Git-Mirrors/user.js
1
0
Fork 0
mirror of https://github.com/arkenfox/user.js.git synced 2025-04-22 08:29:31 -04:00
Code Issues Packages Projects Releases Wiki Activity

move network.* prefs from 2600 to new 0700 section

Browse Source
This commit is contained in:
earthlng 2018-03-01 17:26:23 +01:00 committed by GitHub
parent 2dd2f5febe
commit 2757cc60b8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 65 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
user.js
View File

@ -442,6 +442,68 @@ user_pref("network.protocol-handler.external.ms-windows-store", false);
/* 0608: disable predictor / prefetching (FF48+) ***/
user_pref("network.predictor.enable-prefetch", false);
/*** 0700: MISC - NETWORK ***/
user_pref("_user.js.parrot", "0700 syntax error: ... !");
/* 0701: disable DNS requests for hostnames with a .onion TLD (FF45+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1228457 ***/
user_pref("network.dns.blockDotOnion", true);
/* 0702: disable IPv6 (included for knowledge ONLY [WARNING] do not do this)
* This is all about covert channels such as MAC addresses being included/abused in the
* IPv6 protocol for tracking. If you want to mask your IP address, this is not the way
* to do it. It's 2016, IPv6 is here. Here are some old links
* 2010: https://christopher-parsons.com/ipv6-and-the-future-of-privacy/
* 2011: https://iapp.org/news/a/2011-09-09-facing-the-privacy-implications-of-ipv6/
* 2012: http://www.zdnet.com/article/security-versus-privacy-with-ipv6-deployment/
* [NOTE] It is a myth that disabling IPv6 will speed up your internet connection
* [1] https://www.howtogeek.com/195062/no-disabling-ipv6-probably-wont-speed-up-your-internet-connection/ ***/
// user_pref("network.dns.disableIPv6", true);
// user_pref("network.http.fast-fallback-to-IPv4", true); // default: true
/* 0703: disable HTTP Alternative Services
* [1] https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3970881 ***/
user_pref("network.http.altsvc.enabled", false);
user_pref("network.http.altsvc.oe", false);
/* 0704: limit HTTP redirects (this does not control redirects with HTML meta tags or JS)
* [WARNING] A low setting of 5 or under will probably break some sites (e.g. gmail logins)
* To control HTML Meta tag and JS redirects, use an extension. Default is 20 ***/
user_pref("network.http.redirection-limit", 10);
/* 0705: disable HTTP2 (which was based on SPDY which is now deprecated)
* HTTP2 raises concerns with "multiplexing" and "server push", does nothing to enhance
* privacy, and in fact opens up a number of server-side fingerprinting opportunities
* [1] https://http2.github.io/faq/
* [2] http://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
* [3] https://queue.acm.org/detail.cfm?id=2716278
* [4] https://github.com/ghacksuserjs/ghacks-user.js/issues/107 ***/
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.deps", false);
user_pref("network.http.spdy.enabled.http2", false);
/* 0706: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing security risk
* Firefox has *some* protections to mitigate the risk, but it is better to be safe
* than sorry. The downside: it will also display legitimate IDN's punycoded, which
* might be undesirable for users from countries with non-latin alphabets
* [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
* [1] http://kb.mozillazine.org/Network.IDN_show_punycode
* [2] https://wiki.mozilla.org/IDN_Display_Algorithm
* [3] https://en.wikipedia.org/wiki/IDN_homograph_attack
* [4] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
* [5] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
user_pref("network.IDN_show_punycode", true);
/* 0707: disable remote JAR files being opened, regardless of content type (FF42+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1173171
* [2] https://www.fxsitecompat.com/en-CA/docs/2015/jar-protocol-support-has-been-disabled-by-default/ ***/
user_pref("network.jar.block-remote-files", true);
/* 0708: disable JAR from opening Unsafe File Types ***/
user_pref("network.jar.open-unsafe-types", false);
/* 0709: remove paths when sending URLs to PAC scripts (FF51+)
* CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1255474 ***/
user_pref("network.proxy.autoconfig_url.include_path", false);
/* 0710: enforce the proxy server to do any DNS lookups when using SOCKS
* e.g. in TOR, this stops your local DNS server from knowing your Tor destination
* as a remote Tor node will handle the DNS request
* [1] http://kb.mozillazine.org/Network.proxy.socks_remote_dns
* [2] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
user_pref("network.proxy.socks_remote_dns", true);
/*** 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS [SETUP]
If you are in a private environment (no unwanted eyeballs) and your device is private
(restricted access), and the device is secure when unattended (locked, encrypted, forensic
@ -1208,8 +1270,6 @@ user_pref("browser.download.hide_plugins_without_extensions", false);
/* 2607: disable page thumbnail collection
* look in profile/thumbnails directory - you may want to clean that out ***/
user_pref("browser.pagethumbnails.capturing_disabled", true); // (hidden pref)
/* 2608: disable JAR from opening Unsafe File Types ***/
user_pref("network.jar.open-unsafe-types", false);
/* 2609: disable exposure of system colors to CSS or canvas (FF44+)
* [NOTE] see [2] bug may cause black on black for elements with undefined colors
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=232227
@ -1223,16 +1283,6 @@ user_pref("permissions.manager.defaultsUrl", "");
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false);
/* 2614: disable HTTP2 (which was based on SPDY which is now deprecated)
* HTTP2 raises concerns with "multiplexing" and "server push", does nothing to enhance
* privacy, and in fact opens up a number of server-side fingerprinting opportunities
* [1] https://http2.github.io/faq/
* [2] http://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
* [3] https://queue.acm.org/detail.cfm?id=2716278
* [4] https://github.com/ghacksuserjs/ghacks-user.js/issues/107 ***/
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.deps", false);
user_pref("network.http.spdy.enabled.http2", false);
/* 2617: enable Firefox's built-in PDF reader [SETUP]
* [SETTING-56+] Options>General>Applications>Portable Document Format (PDF)
* [SETTING-ESR] Options>Applications>Portable Document Format (PDF)
@ -1248,31 +1298,10 @@ user_pref("network.http.spdy.enabled.http2", false);
* [NOTE]
* See 2662, and JS can still force a pdf to open in-browser by bundling its own code (rare) ***/
user_pref("pdfjs.disabled", false);
/* 2618: enforce the proxy server to do any DNS lookups when using SOCKS
* e.g. in TOR, this stops your local DNS server from knowing your Tor destination
* as a remote Tor node will handle the DNS request
* [1] http://kb.mozillazine.org/Network.proxy.socks_remote_dns
* [2] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
user_pref("network.proxy.socks_remote_dns", true);
/* 2619: limit HTTP redirects (this does not control redirects with HTML meta tags or JS)
* [WARNING] A low setting of 5 or under will probably break some sites (e.g. gmail logins)
* To control HTML Meta tag and JS redirects, use an extension. Default is 20 ***/
user_pref("network.http.redirection-limit", 10);
/* 2620: disable middle mouse click opening links from clipboard
* [1] https://trac.torproject.org/projects/tor/ticket/10089
* [2] http://kb.mozillazine.org/Middlemouse.contentLoadURL ***/
user_pref("middlemouse.contentLoadURL", false);
/* 2621: disable IPv6 (included for knowledge ONLY [WARNING] do not do this)
* This is all about covert channels such as MAC addresses being included/abused in the
* IPv6 protocol for tracking. If you want to mask your IP address, this is not the way
* to do it. It's 2016, IPv6 is here. Here are some old links
* 2010: https://christopher-parsons.com/ipv6-and-the-future-of-privacy/
* 2011: https://iapp.org/news/a/2011-09-09-facing-the-privacy-implications-of-ipv6/
* 2012: http://www.zdnet.com/article/security-versus-privacy-with-ipv6-deployment/
* [NOTE] It is a myth that disabling IPv6 will speed up your internet connection
* [1] https://www.howtogeek.com/195062/no-disabling-ipv6-probably-wont-speed-up-your-internet-connection/ ***/
// user_pref("network.dns.disableIPv6", true);
// user_pref("network.http.fast-fallback-to-IPv4", true); // default: true
/* 2622: enforce a security delay when installing extensions (milliseconds)
* default=1000, This also covers the delay in "Save" on downloading files.
* [1] http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
@ -1285,19 +1314,12 @@ user_pref("security.fileuri.strict_origin_policy", true);
* [1] https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity
* [2] https://wiki.mozilla.org/Security/Subresource_Integrity ***/
user_pref("security.sri.enable", true); // default: true
/* 2625: disable DNS requests for hostnames with a .onion TLD (FF45+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1228457 ***/
user_pref("network.dns.blockDotOnion", true);
/* 2626: disable optional user agent token
* [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/User-Agent/Firefox ***/
user_pref("general.useragent.compatMode.firefox", false); // default: false
/* 2628: disable UITour backend so there is no chance that a remote page can use it ***/
user_pref("browser.uitour.enabled", false);
user_pref("browser.uitour.url", "");
/* 2629: disable remote JAR files being opened, regardless of content type (FF42+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1173171
* [2] https://www.fxsitecompat.com/en-CA/docs/2015/jar-protocol-support-has-been-disabled-by-default/ ***/
user_pref("network.jar.block-remote-files", true);
/* 2630: prevent accessibility services from accessing your browser [RESTART]
* [SETTING] Options>Privacy & Security>Permissions>Prevent accessibility services from accessing your browser
* [1] https://support.mozilla.org/kb/accessibility-services ***/
@ -1325,10 +1347,6 @@ user_pref("mathml.disabled", true);
user_pref("device.storage.enabled", false);
/* 2665: remove webchannel whitelist ***/
user_pref("webchannel.allowObject.urlWhitelist", "");
/* 2666: disable HTTP Alternative Services
* [1] https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3970881 ***/
user_pref("network.http.altsvc.enabled", false);
user_pref("network.http.altsvc.oe", false);
/* 2667: disable various developer tools in browser context
* [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
* [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/
@ -1339,10 +1357,6 @@ user_pref("devtools.chrome.enabled", false);
* [1] archived: https://archive.is/DYjAM ***/
user_pref("extensions.enabledScopes", 1); // (hidden pref)
user_pref("extensions.autoDisableScopes", 15);
/* 2669: remove paths when sending URLs to PAC scripts (FF51+)
* CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1255474 ***/
user_pref("network.proxy.autoconfig_url.include_path", false);
/* 2670: disable "image/" mime types bypassing CSP (FF51+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1288361 ***/
user_pref("security.block_script_with_wrong_mime", true);
@ -1351,17 +1365,6 @@ user_pref("security.block_script_with_wrong_mime", true);
* including youtube player controls. Best left for "hardened" or specific profiles.
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1216893 ***/
// user_pref("svg.disabled", true);
/* 2672: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing security risk
* Firefox has *some* protections to mitigate the risk, but it is better to be safe
* than sorry. The downside: it will also display legitimate IDN's punycoded, which
* might be undesirable for users from countries with non-latin alphabets
* [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
* [1] http://kb.mozillazine.org/Network.IDN_show_punycode
* [2] https://wiki.mozilla.org/IDN_Display_Algorithm
* [3] https://en.wikipedia.org/wiki/IDN_homograph_attack
* [4] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
* [5] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
user_pref("network.IDN_show_punycode", true);
/* 2673: enable CSP (Content Security Policy)
* [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
user_pref("security.csp.enable", true); // default: true
@ -1795,7 +1798,7 @@ user_pref("pageThumbs.enabled", false);
// 2503: (31+) disable network API - replaced by dom.netinfo.enabled
// [-] https://bugzilla.mozilla.org/show_bug.cgi?id=960426
user_pref("dom.network.enabled", false);
// 2620: (35+) disable WebSockets
// 07xx: (35+) disable WebSockets
// [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1091016
user_pref("network.websocket.enabled", false);
// 1610: (36+) set DNT "value" to "not be tracked" (FF21+)
@ -1817,7 +1820,7 @@ user_pref("browser.safebrowsing.reportURL", ""); // removed
// 1804: (41+) disable plugin enumeration
// [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1169945
user_pref("plugins.enumerable_names", "");
// 2614: (41+) disable HTTP2 (draft)
// 0705: (41+) disable HTTP2 (draft)
// [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1132357
user_pref("network.http.spdy.enabled.http2draft", false);
// 2803: (42+) clear passwords on shutdown
@ -1962,7 +1965,7 @@ user_pref("media.block-play-until-visible", true);
// 2504: disable virtual reality devices
// [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1250244
user_pref("dom.vr.oculus050.enabled", false);
// 2614: disable SPDY
// 0705: disable SPDY
// [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1248197
user_pref("network.http.spdy.enabled.v3-1", false);
// ***/