From 0adfddd1e2ab18b3fcbc45f6d04c4d9394149d6a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 21 Oct 2020 00:58:20 +1300 Subject: [PATCH] misc (#1040) * misc - cleanup of old release notation in comments: e.g. if it's not applicable to ESR78+ - same with default version info - simplify and save bytes on section 4700 - update 4500 header - and unify the message about using extensions as counterproductive - letterboxing - provide info on stepped ranged (and drop crap about FF67) - don't judge users who dislike seeing margins (I don't like them either, but I force my window to exact dimensions and stay there) - screenshots uploading was disabled in FF67+ : [67 release notes](https://www.mozilla.org/en-US/firefox/67.0/releasenotes/) - the pref is still there (default false) but so far I'm 99% sure this pref now does anything - I will add it to the scatchpad script if this change sticks * simplify 4500 RFP, see #1041 * update removed script * tidy readme, see #1045 - also put readme before releases * RIP FX Site Compat * clean out RFP Alts info: the information is redundant: it's already in the readme --- scratchpad-scripts/arkenfox-clear-removed.js | 6 +- user.js | 254 ++++++++----------- 2 files changed, 110 insertions(+), 150 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 8ade622..c5e40fd 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 2-Oct-2020 + Last updated: 18-Oct-2020 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -225,6 +225,10 @@ 'browser.urlbar.usepreloadedtopurls.enabled', /* 80 */ 'dom.IntersectionObserver.enabled', + /* 82-beta */ + 'extensions.screenshots.upload-disabled', + 'security.ssl3.dhe_rsa_aes_128_sha', + 'security.ssl3.dhe_rsa_aes_256_sha', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] diff --git a/user.js b/user.js index e2a9466..7cdf263 100644 --- a/user.js +++ b/user.js @@ -5,40 +5,34 @@ * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt -* releases: These are end-of-stable-life-cycle legacy archives. - *Always* use the master branch user.js for a current up-to-date version - url: https://github.com/arkenfox/user.js/releases - * README: - 0. Consider using Tor Browser if it meets your needs or fits your threat model better - * https://www.torproject.org/about/torusers.html.en - 1. READ the full README - * https://github.com/arkenfox/user.js/blob/master/README.md - 2. READ this - * https://github.com/arkenfox/user.js/wiki/1.3-Implementation - 3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum - * Real time binary checks with Google services are disabled (0412) - * You will still get prompts to update Firefox, but auto-installing them is disabled (0302a) - * Some user data is erased on close (section 2800). Change this to suit your needs - * EACH RELEASE check: - - 4600s: reset prefs made redundant due to privacy.resistFingerprinting (RPF) - or enable them as an alternative to RFP (or some of them for ESR users) - - 9999s: reset deprecated prefs in about:config or enable the relevant section for ESR - * Site breakage WILL happen - - There are often trade-offs and conflicts between Security vs Privacy vs Anti-Fingerprinting - and these need to be balanced against Functionality & Convenience & Breakage - * You will need to make changes, and to troubleshoot at times (choose wisely, there is always a trade-off). - While not 100% definitive, search for "[SETUP". If required, add each pref to your overrides section at - default values (or comment them out and reset them in about:config). Here are the main ones: + 1. Consider using Tor Browser if it meets your needs or fits your threat model better + * https://www.torproject.org/about/torusers.html.en + 2. Required reading: Overview, Backing Up, Implementing, and Maintenance entries + * https://github.com/arkenfox/user.js/wiki + 3. If you skipped step 2, return to step 2 + 4. Make changes + * There are often trade-offs and conflicts between security vs privacy vs anti-fingerprinting + and these need to be balanced against functionality & convenience & breakage + * Some site breakage and unintended consequences will happen. Everyone's experience will differ + e.g. some user data is erased on close (section 2800), change this to suit your needs + * While not 100% definitive, search for "[SETUP" tags + * Take the wiki link in step 2 and read the Troubleshooting entry + 5. Some tag info [SETUP-SECURITY] it's one item, read it [SETUP-WEB] can cause some websites to break - [SETUP-CHROME] changes how Firefox itself behaves (i.e. NOT directly website related) + [SETUP-CHROME] changes how Firefox itself behaves (i.e. not directly website related) [SETUP-PERF] may impact performance - [SETUP-HARDEN] maybe you should consider using the Tor Browser - * [WARNING] tags are extra special and used sparingly, so heed them - 4. BACKUP your profile folder before implementing (and/or test in a new/cloned profile) - 5. KEEP UP TO DATE: https://github.com/arkenfox/user.js/wiki#small_orange_diamond-maintenance + [WARNING] used sparingly, heed them + +* RELEASES + + * Archive: https://github.com/arkenfox/user.js/releases + * Use the correct release that matches your Firefox version + * Each release + - run the prefsCleaner or reset deprecated prefs (9999s) and prefs made redundant by RFP (4600s) + - re-enable section 4600 if you don't use RFP * INDEX: @@ -68,7 +62,7 @@ 4000: FPI (FIRST PARTY ISOLATION) 4500: RFP (RESIST FINGERPRINTING) 4600: RFP ALTERNATIVES - 4700: RFP ALTERNATIVES (NAVIGATOR / USER AGENT (UA) SPOOFING) + 4700: RFP ALTERNATIVES (USER AGENT SPOOFING) 5000: PERSONAL 9999: DEPRECATED / REMOVED / LEGACY / RENAMED @@ -340,10 +334,8 @@ user_pref("extensions.systemAddon.update.url", ""); // [FF44+] /* 0506: disable PingCentre telemetry (used in several System Add-ons) [FF57+] * Currently blocked by 'datareporting.healthreport.uploadEnabled' (see 0340) ***/ user_pref("browser.ping-centre.telemetry", false); -/* 0515: disable Screenshots - * alternatively in FF60+, disable uploading to the Screenshots server ***/ +/* 0515: disable Screenshots ***/ // user_pref("extensions.screenshots.disabled", true); // [FF55+] - // user_pref("extensions.screenshots.upload-disabled", true); // [FF60+] /* 0517: disable Form Autofill * [NOTE] Stored data is NOT secure (uses a JSON file) * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes @@ -365,7 +357,7 @@ user_pref("network.prefetch-next", false); /* 0602: disable DNS prefetching * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/ user_pref("network.dns.disablePrefetch", true); -user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true FF70+] +user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true] /* 0603: disable predictor / prefetching ***/ user_pref("network.predictor.enabled", false); user_pref("network.predictor.enable-prefetch", false); // [FF48+] @@ -417,8 +409,7 @@ user_pref("network.http.altsvc.oe", false); * as a remote Tor node will handle the DNS request * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/ user_pref("network.proxy.socks_remote_dns", true); -/* 0708: disable FTP [FF60+] - * [1] https://www.fxsitecompat.dev/en-CA/docs/2020/ftp-support-will-be-removed/ ***/ +/* 0708: disable FTP [FF60+] ***/ // user_pref("network.ftp.enabled", false); /* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+] * [SETUP-CHROME] Can break extensions for profiles on network shares @@ -546,8 +537,7 @@ user_pref("signon.formlessCapture.enabled", false); * hardens against potential credentials phishing * 0=don't allow sub-resources to open HTTP authentication credentials dialogs * 1=don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs - * 2=allow sub-resources to open HTTP authentication credentials dialogs (default) - * [1] https://www.fxsitecompat.com/en-CA/docs/2015/http-auth-dialog-can-no-longer-be-triggered-by-cross-origin-resources/ ***/ + * 2=allow sub-resources to open HTTP authentication credentials dialogs (default) ***/ user_pref("network.auth.subresource-http-auth-allow", 1); /*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS @@ -648,7 +638,7 @@ user_pref("security.ssl.require_safe_negotiation", true); * [STATS] Firefox telemetry (June 2020) shows only 0.16% of SSL handshakes use 1.0 or 1.1 * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint. * [1] https://www.ssllabs.com/ssl-pulse/ ***/ - // user_pref("security.tls.version.min", 3); // [DEFAULT: 3 FF78+] + // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] // user_pref("security.tls.version.max", 4); /* 1203: enforce TLS 1.0 and 1.1 downgrades as session only */ user_pref("security.tls.version.enable-deprecated", false); @@ -753,10 +743,6 @@ user_pref("security.mixed_content.block_object_subrequest", true); * [2] https://en.wikipedia.org/wiki/Meet-in-the-middle_attack * [3] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ***/ // user_pref("security.ssl3.rsa_des_ede3_sha", false); -/* 1263: disable DHE (Diffie-Hellman Key Exchange) - * [1] https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH ***/ - // user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); // [DEFAULT: false FF78+] - // user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); // [DEFAULT: false FF78+] /* 1264: disable the remaining non-modern cipher suites as of FF78 (in order of preferred by FF) ***/ // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); @@ -783,7 +769,7 @@ user_pref("browser.ssl_override_behavior", 1); * [TEST] https://expired.badssl.com/ ***/ user_pref("browser.xul.error_pages.expert_bad_cert", true); /* 1273: display "insecure" icon and "Not Secure" text on HTTP sites ***/ - // user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true FF70+] + // user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true] user_pref("security.insecure_connection_text.enabled", true); // [FF60+] /*** [SECTION 1400]: FONTS ***/ @@ -819,9 +805,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false); harden it a bit: set XOriginPolicy (1603) to 1 (as per the settings below) harden it a bit more: set XOriginPolicy (1603) to 2 (and optionally 1604 to 1 or 2), expect breakage --- - If you want any REAL control over referers and breakage, then use an extension. Either: - uMatrix: limited by scope, all requests are spoofed or not-spoofed - Smart Referrer: granular with source<->destination, whitelists + If you want any REAL control over referers and breakage, then use an extension --- full URI: https://example.com:8888/foo/bar.html?id=1234 scheme+host+port+path: https://example.com:8888/foo/bar.html @@ -981,9 +965,6 @@ user_pref("dom.popup_allowed_events", "click dblclick"); including service and shared workers. Shared workers can be utilized by multiple scripts and communicate between browsing contexts (windows/tabs/iframes) and can even control your cache. - [NOTE] uMatrix 1.2.0+ allows a per-scope control for workers (2301-deprecated) and service workers (2302) - #Required reading [#] https://github.com/gorhill/uMatrix/releases/tag/1.2.0 - [1] Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API [2] Worker: https://developer.mozilla.org/docs/Web/API/Worker [3] Service Worker: https://developer.mozilla.org/docs/Web/API/Service_Worker_API @@ -1065,7 +1046,6 @@ user_pref("javascript.options.asmjs", false); // user_pref("javascript.options.baselinejit", false); // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF] /* 2422: disable WebAssembly [FF52+] [SETUP-PERF] - * [NOTE] In FF71+ this no longer affects extensions (1576254) * [1] https://developer.mozilla.org/docs/WebAssembly ***/ user_pref("javascript.options.wasm", false); /* 2429: enable (limited but sufficient) window.opener protection [FF65+] @@ -1250,14 +1230,13 @@ user_pref("security.dialog_enable_delay", 700); user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!"); /* 2701: disable 3rd-party cookies and site-data [SETUP-WEB] * 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies, - * 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (FF63+) (default FF69+) + * 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (default) * [NOTE] You can set exceptions under site permissions or use an extension * [NOTE] Enforcing category to custom ensures ETP related prefs are always honored * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/ user_pref("network.cookie.cookieBehavior", 1); user_pref("browser.contentblocking.category", "custom"); -/* 2702: set third-party cookies (i.e ALL) (if enabled, see 2701) to session-only - and (FF58+) set third-party non-secure (i.e HTTP) cookies to session-only +/* 2702: set third-party cookies (if enabled, see 2701) to session-only [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones * [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/ @@ -1388,72 +1367,67 @@ user_pref("privacy.firstparty.isolate", true); user_pref("privacy.partition.network_state", true); /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING) - This master switch will be used for a wide range of items, many of which will - **override** existing prefs from FF55+, often providing a **better** solution + RFP covers a wide range of ongoing fingerprinting solutions. + It is an all-or-nothing buy in: you cannot pick and choose what parts you want - IMPORTANT: As existing prefs become redundant, and some of them WILL interfere - with how RFP works, they will be moved to section 4600 and made inactive + [WARNING] Do NOT use extensions to alter RFP protected metrics + [WARNING] Do NOT use prefs in section 4600 with RFP as they can interfere - ** 418986 - limit window.screen & CSS media queries leaking identifiable info (FF41+) - [NOTE] Info only: To set a size, open a XUL (chrome) page (such as about:config) which is at - 100% zoom, hit Shift+F4 to open the scratchpad, type window.resizeTo(1366,768), hit Ctrl+R to run. - Test your window size, do some math, resize to allow for all the non inner window elements + FF41+ + 418986 - limit window.screen & CSS media queries leaking identifiable info [TEST] https://arkenfox.github.io/TZP/tzp.html#screen - ** 1281949 - spoof screen orientation (FF50+) - ** 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+) - FF53: Fixes GetSupportedNames in nsMimeTypeArray and nsPluginArray (1324044) - ** 1330890 - spoof timezone as UTC 0 (FF55+) - FF58: Date.toLocaleFormat deprecated (818634) - FF60: Date.toLocaleDateString and Intl.DateTimeFormat fixed (1409973) - ** 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) (FF55+) - This spoof *shouldn't* affect core chrome/Firefox performance - ** 1217238 - reduce precision of time exposed by javascript (FF55+) - ** 1369303 - spoof/disable performance API (see 2410-deprecated, 4602, 4603) (FF56+) - ** 1333651 & 1383495 & 1396468 - spoof User Agent & Navigator API (see section 4700) (FF56+) - FF56: Version: rounded down to the nearest multiple of 10 - FF57: Version: match current ESR (1393283, 1418672, 1418162, 1511763) - FF59: OS: Windows, OSX, Android, or Linux (to reduce breakage) (1404608) - FF66: OS: HTTP Headers reduced to Windows or Android (1509829) - FF68: OS: updated to Windows 10, OS 10.14, and Android 8.1 (1511434) - FF78: OS: updated to OS 10.15 and Android 9.0 (1635011) - ** 1369319 - disable device sensor API (see 4604) (FF56+) - ** 1369357 - disable site specific zoom (see 4605) (FF56+) - ** 1337161 - hide gamepads from content (see 4606) (FF56+) - ** 1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true (see 4607) (FF56+) - ** 1333641 - reduce fingerprinting in WebSpeech API (see 4608) (FF56+) - ** 1372069 & 1403813 & 1441295 - block geolocation requests (same as denying a site permission) (see 0201, 0202) (FF56-62) - ** 1369309 - spoof media statistics (see 4610) (FF57+) - ** 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) (FF57+) - ** 1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12) (FF57+) - ** 1382545 - reduce fingerprinting in Animation API (FF57+) - ** 1354633 - limit MediaError.message to a whitelist (FF57+) - ** 1382533 - enable fingerprinting resistance for Presentation API (FF57+) + FF50+ + 1281949 - spoof screen orientation + 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+) + FF55+ + 1330890 - spoof timezone as UTC 0 + 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) + 1217238 - reduce precision of time exposed by javascript + FF56+ + 1369303 - spoof/disable performance API (see 4602, 4603) + 1333651 - spoof User Agent & Navigator API (see section 4700) + JS: FF78+ the version is spoofed as 78, and the OS as Windows 10, OS 10.15, Android 9, or Linux + HTTP Headers: spoofed as Windows or Android + 1369319 - disable device sensor API (see 4604) + 1369357 - disable site specific zoom (see 4605) + 1337161 - hide gamepads from content (see 4606) + 1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true (see 4607) + 1333641 - reduce fingerprinting in WebSpeech API (see 4608) + FF57+ + 1369309 - spoof media statistics (see 4610) + 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) + 1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12) + 1382545 - reduce fingerprinting in Animation API + 1354633 - limit MediaError.message to a whitelist + 1382533 - enable fingerprinting resistance for Presentation API This blocks exposure of local IP Addresses via mDNS (Multicast DNS) - ** 967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction (FF58+) - FF59: Added to site permissions panel (1413780) Only prompt when triggered by user input (1376865) - ** 1372073 - spoof/block fingerprinting in MediaDevices API (FF59+) + FF58+ + 967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction + FF59+ + 1372073 - spoof/block fingerprinting in MediaDevices API Spoof: enumerate devices reports one "Internal Camera" and one "Internal Microphone" if media.navigator.enabled is true (see 2505 which we chose to keep disabled) Block: suppresses the ondevicechange event (see 4612) - ** 1039069 - warn when language prefs are set to non en-US (see 0210, 0211) (FF59+) - ** 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59+) + 1039069 - warn when language prefs are set to non en-US (see 0210, 0211) + 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events Spoofing mimics the content language of the document. Currently it only supports en-US. Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected. - FF60: Fix keydown/keyup events (1438795) - ** 1337157 - disable WebGL debug renderer info (see 4613) (FF60+) - ** 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+) - ** 1479239 - return "no-preference" with prefers-reduced-motion (see 4614) (FF63+) - ** 1363508 - spoof/suppress Pointer Events (see 4615) (FF64+) + FF60-67 + 1337157 - disable WebGL debug renderer info (see 4613) (FF60+) + 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+) + 1479239 - return "no-preference" with prefers-reduced-motion (see 4614) (FF63+) + 1363508 - spoof/suppress Pointer Events (see 4615) (FF64+) FF65: pointerEvent.pointerid (1492766) - ** 1485266 - disable exposure of system colors to CSS or canvas (see 4616) (FF67+) - ** 1407366 - enable inner window letterboxing (see 4504) (FF67+) - ** 1494034 - return "light" with prefers-color-scheme (see 4617) (FF67+) - [1] https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme - ** 1564422 - spoof audioContext outputLatency (FF70+) - ** 1595823 - spoof audioContext sampleRate (FF72+) - ** 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) - ** 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) - ** 1653987 - limit font visibility to bundled and "Base Fonts" (see 4618) (non-ANDROID) (FF80+) + 1485266 - disable exposure of system colors to CSS or canvas (see 4616) (FF67+) + 1407366 - enable inner window letterboxing (see 4504) (FF67+) + 1494034 - return "light" with prefers-color-scheme (see 4617) (FF67+) + FF68-77 + 1564422 - spoof audioContext outputLatency (FF70+) + 1595823 - spoof audioContext sampleRate (FF72+) + 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) + FF78+ + 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) + 1653987 - limit font visibility to bundled and "Base Fonts" (see 4618) (non-ANDROID) (FF80+) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] @@ -1470,22 +1444,22 @@ user_pref("privacy.resistFingerprinting", true); // user_pref("privacy.window.maxInnerWidth", 1000); // user_pref("privacy.window.maxInnerHeight", 1000); /* 4503: disable mozAddonManager Web API [FF57+] - * [NOTE] As a side-effect in FF57-59 this allowed extensions to work on AMO. In FF60+ you also need - * to sanitize or clear extensions.webextensions.restrictedDomains (see 2662) to keep that side-effect + * [NOTE] To allow extensions to work on AMO, you also need 2662 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF] /* 4504: enable RFP letterboxing [FF67+] - * Dynamically resizes the inner window (FF67; 200w x100h: FF68+; stepped ranges) by applying letterboxing, - * using dimensions which waste the least content area, If you use the dimension pref, then it will only apply - * those resolutions. The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900") - * [SETUP-WEB] This does NOT require RFP (see 4501) **for now**, so if you're not using 4501, or you are but you're - * not taking anti-fingerprinting seriously and a little visual change upsets you, then feel free to flip this pref + * Dynamically resizes the inner window by applying margins in stepped ranges, see [2] + * If you use the dimension pref, then it will only apply those resolutions. The format is + * "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900") + * [SETUP-WEB] This does NOT require RFP (see 4501) **for now**, so if you're not using 4501, or you are but + * dislike margins being applied, then flip this pref, keeping in mind that it is effectively fingerprintable * [WARNING] The dimension pref is only meant for testing, and we recommend you DO NOT USE it - * [1] https://bugzilla.mozilla.org/1407366 ***/ + * [1] https://bugzilla.mozilla.org/1407366 + * [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] // user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF] /* 4510: disable showing about:blank as soon as possible during startup [FF60+] - * When default true (FF62+) this no longer masks the RFP chrome resizing activity + * When default true this no longer masks the RFP chrome resizing activity * [1] https://bugzilla.mozilla.org/1448423 ***/ user_pref("browser.startup.blankWindow", false); /* 4520: disable chrome animations [FF77+] [RESTART] @@ -1493,15 +1467,7 @@ user_pref("browser.startup.blankWindow", false); user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] /*** [SECTION 4600]: RFP ALTERNATIVES - * non-RFP users: - Enable the whole section (see the SETUP tag below) - * RFP users: - Make sure these are reset in about:config. They are redundant. In fact, some - even cause RFP to not behave as you would expect and alter your fingerprint - * ESR RFP users: - Reset those *up to and including* your version. Add those *after* your version - as active prefs in your overrides. This is assuming that the patch wasn't also - backported to Firefox ESR. Backporting RFP patches to ESR is rare. + [WARNING] Do NOT use prefs in this section with RFP as they can interfere ***/ user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan"); /* [SETUP-non-RFP] Non-RFP users replace the * with a slash on this line to enable these @@ -1600,32 +1566,22 @@ user_pref("layout.css.font-visibility.level", 1); // * * * / // ***/ -/*** [SECTION 4700]: RFP ALTERNATIVES (NAVIGATOR / USER AGENT (UA) SPOOFING) - This is FYI ONLY. These prefs are INSUFFICIENT(a) on their own, you need - to use RFP (4500) or an extension, in which case they become POINTLESS. - (a) Many of the components that make up your UA can be derived by other means. - And when those values differ, you provide more bits and raise entropy. - Examples of leaks include workers, navigator objects, date locale/formats, - iframes, headers, tcp/ip attributes, feature detection, and **many** more. - ALL values below intentionally left blank - use RFP, or get a vetted, tested - extension and mimic RFP values to *lower* entropy, or randomize to *raise* it +/*** [SECTION 4700]: RFP ALTERNATIVES (USER AGENT SPOOFING) + These prefs are insufficient and leak. Use RFP and **nothing else** + - Many of the user agent components can be derived by other means. When those + values differ, you provide more bits and raise entropy. Examples include + workers, iframes, headers, tcp/ip attributes, feature detection, and many more + - Web extensions also lack APIs to fully protect spoofing ***/ user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow"); -/* 4701: navigator.userAgent ***/ - // user_pref("general.useragent.override", ""); // [HIDDEN PREF] -/* 4702: navigator.buildID - * Revealed build time down to the second. In FF64+ it now returns a fixed timestamp - * [1] https://bugzilla.mozilla.org/583181 - * [2] https://www.fxsitecompat.com/en-CA/docs/2018/navigator-buildid-now-returns-a-fixed-timestamp/ ***/ - // user_pref("general.buildID.override", ""); // [HIDDEN PREF] -/* 4703: navigator.appName ***/ +/* 4701: navigator DOM object overrides + * [WARNING] DO NOT USE ***/ // user_pref("general.appname.override", ""); // [HIDDEN PREF] -/* 4704: navigator.appVersion ***/ // user_pref("general.appversion.override", ""); // [HIDDEN PREF] -/* 4705: navigator.platform ***/ - // user_pref("general.platform.override", ""); // [HIDDEN PREF] -/* 4706: navigator.oscpu ***/ + // user_pref("general.buildID.override", ""); // [HIDDEN PREF] // user_pref("general.oscpu.override", ""); // [HIDDEN PREF] + // user_pref("general.platform.override", ""); // [HIDDEN PREF] + // user_pref("general.useragent.override", ""); // [HIDDEN PREF] /*** [SECTION 5000]: PERSONAL Non-project related but useful. If any of these interest you, add them to your overrides ***/