 @@ user_pref("browser.eme.ui.enabled", false);
/* 5509: disable IPv6 if using a VPN /* 5509: disable IPv6 if using a VPN
* This is an application level fallback. Disabling IPv6 is best done at an OS/network * This is an application level fallback. Disabling IPv6 is best done at an OS/network
* level, and/or configured properly in system wide VPN setups. * level, and/or configured properly in system wide VPN setups.
* If you see PR_CONNECT_RESET_ERROR, this pref *might* be the cause
* [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
* [SETUP-WEB] PR_CONNECT_RESET_ERROR
* [TEST] https://ipleak.org/ * [TEST] https://ipleak.org/
* [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/ * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/
// user_pref("network.dns.disableIPv6", true); // user_pref("network.dns.disableIPv6", true);
@ -948,6 +1018,11 @@ user_pref("browser.eme.ui.enabled", false);
* 0=always (default), 1=only if base domains match, 2=only if hosts match * 0=always (default), 1=only if base domains match, 2=only if hosts match
* [NOTE] Will cause breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram ***/ * [NOTE] Will cause breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram ***/
user_pref("network.http.referer.XOriginPolicy", 2); user_pref("network.http.referer.XOriginPolicy", 2);
/* 5511: set DoH bootstrap address [FF89+]
* Thunderbird uses the system DNS to initially resolve the IP address of your DoH server.
* When set to a valid, working value that matches your "network.trr.uri" (0712) Thunderbird
* won't use the system DNS. If the IP doesn't match then DoH won't work ***/
// user_pref("network.trr.bootstrapAddr", "10.0.0.1"); // [HIDDEN PREF]
/* 5590: show a prompt when opening a link in external applications ***/ /* 5590: show a prompt when opening a link in external applications ***/
user_pref("security.external_protocol_requires_permission", true); user_pref("security.external_protocol_requires_permission", true);
@ -967,10 +1042,10 @@ user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000]
* [WARNING] Replaced with network partitioning (FF85+) and TCP (2701), and enabling FPI * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701), and enabling FPI
* disables those. FPI is no longer maintained except at Tor Project for Tor Browser's config ***/ * disables those. FPI is no longer maintained except at Tor Project for Tor Browser's config ***/
user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false] user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false]
/* 6009: enforce SmartBlock shims [FF81+] /* 6009: enforce SmartBlock shims (about:compat) [FF81+]
* In FF96+ these are listed in about:compat * In FF96+ these are listed in about:compat
* [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/ * [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/
user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true] user_pref("extensions.webcompat.enable_shims", true); // [HIDDEN PREF] [DEFAULT: true]
/* 6010: enforce no TLS 1.0/1.1 downgrades /* 6010: enforce no TLS 1.0/1.1 downgrades
* [TEST] https://tls-v1-1.badssl.com:1010/ ***/ * [TEST] https://tls-v1-1.badssl.com:1010/ ***/
user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false] user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false]
@ -981,21 +1056,16 @@ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false]
/* 6012: enforce Quarantined Domains [FF115+] /* 6012: enforce Quarantined Domains [FF115+]
* [WHY] https://support.mozilla.org/kb/quarantined-domains */ * [WHY] https://support.mozilla.org/kb/quarantined-domains */
user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true] user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true]
/* 6050: prefsCleaner: reset previously active items removed from arkenfox FF102+ ***/ /* 6050: prefsCleaner: previously active items removed from arkenfox 115-127 ***/
// user_pref("beacon.enabled", ""); // user_pref("accessibility.force_disabled", "");
// user_pref("browser.region.network.url", ""); // user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", "");
// user_pref("browser.region.update.enabled", ""); // user_pref("geo.provider.network.url", "");
// user_pref("browser.ssl_override_behavior", ""); // user_pref("geo.provider.network.logging.enabled", "");
// user_pref("devtools.chrome.enabled", ""); // user_pref("geo.provider.use_gpsd", "");
// user_pref("dom.disable_beforeunload", "");
// user_pref("dom.disable_open_during_load", "");
// user_pref("extensions.formautofill.available", "");
// user_pref("extensions.formautofill.addresses.supported", "");
// user_pref("extensions.formautofill.creditCards.available", "");
// user_pref("extensions.formautofill.creditCards.supported", "");
// user_pref("middlemouse.contentLoadURL", "");
/* 6051: prefsCleaner: reset previously active items removed from arkenfox FF115+ ***/
// user_pref("network.protocol-handler.external.ms-windows-store", ""); // user_pref("network.protocol-handler.external.ms-windows-store", "");
// user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", "");
// user_pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", "");
// user_pref("privacy.partition.serviceWorkers", "");
/*** [SECTION 7000]: DON'T BOTHER /*** [SECTION 7000]: DON'T BOTHER
Thunderbird-User.JS maintainer here : Thunderbird-User.JS maintainer here :
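Review bot: The merged 6050 list drops every entry of the former FF102+ list (`beacon.enabled` through `middlemouse.contentLoadURL`) and keeps only the 115-127 removals. A profile that jumps from a 102-based release straight to this one would therefore never have those older prefs reset. This assumes prefsCleaner resets only what the file lists, which cannot be confirmed because the script is not shown here. If so, values written by the old template would stay in prefs.js with no sign that they are unmanaged. I would state the expected upgrade path in the heading, e.g. `/* 6050: prefsCleaner: previously active items removed from arkenfox 115-127 (older profiles: run the previous release's prefsCleaner first) ***/`.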
@ -1012,8 +1082,8 @@ user_pref("full-screen-api.enabled", false);
/* 7003: disable non-modern cipher suites [1] /* 7003: disable non-modern cipher suites [1]
* [WHY] Passive fingerprinting. Minimal/non-existent threat of downgrade attacks * [WHY] Passive fingerprinting. Minimal/non-existent threat of downgrade attacks
* [1] https://browserleaks.com/ssl ***/ * [1] https://browserleaks.com/ssl ***/
// user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // [DEFAULT: false FF109+] // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false);
// user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); // [DEFAULT: false FF109+] // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
// user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
// user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false); // user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false);
// user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS // user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS
@ -1065,12 +1135,14 @@ user_pref("dom.event.clipboardevents.enabled", false);
* [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict (2701) ***/ * [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict (2701) ***/
// user_pref("privacy.donottrackheader.enabled", true); // user_pref("privacy.donottrackheader.enabled", true);
/* 7016: customize ETP settings /* 7016: customize ETP settings
* [NOTE] FPP (fingerprintingProtection) is ignored when RFP (4501) is enabled
* [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/ * [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/
// user_pref("network.cookie.cookieBehavior", 5); // [DEFAULT: 5 FF103+] // user_pref("network.cookie.cookieBehavior", 5); // [DEFAULT: 5]
// user_pref("privacy.fingerprintingProtection", true); // [FF114+] [ETP FF119+]
// user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true); // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true);
// user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", true); // [FF100+] // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", true); // [FF100+]
// user_pref("privacy.partition.network_state.ocsp_cache", true); // user_pref("privacy.partition.network_state.ocsp_cache", true); // [DEFAULT: true FF123+]
// user_pref("privacy.query_stripping.enabled", true); // [FF101+] [ETP FF102+] // user_pref("privacy.query_stripping.enabled", true); // [FF101+]
// user_pref("privacy.trackingprotection.enabled", true); // user_pref("privacy.trackingprotection.enabled", true);
// user_pref("privacy.trackingprotection.socialtracking.enabled", true); // user_pref("privacy.trackingprotection.socialtracking.enabled", true);
// user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
@ -1078,13 +1150,12 @@ user_pref("dom.event.clipboardevents.enabled", false);
/* 7017: disable service workers /* 7017: disable service workers
* [WHY] Already isolated with TCP (2701) behind a pref (2710) ***/ * [WHY] Already isolated with TCP (2701) behind a pref (2710) ***/
// user_pref("dom.serviceWorkers.enabled", false); // user_pref("dom.serviceWorkers.enabled", false);
/* 7018: disable Web Notifications /* 7018: disable Web Notifications [FF22+]
* [WHY] Web Notifications are behind a prompt (7002) * [WHY] Web Notifications are behind a prompt (7002)
* [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/ ***/ * [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/ ***/
// user_pref("dom.webnotifications.enabled", false); // [FF22+] // user_pref("dom.webnotifications.enabled", false);
// user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
/* 7019: disable Push Notifications [FF44+] /* 7019: disable Push Notifications [FF44+]
* [WHY] Push requires subscription * [WHY] Website "push" requires subscription, and the API is required for CRLite (1224)
* [NOTE] To remove all subscriptions, reset "dom.push.userAgentID" * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID"
* [1] https://support.mozilla.org/kb/push-notifications-firefox ***/ * [1] https://support.mozilla.org/kb/push-notifications-firefox ***/
// user_pref("dom.push.enabled", false); // user_pref("dom.push.enabled", false);
@ -1095,6 +1166,10 @@ user_pref("dom.event.clipboardevents.enabled", false);
* [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ
* [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/ * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/
user_pref("media.peerconnection.enabled", false); user_pref("media.peerconnection.enabled", false);
/* 7021: enable GPC (Global Privacy Control) in non-PB windows
* [WHY] Passive and active fingerprinting. Mostly redundant with Tracking Protection
* in ETP Strict (2701) and sanitizing on close (2800s) ***/
// user_pref("privacy.globalprivacycontrol.enabled", true);
/*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING /*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING
[WHY] They are insufficient to help anti-fingerprinting and do more harm than good [WHY] They are insufficient to help anti-fingerprinting and do more harm than good
@ -1129,7 +1204,10 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan
/*** [SECTION 9000]: NON-PROJECT RELATED ***/ /*** [SECTION 9000]: NON-PROJECT RELATED ***/
user_pref("_user.js.parrot", "9000 syntax error: the parrot's cashed in 'is chips!"); user_pref("_user.js.parrot", "9000 syntax error: the parrot's cashed in 'is chips!");
/* 9001: disable welcome notices ***/ /* 9001: disable welcome notices ***/
user_pref("browser.startup.homepage_override.mstone", "ignore"); user_pref("browser.startup.homepage_override.mstone", "ignore"); // [HIDDEN PREF]
/* 9002: disable extensions/features recommendations as you browse [FF67+] ***/
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
/* 9090: disable return receipt sending unconditionally ***/ /* 9090: disable return receipt sending unconditionally ***/
// user_pref("mail.mdn.report.enabled", false); // user_pref("mail.mdn.report.enabled", false);
/* 9099: e-mail custom headers (examples) ***/ /* 9099: e-mail custom headers (examples) ***/
@ -1268,6 +1346,8 @@ user_pref("mail.sanitize_date_header", true);
/* 9210: Check spelling before sending /* 9210: Check spelling before sending
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=667133 ***/ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=667133 ***/
// user_pref("mail.SpellCheckBeforeSend", false); // user_pref("mail.SpellCheckBeforeSend", false);
/* 9211: Set dictionary to US ***/
user_pref("spellchecker.dictionary", "en-US");
/* 9212: Compose email in plaintext unless expressly overridden /* 9212: Compose email in plaintext unless expressly overridden
* Sometimes HTML is useful especially when used with Markdown Here * Sometimes HTML is useful especially when used with Markdown Here
* [SETTING] Account Settings > Composition & Addressing > Composition > Compose messages in HTML format * [SETTING] Account Settings > Composition & Addressing > Composition > Compose messages in HTML format
@ -1455,39 +1535,71 @@ user_pref("_user.js.parrot", "9400 syntax error: this parrot is talking in codes
* [1] https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Allow_the_use_of_external_GnuPG ***/ * [1] https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Allow_the_use_of_external_GnuPG ***/
user_pref("mail.openpgp.allow_external_gnupg", true); // [HIDDEN PREF] user_pref("mail.openpgp.allow_external_gnupg", true); // [HIDDEN PREF]
/*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED /*** [SECTION 9999]: DEPRECATED / RENAMED ***/
Documentation denoted as [-]. Items deprecated prior to FF91 have been archived at [1]
[1] https://github.com/arkenfox/user.js/issues/123
***/
user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!"); user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!");
/* ESR102.x still uses all the following prefs /* ESR115.x still uses all the following prefs
// [NOTE] replace the * with a slash in the line above to re-enable active ones // [NOTE] replace the * with a slash in the line above to re-enable active ones
// FF103 // FF116
// 2801: delete cookies and site data on exit - replaced by sanitizeOnShutdown* (2810) // 4506: set RFP's font visibility level (1402) [FF94+]
// 0=keep until they expire (default), 2=keep until you close Thunderbird // [-] https://bugzilla.mozilla.org/1838415
// [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1681493,1681495,1681498,1759665,1764761 // user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1]
user_pref("network.cookie.lifetimePolicy", 2); // FF117
// 6012: disable SHA-1 certificates // 1221: disable Windows Microsoft Family Safety cert [FF50+] [WINDOWS]
// [-] https://bugzilla.mozilla.org/1766687 // 0=disable detecting Family Safety mode and importing the root
// user_pref("security.pki.sha1_enforcement_level", 1); // [DEFAULT: 1] // 1=only attempt to detect Family Safety mode (don't import the root)
// FF114 // 2=detect Family Safety mode and import the root
// 2816: set cache to clear on exit [FF96+] // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686
// [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is more robust // [-] https://bugzilla.mozilla.org/1844908
// [1] https://bugzilla.mozilla.org/1671182 user_pref("security.family_safety.mode", 0);
// [-] https://bugzilla.mozilla.org/1821651 // 7018: disable service worker Web Notifications [FF44+]
// user_pref("privacy.clearsitedata.cache.enabled", true); // [WHY] Web Notifications are behind a prompt (7002)
// 4505: experimental RFP [FF91+] // [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/
// [-] https://bugzilla.mozilla.org/1824235 // [-] https://bugzilla.mozilla.org/1842457
// user_pref("privacy.resistFingerprinting.testGranularityMask", 0); // user_pref("dom.webnotifications.serviceworker.enabled", false);
// 5017: disable Form Autofill heuristics // FF118
// Heuristics controls Form Autofill on forms without @autocomplete attributes // 1402: limit font visibility (Windows, Mac, some Linux) [FF94+]
// [-] https://bugzilla.mozilla.org/1829670 // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
// user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] // In normal windows: uses the first applicable: RFP over TP over Standard
// FF115 // In Private Browsing windows: uses the most restrictive between normal and private
// 7001: disable offline cache (appCache) // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
// [NOTE] appCache storage capability was removed in FF90 // [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc
// [-] https://bugzilla.mozilla.org/1677718 // [-] https://bugzilla.mozilla.org/1847599
// user_pref("browser.cache.offline.enable", false); // user_pref("layout.css.font-visibility.private", 1);
// user_pref("layout.css.font-visibility.standard", 1);
// user_pref("layout.css.font-visibility.trackingprotection", 1);
// 2623: disable permissions delegation [FF73+]
// Currently applies to cross-origin geolocation, camera, mic and screen-sharing
// permissions, and fullscreen requests. Disabling delegation means any prompts
// for these will show/use their correct 3rd party origin
// [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion
// [-] https://bugzilla.mozilla.org/1697151
// user_pref("permissions.delegation.enabled", false);
// FF119
// 0211: use en-US locale regardless of the system or region locale
// [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1]
// [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630
// [-] https://bugzilla.mozilla.org/1846224
// user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
// FF123
// 0334: disable PingCentre telemetry (used in several System Add-ons) [FF57+]
// Defense-in-depth: currently covered by 0331
// [-] https://bugzilla.mozilla.org/1868988
user_pref("browser.ping-centre.telemetry", false);
// FF126
// 9003: disable What's New toolbar icon [FF69+]
// [-] https://bugzilla.mozilla.org/1724300
user_pref("browser.messaging-system.whatsNewPanel.enabled", false);
// FF127
// 2630: disable content analysis by DLP (Data Loss Prevention) agents - replaced by default_result
// [-] https://bugzilla.mozilla.org/1880314
user_pref("browser.contentanalysis.default_allow", false);
// 4511: enforce non-native widget theme
// Security: removes/reduces system API calls, e.g. win32k API [1]
// Fingerprinting: provides a uniform look and feel across platforms [2]
// [1] https://bugzilla.mozilla.org/1381938
// [2] https://bugzilla.mozilla.org/1411425
// [-] https://bugzilla.mozilla.org/1848899
user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true]
// ***/ // ***/
/* END: internal custom pref to test for syntax errors ***/ /* END: internal custom pref to test for syntax errors ***/