Git/thunderbird-user.js
1
0
Fork 0
mirror of https://github.com/HorlogeSkynet/thunderbird-user.js.git synced 2025-09-01 01:18:31 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Git:version/115-esr
Branches Tags
Git:master Git:thunderbird/esr_140 Git:version/128-esr Git:version/115-esr Git:version/91-esr Git:version/78-esr Git:cardbook/enforce_local_cache_encryption
Git:v128.0 Git:v115.0 Git:v102.2 Git:v102.1 Git:v102.0 Git:v91.2 Git:v91.1 Git:v78.2 Git:v91.0 Git:v78.1 Git:v78.0 Git:v78-beta6 Git:v78-beta5 Git:v78-beta4 Git:v78-beta3 Git:v78-beta2 Git:v78-beta1 Git:v68.0 Git:v68-beta5 Git:v68-beta4 Git:v68-beta3 Git:v68-beta2 Git:v68-beta1 Git:v60
..
compare: Git:master
Branches Tags
Git:thunderbird/esr_140 Git:master Git:version/128-esr Git:version/115-esr Git:version/91-esr Git:version/78-esr Git:cardbook/enforce_local_cache_encryption
Git:v128.0 Git:v115.0 Git:v102.2 Git:v102.1 Git:v102.0 Git:v91.2 Git:v91.1 Git:v78.2 Git:v91.0 Git:v78.1 Git:v78.0 Git:v78-beta6 Git:v78-beta5 Git:v78-beta4 Git:v78-beta3 Git:v78-beta2 Git:v78-beta1 Git:v68.0 Git:v68-beta5 Git:v68-beta4 Git:v68-beta3 Git:v68-beta2 Git:v68-beta1 Git:v60

12 Commits
version/11 ... master

Author SHA1 Message Date
Samuel FORESTIER
2b839ae6ca [META] Updates copyrights for 2025 2025-01-05 15:01:56 +01:00
Samuel FORESTIER
7f75658282 Adds SETUP-CHROME tag to 5590 (see #31) 
Co-Authored-By: Daniel Rudolf <github.com@daniel-rudolf.de>
 2025-01-05 15:01:24 +01:00
Samuel FORESTIER
eec031aa69 Prevents MUA information leakage through User-Agent header 
> closes #60
 2024-11-16 12:13:33 +01:00
Samuel FORESTIER
8e9bc01c00 Adds (adapted) upstream .gitattributes 2024-11-09 16:30:25 +01:00
Phong Tran
4d986fffc6 Add thunderbird as recognized version 2024-11-09 15:15:06 +00:00
Phong Tran
8f7158ebe2 Convert scripts to dos CRLF 2024-11-09 15:15:06 +00:00
Samuel FORESTIER
b6d6d1564b Bumps to 128.0 2024-11-07 21:24:00 +01:00
Samuel FORESTIER
6183dda54a Vendors Arkenfox updater/prefsCleaner scripts 
Also see related : arkenfox/user.js#910

> closes #1, #10, #29, #35 and #41
 2024-11-07 20:21:24 +00:00
Samuel FORESTIER
b814b88b93 Applies Arkenfox v115.1..v128.0 migration 2024-11-07 20:21:24 +00:00
Samuel FORESTIER
5d33d6b50e Fixes ESLint configuration filename in GitHub pull request template 2024-11-07 20:21:24 +00:00
Samuel FORESTIER
100b5537e9 Resets mail.showCondensedAddresses (9111) as it's disabled by default 2024-11-07 20:21:24 +00:00
Samuel FORESTIER
55cf3041a7 Adds preferences from TB 128 ESR mailnews.js 2024-11-07 20:21:24 +00:00
8 changed files with 1408 additions and 223 deletions
Expand all files Collapse all files

15
.gitattributes vendored Normal file
View File

@ -0,0 +1,15 @@
* text=auto
*.js text
*.md text
*.yml text
*.sh text
## *.bat text eol=crlf
*.bat -text
*.png binary
.gitattributes export-ignore
*.yml export-ignore
/wiki export-ignore
/.github export-ignore

2
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@ -25,4 +25,4 @@
<!--- Put an `X` in all the boxes that apply : -->
- [ ] My changes looks good ;
- [ ] I agree that my code may be modified in the future ;
- [ ] My code follows the code style of this project (see `.eslintrc.yml`).
- [ ] My code follows the code style of this project (see `.eslint.config.mjs`).

2
LICENSE
View File

@ -1,6 +1,6 @@
MIT License
Copyright (c) 2019-2024 HorlogeSkynet
Copyright (c) 2019-2025 HorlogeSkynet
Copyright (c) 2019 dngray
Copyright (c) 2019 arkenfox [prev. ghacksuserjs]

134
prefsCleaner.bat Normal file
View File

@ -0,0 +1,134 @@
@ECHO OFF & SETLOCAL DisableDelayedExpansion
TITLE prefs.js cleaner
REM ## prefs.js cleaner for Windows
REM ## /!\ This script is a vendored/adapted version of Arkenfox own prefsCleaner.bat /!\
REM ## author: @claustromaniac
REM ## version: 2.7
CD /D "%~dp0"
IF /I "%~1"=="-unattended" (SET _ua=1)
:begin
ECHO:
ECHO:
ECHO ########################################
ECHO #### prefs.js cleaner for Windows ####
ECHO #### by claustromaniac ####
ECHO #### v2.7 ####
ECHO ########################################
ECHO:
CALL :message "This script should be run from your Thunderbird profile directory."
ECHO It will remove any entries from prefs.js that also exist in user.js.
CALL :message "This will allow inactive preferences to be reset to their default values."
ECHO This Thunderbird profile shouldn't be in use during the process.
CALL :message ""
TIMEOUT 1 /nobreak >nul
IF NOT DEFINED _ua (
CHOICE /C SHE /N /M "Start [S] Help [H] Exit [E]"
CLS
IF ERRORLEVEL 3 (EXIT /B)
IF ERRORLEVEL 2 (GOTO :showhelp)
)
IF NOT EXIST "user.js" (CALL :abort "user.js not found in the current directory." 30)
IF NOT EXIST "prefs.js" (CALL :abort "prefs.js not found in the current directory." 30)
CALL :strlenCheck
CALL :FFcheck
CALL :message "Backing up prefs.js..."
FOR /F "delims=" %%# IN ('powershell get-date -format "{yyyyMMdd_HHmmss}"') DO @SET ldt=%%#
COPY /B /V /Y prefs.js "prefs-backup-%ldt%.js"
CALL :message "Cleaning prefs.js..."
CALL :cleanup
CALL :message "All done!"
TIMEOUT 5 >nul
ENDLOCAL
EXIT /B
REM ########## Abort Function ###########
:abort
CALL :message %1
TIMEOUT %~2 >nul
EXIT
REM ########## Message Function #########
:message
ECHO:
ECHO: %~1
ECHO:
GOTO :EOF
REM ### string length Check Function ####
:strlenCheck
SET /a cnt=0
setlocal ENABLEDELAYEDEXPANSION
FOR /F "tokens=1,* delims=:" %%G IN ('FINDSTR /N "^" prefs.js') DO (
ECHO:%%H >nul
SET /a cnt += 1
IF /I "%%G" NEQ "!cnt!" (
ECHO:
CALL :message "ERROR: line !cnt! in prefs.js is too long."
(CALL :abort "Aborting ..." 30)
)
)
endlocal
GOTO :EOF
REM ####### Thunderbird Check Function ######
:FFcheck
TASKLIST /FI "IMAGENAME eq thunderbird.exe" 2>NUL | FIND /I /N "thunderbird.exe">NUL
IF NOT ERRORLEVEL 1 (
CLS
CALL :message "Thunderbird is still running."
ECHO If you're not currently using this profile you can continue, otherwise
CALL :message "close Thunderbird first!"
ECHO:
PAUSE
CLS
CALL :message "Resuming..."
TIMEOUT 5 /nobreak >nul
)
GOTO :EOF
REM ######### Cleanup Function ##########
:cleanup
FOR /F tokens^=2^ delims^=^'^" %%G IN ('FINDSTR /R /C:"^[^\"']*user_pref[ ]*\([ ]*[\"'][^\"']*[\"'][ ]*," user.js') DO (
IF NOT ""=="%%G" (SET "[%%G]=1")
)
(
FOR /F "tokens=1,* delims=:" %%G IN ('FINDSTR /N "^" prefs.js') DO (
IF ""=="%%H" (
ECHO:
) ELSE (
FOR /F tokens^=1^,2^ delims^=^"^' %%I IN ("%%H") DO (
IF NOT DEFINED [%%J] (ECHO:%%H)
)
)
)
)>tempcleanedprefs
MOVE /Y tempcleanedprefs prefs.js
GOTO :EOF
REM ############### Help ##################
:showhelp
MODE 80,34
CLS
CALL :message "This script creates a backup of your prefs.js file before doing anything."
ECHO It should be safe, but you can follow these steps if something goes wrong:
ECHO:
CALL :message " 1. Make sure Thunderbird is closed."
ECHO 2. Delete prefs.js in your profile folder.
CALL :message " 3. Delete Invalidprefs.js if you have one in the same folder."
ECHO 4. Rename or copy your latest backup to prefs.js.
CALL :message " 5. Run Thunderbird and see if you notice anything wrong with it."
ECHO 6. If you do notice something wrong, especially with your extensions,
CALL :message " and/or with the UI, go to about:support, and restart Thunderbird with"
ECHO add-ons disabled. Then, restart it again normally, and see if the
CALL :message " problems were solved."
ECHO:
CALL :message "If you are able to identify the cause of your issues, please bring it up"
ECHO on thunderbird user.js GitHub repository.
ECHO:
ECHO:
PAUSE
CLS
GOTO :begin
REM #####################################

186
prefsCleaner.sh Executable file
View File

@ -0,0 +1,186 @@
#!/usr/bin/env bash
## prefs.js cleaner for Linux/Mac
## /!\ This script is a vendored/adapted version of Arkenfox own prefsCleaner.sh /!\
## author: @claustromaniac
## version: 2.1
## special thanks to @overdodactyl and @earthlng for a few snippets that I stol..*cough* borrowed from the updater.sh
## DON'T GO HIGHER THAN VERSION x.9 !! ( because of ASCII comparison in update_prefsCleaner() )
readonly CURRDIR=$(pwd)
## get the full path of this script (readlink for Linux, greadlink for Mac with coreutils installed)
SCRIPT_FILE=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null)
## fallback for Macs without coreutils
[ -z "$SCRIPT_FILE" ] && SCRIPT_FILE=${BASH_SOURCE[0]}
AUTOUPDATE=true
QUICKSTART=false
## download method priority: curl -> wget
DOWNLOAD_METHOD=''
if command -v curl >/dev/null; then
DOWNLOAD_METHOD='curl --max-redirs 3 -so'
elif command -v wget >/dev/null; then
DOWNLOAD_METHOD='wget --max-redirect 3 --quiet -O'
else
AUTOUPDATE=false
echo -e "No curl or wget detected.\nAutomatic self-update disabled!"
fi
fQuit() {
## change directory back to the original working directory
cd "${CURRDIR}"
[ "$1" -eq 0 ] && echo -e "\n$2" || echo -e "\n$2" >&2
exit $1
}
fUsage() {
echo -e "\nUsage: $0 [-ds]"
echo -e "
Optional Arguments:
-s Start immediately
-d Don't auto-update prefsCleaner.sh"
}
download_file() { # expects URL as argument ($1)
declare -r tf=$(mktemp)
$DOWNLOAD_METHOD "${tf}" "$1" &>/dev/null && echo "$tf" || echo '' # return the temp-filename or empty string on error
}
fFF_check() {
# there are many ways to see if thunderbird is running or not, some more reliable than others
# this isn't elegant and might not be future-proof but should at least be compatible with any environment
while [ -e lock ]; do
echo -e "\nThis Thunderbird profile seems to be in use. Close Thunderbird and try again.\n" >&2
read -r -p "Press any key to continue."
done
}
## returns the version number of a prefsCleaner.sh file
get_prefsCleaner_version() {
echo "$(sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p' "$1")"
}
## updates the prefsCleaner.sh file based on the latest public version
update_prefsCleaner() {
declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/master/prefsCleaner.sh')"
[ -z "$tmpfile" ] && echo -e "Error! Could not download prefsCleaner.sh" && return 1 # check if download failed
[[ $(get_prefsCleaner_version "$SCRIPT_FILE") == $(get_prefsCleaner_version "$tmpfile") ]] && return 0
mv "$tmpfile" "$SCRIPT_FILE"
chmod u+x "$SCRIPT_FILE"
"$SCRIPT_FILE" "$@" -d
exit 0
}
fClean() {
# the magic happens here
prefs="@@"
prefexp="user_pref[ ]*\([ ]*[\"']([^\"']+)[\"'][ ]*,"
while read -r line; do
if [[ "$line" =~ $prefexp && $prefs != *"@@${BASH_REMATCH[1]}@@"* ]]; then
prefs="${prefs}${BASH_REMATCH[1]}@@"
fi
done <<< "$(grep -E "$prefexp" user.js)"
while IFS='' read -r line || [[ -n "$line" ]]; do
if [[ "$line" =~ ^$prefexp ]]; then
if [[ $prefs != *"@@${BASH_REMATCH[1]}@@"* ]]; then
echo "$line"
fi
else
echo "$line"
fi
done < "$1" > prefs.js
}
fStart() {
if [ ! -e user.js ]; then
fQuit 1 "user.js not found in the current directory."
elif [ ! -e prefs.js ]; then
fQuit 1 "prefs.js not found in the current directory."
fi
fFF_check
mkdir -p prefsjs_backups
bakfile="prefsjs_backups/prefs.js.backup.$(date +"%Y-%m-%d_%H%M")"
mv prefs.js "${bakfile}" || fQuit 1 "Operation aborted.\nReason: Could not create backup file $bakfile"
echo -e "\nprefs.js backed up: $bakfile"
echo "Cleaning prefs.js..."
fClean "$bakfile"
fQuit 0 "All done!"
}
while getopts "sd" opt; do
case $opt in
s)
QUICKSTART=true
;;
d)
AUTOUPDATE=false
;;
esac
done
## change directory to the Thunderbird profile directory
cd "$(dirname "${SCRIPT_FILE}")"
# Check if running as root and if any files have the owner as root/wheel.
if [ "${EUID:-"$(id -u)"}" -eq 0 ]; then
fQuit 1 "You shouldn't run this with elevated privileges (such as with doas/sudo)."
elif [ -n "$(find ./ -user 0)" ]; then
printf 'It looks like this script was previously run with elevated privileges,
you will need to change ownership of the following files to your user:\n'
find . -user 0
fQuit 1
fi
[ "$AUTOUPDATE" = true ] && update_prefsCleaner "$@"
echo -e "\n\n"
echo " ╔══════════════════════════╗"
echo " ║ prefs.js cleaner ║"
echo " ║ by claustromaniac ║"
echo " ║ v2.1 ║"
echo " ╚══════════════════════════╝"
echo -e "\nThis script should be run from your Thunderbird profile directory.\n"
echo "It will remove any entries from prefs.js that also exist in user.js."
echo "This will allow inactive preferences to be reset to their default values."
echo -e "\nThis Thunderbird profile shouldn't be in use during the process.\n"
[ "$QUICKSTART" = true ] && fStart
echo -e "\nIn order to proceed, select a command below by entering its corresponding number.\n"
select option in Start Help Exit; do
case $option in
Start)
fStart
;;
Help)
fUsage
echo -e "\nThis script creates a backup of your prefs.js file before doing anything."
echo -e "It should be safe, but you can follow these steps if something goes wrong:\n"
echo "1. Make sure Thunderbird is closed."
echo "2. Delete prefs.js in your profile folder."
echo "3. Delete Invalidprefs.js if you have one in the same folder."
echo "4. Rename or copy your latest backup to prefs.js."
echo "5. Run Thunderbird and see if you notice anything wrong with it."
echo "6. If you do notice something wrong, especially with your extensions, and/or with the UI, go to about:support, and restart Thunderbird with add-ons disabled. Then, restart it again normally, and see if the problems were solved."
echo -e "If you are able to identify the cause of your issues, please bring it up on the thunderbird user.js GitHub repository.\n"
;;
Exit)
fQuit 0
;;
esac
done
fQuit 0

323
updater.bat Normal file
View File

@ -0,0 +1,323 @@
@ECHO OFF & SETLOCAL EnableDelayedExpansion
TITLE thunderbird user.js updater
REM ## thunderbird user.js updater for Windows
REM ## /!\ This script is a vendored/adapted version of Arkenfox own updater.bat /!\
REM ## author: @claustromaniac
REM ## version: 4.19
REM ## instructions: https://github.com/arkenfox/user.js/wiki/5.1-Updater-[Options]#-windows
SET v=4.19
VERIFY ON
CD /D "%~dp0"
SET _myname=%~n0
SET _myparams=%*
:parse
IF "%~1"=="" (GOTO endparse)
IF /I "%~1"=="-unattended" (SET _ua=1)
IF /I "%~1"=="-log" (SET _log=1)
IF /I "%~1"=="-logp" (SET _log=1 & SET _logp=1)
IF /I "%~1"=="-multioverrides" (SET _multi=1)
IF /I "%~1"=="-merge" (SET _merge=1)
IF /I "%~1"=="-updatebatch" (SET _updateb=1)
IF /I "%~1"=="-singlebackup" (SET _singlebackup=1)
IF /I "%~1"=="-esr" (SET _esr=1)
SHIFT
GOTO parse
:endparse
FOR /F %%i IN ('PowerShell -Command "[Enum]::GetNames([Net.SecurityProtocolType]) -contains 'Tls12'"') DO (
IF "%%i" == "False" (
CALL :message "Your PowerShell version doesn't support TLS1.2 ^!"
ECHO: Instructions to update PowerShell are on the arkenfox wiki
PAUSE
EXIT
)
)
IF DEFINED _updateb (
REM The normal flow here goes from phase 1 to phase 2 and then phase 3.
IF NOT "!_myname:~0,9!"=="[updated]" (
IF EXIST "[updated]!_myname!.bat" (
REM ## Phase 3 ##: The new script, with the original name, will:
REM * Delete the [updated]*.bat and *.bat.old scripts
REM * Begin the normal routine
FC "[updated]!_myname!.bat" "!_myname!.bat.old" >nul
IF NOT "!errorlevel!"=="0" (
CALL :message "Script updated to version !v!"
TIMEOUT 3 >nul
)
REN "[updated]!_myname!.bat" "[updated]!_myname!.bat.old"
DEL /F "!_myname!.bat.old" "[updated]!_myname!.bat.old"
GOTO begin
)
REM ## Phase 1 ##
REM * Download new batch and name it [updated]*.bat
REM * Start that script in a new CMD window
REM * Exit
CALL :message "Updating script..."
REM Uncomment the next line and comment out the PowerShell call for testing.
REM COPY /B /Y "!_myname!.bat" "[updated]!_myname!.bat" >nul
CALL :psdownload https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/master/updater.bat "[updated]!_myname!.bat"
IF EXIST "[updated]!_myname!.bat" (
START /min CMD /C "[updated]!_myname!.bat" !_myparams!
) ELSE (
CALL :message "Failed. Make sure PowerShell is allowed internet access."
TIMEOUT 120 >nul
)
) ELSE (
IF "!_myname!"=="[updated]" (
CALL :message "The [updated] label is reserved. Rename this script and try again."
TIMEOUT 300 >nul
) ELSE (
REM ## Phase 2 ##: The [updated]*.bat script will:
REM * Rename the old script and make a copy of itself with the original name.
REM * Run that copy in a new CMD instance
REM * Exit
IF EXIST "!_myname:~9!.bat" ( REN "!_myname:~9!.bat" "!_myname:~9!.bat.old" )
COPY /B /Y "!_myname!.bat" "!_myname:~9!.bat"
START CMD /C "!_myname:~9!.bat" !_myparams!
)
)
EXIT /B
)
:begin
CLS
ECHO:
ECHO:
ECHO: ########################################
ECHO: #### user.js Updater for Windows ####
ECHO: #### by claustromaniac ####
ECHO: #### v!v! ####
ECHO: ########################################
ECHO:
SET /A "_line=0"
IF NOT EXIST user.js (
CALL :message "user.js not detected in the current directory."
) ELSE (
FOR /F "skip=1 tokens=1,* delims=:" %%G IN (user.js) DO (
SET /A "_line+=1"
IF !_line! GEQ 4 (GOTO exitloop)
IF !_line! EQU 1 (SET _name=%%H)
IF !_line! EQU 2 (SET _date=%%H)
IF !_line! EQU 3 (SET _version=%%H)
)
:exitloop
IF NOT "!_name!"=="" (
SET "_tempvar="
IF /I NOT "!_name!"=="!_name:thunderbird=!" SET _tempvar=1
IF !_tempvar! EQU 1 (
CALL :message "!_name! !_version:~2!,!_date!"
) ELSE (CALL :message "Current user.js version not recognised.")
) ELSE (CALL :message "Current user.js version not recognised.")
)
ECHO:
IF NOT DEFINED _ua (
CALL :message "This batch should be run from your Thunderbird profile directory."
ECHO: It will download the latest version of thunderbird user.js from github and then
CALL :message "append any of your own changes from user-overrides.js to it."
CALL :message "Visit the wiki for more detailed information."
ECHO:
TIMEOUT 1 /nobreak >nul
CHOICE /C SHE /N /M "Start [S] Help [H] Exit [E]"
CLS
IF ERRORLEVEL 3 (EXIT /B)
IF ERRORLEVEL 2 (GOTO :showhelp)
)
IF DEFINED _log (
CALL :log >>user.js-update-log.txt 2>&1
IF DEFINED _logp (START user.js-update-log.txt)
EXIT /B
:log
SET _log=2
ECHO:##################################################################
ECHO: %date%, %time%
)
IF EXIST user.js.new (DEL /F "user.js.new")
CALL :message "Retrieving latest user.js file from github repository..."
CALL :psdownload https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/master/user.js "user.js.new"
IF EXIST user.js.new (
IF DEFINED _esr (
CALL :message "Activating ESR section..."
CALL :activate user.js.new ".x still uses all the following prefs"
)
IF DEFINED _multi (
FORFILES /P user.js-overrides /M *.js >nul 2>&1
IF NOT ERRORLEVEL 1 (
IF DEFINED _merge (
CALL :message "Merging..."
COPY /B /Y user.js-overrides\*.js user-overrides-merged.js
CALL :merge user-overrides-merged.js
COPY /B /Y user.js.new+user-overrides-merged.js user.js.new
CALL :merge user.js.new
) ELSE (
CALL :message "Appending..."
COPY /B /Y user.js.new+"user.js-overrides\*.js" user.js.new
)
) ELSE (CALL :message "No override files found.")
) ELSE (
IF EXIST "user-overrides.js" (
COPY /B /Y user.js.new+"user-overrides.js" "user.js.new"
IF DEFINED _merge (
CALL :message "Merging user-overrides.js..."
CALL :merge user.js.new
) ELSE (
CALL :message "user-overrides.js appended."
)
) ELSE (CALL :message "user-overrides.js not found.")
)
IF EXIST user.js (
FC user.js.new user.js >nul && SET "_changed=false" || SET "_changed=true"
)
IF "!_changed!"=="true" (
CALL :message "Backing up..."
IF DEFINED _singlebackup (
MOVE /Y user.js user.js.bak >nul
) ELSE (
FOR /F "delims=" %%# IN ('powershell get-date -format "{yyyyMMdd_HHmmss}"') DO @SET ldt=%%#
MOVE /Y user.js "user-backup-!ldt!.js" >nul
)
REN user.js.new user.js
CALL :message "Update complete."
) ELSE (
IF "!_changed!"=="false" (
DEL /F user.js.new >nul
CALL :message "Update completed without changes."
) ELSE (
REN user.js.new user.js
CALL :message "Update complete."
SET "_changed=true"
)
)
) ELSE (
CALL :message "Update failed. Make sure PowerShell is allowed internet access."
ECHO: No changes were made.
)
IF NOT DEFINED _log (
IF NOT DEFINED _ua (
IF EXIST prefsCleaner.bat (
IF "!_changed!"=="true" (
CALL :message "Would you like to run the prefsCleaner now?"
CHOICE /C YN /N /M "(Y/N) "
IF "1"=="!errorlevel!" ( START "" cmd.exe /C "prefsCleaner.bat" )
) ELSE (PAUSE)
) ELSE (PAUSE)
)
)
EXIT /B
::::::::::::::: Message :::::::::::::::
:message
SETLOCAL DisableDelayedExpansion
IF NOT "2"=="%_log%" (ECHO:)
ECHO: %~1
IF NOT "2"=="%_log%" (ECHO:)
ENDLOCAL
GOTO :EOF
::::::::::::::: Download :::::::::::::::
:psdownload
(
PowerShell -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object Net.WebClient).DownloadFile('%~1', '%~2')"
) >nul 2>&1
GOTO :EOF
::::::::::::::: Activate Section :::::::::::::::
:activate
:: arg1 = file
:: arg2 = line substring
SETLOCAL DisableDelayedExpansion
(
FOR /F "tokens=1,* delims=:" %%G IN ('FINDSTR /N "^" "%~1"') DO (
SET "_temp=%%H"
SETLOCAL EnableDelayedExpansion
IF "!_temp:%~2=!"=="!_temp!" (
ENDLOCAL & ECHO:%%H
) ELSE (
ECHO://!_temp:~2!
ENDLOCAL
)
)
)>updatertempfile
MOVE /Y updatertempfile "%~1" >nul
ENDLOCAL
GOTO :EOF
::::::::::::::: Merge :::::::::::::::
:merge
SETLOCAL DisableDelayedExpansion
FOR /F tokens^=2^,^*^ delims^=^'^" %%G IN ('FINDSTR /R /C:"^user_pref[ ]*\([ ]*[\"'].*[\"'][ ]*,.*\)[ ]*;" "%~1"') DO (SET "[%%G]=%%H")
FOR /F tokens^=2^,^*^ delims^=^' %%G IN ('FINDSTR /R /C:"^//// --- comment-out --- '[^'][^']*'.*" "%~1"') DO (SET "__unset__%%G=1")
(
FOR /F "tokens=1,* delims=:" %%I IN ('FINDSTR /N "^" "%~1"') DO (
SET "_temp=%%J"
SETLOCAL EnableDelayedExpansion
IF NOT "!_temp:~0,9!"=="user_pref" (
ENDLOCAL & ECHO:%%J
) ELSE (
IF "!_temp:;=!"=="!_temp!" (
ENDLOCAL & ECHO:%%J
) ELSE (
ENDLOCAL
FOR /F tokens^=2^ delims^=^'^" %%K IN ("%%J") DO (
IF NOT "_user.js.parrot"=="%%K" (
IF DEFINED __unset__%%K (
ECHO://%%J
) ELSE (
IF DEFINED [%%K] (
SETLOCAL EnableDelayedExpansion
FOR /F "delims=" %%L IN ("![%%K]!") DO (
ENDLOCAL & ECHO:user_pref("%%K"%%L
SET "[%%K]="
)
)
)
) ELSE (ECHO:%%J)
)
)
)
)
)>updatertempfile
MOVE /Y updatertempfile "%~1" >nul
ENDLOCAL
GOTO :EOF
::::::::::::::: Help :::::::::::::::
:showhelp
MODE 80,54
CLS
CALL :message "Available arguments (case-insensitive):"
CALL :message " -esr"
ECHO: Activate ESR related preferences
CALL :message " -log"
ECHO: Write the console output to a logfile (user.js-update-log.txt)
CALL :message " -logP"
ECHO: Like -log, but also open the logfile after updating.
CALL :message " -merge"
ECHO: Merge overrides instead of appending them. Single-line comments and
ECHO: _user.js.parrot lines are appended normally. Overrides for inactive
ECHO: user.js prefs will be appended. When -Merge and -MultiOverrides are used
ECHO: together, a user-overrides-merged.js file is also generated in the root
ECHO: directory for quick reference. It contains only the merged data from
ECHO: override files and can be safely discarded after updating, or used as the
ECHO: new user-overrides.js. When there are conflicting records for the same
ECHO: pref, the value of the last one declared will be used. Visit the wiki
ECHO: for usage examples and more detailed information.
CALL :message " -multiOverrides"
ECHO: Use any and all .js files in a user.js-overrides sub-folder as overrides
ECHO: instead of the default user-overrides.js file. Files are appended in
ECHO: alphabetical order.
CALL :message " -unattended"
ECHO: Run without user input.
CALL :message " -singleBackup"
ECHO: Use a single backup file and overwrite it on new updates, instead of
ECHO: cumulative backups. This was the default behaviour before v4.3.
CALL :message " -updateBatch"
ECHO: Update the script itself on execution, before the normal routine.
CALL :message ""
PAUSE
MODE 80,25
GOTO :begin

408
updater.sh Executable file
View File

@ -0,0 +1,408 @@
#!/usr/bin/env bash
## thunderbird user.js updater for macOS and Linux
## /!\ This script is a vendored/adapted version of Arkenfox own updater.sh /!\
## version: 4.0
## Author: Pat Johnson (@overdodactyl)
## Additional contributors: @earthlng, @ema-pe, @claustromaniac, @infinitewarp
## DON'T GO HIGHER THAN VERSION x.9 !! ( because of ASCII comparison in update_updater() )
# Check if running as root
if [ "${EUID:-"$(id -u)"}" -eq 0 ]; then
printf "You shouldn't run this with elevated privileges (such as with doas/sudo).\n"
exit 1
fi
readonly CURRDIR=$(pwd)
SCRIPT_FILE=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null)
[ -z "$SCRIPT_FILE" ] && SCRIPT_FILE=${BASH_SOURCE[0]}
readonly SCRIPT_DIR=$(dirname "${SCRIPT_FILE}")
#########################
# Base variables #
#########################
# Colors used for printing
RED='\033[0;31m'
BLUE='\033[0;34m'
BBLUE='\033[1;34m'
GREEN='\033[0;32m'
ORANGE='\033[0;33m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color
# Argument defaults
UPDATE='check'
CONFIRM='yes'
OVERRIDE='user-overrides.js'
BACKUP='multiple'
COMPARE=false
SKIPOVERRIDE=false
VIEW=false
PROFILE_PATH=false
ESR=false
# Download method priority: curl -> wget
DOWNLOAD_METHOD=''
if command -v curl >/dev/null; then
DOWNLOAD_METHOD='curl --max-redirs 3 -so'
elif command -v wget >/dev/null; then
DOWNLOAD_METHOD='wget --max-redirect 3 --quiet -O'
else
echo -e "${RED}This script requires curl or wget.\nProcess aborted${NC}"
exit 1
fi
show_banner() {
echo -e "${BBLUE}
############################################################################
#### ####
#### thunderbird user.js ####
#### Hardening the Privacy and Security Settings of Thunderbird ####
#### Maintained by @Thorin-Oakenpants and @earthlng ####
#### Updater for macOS and Linux by @overdodactyl ####
#### ####
############################################################################"
echo -e "${NC}\n"
echo -e "Documentation for this script is available here: ${CYAN}https://github.com/arkenfox/user.js/wiki/5.1-Updater-[Options]#-maclinux${NC}\n"
}
#########################
# Arguments #
#########################
usage() {
echo
echo -e "${BLUE}Usage: $0 [-bcdehlnrsuv] [-p PROFILE] [-o OVERRIDE]${NC}" 1>&2 # Echo usage string to standard error
echo -e "
Optional Arguments:
-h Show this help message and exit.
-p PROFILE Path to your Thunderbird profile (if different than the dir of this script)
IMPORTANT: If the path contains spaces, wrap the entire argument in quotes.
-l Choose your Thunderbird profile from a list
-u Update updater.sh and execute silently. Do not seek confirmation.
-d Do not look for updates to updater.sh.
-s Silently update user.js. Do not seek confirmation.
-b Only keep one backup of each file.
-c Create a diff file comparing old and new user.js within userjs_diffs.
-o OVERRIDE Filename or path to overrides file (if different than user-overrides.js).
If used with -p, paths should be relative to PROFILE or absolute paths
If given a directory, all files inside will be appended recursively.
You can pass multiple files or directories by passing a comma separated list.
Note: If a directory is given, only files inside ending in the extension .js are appended
IMPORTANT: Do not add spaces between files/paths. Ex: -o file1.js,file2.js,dir1
IMPORTANT: If any file/path contains spaces, wrap the entire argument in quotes.
Ex: -o \"override folder\"
-n Do not append any overrides, even if user-overrides.js exists.
-v Open the resulting user.js file.
-r Only download user.js to a temporary file and open it.
-e Activate ESR related preferences."
echo
exit 1
}
#########################
# File Handling #
#########################
download_file() { # expects URL as argument ($1)
declare -r tf=$(mktemp)
$DOWNLOAD_METHOD "${tf}" "$1" &>/dev/null && echo "$tf" || echo '' # return the temp-filename or empty string on error
}
open_file() { # expects one argument: file_path
if [ "$(uname)" == 'Darwin' ]; then
open "$1"
elif [ "$(uname -s | cut -c -5)" == "Linux" ]; then
xdg-open "$1"
else
echo -e "${RED}Error: Sorry, opening files is not supported for your OS.${NC}"
fi
}
readIniFile() { # expects one argument: absolute path of profiles.ini
declare -r inifile="$1"
# tempIni will contain: [ProfileX], Name=, IsRelative= and Path= (and Default= if present) of the only (if) or the selected (else) profile
if [ "$(grep -c '^\[Profile' "${inifile}")" -eq "1" ]; then ### only 1 profile found
tempIni="$(grep '^\[Profile' -A 4 "${inifile}")"
else
echo -e "Profiles found:\n"
## cmd-substitution to strip trailing newlines and in quotes to keep internal ones:
echo "$(grep --color=never -E 'Default=[^1]|\[Profile[0-9]*\]|Name=|Path=|^$' "${inifile}")"
echo ''
read -p 'Select the profile number ( 0 for Profile0, 1 for Profile1, etc ) : ' -r
echo -e "\n"
if [[ $REPLY =~ ^(0|[1-9][0-9]*)$ ]]; then
tempIni="$(grep "^\[Profile${REPLY}" -A 4 "${inifile}")" || {
echo -e "${RED}Profile${REPLY} does not exist!${NC}" && exit 1
}
else
echo -e "${RED}Invalid selection!${NC}" && exit 1
fi
fi
# extracting 0 or 1 from the "IsRelative=" line
declare -r pathisrel=$(sed -n 's/^IsRelative=\([01]\)$/\1/p' <<< "${tempIni}")
# extracting only the path itself, excluding "Path="
PROFILE_PATH=$(sed -n 's/^Path=\(.*\)$/\1/p' <<< "${tempIni}")
# update global variable if path is relative
[[ ${pathisrel} == "1" ]] && PROFILE_PATH="$(dirname "${inifile}")/${PROFILE_PATH}"
}
getProfilePath() {
declare -r f1=~/Library/Application\ Support/Thunderbird/profiles.ini
declare -r f2=~/.thunderbird/profiles.ini
if [ "$PROFILE_PATH" = false ]; then
PROFILE_PATH="$SCRIPT_DIR"
elif [ "$PROFILE_PATH" = 'list' ]; then
if [[ -f "$f1" ]]; then
readIniFile "$f1" # updates PROFILE_PATH or exits on error
elif [[ -f "$f2" ]]; then
readIniFile "$f2"
else
echo -e "${RED}Error: Sorry, -l is not supported for your OS${NC}"
exit 1
fi
#else
# PROFILE_PATH already set by user with -p
fi
}
#########################
# Update updater.sh #
#########################
# Returns the version number of a updater.sh file
get_updater_version() {
echo "$(sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p' "$1")"
}
# Update updater.sh
# Default: Check for update, if available, ask user if they want to execute it
# Args:
# -d: New version will not be looked for and update will not occur
# -u: Check for update, if available, execute without asking
update_updater() {
[ "$UPDATE" = 'no' ] && return 0 # User signified not to check for updates
declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/master/updater.sh')"
[ -z "${tmpfile}" ] && echo -e "${RED}Error! Could not download updater.sh${NC}" && return 1 # check if download failed
if [[ $(get_updater_version "$SCRIPT_FILE") < $(get_updater_version "${tmpfile}") ]]; then
if [ "$UPDATE" = 'check' ]; then
echo -e "There is a newer version of updater.sh available. ${RED}Update and execute Y/N?${NC}"
read -p "" -n 1 -r
echo -e "\n\n"
[[ $REPLY =~ ^[Yy]$ ]] || return 0 # Update available, but user chooses not to update
fi
else
return 0 # No update available
fi
mv "${tmpfile}" "$SCRIPT_FILE"
chmod u+x "$SCRIPT_FILE"
"$SCRIPT_FILE" "$@" -d
exit 0
}
#########################
# Update user.js #
#########################
# Returns version number of a user.js file
get_userjs_version() {
[ -e "$1" ] && echo "$(sed -n '4p' "$1")" || echo "Not detected."
}
add_override() {
input=$1
if [ -f "$input" ]; then
echo "" >> user.js
cat "$input" >> user.js
echo -e "Status: ${GREEN}Override file appended:${NC} ${input}"
elif [ -d "$input" ]; then
SAVEIFS=$IFS
IFS=$'\n\b' # Set IFS
FILES="${input}"/*.js
for f in $FILES
do
add_override "$f"
done
IFS=$SAVEIFS # restore $IFS
else
echo -e "${ORANGE}Warning: Could not find override file:${NC} ${input}"
fi
}
remove_comments() { # expects 2 arguments: from-file and to-file
sed -e '/^\/\*.*\*\/[[:space:]]*$/d' -e '/^\/\*/,/\*\//d' -e 's|^[[:space:]]*//.*$||' -e '/^[[:space:]]*$/d' -e 's|);[[:space:]]*//.*|);|' "$1" > "$2"
}
# Applies latest version of user.js and any custom overrides
update_userjs() {
declare -r newfile="$(download_file 'https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/master/user.js')"
[ -z "${newfile}" ] && echo -e "${RED}Error! Could not download user.js${NC}" && return 1 # check if download failed
echo -e "Please observe the following information:
Thunderbird profile: ${ORANGE}$(pwd)${NC}
Available online: ${ORANGE}$(get_userjs_version "$newfile")${NC}
Currently using: ${ORANGE}$(get_userjs_version user.js)${NC}\n\n"
if [ "$CONFIRM" = 'yes' ]; then
echo -e "This script will update to the latest user.js file and append any custom configurations from user-overrides.js. ${RED}Continue Y/N? ${NC}"
read -p "" -n 1 -r
echo -e "\n"
if ! [[ $REPLY =~ ^[Yy]$ ]]; then
echo -e "${RED}Process aborted${NC}"
rm "$newfile"
return 1
fi
fi
# Copy a version of user.js to diffs folder for later comparison
if [ "$COMPARE" = true ]; then
mkdir -p userjs_diffs
cp user.js userjs_diffs/past_user.js &>/dev/null
fi
# backup user.js
mkdir -p userjs_backups
local bakname="userjs_backups/user.js.backup.$(date +"%Y-%m-%d_%H%M")"
[ "$BACKUP" = 'single' ] && bakname='userjs_backups/user.js.backup'
cp user.js "$bakname" &>/dev/null
mv "${newfile}" user.js
echo -e "Status: ${GREEN}user.js has been backed up and replaced with the latest version!${NC}"
if [ "$ESR" = true ]; then
sed -e 's/\/\* \(ESR[0-9]\{2,\}\.x still uses all.*\)/\/\/ \1/' user.js > user.js.tmp && mv user.js.tmp user.js
echo -e "Status: ${GREEN}ESR related preferences have been activated!${NC}"
fi
# apply overrides
if [ "$SKIPOVERRIDE" = false ]; then
while IFS=',' read -ra FILES; do
for FILE in "${FILES[@]}"; do
add_override "$FILE"
done
done <<< "$OVERRIDE"
fi
# create diff
if [ "$COMPARE" = true ]; then
pastuserjs='userjs_diffs/past_user.js'
past_nocomments='userjs_diffs/past_userjs.txt'
current_nocomments='userjs_diffs/current_userjs.txt'
remove_comments "$pastuserjs" "$past_nocomments"
remove_comments user.js "$current_nocomments"
diffname="userjs_diffs/diff_$(date +"%Y-%m-%d_%H%M").txt"
diff=$(diff -w -B -U 0 "$past_nocomments" "$current_nocomments")
if [ -n "$diff" ]; then
echo "$diff" > "$diffname"
echo -e "Status: ${GREEN}A diff file was created:${NC} ${PWD}/${diffname}"
else
echo -e "Warning: ${ORANGE}Your new user.js file appears to be identical. No diff file was created.${NC}"
[ "$BACKUP" = 'multiple' ] && rm "$bakname" &>/dev/null
fi
rm "$past_nocomments" "$current_nocomments" "$pastuserjs" &>/dev/null
fi
[ "$VIEW" = true ] && open_file "${PWD}/user.js"
}
#########################
# Execute #
#########################
if [ $# != 0 ]; then
# Display usage if first argument is -help or --help
if [ "$1" = '--help' ] || [ "$1" = '-help' ]; then
usage
else
while getopts ":hp:ludsno:bcvre" opt; do
case $opt in
h)
usage
;;
p)
PROFILE_PATH=${OPTARG}
;;
l)
PROFILE_PATH='list'
;;
u)
UPDATE='yes'
;;
d)
UPDATE='no'
;;
s)
CONFIRM='no'
;;
n)
SKIPOVERRIDE=true
;;
o)
OVERRIDE=${OPTARG}
;;
b)
BACKUP='single'
;;
c)
COMPARE=true
;;
v)
VIEW=true
;;
e)
ESR=true
;;
r)
tfile="$(download_file 'https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/master/user.js')"
[ -z "${tfile}" ] && echo -e "${RED}Error! Could not download user.js${NC}" && exit 1 # check if download failed
mv "$tfile" "${tfile}.js"
echo -e "${ORANGE}Warning: user.js was saved to temporary file ${tfile}.js${NC}"
open_file "${tfile}.js"
exit 0
;;
\?)
echo -e "${RED}\n Error! Invalid option: -$OPTARG${NC}" >&2
usage
;;
:)
echo -e "${RED}Error! Option -$OPTARG requires an argument.${NC}" >&2
exit 2
;;
esac
done
fi
fi
show_banner
update_updater "$@"
getProfilePath # updates PROFILE_PATH or exits on error
cd "$PROFILE_PATH" || exit 1
# Check if any files have the owner as root/wheel.
if [ -n "$(find ./ -user 0)" ]; then
printf 'It looks like this script was previously run with elevated privileges,
you will need to change ownership of the following files to your user:\n'
find . -user 0
cd "$CURRDIR"
exit 1
fi
update_userjs
cd "$CURRDIR"

561
user.js
View File

@ -1,7 +1,7 @@
/******
* name: thunderbird user.js
* date: 21 April 2024
* version: v115.0
* date: 7 November 2024
* version: v128.0
* url: https://github.com/HorlogeSkynet/thunderbird-user.js
* license: MIT (https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/LICENSE)
@ -27,16 +27,21 @@
[SETUP-CHROME] changes how Thunderbird itself behaves (i.e. not directly website related)
* RELEASES: https://github.com/HorlogeSkynet/thunderbird-user.js/releases
* It is best to use the release that is optimized for and matches your Thunderbird version
* ESR102
- If you are not using thunderbird-user.js v102-1... (not a definitive list)
- 2815: clearOnShutdown cookies + offlineApps should be false
- 9999: switch the appropriate deprecated section(s) back on
* Use the thunderbird-user.js release that matches your Thunderbird version
- DON'T wait for thunderbird-user.js to update Thunderbird, nothing major changes these days
* Each release
- run prefsCleaner to reset prefs made inactive, including deprecated (9999)
* If you use a previous ESR
- It is recommended to not use the updater, or you will get a later version which may cause issues.
So you should manually append your overrides (and keep a copy), and manually update when you
change ESR releases (thunderbird-user.js is already past that release)
- If you decide to keep updating, then the onus is on you - also see section 9999
* INDEX:
0100: STARTUP
0200: GEOLOCATION / LANGUAGE / LOCALE
0200: GEOLOCATION
0300: QUIETER BIRD
0400: SAFE BROWSING
0600: BLOCK IMPLICIT OUTBOUND
@ -45,7 +50,6 @@
0900: PASSWORDS
1000: DISK AVOIDANCE
1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP)
1400: FONTS
1600: REFERERS
1700: CONTAINERS
2000: PLUGINS / MEDIA / WEBRTC
@ -53,7 +57,8 @@
2600: MISCELLANEOUS
2700: ETP (ENHANCED TRACKING PROTECTION)
2800: SHUTDOWN & SANITIZING
4500: RFP (RESIST FINGERPRINTING)
4000: FPP (fingerprintingProtection)
4500: OPTIONAL RFP (resistFingerprinting)
5000: OPTIONAL OPSEC
5500: OPTIONAL HARDENING
6000: DON'T TOUCH
@ -64,7 +69,7 @@
9200: EMAIL COMPOSITION (ENCODING / FORMAT / VIEW)
9300: OTHER THUNDERBIRD COMPONENTS (CHAT / CALENDAR / RSS)
9400: THUNDERBIRD ENCRYPTION (OPENPGP / GNUPG)
9999: DEPRECATED / REMOVED / LEGACY / RENAMED
9999: DEPRECATED / RENAMED
******/
@ -87,27 +92,12 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
* true=? (default), false=blank page ***/
user_pref("browser.newtabpage.enabled", false);
/*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/
/*** [SECTION 0200]: GEOLOCATION ***/
user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
/* 0201: use Mozilla geolocation service instead of Google if permission is granted [FF74+]
* Optionally enable logging to the console (defaults to false) ***/
user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
// user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF]
/* 0202: disable using the OS's geolocation service ***/
user_pref("geo.provider.ms-windows-location", false); // [WINDOWS]
user_pref("geo.provider.use_corelocation", false); // [MAC]
user_pref("geo.provider.use_gpsd", false); // [LINUX]
user_pref("geo.provider.use_geoclue", false); // [FF102+] [LINUX]
/* 0210: set preferred language for displaying pages
* [SETTING] General > Language & Appearance > Language > Choose the language used to display...
* [TEST] https://addons.mozilla.org/about ***/
user_pref("intl.accept_languages", "en-US, en");
/* 0210b: Set dictionary to US ***/
user_pref("spellchecker.dictionary", "en-US");
/* 0211: use en-US locale regardless of the system or region locale
* [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1]
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/
user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
/*** [SECTION 0300]: QUIETER BIRD ***/
user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!");
@ -116,6 +106,13 @@ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the
user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF]
/* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/
user_pref("extensions.htmlaboutaddons.recommendations.enabled", false);
/* 0322: disable personalized Extension Recommendations in about:addons and AMO [FF65+]
* [NOTE] This pref has no effect when Health Reports (0331) are disabled
* [1] https://support.mozilla.org/kb/personalized-extension-recommendations ***/
user_pref("browser.discovery.enabled", false);
/* 0323: disable shopping experience [FF116+]
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1840156#c0 ***/
user_pref("browser.shopping.experience2023.enabled", false); // [DEFAULT: false]
/** TELEMETRY ***/
/* 0330: disable new data submission [FF41+]
@ -148,9 +145,6 @@ user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+]
user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF]
user_pref("toolkit.coverage.opt-out", true); // [FF64+] [HIDDEN PREF]
user_pref("toolkit.coverage.endpoint.base", "");
/* 0334: disable PingCentre telemetry (used in several System Add-ons) [FF57+]
* Defense-in-depth: currently covered by 0331 ***/
user_pref("browser.ping-centre.telemetry", false);
/** STUDIES ***/
/* 0340: disable Studies
@ -263,7 +257,7 @@ user_pref("network.prefetch-next", false);
/* 0602: disable DNS prefetching
* [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/
user_pref("network.dns.disablePrefetch", true);
// user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true]
user_pref("network.dns.disablePrefetchFromHTTPS", true);
/* 0603: disable predictor / prefetching ***/
user_pref("network.predictor.enabled", false);
user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false]
@ -286,15 +280,15 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost
user_pref("network.proxy.socks_remote_dns", true);
/* 0703: disable using UNC (Uniform Naming Convention) paths [FF61+]
* [SETUP-CHROME] Can break extensions for profiles on network shares
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/
* [1] https://bugzilla.mozilla.org/1413868 ***/
user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
/* 0704: disable GIO as a potential proxy bypass vector [FF60+]
* Gvfs/GIO has a set of supported protocols like obex, network, archive, computer,
* dav, cdda, gphoto2, trash, etc. By default only sftp is accepted (FF87+)
* dav, cdda, gphoto2, trash, etc. From FF87-117, by default only sftp was accepted
* [1] https://bugzilla.mozilla.org/1433507
* [2] https://en.wikipedia.org/wiki/GVfs
* [3] https://en.wikipedia.org/wiki/GIO_(software) ***/
user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] [DEFAULT: "" FF118+]
/* 0705: disable proxy direct failover for system requests [FF91+]
* [WARNING] Default true is a security feature against malicious extensions [1]
* [SETUP-CHROME] If you use a proxy and you trust your extensions
@ -306,41 +300,59 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
* [SETUP-CHROME] If you use a proxy and you understand the security impact
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 ***/
// user_pref("network.proxy.allow_bypass", false);
/* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+]
* 0=default, 2=increased (TRR (Trusted Recursive Resolver) first), 3=max (TRR only), 5=off
/* 0710: enable DNS-over-HTTPS (DoH) [FF60+]
* 0=default, 2=increased (TRR (Trusted Recursive Resolver) first), 3=max (TRR only), 5=off (no rollout)
* see "doh-rollout.home-region": USA 2019, Canada 2021, Russia/Ukraine 2022 [3]
* [SETTING] General > Network & Disk Space > Connection > Settings... > Enable DNS over HTTPS
* [SETTING] Privacy & Security>DNS over HTTPS
* [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
* [2] https://wiki.mozilla.org/Security/DOH-resolver-policy
// * [3] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
* [3] https://support.mozilla.org/kb/firefox-dns-over-https
* [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
// user_pref("network.trr.mode", 5);
/* 0706: disable proxy direct failover for system requests [FF91+]
* [WARNING] Default true is a security feature against malicious extensions [1]
* [SETUP-CHROME] If you use a proxy and you trust your extensions
* [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/
// user_pref("network.proxy.failover_direct", false);
// user_pref("network.trr.mode", 3);
/* 0712: set DoH provider
* The custom uri is the value shown when you "Choose provider>Custom>"
* [NOTE] If you USE custom then "network.trr.uri" should be set the same
* [SETTING] Privacy & Security>DNS over HTTPS>Increased/Max>Choose provider ***/
// user_pref("network.trr.uri", "https://example.dns");
// user_pref("network.trr.custom_uri", "https://example.dns");
/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/
user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
/* 0802: disable location bar domain guessing
* domain guessing intercepts DNS "hostname not found errors" and resends a
* request (e.g. by adding www or .com). This is inconsistent use (e.g. FQDNs), does not work
* via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com
* as the 411 for DNS errors?), privacy issues (why connect to sites you didn't
* intend to), can leak sensitive data (e.g. query strings: e.g. Princeton attack),
* and is a security risk (e.g. common typos & malicious sites set up to exploit this) ***/
user_pref("browser.fixup.alternate.enabled", false); // [DEFAULT: false FF104+]
/* 0804: disable live search suggestions
* [NOTE] Both must be true for the location bar to work
/* 0801: disable location bar making speculative connections [FF56+]
* [1] https://bugzilla.mozilla.org/1348275 ***/
user_pref("browser.urlbar.speculativeConnect.enabled", false);
/* 0802: disable location bar contextual suggestions
* [NOTE] The UI is controlled by the .enabled pref
* [1] https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/ ***/
user_pref("browser.urlbar.quicksuggest.enabled", false); // [FF92+]
user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // [FF95+]
user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); // [FF92+]
/* 0803: disable live search suggestions
* [NOTE] Both must be true for live search to work in the location bar
* [SETUP-CHROME] Override this if you trust and use a privacy respecting search engine ***/
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.urlbar.suggest.searches", false);
/* 0805: disable urlbar trending search suggestions [FF118+] ***/
user_pref("browser.urlbar.trending.featureGate", false);
/* 0806: disable urlbar suggestions ***/
user_pref("browser.urlbar.addons.featureGate", false); // [FF115+]
user_pref("browser.urlbar.mdn.featureGate", false); // [FF117+] [HIDDEN PREF]
user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] [DEFAULT: false]
user_pref("browser.urlbar.yelp.featureGate", false); // [FF124+] [DEFAULT: false]
/* 0807: disable urlbar clipboard suggestions [FF118+] ***/
user_pref("browser.urlbar.clipboard.featureGate", false);
/* 0808: disable recent searches [FF120+]
* [NOTE] Recent searches are cleared with history (2811)
* [1] https://support.mozilla.org/kb/search-suggestions-firefox ***/
// user_pref("browser.urlbar.recentsearches.featureGate", false);
/* 0810: disable search and form history
* [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
* [NOTE] We also clear formdata on exit (2811)
* [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
* [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
* [2] https://bugzilla.mozilla.org/381681 ***/
user_pref("browser.formfill.enable", false);
/* 0815: disable tab-to-search [FF85+] ***/
user_pref("browser.urlbar.suggest.engines", false);
/* 0820: disable coloring of visited links
* Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive
* redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing
@ -352,6 +364,9 @@ user_pref("browser.formfill.enable", false);
* [4] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use)
* [5] https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html ***/
user_pref("layout.css.visited_links_enabled", false);
/* 0830: enable separate default search engine in Private Windows and its UI setting ***/
user_pref("browser.search.separatePrivateDefault", true); // [FF70+]
user_pref("browser.search.separatePrivateDefault.ui.enabled", true); // [FF71+]
/*** [SECTION 0900]: PASSWORDS
[1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas
@ -387,8 +402,8 @@ user_pref("network.auth.subresource-http-auth-allow", 1);
/*** [SECTION 1000]: DISK AVOIDANCE ***/
user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
/* 1001: disable disk cache
* [SETUP-CHROME] If you think disk cache helps perf, then feel free to override this
* [NOTE] We also clear cache on exit (2811) ***/
* [NOTE] We also clear cache on exit (2811)
* [SETUP-CHROME] If you think disk cache helps perf, then feel free to override this ***/
user_pref("browser.cache.disk.enable", false);
/* 1002: disable media cache from writing to disk in Private Browsing
* [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB ***/
@ -398,6 +413,14 @@ user_pref("media.memory_cache_max_size", 65536);
* define on which sites to save extra session data such as form content, cookies and POST data
* 0=everywhere, 1=unencrypted sites, 2=nowhere ***/
user_pref("browser.sessionstore.privacy_level", 2);
/* 1005: disable automatic Thunderbird start and session restore after reboot [FF62+] [WINDOWS]
* [1] https://bugzilla.mozilla.org/603903 ***/
user_pref("toolkit.winRegisterApplicationRestart", false);
/* 1006: disable favicons in shortcuts [WINDOWS]
* URL shortcuts use a cached randomly named .ico file which is stored in your
* profile/shortcutCache directory. The .ico remains after the shortcut is deleted
* If set to false then the shortcuts use a generic Firefox icon ***/
user_pref("browser.shell.shortcutFavicons", false);
/* 1901: disable disk cache for messages not in offline store */
user_pref("mail.imap.use_disk_cache2", false);
@ -416,7 +439,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
* but the problem is that the browser can't know that. Setting this pref to true is the only way for the
* browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server
* [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site?
* [STATS] SSL Labs (Feb 2023) reports over 99.3% of top sites have secure renegotiation [4]
* [STATS] SSL Labs (May 2024) reports over 99.7% of top sites have secure renegotiation [4]
* [1] https://wiki.mozilla.org/Security:Renegotiation
* [2] https://datatracker.ietf.org/doc/html/rfc5746
* [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
@ -453,12 +476,6 @@ user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1]
user_pref("security.OCSP.require", true);
/** CERTS / HPKP (HTTP Public Key Pinning) ***/
/* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
* 0=disable detecting Family Safety mode and importing the root
* 1=only attempt to detect Family Safety mode (don't import the root)
* 2=detect Family Safety mode and import the root
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/
user_pref("security.family_safety.mode", 0);
/* 1223: enable strict PKP (Public Key Pinning)
* 0=disabled, 1=allow user MiTM (default; such as your antivirus), 2=strict
* [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
@ -468,7 +485,7 @@ user_pref("security.cert_pinning.enforcement_level", 2);
* 0 = disabled
* 1 = consult CRLite but only collect telemetry
* 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results
* 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (FF99+, default FF100+)
* 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (default)
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071
* [2] https://blog.mozilla.org/security/tag/crlite/ ***/
user_pref("security.remote_settings.crlite_filters.enabled", true);
@ -481,7 +498,7 @@ user_pref("security.pki.crlite_mode", 2);
/** MIXED CONTENT ***/
/* 1241: disable insecure passive content (such as images) on https pages ***/
user_pref("security.mixed_content.block_display_content", true); // Defense-in-depth (see 1244)
/* 1244: enable HTTPS-Only mode in all windows [FF76+]
/* 1244: enable HTTPS-Only mode in all windows
* When the top-level is HTTPS, insecure subresources are also upgraded (silent fail)
* [TEST] http://example.com [upgrade]
* [TEST] http://httpforever.com/ | http://http.rip [no upgrade] ***/
@ -512,18 +529,6 @@ user_pref("security.warn_entering_weak", true);
user_pref("security.warn_leaving_secure", true);
user_pref("security.warn_viewing_mixed", true);
/*** [SECTION 1400]: FONTS ***/
user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
/* 1402: limit font visibility (Windows, Mac, some Linux) [FF94+]
* Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
* In normal windows: uses the first applicable: RFP (4506) over TP over Standard
* In Private Browsing windows: uses the most restrictive between normal and private
* 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
* [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
// user_pref("layout.css.font-visibility.private", 1);
// user_pref("layout.css.font-visibility.standard", 1);
// user_pref("layout.css.font-visibility.trackingprotection", 1);
/*** [SECTION 1600]: REFERERS
full URI: https://example.com:8888/foo/bar.html?id=1234
scheme+host+port+path: https://example.com:8888/foo/bar.html
@ -541,6 +546,12 @@ user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");
* https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers ***/
user_pref("privacy.userContext.enabled", true);
user_pref("privacy.userContext.ui.enabled", true);
/* 1703: set external links to open in site-specific containers [FF123+]
* [SETUP-WEB] Depending on your container extension(s) and their settings
* true=Firefox will not choose a container (so your extension can)
* false=Firefox will choose the container/no-container (default)
* [1] https://bugzilla.mozilla.org/1874599 ***/
// user_pref("browser.link.force_default_user_context_id_for_external_opens", true);
/*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/
user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
@ -548,7 +559,7 @@ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
/* 2003: force a single network interface for ICE candidates generation [FF42+]
* When using a system-wide proxy, it uses the proxy interface
* [1] https://developer.mozilla.org/en-US/docs/Web/API/RTCIceCandidate
* [1] https://developer.mozilla.org/docs/Web/API/RTCIceCandidate
* [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
user_pref("media.peerconnection.ice.default_address_only", true);
/* 2004: force exclusion of private IPs from ICE candidates [FF51+]
@ -566,12 +577,9 @@ user_pref("dom.disable_window_move_resize", true);
/*** [SECTION 2600]: MISCELLANEOUS ***/
user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
/* 2601: prevent accessibility services from accessing your browser [RESTART]
* [1] https://support.mozilla.org/kb/accessibility-services ***/
user_pref("accessibility.force_disabled", 1);
/* 2603: remove temp files opened with an external application
* [1] https://bugzilla.mozilla.org/302433 ***/
user_pref("browser.helperApps.deleteTempFileOnExit", true);
/* 2603: remove temp files opened from non-PB windows with an external application
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=302433,1738574 ***/
user_pref("browser.download.start_downloads_in_tmp_dir", true); // [FF102+]
/* 2606: disable UITour backend so there is no chance that a remote page can use it ***/
user_pref("browser.uitour.enabled", false);
user_pref("browser.uitour.url", ""); // Defense-in-depth
@ -603,14 +611,15 @@ user_pref("network.IDN_show_punycode", true);
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/
user_pref("pdfjs.disabled", false); // [DEFAULT: false]
user_pref("pdfjs.enableScripting", false); // [FF86+]
/* 2623: disable permissions delegation [FF73+]
* Currently applies to cross-origin geolocation, camera, mic and screen-sharing
* permissions, and fullscreen requests. Disabling delegation means any prompts
* for these will show/use their correct 3rd party origin
* [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/
user_pref("permissions.delegation.enabled", false);
/* 2624: disable middle click on new tab button opening URLs or searches using clipboard [FF115+] */
user_pref("browser.tabs.searchclipboardfor.middleclick", false); // [DEFAULT: false NON-LINUX]
/* 2630: disable content analysis by DLP (Data Loss Prevention) agents
* DLP agents are background processes on managed computers that allow enterprises to monitor locally running
* applications for data exfiltration events, which they can allow/block based on customer defined DLP policies.
* 0=Block all requests, 1=Warn on all requests (which lets the user decide), 2=Allow all requests
* [1] https://github.com/chromium/content_analysis_sdk */
user_pref("browser.contentanalysis.enabled", false); // [FF121+] [DEFAULT: false]
user_pref("browser.contentanalysis.default_result", 0); // [FF127+] [DEFAULT: 0]
/** DOWNLOADS ***/
/* 2651: enable user interaction for security by always asking where to download
@ -622,13 +631,13 @@ user_pref("browser.download.manager.addToRecentDocs", false);
user_pref("browser.download.always_ask_before_handling_new_types", true);
/** EXTENSIONS ***/
/* 2660: lock down allowed extension directories
* [SETUP-CHROME] This will break extensions, language packs, themes and any other
* XPI files which are installed outside of profile and application directories
* [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
* [1] https://archive.is/DYjAM (archived) ***/
/* 2660: limit allowed extension directories
* 1=profile, 2=user, 4=application, 8=system, 16=temporary, 31=all
* The pref value represents the sum: e.g. 5 would be profile and application directories
* [SETUP-CHROME] Breaks usage of files which are installed outside allowed directories
* [1] https://archive.is/DYjAM ***/
user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF]
user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
// user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
/* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+]
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
// user_pref("extensions.webextensions.restrictedDomains", "");
@ -640,86 +649,132 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin
* Opener and redirect heuristics are granted for 30 days, see [3]
* [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/
* [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12
* [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/
* [3] https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/
// user_pref("privacy.antitracking.enableWebcompat", false);
/* 2710: enable state partitioning of service workers [FF96+] ***/
user_pref("privacy.partition.serviceWorkers", true); // [DEFAULT: true FF105+]
/* 2720: enable APS (Always Partitioning Storage) ***/
user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", true); // [FF104+] [DEFAULT: true FF109+]
user_pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false); // [FF105+] [DEFAULT: false FF109+]
/*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/
user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
/* 2810: enable Thunderbird to clear items on shutdown ***/
/* 2810: enable Thunderbird to clear items on shutdown
* [NOTE] In FF129+ clearing "siteSettings" on shutdown (2811), or manually via site data (2820) and
* via history (2830), will no longer remove sanitize on shutdown "cookie and site data" site exceptions (2815) ***/
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
/** SANITIZE ON SHUTDOWN: IGNORES "ALLOW" SITE EXCEPTIONS ***/
/** SANITIZE ON SHUTDOWN: IGNORES "ALLOW" SITE EXCEPTIONS | v2 migration is FF128+ ***/
/* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME]
* [NOTE] If "history" is true, downloads will also be cleared
* [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies
* [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/
* [NOTE] If "history" is true, downloads will also be cleared ***/
user_pref("privacy.clearOnShutdown.cache", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown_v2.cache", true); // [FF128+] [DEFAULT: true]
user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.formdata", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.history", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.sessions", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", true); // [FF128+] [DEFAULT: true]
// user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false]
// user_pref("privacy.clearOnShutdown_v2.siteSettings", false); // [FF128+] [DEFAULT: false]
/* 2812: set Session Restore to clear on shutdown (if 2810 is true) [FF34+]
* [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811)
* [NOTE] If true, this prevents resuming from crashes (also see 5008) ***/
// user_pref("privacy.clearOnShutdown.openWindows", true);
/** SANITIZE ON SHUTDOWN: RESPECTS "ALLOW" SITE EXCEPTIONS FF103+ ***/
/** SANITIZE ON SHUTDOWN: RESPECTS "ALLOW" SITE EXCEPTIONS FF103+ | v2 migration is FF128+ ***/
/* 2815: set "Cookies" and "Site Data" to clear on shutdown (if 2810 is true) [SETUP-CHROME]
* [NOTE] Exceptions: A "cookie" block permission also controls "offlineApps" (see note below).
* serviceWorkers require an "Allow" permission. For cross-domain logins, add exceptions for
* both sites e.g. https://www.youtube.com (site) + https://accounts.google.com (single sign on)
* [NOTE] Exceptions: A "cookie" permission also controls "offlineApps" (see note below). For cross-domain logins,
* add exceptions for both sites e.g. https://www.youtube.com (site) + https://accounts.google.com (single sign on)
* [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
* [NOTE] "sessions": Active Logins (has no site exceptions): refers to HTTP Basic Authentication [1], not logins via cookies
* [WARNING] Be selective with what sites you "Allow", as they also disable partitioning (1767271)
* [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow (when on the website in question)
* [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/
* [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings
* [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/
user_pref("privacy.clearOnShutdown.cookies", true); // Cookies
user_pref("privacy.clearOnShutdown.offlineApps", true); // Site Data
user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins [DEFAULT: true]
user_pref("privacy.clearOnShutdown_v2.cookiesAndStorage", true); // Cookies, Site Data, Active Logins [FF128+]
/** SANITIZE MANUAL: IGNORES "ALLOW" SITE EXCEPTIONS ***/
/* 2820: reset default items to clear with Ctrl-Shift-Del [SETUP-CHROME]
* This dialog can also be accessed from the menu History>Clear Recent History
/** SANITIZE SITE DATA: IGNORES "ALLOW" SITE EXCEPTIONS ***/
/* 2820: set manual "Clear Data" items [SETUP-CHROME] [FF128+]
* Thunderbird remembers your last choices. This will reset them when you start Thunderbird
* [SETTING] Privacy & Security>Browser Privacy>Cookies and Site Data>Clear Data ***/
user_pref("privacy.clearSiteData.cache", true);
user_pref("privacy.clearSiteData.cookiesAndStorage", false); // keep false until it respects "allow" site exceptions
user_pref("privacy.clearSiteData.historyFormDataAndDownloads", true);
// user_pref("privacy.clearSiteData.siteSettings", false);
/** SANITIZE HISTORY: IGNORES "ALLOW" SITE EXCEPTIONS | clearHistory migration is FF128+ ***/
/* 2830: set manual "Clear History" items, also via Ctrl-Shift-Del [SETUP-CHROME]
* Thunderbird remembers your last choices. This will reset them when you start Thunderbird
* [NOTE] Regardless of what you set "downloads" to, as soon as the dialog
* for "Clear Recent History" is opened, it is synced to the same as "history" ***/
user_pref("privacy.cpd.cache", true); // [DEFAULT: true]
user_pref("privacy.clearHistory.cache", true);
user_pref("privacy.cpd.formdata", true); // [DEFAULT: true]
user_pref("privacy.cpd.history", true); // [DEFAULT: true]
// user_pref("privacy.cpd.downloads", true); // not used, see note above
user_pref("privacy.clearHistory.historyFormDataAndDownloads", true);
user_pref("privacy.cpd.cookies", false);
user_pref("privacy.cpd.sessions", true); // [DEFAULT: true]
user_pref("privacy.cpd.offlineApps", true); // [DEFAULT: false]
user_pref("privacy.cpd.cookies", true);
// user_pref("privacy.cpd.downloads", true); // not used, see note above
user_pref("privacy.clearHistory.cookiesAndStorage", false);
// user_pref("privacy.cpd.openWindows", false); // Session Restore
// user_pref("privacy.cpd.passwords", false);
// user_pref("privacy.cpd.siteSettings", false);
/* 2822: reset default "Time range to clear" for "Clear Recent History" (2820)
// user_pref("privacy.clearHistory.siteSettings", false);
/** SANITIZE MANUAL: TIMERANGE ***/
/* 2840: set "Time range to clear" for "Clear Data" (2820) and "Clear History" (2830)
* Thunderbird remembers your last choice. This will reset the value when you start Thunderbird
* 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today
* [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown,
* which will display a blank value, and are not guaranteed to work ***/
user_pref("privacy.sanitize.timeSpan", 0);
/*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
RFP covers a wide range of ongoing fingerprinting solutions.
It is an all-or-nothing buy in: you cannot pick and choose what parts you want
/*** [SECTION 4000]: FPP (fingerprintingProtection)
RFP (4501) overrides FPP
In FF118+ FPP is on by default in private windows (4001) and in FF119+ is controlled
by ETP (2701). FPP will also use Remote Services in future to relax FPP protections
on a per site basis for compatibility (4004).
https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargetsDefault.inc
1826408 - restrict fonts to system (kBaseFonts + kLangPackFonts) (Windows, Mac, some Linux)
https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc
1858181 - subtly randomize canvas per eTLD+1, per session and per window-mode (FF120+)
***/
user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!");
/* 4001: enable FPP in PB mode [FF114+]
* [NOTE] In FF119+, FPP for all modes (7016) is enabled with ETP Strict (2701) ***/
// user_pref("privacy.fingerprintingProtection.pbmode", true); // [DEFAULT: true FF118+]
/* 4002: set global FPP overrides [FF114+]
* uses "RFPTargets" [1] which despite the name these are not used by RFP
* e.g. "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC" = all targets but allow prefers-color-scheme and do not change timezone
* e.g. "-AllTargets,+CanvasRandomization,+JSDateTimeUTC" = no targets but do use FPP canvas and change timezone
* [NOTE] Not supported by arkenfox. Either use RFP or FPP at defaults
* [WARNING] Not recommended. Either use RFP or FPP at defaults
* [1] https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc ***/
// user_pref("privacy.fingerprintingProtection.overrides", "");
/* 4003: set granular FPP overrides
* JSON format: e.g."[{\"firstPartyDomain\": \"netflix.com\", \"overrides\": \"-CanvasRandomization,-FrameRate,\"}]"
* [NOTE] Not supported by arkenfox. Either use RFP or FPP at defaults ***/
// user_pref("privacy.fingerprintingProtection.granularOverrides", "");
/* 4004: disable remote FPP overrides [FF127+] ***/
// user_pref("privacy.fingerprintingProtection.remoteOverrides.enabled", false);
/*** [SECTION 4500]: OPTIONAL RFP (resistFingerprinting)
RFP overrides FPP (4000)
FF128+ Arkenfox by default uses FPP (automatically enabled with ETP Strict). For most people
this is all you need. To use RFP instead, add RFP (4501) to your overrides, and optionally
add letterboxing (4504), spoof_english (4506), and webgl (4520).
RFP is an all-or-nothing buy in: you cannot pick and choose what parts you want
[TEST] https://arkenfox.github.io/TZP/tzp.html
[WARNING] DO NOT USE extensions to alter RFP protected metrics
418986 - limit window.screen & CSS media queries (FF41)
1281949 - spoof screen orientation (FF50)
1330890 - spoof timezone as UTC0 (FF55)
1360039 - spoof navigator.hardwareConcurrency as 2 (FF55)
1217238 - reduce precision of time exposed by javascript (FF55)
FF56
1369303 - spoof/disable performance API
1333651 - spoof User Agent & Navigator API
version: android version spoofed as ESR
version: android version spoofed as ESR (FF119 or lower)
OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android
1369319 - disable device sensor API
1369357 - disable site specific zoom
@ -730,13 +785,12 @@ user_pref("privacy.sanitize.timeSpan", 0);
1369309 - spoof media statistics
1382499 - reduce screen co-ordinate fingerprinting in Touch API
1217290 & 1409677 - enable some fingerprinting resistance for WebGL
1382545 - reduce fingerprinting in Animation API
1354633 - limit MediaError.message to a whitelist
FF58+
1372073 - spoof/block fingerprinting in MediaDevices API (FF59)
Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone"
Block: suppresses the ondevicechange event
1039069 - warn when language prefs are not set to "en*" (also see 0210, 0211) (FF59)
1039069 - warn when language prefs are not set to "en*" (FF59)
1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59)
Spoofing mimics the content language of the document. Currently it only supports en-US.
Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected.
@ -755,20 +809,22 @@ user_pref("privacy.sanitize.timeSpan", 0);
1653987 - limit font visibility to bundled and "Base Fonts" (Windows, Mac, some Linux) (FF80)
1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82)
531915 - use fdlibm's sin, cos and tan in jsmath (FF93, ESR91.1)
1756280 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF100)
1756280 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF100-115)
1692609 - reduce JS timing precision to 16.67ms (previously FF55+ was 100ms) (FF102)
1422237 - return "srgb" with color-gamut (FF110)
1794628 - return "none" with inverted-colors (FF114)
1554751 - return devicePixelRatio as 2 (previously FF41+ was 1) (FF127)
1787790 - normalize system fonts (FF128)
1835987 - spoof timezone as Atlantic/Reykjavik (previously FF55+ was UTC) (FF128)
***/
user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
/* 4501: enable privacy.resistFingerprinting
* [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a site exception via the urlbar
* RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme
/* 4501: enable RFP
* [NOTE] pbmode applies if true and the original pref is false
* [1] https://bugzilla.mozilla.org/418986 ***/
user_pref("privacy.resistFingerprinting", true); // [FF41+]
* [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a canvas site exception via the urlbar.
* RFP also has a few side effects: mainly that timezone is GMT, and websites will prefer light theme ***/
// user_pref("privacy.resistFingerprinting", true); // [FF41+]
// user_pref("privacy.resistFingerprinting.pbmode", true); // [FF114+]
/* 4502: set new window size rounding max values [FF55+]
/* 4502: set RFP new window size max rounded values [FF55+]
* [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to 100s, to fit your screen
* [1] https://bugzilla.mozilla.org/1330882 ***/
user_pref("privacy.window.maxInnerWidth", 1600);
@ -776,8 +832,8 @@ user_pref("privacy.window.maxInnerHeight", 900);
/* 4503: disable mozAddonManager Web API [FF57+]
* [NOTE] To allow extensions to work on AMO, you also need 2662 and 4505
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF FF57-108]
/* 4504: enable RFP letterboxing [FF67+]
user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
/* 4504: enable letterboxing [FF67+]
* Dynamically resizes the inner window by applying margins in stepped ranges [2]
* If you use the dimension pref, then it will only apply those resolutions.
* The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000")
@ -786,24 +842,19 @@ user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDE
* [WARNING] DO NOT USE: the dimension pref is only meant for testing
* [1] https://bugzilla.mozilla.org/1407366
* [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/
user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
// user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
// user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF]
/* 4505: experimental RFP [FF91+]
* List of domains exempted from RFP (comma-separated).
* [WARNING] DO NOT USE unless testing, see [1] comment 12
* [1] https://bugzilla.mozilla.org/1635603 ***/
/* 4505: disable RFP by domain (comma-separated) [FF91+] ***/
// user_pref("privacy.resistFingerprinting.exemptedDomains", "addons.thunderbird.net");
/* 4506: set RFP's font visibility level (1402) [FF94+] ***/
// user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1]
/* 4506: disable RFP spoof english prompt [FF59+]
* 0=prompt, 1=disabled, 2=enabled
* [NOTE] When changing from value 2, preferred languages ('intl.accept_languages') is not reset.
* [SETUP-WEB] when enabled, sets 'en-US, en' for displaying pages and 'en-US' as locale.
* [SETTING] General>Language>Choose your preferred language for displaying pages>Choose>Request English... ***/
user_pref("privacy.spoof_english", 1);
/* 4510: disable using system colors
* [SETTING] General > Language and Appearance > Fonts and Colors > Colors... > Use system colors ***/
user_pref("browser.display.use_system_colors", false); // [DEFAULT: false NON-WINDOWS]
/* 4511: enforce non-native widget theme
* Security: removes/reduces system API calls, e.g. win32k API [1]
* Fingerprinting: provides a uniform look and feel across platforms [2]
* [1] https://bugzilla.mozilla.org/1381938
* [2] https://bugzilla.mozilla.org/1411425 ***/
user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true]
/* 4512: enforce links targeting new windows to open in a new tab instead
* 1=most recent window or tab, 2=new window, 3=new tab
* Stops malicious window sizes and some screen resolution leaks.
@ -818,8 +869,7 @@ user_pref("browser.link.open_newwindow", 3); // [DEFAULT: 3]
* [1] https://searchfox.org/mozilla-central/source/dom/tests/browser/browser_test_new_window_from_content.js
* [2] https://searchfox.org/comm-esr102/source/mail/app/profile/all-thunderbird.js#730 ***/
user_pref("browser.link.open_newwindow.restriction", 0);
/* 4520: disable WebGL (Web Graphics Library)
* [SETUP-WEB] If you need it then override it. RFP still randomizes canvas for naive scripts ***/
/* 4520: disable WebGL (Web Graphics Library) ***/
user_pref("webgl.disabled", true);
/*** [SECTION 5000]: OPTIONAL OPSEC
@ -866,6 +916,26 @@ user_pref("browser.sessionstore.max_tabs_undo", 0);
* Application data isolation [1]
* [1] https://bugzilla.mozilla.org/1281959 ***/
// user_pref("browser.download.forbid_open_with", true);
/* 5010: disable location bar suggestion types ***/
user_pref("browser.urlbar.suggest.history", false);
user_pref("browser.urlbar.suggest.bookmark", false);
user_pref("browser.urlbar.suggest.openpage", false);
user_pref("browser.urlbar.suggest.topsites", false); // [FF78+]
/* 5011: disable location bar dropdown
* This value controls the total number of entries to appear in the location bar dropdown ***/
user_pref("browser.urlbar.maxRichResults", 0);
/* 5012: disable location bar autofill
* [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/
user_pref("browser.urlbar.autoFill", false);
/* 5013: disable browsing and download history
* [NOTE] We also clear history and downloads on exit (2811)
* [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/
user_pref("places.history.enabled", false);
/* 5014: disable Windows jumplist [WINDOWS] ***/
user_pref("browser.taskbar.lists.enabled", false);
user_pref("browser.taskbar.lists.frequent.enabled", false);
user_pref("browser.taskbar.lists.recent.enabled", false);
user_pref("browser.taskbar.lists.tasks.enabled", false);
/* 5013: disable browsing and download history
* [NOTE] We also clear history and downloads on exit (2811) ***/
user_pref("places.history.enabled", false);
@ -876,8 +946,8 @@ user_pref("places.history.enabled", false);
* If .supportedCountries includes your region (browser.search.region) and .supported
* is "detect" (default), then the UI will show. Stored data is not secure, uses JSON
* [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/
user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+]
user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+]
user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+]
user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+]
/* 5018: limit events that can cause a pop-up ***/
user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
/* 5019: disable page thumbnail collection ***/
@ -911,7 +981,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
* [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js
* [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
user_pref("javascript.options.asmjs", false);
/* 5505: disable Ion and baseline JIT to harden against JS exploits
/* 5505: disable Ion and baseline JIT to harden against JS exploits [RESTART]
* [NOTE] When both Ion and JIT are disabled, and trustedprincipals
* is enabled, then Ion can still be used by extensions (1599226)
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit
@ -923,7 +993,7 @@ user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN
* Vulnerabilities [1] have increasingly been found, including those known and fixed
* in native programs years ago [2]. WASM has powerful low-level access, making
* certain attacks (brute-force) and vulnerabilities more possible
* [STATS] ~0.2% of websites, about half of which are for crytomining / malvertising [2][3]
* [STATS] ~0.2% of websites, about half of which are for cryptomining / malvertising [2][3]
* [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wasm
* [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
* [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
@ -939,8 +1009,8 @@ user_pref("browser.eme.ui.enabled", false);
/* 5509: disable IPv6 if using a VPN
* This is an application level fallback. Disabling IPv6 is best done at an OS/network
* level, and/or configured properly in system wide VPN setups.
* If you see PR_CONNECT_RESET_ERROR, this pref *might* be the cause
* [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
* [SETUP-WEB] PR_CONNECT_RESET_ERROR
* [TEST] https://ipleak.org/
* [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/
// user_pref("network.dns.disableIPv6", true);
@ -948,7 +1018,12 @@ user_pref("browser.eme.ui.enabled", false);
* 0=always (default), 1=only if base domains match, 2=only if hosts match
* [NOTE] Will cause breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram ***/
user_pref("network.http.referer.XOriginPolicy", 2);
/* 5590: show a prompt when opening a link in external applications ***/
/* 5511: set DoH bootstrap address [FF89+]
* Thunderbird uses the system DNS to initially resolve the IP address of your DoH server.
* When set to a valid, working value that matches your "network.trr.uri" (0712) Thunderbird
* won't use the system DNS. If the IP doesn't match then DoH won't work ***/
// user_pref("network.trr.bootstrapAddr", "10.0.0.1"); // [HIDDEN PREF]
/* 5590: show a prompt when opening a link in external applications [SETUP-CHROME] ***/
user_pref("security.external_protocol_requires_permission", true);
/*** [SECTION 6000]: DON'T TOUCH ***/
@ -967,10 +1042,10 @@ user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000]
* [WARNING] Replaced with network partitioning (FF85+) and TCP (2701), and enabling FPI
* disables those. FPI is no longer maintained except at Tor Project for Tor Browser's config ***/
user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false]
/* 6009: enforce SmartBlock shims [FF81+]
/* 6009: enforce SmartBlock shims (about:compat) [FF81+]
* In FF96+ these are listed in about:compat
* [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/
user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true]
user_pref("extensions.webcompat.enable_shims", true); // [HIDDEN PREF] [DEFAULT: true]
/* 6010: enforce no TLS 1.0/1.1 downgrades
* [TEST] https://tls-v1-1.badssl.com:1010/ ***/
user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false]
@ -981,21 +1056,16 @@ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false]
/* 6012: enforce Quarantined Domains [FF115+]
* [WHY] https://support.mozilla.org/kb/quarantined-domains */
user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true]
/* 6050: prefsCleaner: reset previously active items removed from arkenfox FF102+ ***/
// user_pref("beacon.enabled", "");
// user_pref("browser.region.network.url", "");
// user_pref("browser.region.update.enabled", "");
// user_pref("browser.ssl_override_behavior", "");
// user_pref("devtools.chrome.enabled", "");
// user_pref("dom.disable_beforeunload", "");
// user_pref("dom.disable_open_during_load", "");
// user_pref("extensions.formautofill.available", "");
// user_pref("extensions.formautofill.addresses.supported", "");
// user_pref("extensions.formautofill.creditCards.available", "");
// user_pref("extensions.formautofill.creditCards.supported", "");
// user_pref("middlemouse.contentLoadURL", "");
/* 6051: prefsCleaner: reset previously active items removed from arkenfox FF115+ ***/
/* 6050: prefsCleaner: previously active items removed from arkenfox 115-127 ***/
// user_pref("accessibility.force_disabled", "");
// user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", "");
// user_pref("geo.provider.network.url", "");
// user_pref("geo.provider.network.logging.enabled", "");
// user_pref("geo.provider.use_gpsd", "");
// user_pref("network.protocol-handler.external.ms-windows-store", "");
// user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", "");
// user_pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", "");
// user_pref("privacy.partition.serviceWorkers", "");
/*** [SECTION 7000]: DON'T BOTHER
Thunderbird-User.JS maintainer here :
@ -1012,8 +1082,8 @@ user_pref("full-screen-api.enabled", false);
/* 7003: disable non-modern cipher suites [1]
* [WHY] Passive fingerprinting. Minimal/non-existent threat of downgrade attacks
* [1] https://browserleaks.com/ssl ***/
// user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // [DEFAULT: false FF109+]
// user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); // [DEFAULT: false FF109+]
// user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false);
// user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
// user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
// user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false);
// user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS
@ -1065,12 +1135,14 @@ user_pref("dom.event.clipboardevents.enabled", false);
* [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict (2701) ***/
// user_pref("privacy.donottrackheader.enabled", true);
/* 7016: customize ETP settings
* [NOTE] FPP (fingerprintingProtection) is ignored when RFP (4501) is enabled
* [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/
// user_pref("network.cookie.cookieBehavior", 5); // [DEFAULT: 5 FF103+]
// user_pref("network.cookie.cookieBehavior", 5); // [DEFAULT: 5]
// user_pref("privacy.fingerprintingProtection", true); // [FF114+] [ETP FF119+]
// user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true);
// user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", true); // [FF100+]
// user_pref("privacy.partition.network_state.ocsp_cache", true);
// user_pref("privacy.query_stripping.enabled", true); // [FF101+] [ETP FF102+]
// user_pref("privacy.partition.network_state.ocsp_cache", true); // [DEFAULT: true FF123+]
// user_pref("privacy.query_stripping.enabled", true); // [FF101+]
// user_pref("privacy.trackingprotection.enabled", true);
// user_pref("privacy.trackingprotection.socialtracking.enabled", true);
// user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
@ -1078,13 +1150,12 @@ user_pref("dom.event.clipboardevents.enabled", false);
/* 7017: disable service workers
* [WHY] Already isolated with TCP (2701) behind a pref (2710) ***/
// user_pref("dom.serviceWorkers.enabled", false);
/* 7018: disable Web Notifications
/* 7018: disable Web Notifications [FF22+]
* [WHY] Web Notifications are behind a prompt (7002)
* [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/ ***/
// user_pref("dom.webnotifications.enabled", false); // [FF22+]
// user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
// user_pref("dom.webnotifications.enabled", false);
/* 7019: disable Push Notifications [FF44+]
* [WHY] Push requires subscription
* [WHY] Website "push" requires subscription, and the API is required for CRLite (1224)
* [NOTE] To remove all subscriptions, reset "dom.push.userAgentID"
* [1] https://support.mozilla.org/kb/push-notifications-firefox ***/
// user_pref("dom.push.enabled", false);
@ -1095,6 +1166,10 @@ user_pref("dom.event.clipboardevents.enabled", false);
* [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ
* [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/
user_pref("media.peerconnection.enabled", false);
/* 7021: enable GPC (Global Privacy Control) in non-PB windows
* [WHY] Passive and active fingerprinting. Mostly redundant with Tracking Protection
* in ETP Strict (2701) and sanitizing on close (2800s) ***/
// user_pref("privacy.globalprivacycontrol.enabled", true);
/*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING
[WHY] They are insufficient to help anti-fingerprinting and do more harm than good
@ -1129,7 +1204,10 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan
/*** [SECTION 9000]: NON-PROJECT RELATED ***/
user_pref("_user.js.parrot", "9000 syntax error: the parrot's cashed in 'is chips!");
/* 9001: disable welcome notices ***/
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("browser.startup.homepage_override.mstone", "ignore"); // [HIDDEN PREF]
/* 9002: disable extensions/features recommendations as you browse [FF67+] ***/
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
/* 9090: disable return receipt sending unconditionally ***/
// user_pref("mail.mdn.report.enabled", false);
/* 9099: e-mail custom headers (examples) ***/
@ -1169,10 +1247,16 @@ user_pref("mailnews.auto_config.guess.requireGoodCert", true); // [DEFAULT: true
user_pref("mail.provider.enabled", false);
/** UI (User Interface) ***/
/* 9110: Control how email addresses are displayed
* It's safer to always show actual email address, as name could be spoofed to one of your contacts
* 0=name + email (default)
* 1=email
* 2=name ***/
// user_pref("mail.addressDisplayFormat", 0);
/* 9111: Show full email instead of just name from address book
* true=Show just the display name for people in the address book (default)
* false=Show both the email address and display name. ***/
user_pref("mail.showCondensedAddresses", false);
* true=Show just the display name for people in the address book
* false=Show both the email address and display name. (default) ***/
// user_pref("mail.showCondensedAddresses", false);
/* 9112: Disable "Filelink for Large Attachments" feature
* [1] https://support.thunderbird.net/kb/filelink-large-attachments ***/
user_pref("mail.cloud_files.enabled", false);
@ -1216,9 +1300,10 @@ user_pref("mailnews.display.date_senders_timezone", false);
* "Received" header. Set the following preference. New messages will show the time the message
* was received, rather than when it was sent. ***/
// user_pref("mailnews.use_received_date", true);
/* 9126: Send minimal User-Agent in outgoing email messages (default) */
user_pref("mailnews.headers.sendUserAgent", true);
user_pref("mailnews.headers.useMinimalUserAgent", true);
/* 9126: Prevent any MUA information leakage through User-Agent header in outgoing email messages
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1114475 ***/
user_pref("mailnews.headers.sendUserAgent", false);
// user_pref("mailnews.headers.useMinimalUserAgent", true);
/** ADDRESS BOOK ***/
/* 9130: Address book collection [SETUP-FEATURE]
@ -1262,6 +1347,8 @@ user_pref("mail.sanitize_date_header", true);
/* 9210: Check spelling before sending
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=667133 ***/
// user_pref("mail.SpellCheckBeforeSend", false);
/* 9211: Set dictionary to US ***/
user_pref("spellchecker.dictionary", "en-US");
/* 9212: Compose email in plaintext unless expressly overridden
* Sometimes HTML is useful especially when used with Markdown Here
* [SETTING] Account Settings > Composition & Addressing > Composition > Compose messages in HTML format
@ -1449,39 +1536,71 @@ user_pref("_user.js.parrot", "9400 syntax error: this parrot is talking in codes
* [1] https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Allow_the_use_of_external_GnuPG ***/
user_pref("mail.openpgp.allow_external_gnupg", true); // [HIDDEN PREF]
/*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED
Documentation denoted as [-]. Items deprecated prior to FF91 have been archived at [1]
[1] https://github.com/arkenfox/user.js/issues/123
***/
/*** [SECTION 9999]: DEPRECATED / RENAMED ***/
user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!");
/* ESR102.x still uses all the following prefs
/* ESR115.x still uses all the following prefs
// [NOTE] replace the * with a slash in the line above to re-enable active ones
// FF103
// 2801: delete cookies and site data on exit - replaced by sanitizeOnShutdown* (2810)
// 0=keep until they expire (default), 2=keep until you close Thunderbird
// [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1681493,1681495,1681498,1759665,1764761
user_pref("network.cookie.lifetimePolicy", 2);
// 6012: disable SHA-1 certificates
// [-] https://bugzilla.mozilla.org/1766687
// user_pref("security.pki.sha1_enforcement_level", 1); // [DEFAULT: 1]
// FF114
// 2816: set cache to clear on exit [FF96+]
// [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is more robust
// [1] https://bugzilla.mozilla.org/1671182
// [-] https://bugzilla.mozilla.org/1821651
// user_pref("privacy.clearsitedata.cache.enabled", true);
// 4505: experimental RFP [FF91+]
// [-] https://bugzilla.mozilla.org/1824235
// user_pref("privacy.resistFingerprinting.testGranularityMask", 0);
// 5017: disable Form Autofill heuristics
// Heuristics controls Form Autofill on forms without @autocomplete attributes
// [-] https://bugzilla.mozilla.org/1829670
// user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
// FF115
// 7001: disable offline cache (appCache)
// [NOTE] appCache storage capability was removed in FF90
// [-] https://bugzilla.mozilla.org/1677718
// user_pref("browser.cache.offline.enable", false);
// FF116
// 4506: set RFP's font visibility level (1402) [FF94+]
// [-] https://bugzilla.mozilla.org/1838415
// user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1]
// FF117
// 1221: disable Windows Microsoft Family Safety cert [FF50+] [WINDOWS]
// 0=disable detecting Family Safety mode and importing the root
// 1=only attempt to detect Family Safety mode (don't import the root)
// 2=detect Family Safety mode and import the root
// [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686
// [-] https://bugzilla.mozilla.org/1844908
user_pref("security.family_safety.mode", 0);
// 7018: disable service worker Web Notifications [FF44+]
// [WHY] Web Notifications are behind a prompt (7002)
// [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/
// [-] https://bugzilla.mozilla.org/1842457
// user_pref("dom.webnotifications.serviceworker.enabled", false);
// FF118
// 1402: limit font visibility (Windows, Mac, some Linux) [FF94+]
// Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
// In normal windows: uses the first applicable: RFP over TP over Standard
// In Private Browsing windows: uses the most restrictive between normal and private
// 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
// [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc
// [-] https://bugzilla.mozilla.org/1847599
// user_pref("layout.css.font-visibility.private", 1);
// user_pref("layout.css.font-visibility.standard", 1);
// user_pref("layout.css.font-visibility.trackingprotection", 1);
// 2623: disable permissions delegation [FF73+]
// Currently applies to cross-origin geolocation, camera, mic and screen-sharing
// permissions, and fullscreen requests. Disabling delegation means any prompts
// for these will show/use their correct 3rd party origin
// [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion
// [-] https://bugzilla.mozilla.org/1697151
// user_pref("permissions.delegation.enabled", false);
// FF119
// 0211: use en-US locale regardless of the system or region locale
// [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1]
// [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630
// [-] https://bugzilla.mozilla.org/1846224
// user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
// FF123
// 0334: disable PingCentre telemetry (used in several System Add-ons) [FF57+]
// Defense-in-depth: currently covered by 0331
// [-] https://bugzilla.mozilla.org/1868988
user_pref("browser.ping-centre.telemetry", false);
// FF126
// 9003: disable What's New toolbar icon [FF69+]
// [-] https://bugzilla.mozilla.org/1724300
user_pref("browser.messaging-system.whatsNewPanel.enabled", false);
// FF127
// 2630: disable content analysis by DLP (Data Loss Prevention) agents - replaced by default_result
// [-] https://bugzilla.mozilla.org/1880314
user_pref("browser.contentanalysis.default_allow", false);
// 4511: enforce non-native widget theme
// Security: removes/reduces system API calls, e.g. win32k API [1]
// Fingerprinting: provides a uniform look and feel across platforms [2]
// [1] https://bugzilla.mozilla.org/1381938
// [2] https://bugzilla.mozilla.org/1411425
// [-] https://bugzilla.mozilla.org/1848899
user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true]
// ***/
/* END: internal custom pref to test for syntax errors ***/