From fdc9db9a084d6ef4f058d01ff8e204054f485591 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 26 May 2019 08:43:12 +0000 Subject: [PATCH] 1600s revamp - no need to enforce defaults (except the second cross-origin) = less items in prefs and about:support - simplify header info - add in that you need an extension for real control: i.e for most people, e.g I use uMatrix and have never can to whitelist anything. Kolanich has been on settings of 2 for years and only found one broken site: these are anecdotal and don;t reflect the real world: which is why the settings are pretty relaxed - move the broken info out of header and onto the pref in a setup tag - reference: https://github.com/ghacksuserjs/ghacks-user.js/issues/716#issuecomment-488527274 - thanks Kolanich and :cat2: --- user.js | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/user.js b/user.js index b3eeb66..2da4f38 100644 --- a/user.js +++ b/user.js @@ -826,45 +826,47 @@ user_pref("gfx.font_rendering.graphite.enabled", false); // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] /*** [SECTION 1600]: HEADERS / REFERERS - Only *cross domain* referers need controlling and XOriginPolicy (1603) is perfect for that. Thus we enforce - the default values for 1601, 1602, 1605 and 1606 to minimize breakage, and only tweak 1603 and 1604. - - Our default settings provide the best balance between protection and amount of breakage. - To harden it a bit more you can set XOriginPolicy (1603) to 2 (+ optionally 1604 to 1 or 2). - To fix broken sites (including your modem/router), temporarily set XOriginPolicy=0 and XOriginTrimmingPolicy=2 in about:config, - use the site and then change the values back. If you visit those sites regularly (e.g. vimeo), use an extension. - + Only *cross domain* referers need controlling: leave 1601, 1602, 1605 and 1606 alone + --- + harden it a bit: set XOriginPolicy (1603) to 1 (as per the settings below) + harden it a bit more: set XOriginPolicy (1603) to 2 (and optionally 1604 to 1 or 2), expect breakage + --- + If you want any REAL control over referers and breakage, then use an extension. Either: + uMatrix: limited by scope, all requests are spoofed or not-spoofed + Smart Referrer: granular with source<->destination, whitelists + --- full URI: https://example.com:8888/foo/bar.html?id=1234 scheme+host+port+path: https://example.com:8888/foo/bar.html scheme+host+port: https://example.com:8888 - + --- #Required reading [#] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ ***/ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); /* 1601: ALL: control when images/links send a referer * 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/ -user_pref("network.http.sendRefererHeader", 2); + // user_pref("network.http.sendRefererHeader", 2); // [DEFAULT: 2] /* 1602: ALL: control the amount of information to send * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ -user_pref("network.http.referer.trimmingPolicy", 0); -/* 1603: CROSS ORIGIN: control when to send a referer [SETUP-WEB] - * 0=always (default), 1=only if base domains match, 2=only if hosts match ***/ + // user_pref("network.http.referer.trimmingPolicy", 0); // [DEFAULT: 0] +/* 1603: CROSS ORIGIN: control when to send a referer + * 0=always (default), 1=only if base domains match, 2=only if hosts match + * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo ***/ user_pref("network.http.referer.XOriginPolicy", 1); /* 1604: CROSS ORIGIN: control the amount of information to send [FF52+] * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ -user_pref("network.http.referer.XOriginTrimmingPolicy", 0); +user_pref("network.http.referer.XOriginTrimmingPolicy", 0); // [DEFAULT: 0] /* 1605: ALL: disable spoofing a referer * [WARNING] Do not set this to true, as spoofing effectively disables the anti-CSRF * (Cross-Site Request Forgery) protections that some sites may rely on ***/ -user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false] + // user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false] /* 1606: ALL: set the default Referrer Policy [FF59+] * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade * [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy * [1] https://www.w3.org/TR/referrer-policy/ * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy * [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ***/ -user_pref("network.http.referer.defaultPolicy", 3); // [DEFAULT: 3] -user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] + // user_pref("network.http.referer.defaultPolicy", 3); // [DEFAULT: 3] + // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] /* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain [FF54+] * [NOTE] Firefox cannot access .onion sites by default. We recommend you use * the Tor Browser which is specifically designed for hidden services