Git-Mirrors/user.js
1
0
Fork 0
mirror of https://github.com/arkenfox/user.js.git synced 2025-04-21 16:16:50 -04:00
Code Issues Packages Projects Releases Wiki Activity

switch to [SETUP-

Browse Source
This commit is contained in:
Thorin-Oakenpants 2018-12-03 03:57:07 +13:00 committed by GitHub
parent cb5a6f3dd1
commit d2f8dea45d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 38 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
user.js
View File

@ -29,11 +29,13 @@
* Site breakage WILL happen
- There are often trade-offs and conflicts between Security vs Privacy vs Anti-Fingerprinting
and these need to be balanced against Functionality & Convenience & Breakage
* You will need to make changes. While not 100% definitive, search for these tags. If required, add them
to your overrides section at default values (or comment them out and reset them in about:config)
- [BREAKAGE] can cause some websites to break, or impact performance
- [BEHAVIOR] changes how Firefox itself works, i.e. not directly website related
- [WARNING] extra special info to heed our advice
* You will need to make changes, and to troubleshoot at times (choose wisely, there is always a trade-off).
While not 100% definitive, search for "[SETUP". If required, add each pref to your overrides section at
default values (or comment them out and reset them in about:config). We may add more:
[SETUP-WEB] can cause some websites to break
[SETUP-CHROME] changes how Firefox itself behaves (i.e. NOT directly website related)
[SETUP-PERF] may impact performance
* [WARNING] tags are extra special and used sparingly, so heed them
4. BACKUP your profile folder before implementing (and/or test in a new/cloned profile)
5. KEEP UP TO DATE: https://github.com/ghacksuserjs/ghacks-user.js/wiki#small_orange_diamond-maintenance
@ -476,7 +478,7 @@ user_pref("network.file.disable_unc_paths", true); // (hidden pref)
* [4] https://en.wikipedia.org/wiki/GIO_(software) ***/
user_pref("network.gio.supported-protocols", ""); // (hidden pref)
/*** 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS [BEHAVIOR]
/*** 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS [SETUP-CHROME]
If you are in a private environment (no unwanted eyeballs) and your device is private
(restricted access), and the device is secure when unattended (locked, encrypted, forensic
hardened), then items 0850 and above can be relaxed in return for more convenience and
@ -532,7 +534,7 @@ user_pref("browser.urlbar.speculativeConnect.enabled", false);
* - If *ALL* of the suggestion types are false, 'autocomplete' must also be false
* - If *ANY* of the suggestion types are true, 'autocomplete' must also be true
* [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest
* [BEHAVIOR] If all three suggestion types are false, search engine keywords are disabled ***/
* [SETUP-CHROME] If all three suggestion types are false, search engine keywords are disabled ***/
user_pref("browser.urlbar.autocomplete.enabled", false);
user_pref("browser.urlbar.suggest.history", false);
user_pref("browser.urlbar.suggest.bookmark", false);
@ -617,7 +619,7 @@ user_pref("security.insecure_field_warning.contextual.enabled", true);
* [1] https://bugzilla.mozilla.org/1357835 ***/
user_pref("network.auth.subresource-img-cross-origin-http-auth-allow", false);
/*** 1000: CACHE [BEHAVIOR]
/*** 1000: CACHE [SETUP-CHROME]
ETAG [1] and other [2][3] cache tracking/fingerprinting techniques can be averted by
disabling *BOTH* disk (1001) and memory (1003) cache. ETAGs can also be neutralized
by modifying response headers [4]. Another solution is to use a hardened configuration
@ -659,21 +661,21 @@ user_pref("browser.cache.disk_cache_ssl", false);
// user_pref("network.dnsCacheExpiration", 60);
/** SESSIONS & SESSION RESTORE ***/
/* 1020: disable the Session Restore service completely
* [BEHAVIOR] This also disables the "Recently Closed Tabs" feature
* [SETUP-CHROME] This also disables the "Recently Closed Tabs" feature
* It does not affect "Recently Closed Windows" or any history. ***/
user_pref("browser.sessionstore.max_tabs_undo", 0);
user_pref("browser.sessionstore.max_windows_undo", 0);
/* 1021: disable storing extra session data [BEHAVIOR]
/* 1021: disable storing extra session data [SETUP-CHROME]
* extra session data contains contents of forms, scrollbar positions, cookies and POST data
* define on which sites to save extra session data:
* 0=everywhere, 1=unencrypted sites, 2=nowhere ***/
user_pref("browser.sessionstore.privacy_level", 2);
/* 1022: disable resuming session from crash [BEHAVIOR] ***/
/* 1022: disable resuming session from crash [SETUP-CHROME] ***/
user_pref("browser.sessionstore.resume_from_crash", false);
/* 1023: set the minimum interval between session save operations - increasing it
* can help on older machines and some websites, as well as reducing writes, see [1]
* Default is 15000 (15 secs). Try 30000 (30sec), 60000 (1min) etc
* [BEHAVIOR] This can also affect entries in the "Recently Closed Tabs" feature:
* [SETUP-CHROME] This can also affect entries in the "Recently Closed Tabs" feature:
* i.e. the longer the interval the more chance a quick tab open/close won't be captured.
* This longer interval *may* affect history but we cannot replicate any history not recorded
* [1] https://bugzilla.mozilla.org/1304389 ***/
@ -709,7 +711,7 @@ user_pref("alerts.showFavicons", false); // default: false
user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
/** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
/* 1201: disable old SSL/TLS "insecure" renegotiation (vulnerable to a MiTM attack)
* [BREAKAGE] <2% of secure sites do NOT support the newer "secure" renegotiation, see [2]
* [SETUP-WEB] <2% of secure sites do NOT support the newer "secure" renegotiation, see [2]
* [1] https://wiki.mozilla.org/Security:Renegotiation
* [2] https://www.ssllabs.com/ssl-pulse/ ***/
user_pref("security.ssl.require_safe_negotiation", true);
@ -750,7 +752,7 @@ user_pref("security.ssl.enable_ocsp_stapling", true);
* [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
* [1] https://en.wikipedia.org/wiki/Ocsp ***/
user_pref("security.OCSP.enabled", 1);
/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail [BREAKAGE]
/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail [SETUP-WEB]
* When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
* Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
* It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
@ -797,7 +799,7 @@ user_pref("security.mixed_content.block_object_subrequest", true);
* 2=deprecated option that now maps to 1
* 3=only allowed for locally-added roots (e.g. anti-virus)
* 4=only allowed for locally-added roots or for certs in 2015 and earlier
* [BREAKAGE] When disabled, some man-in-the-middle devices (e.g. security scanners and
* [SETUP-WEB] When disabled, some man-in-the-middle devices (e.g. security scanners and
* antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete.
* [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/
user_pref("security.pki.sha1_enforcement_level", 1);
@ -904,7 +906,7 @@ user_pref("network.http.sendRefererHeader", 2);
/* 1602: ALL: control the amount of information to send
* 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
user_pref("network.http.referer.trimmingPolicy", 0);
/* 1603: CROSS ORIGIN: control when to send a referer [BREAKAGE]
/* 1603: CROSS ORIGIN: control when to send a referer [SETUP-WEB]
* 0=always (default), 1=only if base domains match, 2=only if hosts match ***/
user_pref("network.http.referer.XOriginPolicy", 1);
/* 1604: CROSS ORIGIN: control the amount of information to send (FF52+)
@ -973,23 +975,23 @@ user_pref("plugin.state.flash", 0);
* plid.all = whether to scan the directories specified in the Windows registry for PLIDs.
* Used to detect RealPlayer, Java, Antivirus etc, but since FF52 only covers Flash ***/
user_pref("plugin.scan.plid.all", false);
/* 1820: disable all GMP (Gecko Media Plugins) [BREAKAGE]
/* 1820: disable all GMP (Gecko Media Plugins) [SETUP-WEB]
* [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/
user_pref("media.gmp-provider.enabled", false);
user_pref("media.gmp.trial-create.enabled", false);
user_pref("media.gmp-manager.url", "data:text/plain,");
user_pref("media.gmp-manager.url.override", "data:text/plain,"); // (hidden pref)
user_pref("media.gmp-manager.updateEnabled", false); // disable local fallback (hidden pref)
/* 1825: disable widevine CDM (Content Decryption Module) [BREAKAGE] ***/
/* 1825: disable widevine CDM (Content Decryption Module) [SETUP-WEB] ***/
user_pref("media.gmp-widevinecdm.visible", false);
user_pref("media.gmp-widevinecdm.enabled", false);
user_pref("media.gmp-widevinecdm.autoupdate", false);
/* 1830: disable all DRM content (EME: Encryption Media Extension) [BREAKAGE]
/* 1830: disable all DRM content (EME: Encryption Media Extension) [SETUP-WEB]
* [SETTING] General>DRM Content>Play DRM-controlled content
* [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
user_pref("media.eme.enabled", false);
/* 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate"
* This is the bundled codec used for video chat in WebRTC [BREAKAGE] ***/
* This is the bundled codec used for video chat in WebRTC [SETUP-WEB] ***/
user_pref("media.gmp-gmpopenh264.enabled", false); // (hidden pref)
user_pref("media.gmp-gmpopenh264.autoupdate", false);
@ -1042,7 +1044,7 @@ user_pref("dom.imagecapture.enabled", false); // default: false
user_pref("gfx.offscreencanvas.enabled", false); // default: false
/* 2030: disable auto-play of HTML5 media (FF63+)
* 0=Allowed (default), 1=Blocked, 2=Prompt
* [BREAKAGE] This may break video playback on various sites ***/
* [SETUP-WEB] This may break video playback on various sites ***/
user_pref("media.autoplay.default", 1);
/* 2031: disable audio auto-play in non-active tabs (FF51+)
* [1] https://www.ghacks.net/2016/11/14/firefox-51-blocks-automatic-audio-playback-in-non-active-tabs/ ***/
@ -1091,7 +1093,7 @@ user_pref("dom.popup_allowed_events", "click dblclick");
including service and shared workers. Shared workers can be utilized by multiple scripts and
communicate between browsing contexts (windows/tabs/iframes) and can even control your cache.
[BREAKAGE] Disabling "web workers" might break sites
[SETUP-WEB] Disabling "web workers" might break sites
[UPDATE] uMatrix 1.2.0+ allows a per-scope control for workers (2301-deprecated) and service workers (2302)
#Required reading [#] https://github.com/gorhill/uMatrix/releases/tag/1.2.0
@ -1134,7 +1136,7 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!
* [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/
// user_pref("dom.event.contextmenu.enabled", false);
/* 2402: disable website access to clipboard events/content
* [BREAKAGE] This will break some sites functionality such as pasting into facebook, wordpress
* [SETUP-WEB] This will break some sites functionality such as pasting into facebook, wordpress
* this applies to onCut, onCopy, onPaste events - i.e. you have to interact with
* the website for it to look at the clipboard
* [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/ ***/
@ -1159,7 +1161,7 @@ user_pref("dom.vibrator.enabled", false);
* [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
user_pref("javascript.options.asmjs", false);
/* 2421: disable Ion and baseline JIT to help harden JS against exploits
* [NOTE] Causes the odd site issue and there is also a performance loss
* [SETUP-PERF] If false, causes the odd site issue and there is also a performance loss
* [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
// user_pref("javascript.options.ion", false);
// user_pref("javascript.options.baselinejit", false);
@ -1199,7 +1201,7 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m
user_pref("media.navigator.enabled", false);
/* 2508: disable hardware acceleration to reduce graphics fingerprinting
* [SETTING] General>Performance>Custom>Use hardware acceleration when available
* [BREAKAGE] Affects text rendering (fonts will look different), impacts video performance,
* [SETUP-PERF] Affects text rendering (fonts will look different), impacts video performance,
* and parts of Quantum that utilize the GPU will also be affected as they are rolled out
* [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/
// user_pref("gfx.direct2d.disabled", true); // [WINDOWS]
@ -1211,7 +1213,7 @@ user_pref("dom.webaudio.enabled", false);
* [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent ***/
user_pref("dom.w3c_pointer_events.enabled", false);
/* 2517: disable Media Capabilities API (FF63+)
* [NOTE] This *may* affect media performance if disabled, no one is sure
* [SETUP-PERF] This *may* affect media performance if disabled, no one is sure
* [1] https://github.com/WICG/media-capabilities
* [2] https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/
// user_pref("media.media-capabilities.enabled", false);
@ -1232,7 +1234,7 @@ user_pref("browser.helperApps.deleteTempFileOnExit", true);
* look in profile/thumbnails directory - you may want to clean that out ***/
user_pref("browser.pagethumbnails.capturing_disabled", true); // (hidden pref)
/* 2605: block web content in file processes (FF55+)
* [BREAKAGE] You may want to disable this for corporate or developer environments
* [SETUP-WEB] You may want to disable this for corporate or developer environments
* [1] https://bugzilla.mozilla.org/1343184 ***/
user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false);
/* 2606: disable UITour backend so there is no chance that a remote page can use it ***/
@ -1252,7 +1254,7 @@ user_pref("devtools.webide.enabled", false);
* [1] https://bugzilla.mozilla.org/1173199 ***/
user_pref("mathml.disabled", true);
/* 2610: disable in-content SVG (Scalable Vector Graphics) (FF53+)
* [BREAKAGE] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
* [SETUP-WEB] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
* [1] https://bugzilla.mozilla.org/1216893 ***/
// user_pref("svg.disabled", true);
/* 2611: disable middle mouse click opening links from clipboard
@ -1311,13 +1313,13 @@ user_pref("browser.download.hide_plugins_without_extensions", false);
/* 2654: disable "open with" in download dialog (FF50+)
* This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
* in such a way that it is forbidden to run external applications.
* [BEHAVIOR] This may interfere with some users' workflow or methods
* [SETUP-CHROME] This may interfere with some users' workflow or methods
* [1] https://bugzilla.mozilla.org/1281959 ***/
user_pref("browser.download.forbid_open_with", true);
/** EXTENSIONS ***/
/* 2660: lock down allowed extension directories
* [BEHAVIOR] This will break extensions that do not use the default XPI directories
* [SETUP-CHROME] This will break extensions that do not use the default XPI directories
* [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
* [1] archived: https://archive.is/DYjAM ***/
user_pref("extensions.enabledScopes", 1); // (hidden pref)
@ -1422,7 +1424,7 @@ user_pref("dom.caches.enabled", false);
* [3] https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/
// user_pref("dom.storageManager.enabled", false);
/*** 2800: SHUTDOWN [BEHAVIOR]
/*** 2800: SHUTDOWN [SETUP-CHROME]
You should set the values to what suits you best.
- "Offline Website Data" includes appCache (2730), localStorage (2710),
Service Worker cache (2740), and QuotaManager (IndexedDB (2720), asm-cache)
@ -1497,7 +1499,7 @@ user_pref("privacy.sanitize.timeSpan", 0);
***/
user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
/* 4001: enable First Party Isolation (FF51+)
* [BREAKAGE] May break cross-domain logins and site functionality until perfected
* [SETUP-WEB] May break cross-domain logins and site functionality until perfected
* [1] https://bugzilla.mozilla.org/1260931 ***/
user_pref("privacy.firstparty.isolate", true);
/* 4002: enforce FPI restriction for window.opener (FF54+)
@ -1569,11 +1571,11 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // default
***/
user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
/* 4501: enable privacy.resistFingerprinting (FF41+)
* [BREAKAGE] RFP is not ready for the masses, so expect some website breakage
* [SETUP-WEB] RFP is not ready for the masses, so expect some website breakage
* [1] https://bugzilla.mozilla.org/418986 ***/
user_pref("privacy.resistFingerprinting", true); // (hidden pref) (not hidden FF55+)
/* 4502: set new window sizes to round to hundreds (FF55+)
* [BEHAVIOR] Width will round down to multiples of 200s and height to 100s, to fit your screen.
* [SETUP-CHROME] Width will round down to multiples of 200s and height to 100s, to fit your screen.
* The override values are a starting point to round from if you want some control
* [1] https://bugzilla.mozilla.org/1330882
* [2] https://hardware.metrics.mozilla.com/ ***/
@ -2105,7 +2107,7 @@ user_pref("extensions.shield-recipe-client.api_url", "");
// [-] https://bugzilla.mozilla.org/1433324
user_pref("browser.newtabpage.activity-stream.enabled", false);
// 2301: disable workers
// [BREAKAGE] Disabling workers *will* break sites (e.g. Google Street View, Twitter)
// [SETUP-WEB] Disabling workers *will* break sites (e.g. Google Street View, Twitter)
// [NOTE] CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)
// [-] https://bugzilla.mozilla.org/1434934
user_pref("dom.workers.enabled", false);
@ -2160,7 +2162,7 @@ user_pref("shield.savant.enabled", false);
// [-] https://bugzilla.mozilla.org/1453751
// user_pref("browser.chrome.favicons", false);
// 2030: disable auto-play of HTML5 media - replaced by media.autoplay.default
// [BREAKAGE] This may break video playback on various sites
// [SETUP-WEB] This may break video playback on various sites
// [-] https://bugzilla.mozilla.org/1470082
user_pref("media.autoplay.enabled", false);
// 2704: set cookie lifetime in days (see 2703)