From 9ad1ce561f080e7b286a35577634ab23f0e4a9b9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 19 Aug 2025 10:49:32 +0000 Subject: [PATCH 1/5] v142 --- user.js | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index d9364ee..613ba3b 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 14 August 2025 -* version: 140 +* date: 15 September 2025 +* version: 142 * urls: https://github.com/arkenfox/user.js [repo] * : https://arkenfox.github.io/gui/ [interactive] * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -656,7 +656,7 @@ user_pref("privacy.clearOnShutdown_v2.cookiesAndStorage", true); /* 2820: set manual "Clear Data" items [SETUP-CHROME] [FF128+] * Firefox remembers your last choices. This will reset them when you start Firefox * [SETTING] Privacy & Security>Browser Privacy>Cookies and Site Data>Clear Data ***/ -user_pref("privacy.clearSiteData.cache", true); +user_pref("privacy.clearSiteData.cache", true); // [DEFAULT: true] user_pref("privacy.clearSiteData.cookiesAndStorage", false); // keep false until it respects "allow" site exceptions user_pref("privacy.clearSiteData.historyFormDataAndDownloads", true); // user_pref("privacy.clearSiteData.siteSettings", false); @@ -761,7 +761,10 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected. 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62) 1479239 - return "no-preference" with prefers-reduced-motion (FF63) - 1363508 & 1826051 - spoof/suppress Pointer Events (FF64, FF132) + 1363508 & 1826051 & 1957658 - spoof/suppress Pointer Events, spoof maxTouchPoints (FF64, FF132, FF143, ESR140.2) + FF64: maxTouchPoints: 0 = desktop + FF132: maxTouchPoints: 0 = mac | 10 = windows, linux, mobile + FF143/140.2: maxTouchPoints: 0 = mac, linux | 10 = windows | 5 = mobile 1492766 - spoof pointerEvent.pointerid (FF65) 1485266 - disable exposure of system colors to CSS or canvas (FF67) 1494034 - return "light" with prefers-color-scheme (FF67) From ae6242bdede070e72384a0d7da2a1f6a6505db57 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 20 Aug 2025 16:01:10 +0000 Subject: [PATCH 2/5] remove OCSP, #1576 --- user.js | 31 ++++++------------------------- 1 file changed, 6 insertions(+), 25 deletions(-) diff --git a/user.js b/user.js index 613ba3b..5235b03 100644 --- a/user.js +++ b/user.js @@ -401,29 +401,6 @@ user_pref("security.ssl.require_safe_negotiation", true); * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ user_pref("security.tls.enable_0rtt_data", false); -/** OCSP (Online Certificate Status Protocol) - [1] https://scotthelme.co.uk/revocation-is-broken/ - [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ -***/ -/* 1211: enforce OCSP fetching to confirm current validity of certificates - * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only - * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority) - * It's a trade-off between security (checking) and privacy (leaking info to the CA) - * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling - * [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers... - * [1] https://en.wikipedia.org/wiki/Ocsp ***/ -user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1] -/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail - * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR | SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST - * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail) - * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail) - * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it - * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers) - * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ - * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html - * [3] https://letsencrypt.org/2024/12/05/ending-ocsp/ ***/ -user_pref("security.OCSP.require", true); - /** CERTS / HPKP (HTTP Public Key Pinning) ***/ /* 1223: enable strict PKP (Public Key Pinning) * 0=disabled, 1=allow user MiTM (default; such as your antivirus), 2=strict @@ -435,9 +412,10 @@ user_pref("security.cert_pinning.enforcement_level", 2); * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (default) * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071 - * [2] https://blog.mozilla.org/security/tag/crlite/ ***/ + * [2] https://blog.mozilla.org/security/tag/crlite/ + * [3] https://hacks.mozilla.org/2025/08/crlite-fast-private-and-comprehensive-certificate-revocation-checking-in-firefox/ ***/ user_pref("security.remote_settings.crlite_filters.enabled", true); // [DEFAULT: true FF137+] -user_pref("security.pki.crlite_mode", 2); +user_pref("security.pki.crlite_mode", 2); // [DEFAULT: 2 FF142+] /** MIXED CONTENT ***/ /* 1241: disable insecure passive content (such as images) on https pages ***/ @@ -1052,6 +1030,9 @@ user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true] // user_pref("privacy.cpd.history", ""); // user_pref("privacy.cpd.offlineApps", ""); // user_pref("privacy.cpd.sessions", ""); +/* 6051: prefsCleaner: reset previously active items removed from arkenfox FF140+ ***/ + // user_pref("security.OCSP.enabled", ""); + // user_pref("security.OCSP.require", ""); /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); From 934a339e41fd495a4be7139c892f9f6e70cd7fb1 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 20 Aug 2025 16:10:56 +0000 Subject: [PATCH 3/5] add removed OCSP prefs to cleanup script --- scratchpad-scripts/arkenfox-cleanup.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-cleanup.js b/scratchpad-scripts/arkenfox-cleanup.js index b1b44f5..b0d8a06 100644 --- a/scratchpad-scripts/arkenfox-cleanup.js +++ b/scratchpad-scripts/arkenfox-cleanup.js @@ -6,7 +6,7 @@ There is an archived version at https://github.com/arkenfox/user.js/issues/123 if you want the full list since jesus - Last updated: 14-August-2025 + Last updated: 20-August-2025 Instructions: - [optional] close Firefox and backup your profile @@ -76,6 +76,9 @@ 'security.ssl3.rsa_des_ede3_sha', // 93 /* REMOVED */ + /* 141-153 */ + 'security.OCSP.enabled', + 'security.OCSP.require', /* 129-140 */ 'dom.securecontext.allowlist_onions', 'network.http.referer.hideOnionSource', From ff92cee8f0865a52b917800887a77760b65aa6a0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 24 Aug 2025 05:03:28 +0000 Subject: [PATCH 4/5] update FPP info --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 5235b03..9fbbc2d 100644 --- a/user.js +++ b/user.js @@ -204,7 +204,7 @@ user_pref("network.prefetch-next", false); user_pref("network.dns.disablePrefetch", true); user_pref("network.dns.disablePrefetchFromHTTPS", true); /* 0603: disable predictor / prefetching ***/ -user_pref("network.predictor.enabled", false); +user_pref("network.predictor.enabled", false); // [DEFAULT: false FF144+] user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false] /* 0604: disable link-mouseover opening connection to linked server * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/ @@ -681,7 +681,7 @@ user_pref("privacy.sanitize.timeSpan", 0); 1887682 - use fdlibm's sin, cos and tan in jsmath (FF134+) 1978414 - various (FF143+) 1954194: available screen resolution: return a fixed offset height from screen per platform when not full screen - 1978414: hardwareConcurrency: return 2 (existing RFPTarget) + 1978414 & 1984333: hardwareConcurrency: return 2 (FF143) | mac return 8 else return 4 (FF144+) 1977836: maxTouchPoints: return multi-touch as 5 ***/ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); From c5087d6522ee63140dac916efb1fde41f6e6f058 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 25 Aug 2025 11:25:44 +0000 Subject: [PATCH 5/5] tidy --- user.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 9fbbc2d..048e1b2 100644 --- a/user.js +++ b/user.js @@ -681,7 +681,7 @@ user_pref("privacy.sanitize.timeSpan", 0); 1887682 - use fdlibm's sin, cos and tan in jsmath (FF134+) 1978414 - various (FF143+) 1954194: available screen resolution: return a fixed offset height from screen per platform when not full screen - 1978414 & 1984333: hardwareConcurrency: return 2 (FF143) | mac return 8 else return 4 (FF144+) + 1978414 & 1984333: hardwareConcurrency: return 2 (FF143) | less than 8 return 4 else return 8 (FF144+) 1977836: maxTouchPoints: return multi-touch as 5 ***/ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); @@ -714,7 +714,6 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); [WARNING] DO NOT USE extensions to alter RFP protected metrics 418986 - limit window.screen & CSS media queries (FF41) - 1360039 - spoof navigator.hardwareConcurrency as 2 (FF55) FF56 1333651 - spoof User Agent & Navigator API JS: spoofed as Windows 10, OS X 10.15, Android 10, or Linux @@ -773,6 +772,8 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); 1972600 - spoof network connection for HTMLMediaElement preload (FF142, ESR140.1) 1975851 - return true for navigator.onLine (FF142, ESR140.1) 1973265 - disable WebCodecs API (FF142?) + 1984333 - spoof navigator.hardwareConcurrency as 4 except mac return 8 (FF144+) + previously FF55+ it returned 2 ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable RFP