From e037014a56ed22a7de39ebef6efe9dfe0c325549 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 6 Mar 2024 08:42:48 +0000 Subject: [PATCH 1/8] v123 --- user.js | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/user.js b/user.js index bd7c46f..708eab8 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 5 February 2024 -* version: 122 +* date: 8 March 2024 +* version: 123 * urls: https://github.com/arkenfox/user.js [repo] * : https://arkenfox.github.io/gui/ [interactive] * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -35,7 +35,7 @@ - It is recommended to not use the updater, or you will get a later version which may cause issues. So you should manually append your overrides (and keep a copy), and manually update when you change ESR releases (arkenfox is already past that release) - - If you decide to keep updating, then the onus is on - also see section 9999 + - If you decide to keep updating, then the onus is on you - also see section 9999 * INDEX: @@ -95,8 +95,8 @@ user_pref("browser.startup.homepage", "about:blank"); user_pref("browser.newtabpage.enabled", false); /* 0105: disable sponsored content on Firefox Home (Activity Stream) * [SETTING] Home>Firefox Home Content ***/ -user_pref("browser.newtabpage.activity-stream.showSponsored", false); // [FF58+] Pocket > Sponsored Stories -user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); // [FF83+] Sponsored shortcuts +user_pref("browser.newtabpage.activity-stream.showSponsored", false); // [FF58+] +user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); // [FF83+] Shortcuts>Sponsored shortcuts /* 0106: clear default topsites * [NOTE] This does not block you from adding your own ***/ user_pref("browser.newtabpage.activity-stream.default.sites", ""); 
@@ -158,9 +158,6 @@ user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+] user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF] user_pref("toolkit.coverage.opt-out", true); // [FF64+] [HIDDEN PREF] user_pref("toolkit.coverage.endpoint.base", ""); -/* 0334: disable PingCentre telemetry (used in several System Add-ons) [FF57+] - * Defense-in-depth: currently covered by 0331 ***/ -user_pref("browser.ping-centre.telemetry", false); /* 0335: disable Firefox Home (Activity Stream) telemetry ***/ user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false); user_pref("browser.newtabpage.activity-stream.telemetry", false); @@ -303,10 +300,12 @@ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); * [1] https://bugzilla.mozilla.org/1348275 ***/ user_pref("browser.urlbar.speculativeConnect.enabled", false); /* 0802: disable location bar contextual suggestions - * [SETTING] Privacy & Security>Address Bar>Suggestions from... + * [NOTE] The UI is controlled by the .enabled pref + * [SETTING] Search>Address Bar>Suggestions from... * [1] https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/ ***/ -user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // [FF95+] -user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); // [FF92+] + // user_pref("browser.urlbar.quicksuggest.enabled", false); // [FF92+] [DEFAULT: false] + // user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // [FF95+] [DEFAULT: false] + // user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); // [FF92+] [DEFAULT: false] /* 0803: disable live search suggestions * [NOTE] Both must be true for the location bar to work * [SETUP-CHROME] Override these if you trust and use a privacy respecting search engine 
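Review bot: In the 0802 block all three quicksuggest prefs are now commented out, so the file no longer enforces them and depends on the `[DEFAULT: false]` annotation holding for every profile. If those defaults differ by region or can be changed by a remote rollout (not visible in this hunk, worth confirming), a profile using this file would pick up location bar suggestions without any change on the user's side. Keeping the lines active costs nothing, e.g. `user_pref("browser.urlbar.quicksuggest.enabled", false); // [FF92+]`. The new `[NOTE]` should also spell the pref name out in full, because ".enabled" alone does not say which pref is meant.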
@@ -322,7 +321,7 @@ user_pref("browser.urlbar.mdn.featureGate", false); // [FF117+] [HIDDEN PREF] user_pref("browser.urlbar.pocket.featureGate", false); // [FF116+] [DEFAULT: false] user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] [DEFAULT: false] /* 0807: disable urlbar clipboard suggestions [FF118+] ***/ - // user_pref("browser.urlbar.clipboard.featureGate", false); // [DEFAULT: false] + // user_pref("browser.urlbar.clipboard.featureGate", false); // [DEFAULT: true FF125+] /* 0810: disable search and form history * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2] * [NOTE] We also clear formdata on exit (2811) @@ -332,7 +331,7 @@ user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] [DEFAULT: fa user_pref("browser.formfill.enable", false); /* 0815: disable tab-to-search [FF85+] * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search - * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/ + * [SETTING] Search>Address Bar>When using the address bar, suggest>Search engines ***/ // user_pref("browser.urlbar.suggest.engines", false); /* 0820: disable coloring of visited links * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive 
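Review bot: In 0807 the annotation now records `[DEFAULT: true FF125+]`, but the pref stays commented out under a heading that reads "disable urlbar clipboard suggestions". From FF125 a profile using this file would therefore have the feature on while the heading suggests otherwise. Either make the line active, `user_pref("browser.urlbar.clipboard.featureGate", false); // [DEFAULT: true FF125+]`, or add a short `[NOTE]` stating that it is left inactive on purpose and why.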
@@ -740,7 +739,7 @@ user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); 1372073 - spoof/block fingerprinting in MediaDevices API (FF59) Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone" Block: suppresses the ondevicechange event - 1039069 - warn when language prefs are not set to "en*" (also see 0210, 0211) (FF59) + 1039069 - warn when language prefs are not set to "en*" (FF59) 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59) Spoofing mimics the content language of the document. Currently it only supports en-US. Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected. @@ -867,7 +866,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow * [1] https://bugzilla.mozilla.org/1281959 ***/ // user_pref("browser.download.forbid_open_with", true); /* 5010: disable location bar suggestion types - * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/ + * [SETTING] Search>Address Bar>When using the address bar, suggest ***/ // user_pref("browser.urlbar.suggest.history", false); // user_pref("browser.urlbar.suggest.bookmark", false); // user_pref("browser.urlbar.suggest.openpage", false); @@ -1108,7 +1107,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/ ***/ // user_pref("dom.webnotifications.enabled", false); /* 7019: disable Push Notifications [FF44+] - * [WHY] Push requires subscription + * [WHY] Website "push" requires subscription, and the API is required for CRLite (1224) * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID" * [1] https://support.mozilla.org/kb/push-notifications-firefox ***/ // user_pref("dom.push.enabled", false); 
@@ -1210,6 +1209,11 @@ user_pref("security.family_safety.mode", 0); // 0711: disable skipping DoH when parental controls are enabled [FF70+] // [-] https://bugzilla.mozilla.org/1586941 user_pref("network.dns.skipTRR-when-parental-control-enabled", false); +// FF123 +// 0334: disable PingCentre telemetry (used in several System Add-ons) [FF57+] + // Defense-in-depth: currently covered by 0331 + // [-] https://bugzilla.mozilla.org/1868988 +user_pref("browser.ping-centre.telemetry", false); // ***/ /* END: internal custom pref to test for syntax errors ***/ From 2ce72dacb528fdebab71af1642d0e55c9c95a437 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 10 Apr 2024 10:18:08 +0000 Subject: [PATCH 2/8] fixup parrot number --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 708eab8..2d22931 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 8 March 2024 -* version: 123 +* date: 25 April 2024 +* version: 125 * urls: https://github.com/arkenfox/user.js [repo] * : https://arkenfox.github.io/gui/ [interactive] * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -697,7 +697,7 @@ user_pref("privacy.sanitize.timeSpan", 0); https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc 1858181 - subtly randomize canvas per eTLD+1, per session and per window-mode (FF120+) ***/ -user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); +user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); /* 4001: enable FPP in PB mode [FF114+] * [NOTE] In FF119+, FPP for all modes (7106) is enabled with ETP Strict (2701) ***/ // user_pref("privacy.fingerprintingProtection.pbmode", true); // [DEFAULT: true FF118+] From 7ec8ab87c7ce300b57ba8a49ec9c362fbbd57df2 Mon Sep 17 00:00:00 2001 
From: Thorin-Oakenpants Date: Thu, 11 Apr 2024 20:33:28 +0000 Subject: [PATCH 3/8] yelp suggestions --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index 2d22931..f63d48d 100644 --- a/user.js +++ b/user.js @@ -320,6 +320,7 @@ user_pref("browser.urlbar.addons.featureGate", false); // [FF115+] user_pref("browser.urlbar.mdn.featureGate", false); // [FF117+] [HIDDEN PREF] user_pref("browser.urlbar.pocket.featureGate", false); // [FF116+] [DEFAULT: false] user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] [DEFAULT: false] +user_pref("browser.urlbar.yelp.featureGate", false); // [FF123+] [DEFAULT: false] /* 0807: disable urlbar clipboard suggestions [FF118+] ***/ // user_pref("browser.urlbar.clipboard.featureGate", false); // [DEFAULT: true FF125+] /* 0810: disable search and form history From 0ab2ab26ecec74dc6a9c87d60235cef666214af4 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 11 Apr 2024 21:33:46 +0000 Subject: [PATCH 4/8] add DLP --- user.js | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index f63d48d..df27281 100644 --- a/user.js +++ b/user.js @@ -320,7 +320,7 @@ user_pref("browser.urlbar.addons.featureGate", false); // [FF115+] user_pref("browser.urlbar.mdn.featureGate", false); // [FF117+] [HIDDEN PREF] user_pref("browser.urlbar.pocket.featureGate", false); // [FF116+] [DEFAULT: false] user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] [DEFAULT: false] -user_pref("browser.urlbar.yelp.featureGate", false); // [FF123+] [DEFAULT: false] +user_pref("browser.urlbar.yelp.featureGate", false); // [FF124+] [DEFAULT: false] /* 0807: disable urlbar clipboard suggestions [FF118+] ***/ // user_pref("browser.urlbar.clipboard.featureGate", false); // [DEFAULT: true FF125+] /* 0810: disable search and form history 
@@ -583,6 +583,11 @@ user_pref("pdfjs.disabled", false); // [DEFAULT: false] user_pref("pdfjs.enableScripting", false); // [FF86+] /* 2624: disable middle click on new tab button opening URLs or searches using clipboard [FF115+] */ user_pref("browser.tabs.searchclipboardfor.middleclick", false); // [DEFAULT: false NON-LINUX] +/* 2630: disable content analysis by DLP (Data Loss Prevention) agents + * DLP agents are background processes on managed computers that allow enterprises to monitor locally running + * applications for data exfiltration events, which they can allow/block based on customer defined DLP policies. + * [1] https://github.com/chromium/content_analysis_sdk */ +user_pref("browser.contentanalysis.default_allow", false); // [FF124+] [DEFAULT: false] /** DOWNLOADS ***/ /* 2651: enable user interaction for security by always asking where to download From 1c50fdeb8bd0c6cb9f972f735fe71a8cf9ff7429 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 24 Apr 2024 21:16:41 +0000 Subject: [PATCH 5/8] add spoof_english --- user.js | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/user.js b/user.js index df27281..05eeee9 100644 --- a/user.js +++ b/user.js 
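Review bot: The 2630 entry added in PATCH 4/8 is headed "disable content analysis by DLP agents", but the only pref it sets is `browser.contentanalysis.default_allow`. Its name suggests that it picks the fallback verdict when no agent answers rather than switching analysis off; if so, the heading overstates what the line does. Consider setting the feature switch as well, `user_pref("browser.contentanalysis.enabled", false);`, and rewording the comment to say that `default_allow` only selects the fail-closed default.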
@@ -801,6 +801,12 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] * [WARNING] DO NOT USE unless testing, see [1] comment 12 * [1] https://bugzilla.mozilla.org/1635603 ***/ // user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid"); +/* 4506: disable RFP spoof english prompt [FF59+] + * 0=prompt, 1=disabled, 2=enabled (requires RFP) + * [NOTE] When changing from value 2, preferred languages ('intl.accept_languages') is not reset. + * [SETUP-WEB] when enabled, sets 'en-US, en' for displaying pages and 'en-US' as locale. + * [SETTING] General>Language>Choose your preferred language for displaying pages>Choose>Request English... ***/ +user_pref("privacy.spoof_english", 1); /* 4510: disable using system colors * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false NON-WINDOWS] From fa2d4be52a4e7ee78efda72d05c43a54b509c0f2 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 25 Apr 2024 21:21:54 +0000 Subject: [PATCH 6/8] add GPC #1818 --- user.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/user.js b/user.js index 05eeee9..e32cc21 100644 --- a/user.js +++ b/user.js @@ -1130,6 +1130,9 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/ // user_pref("media.peerconnection.enabled", false); +/* 4021: enable GPC (Global Privacy Control) in non-PB windows + * [WHY] Passive (and active) fingerprinting. Mostly redundant with Tracking Protection in ETP Strict (2701) ***/ + // user_pref("privacy.globalprivacycontrol.enabled", true); /*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING [WHY] They are insufficient to help anti-fingerprinting and do more harm than good 
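Review bot: The GPC entry added in PATCH 6/8 is numbered `4021`, but the hunk header (parrot 7000) and the `[SECTION 8000]` line that follows place it at the end of section 7000, so the number points readers at the wrong section. It should take the next free 7000-series number, e.g. `/* 70xx: enable GPC (Global Privacy Control) in non-PB windows`; the preceding item's number is outside the hunk, so the exact value needs checking. PATCH 8/8 rewrites the same comment and keeps `4021`. The `[WHY]` text would also be clearer if it said that the header adds a passive and active fingerprinting signal, since as written it can be read as a reason to enable the pref.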
From 84232b2a6122d1aca203595b28f4b236b1758779 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 25 Apr 2024 21:40:07 +0000 Subject: [PATCH 7/8] tidy --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index e32cc21..7ebf561 100644 --- a/user.js +++ b/user.js @@ -412,7 +412,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); * but the problem is that the browser can't know that. Setting this pref to true is the only way for the * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site? - * [STATS] SSL Labs (Nov 2023) reports over 99.5% of top sites have secure renegotiation [4] + * [STATS] SSL Labs (April 2024) reports over 99.6% of top sites have secure renegotiation [4] * [1] https://wiki.mozilla.org/Security:Renegotiation * [2] https://datatracker.ietf.org/doc/html/rfc5746 * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 @@ -725,7 +725,7 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); 418986 - limit window.screen & CSS media queries (FF41) 1281949 - spoof screen orientation (FF50) - 1330890 - spoof timezone as UTC0 (FF55) + 1330890 - spoof timezone as UTC (FF55) 1360039 - spoof navigator.hardwareConcurrency as 2 (FF55) FF56 1333651 - spoof User Agent & Navigator API From 1e99197c39840e198993dbbe70c87784d980f940 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 25 Apr 2024 22:47:16 +0000 Subject: [PATCH 8/8] add sanitizing to GPC info --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 7ebf561..708e740 100644 --- a/user.js +++ b/user.js 
@@ -1131,7 +1131,8 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/ // user_pref("media.peerconnection.enabled", false); /* 4021: enable GPC (Global Privacy Control) in non-PB windows - * [WHY] Passive (and active) fingerprinting. Mostly redundant with Tracking Protection in ETP Strict (2701) ***/ + * [WHY] Passive and active fingerprinting. Mostly redundant with Tracking Protection + * in ETP Strict (2701) and sanitizing on close (2800s) ***/ // user_pref("privacy.globalprivacycontrol.enabled", true); /*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING