[CARDBOOK] Prefers encrypting locally cached cards

> See: <https://github.com/arkenfox/user.js/issues/323>

.eslintrc.yml

@@ -0,0 +1,45 @@
+%YAML 1.2
+---
+
+root: true
+
+extends: 'eslint:recommended'
+
+globals:
+  # From <https://searchfox.org/mozilla-central/rev/c938c7416c633639a5c8ce4412be586eefb48005/modules/libpref/parser/src/lib.rs#296>
+  pref: true
+  user_pref: true
+  sticky: true
+  locked: true
+  sticky_pref: true
+
+rules:
+  # Expect a semicolon after each statement.
+  semi:
+    - "error"
+    - "always"
+    -
+      omitLastInOneLineBlock: false
+
+  # As internal code style, don't allow tabulation.
+  no-tabs: "error"
+  # ... nor trailing spaces !
+  no-trailing-spaces: "error"
+
+  # Expect only double-quoted strings.
+  quotes:
+    - "error"
+    - "double"
+
+  # Don't allow whitespace before semicolons.
+  semi-spacing:
+    - "error"
+    -
+      before: false
+
+  # Don't allow irregular whitespace characters in our sheet.
+  no-irregular-whitespace:
+    - "error"
+    -
+      skipStrings: false
+      skipComments: false

.github/workflows/linting.yml

@@ -0,0 +1,17 @@
+---
+name: Linting
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    name: Run ESLint on user.js
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-node@v1
+
+      - run: npm install -g eslint
+      - run: eslint user.js

.travis.yml

@@ -1,8 +0,0 @@
-language: node_js
-node_js:
-  - 'node'
-
-before_script:
-  - npm install -g acorn
-script:
-  - acorn --silent user.js

README.md

@@ -35,6 +35,6 @@ Also be aware that this `user.js` is made specifically for Thunderbird and has o
 
 ### :blue_square: Related Projects
 
-* [~~CHEF-KOCH/TBCK~~](https://github.com/CHEF-KOCH/TBCK)
 * [Privacy Handbuch](https://www.privacy-handbuch.de/handbuch_31p.htm)
 * [Privacy Haters](http://r-36.net/scm/privacy-haters/file/README.md.html)
+* ~~CHEF-KOCH/TBCK~~

user.js

@@ -1,15 +1,14 @@
 /******
 * name: thunderbird user.js
 * date: 1 November 2020
-* version: v78-beta1
+* version: v78-beta4
 * authors: v52+ github | v51- www.ghacks.net
 * url: https://github.com/HorlogeSkynet/thunderbird-user.js
 * license: MIT (https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/LICENSE)
 * releases: https://github.com/HorlogeSkynet/thunderbird-user.js/releases
 
 * README:
-  0. Consider using Tor, use TorBirdy as well.
-    * https://addons.thunderbird.net/addon/torbirdy
+  0. Consider using Tor
   1. READ the full README
     * https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/README.md
   2. READ this
@@ -205,9 +204,9 @@ user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+]
  * [SETTING] Privacy & Security>Thunderbird Data Collection & Use>Allow Thunderbird to send backlogged crash reports  ***/
 user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [FF58+]
 /* 0370: disable UI instrumentation ***/
-user_pref("mail.instrumentation.postUrl", "")
-user_pref("mail.instrumentation.askUser", false)
-user_pref("mail.instrumentation.userOptedIn", false)
+user_pref("mail.instrumentation.postUrl", "");
+user_pref("mail.instrumentation.askUser", false);
+user_pref("mail.instrumentation.userOptedIn", false);
 /* 0390: disable Captive Portal detection
  * [1] https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy
  * [2] https://wiki.mozilla.org/Necko/CaptivePortal ***/
@@ -326,6 +325,9 @@ user_pref("network.http.speculative-parallel-limit", 0);
  * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/
 user_pref("browser.send_pings", false); // [DEFAULT: false]
 user_pref("browser.send_pings.require_same_host", true);
+/* 0610: don't refresh nor reload pages when tab/window is not active or in idle state
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=518805 ***/
+user_pref("browser.meta_refresh_when_inactive.disabled", true);
 
 /*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/
 user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!");
@@ -1407,9 +1409,6 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
 /* UX BEHAVIOR ***/
    // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux]
    // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
-/* UX FEATURES: disable and hide the icons and menus ***/
-   // user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New [FF69+]
-   // user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
 /* OTHER ***/
    // user_pref("network.manage-offline-status", false); // see bugzilla 620472
    // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
@@ -1447,39 +1446,47 @@ user_pref("mailnews.auto_config.addons_url","");
 user_pref("mail.provider.enabled", false);
 
 /** UI (User Interface) ***/
-/* 6003: Hide tab bar
+/* 6010: Hide tab bar
  * false=Hides the tab bar if there is only one tab. (default) ***/
 user_pref("mail.tabs.autoHide", true);
-/* 6004: Show full email instead of just name from address book
+/* 6011: Show full email instead of just name from address book
  * true=Show just the display name for people in the address book (default)
  * false=Show both the email address and display name. ***/
 user_pref("mail.showCondensedAddresses", false);
-/* 6010: Disable "Filelink for Large Attachments" feature
+/* 6012: Disable "Filelink for Large Attachments" feature
  * [1] https://support.thunderbird.net/kb/filelink-large-attachments ***/
 user_pref("mail.cloud_files.enabled", false);
 user_pref("mail.cloud_files.inserted_urls.footer.link", "");
-/* 6020: Don't hide cookies and passwords related (advanced?) buttons ***/
+/* 6013: Don't hide cookies and passwords related (advanced?) buttons ***/
 user_pref("pref.privacy.disable_button.view_cookies", false);
 user_pref("pref.privacy.disable_button.cookie_exceptions", false);
 user_pref("pref.privacy.disable_button.view_passwords", false);
+/* 6014: Prevent access to emails until the master password is entered
+ * If a master password has been set, Thunderbird will prevent access to locally available emails
+ * until the secret is provided.
+ * This preference MAY mitigate risk due to intimate relationship threat in some cases (see [2])...
+ * [WARNING] This DOES NOT encrypt locally cached emails anyhow (poor man's application security)
+ * [1] https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-master-password
+ * [2] https://www.schneier.com/wp-content/uploads/2020/06/Privacy_Threats_in_Intimate_Relationships-1.pdf ***/
+user_pref("mail.password_protect_local_cache", true);  // [HIDDEN PREF]
 
 /** HEADERS ***/
-/* 6004:
+/* 6020:
  * true=Show Sender header in message pane.
  * false=Does nothing. (default) ***/
 user_pref("mailnews.headers.showSender", true);
-/* 6005:
+/* 6021:
  * true=Show User Agent header in message pane
  * false=Does nothing. (default) ***/
 user_pref("mailnews.headers.showUserAgent", false);
-/* 6006: Hello argument
+/* 6022: Hello argument
  * Lets you replace your IP address with the specified string in Received: headers when your
  * IP address is not a "fully qualified domain name" (FQDN). Typically you only need to do this
  * when you have a NAT box to prevent it from using the NAT boxes IP address.
  * If you don't set it to something in your SMTP server's domain it may increase your spam
  * score. ***/
 user_pref("mail.smtpserver.default.hello_argument", "[127.0.0.1]");
-/* 6007: Displayed dates and times
+/* 6023: Displayed dates and times
  * [SETUP-INSTALL] When your e-mail program displays the e-mail's date and time, it normally
  * converts them to your time zone. If your computer's time zone settings are wrong, then you will
  * see the wrong time (and possibly the wrong date).
@@ -1490,9 +1497,9 @@ user_pref("mail.smtpserver.default.hello_argument", "[127.0.0.1]");
  * [2] http://wiki.cacert.org/ThunderBirdAdvancedConfig
  * ***/
 user_pref("mailnews.display.original_date", false);
-/* 6008: Display the sender's Timezone when set to true ***/
+/* 6024: Display the sender's Timezone when set to true ***/
 user_pref("mailnews.display.date_senders_timezone", false);
-/* 6009: Display Time Date based on Received Header
+/* 6025: Display Time Date based on Received Header
  * Thunderbird shows the time when the message was sent, according to the sender. It is possible
  * to make Thunderbird show the time when the message arrived on your mail server, based on the
  * "Received" header. Set the following preference. New messages will show the time the message
@@ -1500,11 +1507,23 @@ user_pref("mailnews.display.date_senders_timezone", false);
    // user_pref("mailnews.use_received_date", true);
 
 /** ADDRESS BOOK ***/
-/* 6007: Address book collection
- * [SETUP-FEATURE] Disable address book email collection
- * Consider using https://addons.thunderbird.net/addon/cardbook instead ***/
+/* 6030: Address book collection [SETUP-FEATURE]
+ * Disable Thunderbird internal address book email collection
+ * Consider using CardBook extension instead (https://addons.thunderbird.net/addon/cardbook/)
+ * [SETTING] Preferences>Composition>Addressing>Automatically add outgoing e-mail addresses...
+ * [SETTING][CARDBOOK] CardBook>Preferences>Email>Collect Outgoing Email ***/
 user_pref("mail.collect_addressbook", "");  // [DEFAULT: "jsaddrbook://history.sqlite"]
 user_pref("mail.collect_email_address_outgoing", false);
+/* 6031: Only use email addresses, without their Display Names [CARDBOOK] [SETUP-FEATURE]
+ * By default, CardBook extension incorporates contacts display names in addresses fields.
+ * This could leak sensitive information to all recipients.
+ * [SETTING][CARDBOOK] CardBook>Preferences>Email>Sending Emails>Only use email addresses... ***/
+user_pref("extensions.cardbook.useOnlyEmail", true);
+/* 6032: Encrypt locally cached cards [CARDBOOK]
+ * CardBook uses a regular IndexDB to locally cache cards (unencrypted by default).
+ * [SETTING][CARDBOOK] CardBook>Preferences>Advanced>Encryption>Encrypt locally cached cards
+ * [1] https://cardbook.icu/forum/forums/topic/clear-and-easy-storage-and-backup-of-cardbook/#post-2079 ***/
+user_pref("extensions.cardbook.localDataEncryption", true);
 
 /*** [SECTION 6100]: EMAIL COMPOSITION (ENCODING / FORMAT / VIEW)
    Options that relate to composition, formatting and viewing email
@@ -1526,19 +1545,30 @@ user_pref("mailnews.send_default_charset", "UTF-8");
 /* 6104: Forces encoding in reply to be the default charset
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=234958#c2 ***/
 user_pref("mailnews.reply_in_default_charset", true);
+/* 6105: Avoid information leakage in reply header
+ * Reply header may contain sensitive information about system locale (date and/or language)
+ * 0=no header
+ * 1="<author> wrote:" (see `reply_header_authorwrotesingle` below)
+ * 2="On <date> <author> wrote:" (see `reply_header_ondateauthorwrote` below [DEFAULT])
+ * 3="<author> wrote On <date>:" (see `reply_header_authorwroteondate` below`)
+ * 4=user specified (you may use below tokens to forge your own format [DISCOURAGED]) ***/
+user_pref("mailnews.reply_header_type", 1);
+user_pref("mailnews.reply_header_authorwrotesingle", "#1 wrote:");
+   // user_pref("mailnews.reply_header_ondateauthorwrote", "On #2 #3, #1 wrote:");
+   // user_pref("mailnews.reply_header_authorwroteondate", "#1 wrote on #2 #3:");
 
 /** COMPOSITION ***/
-/* 6105: Check spelling before sending [SETUP-FEATURE]
+/* 6110: Check spelling before sending [SETUP-FEATURE]
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=667133 ***/
 user_pref("mail.SpellCheckBeforeSend", false);
-/* 6106: Behavior when sending HTML message [SETUP-FEATURE]
+/* 6111: Behavior when sending HTML message [SETUP-FEATURE]
  * (0=Ask, 1=Send as plain text, 2=Send as HTML anyway,
  * 3=Include both plain text and HTML message bodies in message)
  * Email that is HTML should also have plaintext multipart for plain text users.
  * [1] https://drewdevault.com/2016/04/11/Please-use-text-plain-for-emails.html
  * [SETTING] Edit > Preferences > Send Options > Send the message in both plain text and HTML ***/
 user_pref("mail.default_html_action", 1);
-/* 6107: Send email in plaintext unless expressly overridden.
+/* 6112: Send email in plaintext unless expressly overridden.
  * [SETUP-FEATURE] Sometimes HTML is useful especially when used with Markdown Here
  * [NOTE] Holding down shift when you click on "Write" will bypass
  * [1] http://kb.mozillazine.org/Plain_text_e-mail_%28Thunderbird%29
@@ -1546,18 +1576,18 @@ user_pref("mail.default_html_action", 1);
  * [3] https://markdown-here.com ***/
 user_pref("mail.html_compose", false);
 user_pref("mail.identity.default.compose_html", false);
-/* 6108: Downgrade email to plaintext by default
+/* 6113: Downgrade email to plaintext by default
  * [SETUP-FEATURE] Only use HTML email if you need it, see above
  * [SETTING] Edit > Preferences > Composition > Send Options > Send messages as plain-text if possible ***/
 user_pref("mailnews.sendformat.auto_downgrade", false);
-/* 6109: What classes can process incoming data.
+/* 6114: What classes can process incoming data.
  * (0=All classes (default), 1=Don't display HTML, 2=Don't display HTML and inline images,
  * 3=Don't display HTML, inline images and some other uncommon types, 100=Use a hard coded list)
  * In the past this has mitigated a vulnerability CVE-2008-0304 (rare)
  * [1] https://www.mozilla.org/en-US/security/advisories/mfsa2008-12/
  * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=677905 ***/
 user_pref("mailnews.display.disallow_mime_handlers", 3);
-/* 6110: How to display HTML parts of a message body
+/* 6115: How to display HTML parts of a message body
  * (0=Display the HTML normally (default), 1=Convert it to text and then back again
  * 2=Display the HTML source, 3=Sanitize the HTML, 4=Display all body parts)
  * (in trunk builds later than 2011-07-23)
@@ -1565,36 +1595,36 @@ user_pref("mailnews.display.disallow_mime_handlers", 3);
  * [2] https://hg.mozilla.org/comm-central/rev/c1ef44a22eb2
  * [3] https://www.bucksch.org/1/projects/mozilla/108153/ ***/
 user_pref("mailnews.display.html_as", 3);
-/* 6111: Prefer to view as plaintext or html [SETUP-FEATURE]
+/* 6116: Prefer to view as plaintext or html [SETUP-FEATURE]
  * true=Display a message as plain text when there is both a HTML and a plain
  * text version of a message body
  * false=Display a message as HTML when there is both a HTML and a plain text
  * version of a message body. (default) ***/
 user_pref("mailnews.display.prefer_plaintext", false);
-/* 6112: Inline attachments [SETUP-FEATURE]
+/* 6117: Inline attachments [SETUP-FEATURE]
  * true=Show inlinable attachments (text, images, messages) after the message.
  * false=Do not display any attachments with the message ***/
 user_pref("mail.inline_attachments", false);
-/* 6113: Big attachment warning
+/* 6118: Big attachment warning
  * [1] https://support.mozilla.org/en-US/questions/1081046
  * [2] http://forums.mozillazine.org/viewtopic.php?f=39&t=2949521 */
 user_pref("mail.compose.big_attachments.notify", true); // [DEFAULT: true]
-/* 6114: Set big attachment size to warn at */
-   // user_pref("mailnews.message_warning_size", 20971520); // DEFAULT size
+/* 6119: Set big attachment size to warn at */
+   // user_pref("mailnews.message_warning_size", 20971520); // [DEFAULT: 20971520]
 
 /** VIEW ***/
-/* 6115: Disable JavaScript
+/* 6130: Disable JavaScript
  * [NOTE] JavaScript is already disabled in message content.
  * [1] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Releases/3
  * [2] https://stackoverflow.com/questions/3054315/is-javascript-supported-in-an-email-message
  * ***/
 user_pref("javascript.enabled", false);
-/* 6116: Disable media source extensions
+/* 6131: Disable media source extensions
  * [1] https://www.ghacks.net/2014/05/10/enable-media-source-extensions-firefox ***/
 user_pref("media.mediasource.enabled", false);
-/* 6117: Disable hardware decoding support ***/
+/* 6132: Disable hardware decoding support ***/
 user_pref("media.hardware-video-decoding.enabled", false);
-/* 6118: Default image permissions
+/* 6133: Default image permissions
  * 1=Allow all images to load, regardless of origin. (Default),
  * 2=Block all images from loading.
  * 3=Prevent third-party images from loading
@@ -1636,7 +1666,8 @@ user_pref("calendar.useragent.extra", "");
 /* 6212: Set calendar timezone to avoid system detection [SETUP-INSTALL]
  * By default, extensive system detection would be performed to find user's current timezone.
  * Setting this preference to "UTC" should disable it.
- * You may also directly set it to your timezone, i.e. "Pacific/Fakaofo" ***/
+ * You may also directly set it to your timezone, i.e. "Pacific/Fakaofo"
+ * [SETTING] Edit>Preferences>Calendar>Calendar>Timezone ***/
 user_pref("calendar.timezone.local", "UTC");  // [DEFAULT: ""]
 
 /** RSS ***/
@@ -1690,9 +1721,9 @@ user_pref("_user.js.parrot", "6300 syntax error: this parrot is talking in codes
 /* These used to be inversed, however it seems upstream has changed this behavior
  * [1] https://www.privacy-handbuch.de/handbuch_31f.htm ***/
 /* 6301: Silence the Enigmail version header ***/
-user_pref("extensions.enigmail.addHeaders", false); // Default
+user_pref("extensions.enigmail.addHeaders", false); // [DEFAULT: false]
 /* 6302: Silence the Enigmail comment ***/
-user_pref("extensions.enigmail.useDefaultComment", true); // Default
+user_pref("extensions.enigmail.useDefaultComment", true); // [DEFAULT: true]
 /* 6303: Silence the version ***/
 user_pref("extensions.enigmail.agentAdditionalParam", "--no-emit-version --no-comments");
 /* 6304: Specifies the hash algorithm used by GnuPG for its cryptographic operations:
@@ -1712,7 +1743,7 @@ user_pref("extensions.enigmail.protectedHeaders", 2);
 /* 6306: Text to use as replacement for the subject, following the Memory Hole
  * standard. If nothing is defined, then "Encrypted Message" is used.
  ***/
-user_pref("extensions.enigmail.protectedSubjectText", "Encrypted Message"); // Default
+user_pref("extensions.enigmail.protectedSubjectText", "Encrypted Message"); // [DEFAULT: "Encrypted Message"]
 
 /** AUTOCRYPT ***/
 /* 6307: Choose whether to enable AutoCrypt