From 4074a37e1d3a2492e0fd28bcc9289b8b88e94b58 Mon Sep 17 00:00:00 2001 From: earthlng Date: Sat, 7 Dec 2019 18:26:39 +0000 Subject: [PATCH 001/657] 1201 + 1270 update (#859) trim by a line, remove extra space, fixup on red, indicate it only applies if 1201 is false --- user.js | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 9f74ed7..e3bed20 100644 --- a/user.js +++ b/user.js @@ -640,8 +640,15 @@ user_pref("browser.shell.shortcutFavicons", false); ***/ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/ -/* 1201: disable old SSL/TLS "insecure" negotiation (vulnerable to a MiTM attack) - * [1] https://wiki.mozilla.org/Security:Renegotiation ***/ +/* 1201: require safe negotiation + * Blocks connections to servers that don't support RFC 5746 [2] as they're potentially + * vulnerable to a MiTM attack [3]. A server *without* RFC 5746 can be safe from the attack + * if it disables renegotiations but the problem is that the browser can't know that. + * Setting this pref to true is the only way for the browser to ensure there will be + * no unsafe renegotiations on the channel between the browser and the server. + * [1] https://wiki.mozilla.org/Security:Renegotiation + * [2] https://tools.ietf.org/html/rfc5746 + * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 ***/ user_pref("security.ssl.require_safe_negotiation", true); /* 1202: control TLS versions with min and max * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 @@ -747,8 +754,10 @@ user_pref("security.mixed_content.block_object_subrequest", true); // user_pref("security.ssl3.rsa_aes_256_sha", false); /** UI (User Interface) ***/ -/* 1270: display warning (red padlock) for "broken security" (see 1201) - * [1] https://wiki.mozilla.org/Security:Renegotiation ***/ +/* 1270: display warning on the padlock for "broken security" (if 1201 is false) + * Bug: warning padlock not indicated for subresources on a secure page! [2] + * [1] https://wiki.mozilla.org/Security:Renegotiation + * [2] https://bugzilla.mozilla.org/1353705 ***/ user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); /* 1271: control "Add Security Exception" dialog on SSL warnings * 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default) From 30daf8640c3eea528a53eb0dff2ddfc684ce591f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 9 Dec 2019 20:18:42 +0000 Subject: [PATCH 002/657] FPI stuff --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index e3bed20..3498983 100644 --- a/user.js +++ b/user.js @@ -1361,7 +1361,7 @@ user_pref("privacy.sanitize.timeSpan", 0); ** 1542309 - isolate top-level domain URLs when host is in the public suffix list (FF68+) ** 1506693 - isolate pdfjs range-based requests (FF68+) ** 1330467 - isolate site permissions (FF69+) - ** 1534339 - isolate IPv6 (coming soon) + ** 1534339 - isolate IPv6 (FF73+) ***/ user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out"); /* 4001: enable First Party Isolation [FF51+] From df1732745d84b1f7b163d6345fc66db4bb31402b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 10 Dec 2019 22:07:23 +0000 Subject: [PATCH 003/657] 0308: seach engine updates: better info #840 --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 3498983..5ffeea4 100644 --- a/user.js +++ b/user.js @@ -208,7 +208,8 @@ user_pref("app.update.auto", false); * used when installing/updating an extension, and in daily background update checks: if false, it * hides the expanded text description (if it exists) when you "show more details about an addon" ***/ // user_pref("extensions.getAddons.cache.enabled", false); -/* 0308: disable search update +/* 0308: disable search engine updates (e.g. OpenSearch) + * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines * [SETTING] General>Firefox Updates>Automatically update search engines ***/ user_pref("browser.search.update", false); /* 0309: disable sending Flash crash reports ***/ From 5672bc8cc8a978eed39e39b009cb909882ce4db0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 12 Dec 2019 01:21:17 +0000 Subject: [PATCH 004/657] 2032 removed, 4002 inactive, closes #840 --- user.js | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/user.js b/user.js index 5ffeea4..ddbb1b5 100644 --- a/user.js +++ b/user.js @@ -936,9 +936,6 @@ user_pref("media.getusermedia.audiocapture.enabled", false); // user_pref("media.autoplay.default", 5); /* 2031: disable autoplay of HTML5 media if you interacted with the site [FF66+] ***/ user_pref("media.autoplay.enabled.user-gestures-needed", false); -/* 2032: disable autoplay of HTML5 media in non-active tabs [FF51+] - * [1] https://www.ghacks.net/2016/11/14/firefox-51-blocks-automatic-audio-playback-in-non-active-tabs/ ***/ -user_pref("media.block-autoplay-until-in-foreground", true); // [DEFAULT: true] /*** [SECTION 2200]: WINDOW MEDDLING & LEAKS / POPUPS ***/ user_pref("_user.js.parrot", "2200 syntax error: the parrot's 'istory!"); @@ -1377,7 +1374,7 @@ user_pref("privacy.firstparty.isolate", true); * [1] https://bugzilla.mozilla.org/1319773#c22 * [2] https://bugzilla.mozilla.org/1492607 * [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/ -user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true] + // user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true] // user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF ESR] /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING) From 1ef62a1036ea4d37476aa09f164e82be0d82c9b5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 12 Dec 2019 01:24:12 +0000 Subject: [PATCH 005/657] media.block-autoplay-until-in-foreground #840 --- scratchpad-scripts/ghacks-clear-[removed].js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/ghacks-clear-[removed].js b/scratchpad-scripts/ghacks-clear-[removed].js index 3a889fd..71f3c8a 100644 --- a/scratchpad-scripts/ghacks-clear-[removed].js +++ b/scratchpad-scripts/ghacks-clear-[removed].js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the ghacks user.js. - Last updated: 11-November-2019 + Last updated: 11-December-2019 For instructions see: https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -215,6 +215,8 @@ 'security.insecure_connection_icon.pbmode.enabled', 'security.insecure_connection_text.pbmode.enabled', 'webgl.dxgl.enabled', + /* 71-beta */ + 'media.block-autoplay-until-in-foreground', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] From 9c02949e04498c6cb677ae5710737d1451fb16af Mon Sep 17 00:00:00 2001 From: earthlng Date: Tue, 17 Dec 2019 15:00:34 +0000 Subject: [PATCH 006/657] 0000: config.xhtml in FF73+ (#865) --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index ddbb1b5..b0c0c99 100644 --- a/user.js +++ b/user.js @@ -84,7 +84,8 @@ user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?"); /* 0000: disable about:config warning - * The XUL version can still be accessed in FF71+ @ chrome://global/content/config.xul ***/ + * The XUL version can still be accessed in FF71+ @ chrome://global/content/config.xul + * and in FF73+ @ chrome://global/content/config.xhtml ***/ user_pref("general.warnOnAboutConfig", false); // for the XUL version user_pref("browser.aboutConfig.showWarning", false); // for the new HTML version [FF71+] From cd07641a9daf05d523ee239c5cc8e07de2a1e572 Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 18 Dec 2019 05:02:25 +0000 Subject: [PATCH 007/657] 2701: make sure cookieBehavior is always honored (#866) see #862 --- user.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index b0c0c99..2bb7809 100644 --- a/user.js +++ b/user.js @@ -1245,8 +1245,10 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin * 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies, * 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (FF63+) (default FF69+) * [NOTE] You can set exceptions under site permissions or use an extension - * [SETTING] Privacy & Security>Content Blocking>Custom>Choose what to block>Cookies ***/ + * [NOTE] Enforcing category to custom ensures ETP related prefs are always honored + * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Choose what to block>Cookies ***/ user_pref("network.cookie.cookieBehavior", 1); +user_pref("browser.contentblocking.category", "custom"); /* 2702: set third-party cookies (i.e ALL) (if enabled, see 2701) to session-only and (FF58+) set third-party non-secure (i.e HTTP) cookies to session-only [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and From a1cdbc8324afddaad2ab49e478f7b72a49f21a8d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 18 Dec 2019 07:46:44 +0000 Subject: [PATCH 008/657] 1408 graphite, closes #1408 and 2619 puncyode --- user.js | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index 2bb7809..cd542f9 100644 --- a/user.js +++ b/user.js @@ -789,9 +789,10 @@ user_pref("browser.display.use_document_fonts", 0); /* 1404: disable rendering of SVG OpenType fonts * [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/ user_pref("gfx.font_rendering.opentype_svg.enabled", false); -/* 1408: disable graphite which FF49 turned back on by default - * In the past it had security issues. Update: This continues to be the case, see [1] - * [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 ***/ +/* 1408: disable graphite + * Graphite has had many critical security issues in the past, see [1] + * [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 + * [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/ user_pref("gfx.font_rendering.graphite.enabled", false); /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed. @@ -1162,8 +1163,8 @@ user_pref("permissions.manager.defaultsUrl", ""); /* 2617: remove webchannel whitelist ***/ user_pref("webchannel.allowObject.urlWhitelist", ""); /* 2619: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing - * Firefox has *some* protections, but it is better to be safe than sorry. The downside: it will also - * display legitimate IDN's punycoded, which might be undesirable for users of non-latin alphabets + * Firefox has *some* protections, but it is better to be safe than sorry + * [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com) * [1] https://wiki.mozilla.org/IDN_Display_Algorithm * [2] https://en.wikipedia.org/wiki/IDN_homograph_attack From f9146fdf24bd168fa8dc7f1b9a1df1ee4c34f0b4 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 18 Dec 2019 09:46:21 +0000 Subject: [PATCH 009/657] update setting tags, minor tweaks --- user.js | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/user.js b/user.js index cd542f9..2613657 100644 --- a/user.js +++ b/user.js @@ -200,7 +200,7 @@ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the // user_pref("extensions.update.enabled", false); /* 0302a: disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+] * [NOTE] In FF65+ on Windows this SETTING (below) is now stored in a file and the pref was removed - * [SETTING] General>Firefox Updates>Check for updates but let you choose... ***/ + * [SETTING] General>Firefox Updates>Check for updates but let you choose to install them ***/ user_pref("app.update.auto", false); /* 0302b: disable auto-INSTALLING extension and theme updates (after the check in 0301b) * [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/ @@ -257,7 +257,7 @@ user_pref("datareporting.policy.dataSubmissionEnabled", false); user_pref("app.shield.optoutstudies.enabled", false); /* 0343: disable personalized Extension Recommendations in about:addons and AMO [FF65+] * [NOTE] This pref has no effect when Health Reports (0340) are disabled - * [SETTING] Privacy & Security>Firefox Data Collection & Use>...>Allow Firefox to make personalized extension rec. + * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to make personalized extension recommendations * [1] https://support.mozilla.org/kb/personalized-extension-recommendations ***/ user_pref("browser.discovery.enabled", false); /* 0350: disable Crash Reports ***/ @@ -361,7 +361,6 @@ user_pref("browser.ping-centre.telemetry", false); /* 0517: disable Form Autofill * [NOTE] Stored data is NOT secure (uses a JSON file) * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes - * [SETTING] Privacy & Security>Forms & Passwords>Autofill addresses * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill * [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ ***/ user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] @@ -411,7 +410,7 @@ user_pref("network.dns.disableIPv6", true); * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to * enhance privacy, and opens up a number of server-side fingerprinting opportunities. * [WARNING] Disabling this made sense in the past, and doesn't break anything, but HTTP2 is - * at 35% (April 2019) and growing [5]. Don't be that one person using HTTP1.1 on HTTP2 sites + * at 40% (December 2019) and growing [5]. Don't be that one person using HTTP1.1 on HTTP2 sites * [1] https://http2.github.io/faq/ * [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html * [3] https://http2.github.io/http2-spec/#rfc.section.10.8 @@ -518,11 +517,12 @@ user_pref("browser.urlbar.speculativeConnect.enabled", false); /* 0850e: disable location bar one-off searches [FF51+] * [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ ***/ // user_pref("browser.urlbar.oneOffSearches", false); -/* 0860: disable search and form history [SETUP-WEB] - * [WARNING] Autocomplete form data is still (in April 2019) easily read by third parties, see [1] - * [NOTE] We also clear formdata on exiting Firefox (see 2803) +/* 0860: disable search and form history + * [SETUP-WEB] Be aware thet autocomplete form data can be read by third parties, see [1] [2] + * [NOTE] We also clear formdata on exit (see 2803) * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history - * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html ***/ + * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html + * [2] https://bugzilla.mozilla.org/381681 ***/ user_pref("browser.formfill.enable", false); /* 0862: disable browsing and download history * [NOTE] We also clear history and downloads on exiting Firefox (see 2803) @@ -540,11 +540,11 @@ user_pref("browser.taskbar.previews.enable", false); user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); /* 0901: disable saving passwords * [NOTE] This does not clear any passwords already saved - * [SETTING] Privacy & Security>Forms & Passwords>Ask to save logins and passwords for websites ***/ + * [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/ // user_pref("signon.rememberSignons", false); -/* 0902: use a master password (recommended if you save passwords) +/* 0902: use a master password * There are no preferences for this. It is all handled internally. - * [SETTING] Privacy & Security>Forms & Passwords>Use a master password + * [SETTING] Privacy & Security>Logins and Passwords>Use a master password * [1] https://support.mozilla.org/kb/use-master-password-protect-stored-logins ***/ /* 0903: set how often Firefox should ask for the master password * 0=the first time (default), 1=every time it's needed, 2=every n minutes (see 0904) ***/ @@ -554,7 +554,8 @@ user_pref("security.ask_for_password", 2); user_pref("security.password_lifetime", 5); /* 0905: disable auto-filling username & password form fields * can leak in cross-site forms *and* be spoofed - * [NOTE] Username & password is still available when you enter the field ***/ + * [NOTE] Username & password is still available when you enter the field + * [SETTING] Privacy & Security>Logins and Passwords>Autofill logins and passwords ***/ user_pref("signon.autofillForms", false); /* 0909: disable formless login capture for Password Manager [FF51+] ***/ user_pref("signon.formlessCapture.enabled", false); @@ -723,7 +724,7 @@ user_pref("security.family_safety.mode", 0); // user_pref("security.nocertdb", true); // [HIDDEN PREF] /* 1223: enforce strict pinning * PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict - * [WARNING] If you rely on an AV (antivirus) to protect your web browsing + * [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing * by inspecting ALL your web traffic, then leave at current default=1 * [1] https://trac.torproject.org/projects/tor/ticket/16206 ***/ user_pref("security.cert_pinning.enforcement_level", 2); @@ -849,8 +850,8 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 0); // [DEFAULT: 0] * [1] https://bugzilla.mozilla.org/1305144 ***/ user_pref("network.http.referer.hideOnionSource", true); /* 1610: ALL: enable the DNT (Do Not Track) HTTP header - * [NOTE] DNT is enforced with Tracking Protection regardless of this pref - * [SETTING] Privacy & Security>Content Blocking>Send websites a "Do Not Track"... ***/ + * [NOTE] DNT is enforced with Enhanced Tracking Protection regardless of this pref + * [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal... ***/ user_pref("privacy.donottrackheader.enabled", true); /*** [SECTION 1700]: CONTAINERS @@ -1247,7 +1248,7 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin * 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (FF63+) (default FF69+) * [NOTE] You can set exceptions under site permissions or use an extension * [NOTE] Enforcing category to custom ensures ETP related prefs are always honored - * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Choose what to block>Cookies ***/ + * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/ user_pref("network.cookie.cookieBehavior", 1); user_pref("browser.contentblocking.category", "custom"); /* 2702: set third-party cookies (i.e ALL) (if enabled, see 2701) to session-only From 34cfcedc1b0dd0d24e2a2a5d8b80bc318795d0b5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Dec 2019 16:19:39 +0000 Subject: [PATCH 010/657] 2402+2403, finally closes #735 --- user.js | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/user.js b/user.js index 2613657..2b8a778 100644 --- a/user.js +++ b/user.js @@ -1030,14 +1030,12 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket! // user_pref("dom.event.contextmenu.enabled", false); /* 2402: disable website access to clipboard events/content * [SETUP-WEB] This will break some sites functionality such as pasting into facebook, wordpress - * this applies to onCut, onCopy, onPaste events - i.e. you have to interact with - * the website for it to look at the clipboard - * [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/ ***/ + * This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website + * [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one + * is default false) then enabling this pref can leak clipboard content, see [2] + * [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/ + * [2] https://bugzilla.mozilla.org/1528289 */ user_pref("dom.event.clipboardevents.enabled", false); -/* 2403: disable middlemouse paste leaking clipboard content on Linux after autoscroll - * Defense in depth if clipboard events are enabled (see 2402) - * [1] https://bugzilla.mozilla.org/1528289 */ -user_pref("middlemouse.paste", false); // [DEFAULT: false on Windows] /* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] * this disables document.execCommand("cut"/"copy") to protect your clipboard * [1] https://bugzilla.mozilla.org/1170911 ***/ @@ -1628,7 +1626,7 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); // user_pref("browser.tabs.closeWindowWithLastTab", false); // user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+] // user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+] - // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [WINDOWS] [MAC] + // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux] // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART] // user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under] /* UX FEATURES: disable and hide the icons and menus ***/ From 5b1d56933ba921ea0fee85fd46e355c484d70b87 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Dec 2019 16:21:21 +0000 Subject: [PATCH 011/657] middlemouse.paste, see #735 --- scratchpad-scripts/ghacks-clear-[removed].js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/ghacks-clear-[removed].js b/scratchpad-scripts/ghacks-clear-[removed].js index 71f3c8a..ab22f90 100644 --- a/scratchpad-scripts/ghacks-clear-[removed].js +++ b/scratchpad-scripts/ghacks-clear-[removed].js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the ghacks user.js. - Last updated: 11-December-2019 + Last updated: 19-December-2019 For instructions see: https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -217,6 +217,7 @@ 'webgl.dxgl.enabled', /* 71-beta */ 'media.block-autoplay-until-in-foreground', + 'middlemouse.paste', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] From 07c128a1907380f3706eba4daa0f6551491a429b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Dec 2019 16:31:51 +0000 Subject: [PATCH 012/657] 71 final --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 2b8a778..dd066d8 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 06 December 2019 -* version 71-beta: Dancing Pants +* date: 19 December 2019 +* version 71: Dancing Pants * "Ooh-ooh, see that girl, watch that scene, dig in the dancing pants" * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js From ed60588473f887c6a1c33c57ca6a803d6b99f583 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Dec 2019 16:34:44 +0000 Subject: [PATCH 013/657] 72-alpha start --- user.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/user.js b/user.js index dd066d8..d1594f8 100644 --- a/user.js +++ b/user.js @@ -1,8 +1,7 @@ /****** * name: ghacks user.js * date: 19 December 2019 -* version 71: Dancing Pants -* "Ooh-ooh, see that girl, watch that scene, dig in the dancing pants" +* version 72-alpha * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From 79d316fd2299ef4c724bc5354d5a35b0a50eabf7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Dec 2019 16:37:19 +0000 Subject: [PATCH 014/657] remove old deprecations --- user.js | 121 +------------------------------------------------------- 1 file changed, 1 insertion(+), 120 deletions(-) diff --git a/user.js b/user.js index d1594f8..f23aec4 100644 --- a/user.js +++ b/user.js @@ -1643,130 +1643,11 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED - Documentation denoted as [-]. Items deprecated prior to FF61 have been archived at [1], which + Documentation denoted as [-]. Items deprecated prior to FF68 have been archived at [1], which also provides a link-clickable, viewer-friendly version of the deprecated bugzilla tickets [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/123 ***/ user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); -/* FF61 -// 0501: disable experiments - // [1] https://wiki.mozilla.org/Telemetry/Experiments - // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1420908,1450801 -user_pref("experiments.enabled", false); -user_pref("experiments.manifest.uri", ""); -user_pref("experiments.supported", false); -user_pref("experiments.activeExperiment", false); -// 2612: disable remote JAR files being opened, regardless of content type [FF42+] - // [1] https://bugzilla.mozilla.org/1173171 - // [2] https://www.fxsitecompat.com/en-CA/docs/2015/jar-protocol-support-has-been-disabled-by-default/ - // [-] https://bugzilla.mozilla.org/1427726 -user_pref("network.jar.block-remote-files", true); -// 2613: disable JAR from opening Unsafe File Types - // [-] https://bugzilla.mozilla.org/1427726 -user_pref("network.jar.open-unsafe-types", false); -// ***/ -/* FF62 -// 1803: disable Java plugin - // [-] (part5) https://bugzilla.mozilla.org/1461243 -user_pref("plugin.state.java", 0); -// ***/ -/* FF63 -// 0205: disable GeoIP-based search results - // [NOTE] May not be hidden if Firefox has changed your settings due to your locale - // [-] https://bugzilla.mozilla.org/1462015 -user_pref("browser.search.countryCode", "US"); // [HIDDEN PREF] -// 0301a: disable auto-update checks for Firefox - // [SETTING] General>Firefox Updates>Never check for updates - // [-] https://bugzilla.mozilla.org/1420514 - // user_pref("app.update.enabled", false); -// 0503: disable "Savant" Shield study [FF61+] - // [-] https://bugzilla.mozilla.org/1457226 -user_pref("shield.savant.enabled", false); -// 1031: disable favicons in tabs and new bookmarks - merged into browser.chrome.site_icons - // [-] https://bugzilla.mozilla.org/1453751 - // user_pref("browser.chrome.favicons", false); -// 2030: disable autoplay of HTML5 media - replaced by media.autoplay.default - // This may break video playback on various sites - // [-] https://bugzilla.mozilla.org/1470082 -user_pref("media.autoplay.enabled", false); -// 2704: set cookie lifetime in days (see 2703) - // [-] https://bugzilla.mozilla.org/1457170 - // user_pref("network.cookie.lifetime.days", 90); // [DEFAULT: 90] -// 5000's: enable "Ctrl+Tab cycles through tabs in recently used order" - replaced by browser.ctrlTab.recentlyUsedOrder - // [-] https://bugzilla.mozilla.org/1473595 - // user_pref("browser.ctrlTab.previews", true); -// ***/ -/* FF64 -// 0516: disable Onboarding [FF55+] - // Onboarding is an interactive tour/setup for new installs/profiles and features. Every time - // about:home or about:newtab is opened, the onboarding overlay is injected into that page - // [NOTE] Onboarding uses Google Analytics [2], and leaks resource://URIs [3] - // [1] https://wiki.mozilla.org/Firefox/Onboarding - // [2] https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf - // [3] https://bugzilla.mozilla.org/863246#c154 - // [-] https://bugzilla.mozilla.org/1462415 -user_pref("browser.onboarding.enabled", false); -// 2608: disable WebIDE ADB extension downloads - both renamed - // [1] https://trac.torproject.org/projects/tor/ticket/16222 - // [-] https://bugzilla.mozilla.org/1491315 -user_pref("devtools.webide.autoinstallADBHelper", false); -user_pref("devtools.webide.adbAddonURL", ""); -// 2681: disable CSP violation events [FF59+] - // [1] https://developer.mozilla.org/docs/Web/API/SecurityPolicyViolationEvent - // [-] https://bugzilla.mozilla.org/1488165 -user_pref("security.csp.enable_violation_events", false); -// ***/ -/* FF65 -// 0850a: disable location bar autocomplete and suggestion types - // If you enforce any of the suggestion types (see the other 0850a), you MUST enforce 'autocomplete' - // - If *ALL* of the suggestion types are false, 'autocomplete' must also be false - // - If *ANY* of the suggestion types are true, 'autocomplete' must also be true - // [-] https://bugzilla.mozilla.org/1502392 -user_pref("browser.urlbar.autocomplete.enabled", false); -// 0908: remove user & password info when attempting to fix an entered URL (i.e. 0802 is true) - // e.g. //user:password@foo -> //user@(prefix)foo(suffix) NOT //user:password@(prefix)foo(suffix) - // [-] https://bugzilla.mozilla.org/1510580 -user_pref("browser.fixup.hide_user_pass", true); // [DEFAULT: true] -// ***/ -/* FF66 -// 0380: disable Browser Error Reporter [FF60+] - // [1] https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection - // [2] https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html - // [-] https://bugzilla.mozilla.org/1509888 -user_pref("browser.chrome.errorReporter.enabled", false); -user_pref("browser.chrome.errorReporter.submitUrl", ""); -// 0502: disable Mozilla permission to silently opt you into tests - // [-] https://bugzilla.mozilla.org/1415625 -user_pref("network.allow-experiments", false); -// ***/ -/* FF67 -// 2428: enforce DOMHighResTimeStamp API - // [WARNING] Required for normalization of timestamps and any timer resolution mitigations - // [-] https://bugzilla.mozilla.org/1485264 -user_pref("dom.event.highrestimestamp.enabled", true); // [DEFAULT: true] -// 5000's: disable CFR [FF64+] - split into two new prefs: *cfr.addons, *cfr.features - // [SETTING] General>Browsing>Recommend extensions as you browse - // [1] https://support.mozilla.org/en-US/kb/extension-recommendations - // [-] https://bugzilla.mozilla.org/1528953 - // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false); -// ***/ -/* FF68 -// 0105b: disable Activity Stream Legacy Snippets - // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1546190,1540939 -user_pref("browser.newtabpage.activity-stream.disableSnippets", true); -user_pref("browser.aboutHomeSnippets.updateUrl", ""); -// 0307: disable auto updating of lightweight themes (LWT) - // Not to be confused with themes in 0301* + 0302*, which use the FF55+ Theme API - // Mozilla plan to convert existing LWTs and remove LWT support in the future, see [1] - // [1] https://blog.mozilla.org/addons/2018/09/20/future-themes-here/ - // [-] (part3b) https://bugzilla.mozilla.org/1525762 -user_pref("lightweightThemes.update.enabled", false); -// 2682: enable CSP 1.1 experimental hash-source directive [FF29+] - // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=855326,883975 - // [-] https://bugzilla.mozilla.org/1386214 -user_pref("security.csp.experimentalEnabled", true); -// ***/ - /* ESR68.x still uses all the following prefs // [NOTE] replace the * with a slash in the line above to re-enable them // FF69 From ef293b57a7696fc044de395407a8c67f372d7617 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 22 Dec 2019 06:14:25 +0000 Subject: [PATCH 015/657] 5000s: add ui.systemUsesDarkTheme --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index f23aec4..27b22a3 100644 --- a/user.js +++ b/user.js @@ -1616,6 +1616,7 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); // user_pref("browser.download.autohideButton", false); // [FF57+] // user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+] // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent + // user_pref("ui.systemUsesDarkTheme", 1); // [[FF67+] override OS: 0=light, 1=dark /* CONTENT BEHAVIOR ***/ // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type" // user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX] From 85273d0f19e6314f69f323d581b46e00392167be Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 22 Dec 2019 07:13:48 +0000 Subject: [PATCH 016/657] 0517: setting tag --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index 27b22a3..58d5b31 100644 --- a/user.js +++ b/user.js @@ -360,6 +360,7 @@ user_pref("browser.ping-centre.telemetry", false); /* 0517: disable Form Autofill * [NOTE] Stored data is NOT secure (uses a JSON file) * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes + * [SETTING] Options>Privacy&Security>Forms and Autofill>Autofill addresses (FF73+) * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill * [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ ***/ user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] From 315de066ecee8501853f045926a622c3fe5f750e Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Tue, 24 Dec 2019 11:49:19 +0000 Subject: [PATCH 017/657] typo (#870) --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 58d5b31..ca6dc62 100644 --- a/user.js +++ b/user.js @@ -1617,7 +1617,7 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); // user_pref("browser.download.autohideButton", false); // [FF57+] // user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+] // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent - // user_pref("ui.systemUsesDarkTheme", 1); // [[FF67+] override OS: 0=light, 1=dark + // user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] override OS: 0=light, 1=dark /* CONTENT BEHAVIOR ***/ // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type" // user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX] From 18ad40a5c603f176a4f835cb72b89a3cc33255a7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 25 Dec 2019 02:14:49 +0000 Subject: [PATCH 018/657] systemUsesDarkTheme -> RFP Alts --- user.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index ca6dc62..17413cf 100644 --- a/user.js +++ b/user.js @@ -1439,7 +1439,7 @@ user_pref("privacy.firstparty.isolate", true); FF65: pointerEvent.pointerid (1492766) ** 1485266 - disable exposure of system colors to CSS or canvas (see 4615) (FF67+) ** 1407366 - enable inner window letterboxing (see 4504) (FF67+) - ** 1540726 - return "light" with prefers-color-scheme (FF67+) + ** 1540726 - return "light" with prefers-color-scheme (see 4616) (FF67+) [1] https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme ** 1564422 - spoof audioContext outputLatency (FF70+) ** 1595823 - spoof audioContext sampleRate (FF72+) @@ -1569,6 +1569,9 @@ user_pref("dom.w3c_pointer_events.enabled", false); // [SETUP-CHROME] Might affect CSS in themes and extensions // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876 user_pref("ui.use_standins_for_native_colors", true); +// 4616: enforce prefers-color-scheme as light [FF67+] + // 0=light, 1=dark : This overrides your OS value +user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] // * * * / // ***/ @@ -1617,7 +1620,6 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); // user_pref("browser.download.autohideButton", false); // [FF57+] // user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+] // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent - // user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] override OS: 0=light, 1=dark /* CONTENT BEHAVIOR ***/ // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type" // user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX] From e431b324c8433117c90e3e5d72eed258bc54d613 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 8 Jan 2020 02:53:25 +0000 Subject: [PATCH 019/657] FF72 deprecated --- user.js | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/user.js b/user.js index 17413cf..aaddac3 100644 --- a/user.js +++ b/user.js @@ -113,7 +113,6 @@ user_pref("browser.newtab.preload", false); /* 0105a: disable Activity Stream telemetry ***/ user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false); user_pref("browser.newtabpage.activity-stream.telemetry", false); -user_pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", ""); /* 0105b: disable Activity Stream Snippets * Runs code received from a server (aka Remote Code Execution) and sends information back to a metrics server * [1] https://abouthome-snippets-service.readthedocs.io/ ***/ @@ -238,7 +237,6 @@ user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // [FF55+] user_pref("toolkit.telemetry.updatePing.enabled", false); // [FF56+] user_pref("toolkit.telemetry.bhrPing.enabled", false); // [FF57+] Background Hang Reporter user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+] -user_pref("toolkit.telemetry.hybridContent.enabled", false); // [FF59+] /* 0331: disable Telemetry Coverage * [1] https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ ***/ user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF] @@ -1265,14 +1263,6 @@ user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+] * [WARNING] This will break a LOT of sites' functionality AND extensions! * You are better off using an extension for more granular control ***/ // user_pref("dom.storage.enabled", false); -/* 2720: enforce IndexedDB (IDB) as enabled - * IDB is required for extensions and Firefox internals (even before FF63 in [1]) - * To control *website* IDB data, control allowing cookies and service workers, or use - * Temporary Containers. To mitigate *website* IDB, FPI helps (4001), and/or sanitize - * on close (Offline Website Data, see 2800) or on-demand (Ctrl-Shift-Del), or automatically - * via an extension. Note that IDB currently cannot be sanitized by host. - * [1] https://blog.mozilla.org/addons/2018/08/03/new-backend-for-storage-local-api/ ***/ -user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true] /* 2730: disable offline cache ***/ user_pref("browser.cache.offline.enable", false); /* 2740: disable service worker cache and cache storage @@ -1677,6 +1667,23 @@ user_pref("devtools.webide.autoinstallADBExtension", false); // [FF64+] // [-] https://bugzilla.mozilla.org/1574480 user_pref("offline-apps.allow_by_default", false); // * * * / +// FF72 +// 0105a: disable Activity Stream telemetry + // [-] https://bugzilla.mozilla.org/1597697 +user_pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", ""); +// 0330: disable Hybdrid Content telemetry + // [-] https://bugzilla.mozilla.org/1520491 +user_pref("toolkit.telemetry.hybridContent.enabled", false); // [FF59+] +// 2720: enforce IndexedDB (IDB) as enabled + // IDB is required for extensions and Firefox internals (even before FF63 in [1]) + // To control *website* IDB data, control allowing cookies and service workers, or use + // Temporary Containers. To mitigate *website* IDB, FPI helps (4001), and/or sanitize + // on close (Offline Website Data, see 2800) or on-demand (Ctrl-Shift-Del), or automatically + // via an extension. Note that IDB currently cannot be sanitized by host. + // [1] https://blog.mozilla.org/addons/2018/08/03/new-backend-for-storage-local-api/ + // [-] https://bugzilla.mozilla.org/1488583 +user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true] +// * * * / // ***/ /* END: internal custom pref to test for syntax errors ***/ From e1022c2e72010c6d7b3db458c7b1c7e6f1193879 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 14 Jan 2020 17:38:22 +0000 Subject: [PATCH 020/657] 72-beta --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index aaddac3..a0421ca 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 19 December 2019 -* version 72-alpha +* date: 20 January 2020 +* version 72-beta * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From 5d2c5de11cb333f0e6332005858565bb8dfecb88 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 15 Jan 2020 02:53:07 +0000 Subject: [PATCH 021/657] fixup deprecated ESR-cycle version --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index a0421ca..b88fc78 100644 --- a/user.js +++ b/user.js @@ -1637,8 +1637,8 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED - Documentation denoted as [-]. Items deprecated prior to FF68 have been archived at [1], which - also provides a link-clickable, viewer-friendly version of the deprecated bugzilla tickets + Documentation denoted as [-]. Items deprecated in FF68 or earlier have been archived at [1], + which also provides a link-clickable, viewer-friendly version of the deprecated bugzilla tickets [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/123 ***/ user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); From 7619e312de497a53344f2532832482cc26cfb580 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 24 Jan 2020 16:48:16 +0000 Subject: [PATCH 022/657] 72 final --- user.js | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/user.js b/user.js index b88fc78..e8bdaa7 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 20 January 2020 -* version 72-beta +* date: 24 January 2020 +* version 72 * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt @@ -83,10 +83,10 @@ user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?"); /* 0000: disable about:config warning - * The XUL version can still be accessed in FF71+ @ chrome://global/content/config.xul - * and in FF73+ @ chrome://global/content/config.xhtml ***/ -user_pref("general.warnOnAboutConfig", false); // for the XUL version -user_pref("browser.aboutConfig.showWarning", false); // for the new HTML version [FF71+] + * FF71-72: chrome://global/content/config.xul + * FF73+: chrome://global/content/config.xhtml ***/ +user_pref("general.warnOnAboutConfig", false); // XUL/XHTML version +user_pref("browser.aboutConfig.showWarning", false); // HTML version [FF71+] /*** [SECTION 0100]: STARTUP ***/ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!"); @@ -358,7 +358,7 @@ user_pref("browser.ping-centre.telemetry", false); /* 0517: disable Form Autofill * [NOTE] Stored data is NOT secure (uses a JSON file) * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes - * [SETTING] Options>Privacy&Security>Forms and Autofill>Autofill addresses (FF73+) + * [SETTING] Options>Privacy & Security>Forms and Autofill>Autofill addresses (FF74+) * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill * [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ ***/ user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] From cd9fc110b0c23d0cc8be34ccbff1839fbd8ca0fa Mon Sep 17 00:00:00 2001 From: earthlng Date: Mon, 10 Feb 2020 16:47:17 +0000 Subject: [PATCH 023/657] v1.2 look for `lock` file instead of `webappsstore.sqlite-shm` to detect if firefox is running or not (with this profile) see https://github.com/ghacksuserjs/ghacks-user.js/pull/405#issuecomment-581447586 and follow-up comments. Thanks @atomGit for reporting the issue and @rusty-snake for confirming it. --- prefsCleaner.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/prefsCleaner.sh b/prefsCleaner.sh index 360c2ea..d8185cd 100644 --- a/prefsCleaner.sh +++ b/prefsCleaner.sh @@ -2,7 +2,7 @@ ## prefs.js cleaner for Linux/Mac ## author: @claustromaniac -## version: 1.1 +## version: 1.2 ## special thanks to @overdodactyl and @earthlng for a few snippets that I stol..*cough* borrowed from the updater.sh @@ -27,7 +27,7 @@ fQuit() { fFF_check() { # there are many ways to see if firefox is running or not, some more reliable than others # this isn't elegant and might not be future-proof but should at least be compatible with any environment - while [ -e webappsstore.sqlite-shm ]; do + while [ -e lock ]; do echo -e "\nThis Firefox profile seems to be in use. Close Firefox and try again.\n" read -p "Press any key to continue." done @@ -58,7 +58,7 @@ echo -e "\n\n" echo " ╔══════════════════════════╗" echo " ║ prefs.js cleaner ║" echo " ║ by claustromaniac ║" -echo " ║ v1.1 ║" +echo " ║ v1.2 ║" echo " ╚══════════════════════════╝" echo -e "\nThis script should be run from your Firefox profile directory.\n" echo "It will remove any entries from prefs.js that also exist in user.js." From 03f558b09caa59a4fd45c4edba10443ec3052ab8 Mon Sep 17 00:00:00 2001 From: earthlng Date: Mon, 10 Feb 2020 17:12:08 +0000 Subject: [PATCH 024/657] nit: 0517 SETTING we don't include `Options>` in [SETTING] lines --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index e8bdaa7..b3ee05f 100644 --- a/user.js +++ b/user.js @@ -358,7 +358,7 @@ user_pref("browser.ping-centre.telemetry", false); /* 0517: disable Form Autofill * [NOTE] Stored data is NOT secure (uses a JSON file) * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes - * [SETTING] Options>Privacy & Security>Forms and Autofill>Autofill addresses (FF74+) + * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses (FF74+) * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill * [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ ***/ user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] From 1ce1f7449462ff7509e08b9dc38613f87366c143 Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 12 Feb 2020 12:03:29 +0000 Subject: [PATCH 025/657] Update user.js --- user.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index b3ee05f..1289e37 100644 --- a/user.js +++ b/user.js @@ -1429,7 +1429,7 @@ user_pref("privacy.firstparty.isolate", true); FF65: pointerEvent.pointerid (1492766) ** 1485266 - disable exposure of system colors to CSS or canvas (see 4615) (FF67+) ** 1407366 - enable inner window letterboxing (see 4504) (FF67+) - ** 1540726 - return "light" with prefers-color-scheme (see 4616) (FF67+) + ** 1494034 - return "light" with prefers-color-scheme (see 4616) (FF67+) [1] https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme ** 1564422 - spoof audioContext outputLatency (FF70+) ** 1595823 - spoof audioContext sampleRate (FF72+) @@ -1555,12 +1555,12 @@ user_pref("dom.w3c_pointer_events.enabled", false); // * * * / // FF67+ // 4615: [2618] disable exposure of system colors to CSS or canvas [FF44+] - // [NOTE] See second listed bug: may cause black on black for elements with undefined colors - // [SETUP-CHROME] Might affect CSS in themes and extensions - // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876 + // [NOTE] See second listed bug: may cause black on black for elements with undefined colors + // [SETUP-CHROME] Might affect CSS in themes and extensions + // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876 user_pref("ui.use_standins_for_native_colors", true); // 4616: enforce prefers-color-scheme as light [FF67+] - // 0=light, 1=dark : This overrides your OS value + // 0=light, 1=dark : This overrides your OS value user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] // * * * / // ***/ From 5f3e3b2691d0348cbd9ab7f33172fe6d05657ca1 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 14 Feb 2020 01:00:02 +0000 Subject: [PATCH 026/657] VR default prompt, RFP info, start 73-alpha --- user.js | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/user.js b/user.js index 1289e37..57d89c9 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 24 January 2020 -* version 72 +* date: 14 February 2020 +* version 73-alpha * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt @@ -1080,10 +1080,6 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m * [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code. see [1] * [1] https://bugzilla.mozilla.org/1313580 ***/ // user_pref("dom.battery.enabled", false); -/* 2504: disable virtual reality devices - * Optional protection depending on your connected devices - * [1] https://developer.mozilla.org/docs/Web/API/WebVR_API ***/ - // user_pref("dom.vr.enabled", false); /* 2505: disable media device enumeration [FF29+] * [NOTE] media.peerconnection.enabled should also be set to false (see 2001) * [1] https://wiki.mozilla.org/Media/getUserMedia @@ -1104,6 +1100,15 @@ user_pref("dom.webaudio.enabled", false); * [1] https://github.com/WICG/media-capabilities * [2] https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/ // user_pref("media.media-capabilities.enabled", false); +/* 2520: disable virtual reality devices + * Optional protection depending on your connected devices + * [1] https://developer.mozilla.org/docs/Web/API/WebVR_API ***/ + // user_pref("dom.vr.enabled", false); +/* 2521: set a default permission for Virtual Reality (see 2520) [FF73+] + * 0=always ask (default), 1=allow, 2=block + * [SETTING] to add site exceptions: Page Info>Permissions>Access Virtual Reality Devices + * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings ***/ + // user_pref("permissions.default.xr", 0); /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); @@ -1433,6 +1438,7 @@ user_pref("privacy.firstparty.isolate", true); [1] https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme ** 1564422 - spoof audioContext outputLatency (FF70+) ** 1595823 - spoof audioContext sampleRate (FF72+) + ** 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] From 64f34f147179b5ade799149a55bde8626af3058b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 15 Feb 2020 12:55:59 +0000 Subject: [PATCH 027/657] 73-beta --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 57d89c9..455e791 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 14 February 2020 -* version 73-alpha +* date: 15 February 2020 +* version 73-beta * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From 1afd52de6ee2055956266319035eb11516688bbc Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 22 Feb 2020 13:56:30 +0000 Subject: [PATCH 028/657] 0306: minor tweak There is no "show more details about an addon" anymore since they moved to the new html/card layout --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 455e791..6b2cc2e 100644 --- a/user.js +++ b/user.js @@ -204,8 +204,8 @@ user_pref("app.update.auto", false); * [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/ // user_pref("extensions.update.autoUpdateDefault", false); /* 0306: disable extension metadata - * used when installing/updating an extension, and in daily background update checks: if false, it - * hides the expanded text description (if it exists) when you "show more details about an addon" ***/ + * used when installing/updating an extension, and in daily background update checks: + * when false, extension detail tabs will have no description ***/ // user_pref("extensions.getAddons.cache.enabled", false); /* 0308: disable search engine updates (e.g. OpenSearch) * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines From e67a0c868d0264b643a832c71b10743c7287e0e9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 25 Feb 2020 00:20:19 +0000 Subject: [PATCH 029/657] Update troubleshooting-help.md --- .github/ISSUE_TEMPLATE/troubleshooting-help.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/troubleshooting-help.md b/.github/ISSUE_TEMPLATE/troubleshooting-help.md index 02cc07a..8aedf4c 100644 --- a/.github/ISSUE_TEMPLATE/troubleshooting-help.md +++ b/.github/ISSUE_TEMPLATE/troubleshooting-help.md @@ -8,11 +8,11 @@ assignees: '' --- Before you proceed... - - Keep reading this. Seriously. - - Note that we do not support forks (i.e. IceCat, Pale Moon, WaterFox, etc). - - Make sure you searched for the `[Setup` tags in the `user.js`. + - Issues will be closed as invalid if you do not [Troubleshoot](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.4-Troubleshooting), including + - confirming the problem is caused by the `user.js` + - searching the `[Setup` tags in the `user.js` - Search the GitHub repository. The information you need is most likely here already. - - Check out our [troubleshooting](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.4-Troubleshooting) wiki page, including steps to see if the problem is caused by the `user.js` or an extension. + - Note: We do not support forks See also: - Extension breakage due to prefs [issue 391](https://github.com/ghacksuserjs/ghacks-user.js/issues/391) From a542701ba5b6c2341ef3028c4a28d8ea08a3f9ed Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 25 Feb 2020 00:21:42 +0000 Subject: [PATCH 030/657] Update troubleshooting-help.md --- .github/ISSUE_TEMPLATE/troubleshooting-help.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/troubleshooting-help.md b/.github/ISSUE_TEMPLATE/troubleshooting-help.md index 8aedf4c..4cf0a19 100644 --- a/.github/ISSUE_TEMPLATE/troubleshooting-help.md +++ b/.github/ISSUE_TEMPLATE/troubleshooting-help.md @@ -8,7 +8,7 @@ assignees: '' --- Before you proceed... - - Issues will be closed as invalid if you do not [Troubleshoot](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.4-Troubleshooting), including + - Issues will be closed as invalid if you do not [troubleshoot](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.4-Troubleshooting), including - confirming the problem is caused by the `user.js` - searching the `[Setup` tags in the `user.js` - Search the GitHub repository. The information you need is most likely here already. From 4139630635319861969568b816b7a9ff3e2028c1 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 12 Mar 2020 03:37:46 +0000 Subject: [PATCH 031/657] 73 final --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 6b2cc2e..5aa2c34 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 15 February 2020 -* version 73-beta +* date: 11 March 2020 +* version 73 * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From 615ebeda2f315e9f43e5825f80870e818d72ad8d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 12 Mar 2020 03:43:31 +0000 Subject: [PATCH 032/657] start 74-alpha --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 5aa2c34..d6010db 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js * date: 11 March 2020 -* version 73 +* version 74-alpha * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From 24777c9ac2013a17751919f090f9696a1a413456 Mon Sep 17 00:00:00 2001 From: earthlng Date: Thu, 12 Mar 2020 03:44:52 +0000 Subject: [PATCH 033/657] FF74: 0203 updates (#904) --- user.js | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index d6010db..f30e0b9 100644 --- a/user.js +++ b/user.js @@ -152,8 +152,8 @@ user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely decease // user_pref("permissions.default.geo", 2); /* 0203: use Mozilla geolocation service instead of Google when geolocation is enabled * Optionally enable logging to the console (defaults to false) ***/ -user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); - // user_pref("geo.wifi.logging.enabled", true); // [HIDDEN PREF] +user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); + // user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF] /* 0204: disable using the OS's geolocation service ***/ user_pref("geo.provider.ms-windows-location", false); // [WINDOWS] user_pref("geo.provider.use_corelocation", false); // [MAC] @@ -1690,6 +1690,13 @@ user_pref("toolkit.telemetry.hybridContent.enabled", false); // [FF59+] // [-] https://bugzilla.mozilla.org/1488583 user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true] // * * * / +// FF74 +// 0203: use Mozilla geolocation service instead of Google when geolocation is enabled + // Optionally enable logging to the console (defaults to false) + // [-] https://bugzilla.mozilla.org/1613627 +user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); + // user_pref("geo.wifi.logging.enabled", true); // [HIDDEN PREF] +// * * * / // ***/ /* END: internal custom pref to test for syntax errors ***/ From 4ddf60cf32dc1b22cd5061dc4471dbf635a3ad1d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 12 Mar 2020 03:56:13 +0000 Subject: [PATCH 034/657] 0203: make sure users know these are 74+ prefs --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index f30e0b9..1d5f666 100644 --- a/user.js +++ b/user.js @@ -150,7 +150,7 @@ user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely decease * [SETTING] to add site exceptions: Page Info>Permissions>Access Your Location * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings ***/ // user_pref("permissions.default.geo", 2); -/* 0203: use Mozilla geolocation service instead of Google when geolocation is enabled +/* 0203: use Mozilla geolocation service instead of Google when geolocation is enabled [FF74+] * Optionally enable logging to the console (defaults to false) ***/ user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); // user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF] From 6f7e09ad431966a78f8b78e57de7b024f3547e2c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 12 Mar 2020 05:23:57 +0000 Subject: [PATCH 035/657] 1704 deprecated, add 1703 --- user.js | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 1d5f666..9b855eb 100644 --- a/user.js +++ b/user.js @@ -867,10 +867,10 @@ user_pref("privacy.userContext.ui.enabled", true); /* 1702: enable Container Tabs [FF50+] * [SETTING] General>Tabs>Enable Container Tabs ***/ user_pref("privacy.userContext.enabled", true); -/* 1704: set behaviour on "+ Tab" button to display container menu [FF53+] [SETUP-CHROME] - * 0=no menu (default), 1=show when clicked, 2=show on long press - * [1] https://bugzilla.mozilla.org/1328756 ***/ -user_pref("privacy.userContext.longPressBehavior", 2); +/* 1703: set behaviour on "+ Tab" button to display container menu on left click [FF74+] + * [NOTE] The menu is always shown on long press and right click + * [SETTING] General>Tabs>Enable Container Tabs>Settings>Select a container for each new tab ***/ + // user_pref("privacy.userContext.newTabContainerOnLeftClick.enabled", true); /*** [SECTION 1800]: PLUGINS ***/ user_pref("_user.js.parrot", "1800 syntax error: the parrot's pushing up daisies!"); @@ -1696,6 +1696,11 @@ user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true] // [-] https://bugzilla.mozilla.org/1613627 user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); // user_pref("geo.wifi.logging.enabled", true); // [HIDDEN PREF] +// 1704: set behaviour on "+ Tab" button to display container menu [FF53+] [SETUP-CHROME] + // 0=no menu (default), 1=show when clicked, 2=show on long press + // [1] https://bugzilla.mozilla.org/1328756 + // [-] https://bugzilla.mozilla.org/1606265 +user_pref("privacy.userContext.longPressBehavior", 2); // * * * / // ***/ From b6e2a3f64f030fa3586984f294931d3d0334cfbd Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 12 Mar 2020 14:44:14 +0000 Subject: [PATCH 036/657] one of the 2012 webgl prefs deprecated --- user.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 9b855eb..e6c5df8 100644 --- a/user.js +++ b/user.js @@ -918,7 +918,6 @@ user_pref("webgl.disabled", true); user_pref("webgl.enable-webgl2", false); /* 2012: limit WebGL ***/ user_pref("webgl.min_capability_mode", true); -user_pref("webgl.disable-extensions", true); user_pref("webgl.disable-fail-if-major-performance-caveat", true); /* 2022: disable screensharing ***/ user_pref("media.getusermedia.screensharing.enabled", false); @@ -1701,6 +1700,9 @@ user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?ke // [1] https://bugzilla.mozilla.org/1328756 // [-] https://bugzilla.mozilla.org/1606265 user_pref("privacy.userContext.longPressBehavior", 2); +// 2012: limit WebGL + // [-] https://bugzilla.mozilla.org/1477756 +user_pref("webgl.disable-extensions", true); // * * * / // ***/ From 187692af660838c3650c96d0f7f57a4e5cc84ec7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Mar 2020 11:36:03 +0000 Subject: [PATCH 037/657] enforce disabled system + prefixed colors --- user.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/user.js b/user.js index e6c5df8..e6a1cb7 100644 --- a/user.js +++ b/user.js @@ -1186,6 +1186,9 @@ user_pref("pdfjs.disabled", false); // [DEFAULT: false] /* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] * [1] https://www.ghacks.net/2016/03/25/block-firefox-chrome-windows-store/ ***/ user_pref("network.protocol-handler.external.ms-windows-store", false); +/* 2622: enforce no system colors; they can be fingerprinted + * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ +user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] /** DOWNLOADS ***/ /* 2650: discourage downloading to desktop From fe1b03bd2aafd6f9193d5ef2068192c3fcc9e01b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 27 Mar 2020 12:36:16 +0000 Subject: [PATCH 038/657] tls downgrades -> session only --- user.js | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index e6a1cb7..e9c6f8a 100644 --- a/user.js +++ b/user.js @@ -658,7 +658,9 @@ user_pref("security.ssl.require_safe_negotiation", true); * [1] https://www.ssllabs.com/ssl-pulse/ ***/ // user_pref("security.tls.version.min", 3); // user_pref("security.tls.version.max", 4); -/* 1203: disable SSL session tracking [FF36+] +/* 1203: enforce TLS 1.0 and 1.1 downgrades as session only */ +user_pref("security.tls.version.enable-deprecated", false); +/* 1204: disable SSL session tracking [FF36+] * SSL Session IDs are unique, last up to 24hrs in Firefox, and can be used for tracking * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the * consequences. FPI isolates these, but it was designed with the Tor protocol in mind, @@ -667,12 +669,12 @@ user_pref("security.ssl.require_safe_negotiation", true); * [2] https://bugzilla.mozilla.org/967977 * [3] https://arxiv.org/abs/1810.07304 ***/ user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF] -/* 1204: disable SSL Error Reporting +/* 1205: disable SSL Error Reporting * [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html ***/ user_pref("security.ssl.errorReporting.automatic", false); user_pref("security.ssl.errorReporting.enabled", false); user_pref("security.ssl.errorReporting.url", ""); -/* 1205: disable TLS1.3 0-RTT (round-trip time) [FF51+] +/* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+] * [1] https://github.com/tlswg/tls13-spec/issues/1001 * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ user_pref("security.tls.enable_0rtt_data", false); From ee35d7c70df0ee3423012dbd365e3430e7023b4a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 27 Mar 2020 12:44:06 +0000 Subject: [PATCH 039/657] 2421: ion/jit and extensions note --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index e9c6f8a..426ad8d 100644 --- a/user.js +++ b/user.js @@ -1055,6 +1055,7 @@ user_pref("dom.vibrator.enabled", false); * [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ user_pref("javascript.options.asmjs", false); /* 2421: disable Ion and baseline JIT to help harden JS against exploits + * [NOTE] In FF75+ these no longer affect extensions (1599226) * [WARNING] If false, causes the odd site issue and there is also a performance loss * [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/ // user_pref("javascript.options.ion", false); From f0945743b7ac4ca1d04fffbe62b33270ea7b85f5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 27 Mar 2020 16:20:41 +0000 Subject: [PATCH 040/657] 2662: clarify 4503 needed, #912 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 426ad8d..d800bbd 100644 --- a/user.js +++ b/user.js @@ -1221,7 +1221,7 @@ user_pref("browser.download.hide_plugins_without_extensions", false); * [1] archived: https://archive.is/DYjAM ***/ user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF] user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15] -/* 2662: disable webextension restrictions on certain mozilla domains (also see 4503) [FF60+] +/* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ // user_pref("extensions.webextensions.restrictedDomains", ""); From 55ae994972c6b27fb40b121b07aeed6c2e781e4d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 28 Mar 2020 13:18:34 +0000 Subject: [PATCH 041/657] 2421 fixup Ion/Jit note --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index d800bbd..1131884 100644 --- a/user.js +++ b/user.js @@ -1055,7 +1055,7 @@ user_pref("dom.vibrator.enabled", false); * [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ user_pref("javascript.options.asmjs", false); /* 2421: disable Ion and baseline JIT to help harden JS against exploits - * [NOTE] In FF75+ these no longer affect extensions (1599226) + * [NOTE] Disabling JIT also disables Ion. In FF75+ disabling Ion no longer affects extensions (1599226) * [WARNING] If false, causes the odd site issue and there is also a performance loss * [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/ // user_pref("javascript.options.ion", false); From e7d20867cb50c0f934bc3883ce60e16ec69a82ef Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 6 Apr 2020 00:39:52 +0000 Subject: [PATCH 042/657] 2623 delegation 2421 ion/jit tweak --- user.js | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 1131884..4bf0cb3 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 11 March 2020 -* version 74-alpha +* date: 05 April 2020 +* version 74-beta * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt @@ -1055,8 +1055,7 @@ user_pref("dom.vibrator.enabled", false); * [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ user_pref("javascript.options.asmjs", false); /* 2421: disable Ion and baseline JIT to help harden JS against exploits - * [NOTE] Disabling JIT also disables Ion. In FF75+ disabling Ion no longer affects extensions (1599226) - * [WARNING] If false, causes the odd site issue and there is also a performance loss + * [WARNING] Disabling Ion/JIT can cause some site issues and performance loss * [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/ // user_pref("javascript.options.ion", false); // user_pref("javascript.options.baselinejit", false); @@ -1192,6 +1191,12 @@ user_pref("network.protocol-handler.external.ms-windows-store", false); /* 2622: enforce no system colors; they can be fingerprinted * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] +/* 2623: disable permissions delegation [FF73+] + * Currently applies to cross-origin geolocation, camera, mic and screen-sharing + * permissions, and fullscreen requests. Disabling delegation means any prompts + * for these will show/use their correct 3rd party origin + * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion */ +user_pref("permissions.delegation.enabled", false); /** DOWNLOADS ***/ /* 2650: discourage downloading to desktop From 94c83519f2230ffca2387b7a27e2f938f0902f95 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 8 Apr 2020 07:08:36 +0000 Subject: [PATCH 043/657] 74 final --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 4bf0cb3..024eda2 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 05 April 2020 -* version 74-beta +* date: 07 April 2020 +* version 74 * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From 7e71b6663c9a4e24a6d42ccdeb72a9f33c5980db Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 8 Apr 2020 07:12:14 +0000 Subject: [PATCH 044/657] 75-alpha, add 105e, closes #922 --- user.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 024eda2..8f0c031 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js * date: 07 April 2020 -* version 74 +* version 75-alpha * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt @@ -125,6 +125,9 @@ user_pref("browser.newtabpage.activity-stream.showSponsored", false); user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); // [FF66+] /* 0105d: disable Activity Stream recent Highlights in the Library [FF57+] ***/ // user_pref("browser.library.activity-stream.enabled", false); +/* 0105e: disable Activity Stream Top Sites + * The new "megabar" in FF75+ suggests top sites even if you don't use AS */ +user_pref("browser.newtabpage.activity-stream.feeds.topsites", false); /* 0110: start Firefox in PB (Private Browsing) mode * [NOTE] In this mode *all* windows are "private windows" and the PB mode icon is not displayed * [WARNING] The P in PB mode is misleading: it means no "persistent" disk storage such as history, From d2da48c215a7ee06ce97f10aab0a894afb4c427a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 8 Apr 2020 08:01:07 +0000 Subject: [PATCH 045/657] revert top sites, see #922 --- user.js | 3 --- 1 file changed, 3 deletions(-) diff --git a/user.js b/user.js index 8f0c031..23a015c 100644 --- a/user.js +++ b/user.js @@ -125,9 +125,6 @@ user_pref("browser.newtabpage.activity-stream.showSponsored", false); user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); // [FF66+] /* 0105d: disable Activity Stream recent Highlights in the Library [FF57+] ***/ // user_pref("browser.library.activity-stream.enabled", false); -/* 0105e: disable Activity Stream Top Sites - * The new "megabar" in FF75+ suggests top sites even if you don't use AS */ -user_pref("browser.newtabpage.activity-stream.feeds.topsites", false); /* 0110: start Firefox in PB (Private Browsing) mode * [NOTE] In this mode *all* windows are "private windows" and the PB mode icon is not displayed * [WARNING] The P in PB mode is misleading: it means no "persistent" disk storage such as history, From 8c7149c6a5762b75e14d38c6c36558be26a4ae69 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Apr 2020 06:07:13 +0000 Subject: [PATCH 046/657] 2421: Ion/JIT trusted principals, closes #914 --- user.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 23a015c..38b232d 100644 --- a/user.js +++ b/user.js @@ -1054,11 +1054,14 @@ user_pref("dom.vibrator.enabled", false); * [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400 * [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ user_pref("javascript.options.asmjs", false); -/* 2421: disable Ion and baseline JIT to help harden JS against exploits +/* 2421: disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN] + * [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new pref + * hidden pref is enabled, then Ion can still be used by extensions (1599226) * [WARNING] Disabling Ion/JIT can cause some site issues and performance loss * [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/ // user_pref("javascript.options.ion", false); // user_pref("javascript.options.baselinejit", false); + // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF] /* 2422: disable WebAssembly [FF52+] [SETUP-PERF] * [NOTE] In FF71+ this no longer affects extensions (1576254) * [1] https://developer.mozilla.org/docs/WebAssembly ***/ From d2dd0c2ab4d0671312c70b278d84265ea6b85bcc Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 11 Apr 2020 02:51:17 +0000 Subject: [PATCH 047/657] tls stats update - Go to https://telemetry.mozilla.org/ - click `measurement dashboard` - select `SSL_HANDSHAKE_VERSION` I looked at Nightly 75 (0.26 and 0.01) and Nightly 76 (0.2 and 0) --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 38b232d..06edde9 100644 --- a/user.js +++ b/user.js @@ -654,7 +654,7 @@ user_pref("security.ssl.require_safe_negotiation", true); /* 1202: control TLS versions with min and max * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint. - * Firefox telemetry (April 2019) shows only 0.5% of TLS web traffic uses 1.0 or 1.1 + * Firefox telemetry (April 2020) shows only 0.25% of TLS web traffic uses 1.0 or 1.1 * [1] https://www.ssllabs.com/ssl-pulse/ ***/ // user_pref("security.tls.version.min", 3); // user_pref("security.tls.version.max", 4); From 97c5378e52fe29f98317f671f8fd95aee6fddd63 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 12 Apr 2020 16:23:48 +0000 Subject: [PATCH 048/657] 1007: *forceMediaMemoryCache PB mode --- user.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 06edde9..2ee8e11 100644 --- a/user.js +++ b/user.js @@ -396,7 +396,7 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost /* 0701: disable IPv6 * IPv6 can be abused, especially regarding MAC addresses. They also do not play nice * with VPNs. That's even assuming your ISP and/or router and/or website can handle it. - * Firefox telemetry (April 2019) shows only 5% of all connections are IPv6. + * Firefox telemetry (April 2019) shows only 5% of all connections are IPv6 * [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, * then this won't make much difference. If you are masking your IP, then it can only help. @@ -596,6 +596,9 @@ user_pref("browser.cache.disk.enable", false); * [NOTE] This means any permission changes are session only * [1] https://bugzilla.mozilla.org/967812 ***/ // user_pref("permissions.memory_only", true); // [HIDDEN PREF] +/* 1007: disable media cache from writing to disk in Private Browsing Mode [FF75+] + * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB Mode */ + //user_pref("browser.privatebrowsing.forceMediaMemoryCache", false); /** SESSIONS & SESSION RESTORE ***/ /* 1020: exclude "Undo Closed Tabs" in Session Restore ***/ From deae6e14f989710ebdfddafa21e2406efb79795b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 12 Apr 2020 16:38:12 +0000 Subject: [PATCH 049/657] 75 deprecated --- user.js | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 2ee8e11..605ec27 100644 --- a/user.js +++ b/user.js @@ -158,12 +158,11 @@ user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/ user_pref("geo.provider.ms-windows-location", false); // [WINDOWS] user_pref("geo.provider.use_corelocation", false); // [MAC] user_pref("geo.provider.use_gpsd", false); // [LINUX] -/* 0205: disable GeoIP-based search results +/* 0205: disable GeoIP-based search defaults * [NOTE] May not be hidden if Firefox has changed your settings due to your locale * [1] https://trac.torproject.org/projects/tor/ticket/16254 * [2] https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine ***/ user_pref("browser.search.region", "US"); // [HIDDEN PREF] -user_pref("browser.search.geoip.url", ""); /* 0206: disable geographically specific results/search engines e.g. "browser.search.*.US" * i.e. ignore all of Mozilla's various search engines in multiple locales ***/ user_pref("browser.search.geoSpecificDefaults", false); @@ -1721,6 +1720,11 @@ user_pref("privacy.userContext.longPressBehavior", 2); // [-] https://bugzilla.mozilla.org/1477756 user_pref("webgl.disable-extensions", true); // * * * / +// FF75 +// 0205: disable GeoIP-based search defaults URL + // [-] https://bugzilla.mozilla.org/1589618 +user_pref("browser.search.geoip.url", ""); +// * * * / // ***/ /* END: internal custom pref to test for syntax errors ***/ From b695468c7e0e39a614aebf47c5e4c0ad78749766 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 12 Apr 2020 18:07:12 +0000 Subject: [PATCH 050/657] remove 0205 --- user.js | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/user.js b/user.js index 605ec27..af3dd1c 100644 --- a/user.js +++ b/user.js @@ -7,7 +7,7 @@ * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt * releases: These are end-of-stable-life-cycle legacy archives. - *Always* use the master branch user.js for a current up-to-date version. + *Always* use the master branch user.js for a current up-to-date version url: https://github.com/ghacksuserjs/ghacks-user.js/releases * README: @@ -158,11 +158,6 @@ user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/ user_pref("geo.provider.ms-windows-location", false); // [WINDOWS] user_pref("geo.provider.use_corelocation", false); // [MAC] user_pref("geo.provider.use_gpsd", false); // [LINUX] -/* 0205: disable GeoIP-based search defaults - * [NOTE] May not be hidden if Firefox has changed your settings due to your locale - * [1] https://trac.torproject.org/projects/tor/ticket/16254 - * [2] https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine ***/ -user_pref("browser.search.region", "US"); // [HIDDEN PREF] /* 0206: disable geographically specific results/search engines e.g. "browser.search.*.US" * i.e. ignore all of Mozilla's various search engines in multiple locales ***/ user_pref("browser.search.geoSpecificDefaults", false); @@ -1720,11 +1715,6 @@ user_pref("privacy.userContext.longPressBehavior", 2); // [-] https://bugzilla.mozilla.org/1477756 user_pref("webgl.disable-extensions", true); // * * * / -// FF75 -// 0205: disable GeoIP-based search defaults URL - // [-] https://bugzilla.mozilla.org/1589618 -user_pref("browser.search.geoip.url", ""); -// * * * / // ***/ /* END: internal custom pref to test for syntax errors ***/ From ba83c555cc78bb60f40c0d7b20cc643d02c26c62 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 12 Apr 2020 18:10:34 +0000 Subject: [PATCH 051/657] geo default search engines browser.search.geoip.url is deprecated in 75, the prefs are only used on first run, and we don't mess with search engines as that is a user choice --- scratchpad-scripts/ghacks-clear-[removed].js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/ghacks-clear-[removed].js b/scratchpad-scripts/ghacks-clear-[removed].js index ab22f90..fbde545 100644 --- a/scratchpad-scripts/ghacks-clear-[removed].js +++ b/scratchpad-scripts/ghacks-clear-[removed].js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the ghacks user.js. - Last updated: 19-December-2019 + Last updated: 12-April-2020 For instructions see: https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -218,6 +218,9 @@ /* 71-beta */ 'media.block-autoplay-until-in-foreground', 'middlemouse.paste', + /* 75-beta */ + 'browser.search.geoip.url', + 'browser.search.region', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] From 394b6915995383968e12d923f0b4d63c0ff6b4e9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 13 Apr 2020 04:55:10 +0000 Subject: [PATCH 052/657] 2421: grammar fix --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index af3dd1c..9725a5e 100644 --- a/user.js +++ b/user.js @@ -1052,7 +1052,7 @@ user_pref("dom.vibrator.enabled", false); * [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ user_pref("javascript.options.asmjs", false); /* 2421: disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN] - * [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new pref + * [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new * hidden pref is enabled, then Ion can still be used by extensions (1599226) * [WARNING] Disabling Ion/JIT can cause some site issues and performance loss * [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/ From d7c276b3fe6fec1ea6f7b33333e1142b812687d7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 13 Apr 2020 06:17:54 +0000 Subject: [PATCH 053/657] 2402: clipboardevents -> inactive, #887 --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 9725a5e..ee57bcc 100644 --- a/user.js +++ b/user.js @@ -1024,14 +1024,14 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket! /* 2401: disable website control over browser right-click context menu * [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/ // user_pref("dom.event.contextmenu.enabled", false); -/* 2402: disable website access to clipboard events/content - * [SETUP-WEB] This will break some sites functionality such as pasting into facebook, wordpress +/* 2402: disable website access to clipboard events/content [SETUP-HARDEN] + * [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress * This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website * [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one * is default false) then enabling this pref can leak clipboard content, see [2] * [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/ * [2] https://bugzilla.mozilla.org/1528289 */ -user_pref("dom.event.clipboardevents.enabled", false); + // user_pref("dom.event.clipboardevents.enabled", false); /* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] * this disables document.execCommand("cut"/"copy") to protect your clipboard * [1] https://bugzilla.mozilla.org/1170911 ***/ From dd162d9f489686d821d4a53377e15d7fab16dd15 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 14 Apr 2020 00:16:03 +0000 Subject: [PATCH 054/657] 1007 fixups --- user.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index ee57bcc..fa3ad93 100644 --- a/user.js +++ b/user.js @@ -590,9 +590,10 @@ user_pref("browser.cache.disk.enable", false); * [NOTE] This means any permission changes are session only * [1] https://bugzilla.mozilla.org/967812 ***/ // user_pref("permissions.memory_only", true); // [HIDDEN PREF] -/* 1007: disable media cache from writing to disk in Private Browsing Mode [FF75+] - * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB Mode */ - //user_pref("browser.privatebrowsing.forceMediaMemoryCache", false); +/* 1007: disable media cache from writing to disk in Private Browsing [FF75+] + * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB */ +user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); +user_pref("media.memory_cache_max_size", 16384); /** SESSIONS & SESSION RESTORE ***/ /* 1020: exclude "Undo Closed Tabs" in Session Restore ***/ From b90e72370c5fca05e13f91bef873fcb4b3104d05 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 14 Apr 2020 00:28:00 +0000 Subject: [PATCH 055/657] 1007 fixup what FF75+ applies to --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index fa3ad93..e9ed7f5 100644 --- a/user.js +++ b/user.js @@ -590,9 +590,9 @@ user_pref("browser.cache.disk.enable", false); * [NOTE] This means any permission changes are session only * [1] https://bugzilla.mozilla.org/967812 ***/ // user_pref("permissions.memory_only", true); // [HIDDEN PREF] -/* 1007: disable media cache from writing to disk in Private Browsing [FF75+] +/* 1007: disable media cache from writing to disk in Private Browsing * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB */ -user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); +user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+] user_pref("media.memory_cache_max_size", 16384); /** SESSIONS & SESSION RESTORE ***/ From d455c500a6c74058b3eb71d8349586d2e1de0072 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 15 Apr 2020 14:44:14 +0000 Subject: [PATCH 056/657] 75-beta --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index e9ed7f5..4bbad65 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 07 April 2020 -* version 75-alpha +* date: 15 April 2020 +* version 75-beta * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From dff5bb478a830ac186a2318ac3d09dc7ae6919a7 Mon Sep 17 00:00:00 2001 From: W Date: Thu, 16 Apr 2020 04:04:13 +0000 Subject: [PATCH 057/657] 0211: add possible breakage for CJK input methods --- user.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 4bbad65..a7c2ec8 100644 --- a/user.js +++ b/user.js @@ -168,7 +168,9 @@ user_pref("browser.search.geoSpecificDefaults.url", ""); * [TEST] https://addons.mozilla.org/about ***/ user_pref("intl.accept_languages", "en-US, en"); /* 0211: enforce US English locale regardless of the system locale - * [1] https://bugzilla.mozilla.org/867501 ***/ + * [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages, see [2] + * [1] https://bugzilla.mozilla.org/867501 + * [2] https://bugzilla.mozilla.org/1629630 ***/ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] /* 0212: enforce fallback text encoding to match en-US * When the content or server doesn't declare a charset the browser will From 3366e0aa162006aa7343f92c87b38c5c52c9bd11 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Apr 2020 08:52:48 +0000 Subject: [PATCH 058/657] 75 final --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index a7c2ec8..a101af0 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 15 April 2020 -* version 75-beta +* date: 23 April 2020 +* version 75 * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From bd384622db70eaf6893d32a0c1c4b99d5516fa5b Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 29 Apr 2020 12:00:10 +0000 Subject: [PATCH 059/657] Update troubleshooter.js (#935) extensions.blocklist.pingCountTotal is not used anymore in FF76+ --- scratchpad-scripts/troubleshooter.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scratchpad-scripts/troubleshooter.js b/scratchpad-scripts/troubleshooter.js index 1cce763..61488f0 100644 --- a/scratchpad-scripts/troubleshooter.js +++ b/scratchpad-scripts/troubleshooter.js @@ -1,5 +1,5 @@ -/*** ghacks-user.js troubleshooter.js v1.6.0 ***/ +/*** ghacks-user.js troubleshooter.js v1.6.1 ***/ (function() { @@ -107,7 +107,7 @@ ] // any runtime-set pref that everyone will have and that can be safely reset - const oFILLER = { type: 64, name: 'extensions.blocklist.pingCountTotal', value: -1 }; + const oFILLER = { type: 64, name: 'app.update.lastUpdateTime.browser-cleanup-thumbnails', value: 1580000000 }; function getMyList(arr) { const aRet = []; From 0ea1605642e67db9f930cb79680a3b1b78a74b62 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 30 Apr 2020 18:52:27 +0000 Subject: [PATCH 060/657] start 76-alpha, 2605 default --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index a101af0..7419fe0 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 23 April 2020 -* version 75 +* date: 30 April 2020 +* version 76-alpha * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt @@ -1132,7 +1132,7 @@ user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF] /* 2605: block web content in file processes [FF55+] * [SETUP-WEB] You may want to disable this for corporate or developer environments * [1] https://bugzilla.mozilla.org/1343184 ***/ -user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false); +user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false); // [DEFAULT: false FF76+] /* 2606: disable UITour backend so there is no chance that a remote page can use it ***/ user_pref("browser.uitour.enabled", false); user_pref("browser.uitour.url", ""); From c0780df24d9798462daf3380d47d0c5c5e6bbf83 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 30 Apr 2020 21:50:50 +0000 Subject: [PATCH 061/657] 1401: PDF breakage, closes #937 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 7419fe0..3068a21 100644 --- a/user.js +++ b/user.js @@ -779,7 +779,7 @@ user_pref("security.insecure_connection_text.enabled", true); // [FF60+] user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); /* 1401: disable websites choosing fonts (0=block, 1=allow) * This can limit most (but not all) JS font enumeration which is a high entropy fingerprinting vector - * [SETUP-WEB] Disabling fonts can uglify the web a fair bit. + * [SETUP-WEB] Can break some PDFs (missing text). Limiting to default fonts can "uglify" the web * [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Allow pages to choose... ***/ user_pref("browser.display.use_document_fonts", 0); /* 1403: disable icon fonts (glyphs) and local fallback rendering From 14aaec71fb192eaab78365d54b0b76a2d5845860 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 4 May 2020 07:34:23 +0000 Subject: [PATCH 062/657] 76 deprecated --- user.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 3068a21..a46e1da 100644 --- a/user.js +++ b/user.js @@ -272,12 +272,11 @@ user_pref("network.connectivity-service.enabled", false); /*** [SECTION 0400]: BLOCKLISTS / SAFE BROWSING (SB) ***/ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!"); /** BLOCKLISTS ***/ -/* 0401: enforce Firefox blocklist, but sanitize blocklist url +/* 0401: enforce Firefox blocklist * [NOTE] It includes updates for "revoked certificates" * [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ * [2] https://trac.torproject.org/projects/tor/ticket/16931 ***/ user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true] -user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/"); /** SAFE BROWSING (SB) Safe Browsing has taken many steps to preserve privacy. *IF* required, a full url is never @@ -1718,6 +1717,10 @@ user_pref("privacy.userContext.longPressBehavior", 2); // [-] https://bugzilla.mozilla.org/1477756 user_pref("webgl.disable-extensions", true); // * * * / +// FF76 +// 0401: sanitize blocklist url +user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/"); +// * * * / // ***/ /* END: internal custom pref to test for syntax errors ***/ From e38e253c25ebee28d4ecaa96d2f5cd68e3d86e1d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 4 May 2020 10:49:07 +0000 Subject: [PATCH 063/657] oophs, forgot deprecation source --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index a46e1da..4785166 100644 --- a/user.js +++ b/user.js @@ -1719,6 +1719,7 @@ user_pref("webgl.disable-extensions", true); // * * * / // FF76 // 0401: sanitize blocklist url + // [-] https://bugzilla.mozilla.org/1618188 user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/"); // * * * / // ***/ From 919d4bfe961c6fa798c78472835eb1a839149cee Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 4 May 2020 10:52:25 +0000 Subject: [PATCH 064/657] godamnit, also move related reference --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 4785166..fcc75b3 100644 --- a/user.js +++ b/user.js @@ -274,8 +274,7 @@ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!"); /** BLOCKLISTS ***/ /* 0401: enforce Firefox blocklist * [NOTE] It includes updates for "revoked certificates" - * [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ - * [2] https://trac.torproject.org/projects/tor/ticket/16931 ***/ + * [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ ***/ user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true] /** SAFE BROWSING (SB) @@ -1719,6 +1718,7 @@ user_pref("webgl.disable-extensions", true); // * * * / // FF76 // 0401: sanitize blocklist url + // [2] https://trac.torproject.org/projects/tor/ticket/16931 // [-] https://bugzilla.mozilla.org/1618188 user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/"); // * * * / From 07117c65c19f5d02af77cc578927481c72e958f5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 7 May 2020 05:13:19 +0000 Subject: [PATCH 065/657] RFP spoofs FF78+ --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index fcc75b3..d0f7767 100644 --- a/user.js +++ b/user.js @@ -1413,7 +1413,8 @@ user_pref("privacy.firstparty.isolate", true); FF57: The version number will match current ESR (1393283, 1418672, 1418162, 1511763) FF59: The OS will be reported as Windows, OSX, Android, or Linux (to reduce breakage) (1404608) FF66: The OS in HTTP Headers will be reduced to Windows or Android (1509829) - FF68: Reported OS versions updated to Windows 10, OS 10.14, and Adnroid 8.1 (1511434) + FF68: Reported OS versions updated to Windows 10, OS 10.14, and Android 8.1 (1511434) + FF78: Reported OS versions updated to OS 10.15 and Android 9.0 (1635011) ** 1369319 - disable device sensor API (see 4604) (FF56+) ** 1369357 - disable site specific zoom (see 4605) (FF56+) ** 1337161 - hide gamepads from content (see 4606) (FF56+) From 27d72eda9eed2c065cc6397e4e9b03c86ffa6424 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 7 May 2020 06:20:10 +0000 Subject: [PATCH 066/657] 1244: https-only-mode --- user.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/user.js b/user.js index d0f7767..eb4735f 100644 --- a/user.js +++ b/user.js @@ -736,6 +736,10 @@ user_pref("security.mixed_content.block_display_content", true); /* 1243: block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks [FF59+] * [1] https://bugzilla.mozilla.org/1190623 ***/ user_pref("security.mixed_content.block_object_subrequest", true); +/* 1244: enable https-only-mode [FF76+] + * [NOTE] This is experimental + * [1] https://bugzilla.mozilla.org/1613063 */ + // user_pref("dom.security.https_only_mode", true); /** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] ***/ /* 1261: disable 3DES (effective key size < 128) From bb1e5bfd54c5281f372e596712b91c8444c1c785 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 7 May 2020 14:56:49 +0000 Subject: [PATCH 067/657] 76-beta --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index eb4735f..c953fa6 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 30 April 2020 -* version 76-alpha +* date: 7 May 2020 +* version 76-beta * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From 4bc5b89cfe6f599747ba50160fc4aa3bded421d1 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 15 May 2020 23:18:11 +0000 Subject: [PATCH 068/657] 4500: RFP changes 78+ re canvas --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index c953fa6..8050498 100644 --- a/user.js +++ b/user.js @@ -1432,7 +1432,7 @@ user_pref("privacy.firstparty.isolate", true); ** 1354633 - limit MediaError.message to a whitelist (FF57+) ** 1382533 - enable fingerprinting resistance for Presentation API (FF57+) This blocks exposure of local IP Addresses via mDNS (Multicast DNS) - ** 967895 - enable site permission prompt before allowing canvas data extraction (FF58+) + ** 967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction (FF58+) FF59: Added to site permissions panel (1413780) Only prompt when triggered by user input (1376865) ** 1372073 - spoof/block fingerprinting in MediaDevices API (FF59+) Spoof: enumerate devices reports one "Internal Camera" and one "Internal Microphone" if @@ -1455,6 +1455,7 @@ user_pref("privacy.firstparty.isolate", true); ** 1564422 - spoof audioContext outputLatency (FF70+) ** 1595823 - spoof audioContext sampleRate (FF72+) ** 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) + ** 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] From ff9bf76e5255b70265a1457252e4486f4e3c53f5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 24 May 2020 18:09:46 +0000 Subject: [PATCH 069/657] 76 final, save some bytes in RFP section --- user.js | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/user.js b/user.js index 8050498..367cd22 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 7 May 2020 -* version 76-beta +* date: 24 May 2020 +* version 76 * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt @@ -1412,13 +1412,13 @@ user_pref("privacy.firstparty.isolate", true); This spoof *shouldn't* affect core chrome/Firefox performance ** 1217238 - reduce precision of time exposed by javascript (FF55+) ** 1369303 - spoof/disable performance API (see 2410-deprecated, 4602, 4603) (FF56+) - ** 1333651 & 1383495 & 1396468 - spoof Navigator API (see section 4700) (FF56+) - FF56: The version number will be rounded down to the nearest multiple of 10 - FF57: The version number will match current ESR (1393283, 1418672, 1418162, 1511763) - FF59: The OS will be reported as Windows, OSX, Android, or Linux (to reduce breakage) (1404608) - FF66: The OS in HTTP Headers will be reduced to Windows or Android (1509829) - FF68: Reported OS versions updated to Windows 10, OS 10.14, and Android 8.1 (1511434) - FF78: Reported OS versions updated to OS 10.15 and Android 9.0 (1635011) + ** 1333651 & 1383495 & 1396468 - spoof User Agent & Navigator API (see section 4700) (FF56+) + FF56: Version: rounded down to the nearest multiple of 10 + FF57: Version: match current ESR (1393283, 1418672, 1418162, 1511763) + FF59: OS: Windows, OSX, Android, or Linux (to reduce breakage) (1404608) + FF66: OS: HTTP Headers reduced to Windows or Android (1509829) + FF68: OS: updated to Windows 10, OS 10.14, and Android 8.1 (1511434) + FF78: OS: updated to OS 10.15 and Android 9.0 (1635011) ** 1369319 - disable device sensor API (see 4604) (FF56+) ** 1369357 - disable site specific zoom (see 4605) (FF56+) ** 1337161 - hide gamepads from content (see 4606) (FF56+) From 868882ae3321c66bf979e455b0ab4731bdb22f71 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 24 May 2020 18:11:55 +0000 Subject: [PATCH 070/657] start 77-alpha --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 367cd22..d35ef0d 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js * date: 24 May 2020 -* version 76 +* version 77-alpha * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From 3edc48da56ad77c156f108a4889834d033ddc38f Mon Sep 17 00:00:00 2001 From: Matt Loberg Date: Tue, 26 May 2020 06:54:55 -0500 Subject: [PATCH 071/657] fix updater.sh when dealing with multiple overrides (#947) thanks @mloberg ! --- updater.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/updater.sh b/updater.sh index 226a492..5c06a9c 100755 --- a/updater.sh +++ b/updater.sh @@ -2,7 +2,7 @@ ## ghacks-user.js updater for macOS and Linux -## version: 2.5 +## version: 2.6 ## Author: Pat Johnson (@overdodactyl) ## Additional contributors: @earthlng, @ema-pe, @claustromaniac @@ -313,8 +313,10 @@ update_userjs () { # apply overrides if [ "$SKIPOVERRIDE" = false ]; then - while IFS=',' read -ra FILE; do - add_override "$FILE" + while IFS=',' read -ra FILES; do + for FILE in "${FILES[@]}"; do + add_override "$FILE" + done done <<< "$OVERRIDE" fi From f69d92e6ddc4c855686601caa391fda5a953ebaa Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 29 May 2020 12:23:17 +0000 Subject: [PATCH 072/657] 1244: https upgrade local --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index d35ef0d..a5ce6cb 100644 --- a/user.js +++ b/user.js @@ -739,7 +739,8 @@ user_pref("security.mixed_content.block_object_subrequest", true); /* 1244: enable https-only-mode [FF76+] * [NOTE] This is experimental * [1] https://bugzilla.mozilla.org/1613063 */ - // user_pref("dom.security.https_only_mode", true); + // user_pref("dom.security.https_only_mode", true); // [FF76+] + // user_pref("dom.security.https_only_mode.upgrade_local", true); // [FF77+] /** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] ***/ /* 1261: disable 3DES (effective key size < 128) From f6e6de844430fa64440ae230061720839e8282be Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 29 May 2020 12:41:59 +0000 Subject: [PATCH 073/657] 77 deprecated --- user.js | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/user.js b/user.js index a5ce6cb..d5b3f7c 100644 --- a/user.js +++ b/user.js @@ -506,9 +506,6 @@ user_pref("browser.urlbar.speculativeConnect.enabled", false); /* 0850d: disable location bar autofill * [1] https://support.mozilla.org/en-US/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/ // user_pref("browser.urlbar.autoFill", false); -/* 0850e: disable location bar one-off searches [FF51+] - * [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ ***/ - // user_pref("browser.urlbar.oneOffSearches", false); /* 0860: disable search and form history * [SETUP-WEB] Be aware thet autocomplete form data can be read by third parties, see [1] [2] * [NOTE] We also clear formdata on exit (see 2803) @@ -1132,10 +1129,6 @@ user_pref("browser.helperApps.deleteTempFileOnExit", true); /* 2604: disable page thumbnail collection * look in profile/thumbnails directory - you may want to clean that out ***/ user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF] -/* 2605: block web content in file processes [FF55+] - * [SETUP-WEB] You may want to disable this for corporate or developer environments - * [1] https://bugzilla.mozilla.org/1343184 ***/ -user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false); // [DEFAULT: false FF76+] /* 2606: disable UITour backend so there is no chance that a remote page can use it ***/ user_pref("browser.uitour.enabled", false); user_pref("browser.uitour.url", ""); @@ -1729,6 +1722,17 @@ user_pref("webgl.disable-extensions", true); // [-] https://bugzilla.mozilla.org/1618188 user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/"); // * * * / +// FF77 +// 0850e: disable location bar one-off searches [FF51+] + // [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ + // [-] https://bugzilla.mozilla.org/1628926 + // user_pref("browser.urlbar.oneOffSearches", false); +// 2605: block web content in file processes [FF55+] + // [SETUP-WEB] You may want to disable this for corporate or developer environments + // [1] https://bugzilla.mozilla.org/1343184 + // [-] https://bugzilla.mozilla.org/1603007 +user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false); +// * * * / // ***/ /* END: internal custom pref to test for syntax errors ***/ From ecc62554e5493c6b6e51a237358ad61e092c679b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 1 Jun 2020 15:27:38 +0000 Subject: [PATCH 074/657] 2608: remote debugging: default value, closes #950 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index d5b3f7c..ade9208 100644 --- a/user.js +++ b/user.js @@ -1138,7 +1138,7 @@ user_pref("browser.uitour.url", ""); user_pref("devtools.chrome.enabled", false); /* 2608: disable remote debugging * [1] https://trac.torproject.org/projects/tor/ticket/16222 ***/ -user_pref("devtools.debugger.remote-enabled", false); +user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] /* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN] * [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#misc * [1] https://bugzilla.mozilla.org/1173199 ***/ From 05580f5e99ccbe02646c9062acd137e51b55a8d2 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 2 Jun 2020 20:48:41 +0000 Subject: [PATCH 075/657] 0709 hotfix, #923, #951 --- user.js | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/user.js b/user.js index ade9208..bf9672e 100644 --- a/user.js +++ b/user.js @@ -441,6 +441,11 @@ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] * [4] https://en.wikipedia.org/wiki/GIO_(software) ***/ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] +/*** [SECTION 0709]: HOTFIX for FF77, FIXED in FF78 ***/ +/* 0709: disabling UNC can cause extension storage to fail + * [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/923 ***/ +user_pref("network.file.disable_unc_paths", false); // [HIDDEN PREF] + /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS Change items 0850 and above to suit for privacy vs convenience and functionality. Consider your environment (no unwanted eyeballs), your device (restricted access), your device's From 683ef63b37bbdc3e19787b9a53a0c8547980d857 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 5 Jun 2020 03:08:16 +0000 Subject: [PATCH 076/657] RFP alts: prefers-reduced-motion --- user.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index bf9672e..b71c1e4 100644 --- a/user.js +++ b/user.js @@ -1444,7 +1444,7 @@ user_pref("privacy.firstparty.isolate", true); FF60: Fix keydown/keyup events (1438795) ** 1337157 - disable WebGL debug renderer info (see 4613) (FF60+) ** 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+) - ** 1479239 - return "no-preference" with prefers-reduced-motion (FF63+) + ** 1479239 - return "no-preference" with prefers-reduced-motion (see 4617) (FF63+) ** 1363508 - spoof/suppress Pointer Events (see 4614) (FF64+) FF65: pointerEvent.pointerid (1492766) ** 1485266 - disable exposure of system colors to CSS or canvas (see 4615) (FF67+) @@ -1584,6 +1584,10 @@ user_pref("ui.use_standins_for_native_colors", true); // 4616: enforce prefers-color-scheme as light [FF67+] // 0=light, 1=dark : This overrides your OS value user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] +// 4617: enforce prefers-reduced-motion as no-preference [FF63+] + // 0=no-preference, 1=reduce +user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] + // * * * / // ***/ From b07cf1f03dd68dcb5e4c103dce163ecb740e417d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 5 Jun 2020 03:10:09 +0000 Subject: [PATCH 077/657] remove extra line from last commit, save one byte --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index b71c1e4..d7475f0 100644 --- a/user.js +++ b/user.js @@ -1587,7 +1587,6 @@ user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] // 4617: enforce prefers-reduced-motion as no-preference [FF63+] // 0=no-preference, 1=reduce user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] - // * * * / // ***/ From 9d78e050ee69aa5326bbac5205da840e1ed29678 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 12 Jun 2020 17:39:28 +0000 Subject: [PATCH 078/657] 77-beta --- user.js | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/user.js b/user.js index d7475f0..add068a 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 24 May 2020 -* version 77-alpha +* date: 12 Jun 2020 +* version 77-beta * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt @@ -755,8 +755,8 @@ user_pref("security.mixed_content.block_object_subrequest", true); // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); /* 1263: disable DHE (Diffie-Hellman Key Exchange) * [1] https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH ***/ - // user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); - // user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); + // user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); // [DEFAULT: false FF79+] + // user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); // [DEFAULT: false FF79+] /* 1264: disable the remaining non-modern cipher suites as of FF52 ***/ // user_pref("security.ssl3.rsa_aes_128_sha", false); // user_pref("security.ssl3.rsa_aes_256_sha", false); @@ -1595,8 +1595,8 @@ user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] to use RFP (4500) or an extension, in which case they become POINTLESS. (a) Many of the components that make up your UA can be derived by other means. And when those values differ, you provide more bits and raise entropy. - Examples of leaks include navigator objects, date locale/formats, iframes, - headers, tcp/ip attributes, feature detection, and **many** more. + Examples of leaks include workers, navigator objects, date locale/formats, + iframes, headers, tcp/ip attributes, feature detection, and **many** more. ALL values below intentionally left blank - use RFP, or get a vetted, tested extension and mimic RFP values to *lower* entropy, or randomize to *raise* it ***/ From b9100488cb60f863b3b42e0728ebea7c43c6ddfb Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 14 Jun 2020 10:26:10 +0000 Subject: [PATCH 079/657] 77 final --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index add068a..bf68880 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 12 Jun 2020 -* version 77-beta +* date: 14 Jun 2020 +* version 77 * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt @@ -1078,7 +1078,7 @@ user_pref("javascript.options.wasm", false); // user_pref("dom.IntersectionObserver.enabled", false); /* 2429: enable (limited but sufficient) window.opener protection [FF65+] * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ -user_pref("dom.targetBlankNoOpener.enabled", true); +user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF78+] /*** [SECTION 2500]: HARDWARE FINGERPRINTING ***/ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!"); From 48f258ff5302ac6cb8421fa6d3788135a682abe6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 14 Jun 2020 10:28:32 +0000 Subject: [PATCH 080/657] start 78-alpha --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index bf68880..d6ecb37 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js * date: 14 Jun 2020 -* version 77 +* version 78-alpha * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From f573200aa8ba37d9941d7ff8fd5e70896a0c0735 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 18 Jun 2020 02:29:54 +0000 Subject: [PATCH 081/657] ciphers in ESR78 [1496639](https://bugzilla.mozilla.org/show_bug.cgi?id=1496639) --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index d6ecb37..de76f44 100644 --- a/user.js +++ b/user.js @@ -755,8 +755,8 @@ user_pref("security.mixed_content.block_object_subrequest", true); // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); /* 1263: disable DHE (Diffie-Hellman Key Exchange) * [1] https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH ***/ - // user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); // [DEFAULT: false FF79+] - // user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); // [DEFAULT: false FF79+] + // user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); // [DEFAULT: false ESR78 & FF79+] + // user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); // [DEFAULT: false ESR78 & FF79+] /* 1264: disable the remaining non-modern cipher suites as of FF52 ***/ // user_pref("security.ssl3.rsa_aes_128_sha", false); // user_pref("security.ssl3.rsa_aes_256_sha", false); From 4be0a80720f4d7af22bc103b3dc075ef55d47d88 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 24 Jun 2020 17:26:25 +0000 Subject: [PATCH 082/657] update trac tor tickets (#958) and some other minor tweaks --- user.js | 46 ++++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/user.js b/user.js index de76f44..0c77f86 100644 --- a/user.js +++ b/user.js @@ -177,7 +177,7 @@ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] * fallback to the "Current locale" based on your application language * [SETTING] General>Language and Appearance>Fonts and Colors>Advanced>Text Encoding for Legacy Content * [TEST] https://hsivonen.com/test/moz/check-charset.htm - * [1] https://trac.torproject.org/projects/tor/ticket/20025 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025 ***/ user_pref("intl.charset.fallback.override", "windows-1252"); /*** [SECTION 0300]: QUIET FOX @@ -390,7 +390,7 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost /* 0701: disable IPv6 * IPv6 can be abused, especially regarding MAC addresses. They also do not play nice * with VPNs. That's even assuming your ISP and/or router and/or website can handle it. - * Firefox telemetry (April 2019) shows only 5% of all connections are IPv6 + * [STATS] Firefox telemetry (June 2020) shows only 5% of all connections are IPv6 * [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, * then this won't make much difference. If you are masking your IP, then it can only help. @@ -430,13 +430,13 @@ user_pref("network.proxy.socks_remote_dns", true); // user_pref("network.ftp.enabled", false); /* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+] * [SETUP-CHROME] Can break extensions for profiles on network shares - * [1] https://trac.torproject.org/projects/tor/ticket/26424 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] /* 0710: disable GIO as a potential proxy bypass vector * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda, * gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64) * [1] https://bugzilla.mozilla.org/1433507 - * [2] https://trac.torproject.org/23044 + * [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23044 * [3] https://en.wikipedia.org/wiki/GVfs * [4] https://en.wikipedia.org/wiki/GIO_(software) ***/ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] @@ -653,10 +653,10 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); user_pref("security.ssl.require_safe_negotiation", true); /* 1202: control TLS versions with min and max * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 + * [STATS] Firefox telemetry (June 2020) shows only 0.16% of SSL handshakes use 1.0 or 1.1 * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint. - * Firefox telemetry (April 2020) shows only 0.25% of TLS web traffic uses 1.0 or 1.1 * [1] https://www.ssllabs.com/ssl-pulse/ ***/ - // user_pref("security.tls.version.min", 3); + // user_pref("security.tls.version.min", 3); // [DEFAULT: 3 FF78+] // user_pref("security.tls.version.max", 4); /* 1203: enforce TLS 1.0 and 1.1 downgrades as session only */ user_pref("security.tls.version.enable-deprecated", false); @@ -715,7 +715,7 @@ user_pref("security.pki.sha1_enforcement_level", 1); * 0=disable detecting Family Safety mode and importing the root * 1=only attempt to detect Family Safety mode (don't import the root) * 2=detect Family Safety mode and import the root - * [1] https://trac.torproject.org/projects/tor/ticket/21686 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/ user_pref("security.family_safety.mode", 0); /* 1222: disable intermediate certificate caching (fingerprinting attack vector) [FF41+] [RESTART] * [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only. @@ -726,12 +726,12 @@ user_pref("security.family_safety.mode", 0); * PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict * [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing * by inspecting ALL your web traffic, then leave at current default=1 - * [1] https://trac.torproject.org/projects/tor/ticket/16206 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 ***/ user_pref("security.cert_pinning.enforcement_level", 2); /** MIXED CONTENT ***/ /* 1240: disable insecure active content on https pages - * [1] https://trac.torproject.org/projects/tor/ticket/21323 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21323 ***/ user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true] /* 1241: disable insecure passive content (such as images) on https pages [SETUP-WEB] ***/ user_pref("security.mixed_content.block_display_content", true); @@ -755,8 +755,8 @@ user_pref("security.mixed_content.block_object_subrequest", true); // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); /* 1263: disable DHE (Diffie-Hellman Key Exchange) * [1] https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH ***/ - // user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); // [DEFAULT: false ESR78 & FF79+] - // user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); // [DEFAULT: false ESR78 & FF79+] + // user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); // [DEFAULT: false FF78+] + // user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); // [DEFAULT: false FF78+] /* 1264: disable the remaining non-modern cipher suites as of FF52 ***/ // user_pref("security.ssl3.rsa_aes_128_sha", false); // user_pref("security.ssl3.rsa_aes_256_sha", false); @@ -764,8 +764,10 @@ user_pref("security.mixed_content.block_object_subrequest", true); /** UI (User Interface) ***/ /* 1270: display warning on the padlock for "broken security" (if 1201 is false) * Bug: warning padlock not indicated for subresources on a secure page! [2] + * [STATS] SSL Labs (June 2020) reports 98.8% of sites have secure renegotiation [3] * [1] https://wiki.mozilla.org/Security:Renegotiation - * [2] https://bugzilla.mozilla.org/1353705 ***/ + * [2] https://bugzilla.mozilla.org/1353705 + * [3] https://www.ssllabs.com/ssl-pulse/ ***/ user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); /* 1271: control "Add Security Exception" dialog on SSL warnings * 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default) @@ -789,7 +791,7 @@ user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); user_pref("browser.display.use_document_fonts", 0); /* 1403: disable icon fonts (glyphs) and local fallback rendering * [1] https://bugzilla.mozilla.org/789788 - * [2] https://trac.torproject.org/projects/tor/ticket/8455 ***/ + * [2] https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/ // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] // user_pref("gfx.downloadable_fonts.fallback_delay", -1); /* 1404: disable rendering of SVG OpenType fonts @@ -962,7 +964,7 @@ user_pref("dom.disable_window_move_resize", true); * This stops malicious window sizes and some screen resolution leaks. * You can still right-click a link and open in a new window. * [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen - * [1] https://trac.torproject.org/projects/tor/ticket/9881 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ user_pref("browser.link.open_newwindow", 3); user_pref("browser.link.open_newwindow.restriction", 0); /* 2204: disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks @@ -1142,7 +1144,7 @@ user_pref("browser.uitour.url", ""); * [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/ user_pref("devtools.chrome.enabled", false); /* 2608: disable remote debugging - * [1] https://trac.torproject.org/projects/tor/ticket/16222 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] /* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN] * [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#misc @@ -1154,7 +1156,7 @@ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] * [1] https://bugzilla.mozilla.org/1216893 ***/ // user_pref("svg.disabled", true); /* 2611: disable middle mouse click opening links from clipboard - * [1] https://trac.torproject.org/projects/tor/ticket/10089 ***/ + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/ user_pref("middlemouse.contentLoadURL", false); /* 2614: limit HTTP redirects (this does not control redirects with HTML meta tags or JS) * [NOTE] A low setting of 5 or under will probably break some sites (e.g. gmail logins) @@ -1507,8 +1509,8 @@ user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan // 4601: [2514] spoof (or limit?) number of CPU cores [FF48+] // [NOTE] *may* affect core chrome/Firefox performance, will affect content. // [1] https://bugzilla.mozilla.org/1008453 - // [2] https://trac.torproject.org/projects/tor/ticket/21675 - // [3] https://trac.torproject.org/projects/tor/ticket/22127 + // [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21675 + // [3] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22127 // [4] https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency // user_pref("dom.maxHardwareConcurrency", 2); // * * * / @@ -1520,7 +1522,7 @@ user_pref("dom.enable_resource_timing", false); user_pref("dom.enable_performance", false); // 4604: [2512] disable device sensor API // Optional protection depending on your device - // [1] https://trac.torproject.org/projects/tor/ticket/15758 + // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15758 // [2] https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/ // [3] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751 // user_pref("device.sensors.enabled", false); @@ -1531,7 +1533,7 @@ user_pref("dom.enable_performance", false); user_pref("browser.zoom.siteSpecific", false); // 4606: [2501] disable gamepad API - USB device ID enumeration // Optional protection depending on your connected devices - // [1] https://trac.torproject.org/projects/tor/ticket/13023 + // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13023 // user_pref("dom.gamepad.enabled", false); // 4607: [2503] disable giving away network info [FF31+] // e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none @@ -1547,7 +1549,7 @@ user_pref("media.webspeech.synth.enabled", false); // * * * / // FF57+ // 4610: [2506] disable video statistics - JS performance fingerprinting [FF25+] - // [1] https://trac.torproject.org/projects/tor/ticket/15757 + // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15757 // [2] https://bugzilla.mozilla.org/654550 user_pref("media.video_stats.enabled", false); // 4611: [2509] disable touch events @@ -1555,7 +1557,7 @@ user_pref("media.video_stats.enabled", false); // 0=disabled, 1=enabled, 2=autodetect // Optional protection depending on your device // [1] https://developer.mozilla.org/docs/Web/API/Touch_events - // [2] https://trac.torproject.org/projects/tor/ticket/10286 + // [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10286 // user_pref("dom.w3c_touch_events.enabled", 0); // * * * / // FF59+ From 77ecef8be3a0a6b1a0f32c9d9ef501478065b00f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 27 Jun 2020 12:16:57 +0000 Subject: [PATCH 083/657] 78 deprecated, add 2032 (#962) --- user.js | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 0c77f86..f3b08b6 100644 --- a/user.js +++ b/user.js @@ -943,8 +943,10 @@ user_pref("media.getusermedia.audiocapture.enabled", false); * [NOTE] You can set exceptions under site permissions * [SETTING] Privacy & Security>Permissions>Autoplay>Settings>Default for all websites ***/ // user_pref("media.autoplay.default", 5); -/* 2031: disable autoplay of HTML5 media if you interacted with the site [FF66+] ***/ -user_pref("media.autoplay.enabled.user-gestures-needed", false); +/* 2031: disable autoplay of HTML5 media if you interacted with the site [FF78+] + * 0=sticky (default), 1=transient, 2=user + * [1] https://html.spec.whatwg.org/multipage/interaction.html#sticky-activation ***/ +user_pref("media.autoplay.blocking_policy", 2); /*** [SECTION 2200]: WINDOW MEDDLING & LEAKS / POPUPS ***/ user_pref("_user.js.parrot", "2200 syntax error: the parrot's 'istory!"); @@ -1635,7 +1637,6 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); // user_pref("full-screen-api.warning.timeout", 0); /* APPEARANCE ***/ // user_pref("browser.download.autohideButton", false); // [FF57+] - // user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+] // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent /* CONTENT BEHAVIOR ***/ // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type" @@ -1743,6 +1744,14 @@ user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozi // [-] https://bugzilla.mozilla.org/1603007 user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false); // * * * / +// FF78 +// 2031: disable autoplay of HTML5 media if you interacted with the site [FF66+] - replaced by 'media.autoplay.blocking_policy' + // [-] https://bugzilla.mozilla.org/1509933 +user_pref("media.autoplay.enabled.user-gestures-needed", false); +// 5000's: disable chrome animations - replaced FF77+ by 'ui.prefersReducedMotion' (4617) + // [-] https://bugzilla.mozilla.org/1640501 + // user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+] +// * * * / // ***/ /* END: internal custom pref to test for syntax errors ***/ From aaf6cb33d7d74b6e8b4e0384254745719ab42d5c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 27 Jun 2020 12:37:32 +0000 Subject: [PATCH 084/657] 4617 restart - at least for disabling chrome animations --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index f3b08b6..73c3b03 100644 --- a/user.js +++ b/user.js @@ -1588,7 +1588,7 @@ user_pref("ui.use_standins_for_native_colors", true); // 4616: enforce prefers-color-scheme as light [FF67+] // 0=light, 1=dark : This overrides your OS value user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] -// 4617: enforce prefers-reduced-motion as no-preference [FF63+] +// 4617: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] // 0=no-preference, 1=reduce user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] // * * * / From 488a82562601d6cddb045347e5ae7d734e0a49dd Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 28 Jun 2020 15:48:13 +0000 Subject: [PATCH 085/657] update weak ciphers/tests etc, closes #931 (#963) - adds the new tests including the non-JS JA3 Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Co-authored-by: earthlng --- user.js | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/user.js b/user.js index 73c3b03..4af746f 100644 --- a/user.js +++ b/user.js @@ -637,6 +637,8 @@ user_pref("browser.shell.shortcutFavicons", false); /*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS) Your cipher and other settings can be used in server side fingerprinting [TEST] https://www.ssllabs.com/ssltest/viewMyClient.html + [TEST] https://browserleaks.com/ssl + [TEST] https://ja3er.com/ [1] https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/ ***/ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); @@ -744,22 +746,29 @@ user_pref("security.mixed_content.block_object_subrequest", true); // user_pref("dom.security.https_only_mode", true); // [FF76+] // user_pref("dom.security.https_only_mode.upgrade_local", true); // [FF77+] -/** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] ***/ -/* 1261: disable 3DES (effective key size < 128) +/** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] + * These are all the ciphers still using SHA-1 and CBC which are weaker than the available alternatives. (see "Cipher Suites" in [1]) + * Additionally some have other weaknesses like key sizes of 128 (or lower) [2] and/or no Perfect Forward Secrecy [3]. + * [1] https://browserleaks.com/ssl + * [2] https://en.wikipedia.org/wiki/Key_size + * [3] https://en.wikipedia.org/wiki/Forward_secrecy + ***/ +/* 1261: disable 3DES (effective key size < 128 and no PFS) * [1] https://en.wikipedia.org/wiki/3des#Security * [2] https://en.wikipedia.org/wiki/Meet-in-the-middle_attack * [3] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ***/ // user_pref("security.ssl3.rsa_des_ede3_sha", false); -/* 1262: disable 128 bits ***/ - // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); - // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); /* 1263: disable DHE (Diffie-Hellman Key Exchange) * [1] https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH ***/ // user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); // [DEFAULT: false FF78+] // user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); // [DEFAULT: false FF78+] -/* 1264: disable the remaining non-modern cipher suites as of FF52 ***/ - // user_pref("security.ssl3.rsa_aes_128_sha", false); - // user_pref("security.ssl3.rsa_aes_256_sha", false); +/* 1264: disable the remaining non-modern cipher suites as of FF78 (in order of preferred by FF) ***/ + // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); + // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); + // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); + // user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false); + // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS + // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS /** UI (User Interface) ***/ /* 1270: display warning on the padlock for "broken security" (if 1201 is false) From 618f7bed3f693f0931689740b2ce540e64b0e651 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 29 Jun 2020 15:49:11 +0000 Subject: [PATCH 086/657] 0850a: add top sites FF78+ --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 4af746f..5260324 100644 --- a/user.js +++ b/user.js @@ -495,11 +495,12 @@ user_pref("browser.urlbar.usepreloadedtopurls.enabled", false); * [1] https://bugzilla.mozilla.org/1348275 ***/ user_pref("browser.urlbar.speculativeConnect.enabled", false); /* 0850a: disable location bar suggestion types - * If all three suggestion types are false, search engine keywords are disabled + * If the first three suggestion types are false, search engine keywords are disabled * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/ // user_pref("browser.urlbar.suggest.history", false); // user_pref("browser.urlbar.suggest.bookmark", false); // user_pref("browser.urlbar.suggest.openpage", false); + // user_pref("browser.urlbar.suggest.topsites", false); // [FF78+] /* 0850c: disable location bar dropdown * This value controls the total number of entries to appear in the location bar dropdown * [NOTE] Items (bookmarks/history/openpages) with a high "frecency"/"bonus" will always From b5b04454e0710920ce3ad427c50eeeb904a22842 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 1 Jul 2020 03:46:52 +0000 Subject: [PATCH 087/657] 0850a search keywords fixup --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index 5260324..abd98a3 100644 --- a/user.js +++ b/user.js @@ -495,7 +495,6 @@ user_pref("browser.urlbar.usepreloadedtopurls.enabled", false); * [1] https://bugzilla.mozilla.org/1348275 ***/ user_pref("browser.urlbar.speculativeConnect.enabled", false); /* 0850a: disable location bar suggestion types - * If the first three suggestion types are false, search engine keywords are disabled * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/ // user_pref("browser.urlbar.suggest.history", false); // user_pref("browser.urlbar.suggest.bookmark", false); From 3d18af19e3936beecca8506dc57319a428b98dc2 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 5 Jul 2020 14:02:25 +0000 Subject: [PATCH 088/657] various, #959 (#967) Co-authored-by: rusty-snake --- user.js | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index abd98a3..e6916a0 100644 --- a/user.js +++ b/user.js @@ -125,6 +125,9 @@ user_pref("browser.newtabpage.activity-stream.showSponsored", false); user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); // [FF66+] /* 0105d: disable Activity Stream recent Highlights in the Library [FF57+] ***/ // user_pref("browser.library.activity-stream.enabled", false); +/* 0105e: clear default topsites + * [NOTE] This does not block you from adding your own ***/ +user_pref("browser.newtabpage.activity-stream.default.sites", ""); /* 0110: start Firefox in PB (Private Browsing) mode * [NOTE] In this mode *all* windows are "private windows" and the PB mode icon is not displayed * [WARNING] The P in PB mode is misleading: it means no "persistent" disk storage such as history, @@ -175,7 +178,7 @@ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] /* 0212: enforce fallback text encoding to match en-US * When the content or server doesn't declare a charset the browser will * fallback to the "Current locale" based on your application language - * [SETTING] General>Language and Appearance>Fonts and Colors>Advanced>Text Encoding for Legacy Content + * [SETTING] General>Language and Appearance>Fonts and Colors>Advanced>Text Encoding for Legacy Content (FF72-) * [TEST] https://hsivonen.com/test/moz/check-charset.htm * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025 ***/ user_pref("intl.charset.fallback.override", "windows-1252"); @@ -205,7 +208,7 @@ user_pref("app.update.auto", false); // user_pref("extensions.getAddons.cache.enabled", false); /* 0308: disable search engine updates (e.g. OpenSearch) * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines - * [SETTING] General>Firefox Updates>Automatically update search engines ***/ + * [SETTING] General>Firefox Updates>Automatically update search engines (FF72-) ***/ user_pref("browser.search.update", false); /* 0309: disable sending Flash crash reports ***/ user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); @@ -1502,6 +1505,9 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] * When default true (FF62+) this no longer masks the RFP chrome resizing activity * [1] https://bugzilla.mozilla.org/1448423 ***/ user_pref("browser.startup.blankWindow", false); +/* 4520: disable chrome animations [FF77+] [RESTART] + * [NOTE] pref added in FF63, but applied to chrome in FF77. RFP spoofs this for web content ***/ +user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] /*** [SECTION 4600]: RFP ALTERNATIVES * non-RFP users: @@ -1757,7 +1763,7 @@ user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false); // 2031: disable autoplay of HTML5 media if you interacted with the site [FF66+] - replaced by 'media.autoplay.blocking_policy' // [-] https://bugzilla.mozilla.org/1509933 user_pref("media.autoplay.enabled.user-gestures-needed", false); -// 5000's: disable chrome animations - replaced FF77+ by 'ui.prefersReducedMotion' (4617) +// 5000's: disable chrome animations - replaced FF77+ by 'ui.prefersReducedMotion' (4520) // [-] https://bugzilla.mozilla.org/1640501 // user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+] // * * * / From d0060fed3cf52008178dc11271018b5296dfb2e0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 8 Jul 2020 13:18:38 +0000 Subject: [PATCH 089/657] 2031: use exceptions if you need to, #969 --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index e6916a0..3875297 100644 --- a/user.js +++ b/user.js @@ -957,6 +957,7 @@ user_pref("media.getusermedia.audiocapture.enabled", false); // user_pref("media.autoplay.default", 5); /* 2031: disable autoplay of HTML5 media if you interacted with the site [FF78+] * 0=sticky (default), 1=transient, 2=user + * [NOTE] If you have trouble with some video sites, then add an exception (see 2030) * [1] https://html.spec.whatwg.org/multipage/interaction.html#sticky-activation ***/ user_pref("media.autoplay.blocking_policy", 2); From 1a389c021417833ccd688a52d05cd4b0b08734fa Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 10 Jul 2020 10:09:13 +0000 Subject: [PATCH 090/657] dnsResolveSingleWordsAfterSearch (#968) --- user.js | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 3875297..ed5857e 100644 --- a/user.js +++ b/user.js @@ -461,9 +461,8 @@ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); /* 0801: disable location bar using search * Don't leak URL typos to a search engine, give an error message instead. * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com" - * [NOTE] Search buttons in the dropdown work, but hitting 'enter' in the location bar will fail - * [TIP] You can add keywords to search engines in options (e.g. 'd' for DuckDuckGo) and - * the dropdown will now auto-select it and you can then hit 'enter' and it will work + * [NOTE] This does **not** affect explicit user action such as using search buttons in the + * dropdown, or using keyword search shortcuts you configure in options (e.g. 'd' for DuckDuckGo) * [SETUP-CHROME] If you don't, or rarely, type URLs, or you use a default search * engine that respects privacy, then you probably don't need this ***/ user_pref("keyword.enabled", false); @@ -497,6 +496,11 @@ user_pref("browser.urlbar.usepreloadedtopurls.enabled", false); /* 0810: disable location bar making speculative connections [FF56+] * [1] https://bugzilla.mozilla.org/1348275 ***/ user_pref("browser.urlbar.speculativeConnect.enabled", false); +/* 0811: disable location bar leaking single words to a DNS provider **after searching** [FF78+] + * 0=never resolve single words, 1=heuristic (default), 2=always resolve + * [NOTE] For FF78 value 1 and 2 are the same and always resolve but that will change in future versions + * [1] https://bugzilla.mozilla.org/1642623 ***/ +user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); /* 0850a: disable location bar suggestion types * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/ // user_pref("browser.urlbar.suggest.history", false); From 84997386c1d1d8a08c336a52b588d0d416188e37 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 20 Jul 2020 05:24:18 +0000 Subject: [PATCH 091/657] 78-beta --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index ed5857e..bbcf796 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 14 Jun 2020 -* version 78-alpha +* date: 20 Jul 2020 +* version 78-beta * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From fe0af3bb348fb996d4635ad87d1c4f22b2a3b557 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 21 Jul 2020 10:40:01 +0000 Subject: [PATCH 092/657] remove 0709 duplicate, 78 final --- user.js | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/user.js b/user.js index bbcf796..e323e8d 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 20 Jul 2020 -* version 78-beta +* date: 21 Jul 2020 +* version 78 * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt @@ -444,11 +444,6 @@ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] * [4] https://en.wikipedia.org/wiki/GIO_(software) ***/ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] -/*** [SECTION 0709]: HOTFIX for FF77, FIXED in FF78 ***/ -/* 0709: disabling UNC can cause extension storage to fail - * [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/923 ***/ -user_pref("network.file.disable_unc_paths", false); // [HIDDEN PREF] - /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS Change items 0850 and above to suit for privacy vs convenience and functionality. Consider your environment (no unwanted eyeballs), your device (restricted access), your device's From 46d03279d3e44ee94f1968992ad4eafcce68ce92 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 22 Jul 2020 12:35:13 +0000 Subject: [PATCH 093/657] 79 start, fixup 2429 default info --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index e323e8d..9a5cdd9 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 21 Jul 2020 -* version 78 +* date: 22 Jul 2020 +* version 79-alpha * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt @@ -1094,7 +1094,7 @@ user_pref("javascript.options.wasm", false); // user_pref("dom.IntersectionObserver.enabled", false); /* 2429: enable (limited but sufficient) window.opener protection [FF65+] * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ -user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF78+] +user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] /*** [SECTION 2500]: HARDWARE FINGERPRINTING ***/ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!"); From df21798b81d5665e69f2dde2928ff6a5032ab555 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Jul 2020 10:53:25 +0000 Subject: [PATCH 094/657] Delete ghacks-clear-FF68inclusive-[RFP-alternatives].js --- ...-clear-FF68inclusive-[RFP-alternatives].js | 61 ------------------- 1 file changed, 61 deletions(-) delete mode 100644 scratchpad-scripts/ghacks-clear-FF68inclusive-[RFP-alternatives].js diff --git a/scratchpad-scripts/ghacks-clear-FF68inclusive-[RFP-alternatives].js b/scratchpad-scripts/ghacks-clear-FF68inclusive-[RFP-alternatives].js deleted file mode 100644 index dd315d6..0000000 --- a/scratchpad-scripts/ghacks-clear-FF68inclusive-[RFP-alternatives].js +++ /dev/null @@ -1,61 +0,0 @@ -/*** - This will reset the preferences that are under sections 4600 & 4700 in the ghacks user.js - up to and including Firefox/ESR 68. These are the prefs that are no longer necessary, - or they conflict with, privacy.resistFingerprinting if you have that enabled. - - For instructions see: - https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] -***/ - -(function() { - let ops = [ - /* section 4600 */ - 'dom.maxHardwareConcurrency', - 'dom.enable_resource_timing', - 'dom.enable_performance', - 'device.sensors.enabled', - 'browser.zoom.siteSpecific', - 'dom.gamepad.enabled', - 'dom.netinfo.enabled', - 'media.webspeech.synth.enabled', - 'media.video_stats.enabled', - 'dom.w3c_touch_events.enabled', - 'media.ondevicechange.enabled', - 'webgl.enable-debug-renderer-info', - 'dom.w3c_pointer_events.enabled', - 'ui.use_standins_for_native_colors', - /* section 4700 */ - 'general.useragent.override', - 'general.buildID.override', - 'general.appname.override', - 'general.appversion.override', - 'general.platform.override', - 'general.oscpu.override', - /* reset parrot: check your open about:config after running the script */ - '_user.js.parrot' - ] - - if("undefined" === typeof(Services)) { - alert("about:config needs to be the active tab!"); - return; - } - - let c = 0; - for (let i = 0, len = ops.length; i < len; i++) { - if (Services.prefs.prefHasUserValue(ops[i])) { - Services.prefs.clearUserPref(ops[i]); - if (!Services.prefs.prefHasUserValue(ops[i])) { - console.log("reset", ops[i]); - c++; - } else { console.log("failed to reset", ops[i]); } - } - } - - focus(); - - let d = (c==1) ? " pref" : " prefs"; - if (c > 0) { - alert("successfully reset " + c + d + "\n\nfor details check the Browser Console (Ctrl+Shift+J)"); - } else { alert("nothing to reset"); } - -})(); From 892b3d9d69938516cb81549b3bb68ab71bcfb2dd Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Jul 2020 10:53:38 +0000 Subject: [PATCH 095/657] Delete ghacks-clear-FF68inclusive-[deprecated].js --- ...ghacks-clear-FF68inclusive-[deprecated].js | 221 ------------------ 1 file changed, 221 deletions(-) delete mode 100644 scratchpad-scripts/ghacks-clear-FF68inclusive-[deprecated].js diff --git a/scratchpad-scripts/ghacks-clear-FF68inclusive-[deprecated].js b/scratchpad-scripts/ghacks-clear-FF68inclusive-[deprecated].js deleted file mode 100644 index a3005e0..0000000 --- a/scratchpad-scripts/ghacks-clear-FF68inclusive-[deprecated].js +++ /dev/null @@ -1,221 +0,0 @@ -/*** - This will reset the preferences that have been deprecated by Mozilla - and used in the ghacks user.js up to and including Firefox/ESR 68 - - It is in reverse order, so feel free to remove sections that do not apply - - For instructions see: - https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] -***/ - -(function() { - let ops = [ - /* deprecated */ - - /* 68 */ - 'browser.newtabpage.activity-stream.disableSnippets', - 'browser.aboutHomeSnippets.updateUrl', - 'lightweightThemes.update.enabled', - 'security.csp.experimentalEnabled', - /* F67 */ - 'dom.event.highrestimestamp.enabled', - 'browser.newtabpage.activity-stream.asrouter.userprefs.cfr', - /* 66 */ - 'browser.chrome.errorReporter.enabled', - 'browser.chrome.errorReporter.submitUrl', - 'network.allow-experiments', - /* 65 */ - 'browser.urlbar.autocomplete.enabled', - 'browser.fixup.hide_user_pass', - /* 64 */ - 'browser.onboarding.enabled', - 'devtools.webide.autoinstallADBHelper', - 'devtools.webide.adbAddonURL', - 'security.csp.enable_violation_events', - /* 63 */ - 'browser.search.countryCode', - 'app.update.enabled', - 'shield.savant.enabled', - 'browser.chrome.favicons', - 'media.autoplay.enabled', - 'network.cookie.lifetime.days', - 'browser.ctrlTab.previews', - /* 62 */ - 'plugin.state.java', - /* 61 */ - 'experiments.enabled', - 'experiments.manifest.uri', - 'experiments.supported', - 'experiments.activeExperiment', - 'network.jar.block-remote-files', - 'network.jar.open-unsafe-types', - /* 60 */ - 'browser.newtabpage.directory.source', - 'browser.newtabpage.enhanced', - 'browser.newtabpage.introShown', - 'extensions.shield-recipe-client.enabled', - 'extensions.shield-recipe-client.api_url', - 'browser.newtabpage.activity-stream.enabled', - 'dom.workers.enabled', - /* 59 */ - 'intl.locale.matchOS', - 'general.useragent.locale', - 'datareporting.healthreport.about.reportUrl', - 'dom.flyweb.enabled', - 'security.mixed_content.use_hsts', - 'security.mixed_content.send_hsts_priming', - 'network.http.referer.userControlPolicy', - 'security.xpconnect.plugin.unrestricted', - 'media.getusermedia.screensharing.allowed_domains', - 'camera.control.face_detection.enabled', - 'dom.disable_window_status_change', - 'dom.idle-observers-api.enabled', - /* 58 */ - 'browser.crashReports.unsubmittedCheck.autoSubmit', - /* 57 */ - 'social.whitelist', - 'social.toast-notifications.enabled', - 'social.shareDirectory', - 'social.remote-install.enabled', - 'social.directories', - 'social.share.activationPanelEnabled', - 'social.enabled', - 'media.eme.chromium-api.enabled', - 'devtools.webide.autoinstallFxdtAdapters', - 'browser.casting.enabled', - 'browser.bookmarks.showRecentlyBookmarked', - /* 56 */ - 'extensions.screenshots.system-disabled', - 'extensions.formautofill.experimental', - /* 55 */ - 'geo.security.allowinsecure', - 'browser.selfsupport.enabled', - 'browser.selfsupport.url', - 'browser.newtabpage.directory.ping', - 'browser.formfill.saveHttpsForms', - 'browser.formautofill.enabled', - 'dom.enable_user_timing', - 'dom.keyboardevent.code.enabled', - 'browser.tabs.animate', - 'browser.fullscreen.animate', - /* 54 */ - 'browser.safebrowsing.reportMalwareMistakeURL', - 'browser.safebrowsing.reportPhishMistakeURL', - 'media.eme.apiVisible', - 'dom.archivereader.enabled', - /* 53 */ - 'security.tls.unrestricted_rc4_fallback', - 'plugin.scan.Acrobat', - 'plugin.scan.Quicktime', - 'plugin.scan.WindowsMediaPlayer', - 'media.getusermedia.screensharing.allow_on_old_platforms', - 'dom.beforeAfterKeyboardEvent.enabled', - /* 52 */ - 'network.http.sendSecureXSiteReferrer', - 'media.gmp-eme-adobe.enabled', - 'media.gmp-eme-adobe.visible', - 'media.gmp-eme-adobe.autoupdate', - 'dom.telephony.enabled', - 'dom.battery.enabled', - /* 51 */ - 'media.block-play-until-visible', - 'dom.vr.oculus050.enabled', - 'network.http.spdy.enabled.v3-1', - /* 50 */ - 'browser.usedOnWindows10.introURL', - 'plugins.update.notifyUser', - 'browser.safebrowsing.enabled', - 'security.ssl3.ecdhe_ecdsa_rc4_128_sha', - 'security.ssl3.ecdhe_rsa_rc4_128_sha', - 'security.ssl3.rsa_rc4_128_md5', - 'security.ssl3.rsa_rc4_128_sha', - 'plugins.update.url', - /* 49 */ - 'loop.enabled', - 'loop.server', - 'loop.feedback.formURL', - 'loop.feedback.manualFormURL', - 'loop.facebook.appId', - 'loop.facebook.enabled', - 'loop.facebook.fallbackUrl', - 'loop.facebook.shareUrl', - 'loop.logDomains', - 'dom.disable_window_open_feature.scrollbars', - 'dom.push.udp.wakeupEnabled', - /* 48 */ - 'browser.urlbar.unifiedcomplete', - /* 47 */ - 'toolkit.telemetry.unifiedIsOptIn', - 'datareporting.healthreport.about.reportUrlUnified', - 'browser.history.allowPopState', - 'browser.history.allowPushState', - 'browser.history.allowReplaceState', - /* 46 */ - 'datareporting.healthreport.service.enabled', - 'datareporting.healthreport.documentServerURI', - 'datareporting.policy.dataSubmissionEnabled.v2', - 'browser.safebrowsing.appRepURL', - 'browser.polaris.enabled', - 'browser.pocket.enabled', - 'browser.pocket.api', - 'browser.pocket.site', - 'browser.pocket.oAuthConsumerKey', - /* 45 */ - 'browser.sessionstore.privacy_level_deferred', - /* 44 */ - 'browser.safebrowsing.provider.google.appRepURL', - 'security.tls.insecure_fallback_hosts.use_static_list', - 'dom.workers.sharedWorkers.enabled', - 'dom.disable_image_src_set', - /* 43 */ - 'browser.safebrowsing.gethashURL', - 'browser.safebrowsing.updateURL', - 'browser.safebrowsing.malware.reportURL', - 'browser.trackingprotection.gethashURL', - 'browser.trackingprotection.updateURL', - 'pfs.datasource.url', - 'browser.search.showOneOffButtons', - /* 42 and earlier */ - 'privacy.clearOnShutdown.passwords', // 42 - 'full-screen-api.approval-required', // 42 - 'browser.safebrowsing.reportErrorURL', // 41 - 'browser.safebrowsing.reportGenericURL', // 41 - 'browser.safebrowsing.reportMalwareErrorURL', // 41 - 'browser.safebrowsing.reportMalwareURL', // 41 - 'browser.safebrowsing.reportURL', // 41 - 'plugins.enumerable_names', // 41 - 'network.http.spdy.enabled.http2draft', // 41 - 'camera.control.autofocus_moving_callback.enabled', // 37 - 'privacy.donottrackheader.value', // 36 - 'network.websocket.enabled', // 35 - 'dom.network.enabled', // 31 - 'pageThumbs.enabled', // 25 - - /* reset parrot: check your open about:config after running the script */ - '_user.js.parrot' - ] - - if("undefined" === typeof(Services)) { - alert("about:config needs to be the active tab!"); - return; - } - - let c = 0; - for (let i = 0, len = ops.length; i < len; i++) { - if (Services.prefs.prefHasUserValue(ops[i])) { - Services.prefs.clearUserPref(ops[i]); - if (!Services.prefs.prefHasUserValue(ops[i])) { - console.log("reset", ops[i]); - c++; - } else { console.log("failed to reset", ops[i]); } - } - } - - focus(); - - let d = (c==1) ? " pref" : " prefs"; - if (c > 0) { - alert("successfully reset " + c + d + "\n\nfor details check the Browser Console (Ctrl+Shift+J)"); - } else { alert("nothing to reset"); } - -})(); From 24c228df922649e74acfc4b6474926beba50c98f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Jul 2020 10:57:12 +0000 Subject: [PATCH 096/657] update to ESR78 --- scratchpad-scripts/ghacks-clear-deprecated.js | 248 ++++++++++++++++++ 1 file changed, 248 insertions(+) create mode 100644 scratchpad-scripts/ghacks-clear-deprecated.js diff --git a/scratchpad-scripts/ghacks-clear-deprecated.js b/scratchpad-scripts/ghacks-clear-deprecated.js new file mode 100644 index 0000000..e3ab4e1 --- /dev/null +++ b/scratchpad-scripts/ghacks-clear-deprecated.js @@ -0,0 +1,248 @@ +/*** + Version: up to and including FF/ESR78 + + This will reset the preferences that have been deprecated by Mozilla + and used in the ghacks user.js + + It is in reverse order, so feel free to remove sections that do not apply + + For instructions see: + https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] +***/ + +(function() { + let ops = [ + /* deprecated */ + + /* 78 */ + 'media.autoplay.enabled.user-gestures-needed', + 'toolkit.cosmeticAnimations.enabled', + /* 77 */ + 'browser.urlbar.oneOffSearches', + 'browser.tabs.remote.allowLinkedWebInFileUriProcess', + /* 76 */ + 'extensions.blocklist.url', + /* 74 */ + 'geo.wifi.uri', + 'geo.wifi.logging.enabled', + 'privacy.userContext.longPressBehavior', + 'webgl.disable-extensions', + /* 72 */ + 'browser.newtabpage.activity-stream.telemetry.ping.endpoint', + 'toolkit.telemetry.hybridContent.enabled', + 'dom.indexedDB.enabled', + /* 71 */ + 'devtools.webide.enabled', + 'devtools.webide.autoinstallADBExtension', + 'offline-apps.allow_by_default', + /* 69 */ + 'gfx.downloadable_fonts.woff2.enabled', + 'plugins.click_to_play', + 'media.autoplay.allow-muted', + /* 68 */ + 'browser.newtabpage.activity-stream.disableSnippets', + 'browser.aboutHomeSnippets.updateUrl', + 'lightweightThemes.update.enabled', + 'security.csp.experimentalEnabled', + /* F67 */ + 'dom.event.highrestimestamp.enabled', + 'browser.newtabpage.activity-stream.asrouter.userprefs.cfr', + /* 66 */ + 'browser.chrome.errorReporter.enabled', + 'browser.chrome.errorReporter.submitUrl', + 'network.allow-experiments', + /* 65 */ + 'browser.urlbar.autocomplete.enabled', + 'browser.fixup.hide_user_pass', + /* 64 */ + 'browser.onboarding.enabled', + 'devtools.webide.autoinstallADBHelper', + 'devtools.webide.adbAddonURL', + 'security.csp.enable_violation_events', + /* 63 */ + 'browser.search.countryCode', + 'app.update.enabled', + 'shield.savant.enabled', + 'browser.chrome.favicons', + 'media.autoplay.enabled', + 'network.cookie.lifetime.days', + 'browser.ctrlTab.previews', + /* 62 */ + 'plugin.state.java', + /* 61 */ + 'experiments.enabled', + 'experiments.manifest.uri', + 'experiments.supported', + 'experiments.activeExperiment', + 'network.jar.block-remote-files', + 'network.jar.open-unsafe-types', + /* 60 */ + 'browser.newtabpage.directory.source', + 'browser.newtabpage.enhanced', + 'browser.newtabpage.introShown', + 'extensions.shield-recipe-client.enabled', + 'extensions.shield-recipe-client.api_url', + 'browser.newtabpage.activity-stream.enabled', + 'dom.workers.enabled', + /* 59 */ + 'intl.locale.matchOS', + 'general.useragent.locale', + 'datareporting.healthreport.about.reportUrl', + 'dom.flyweb.enabled', + 'security.mixed_content.use_hsts', + 'security.mixed_content.send_hsts_priming', + 'network.http.referer.userControlPolicy', + 'security.xpconnect.plugin.unrestricted', + 'media.getusermedia.screensharing.allowed_domains', + 'camera.control.face_detection.enabled', + 'dom.disable_window_status_change', + 'dom.idle-observers-api.enabled', + /* 58 */ + 'browser.crashReports.unsubmittedCheck.autoSubmit', + /* 57 */ + 'social.whitelist', + 'social.toast-notifications.enabled', + 'social.shareDirectory', + 'social.remote-install.enabled', + 'social.directories', + 'social.share.activationPanelEnabled', + 'social.enabled', + 'media.eme.chromium-api.enabled', + 'devtools.webide.autoinstallFxdtAdapters', + 'browser.casting.enabled', + 'browser.bookmarks.showRecentlyBookmarked', + /* 56 */ + 'extensions.screenshots.system-disabled', + 'extensions.formautofill.experimental', + /* 55 */ + 'geo.security.allowinsecure', + 'browser.selfsupport.enabled', + 'browser.selfsupport.url', + 'browser.newtabpage.directory.ping', + 'browser.formfill.saveHttpsForms', + 'browser.formautofill.enabled', + 'dom.enable_user_timing', + 'dom.keyboardevent.code.enabled', + 'browser.tabs.animate', + 'browser.fullscreen.animate', + /* 54 */ + 'browser.safebrowsing.reportMalwareMistakeURL', + 'browser.safebrowsing.reportPhishMistakeURL', + 'media.eme.apiVisible', + 'dom.archivereader.enabled', + /* 53 */ + 'security.tls.unrestricted_rc4_fallback', + 'plugin.scan.Acrobat', + 'plugin.scan.Quicktime', + 'plugin.scan.WindowsMediaPlayer', + 'media.getusermedia.screensharing.allow_on_old_platforms', + 'dom.beforeAfterKeyboardEvent.enabled', + /* 52 */ + 'network.http.sendSecureXSiteReferrer', + 'media.gmp-eme-adobe.enabled', + 'media.gmp-eme-adobe.visible', + 'media.gmp-eme-adobe.autoupdate', + 'dom.telephony.enabled', + 'dom.battery.enabled', + /* 51 */ + 'media.block-play-until-visible', + 'dom.vr.oculus050.enabled', + 'network.http.spdy.enabled.v3-1', + /* 50 */ + 'browser.usedOnWindows10.introURL', + 'plugins.update.notifyUser', + 'browser.safebrowsing.enabled', + 'security.ssl3.ecdhe_ecdsa_rc4_128_sha', + 'security.ssl3.ecdhe_rsa_rc4_128_sha', + 'security.ssl3.rsa_rc4_128_md5', + 'security.ssl3.rsa_rc4_128_sha', + 'plugins.update.url', + /* 49 */ + 'loop.enabled', + 'loop.server', + 'loop.feedback.formURL', + 'loop.feedback.manualFormURL', + 'loop.facebook.appId', + 'loop.facebook.enabled', + 'loop.facebook.fallbackUrl', + 'loop.facebook.shareUrl', + 'loop.logDomains', + 'dom.disable_window_open_feature.scrollbars', + 'dom.push.udp.wakeupEnabled', + /* 48 */ + 'browser.urlbar.unifiedcomplete', + /* 47 */ + 'toolkit.telemetry.unifiedIsOptIn', + 'datareporting.healthreport.about.reportUrlUnified', + 'browser.history.allowPopState', + 'browser.history.allowPushState', + 'browser.history.allowReplaceState', + /* 46 */ + 'datareporting.healthreport.service.enabled', + 'datareporting.healthreport.documentServerURI', + 'datareporting.policy.dataSubmissionEnabled.v2', + 'browser.safebrowsing.appRepURL', + 'browser.polaris.enabled', + 'browser.pocket.enabled', + 'browser.pocket.api', + 'browser.pocket.site', + 'browser.pocket.oAuthConsumerKey', + /* 45 */ + 'browser.sessionstore.privacy_level_deferred', + /* 44 */ + 'browser.safebrowsing.provider.google.appRepURL', + 'security.tls.insecure_fallback_hosts.use_static_list', + 'dom.workers.sharedWorkers.enabled', + 'dom.disable_image_src_set', + /* 43 */ + 'browser.safebrowsing.gethashURL', + 'browser.safebrowsing.updateURL', + 'browser.safebrowsing.malware.reportURL', + 'browser.trackingprotection.gethashURL', + 'browser.trackingprotection.updateURL', + 'pfs.datasource.url', + 'browser.search.showOneOffButtons', + /* 42 and earlier */ + 'privacy.clearOnShutdown.passwords', // 42 + 'full-screen-api.approval-required', // 42 + 'browser.safebrowsing.reportErrorURL', // 41 + 'browser.safebrowsing.reportGenericURL', // 41 + 'browser.safebrowsing.reportMalwareErrorURL', // 41 + 'browser.safebrowsing.reportMalwareURL', // 41 + 'browser.safebrowsing.reportURL', // 41 + 'plugins.enumerable_names', // 41 + 'network.http.spdy.enabled.http2draft', // 41 + 'camera.control.autofocus_moving_callback.enabled', // 37 + 'privacy.donottrackheader.value', // 36 + 'network.websocket.enabled', // 35 + 'dom.network.enabled', // 31 + 'pageThumbs.enabled', // 25 + + /* reset parrot: check your open about:config after running the script */ + '_user.js.parrot' + ] + + if("undefined" === typeof(Services)) { + alert("about:config needs to be the active tab!"); + return; + } + + let c = 0; + for (let i = 0, len = ops.length; i < len; i++) { + if (Services.prefs.prefHasUserValue(ops[i])) { + Services.prefs.clearUserPref(ops[i]); + if (!Services.prefs.prefHasUserValue(ops[i])) { + console.log("reset", ops[i]); + c++; + } else { console.log("failed to reset", ops[i]); } + } + } + + focus(); + + let d = (c==1) ? " pref" : " prefs"; + if (c > 0) { + alert("successfully reset " + c + d + "\n\nfor details check the Browser Console (Ctrl+Shift+J)"); + } else { alert("nothing to reset"); } + +})(); From be64819ce7ed94a5c1604c49a79006d898d6bb06 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Jul 2020 10:58:22 +0000 Subject: [PATCH 097/657] update to ESR78 --- .../ghacks-clear-RFP-alternatives | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 scratchpad-scripts/ghacks-clear-RFP-alternatives diff --git a/scratchpad-scripts/ghacks-clear-RFP-alternatives b/scratchpad-scripts/ghacks-clear-RFP-alternatives new file mode 100644 index 0000000..a2824ad --- /dev/null +++ b/scratchpad-scripts/ghacks-clear-RFP-alternatives @@ -0,0 +1,65 @@ +/*** + Version: up to and including FF/ESR78 + + This will reset the preferences that are under sections 4600 & 4700 in the + ghacks user.js. These are the prefs that are no longer necessary, or they + conflict with, privacy.resistFingerprinting if you have that enabled. + + For instructions see: + https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] +***/ + +(function() { + let ops = [ + /* section 4600 */ + 'dom.maxHardwareConcurrency', + 'dom.enable_resource_timing', + 'dom.enable_performance', + 'device.sensors.enabled', + 'browser.zoom.siteSpecific', + 'dom.gamepad.enabled', + 'dom.netinfo.enabled', + 'media.webspeech.synth.enabled', + 'media.video_stats.enabled', + 'dom.w3c_touch_events.enabled', + 'media.ondevicechange.enabled', + 'webgl.enable-debug-renderer-info', + 'dom.w3c_pointer_events.enabled', + 'ui.use_standins_for_native_colors', + 'ui.systemUsesDarkTheme', + 'ui.prefersReducedMotion' + /* section 4700 */ + 'general.useragent.override', + 'general.buildID.override', + 'general.appname.override', + 'general.appversion.override', + 'general.platform.override', + 'general.oscpu.override', + /* reset parrot: check your open about:config after running the script */ + '_user.js.parrot' + ] + + if("undefined" === typeof(Services)) { + alert("about:config needs to be the active tab!"); + return; + } + + let c = 0; + for (let i = 0, len = ops.length; i < len; i++) { + if (Services.prefs.prefHasUserValue(ops[i])) { + Services.prefs.clearUserPref(ops[i]); + if (!Services.prefs.prefHasUserValue(ops[i])) { + console.log("reset", ops[i]); + c++; + } else { console.log("failed to reset", ops[i]); } + } + } + + focus(); + + let d = (c==1) ? " pref" : " prefs"; + if (c > 0) { + alert("successfully reset " + c + d + "\n\nfor details check the Browser Console (Ctrl+Shift+J)"); + } else { alert("nothing to reset"); } + +})(); From 52926cca7a14d49bb94a366ae5ea8843bcd1efd1 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Jul 2020 10:59:19 +0000 Subject: [PATCH 098/657] Delete ghacks-clear-[removed].js --- scratchpad-scripts/ghacks-clear-[removed].js | 251 ------------------- 1 file changed, 251 deletions(-) delete mode 100644 scratchpad-scripts/ghacks-clear-[removed].js diff --git a/scratchpad-scripts/ghacks-clear-[removed].js b/scratchpad-scripts/ghacks-clear-[removed].js deleted file mode 100644 index fbde545..0000000 --- a/scratchpad-scripts/ghacks-clear-[removed].js +++ /dev/null @@ -1,251 +0,0 @@ -/*** - This will reset the preferences that have been removed completely from the ghacks user.js. - - Last updated: 12-April-2020 - - For instructions see: - https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] -***/ - -(function() { - let ops = [ - /* removed in ghacks user.js v52-57 */ - /* 52-alpha */ - 'browser.search.reset.enabled', - 'browser.search.reset.whitelist', - /* 54-alpha */ - 'browser.migrate.automigrate.enabled', - 'services.sync.enabled', - 'webextensions.storage.sync.enabled', - 'webextensions.storage.sync.serverURL', - /* 55-alpha */ - 'dom.keyboardevent.dispatch_during_composition', // default is false anyway - 'dom.vr.oculus.enabled', // covered by dom.vr.enabled - 'dom.vr.openvr.enabled', // ditto - 'dom.vr.osvr.enabled', // ditto - 'extensions.pocket.api', // covered by extensions.pocket.enabled - 'extensions.pocket.oAuthConsumerKey', // ditto - 'extensions.pocket.site', // ditto - /* 56-alpha: none */ - /* 57-alpha */ - 'geo.wifi.xhr.timeout', // covered by geo.enabled - 'browser.search.geoip.timeout', // ditto - 'media.webspeech.recognition.enable', // default is false anyway - 'gfx.layerscope.enabled', // default is false anyway - /* 58-alpha */ - // excluding these e10 settings - // 'browser.tabs.remote.autostart', - // 'browser.tabs.remote.autostart.2', - // 'browser.tabs.remote.force-enable', - // 'browser.tabs.remote.separateFileUriProcess', - // 'extensions.e10sBlocksEnabling', - // 'extensions.webextensions.remote', - // 'dom.ipc.processCount', - // 'dom.ipc.shims.enabledWarnings', - // 'dom.ipc.processCount.extension', - // 'dom.ipc.processCount.file', - // 'security.sandbox.content.level', - // 'dom.ipc.plugins.sandbox-level.default', - // 'dom.ipc.plugins.sandbox-level.flash', - // 'security.sandbox.logging.enabled', - 'dom.presentation.controller.enabled', - 'dom.presentation.discoverable', - 'dom.presentation.discovery.enabled', - 'dom.presentation.enabled', - 'dom.presentation.receiver.enabled', - 'dom.presentation.session_transport.data_channel.enable', - /* 59-alpha */ - 'browser.stopReloadAnimation.enabled', - 'browser.tabs.insertRelatedAfterCurrent', - 'browser.tabs.loadDivertedInBackground', - 'browser.tabs.loadInBackground', - 'browser.tabs.selectOwnerOnClose', - 'browser.urlbar.clickSelectsAll', - 'browser.urlbar.doubleClickSelectsAll', - 'media.flac.enabled', - 'media.mediasource.enabled', - 'media.mediasource.mp4.enabled', - 'media.mediasource.webm.audio.enabled', - 'media.mediasource.webm.enabled', - 'media.mp4.enabled', - 'media.ogg.enabled', - 'media.ogg.flac.enabled', - 'media.opus.enabled', - 'media.raw.enabled', - 'media.wave.enabled', - 'media.webm.enabled', - 'media.wmf.amd.vp9.enabled', - 'media.wmf.enabled', - 'media.wmf.vp9.enabled', - 'ui.submenuDelay', - /* 60-beta - these were all at default anyway */ - 'device.storage.enabled', - 'general.useragent.compatMode.firefox', - 'network.dns.blockDotOnion', - 'network.stricttransportsecurity.preloadlist', - 'security.block_script_with_wrong_mime', - 'security.fileuri.strict_origin_policy', - 'security.sri.enable', - /* 61-beta */ - 'browser.laterrun.enabled', - 'browser.offline-apps.notify', - 'browser.rights.3.shown', - 'browser.slowStartup.maxSamples', - 'browser.slowStartup.notificationDisabled', - 'browser.slowStartup.samples', - 'browser.storageManager.enabled', - 'dom.allow_scripts_to_close_windows', - 'dom.disable_window_flip', - 'network.http.fast-fallback-to-IPv4', - 'offline-apps.quota.warn', - 'services.blocklist.signing.enforced', - /* 62-beta */ - 'browser.urlbar.autoFill.typed', - 'security.tls.version.fallback-limit', - /* 63-beta */ - 'extensions.webextensions.keepStorageOnUninstall', - 'extensions.webextensions.keepUuidOnUninstall', - 'privacy.trackingprotection.ui.enabled', - /* 64-beta */ - 'browser.eme.ui.enabled', - 'browser.sessionstore.max_windows_undo', - 'network.auth.subresource-img-cross-origin-http-auth-allow', - 'media.peerconnection.ice.tcp', - 'media.peerconnection.identity.enabled', - 'media.peerconnection.identity.timeout', - 'media.peerconnection.turn.disable', - 'media.peerconnection.use_document_iceservers', - 'media.peerconnection.video.enabled', - 'media.navigator.video.enabled', - /* 65-beta */ - 'browser.contentblocking.enabled', - 'browser.urlbar.maxHistoricalSearchSuggestions', - /* 67-beta */ - 'app.update.service.enabled', - 'app.update.silent', - 'app.update.staging.enabled', - 'browser.cache.disk.capacity', - 'browser.cache.disk.smart_size.enabled', - 'browser.cache.disk.smart_size.first_run', - 'browser.cache.offline.insecure.enable', - 'browser.safebrowsing.downloads.remote.url', - 'browser.safebrowsing.provider.google.reportMalwareMistakeURL', - 'browser.safebrowsing.provider.google.reportPhishMistakeURL', - 'browser.safebrowsing.provider.google.reportURL', - 'browser.safebrowsing.provider.google4.dataSharing.enabled', - 'browser.safebrowsing.provider.google4.dataSharingURL', - 'browser.safebrowsing.provider.google4.reportMalwareMistakeURL', - 'browser.safebrowsing.provider.google4.reportPhishMistakeURL', - 'browser.safebrowsing.provider.google4.reportURL', - 'browser.safebrowsing.reportPhishURL', - 'browser.sessionhistory.max_total_viewers', - 'browser.urlbar.filter.javascript', - 'canvas.capturestream.enabled', - 'dom.imagecapture.enabled', - 'dom.popup_maximum', - 'gfx.offscreencanvas.enabled', - 'javascript.options.shared_memory', - 'media.gmp-gmpopenh264.autoupdate', - 'media.gmp-gmpopenh264.enabled', - 'media.gmp-manager.updateEnabled', - 'media.gmp-manager.url', - 'media.gmp-manager.url.override', - 'media.gmp.trial-create.enabled', - 'media.gmp-widevinecdm.autoupdate', - 'network.cookie.leave-secure-alone', - 'network.cookie.same-site.enabled', - 'network.dnsCacheEntries', - 'network.dnsCacheExpiration', - 'network.proxy.autoconfig_url.include_path', - 'pdfjs.enableWebGL', - 'plugin.default.state', - 'plugin.defaultXpi.state', - 'plugin.scan.plid.all', - 'security.data_uri.block_toplevel_data_uri_navigations', - 'security.insecure_field_warning.contextual.enabled', - 'security.insecure_password.ui.enabled', - 'signon.autofillForms.http', - 'signon.storeWhenAutocompleteOff', - 'xpinstall.whitelist.required', - /* 67-beta: Blocklist, SB & TP cleanup: these were all inactive */ - 'browser.safebrowsing.downloads.remote.block_dangerous', - 'browser.safebrowsing.downloads.remote.block_dangerous_host', - 'browser.safebrowsing.blockedURIs.enabled', - 'browser.safebrowsing.provider.google.gethashURL', - 'browser.safebrowsing.provider.google.updateURL', - 'browser.safebrowsing.provider.google4.gethashURL', - 'browser.safebrowsing.provider.google4.updateURL', - 'browser.safebrowsing.provider.mozilla.gethashURL', - 'browser.safebrowsing.provider.mozilla.updateURL', - 'browser.urlbar.userMadeSearchSuggestionsChoice', - 'privacy.trackingprotection.annotate_channels', - 'privacy.trackingprotection.enabled', - 'privacy.trackingprotection.lower_network_priority', - 'privacy.trackingprotection.pbmode.enabled', - 'services.blocklist.addons.collection', - 'services.blocklist.gfx.collection', - 'services.blocklist.onecrl.collection', - 'services.blocklist.plugins.collection', - 'services.blocklist.update_enabled', - 'urlclassifier.trackingTable', - /* 68-beta */ - 'dom.forms.datetime', - 'font.blacklist.underline_offset', - 'font.name.monospace.x-unicode', - 'font.name.monospace.x-western', - 'font.name.sans-serif.x-unicode', - 'font.name.sans-serif.x-western', - 'font.name.serif.x-unicode', - 'font.name.serif.x-western', - 'layout.css.font-loading-api.enabled', - 'toolkit.telemetry.cachedClientID', - /* 69-beta */ - 'plugin.sessionPermissionNow.intervalInMinutes', - /* 70-beta */ - 'browser.cache.disk_cache_ssl', - 'browser.sessionhistory.max_entries', - 'dom.push.connection.enabled', - 'dom.push.serverURL', - 'extensions.getAddons.discovery.api_url', - 'extensions.htmlaboutaddons.discover.enabled', - 'extensions.webservice.discoverURL', - 'intl.locale.requested', - 'intl.regional_prefs.use_os_locales', - 'privacy.usercontext.about_newtab_segregation.enabled', - 'security.insecure_connection_icon.pbmode.enabled', - 'security.insecure_connection_text.pbmode.enabled', - 'webgl.dxgl.enabled', - /* 71-beta */ - 'media.block-autoplay-until-in-foreground', - 'middlemouse.paste', - /* 75-beta */ - 'browser.search.geoip.url', - 'browser.search.region', - /* reset parrot: check your open about:config after running the script */ - '_user.js.parrot' - ] - - if("undefined" === typeof(Services)) { - alert("about:config needs to be the active tab!"); - return; - } - - let c = 0; - for (let i = 0, len = ops.length; i < len; i++) { - if (Services.prefs.prefHasUserValue(ops[i])) { - Services.prefs.clearUserPref(ops[i]); - if (!Services.prefs.prefHasUserValue(ops[i])) { - console.log("reset", ops[i]); - c++; - } else { console.log("failed to reset", ops[i]); } - } - } - - focus(); - - let d = (c==1) ? " pref" : " prefs"; - if (c > 0) { - alert("successfully reset " + c + d + "\n\nfor details check the Browser Console (Ctrl+Shift+J)"); - } else { alert("nothing to reset"); } - -})(); From 10cc1224d0f951b165185abce1468a2db1fcb67b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Jul 2020 11:00:23 +0000 Subject: [PATCH 099/657] Create ghacks-clear-removed.js --- scratchpad-scripts/ghacks-clear-removed.js | 251 +++++++++++++++++++++ 1 file changed, 251 insertions(+) create mode 100644 scratchpad-scripts/ghacks-clear-removed.js diff --git a/scratchpad-scripts/ghacks-clear-removed.js b/scratchpad-scripts/ghacks-clear-removed.js new file mode 100644 index 0000000..00b6d6b --- /dev/null +++ b/scratchpad-scripts/ghacks-clear-removed.js @@ -0,0 +1,251 @@ +/*** + This will reset the preferences that have been removed completely from the ghacks user.js. + + Last updated: 21-April-2020 + + For instructions see: + https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] +***/ + +(function() { + let ops = [ + /* removed in ghacks user.js v52-57 */ + /* 52-alpha */ + 'browser.search.reset.enabled', + 'browser.search.reset.whitelist', + /* 54-alpha */ + 'browser.migrate.automigrate.enabled', + 'services.sync.enabled', + 'webextensions.storage.sync.enabled', + 'webextensions.storage.sync.serverURL', + /* 55-alpha */ + 'dom.keyboardevent.dispatch_during_composition', // default is false anyway + 'dom.vr.oculus.enabled', // covered by dom.vr.enabled + 'dom.vr.openvr.enabled', // ditto + 'dom.vr.osvr.enabled', // ditto + 'extensions.pocket.api', // covered by extensions.pocket.enabled + 'extensions.pocket.oAuthConsumerKey', // ditto + 'extensions.pocket.site', // ditto + /* 56-alpha: none */ + /* 57-alpha */ + 'geo.wifi.xhr.timeout', // covered by geo.enabled + 'browser.search.geoip.timeout', // ditto + 'media.webspeech.recognition.enable', // default is false anyway + 'gfx.layerscope.enabled', // default is false anyway + /* 58-alpha */ + // excluding these e10 settings + // 'browser.tabs.remote.autostart', + // 'browser.tabs.remote.autostart.2', + // 'browser.tabs.remote.force-enable', + // 'browser.tabs.remote.separateFileUriProcess', + // 'extensions.e10sBlocksEnabling', + // 'extensions.webextensions.remote', + // 'dom.ipc.processCount', + // 'dom.ipc.shims.enabledWarnings', + // 'dom.ipc.processCount.extension', + // 'dom.ipc.processCount.file', + // 'security.sandbox.content.level', + // 'dom.ipc.plugins.sandbox-level.default', + // 'dom.ipc.plugins.sandbox-level.flash', + // 'security.sandbox.logging.enabled', + 'dom.presentation.controller.enabled', + 'dom.presentation.discoverable', + 'dom.presentation.discovery.enabled', + 'dom.presentation.enabled', + 'dom.presentation.receiver.enabled', + 'dom.presentation.session_transport.data_channel.enable', + /* 59-alpha */ + 'browser.stopReloadAnimation.enabled', + 'browser.tabs.insertRelatedAfterCurrent', + 'browser.tabs.loadDivertedInBackground', + 'browser.tabs.loadInBackground', + 'browser.tabs.selectOwnerOnClose', + 'browser.urlbar.clickSelectsAll', + 'browser.urlbar.doubleClickSelectsAll', + 'media.flac.enabled', + 'media.mediasource.enabled', + 'media.mediasource.mp4.enabled', + 'media.mediasource.webm.audio.enabled', + 'media.mediasource.webm.enabled', + 'media.mp4.enabled', + 'media.ogg.enabled', + 'media.ogg.flac.enabled', + 'media.opus.enabled', + 'media.raw.enabled', + 'media.wave.enabled', + 'media.webm.enabled', + 'media.wmf.amd.vp9.enabled', + 'media.wmf.enabled', + 'media.wmf.vp9.enabled', + 'ui.submenuDelay', + /* 60-beta - these were all at default anyway */ + 'device.storage.enabled', + 'general.useragent.compatMode.firefox', + 'network.dns.blockDotOnion', + 'network.stricttransportsecurity.preloadlist', + 'security.block_script_with_wrong_mime', + 'security.fileuri.strict_origin_policy', + 'security.sri.enable', + /* 61-beta */ + 'browser.laterrun.enabled', + 'browser.offline-apps.notify', + 'browser.rights.3.shown', + 'browser.slowStartup.maxSamples', + 'browser.slowStartup.notificationDisabled', + 'browser.slowStartup.samples', + 'browser.storageManager.enabled', + 'dom.allow_scripts_to_close_windows', + 'dom.disable_window_flip', + 'network.http.fast-fallback-to-IPv4', + 'offline-apps.quota.warn', + 'services.blocklist.signing.enforced', + /* 62-beta */ + 'browser.urlbar.autoFill.typed', + 'security.tls.version.fallback-limit', + /* 63-beta */ + 'extensions.webextensions.keepStorageOnUninstall', + 'extensions.webextensions.keepUuidOnUninstall', + 'privacy.trackingprotection.ui.enabled', + /* 64-beta */ + 'browser.eme.ui.enabled', + 'browser.sessionstore.max_windows_undo', + 'network.auth.subresource-img-cross-origin-http-auth-allow', + 'media.peerconnection.ice.tcp', + 'media.peerconnection.identity.enabled', + 'media.peerconnection.identity.timeout', + 'media.peerconnection.turn.disable', + 'media.peerconnection.use_document_iceservers', + 'media.peerconnection.video.enabled', + 'media.navigator.video.enabled', + /* 65-beta */ + 'browser.contentblocking.enabled', + 'browser.urlbar.maxHistoricalSearchSuggestions', + /* 67-beta */ + 'app.update.service.enabled', + 'app.update.silent', + 'app.update.staging.enabled', + 'browser.cache.disk.capacity', + 'browser.cache.disk.smart_size.enabled', + 'browser.cache.disk.smart_size.first_run', + 'browser.cache.offline.insecure.enable', + 'browser.safebrowsing.downloads.remote.url', + 'browser.safebrowsing.provider.google.reportMalwareMistakeURL', + 'browser.safebrowsing.provider.google.reportPhishMistakeURL', + 'browser.safebrowsing.provider.google.reportURL', + 'browser.safebrowsing.provider.google4.dataSharing.enabled', + 'browser.safebrowsing.provider.google4.dataSharingURL', + 'browser.safebrowsing.provider.google4.reportMalwareMistakeURL', + 'browser.safebrowsing.provider.google4.reportPhishMistakeURL', + 'browser.safebrowsing.provider.google4.reportURL', + 'browser.safebrowsing.reportPhishURL', + 'browser.sessionhistory.max_total_viewers', + 'browser.urlbar.filter.javascript', + 'canvas.capturestream.enabled', + 'dom.imagecapture.enabled', + 'dom.popup_maximum', + 'gfx.offscreencanvas.enabled', + 'javascript.options.shared_memory', + 'media.gmp-gmpopenh264.autoupdate', + 'media.gmp-gmpopenh264.enabled', + 'media.gmp-manager.updateEnabled', + 'media.gmp-manager.url', + 'media.gmp-manager.url.override', + 'media.gmp.trial-create.enabled', + 'media.gmp-widevinecdm.autoupdate', + 'network.cookie.leave-secure-alone', + 'network.cookie.same-site.enabled', + 'network.dnsCacheEntries', + 'network.dnsCacheExpiration', + 'network.proxy.autoconfig_url.include_path', + 'pdfjs.enableWebGL', + 'plugin.default.state', + 'plugin.defaultXpi.state', + 'plugin.scan.plid.all', + 'security.data_uri.block_toplevel_data_uri_navigations', + 'security.insecure_field_warning.contextual.enabled', + 'security.insecure_password.ui.enabled', + 'signon.autofillForms.http', + 'signon.storeWhenAutocompleteOff', + 'xpinstall.whitelist.required', + /* 67-beta: Blocklist, SB & TP cleanup: these were all inactive */ + 'browser.safebrowsing.downloads.remote.block_dangerous', + 'browser.safebrowsing.downloads.remote.block_dangerous_host', + 'browser.safebrowsing.blockedURIs.enabled', + 'browser.safebrowsing.provider.google.gethashURL', + 'browser.safebrowsing.provider.google.updateURL', + 'browser.safebrowsing.provider.google4.gethashURL', + 'browser.safebrowsing.provider.google4.updateURL', + 'browser.safebrowsing.provider.mozilla.gethashURL', + 'browser.safebrowsing.provider.mozilla.updateURL', + 'browser.urlbar.userMadeSearchSuggestionsChoice', + 'privacy.trackingprotection.annotate_channels', + 'privacy.trackingprotection.enabled', + 'privacy.trackingprotection.lower_network_priority', + 'privacy.trackingprotection.pbmode.enabled', + 'services.blocklist.addons.collection', + 'services.blocklist.gfx.collection', + 'services.blocklist.onecrl.collection', + 'services.blocklist.plugins.collection', + 'services.blocklist.update_enabled', + 'urlclassifier.trackingTable', + /* 68-beta */ + 'dom.forms.datetime', + 'font.blacklist.underline_offset', + 'font.name.monospace.x-unicode', + 'font.name.monospace.x-western', + 'font.name.sans-serif.x-unicode', + 'font.name.sans-serif.x-western', + 'font.name.serif.x-unicode', + 'font.name.serif.x-western', + 'layout.css.font-loading-api.enabled', + 'toolkit.telemetry.cachedClientID', + /* 69-beta */ + 'plugin.sessionPermissionNow.intervalInMinutes', + /* 70-beta */ + 'browser.cache.disk_cache_ssl', + 'browser.sessionhistory.max_entries', + 'dom.push.connection.enabled', + 'dom.push.serverURL', + 'extensions.getAddons.discovery.api_url', + 'extensions.htmlaboutaddons.discover.enabled', + 'extensions.webservice.discoverURL', + 'intl.locale.requested', + 'intl.regional_prefs.use_os_locales', + 'privacy.usercontext.about_newtab_segregation.enabled', + 'security.insecure_connection_icon.pbmode.enabled', + 'security.insecure_connection_text.pbmode.enabled', + 'webgl.dxgl.enabled', + /* 71-beta */ + 'media.block-autoplay-until-in-foreground', + 'middlemouse.paste', + /* 75-beta */ + 'browser.search.geoip.url', + 'browser.search.region', + /* reset parrot: check your open about:config after running the script */ + '_user.js.parrot' + ] + + if("undefined" === typeof(Services)) { + alert("about:config needs to be the active tab!"); + return; + } + + let c = 0; + for (let i = 0, len = ops.length; i < len; i++) { + if (Services.prefs.prefHasUserValue(ops[i])) { + Services.prefs.clearUserPref(ops[i]); + if (!Services.prefs.prefHasUserValue(ops[i])) { + console.log("reset", ops[i]); + c++; + } else { console.log("failed to reset", ops[i]); } + } + } + + focus(); + + let d = (c==1) ? " pref" : " prefs"; + if (c > 0) { + alert("successfully reset " + c + d + "\n\nfor details check the Browser Console (Ctrl+Shift+J)"); + } else { alert("nothing to reset"); } + +})(); From f8fd03482de41d0cad9fcce7530a282185b836aa Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Jul 2020 11:19:49 +0000 Subject: [PATCH 100/657] 79 deprecated --- user.js | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/user.js b/user.js index 9a5cdd9..94c8a05 100644 --- a/user.js +++ b/user.js @@ -175,13 +175,6 @@ user_pref("intl.accept_languages", "en-US, en"); * [1] https://bugzilla.mozilla.org/867501 * [2] https://bugzilla.mozilla.org/1629630 ***/ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] -/* 0212: enforce fallback text encoding to match en-US - * When the content or server doesn't declare a charset the browser will - * fallback to the "Current locale" based on your application language - * [SETTING] General>Language and Appearance>Fonts and Colors>Advanced>Text Encoding for Legacy Content (FF72-) - * [TEST] https://hsivonen.com/test/moz/check-charset.htm - * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025 ***/ -user_pref("intl.charset.fallback.override", "windows-1252"); /*** [SECTION 0300]: QUIET FOX Starting in user.js v67, we only disable the auto-INSTALL of Firefox. You still get prompts @@ -485,9 +478,6 @@ user_pref("layout.css.visited_links_enabled", false); * [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/ user_pref("browser.search.suggest.enabled", false); user_pref("browser.urlbar.suggest.searches", false); -/* 0809: disable location bar suggesting "preloaded" top websites [FF54+] - * [1] https://bugzilla.mozilla.org/1211726 ***/ -user_pref("browser.urlbar.usepreloadedtopurls.enabled", false); /* 0810: disable location bar making speculative connections [FF56+] * [1] https://bugzilla.mozilla.org/1348275 ***/ user_pref("browser.urlbar.speculativeConnect.enabled", false); @@ -1685,6 +1675,24 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/123 ***/ user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); +/* ESR78.x still uses all the following prefs +// [NOTE] replace the * with a slash in the line above to re-enable them +// FF79 +// 0212: enforce fallback text encoding to match en-US + // When the content or server doesn't declare a charset the browser will + // fallback to the "Current locale" based on your application language + // [SETTING] General>Language and Appearance>Fonts and Colors>Advanced>Text Encoding for Legacy Content (FF72-) + // [TEST] https://hsivonen.com/test/moz/check-charset.htm + // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025 + // [-] https://bugzilla.mozilla.org/1603712 +user_pref("intl.charset.fallback.override", "windows-1252"); +// 0809: disable location bar suggesting "preloaded" top websites [FF54+] + // [1] https://bugzilla.mozilla.org/1211726 + // [-] https://bugzilla.mozilla.org/1643639 +user_pref("browser.urlbar.usepreloadedtopurls.enabled", false); +// * * * / +// ***/ + /* ESR68.x still uses all the following prefs // [NOTE] replace the * with a slash in the line above to re-enable them // FF69 From 771e57480a1ab6cedfe2fda9330482cce3a75bdf Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Jul 2020 12:21:10 +0000 Subject: [PATCH 101/657] Delete ghacks-clear-RFP-alternatives --- .../ghacks-clear-RFP-alternatives | 65 ------------------- 1 file changed, 65 deletions(-) delete mode 100644 scratchpad-scripts/ghacks-clear-RFP-alternatives diff --git a/scratchpad-scripts/ghacks-clear-RFP-alternatives b/scratchpad-scripts/ghacks-clear-RFP-alternatives deleted file mode 100644 index a2824ad..0000000 --- a/scratchpad-scripts/ghacks-clear-RFP-alternatives +++ /dev/null @@ -1,65 +0,0 @@ -/*** - Version: up to and including FF/ESR78 - - This will reset the preferences that are under sections 4600 & 4700 in the - ghacks user.js. These are the prefs that are no longer necessary, or they - conflict with, privacy.resistFingerprinting if you have that enabled. - - For instructions see: - https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] -***/ - -(function() { - let ops = [ - /* section 4600 */ - 'dom.maxHardwareConcurrency', - 'dom.enable_resource_timing', - 'dom.enable_performance', - 'device.sensors.enabled', - 'browser.zoom.siteSpecific', - 'dom.gamepad.enabled', - 'dom.netinfo.enabled', - 'media.webspeech.synth.enabled', - 'media.video_stats.enabled', - 'dom.w3c_touch_events.enabled', - 'media.ondevicechange.enabled', - 'webgl.enable-debug-renderer-info', - 'dom.w3c_pointer_events.enabled', - 'ui.use_standins_for_native_colors', - 'ui.systemUsesDarkTheme', - 'ui.prefersReducedMotion' - /* section 4700 */ - 'general.useragent.override', - 'general.buildID.override', - 'general.appname.override', - 'general.appversion.override', - 'general.platform.override', - 'general.oscpu.override', - /* reset parrot: check your open about:config after running the script */ - '_user.js.parrot' - ] - - if("undefined" === typeof(Services)) { - alert("about:config needs to be the active tab!"); - return; - } - - let c = 0; - for (let i = 0, len = ops.length; i < len; i++) { - if (Services.prefs.prefHasUserValue(ops[i])) { - Services.prefs.clearUserPref(ops[i]); - if (!Services.prefs.prefHasUserValue(ops[i])) { - console.log("reset", ops[i]); - c++; - } else { console.log("failed to reset", ops[i]); } - } - } - - focus(); - - let d = (c==1) ? " pref" : " prefs"; - if (c > 0) { - alert("successfully reset " + c + d + "\n\nfor details check the Browser Console (Ctrl+Shift+J)"); - } else { alert("nothing to reset"); } - -})(); From 0d27689c64c6a83b74dc34cd354bf3e349fb43c6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Jul 2020 12:22:20 +0000 Subject: [PATCH 102/657] update to ESR78 and this time add the file extension --- .../ghacks-clear-RFP-alternatives.js | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 scratchpad-scripts/ghacks-clear-RFP-alternatives.js diff --git a/scratchpad-scripts/ghacks-clear-RFP-alternatives.js b/scratchpad-scripts/ghacks-clear-RFP-alternatives.js new file mode 100644 index 0000000..a2824ad --- /dev/null +++ b/scratchpad-scripts/ghacks-clear-RFP-alternatives.js @@ -0,0 +1,65 @@ +/*** + Version: up to and including FF/ESR78 + + This will reset the preferences that are under sections 4600 & 4700 in the + ghacks user.js. These are the prefs that are no longer necessary, or they + conflict with, privacy.resistFingerprinting if you have that enabled. + + For instructions see: + https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] +***/ + +(function() { + let ops = [ + /* section 4600 */ + 'dom.maxHardwareConcurrency', + 'dom.enable_resource_timing', + 'dom.enable_performance', + 'device.sensors.enabled', + 'browser.zoom.siteSpecific', + 'dom.gamepad.enabled', + 'dom.netinfo.enabled', + 'media.webspeech.synth.enabled', + 'media.video_stats.enabled', + 'dom.w3c_touch_events.enabled', + 'media.ondevicechange.enabled', + 'webgl.enable-debug-renderer-info', + 'dom.w3c_pointer_events.enabled', + 'ui.use_standins_for_native_colors', + 'ui.systemUsesDarkTheme', + 'ui.prefersReducedMotion' + /* section 4700 */ + 'general.useragent.override', + 'general.buildID.override', + 'general.appname.override', + 'general.appversion.override', + 'general.platform.override', + 'general.oscpu.override', + /* reset parrot: check your open about:config after running the script */ + '_user.js.parrot' + ] + + if("undefined" === typeof(Services)) { + alert("about:config needs to be the active tab!"); + return; + } + + let c = 0; + for (let i = 0, len = ops.length; i < len; i++) { + if (Services.prefs.prefHasUserValue(ops[i])) { + Services.prefs.clearUserPref(ops[i]); + if (!Services.prefs.prefHasUserValue(ops[i])) { + console.log("reset", ops[i]); + c++; + } else { console.log("failed to reset", ops[i]); } + } + } + + focus(); + + let d = (c==1) ? " pref" : " prefs"; + if (c > 0) { + alert("successfully reset " + c + d + "\n\nfor details check the Browser Console (Ctrl+Shift+J)"); + } else { alert("nothing to reset"); } + +})(); From c4a06c4689c168c8008f72c4a2ecdcbe4da3c23e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Jul 2020 12:23:14 +0000 Subject: [PATCH 103/657] missing comma --- scratchpad-scripts/ghacks-clear-RFP-alternatives.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scratchpad-scripts/ghacks-clear-RFP-alternatives.js b/scratchpad-scripts/ghacks-clear-RFP-alternatives.js index a2824ad..1dfc5f7 100644 --- a/scratchpad-scripts/ghacks-clear-RFP-alternatives.js +++ b/scratchpad-scripts/ghacks-clear-RFP-alternatives.js @@ -27,7 +27,7 @@ 'dom.w3c_pointer_events.enabled', 'ui.use_standins_for_native_colors', 'ui.systemUsesDarkTheme', - 'ui.prefersReducedMotion' + 'ui.prefersReducedMotion', /* section 4700 */ 'general.useragent.override', 'general.buildID.override', From 117ab133b16b9bf91088830f5ed807c393cfdc7d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 29 Jul 2020 02:19:20 +0000 Subject: [PATCH 104/657] remove 0809 not deprecated, just hidden: default is false anyway --- user.js | 4 ---- 1 file changed, 4 deletions(-) diff --git a/user.js b/user.js index 94c8a05..b1bd380 100644 --- a/user.js +++ b/user.js @@ -1686,10 +1686,6 @@ user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025 // [-] https://bugzilla.mozilla.org/1603712 user_pref("intl.charset.fallback.override", "windows-1252"); -// 0809: disable location bar suggesting "preloaded" top websites [FF54+] - // [1] https://bugzilla.mozilla.org/1211726 - // [-] https://bugzilla.mozilla.org/1643639 -user_pref("browser.urlbar.usepreloadedtopurls.enabled", false); // * * * / // ***/ From 091a71aade5654db4208ae3c89750cdbb5666cab Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 29 Jul 2020 02:22:09 +0000 Subject: [PATCH 105/657] browser.urlbar.usepreloadedtopurls.enabled --- scratchpad-scripts/ghacks-clear-removed.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/ghacks-clear-removed.js b/scratchpad-scripts/ghacks-clear-removed.js index 00b6d6b..dfb63c4 100644 --- a/scratchpad-scripts/ghacks-clear-removed.js +++ b/scratchpad-scripts/ghacks-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the ghacks user.js. - Last updated: 21-April-2020 + Last updated: 28-July-2020 For instructions see: https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -221,6 +221,8 @@ /* 75-beta */ 'browser.search.geoip.url', 'browser.search.region', + /* 79-beta */ + 'browser.urlbar.usepreloadedtopurls.enabled', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] From 2809854802b3756c26aa089987761f1bbd3f34ce Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 1 Aug 2020 11:03:17 +0000 Subject: [PATCH 106/657] font visibility / RFP (#985) --- user.js | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index b1bd380..f486017 100644 --- a/user.js +++ b/user.js @@ -804,7 +804,8 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); * [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/ user_pref("gfx.font_rendering.graphite.enabled", false); /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] - * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed. + * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed + * [NOTE] RFP in FF80+ restricts the whitelist to bundled and "Base Fonts" (see 4618) * [WARNING] Creating your own probably highly-unique whitelist will raise your entropy. * Eventually privacy.resistFingerprinting (see 4500) will cover this * [1] https://bugzilla.mozilla.org/1121643 ***/ @@ -911,7 +912,7 @@ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!"); * [1] https://www.privacytools.io/#webrtc ***/ user_pref("media.peerconnection.enabled", false); /* 2002: limit WebRTC IP leaks if using WebRTC - * In FF70+ these settings match Mode 4 (Mode 3 in older versions) (see [3]) + * In FF70+ these settings match Mode 4 (Mode 3 in older versions), see [3] * [TEST] https://browserleaks.com/webrtc * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713 * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy @@ -1092,7 +1093,7 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m * Initially a Linux issue (high precision readout) that was fixed. * However, it is still another metric for fingerprinting, used to raise entropy. * e.g. do you have a battery or not, current charging status, charge level, times remaining etc - * [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code. see [1] + * [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code, see [1] * [1] https://bugzilla.mozilla.org/1313580 ***/ // user_pref("dom.battery.enabled", false); /* 2505: disable media device enumeration [FF29+] @@ -1387,7 +1388,7 @@ user_pref("privacy.firstparty.isolate", true); /* 4002: enforce FPI restriction for window.opener [FF54+] * [NOTE] Setting this to false may reduce the breakage in 4001 * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But - * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute. (see [2],[3]) + * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute, see [2],[3] * The 2nd pref removes that limitation and will only allow communication if FPDs also match. * [1] https://bugzilla.mozilla.org/1319773#c22 * [2] https://bugzilla.mozilla.org/1492607 @@ -1461,6 +1462,7 @@ user_pref("privacy.firstparty.isolate", true); ** 1595823 - spoof audioContext sampleRate (FF72+) ** 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) ** 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) + ** 1653987 - limit font visibility to bundled and "Base Fonts" (see 4618) (non-ANDROID) (FF80+) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] @@ -1596,6 +1598,12 @@ user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] // 4617: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] // 0=no-preference, 1=reduce user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] +// 4618: limit font visbility (non-ANDROID) [FF79+] + // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts, see [1] + // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts + // [NOTE] Bundled fonts are auto-allowed + // [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc +user_pref("layout.css.font-visibility.level", 1); // * * * / // ***/ From 58fb1db8380d641f43fa90308c36cd15fea0bb31 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 2 Aug 2020 01:27:30 +0000 Subject: [PATCH 107/657] HTTPS-Only Mode UI --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index f486017..e543b20 100644 --- a/user.js +++ b/user.js @@ -734,6 +734,7 @@ user_pref("security.mixed_content.block_display_content", true); user_pref("security.mixed_content.block_object_subrequest", true); /* 1244: enable https-only-mode [FF76+] * [NOTE] This is experimental + * [SETTING] Privacy & Security>HTTPS-Only Mode (FF81+) * [1] https://bugzilla.mozilla.org/1613063 */ // user_pref("dom.security.https_only_mode", true); // [FF76+] // user_pref("dom.security.https_only_mode.upgrade_local", true); // [FF77+] From c4b7e076911e8f674ccdeaa9e3747340baf39c87 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 2 Aug 2020 01:47:48 +0000 Subject: [PATCH 108/657] 4500: site partitioning --- user.js | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index e543b20..b61dc57 100644 --- a/user.js +++ b/user.js @@ -1362,6 +1362,7 @@ user_pref("privacy.cpd.siteSettings", false); // Site Preferences user_pref("privacy.sanitize.timeSpan", 0); /*** [SECTION 4000]: FPI (FIRST PARTY ISOLATION) + 4001: FPI ** 1278037 - isolate indexedDB (FF51+) ** 1277803 - isolate favicons (FF52+) ** 1264562 - isolate OCSP cache (FF52+) @@ -1380,11 +1381,15 @@ user_pref("privacy.sanitize.timeSpan", 0); ** 1506693 - isolate pdfjs range-based requests (FF68+) ** 1330467 - isolate site permissions (FF69+) ** 1534339 - isolate IPv6 (FF73+) + 4003: NETWORK PARTITON + ** 1647732 - isolate font cache (FF80+) + ** 1649673 - isolate speculative connections (FF80+) ***/ user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out"); /* 4001: enable First Party Isolation [FF51+] * [SETUP-WEB] May break cross-domain logins and site functionality until perfected - * [1] https://bugzilla.mozilla.org/1260931 ***/ + * [1] https://bugzilla.mozilla.org/1260931 + * [2] https://bugzilla.mozilla.org/1299996 [META] ***/ user_pref("privacy.firstparty.isolate", true); /* 4002: enforce FPI restriction for window.opener [FF54+] * [NOTE] Setting this to false may reduce the breakage in 4001 @@ -1396,6 +1401,9 @@ user_pref("privacy.firstparty.isolate", true); * [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/ // user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true] // user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF ESR] +/* 4003: enable site partitioning (FF78+) + * [1] https://bugzilla.mozilla.org/1590107 [META] */ +user_pref("privacy.partition.network_state", true); /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING) This master switch will be used for a wide range of items, many of which will From bc832575d839794ca1c1518f4f1b708ceb91cf40 Mon Sep 17 00:00:00 2001 From: earthlng Date: Mon, 3 Aug 2020 14:52:21 +0000 Subject: [PATCH 109/657] 1003: kibibytes --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index b61dc57..3543b52 100644 --- a/user.js +++ b/user.js @@ -577,7 +577,7 @@ user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is m * [NOTE] We also clear cache on exiting Firefox (see 2803) ***/ user_pref("browser.cache.disk.enable", false); /* 1003: disable memory cache -/* capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kilobytes ***/ + * capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kibibytes ***/ // user_pref("browser.cache.memory.enable", false); // user_pref("browser.cache.memory.capacity", 0); // [HIDDEN PREF ESR] /* 1006: disable permissions manager from writing to disk [RESTART] @@ -585,7 +585,7 @@ user_pref("browser.cache.disk.enable", false); * [1] https://bugzilla.mozilla.org/967812 ***/ // user_pref("permissions.memory_only", true); // [HIDDEN PREF] /* 1007: disable media cache from writing to disk in Private Browsing - * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB */ + * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB ***/ user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+] user_pref("media.memory_cache_max_size", 16384); From 8c2bcc0352fccb23334549db313ee7411d702f78 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 3 Aug 2020 22:50:58 +0000 Subject: [PATCH 110/657] 1007: bump to 64mb, see #941 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 3543b52..b27f4b4 100644 --- a/user.js +++ b/user.js @@ -587,7 +587,7 @@ user_pref("browser.cache.disk.enable", false); /* 1007: disable media cache from writing to disk in Private Browsing * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB ***/ user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+] -user_pref("media.memory_cache_max_size", 16384); +user_pref("media.memory_cache_max_size", 65536); /** SESSIONS & SESSION RESTORE ***/ /* 1020: exclude "Undo Closed Tabs" in Session Restore ***/ From 0f6957bbd448005fbe6078c5abc10d4349f83e4c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 4 Aug 2020 10:18:29 +0000 Subject: [PATCH 111/657] 4600: add missing version section --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index b27f4b4..d284a64 100644 --- a/user.js +++ b/user.js @@ -1607,6 +1607,7 @@ user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] // 4617: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] // 0=no-preference, 1=reduce user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] +// FF80+ // 4618: limit font visbility (non-ANDROID) [FF79+] // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts, see [1] // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts From 8452edb94b88af306b79cc3844f02f79a4cb5637 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 4 Aug 2020 10:25:29 +0000 Subject: [PATCH 112/657] 4600: see #987 --- user.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index d284a64..def62a3 100644 --- a/user.js +++ b/user.js @@ -1590,6 +1590,10 @@ user_pref("media.ondevicechange.enabled", false); // [2] https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info user_pref("webgl.enable-debug-renderer-info", false); // * * * / +// FF63+ +// 4617: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] + // 0=no-preference, 1=reduce +user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] // FF65+ // 4614: [2516] disable PointerEvents // [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent @@ -1604,9 +1608,6 @@ user_pref("ui.use_standins_for_native_colors", true); // 4616: enforce prefers-color-scheme as light [FF67+] // 0=light, 1=dark : This overrides your OS value user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] -// 4617: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] - // 0=no-preference, 1=reduce -user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] // FF80+ // 4618: limit font visbility (non-ANDROID) [FF79+] // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts, see [1] From 172118e61b62b099f33c2ecfab619846ce15dcb6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 5 Aug 2020 01:35:10 +0000 Subject: [PATCH 113/657] RFP+Alts: fixup sequential numbering, see #987 --- user.js | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/user.js b/user.js index def62a3..0bbfeb5 100644 --- a/user.js +++ b/user.js @@ -1460,12 +1460,12 @@ user_pref("privacy.partition.network_state", true); FF60: Fix keydown/keyup events (1438795) ** 1337157 - disable WebGL debug renderer info (see 4613) (FF60+) ** 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+) - ** 1479239 - return "no-preference" with prefers-reduced-motion (see 4617) (FF63+) - ** 1363508 - spoof/suppress Pointer Events (see 4614) (FF64+) + ** 1479239 - return "no-preference" with prefers-reduced-motion (see 4614) (FF63+) + ** 1363508 - spoof/suppress Pointer Events (see 4615) (FF64+) FF65: pointerEvent.pointerid (1492766) - ** 1485266 - disable exposure of system colors to CSS or canvas (see 4615) (FF67+) + ** 1485266 - disable exposure of system colors to CSS or canvas (see 4616) (FF67+) ** 1407366 - enable inner window letterboxing (see 4504) (FF67+) - ** 1494034 - return "light" with prefers-color-scheme (see 4616) (FF67+) + ** 1494034 - return "light" with prefers-color-scheme (see 4617) (FF67+) [1] https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme ** 1564422 - spoof audioContext outputLatency (FF70+) ** 1595823 - spoof audioContext sampleRate (FF72+) @@ -1591,21 +1591,21 @@ user_pref("media.ondevicechange.enabled", false); user_pref("webgl.enable-debug-renderer-info", false); // * * * / // FF63+ -// 4617: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] +// 4614: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] // 0=no-preference, 1=reduce user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] -// FF65+ -// 4614: [2516] disable PointerEvents +// FF64+ +// 4615: [2516] disable PointerEvents // [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent user_pref("dom.w3c_pointer_events.enabled", false); // * * * / // FF67+ -// 4615: [2618] disable exposure of system colors to CSS or canvas [FF44+] +// 4616: [2618] disable exposure of system colors to CSS or canvas [FF44+] // [NOTE] See second listed bug: may cause black on black for elements with undefined colors // [SETUP-CHROME] Might affect CSS in themes and extensions // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876 user_pref("ui.use_standins_for_native_colors", true); -// 4616: enforce prefers-color-scheme as light [FF67+] +// 4617: enforce prefers-color-scheme as light [FF67+] // 0=light, 1=dark : This overrides your OS value user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] // FF80+ From 6905187b3e14b1aea336ffcbfdf4e42126593527 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 13 Aug 2020 04:39:38 +0000 Subject: [PATCH 114/657] 0207/0208: region/search (#989) --- user.js | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/user.js b/user.js index 0bbfeb5..a0146e5 100644 --- a/user.js +++ b/user.js @@ -165,6 +165,13 @@ user_pref("geo.provider.use_gpsd", false); // [LINUX] * i.e. ignore all of Mozilla's various search engines in multiple locales ***/ user_pref("browser.search.geoSpecificDefaults", false); user_pref("browser.search.geoSpecificDefaults.url", ""); +/* 0207: disable region updates + * [1] https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html ***/ +user_pref("browser.region.network.url", ""); // [FF78+] +user_pref("browser.region.update.enabled", false); // [[FF79+] +/* 0208: set search region + * [NOTE] May not be hidden if Firefox has changed your settings due to your region (see 0207) ***/ + // user_pref("browser.search.region", "US"); // [HIDDEN PREF] /** LANGUAGE / LOCALE ***/ /* 0210: set preferred language for displaying web pages From e16ede1cdf4167e8889e6d5ca96a54ccdc8ba826 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 13 Aug 2020 14:44:27 +0000 Subject: [PATCH 115/657] 79-beta --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index a0146e5..8520511 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 22 Jul 2020 -* version 79-alpha +* date: 13 Aug 2020 +* version 79-beta * authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From 5ed3047b7a09b075ef4f516f9b4ae861021499f0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 13 Aug 2020 15:22:38 +0000 Subject: [PATCH 116/657] references cleanup --- user.js | 30 ++++++++++-------------------- 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/user.js b/user.js index 8520511..3cb73ca 100644 --- a/user.js +++ b/user.js @@ -2,7 +2,6 @@ * name: ghacks user.js * date: 13 Aug 2020 * version 79-beta -* authors: v52+ github | v51- www.ghacks.net * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt @@ -347,17 +346,14 @@ user_pref("extensions.systemAddon.update.url", ""); // [FF44+] * Currently blocked by 'datareporting.healthreport.uploadEnabled' (see 0340) ***/ user_pref("browser.ping-centre.telemetry", false); /* 0515: disable Screenshots - * alternatively in FF60+, disable uploading to the Screenshots server - * [1] https://github.com/mozilla-services/screenshots - * [2] https://www.ghacks.net/2017/05/28/firefox-screenshots-integrated-in-firefox-nightly/ ***/ + * alternatively in FF60+, disable uploading to the Screenshots server ***/ // user_pref("extensions.screenshots.disabled", true); // [FF55+] // user_pref("extensions.screenshots.upload-disabled", true); // [FF60+] /* 0517: disable Form Autofill * [NOTE] Stored data is NOT secure (uses a JSON file) * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses (FF74+) - * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill - * [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ ***/ + * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] user_pref("extensions.formautofill.available", "off"); // [FF56+] user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] @@ -372,16 +368,14 @@ user_pref("_user.js.parrot", "0600 syntax error: the parrot's no more!"); * [1] https://developer.mozilla.org/docs/Web/HTTP/Link_prefetching_FAQ ***/ user_pref("network.prefetch-next", false); /* 0602: disable DNS prefetching - * [1] https://www.ghacks.net/2013/04/27/firefox-prefetching-what-you-need-to-know/ - * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/ + * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/ user_pref("network.dns.disablePrefetch", true); user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF ESR] [DEFAULT: true FF70+] /* 0603: disable predictor / prefetching ***/ user_pref("network.predictor.enabled", false); user_pref("network.predictor.enable-prefetch", false); // [FF48+] /* 0605: disable link-mouseover opening connection to linked server - * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests - * [2] https://www.ghacks.net/2015/08/16/block-firefox-from-connecting-to-sites-when-you-hover-over-links/ ***/ + * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/ user_pref("network.http.speculative-parallel-limit", 0); /* 0606: disable "Hyperlink Auditing" (click tracking) and enforce same host in case * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/ @@ -429,7 +423,7 @@ user_pref("network.http.altsvc.oe", false); * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/ user_pref("network.proxy.socks_remote_dns", true); /* 0708: disable FTP [FF60+] - * [1] https://www.ghacks.net/2018/02/20/firefox-60-with-new-preference-to-disable-ftp/ ***/ + * [1] https://www.fxsitecompat.dev/en-CA/docs/2020/ftp-support-will-be-removed/ ***/ // user_pref("network.ftp.enabled", false); /* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+] * [SETUP-CHROME] Can break extensions for profiles on network shares @@ -538,7 +532,7 @@ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); /* 0902: use a master password * There are no preferences for this. It is all handled internally. * [SETTING] Privacy & Security>Logins and Passwords>Use a master password - * [1] https://support.mozilla.org/kb/use-master-password-protect-stored-logins ***/ + * [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/ /* 0903: set how often Firefox should ask for the master password * 0=the first time (default), 1=every time it's needed, 2=every n minutes (see 0904) ***/ user_pref("security.ask_for_password", 2); @@ -896,8 +890,7 @@ user_pref("_user.js.parrot", "1800 syntax error: the parrot's pushing up daisies /* 1803: disable Flash plugin * 0=deactivated, 1=ask, 2=enabled * ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable only supports Flash - * [NOTE] You can still override individual sites via site permissions - * [1] https://www.ghacks.net/2013/07/09/how-to-make-sure-that-a-firefox-plugin-never-activates-again/ ***/ + * [NOTE] You can still override individual sites via site permissions ***/ user_pref("plugin.state.flash", 0); /* 1820: disable GMP (Gecko Media Plugins) * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/ @@ -1051,9 +1044,8 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket! * [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress * This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website * [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one - * is default false) then enabling this pref can leak clipboard content, see [2] - * [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/ - * [2] https://bugzilla.mozilla.org/1528289 */ + * is default false) then enabling this pref can leak clipboard content, see [1] + * [1] https://bugzilla.mozilla.org/1528289 */ // user_pref("dom.event.clipboardevents.enabled", false); /* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] * this disables document.execCommand("cut"/"copy") to protect your clipboard @@ -1204,8 +1196,7 @@ user_pref("network.IDN_show_punycode", true); * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare) * [SETTING] General>Applications>Portable Document Format (PDF) ***/ user_pref("pdfjs.disabled", false); // [DEFAULT: false] -/* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] - * [1] https://www.ghacks.net/2016/03/25/block-firefox-chrome-windows-store/ ***/ +/* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/ user_pref("network.protocol-handler.external.ms-windows-store", false); /* 2622: enforce no system colors; they can be fingerprinted * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ @@ -1780,7 +1771,6 @@ user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozi // * * * / // FF77 // 0850e: disable location bar one-off searches [FF51+] - // [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ // [-] https://bugzilla.mozilla.org/1628926 // user_pref("browser.urlbar.oneOffSearches", false); // 2605: block web content in file processes [FF55+] From 815c3026b5c5287a22af197434faebf4922ccd17 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 13 Aug 2020 15:30:36 +0000 Subject: [PATCH 117/657] 79 final --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 3cb73ca..85adda6 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js * date: 13 Aug 2020 -* version 79-beta +* version 79 * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From 0358fdac8bc86847ac5af21dacbe2db9f1132a81 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 13 Aug 2020 15:32:45 +0000 Subject: [PATCH 118/657] 80-alpha --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 85adda6..056fbca 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js * date: 13 Aug 2020 -* version 79 +* version 80-alpha * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From 99aa5af3566d67ef379f4b95f7cb983f5bccda4c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 13 Aug 2020 15:34:26 +0000 Subject: [PATCH 119/657] password master->primary --- user.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 056fbca..d138216 100644 --- a/user.js +++ b/user.js @@ -529,14 +529,14 @@ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); * [NOTE] This does not clear any passwords already saved * [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/ // user_pref("signon.rememberSignons", false); -/* 0902: use a master password +/* 0902: use a primary password * There are no preferences for this. It is all handled internally. - * [SETTING] Privacy & Security>Logins and Passwords>Use a master password + * [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password * [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/ -/* 0903: set how often Firefox should ask for the master password +/* 0903: set how often Firefox should ask for the primary password * 0=the first time (default), 1=every time it's needed, 2=every n minutes (see 0904) ***/ user_pref("security.ask_for_password", 2); -/* 0904: set how often in minutes Firefox should ask for the master password (see 0903) +/* 0904: set how often in minutes Firefox should ask for the primary password (see 0903) * in minutes, default is 30 ***/ user_pref("security.password_lifetime", 5); /* 0905: disable auto-filling username & password form fields From 93840ca1810608fe0703767516015fe368100cd9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 13 Aug 2020 15:37:25 +0000 Subject: [PATCH 120/657] 0602 not hidden in ESR78 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index d138216..90f2863 100644 --- a/user.js +++ b/user.js @@ -370,7 +370,7 @@ user_pref("network.prefetch-next", false); /* 0602: disable DNS prefetching * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/ user_pref("network.dns.disablePrefetch", true); -user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF ESR] [DEFAULT: true FF70+] +user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF ESR68 or lower] [DEFAULT: true FF70+] /* 0603: disable predictor / prefetching ***/ user_pref("network.predictor.enabled", false); user_pref("network.predictor.enable-prefetch", false); // [FF48+] From f9f0fffd27062d8b93dd12be5bf88cfd1d720844 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 14 Aug 2020 09:01:14 +0000 Subject: [PATCH 121/657] Update README.md --- README.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index b374351..81b54a9 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,10 @@ ### ![][b] user.js A `user.js` is a configuration file that can control hundreds of Firefox settings. For a more technical breakdown and explanation, you can read more on the [overview](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.1-Overview) wiki page. -### ![][b] ghacks user.js -The `ghacks user.js` is a **template** which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage (but it will happen). +### ![][b] This user.js +This `user.js` is a **template** which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage (but it will happen). -Everyone, experts included, should at least read the [implementation](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation) wiki page, as it contains important information regarding a few `ghacks user.js` settings. +Everyone, experts included, should at least read the [implementation](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation) wiki page, as it contains important information regarding a few `user.js` settings. Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://www.torproject.org/about/torusers.html.en) calls for it, or for accessing hidden services. @@ -13,14 +13,12 @@ Also be aware that this `user.js` is made specifically for desktop Firefox. Usin Sitemap: [Releases](https://github.com/ghacksuserjs/ghacks-user.js/releases), [changelogs](https://github.com/ghacksuserjs/ghacks-user.js/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Achangelog), [Wiki](https://github.com/ghacksuserjs/ghacks-user.js/wiki), [stickies](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22). [diffs](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+label%3Adiffs) ### ![][b] acknowledgments -Literally thousands of sources, references and suggestions. That said... +Literally thousands of sources, references and suggestions. Special mention to: -* Martin Brinkmann at [ghacks](https://www.ghacks.net/) 1 -* The ghacks community and commentators * [12bytes](https://12bytes.org/articles/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs) * The 12bytes article now uses this user.js and supplements it with an additional JS hosted at [Codeberg](https://codeberg.org/12bytes.org/Firefox-user.js-supplement) -1 The ghacks user.js was an independent project by [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) started in early 2015 and was [first published](https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/) at ghacks in August 2015. With Martin Brinkmann's blessing, it will keep the ghacks name. +1 This user.js was an independent project by [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) started in early 2015, published in August 2015, and moved to GitHub in March 2017 ### ![][b] [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) From 726d5bde30604f7a857d674d50ddaf91aadd1c19 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 14 Aug 2020 14:12:28 +0000 Subject: [PATCH 122/657] 0105b: stop console error, closes #992 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 90f2863..5b6f656 100644 --- a/user.js +++ b/user.js @@ -116,7 +116,7 @@ user_pref("browser.newtabpage.activity-stream.telemetry", false); * Runs code received from a server (aka Remote Code Execution) and sends information back to a metrics server * [1] https://abouthome-snippets-service.readthedocs.io/ ***/ user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); -user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", ""); +user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{\"\":\"\"}"); /* 0105c: disable Activity Stream Top Stories, Pocket-based and/or sponsored content ***/ user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); From f1e0203ef4dec5bfaa5258a12db8cf7e6070685a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 15 Aug 2020 01:56:01 +0000 Subject: [PATCH 123/657] 0105b, cleaner value, see #992 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 5b6f656..26169cb 100644 --- a/user.js +++ b/user.js @@ -116,7 +116,7 @@ user_pref("browser.newtabpage.activity-stream.telemetry", false); * Runs code received from a server (aka Remote Code Execution) and sends information back to a metrics server * [1] https://abouthome-snippets-service.readthedocs.io/ ***/ user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); -user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{\"\":\"\"}"); +user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{}"); /* 0105c: disable Activity Stream Top Stories, Pocket-based and/or sponsored content ***/ user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); From 9a37e1340c430cc9953f6a73226f286d12bd9746 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 20 Aug 2020 17:18:22 +0000 Subject: [PATCH 124/657] 0905: add reference, #982 --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 26169cb..00e738d 100644 --- a/user.js +++ b/user.js @@ -542,7 +542,8 @@ user_pref("security.password_lifetime", 5); /* 0905: disable auto-filling username & password form fields * can leak in cross-site forms *and* be spoofed * [NOTE] Username & password is still available when you enter the field - * [SETTING] Privacy & Security>Logins and Passwords>Autofill logins and passwords ***/ + * [SETTING] Privacy & Security>Logins and Passwords>Autofill logins and passwords + * [1] https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ ***/ user_pref("signon.autofillForms", false); /* 0909: disable formless login capture for Password Manager [FF51+] ***/ user_pref("signon.formlessCapture.enabled", false); From 8d6d17d46bbb11b5b3e0c281f72266a82ebb187b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 21 Aug 2020 21:05:08 +0000 Subject: [PATCH 125/657] 1244: HTTPS-only mode: FF80+ site exceptions The option is not shown if https-only-mode is not being applied. I tested with `http://asmjs.org/` since it doesn't redirect/upgrade to secure. --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 00e738d..f67ab24 100644 --- a/user.js +++ b/user.js @@ -734,8 +734,9 @@ user_pref("security.mixed_content.block_display_content", true); /* 1243: block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks [FF59+] * [1] https://bugzilla.mozilla.org/1190623 ***/ user_pref("security.mixed_content.block_object_subrequest", true); -/* 1244: enable https-only-mode [FF76+] +/* 1244: enable HTTPS-Only mode [FF76+] * [NOTE] This is experimental + * [SETTING] to add site exceptions: Page Info>Permissions>Use insecure HTTP (FF80+) * [SETTING] Privacy & Security>HTTPS-Only Mode (FF81+) * [1] https://bugzilla.mozilla.org/1613063 */ // user_pref("dom.security.https_only_mode", true); // [FF76+] From b3eee6c9fd6a5497f361079389b2dd648f3fdb53 Mon Sep 17 00:00:00 2001 From: h88e22dgpeps56sg <52240714+h88e22dgpeps56sg@users.noreply.github.com> Date: Sat, 22 Aug 2020 12:07:13 +0000 Subject: [PATCH 126/657] improve readability, remove lots of unnecessary echo commands, remove legacy arguments (#997) Co-authored-by: TotallyLeGIT --- updater.sh | 118 +++++++++++++++++++++-------------------------------- 1 file changed, 47 insertions(+), 71 deletions(-) diff --git a/updater.sh b/updater.sh index 5c06a9c..d2756af 100755 --- a/updater.sh +++ b/updater.sh @@ -11,7 +11,7 @@ readonly CURRDIR=$(pwd) sfp=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null) -if [ -z "$sfp" ]; then sfp=${BASH_SOURCE[0]}; fi +[ -z "$sfp" ] && sfp=${BASH_SOURCE[0]} readonly SCRIPT_DIR=$(dirname "${sfp}") @@ -52,15 +52,15 @@ fi show_banner () { - echo -e "${BBLUE}\n" - echo ' ############################################################################' - echo ' #### ####' - echo ' #### ghacks user.js ####' - echo ' #### Hardening the Privacy and Security Settings of Firefox ####' - echo ' #### Maintained by @Thorin-Oakenpants and @earthlng ####' - echo ' #### Updater for macOS and Linux by @overdodactyl ####' - echo ' #### ####' - echo ' ############################################################################' + echo -e "${BBLUE} + ############################################################################ + #### #### + #### ghacks user.js #### + #### Hardening the Privacy and Security Settings of Firefox #### + #### Maintained by @Thorin-Oakenpants and @earthlng #### + #### Updater for macOS and Linux by @overdodactyl #### + #### #### + ############################################################################" echo -e "${NC}\n" echo -e "Documentation for this script is available here: ${CYAN}https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.3-Updater-Scripts${NC}\n" } @@ -70,43 +70,35 @@ show_banner () { ######################### usage() { - echo -e "${BLUE}\nUsage: $0 [-h] [-p PROFILE] [-u] [-d] [-s] [-n] [-b] [-c] [-v] [-r] [-e] [-o OVERRIDE]\n${NC}" 1>&2 # Echo usage string to standard error - echo 'Optional Arguments:' - echo -e "\t-h,\t\t Show this help message and exit." - echo -e "\t-p PROFILE,\t Path to your Firefox profile (if different than the dir of this script)" - echo -e "\t\t\t IMPORTANT: if the path include spaces, wrap the entire argument in quotes." - echo -e "\t-l, \t\t Choose your Firefox profile from a list" - echo -e "\t-u,\t\t Update updater.sh and execute silently. Do not seek confirmation." - echo -e "\t-d,\t\t Do not look for updates to updater.sh." - echo -e "\t-s,\t\t Silently update user.js. Do not seek confirmation." - echo -e "\t-b,\t\t Only keep one backup of each file." - echo -e "\t-c,\t\t Create a diff file comparing old and new user.js within userjs_diffs. " - echo -e "\t-o OVERRIDE,\t Filename or path to overrides file (if different than user-overrides.js)." - echo -e "\t\t\t If used with -p, paths should be relative to PROFILE or absolute paths" - echo -e "\t\t\t If given a directory, all files inside will be appended recursively." - echo -e "\t\t\t You can pass multiple files or directories by passing a comma separated list." - echo -e "\t\t\t\t Note: If a directory is given, only files inside ending in the extension .js are appended" - echo -e "\t\t\t\t IMPORTANT: do not add spaces between files/paths. Ex: -o file1.js,file2.js,dir1" - echo -e "\t\t\t\t IMPORTANT: if any files/paths include spaces, wrap the entire argument in quotes." - echo -e "\t\t\t\t\t Ex: -o \"override folder\" " - echo -e "\t-n,\t\t Do not append any overrides, even if user-overrides.js exists." - echo -e "\t-v,\t\t Open the resulting user.js file." - echo -e "\t-r,\t\t Only download user.js to a temporary file and open it." - echo -e "\t-e,\t\t Activate ESR related preferences." - echo -e - echo 'Deprecated Arguments (they still work for now):' - echo -e "\t-donotupdate,\t Use instead -d" - echo -e "\t-update,\t Use instead -u" - echo -e + echo + echo -e "${BLUE}Usage: $0 [-bcdehlnrsuv] [-p PROFILE] [-o OVERRIDE]${NC}" 1>&2 # Echo usage string to standard error + echo -e " +Optional Arguments: + -h Show this help message and exit. + -p PROFILE Path to your Firefox profile (if different than the dir of this script) + IMPORTANT: if the path includes spaces, wrap the entire argument in quotes. + -l Choose your Firefox profile from a list + -u Update updater.sh and execute silently. Do not seek confirmation. + -d Do not look for updates to updater.sh. + -s Silently update user.js. Do not seek confirmation. + -b Only keep one backup of each file. + -c Create a diff file comparing old and new user.js within userjs_diffs. + -o OVERRIDE Filename or path to overrides file (if different than user-overrides.js). + If used with -p, paths should be relative to PROFILE or absolute paths + If given a directory, all files inside will be appended recursively. + You can pass multiple files or directories by passing a comma separated list. + Note: If a directory is given, only files inside ending in the extension .js are appended + IMPORTANT: do not add spaces between files/paths. Ex: -o file1.js,file2.js,dir1 + IMPORTANT: if any files/paths include spaces, wrap the entire argument in quotes. + Ex: -o \"override folder\" + -n Do not append any overrides, even if user-overrides.js exists. + -v Open the resulting user.js file. + -r Only download user.js to a temporary file and open it. + -e Activate ESR related preferences." + echo exit 1 } -legacy_argument () { - echo -e "${ORANGE}\nWarning: command line arguments have changed." - echo -e "$1 has been deprecated and may not work in the future.\n" - echo -e "Please view the new options using the -h argument.${NC}" -} - ######################### # File Handling # ######################### @@ -204,8 +196,8 @@ get_updater_version () { # Update updater.sh # Default: Check for update, if available, ask user if they want to execute it # Args: -# -donotupdate: New version will not be looked for and update will not occur -# -update: Check for update, if available, execute without asking +# -d: New version will not be looked for and update will not occur +# -u: Check for update, if available, execute without asking update_updater () { if [ $UPDATE = 'no' ]; then return 0 # User signified not to check for updates @@ -218,9 +210,7 @@ update_updater () { echo -e "There is a newer version of updater.sh available. ${RED}Update and execute Y/N?${NC}" read -p "" -n 1 -r echo -e "\n\n" - if [[ $REPLY =~ ^[Nn]$ ]]; then - return 0 # Update available, but user chooses not to update - fi + [[ $REPLY =~ ^[Nn]$ ]] && return 0 # Update available, but user chooses not to update fi else return 0 # No update available @@ -238,11 +228,7 @@ update_updater () { # Returns version number of a user.js file get_userjs_version () { - if [ -e $1 ]; then - echo "$(sed -n '4p' "$1")" - else - echo "Not detected." - fi + [ -e $1 ] && echo "$(sed -n '4p' "$1")" || echo "Not detected." } add_override () { @@ -273,10 +259,10 @@ remove_comments () { # expects 2 arguments: from-file and to-file update_userjs () { declare -r newfile=$(download_file 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js') - echo 'Please observe the following information:' - echo -e "\tFirefox profile: ${ORANGE}$(pwd)${NC}" - echo -e "\tAvailable online: ${ORANGE}$(get_userjs_version $newfile)${NC}" - echo -e "\tCurrently using: ${ORANGE}$(get_userjs_version user.js)\n${NC}\n" + echo -e "Please observe the following information: + Firefox profile: ${ORANGE}$(pwd)${NC} + Available online: ${ORANGE}$(get_userjs_version $newfile)${NC} + Currently using: ${ORANGE}$(get_userjs_version user.js)${NC}\n\n" if [ $CONFIRM = 'yes' ]; then echo -e "This script will update to the latest user.js file and append any custom configurations from user-overrides.js. ${RED}Continue Y/N? ${NC}" @@ -298,9 +284,7 @@ update_userjs () { # backup user.js mkdir -p userjs_backups local bakname="userjs_backups/user.js.backup.$(date +"%Y-%m-%d_%H%M")" - if [ $BACKUP = 'single' ]; then - bakname='userjs_backups/user.js.backup' - fi + [ $BACKUP = 'single' ] && bakname='userjs_backups/user.js.backup' cp user.js "$bakname" &>/dev/null mv "${newfile}" user.js @@ -336,14 +320,12 @@ update_userjs () { echo -e "Status: ${GREEN}A diff file was created:${NC} ${PWD}/${diffname}" else echo -e "Warning: ${ORANGE}Your new user.js file appears to be identical. No diff file was created.${NC}" - if [ $BACKUP = 'multiple' ]; then - rm $bakname &>/dev/null - fi + [ $BACKUP = 'multiple' ] && rm $bakname &>/dev/null fi rm $past_nocomments $current_nocomments $pastuserjs &>/dev/null fi - if [ "$VIEW" = true ]; then open_file "${PWD}/user.js"; fi + [ "$VIEW" = true ] && open_file "${PWD}/user.js" } ######################### @@ -355,12 +337,6 @@ if [ $# != 0 ]; then # Display usage if first argument is -help or --help if [ $1 = '--help' ] || [ $1 = '-help' ]; then usage - elif [ $legacy_lc = '-donotupdate' ]; then - UPDATE='no' - legacy_argument $1 - elif [ $legacy_lc = '-update' ]; then - UPDATE='yes' - legacy_argument $1 else while getopts ":hp:ludsno:bcvre" opt; do case $opt in From a5ab3e23d68253f41aeb86cfaa7628e1eed882d5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 22 Aug 2020 22:16:27 +0000 Subject: [PATCH 127/657] Update README.md --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 81b54a9..e13832d 100644 --- a/README.md +++ b/README.md @@ -18,8 +18,6 @@ Literally thousands of sources, references and suggestions. Special mention to: * [12bytes](https://12bytes.org/articles/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs) * The 12bytes article now uses this user.js and supplements it with an additional JS hosted at [Codeberg](https://codeberg.org/12bytes.org/Firefox-user.js-supplement) -1 This user.js was an independent project by [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) started in early 2015, published in August 2015, and moved to GitHub in March 2017 - ### ![][b] [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [b]: /wikipiki/bullet01.png From cfce521919053be2434f8c3bf428787fde50ee9f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 23 Aug 2020 14:37:18 +0000 Subject: [PATCH 128/657] 1409: RFP changes in FF81+ (#998) --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index f67ab24..0eccd71 100644 --- a/user.js +++ b/user.js @@ -809,7 +809,8 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); user_pref("gfx.font_rendering.graphite.enabled", false); /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed - * [NOTE] RFP in FF80+ restricts the whitelist to bundled and "Base Fonts" (see 4618) + * [NOTE] in FF80 RFP restricts the whitelist to bundled and "Base Fonts" + * ...and in FF81+ the whitelist **overrides** RFP's font visibility (see 4618) * [WARNING] Creating your own probably highly-unique whitelist will raise your entropy. * Eventually privacy.resistFingerprinting (see 4500) will cover this * [1] https://bugzilla.mozilla.org/1121643 ***/ From 38d772e4c8721f59a361370572cdb25d777ea04a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 25 Aug 2020 14:59:41 +0000 Subject: [PATCH 129/657] https-only mode updates (#1001) --- user.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 0eccd71..4996b3f 100644 --- a/user.js +++ b/user.js @@ -735,11 +735,12 @@ user_pref("security.mixed_content.block_display_content", true); * [1] https://bugzilla.mozilla.org/1190623 ***/ user_pref("security.mixed_content.block_object_subrequest", true); /* 1244: enable HTTPS-Only mode [FF76+] - * [NOTE] This is experimental + * When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored * [SETTING] to add site exceptions: Page Info>Permissions>Use insecure HTTP (FF80+) - * [SETTING] Privacy & Security>HTTPS-Only Mode (FF81+) - * [1] https://bugzilla.mozilla.org/1613063 */ + * [SETTING] Privacy & Security>HTTPS-Only Mode (FF80+ with browser.preferences.exposeHTTPSOnly = true) + * [1] https://bugzilla.mozilla.org/1613063 ***/ // user_pref("dom.security.https_only_mode", true); // [FF76+] + // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+] // user_pref("dom.security.https_only_mode.upgrade_local", true); // [FF77+] /** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] From c6f53c876803a4af26e1000c17455cc09f04cd9b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 26 Aug 2020 11:28:47 +0000 Subject: [PATCH 130/657] 2201 deprecated (dead prefs removed in 82), #979 (#1002) --- user.js | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/user.js b/user.js index 4996b3f..9d116d1 100644 --- a/user.js +++ b/user.js @@ -958,16 +958,6 @@ user_pref("media.autoplay.blocking_policy", 2); /*** [SECTION 2200]: WINDOW MEDDLING & LEAKS / POPUPS ***/ user_pref("_user.js.parrot", "2200 syntax error: the parrot's 'istory!"); -/* 2201: prevent websites from disabling new window features ***/ -user_pref("dom.disable_window_open_feature.close", true); -user_pref("dom.disable_window_open_feature.location", true); // [DEFAULT: true] -user_pref("dom.disable_window_open_feature.menubar", true); -user_pref("dom.disable_window_open_feature.minimizable", true); -user_pref("dom.disable_window_open_feature.personalbar", true); // bookmarks toolbar -user_pref("dom.disable_window_open_feature.resizable", true); // [DEFAULT: true] -user_pref("dom.disable_window_open_feature.status", true); // [DEFAULT: true] -user_pref("dom.disable_window_open_feature.titlebar", true); -user_pref("dom.disable_window_open_feature.toolbar", true); /* 2202: prevent scripts from moving and resizing open windows ***/ user_pref("dom.disable_window_move_resize", true); /* 2203: open links targeting new windows in a new tab instead @@ -1772,6 +1762,17 @@ user_pref("webgl.disable-extensions", true); // [2] https://trac.torproject.org/projects/tor/ticket/16931 // [-] https://bugzilla.mozilla.org/1618188 user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/"); +// 2201: prevent websites from disabling new window features + // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1507375,1660524 +user_pref("dom.disable_window_open_feature.close", true); +user_pref("dom.disable_window_open_feature.location", true); // [DEFAULT: true] +user_pref("dom.disable_window_open_feature.menubar", true); +user_pref("dom.disable_window_open_feature.minimizable", true); +user_pref("dom.disable_window_open_feature.personalbar", true); // bookmarks toolbar +user_pref("dom.disable_window_open_feature.resizable", true); // [DEFAULT: true] +user_pref("dom.disable_window_open_feature.status", true); // [DEFAULT: true] +user_pref("dom.disable_window_open_feature.titlebar", true); +user_pref("dom.disable_window_open_feature.toolbar", true); // * * * / // FF77 // 0850e: disable location bar one-off searches [FF51+] From 592b959c241ad3fb633a6cc4f9f766321771383c Mon Sep 17 00:00:00 2001 From: h88e22dgpeps56sg <52240714+h88e22dgpeps56sg@users.noreply.github.com> Date: Fri, 28 Aug 2020 10:51:15 +0000 Subject: [PATCH 131/657] Updater.sh rework 2 (#1000) * rework DOWNLOAD_METHOD, download_file, open_file * remove legacy command leftover line * return empty string if download fails and return/exit if this happens and show error message * fix IFS var typo * bump version * add quotes Co-authored-by: TotallyLeGIT --- updater.sh | 32 +++++++++++++------------------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/updater.sh b/updater.sh index d2756af..ddd5266 100755 --- a/updater.sh +++ b/updater.sh @@ -2,7 +2,7 @@ ## ghacks-user.js updater for macOS and Linux -## version: 2.6 +## version: 2.7 ## Author: Pat Johnson (@overdodactyl) ## Additional contributors: @earthlng, @ema-pe, @claustromaniac @@ -42,9 +42,9 @@ ESR=false # Download method priority: curl -> wget DOWNLOAD_METHOD='' if [[ $(command -v 'curl') ]]; then - DOWNLOAD_METHOD='curl' + DOWNLOAD_METHOD='curl --max-redirs 3 -so' elif [[ $(command -v 'wget') ]]; then - DOWNLOAD_METHOD='wget' + DOWNLOAD_METHOD='wget --max-redirect 3 --quiet -O' else echo -e "${RED}This script requires curl or wget.\nProcess aborted${NC}" exit 0 @@ -104,24 +104,16 @@ Optional Arguments: ######################### # Download files -download_file () { - declare -r url=$1 +download_file () { # expects URL as argument ($1) declare -r tf=$(mktemp) - local dlcmd='' - if [ $DOWNLOAD_METHOD = 'curl' ]; then - dlcmd="curl -o $tf" - else - dlcmd="wget -O $tf" - fi - - $dlcmd "${url}" &>/dev/null && echo "$tf" || echo '' # return the temp-filename (or empty string on error) + $DOWNLOAD_METHOD "${tf}" "$1" && echo "$tf" || echo '' # return the temp-filename or empty string on error } open_file () { #expects one argument: file_path if [ "$(uname)" == 'Darwin' ]; then open "$1" - elif [ "$(expr substr $(uname -s) 1 5)" == "Linux" ]; then + elif [ "$(uname -s | cut -c -5)" == "Linux" ]; then xdg-open "$1" else echo -e "${RED}Error: Sorry, opening files is not supported for your OS.${NC}" @@ -203,7 +195,8 @@ update_updater () { return 0 # User signified not to check for updates fi - declare -r tmpfile=$(download_file 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/updater.sh') + declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/updater.sh')" + [ -z "${tmpfile}" ] && echo -e "${RED}Error! Could not download updater.sh${NC}" && return 1 # check if download failed if [[ $(get_updater_version "${SCRIPT_DIR}/updater.sh") < $(get_updater_version "${tmpfile}") ]]; then if [ $UPDATE = 'check' ]; then @@ -238,7 +231,7 @@ add_override () { cat "$input" >> user.js echo -e "Status: ${GREEN}Override file appended:${NC} ${input}" elif [ -d "$input" ]; then - FSAVEIFS=$IFS + SAVEIFS=$IFS IFS=$'\n\b' # Set IFS FILES="${input}"/*.js for f in $FILES @@ -257,7 +250,8 @@ remove_comments () { # expects 2 arguments: from-file and to-file # Applies latest version of user.js and any custom overrides update_userjs () { - declare -r newfile=$(download_file 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js') + declare -r newfile="$(download_file 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js')" + [ -z "${newfile}" ] && echo -e "${RED}Error! Could not download user.js${NC}" && return 1 # check if download failed echo -e "Please observe the following information: Firefox profile: ${ORANGE}$(pwd)${NC} @@ -333,7 +327,6 @@ update_userjs () { ######################### if [ $# != 0 ]; then - readonly legacy_lc=$(echo $1 | tr '[A-Z]' '[a-z]') # Display usage if first argument is -help or --help if [ $1 = '--help' ] || [ $1 = '-help' ]; then usage @@ -377,7 +370,8 @@ if [ $# != 0 ]; then ESR=true ;; r) - tfile=$(download_file 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js') + tfile="$(download_file 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js')" + [ -z "${tfile}" ] && echo -e "${RED}Error! Could not download user.js${NC}" && exit 1 # check if download failed mv $tfile "${tfile}.js" echo -e "${ORANGE}Warning: user.js was saved to temporary file ${tfile}.js${NC}" open_file "${tfile}.js" From 5fd7f6de7e5b193f63954380e948fb8b876ea445 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 28 Aug 2020 18:27:20 +0000 Subject: [PATCH 132/657] 80-alpha --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 9d116d1..2788d3b 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 13 Aug 2020 -* version 80-alpha +* date: 28 Aug 2020 +* version 80-beta * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From fbe1d48fe2a934da37ce950d28edee2372d86bda Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 31 Aug 2020 19:49:00 +0000 Subject: [PATCH 133/657] 2203: open_newwindow values - FYI: https://bugzilla.mozilla.org/show_bug.cgi?id=1661643 - https://hg.mozilla.org/integration/autoland/rev/12d62b074178 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 2788d3b..fa49e66 100644 --- a/user.js +++ b/user.js @@ -965,7 +965,7 @@ user_pref("dom.disable_window_move_resize", true); * You can still right-click a link and open in a new window. * [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ -user_pref("browser.link.open_newwindow", 3); +user_pref("browser.link.open_newwindow", 3); // 2=new window, 3=new tab user_pref("browser.link.open_newwindow.restriction", 0); /* 2204: disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks * [NOTE] You can still manually toggle the browser's fullscreen state (F11), From 8dacf6e91f055a91125a01decebfc86a145043c3 Mon Sep 17 00:00:00 2001 From: Diogo Agostinho Date: Mon, 31 Aug 2020 21:47:57 +0000 Subject: [PATCH 134/657] fix typo (#1005) --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index fa49e66..0a9dceb 100644 --- a/user.js +++ b/user.js @@ -505,7 +505,7 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); * [1] https://support.mozilla.org/en-US/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/ // user_pref("browser.urlbar.autoFill", false); /* 0860: disable search and form history - * [SETUP-WEB] Be aware thet autocomplete form data can be read by third parties, see [1] [2] + * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties, see [1] [2] * [NOTE] We also clear formdata on exit (see 2803) * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html From 22d2d702beb25ef627c22f38f24ad3c6bb1756d3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 3 Sep 2020 13:02:09 +0000 Subject: [PATCH 135/657] 1409: obsolete RFP mention --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index 0a9dceb..4893c80 100644 --- a/user.js +++ b/user.js @@ -813,7 +813,6 @@ user_pref("gfx.font_rendering.graphite.enabled", false); * [NOTE] in FF80 RFP restricts the whitelist to bundled and "Base Fonts" * ...and in FF81+ the whitelist **overrides** RFP's font visibility (see 4618) * [WARNING] Creating your own probably highly-unique whitelist will raise your entropy. - * Eventually privacy.resistFingerprinting (see 4500) will cover this * [1] https://bugzilla.mozilla.org/1121643 ***/ // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] From ed993d550288c30e636e5198e7aa349c5de3a5c5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 3 Sep 2020 13:04:31 +0000 Subject: [PATCH 136/657] 80 final --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 4893c80..226a724 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js -* date: 28 Aug 2020 -* version 80-beta +* date: 03 Sep 2020 +* version 80 * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt From 3c2bd930c3f6c25889a169d16ec4b6f60d022a72 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 3 Sep 2020 13:11:16 +0000 Subject: [PATCH 137/657] start 81-alpha, EOL for ESR68 --- user.js | 100 ++------------------------------------------------------ 1 file changed, 3 insertions(+), 97 deletions(-) diff --git a/user.js b/user.js index 226a724..5259baa 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: ghacks user.js * date: 03 Sep 2020 -* version 80 +* version 81-alpha * url: https://github.com/ghacksuserjs/ghacks-user.js * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt @@ -370,7 +370,7 @@ user_pref("network.prefetch-next", false); /* 0602: disable DNS prefetching * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/ user_pref("network.dns.disablePrefetch", true); -user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF ESR68 or lower] [DEFAULT: true FF70+] +user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true FF70+] /* 0603: disable predictor / prefetching ***/ user_pref("network.predictor.enabled", false); user_pref("network.predictor.enable-prefetch", false); // [FF48+] @@ -1680,7 +1680,7 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED - Documentation denoted as [-]. Items deprecated in FF68 or earlier have been archived at [1], + Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1], which also provides a link-clickable, viewer-friendly version of the deprecated bugzilla tickets [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/123 ***/ @@ -1699,99 +1699,5 @@ user_pref("intl.charset.fallback.override", "windows-1252"); // * * * / // ***/ -/* ESR68.x still uses all the following prefs -// [NOTE] replace the * with a slash in the line above to re-enable them -// FF69 -// 1405: disable WOFF2 (Web Open Font Format) [FF35+] - // [-] https://bugzilla.mozilla.org/1556991 - // user_pref("gfx.downloadable_fonts.woff2.enabled", false); -// 1802: enforce click-to-play for plugins - // [-] https://bugzilla.mozilla.org/1519434 -user_pref("plugins.click_to_play", true); // [DEFAULT: true FF25+] -// 2033: disable autoplay for muted videos [FF63+] - replaced by 'media.autoplay.default' options (2030) - // [-] https://bugzilla.mozilla.org/1562331 - // user_pref("media.autoplay.allow-muted", false); -// * * * / -// FF71 -// 2608: disable WebIDE and ADB extension download - // [1] https://trac.torproject.org/projects/tor/ticket/16222 - // [-] https://bugzilla.mozilla.org/1539462 -user_pref("devtools.webide.enabled", false); // [DEFAULT: false FF70+] -user_pref("devtools.webide.autoinstallADBExtension", false); // [FF64+] -// 2731: enforce websites to ask to store data for offline use - // [1] https://support.mozilla.org/questions/1098540 - // [2] https://bugzilla.mozilla.org/959985 - // [-] https://bugzilla.mozilla.org/1574480 -user_pref("offline-apps.allow_by_default", false); -// * * * / -// FF72 -// 0105a: disable Activity Stream telemetry - // [-] https://bugzilla.mozilla.org/1597697 -user_pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", ""); -// 0330: disable Hybdrid Content telemetry - // [-] https://bugzilla.mozilla.org/1520491 -user_pref("toolkit.telemetry.hybridContent.enabled", false); // [FF59+] -// 2720: enforce IndexedDB (IDB) as enabled - // IDB is required for extensions and Firefox internals (even before FF63 in [1]) - // To control *website* IDB data, control allowing cookies and service workers, or use - // Temporary Containers. To mitigate *website* IDB, FPI helps (4001), and/or sanitize - // on close (Offline Website Data, see 2800) or on-demand (Ctrl-Shift-Del), or automatically - // via an extension. Note that IDB currently cannot be sanitized by host. - // [1] https://blog.mozilla.org/addons/2018/08/03/new-backend-for-storage-local-api/ - // [-] https://bugzilla.mozilla.org/1488583 -user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true] -// * * * / -// FF74 -// 0203: use Mozilla geolocation service instead of Google when geolocation is enabled - // Optionally enable logging to the console (defaults to false) - // [-] https://bugzilla.mozilla.org/1613627 -user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); - // user_pref("geo.wifi.logging.enabled", true); // [HIDDEN PREF] -// 1704: set behaviour on "+ Tab" button to display container menu [FF53+] [SETUP-CHROME] - // 0=no menu (default), 1=show when clicked, 2=show on long press - // [1] https://bugzilla.mozilla.org/1328756 - // [-] https://bugzilla.mozilla.org/1606265 -user_pref("privacy.userContext.longPressBehavior", 2); -// 2012: limit WebGL - // [-] https://bugzilla.mozilla.org/1477756 -user_pref("webgl.disable-extensions", true); -// * * * / -// FF76 -// 0401: sanitize blocklist url - // [2] https://trac.torproject.org/projects/tor/ticket/16931 - // [-] https://bugzilla.mozilla.org/1618188 -user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/"); -// 2201: prevent websites from disabling new window features - // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1507375,1660524 -user_pref("dom.disable_window_open_feature.close", true); -user_pref("dom.disable_window_open_feature.location", true); // [DEFAULT: true] -user_pref("dom.disable_window_open_feature.menubar", true); -user_pref("dom.disable_window_open_feature.minimizable", true); -user_pref("dom.disable_window_open_feature.personalbar", true); // bookmarks toolbar -user_pref("dom.disable_window_open_feature.resizable", true); // [DEFAULT: true] -user_pref("dom.disable_window_open_feature.status", true); // [DEFAULT: true] -user_pref("dom.disable_window_open_feature.titlebar", true); -user_pref("dom.disable_window_open_feature.toolbar", true); -// * * * / -// FF77 -// 0850e: disable location bar one-off searches [FF51+] - // [-] https://bugzilla.mozilla.org/1628926 - // user_pref("browser.urlbar.oneOffSearches", false); -// 2605: block web content in file processes [FF55+] - // [SETUP-WEB] You may want to disable this for corporate or developer environments - // [1] https://bugzilla.mozilla.org/1343184 - // [-] https://bugzilla.mozilla.org/1603007 -user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false); -// * * * / -// FF78 -// 2031: disable autoplay of HTML5 media if you interacted with the site [FF66+] - replaced by 'media.autoplay.blocking_policy' - // [-] https://bugzilla.mozilla.org/1509933 -user_pref("media.autoplay.enabled.user-gestures-needed", false); -// 5000's: disable chrome animations - replaced FF77+ by 'ui.prefersReducedMotion' (4520) - // [-] https://bugzilla.mozilla.org/1640501 - // user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+] -// * * * / -// ***/ - /* END: internal custom pref to test for syntax errors ***/ user_pref("_user.js.parrot", "SUCCESS: No no he's not dead, he's, he's restin'!"); From 76019e6fbe957a4338a7c91de20821089b459659 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 3 Sep 2020 13:27:25 +0000 Subject: [PATCH 138/657] ESR78 unhidden prefs also, the note about WebExt + SVG only applies to people using outdated versions .. so that can go too --- user.js | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 5259baa..0f95a51 100644 --- a/user.js +++ b/user.js @@ -581,7 +581,7 @@ user_pref("browser.cache.disk.enable", false); /* 1003: disable memory cache * capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kibibytes ***/ // user_pref("browser.cache.memory.enable", false); - // user_pref("browser.cache.memory.capacity", 0); // [HIDDEN PREF ESR] + // user_pref("browser.cache.memory.capacity", 0); /* 1006: disable permissions manager from writing to disk [RESTART] * [NOTE] This means any permission changes are session only * [1] https://bugzilla.mozilla.org/967812 ***/ @@ -1149,7 +1149,6 @@ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] * [1] https://bugzilla.mozilla.org/1173199 ***/ // user_pref("mathml.disabled", true); /* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+] - * [NOTE] In FF70+ and ESR68.1.0+ this no longer affects extensions (1564208) * [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile. * [1] https://bugzilla.mozilla.org/1216893 ***/ // user_pref("svg.disabled", true); @@ -1391,7 +1390,7 @@ user_pref("privacy.firstparty.isolate", true); * [2] https://bugzilla.mozilla.org/1492607 * [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/ // user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true] - // user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF ESR] + // user_pref("privacy.firstparty.isolate.block_post_message", true); /* 4003: enable site partitioning (FF78+) * [1] https://bugzilla.mozilla.org/1590107 [META] */ user_pref("privacy.partition.network_state", true); From 75a03df0f70523caa52560229f671028380ff76f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 5 Sep 2020 15:20:46 +0000 Subject: [PATCH 139/657] miscellaneous (#1007) - less active prefs - now that ESR68 is EOL, at least a whopping two (0602, 1273) - also I don't know when the default changed - another whopping whole one (1240) - and where we do enforce/reset a pref to default, lets say that - this is not a definitive list, sing out if there is anything else - IPv6 info - especially for Iron Heart who likes to claim that this pref breaks 5% of sites - cleanup of settings tags now we only care abut ESR78+ --- user.js | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/user.js b/user.js index 0f95a51..85b59f4 100644 --- a/user.js +++ b/user.js @@ -206,8 +206,7 @@ user_pref("app.update.auto", false); * when false, extension detail tabs will have no description ***/ // user_pref("extensions.getAddons.cache.enabled", false); /* 0308: disable search engine updates (e.g. OpenSearch) - * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines - * [SETTING] General>Firefox Updates>Automatically update search engines (FF72-) ***/ + * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines ***/ user_pref("browser.search.update", false); /* 0309: disable sending Flash crash reports ***/ user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); @@ -352,7 +351,7 @@ user_pref("browser.ping-centre.telemetry", false); /* 0517: disable Form Autofill * [NOTE] Stored data is NOT secure (uses a JSON file) * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes - * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses (FF74+) + * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] user_pref("extensions.formautofill.available", "off"); // [FF56+] @@ -377,16 +376,16 @@ user_pref("network.predictor.enable-prefetch", false); // [FF48+] /* 0605: disable link-mouseover opening connection to linked server * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/ user_pref("network.http.speculative-parallel-limit", 0); -/* 0606: disable "Hyperlink Auditing" (click tracking) and enforce same host in case +/* 0606: enforce no "Hyperlink Auditing" (click tracking) * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/ user_pref("browser.send_pings", false); // [DEFAULT: false] -user_pref("browser.send_pings.require_same_host", true); +user_pref("browser.send_pings.require_same_host", true); // defense-in-depth /*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!"); /* 0701: disable IPv6 - * IPv6 can be abused, especially regarding MAC addresses. They also do not play nice - * with VPNs. That's even assuming your ISP and/or router and/or website can handle it. + * IPv6 can be abused, especially with MAC addresses, and they do not play nice with VPNs. That's + * even assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4 * [STATS] Firefox telemetry (June 2020) shows only 5% of all connections are IPv6 * [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, @@ -726,7 +725,7 @@ user_pref("security.family_safety.mode", 0); user_pref("security.cert_pinning.enforcement_level", 2); /** MIXED CONTENT ***/ -/* 1240: disable insecure active content on https pages +/* 1240: enforce no insecure active content on https pages * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21323 ***/ user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true] /* 1241: disable insecure passive content (such as images) on https pages [SETUP-WEB] ***/ @@ -785,7 +784,7 @@ user_pref("browser.ssl_override_behavior", 1); * [TEST] https://expired.badssl.com/ ***/ user_pref("browser.xul.error_pages.expert_bad_cert", true); /* 1273: display "insecure" icon and "Not Secure" text on HTTP sites ***/ -user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true FF70+] + // user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true FF70+] user_pref("security.insecure_connection_text.enabled", true); // [FF60+] /*** [SECTION 1400]: FONTS ***/ @@ -1141,7 +1140,7 @@ user_pref("browser.uitour.url", ""); * [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes * [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/ user_pref("devtools.chrome.enabled", false); -/* 2608: disable remote debugging +/* 2608: reset remote debugging to disabled * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] /* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN] @@ -1690,7 +1689,6 @@ user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); // 0212: enforce fallback text encoding to match en-US // When the content or server doesn't declare a charset the browser will // fallback to the "Current locale" based on your application language - // [SETTING] General>Language and Appearance>Fonts and Colors>Advanced>Text Encoding for Legacy Content (FF72-) // [TEST] https://hsivonen.com/test/moz/check-charset.htm // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025 // [-] https://bugzilla.mozilla.org/1603712 From 9c98972d14cefa6b09fd14d74dfed1332fba2027 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 5 Sep 2020 15:42:34 +0000 Subject: [PATCH 140/657] misc2 (#1010) * forceMediaMemoryCache breakage * add back ESR68-EOL for prefsCleaner users --- user.js | 101 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 99 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 85b59f4..603d0ef 100644 --- a/user.js +++ b/user.js @@ -586,7 +586,8 @@ user_pref("browser.cache.disk.enable", false); * [1] https://bugzilla.mozilla.org/967812 ***/ // user_pref("permissions.memory_only", true); // [HIDDEN PREF] /* 1007: disable media cache from writing to disk in Private Browsing - * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB ***/ + * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB + * [SETUP-WEB] ESR78: playback might break on subsequent loading (1650281) ***/ user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+] user_pref("media.memory_cache_max_size", 65536); @@ -735,9 +736,11 @@ user_pref("security.mixed_content.block_display_content", true); user_pref("security.mixed_content.block_object_subrequest", true); /* 1244: enable HTTPS-Only mode [FF76+] * When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored + * [WARNING] This is experimental, see [1] and you can't set exceptions if FPI is enabled, see [2] * [SETTING] to add site exceptions: Page Info>Permissions>Use insecure HTTP (FF80+) * [SETTING] Privacy & Security>HTTPS-Only Mode (FF80+ with browser.preferences.exposeHTTPSOnly = true) - * [1] https://bugzilla.mozilla.org/1613063 ***/ + * [1] https://bugzilla.mozilla.org/1613063 [META] + * [2] https://bugzilla.mozilla.org/1647829 ***/ // user_pref("dom.security.https_only_mode", true); // [FF76+] // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+] // user_pref("dom.security.https_only_mode.upgrade_local", true); // [FF77+] @@ -1696,5 +1699,99 @@ user_pref("intl.charset.fallback.override", "windows-1252"); // * * * / // ***/ +/* ESR68.x still uses all the following prefs +// [NOTE] replace the * with a slash in the line above to re-enable them +// FF69 +// 1405: disable WOFF2 (Web Open Font Format) [FF35+] + // [-] https://bugzilla.mozilla.org/1556991 + // user_pref("gfx.downloadable_fonts.woff2.enabled", false); +// 1802: enforce click-to-play for plugins + // [-] https://bugzilla.mozilla.org/1519434 +user_pref("plugins.click_to_play", true); // [DEFAULT: true FF25+] +// 2033: disable autoplay for muted videos [FF63+] - replaced by 'media.autoplay.default' options (2030) + // [-] https://bugzilla.mozilla.org/1562331 + // user_pref("media.autoplay.allow-muted", false); +// * * * / +// FF71 +// 2608: disable WebIDE and ADB extension download + // [1] https://trac.torproject.org/projects/tor/ticket/16222 + // [-] https://bugzilla.mozilla.org/1539462 +user_pref("devtools.webide.enabled", false); // [DEFAULT: false FF70+] +user_pref("devtools.webide.autoinstallADBExtension", false); // [FF64+] +// 2731: enforce websites to ask to store data for offline use + // [1] https://support.mozilla.org/questions/1098540 + // [2] https://bugzilla.mozilla.org/959985 + // [-] https://bugzilla.mozilla.org/1574480 +user_pref("offline-apps.allow_by_default", false); +// * * * / +// FF72 +// 0105a: disable Activity Stream telemetry + // [-] https://bugzilla.mozilla.org/1597697 +user_pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", ""); +// 0330: disable Hybdrid Content telemetry + // [-] https://bugzilla.mozilla.org/1520491 +user_pref("toolkit.telemetry.hybridContent.enabled", false); // [FF59+] +// 2720: enforce IndexedDB (IDB) as enabled + // IDB is required for extensions and Firefox internals (even before FF63 in [1]) + // To control *website* IDB data, control allowing cookies and service workers, or use + // Temporary Containers. To mitigate *website* IDB, FPI helps (4001), and/or sanitize + // on close (Offline Website Data, see 2800) or on-demand (Ctrl-Shift-Del), or automatically + // via an extension. Note that IDB currently cannot be sanitized by host. + // [1] https://blog.mozilla.org/addons/2018/08/03/new-backend-for-storage-local-api/ + // [-] https://bugzilla.mozilla.org/1488583 +user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true] +// * * * / +// FF74 +// 0203: use Mozilla geolocation service instead of Google when geolocation is enabled + // Optionally enable logging to the console (defaults to false) + // [-] https://bugzilla.mozilla.org/1613627 +user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); + // user_pref("geo.wifi.logging.enabled", true); // [HIDDEN PREF] +// 1704: set behaviour on "+ Tab" button to display container menu [FF53+] [SETUP-CHROME] + // 0=no menu (default), 1=show when clicked, 2=show on long press + // [1] https://bugzilla.mozilla.org/1328756 + // [-] https://bugzilla.mozilla.org/1606265 +user_pref("privacy.userContext.longPressBehavior", 2); +// 2012: limit WebGL + // [-] https://bugzilla.mozilla.org/1477756 +user_pref("webgl.disable-extensions", true); +// * * * / +// FF76 +// 0401: sanitize blocklist url + // [2] https://trac.torproject.org/projects/tor/ticket/16931 + // [-] https://bugzilla.mozilla.org/1618188 +user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/"); +// 2201: prevent websites from disabling new window features + // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1507375,1660524 +user_pref("dom.disable_window_open_feature.close", true); +user_pref("dom.disable_window_open_feature.location", true); // [DEFAULT: true] +user_pref("dom.disable_window_open_feature.menubar", true); +user_pref("dom.disable_window_open_feature.minimizable", true); +user_pref("dom.disable_window_open_feature.personalbar", true); // bookmarks toolbar +user_pref("dom.disable_window_open_feature.resizable", true); // [DEFAULT: true] +user_pref("dom.disable_window_open_feature.status", true); // [DEFAULT: true] +user_pref("dom.disable_window_open_feature.titlebar", true); +user_pref("dom.disable_window_open_feature.toolbar", true); +// * * * / +// FF77 +// 0850e: disable location bar one-off searches [FF51+] + // [-] https://bugzilla.mozilla.org/1628926 + // user_pref("browser.urlbar.oneOffSearches", false); +// 2605: block web content in file processes [FF55+] + // [SETUP-WEB] You may want to disable this for corporate or developer environments + // [1] https://bugzilla.mozilla.org/1343184 + // [-] https://bugzilla.mozilla.org/1603007 +user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false); +// * * * / +// FF78 +// 2031: disable autoplay of HTML5 media if you interacted with the site [FF66+] - replaced by 'media.autoplay.blocking_policy' + // [-] https://bugzilla.mozilla.org/1509933 +user_pref("media.autoplay.enabled.user-gestures-needed", false); +// 5000's: disable chrome animations - replaced FF77+ by 'ui.prefersReducedMotion' (4520) + // [-] https://bugzilla.mozilla.org/1640501 + // user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+] +// * * * / +// ***/ + /* END: internal custom pref to test for syntax errors ***/ user_pref("_user.js.parrot", "SUCCESS: No no he's not dead, he's, he's restin'!"); From f606c8b8666cf14fb8104acdc30e7629f89bb3b5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 8 Sep 2020 23:49:22 +0000 Subject: [PATCH 141/657] 2203 values see https://bugzilla.mozilla.org/show_bug.cgi?id=1663500 where they reverted https://bugzilla.mozilla.org/show_bug.cgi?id=1661643 where they said value 1 didn't do anything - all changes in FF82, so nothing to see here folks ... move along --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 603d0ef..5cfbe9f 100644 --- a/user.js +++ b/user.js @@ -966,7 +966,7 @@ user_pref("dom.disable_window_move_resize", true); * You can still right-click a link and open in a new window. * [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ -user_pref("browser.link.open_newwindow", 3); // 2=new window, 3=new tab +user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab user_pref("browser.link.open_newwindow.restriction", 0); /* 2204: disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks * [NOTE] You can still manually toggle the browser's fullscreen state (F11), From 78a7c194ebe728215f00c81edf71c6e632eb6037 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 10 Sep 2020 07:33:50 +0000 Subject: [PATCH 142/657] update ref links --- user.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 5cfbe9f..2e7da6d 100644 --- a/user.js +++ b/user.js @@ -964,14 +964,14 @@ user_pref("dom.disable_window_move_resize", true); /* 2203: open links targeting new windows in a new tab instead * This stops malicious window sizes and some screen resolution leaks. * You can still right-click a link and open in a new window. - * [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen + * [TEST] https://torzillafox.github.io/tzp/tzp.html#screen * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab user_pref("browser.link.open_newwindow.restriction", 0); /* 2204: disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks * [NOTE] You can still manually toggle the browser's fullscreen state (F11), * but this pref will disable embedded video/game fullscreen controls, e.g. youtube - * [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen ***/ + * [TEST] https://torzillafox.github.io/tzp/tzp.html#screen ***/ // user_pref("full-screen-api.enabled", false); /* 2210: block popup windows * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ @@ -1147,7 +1147,7 @@ user_pref("devtools.chrome.enabled", false); * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] /* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN] - * [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#misc + * [TEST] https://torzillafox.github.io/tzp/tzp.html#misc * [1] https://bugzilla.mozilla.org/1173199 ***/ // user_pref("mathml.disabled", true); /* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+] @@ -1408,7 +1408,7 @@ user_pref("privacy.partition.network_state", true); [NOTE] Info only: To set a size, open a XUL (chrome) page (such as about:config) which is at 100% zoom, hit Shift+F4 to open the scratchpad, type window.resizeTo(1366,768), hit Ctrl+R to run. Test your window size, do some math, resize to allow for all the non inner window elements - [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen + [TEST] https://torzillafox.github.io/tzp/tzp.html#screen ** 1281949 - spoof screen orientation (FF50+) ** 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+) FF53: Fixes GetSupportedNames in nsMimeTypeArray and nsPluginArray (1324044) From c8eee094e0f10b2c15644327c6fa31fb72a24730 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 11 Sep 2020 03:23:55 +0000 Subject: [PATCH 143/657] update links --- user.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 2e7da6d..77f0b41 100644 --- a/user.js +++ b/user.js @@ -964,14 +964,14 @@ user_pref("dom.disable_window_move_resize", true); /* 2203: open links targeting new windows in a new tab instead * This stops malicious window sizes and some screen resolution leaks. * You can still right-click a link and open in a new window. - * [TEST] https://torzillafox.github.io/tzp/tzp.html#screen + * [TEST] https://hardenff.github.io/tzp/tzp.html#screen * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab user_pref("browser.link.open_newwindow.restriction", 0); /* 2204: disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks * [NOTE] You can still manually toggle the browser's fullscreen state (F11), * but this pref will disable embedded video/game fullscreen controls, e.g. youtube - * [TEST] https://torzillafox.github.io/tzp/tzp.html#screen ***/ + * [TEST] https://hardenff.github.io/tzp/tzp.html#screen ***/ // user_pref("full-screen-api.enabled", false); /* 2210: block popup windows * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ @@ -1147,7 +1147,7 @@ user_pref("devtools.chrome.enabled", false); * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] /* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN] - * [TEST] https://torzillafox.github.io/tzp/tzp.html#misc + * [TEST] https://hardenff.github.io/tzp/tzp.html#misc * [1] https://bugzilla.mozilla.org/1173199 ***/ // user_pref("mathml.disabled", true); /* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+] @@ -1408,7 +1408,7 @@ user_pref("privacy.partition.network_state", true); [NOTE] Info only: To set a size, open a XUL (chrome) page (such as about:config) which is at 100% zoom, hit Shift+F4 to open the scratchpad, type window.resizeTo(1366,768), hit Ctrl+R to run. Test your window size, do some math, resize to allow for all the non inner window elements - [TEST] https://torzillafox.github.io/tzp/tzp.html#screen + [TEST] https://hardenff.github.io/tzp/tzp.html#screen ** 1281949 - spoof screen orientation (FF50+) ** 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+) FF53: Fixes GetSupportedNames in nsMimeTypeArray and nsPluginArray (1324044) From 18112f9ae86ac2b27ff93955a3d1d4aeb09e5d67 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 11 Sep 2020 21:55:12 +0000 Subject: [PATCH 144/657] last F time :) update TZP links --- user.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 77f0b41..08962f3 100644 --- a/user.js +++ b/user.js @@ -964,14 +964,14 @@ user_pref("dom.disable_window_move_resize", true); /* 2203: open links targeting new windows in a new tab instead * This stops malicious window sizes and some screen resolution leaks. * You can still right-click a link and open in a new window. - * [TEST] https://hardenff.github.io/tzp/tzp.html#screen + * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab user_pref("browser.link.open_newwindow.restriction", 0); /* 2204: disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks * [NOTE] You can still manually toggle the browser's fullscreen state (F11), * but this pref will disable embedded video/game fullscreen controls, e.g. youtube - * [TEST] https://hardenff.github.io/tzp/tzp.html#screen ***/ + * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen ***/ // user_pref("full-screen-api.enabled", false); /* 2210: block popup windows * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ @@ -1147,7 +1147,7 @@ user_pref("devtools.chrome.enabled", false); * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] /* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN] - * [TEST] https://hardenff.github.io/tzp/tzp.html#misc + * [TEST] https://arkenfox.github.io/TZP/tzp.html#misc * [1] https://bugzilla.mozilla.org/1173199 ***/ // user_pref("mathml.disabled", true); /* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+] @@ -1408,7 +1408,7 @@ user_pref("privacy.partition.network_state", true); [NOTE] Info only: To set a size, open a XUL (chrome) page (such as about:config) which is at 100% zoom, hit Shift+F4 to open the scratchpad, type window.resizeTo(1366,768), hit Ctrl+R to run. Test your window size, do some math, resize to allow for all the non inner window elements - [TEST] https://hardenff.github.io/tzp/tzp.html#screen + [TEST] https://arkenfox.github.io/TZP/tzp.html#screen ** 1281949 - spoof screen orientation (FF50+) ** 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+) FF53: Fixes GetSupportedNames in nsMimeTypeArray and nsPluginArray (1324044) From 3e4c56cf27d0b67457fa2a11e4fd26da0737833c Mon Sep 17 00:00:00 2001 From: earthlng Date: Sun, 13 Sep 2020 12:16:21 +0000 Subject: [PATCH 145/657] arkenfox support also fixes mixed line endings --- updater.bat | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/updater.bat b/updater.bat index b433678..0e883be 100644 --- a/updater.bat +++ b/updater.bat @@ -3,10 +3,10 @@ TITLE ghacks user.js updater REM ## ghacks-user.js updater for Windows REM ## author: @claustromaniac -REM ## version: 4.10 +REM ## version: 4.11 REM ## instructions: https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.3-Updater-Scripts -SET v=4.10 +SET v=4.11 VERIFY ON CD /D "%~dp0" @@ -100,7 +100,10 @@ IF NOT EXIST user.js ( ) :exitloop IF NOT "!_name!"=="" ( - IF /I NOT "!_name!"=="!_name:ghacks=!" ( + SET "_tempvar=" + IF /I NOT "!_name!"=="!_name:ghacks=!" SET _tempvar=1 + IF /I NOT "!_name!"=="!_name:arkenfox=!" SET _tempvar=1 + IF !_tempvar! EQU 1 ( CALL :message "!_name! !_version:~2!,!_date!" ) ELSE (CALL :message "Current user.js version not recognised.") ) ELSE (CALL :message "Current user.js version not recognised.") @@ -136,10 +139,10 @@ IF EXIST user.js.new ( IF DEFINED _rfpalts ( CALL :message "Activating RFP Alternatives section..." CALL :activate user.js.new "[SETUP-non-RFP]" - ) - IF DEFINED _esr ( - CALL :message "Activating ESR section..." - CALL :activate user.js.new ".x still uses all the following prefs" + ) + IF DEFINED _esr ( + CALL :message "Activating ESR section..." + CALL :activate user.js.new ".x still uses all the following prefs" ) IF DEFINED _multi ( FORFILES /P user.js-overrides /M *.js >nul 2>&1 @@ -216,8 +219,8 @@ ENDLOCAL GOTO :EOF ::::::::::::::: Activate Section ::::::::::::::: -:activate -:: arg1 = file +:activate +:: arg1 = file :: arg2 = line substring SETLOCAL DisableDelayedExpansion ( From ae0c980d25721b3ce32a56fb37a3e07a9282be98 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 04:15:03 +0000 Subject: [PATCH 146/657] migration --- user.js | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/user.js b/user.js index 08962f3..05dc94d 100644 --- a/user.js +++ b/user.js @@ -1,22 +1,22 @@ /****** -* name: ghacks user.js +* name: arkenfox user.js * date: 03 Sep 2020 * version 81-alpha -* url: https://github.com/ghacksuserjs/ghacks-user.js -* license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt +* url: https://github.com/arkenfox/user.js +* license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt * releases: These are end-of-stable-life-cycle legacy archives. *Always* use the master branch user.js for a current up-to-date version - url: https://github.com/ghacksuserjs/ghacks-user.js/releases + url: https://github.com/arkenfox/user.js/releases * README: 0. Consider using Tor Browser if it meets your needs or fits your threat model better * https://www.torproject.org/about/torusers.html.en 1. READ the full README - * https://github.com/ghacksuserjs/ghacks-user.js/blob/master/README.md + * https://github.com/arkenfox/user.js/blob/master/README.md 2. READ this - * https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation + * https://github.com/arkenfox/user.js/wiki/1.3-Implementation 3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum * Real time binary checks with Google services are disabled (0412) * You will still get prompts to update Firefox, but auto-installing them is disabled (0302a) @@ -38,7 +38,7 @@ [SETUP-HARDEN] maybe you should consider using the Tor Browser * [WARNING] tags are extra special and used sparingly, so heed them 4. BACKUP your profile folder before implementing (and/or test in a new/cloned profile) - 5. KEEP UP TO DATE: https://github.com/ghacksuserjs/ghacks-user.js/wiki#small_orange_diamond-maintenance + 5. KEEP UP TO DATE: https://github.com/arkenfox/user.js/wiki#small_orange_diamond-maintenance * INDEX: @@ -391,7 +391,7 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, * then this won't make much difference. If you are masking your IP, then it can only help. * [TEST] https://ipleak.org/ - * [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/437#issuecomment-403740626 + * [1] https://github.com/arkenfox/user.js/issues/437#issuecomment-403740626 * [2] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/ user_pref("network.dns.disableIPv6", true); /* 0702: disable HTTP2 @@ -568,7 +568,7 @@ user_pref("network.auth.subresource-http-auth-allow", 1); [2] https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/ [3] https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache [4] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21 - [5] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.4-Header-Editor + [5] https://github.com/arkenfox/user.js/wiki/4.2.4-Header-Editor ***/ user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!"); /** CACHE ***/ @@ -1683,7 +1683,7 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1], which also provides a link-clickable, viewer-friendly version of the deprecated bugzilla tickets - [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/123 + [1] https://github.com/arkenfox/user.js/issues/123 ***/ user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); /* ESR78.x still uses all the following prefs From af516315971b7c94075db1e317bee5b12dc3b781 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 04:19:03 +0000 Subject: [PATCH 147/657] Update LICENSE.txt --- LICENSE.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE.txt b/LICENSE.txt index a18c4e2..0eed2c7 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2017 ghacksuserjs +Copyright (c) 2020 arkenfox Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From 4c4270f1d7972c0f274dc65dc7ae83913194545d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 04:33:50 +0000 Subject: [PATCH 148/657] migration changes --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index e13832d..2c3a00c 100644 --- a/README.md +++ b/README.md @@ -1,23 +1,23 @@ ### ![][b] user.js -A `user.js` is a configuration file that can control hundreds of Firefox settings. For a more technical breakdown and explanation, you can read more on the [overview](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.1-Overview) wiki page. +A `user.js` is a configuration file that can control hundreds of Firefox settings. For a more technical breakdown and explanation, you can read more on the [overview](https://github.com/arkenfox/user.js/wiki/1.1-Overview) wiki page. -### ![][b] This user.js -This `user.js` is a **template** which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage (but it will happen). +### ![][b] the arkenfox user.js -Everyone, experts included, should at least read the [implementation](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation) wiki page, as it contains important information regarding a few `user.js` settings. +[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) + +The `arkenfox user.js` is a **template** which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage (but it will happen). + +Everyone, experts included, should at least read the [implementation](https://github.com/arkenfox/user.js/wiki/1.3-Implementation) wiki page, as it contains important information regarding a few `user.js` settings. Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://www.torproject.org/about/torusers.html.en) calls for it, or for accessing hidden services. -Also be aware that this `user.js` is made specifically for desktop Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser. +Also be aware that the `arkenfox user.js` is made specifically for desktop Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser. -Sitemap: [Releases](https://github.com/ghacksuserjs/ghacks-user.js/releases), [changelogs](https://github.com/ghacksuserjs/ghacks-user.js/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Achangelog), [Wiki](https://github.com/ghacksuserjs/ghacks-user.js/wiki), [stickies](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22). [diffs](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+label%3Adiffs) +Sitemap: [Releases](https://github.com/arkenfox/user.js/releases), [changelogs](https://github.com/arkenfox/user.js/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Achangelog), [Wiki](https://github.com/arkenfox/user.js/wiki), [stickies](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22). [diffs](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+label%3Adiffs) ### ![][b] acknowledgments Literally thousands of sources, references and suggestions. Special mention to: -* [12bytes](https://12bytes.org/articles/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs) - * The 12bytes article now uses this user.js and supplements it with an additional JS hosted at [Codeberg](https://codeberg.org/12bytes.org/Firefox-user.js-supplement) - -### ![][b] [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) + * This [12bytes article](https://12bytes.org/articles/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs) which uses the `arkenfox user.js` and supplements it with an additional JS hosted at [Codeberg](https://codeberg.org/12bytes.org/Firefox-user.js-supplement) [b]: /wikipiki/bullet01.png From ed5b15877709f7c6690f88e769bd1db1e817752f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 05:52:28 +0000 Subject: [PATCH 149/657] Rename ghacks-clear-RFP-alternatives.js to arkenfox-clear-RFP-alternatives.js --- ...ear-RFP-alternatives.js => arkenfox-clear-RFP-alternatives.js} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename scratchpad-scripts/{ghacks-clear-RFP-alternatives.js => arkenfox-clear-RFP-alternatives.js} (100%) diff --git a/scratchpad-scripts/ghacks-clear-RFP-alternatives.js b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js similarity index 100% rename from scratchpad-scripts/ghacks-clear-RFP-alternatives.js rename to scratchpad-scripts/arkenfox-clear-RFP-alternatives.js From 6fdda5fb627ef9758ccefe243f2a7bf059c3b398 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 05:53:09 +0000 Subject: [PATCH 150/657] rename as arkenfox --- .../{ghacks-clear-deprecated.js => arkenfox-clear-deprecated.js} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename scratchpad-scripts/{ghacks-clear-deprecated.js => arkenfox-clear-deprecated.js} (100%) diff --git a/scratchpad-scripts/ghacks-clear-deprecated.js b/scratchpad-scripts/arkenfox-clear-deprecated.js similarity index 100% rename from scratchpad-scripts/ghacks-clear-deprecated.js rename to scratchpad-scripts/arkenfox-clear-deprecated.js From 26bca612d7ea9d86ac6e2aa4b54288e92024ee92 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 05:54:22 +0000 Subject: [PATCH 151/657] rename as arkenfox --- .../{ghacks-clear-removed.js => arkenfox-clear-removed.js} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename scratchpad-scripts/{ghacks-clear-removed.js => arkenfox-clear-removed.js} (98%) diff --git a/scratchpad-scripts/ghacks-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js similarity index 98% rename from scratchpad-scripts/ghacks-clear-removed.js rename to scratchpad-scripts/arkenfox-clear-removed.js index dfb63c4..8032bcc 100644 --- a/scratchpad-scripts/ghacks-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,10 +1,10 @@ /*** - This will reset the preferences that have been removed completely from the ghacks user.js. + This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 28-July-2020 + Last updated: 14-Sept-2020 For instructions see: - https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] + https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] ***/ (function() { From 637e5964dbadf6783ae1f1833ad5c190b315a238 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 05:56:00 +0000 Subject: [PATCH 152/657] update links --- scratchpad-scripts/arkenfox-clear-RFP-alternatives.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js index 1dfc5f7..4be4b81 100644 --- a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js +++ b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js @@ -2,11 +2,11 @@ Version: up to and including FF/ESR78 This will reset the preferences that are under sections 4600 & 4700 in the - ghacks user.js. These are the prefs that are no longer necessary, or they + arkenfox user.js. These are the prefs that are no longer necessary, or they conflict with, privacy.resistFingerprinting if you have that enabled. For instructions see: - https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] + https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] ***/ (function() { From 1f545312fd6d11060df67d7157186e66a81c5398 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 05:57:30 +0000 Subject: [PATCH 153/657] update names + links --- scratchpad-scripts/arkenfox-clear-deprecated.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-deprecated.js b/scratchpad-scripts/arkenfox-clear-deprecated.js index e3ab4e1..766dd33 100644 --- a/scratchpad-scripts/arkenfox-clear-deprecated.js +++ b/scratchpad-scripts/arkenfox-clear-deprecated.js @@ -2,12 +2,12 @@ Version: up to and including FF/ESR78 This will reset the preferences that have been deprecated by Mozilla - and used in the ghacks user.js + and used in the arkenfox user.js It is in reverse order, so feel free to remove sections that do not apply For instructions see: - https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] + https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] ***/ (function() { From 44e22835c128621cc13f864fcf7cf2dc1d07af13 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 05:58:39 +0000 Subject: [PATCH 154/657] update name --- scratchpad-scripts/arkenfox-clear-removed.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 8032bcc..25da048 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -9,7 +9,7 @@ (function() { let ops = [ - /* removed in ghacks user.js v52-57 */ + /* removed in arkenfox user.js v52-57 */ /* 52-alpha */ 'browser.search.reset.enabled', 'browser.search.reset.whitelist', From 2532ddcc18b6323459797be0697ab6a54e6f1a4b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 05:59:51 +0000 Subject: [PATCH 155/657] update name --- scratchpad-scripts/troubleshooter.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scratchpad-scripts/troubleshooter.js b/scratchpad-scripts/troubleshooter.js index 61488f0..a33d803 100644 --- a/scratchpad-scripts/troubleshooter.js +++ b/scratchpad-scripts/troubleshooter.js @@ -1,5 +1,5 @@ -/*** ghacks-user.js troubleshooter.js v1.6.1 ***/ +/*** arkenfox user.js troubleshooter.js v1.6.1 ***/ (function() { From eff4b74130272ed4dfe815c0f411512df9f51c3c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 06:05:33 +0000 Subject: [PATCH 156/657] migration: cleanup code references --- .github/ISSUE_TEMPLATE/troubleshooting-help.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/troubleshooting-help.md b/.github/ISSUE_TEMPLATE/troubleshooting-help.md index 4cf0a19..9585395 100644 --- a/.github/ISSUE_TEMPLATE/troubleshooting-help.md +++ b/.github/ISSUE_TEMPLATE/troubleshooting-help.md @@ -8,16 +8,16 @@ assignees: '' --- Before you proceed... - - Issues will be closed as invalid if you do not [troubleshoot](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.4-Troubleshooting), including + - Issues will be closed as invalid if you do not [troubleshoot](https://github.com/arkenfox/user.js/wiki/1.4-Troubleshooting), including - confirming the problem is caused by the `user.js` - searching the `[Setup` tags in the `user.js` - Search the GitHub repository. The information you need is most likely here already. - Note: We do not support forks See also: - - Extension breakage due to prefs [issue 391](https://github.com/ghacksuserjs/ghacks-user.js/issues/391) - - Prefs vs Recommended Extensions: Co-Existance+Enhancement | Conflicts [issue 350](https://github.com/ghacksuserjs/ghacks-user.js/issues/350) - - The extension CSP header modification game [issue 664](https://github.com/ghacksuserjs/ghacks-user.js/issues/664) + - Extension breakage due to prefs [issue 391](https://github.com/arkenfox/user.js/issues/391) + - Prefs vs Recommended Extensions: Co-Existance+Enhancement | Conflicts [issue 350](https://github.com/arkenfox/user.js/issues/350) + - The extension CSP header modification game [issue 664](https://github.com/arkenfox/user.js/issues/664) If you still need help, help us help you by providing relevant information: - browser version From 6a107d4d2fbe885b2c8ee2254d7a024d56188540 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 06:06:32 +0000 Subject: [PATCH 157/657] migration: cleanup code references --- .github/ISSUE_TEMPLATE/user-js.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/user-js.md b/.github/ISSUE_TEMPLATE/user-js.md index 1357819..7955d27 100644 --- a/.github/ISSUE_TEMPLATE/user-js.md +++ b/.github/ISSUE_TEMPLATE/user-js.md @@ -9,7 +9,7 @@ assignees: '' We value feedback in general, but we value feedback from informed users more. There is no need for you to be an expert to participate (most of us aren't), but we hope that you at least understand our decisions before questioning them. We discuss all changes openly, and we do not make changes lightly. So, if you don't understand why we decided to add/remove/change a certain pref, search the repo. The answer is most certainly here. -If some change we made took you by surprise (in the wrong way), remember that keeping track of changes is your responsibility. Watch the repo, read the [changelogs](https://github.com/ghacksuserjs/ghacks-user.js/issues?utf8=✓&q=is%3Aissue+label%3Achangelog), compare [releases](https://github.com/ghacksuserjs/ghacks-user.js/releases) as you update your copy of user.js, or use any other method you prefer. +If some change we made took you by surprise (in the wrong way), remember that keeping track of changes is your responsibility. Watch the repo, read the [changelogs](https://github.com/arkenfox/user.js/issues?utf8=✓&q=is%3Aissue+label%3Achangelog), compare [releases](https://github.com/arkenfox/user.js/releases) as you update your copy of user.js, or use any other method you prefer. Clear all of this when you're ready to type. From fc650522863ede373f458ac71552dc5e91a5afd8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 06:07:32 +0000 Subject: [PATCH 158/657] migration: cleanup code references --- _config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_config.yml b/_config.yml index a8f761e..839cbe3 100644 --- a/_config.yml +++ b/_config.yml @@ -1,3 +1,3 @@ theme: jekyll-theme-midnight -title: ghacks-user.js +title: user.js description: An ongoing comprehensive user.js template for configuring and hardening Firefox privacy, security and anti-fingerprinting From 515d6ff8744a746021e0f9fe1091e1782d3391ba Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 06:11:35 +0000 Subject: [PATCH 159/657] v2.3: update repo name --- prefsCleaner.bat | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/prefsCleaner.bat b/prefsCleaner.bat index 4c8f7a4..f82658a 100644 --- a/prefsCleaner.bat +++ b/prefsCleaner.bat @@ -3,7 +3,7 @@ TITLE prefs.js cleaner REM ### prefs.js cleaner for Windows REM ## author: @claustromaniac -REM ## version: 2.2 +REM ## version: 2.3 CD /D "%~dp0" @@ -13,7 +13,7 @@ ECHO: ECHO ######################################## ECHO #### prefs.js cleaner for Windows #### ECHO #### by claustromaniac #### -ECHO #### v2.2 #### +ECHO #### v2.3 #### ECHO ######################################## ECHO: CALL :message "This script should be run from your Firefox profile directory." @@ -101,7 +101,7 @@ ECHO add-ons disabled. Then, restart it again normally, and see if the CALL :message " problems were solved." ECHO: CALL :message "If you are able to identify the cause of your issues, please bring it up" -ECHO on ghacks-user.js GitHub repository. +ECHO on arkenfox user.js GitHub repository. ECHO: ECHO: PAUSE From 16c36580406c16644aa59c84a74920adfad39b72 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 06:17:44 +0000 Subject: [PATCH 160/657] align look with TZP --- README.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 2c3a00c..32849d5 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ -### ![][b] user.js +### 🟪 user.js A `user.js` is a configuration file that can control hundreds of Firefox settings. For a more technical breakdown and explanation, you can read more on the [overview](https://github.com/arkenfox/user.js/wiki/1.1-Overview) wiki page. -### ![][b] the arkenfox user.js +### 🟩 the arkenfox user.js [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) @@ -13,11 +13,16 @@ Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Bro Also be aware that the `arkenfox user.js` is made specifically for desktop Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser. -Sitemap: [Releases](https://github.com/arkenfox/user.js/releases), [changelogs](https://github.com/arkenfox/user.js/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Achangelog), [Wiki](https://github.com/arkenfox/user.js/wiki), [stickies](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22). [diffs](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+label%3Adiffs) +### 🟧 sitemap -### ![][b] acknowledgments + - [Releases](https://github.com/arkenfox/user.js/releases) + - [changelogs](https://github.com/arkenfox/user.js/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Achangelog) + - [Wiki](https://github.com/arkenfox/user.js/wiki) + - [stickies](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22) + - [diffs](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+label%3Adiffs) + +### 🟥 acknowledgments Literally thousands of sources, references and suggestions. Special mention to: * This [12bytes article](https://12bytes.org/articles/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs) which uses the `arkenfox user.js` and supplements it with an additional JS hosted at [Codeberg](https://codeberg.org/12bytes.org/Firefox-user.js-supplement) -[b]: /wikipiki/bullet01.png From ed05c644824c69d9d930bd3972959497aa50107a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 06:18:33 +0000 Subject: [PATCH 161/657] we no longer have github pages --- wikipiki/bullet01.png | Bin 3374 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 wikipiki/bullet01.png diff --git a/wikipiki/bullet01.png b/wikipiki/bullet01.png deleted file mode 100644 index eaaacd52134f420398f84d34d82a9cf0b7101d16..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3374 zcmV+}4bk$6P)KLZ*U+IBfRsybQWXdwQbLP>6pAqfylh#{fb6;Z(vMMVS~$e@S=j*ftg6;Uhf59&ghTmgWD0l;*T zI709Y^p6lP1rIRMx#05C~cW=H_Aw*bJ-5DT&Z2n+x)QHX^p z00esgV8|mQcmRZ%02D^@S3L16t`O%c004NIvOKvYIYoh62rY33S640`D9%Y2D-rV&neh&#Q1i z007~1e$oCcFS8neI|hJl{-P!B1ZZ9hpmq0)X0i`JwE&>$+E?>%_LC6RbVIkUx0b+_+BaR3cnT7Zv!AJxW zizFb)h!jyGOOZ85F;a?DAXP{m@;!0_IfqH8(HlgRxt7s3}k3K`kFu>>-2Q$QMFfPW!La{h336o>X zu_CMttHv6zR;&ZNiS=X8v3CR#fknUxHUxJ0uoBa_M6WNWeqIg~6QE69c9o#eyhGvpiOA@W-aonk<7r1(?fC{oI5N*U!4 zfg=2N-7=cNnjjOr{yriy6mMFgG#l znCF=fnQv8CDz++o6_Lscl}eQ+l^ZHARH>?_s@|##Rr6KLRFA1%Q+=*RRWnoLsR`7U zt5vFIcfW3@?wFpwUVxrVZ>QdQz32KIeJ}k~{cZZE^+ya? z2D1z#2HOnI7(B%_ac?{wFUQ;QQA1tBKtrWrm0_3Rgps+?Jfqb{jYbcQX~taRB;#$y zZN{S}1|}gUOHJxc?wV3fxuz+mJ4`!F$IZ;mqRrNsHJd##*D~ju=bP7?-?v~|cv>vB zsJ6IeNwVZxrdjT`yl#bBIa#GxRa#xMMy;K#CDyyGyQdMSxlWT#tDe?p!?5wT$+oGt z8L;Kp2HUQ-ZMJ=3XJQv;x5ci*?vuTfeY$;({XGW_huIFR9a(?@3)XSs8O^N5RyOM=TTmp(3=8^+zpz2r)C z^>JO{deZfso3oq3?Wo(Y?l$ge?uXo;%ru`Vo>?<<(8I_>;8Eq#KMS9gFl*neeosSB zfoHYnBQIkwkyowPu(zdms`p{<7e4kra-ZWq<2*OsGTvEV%s0Td$hXT+!*8Bnh2KMe zBmZRodjHV?r+_5^X9J0WL4jKW`}lf%A-|44I@@LTvf1rHjG(ze6+w@Jt%Bvjts!X0 z?2xS?_ve_-kiKB_KiJlZ$9G`c^=E@oNG)mWWaNo-3TIW8)$Hg0Ub-~8?KhvJ>$ z3*&nim@mj(aCxE5!t{lw7O5^0EIO7zOo&c6l<+|iDySBWCGrz@C5{St!X3hAA}`T4 z(TLbXTq+(;@<=L8dXnssyft|w#WSTW<++3>sgS%(4NTpeI-VAqb|7ssJvzNHgOZVu zaYCvgO_R1~>SyL=cFU|~g|hy|Zi}}s9+d~lYqOB71z9Z$wnC=pR9Yz4DhIM>Wmjgu z&56o6maCpC&F##y%G;1PobR9i?GnNg;gYtchD%p19a!eQtZF&3JaKv33gZ<8D~47E ztUS1iwkmDaPpj=$m#%)jCVEY4fnLGNg2A-`YwHVD3gv};>)hAvT~AmqS>Lr``i7kw zJ{5_It`yrBmlc25DBO7E8;5VoznR>Ww5hAaxn$2~(q`%A-YuS64wkBy=9dm`4cXeX z4c}I@?e+FW+b@^RDBHV(wnMq2zdX3SWv9u`%{xC-q*U}&`cyXV(%rRT*Z6MH?i+i& z_B8C(+grT%{XWUQ+f@NoP1R=AW&26{v-dx)iK^-Nmiuj8txj!m?Z*Ss1N{dh4z}01 z)YTo*JycSU)+_5r4#yw9{+;i4Ee$peRgIj+;v;ZGdF1K$3E%e~4LaI(jC-u%2h$&R z9cLXcYC@Xwnns&bn)_Q~Te?roKGD|d-g^8;+aC{{G(1^(O7m37Y1-+6)01cN&y1aw zoqc{T`P^XJqPBbIW6s}d4{z_f5Om?vMgNQEJG?v2T=KYd^0M3I6IZxbny)%vZR&LD zJpPl@Psh8QyPB@KTx+@RdcC!KX7}kEo;S|j^u2lU7XQ}Oo;f|;z4Ll+_r>@1-xl3| zawq-H%e&ckC+@AhPrP6BKT#_XdT7&;F71j}Joy zkC~6lh7E@6o;W@^IpRNZ{ptLtL(gQ-CY~4mqW;US7Zxvm_|@yz&e53Bp_lTPlfP|z zrTyx_>lv@x#=^!PzR7qqF<$gm`|ZJZ+;<)Cqu&ot2z=0000WV@Og>004R=004l4008;_004mL004C`008P>0026e000+nl3&F} z00076Nkl@vnbTIPJVNwl}pr}KolPFXqsKEY%E*(M*+nk%* z)a8$~{Ixn17}!Ox*|nr&;W3zpHuo%~eB7QrHj{ju!nebg6mGghL5KJ8`#OF2A|m|F z_-Ejkn-KGY>iI3-e$+r25m)K)h_l2V4;&!wvl8!AQ2h#@+bkq%Aa#o3!I;NV`E|T9 zx)eIGsCpIqFEH*^h+Z43Rmg2xz2R3c|Xn5;mw`_&`CGq4~RPDgN4Z1C;9)(D2 z5n!wxn>KPdy!qj_NZ2V7cFNY=9a$bL&!Ran?pBDl>;cBwv1vmG=QrQhi_A5NyuY4p zu1PlEHOlhvp@{0nz700-0><3fw1Lw3%uJQY?0JzlXZ~#VoMc{~7HzO>L3MFbEePI# z1rL>4uXR2%RW349A@b@-{$?s9GhHrPpEatsEB0u!vJ+gqMb%O-pEf3}BGdasrmP}U zB?YpIOqa;UgjKYlMUAvt&h7vcjZ}XNu_lv7#t8-u%B)cHx!(sN4l2Js)a*ZNpAFGCkI>QG>a2IgZ0f~oMQ16Ch zC+IF5W)CTOjL0Lz>>+J9sW;qU`1b(yi=cZ!4`xBV6Ot}S-J^EhPkP0KlaZ70KgcXqaelzmH+?%07*qoM6N<$ Ef@qmi<^TWy From 7fe9784bf87d0baf1ef6053aaa7542ae5837da53 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Sep 2020 06:18:54 +0000 Subject: [PATCH 162/657] we no longer have github pages --- wikipiki/exclamation.png | Bin 3210 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 wikipiki/exclamation.png diff --git a/wikipiki/exclamation.png b/wikipiki/exclamation.png deleted file mode 100644 index e8e4ff5fd1ec1b49fe12fe38f8eadfc775ffbfac..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3210 zcmV;540ZE~P)KLZ*U+IBfRsybQWXdwQbLP>6pAqfylh#{fb6;Z(vMMVS~$e@S=j*ftg6;Uhf59&ghTmgWD0l;*T zI709Y^p6lP1rIRMx#05C~cW=H_Aw*bJ-5DT&Z2n+x)QHX^p z00esgV8|mQcmRZ%02D^@S3L16t`O%c004NIvOKvYIYoh62rY33S640`D9%Y2D-rV&neh&#Q1i z007~1e$oCcFS8neI|hJl{-P!B1ZZ9hpmq0)X0i`JwE&>$+E?>%_LC6RbVIkUx0b+_+BaR3cnT7Zv!AJxW zizFb)h!jyGOOZ85F;a?DAXP{m@;!0_IfqH8(HlgRxt7s3}k3K`kFu>>-2Q$QMFfPW!La{h336o>X zu_CMttHv6zR;&ZNiS=X8v3CR#fknUxHUxJ0uoBa_M6WNWeqIg~6QE69c9o#eyhGvpiOA@W-aonk<7r1(?fC{oI5N*U!4 zfg=2N-7=cNnjjOr{yriy6mMFgG#l znCF=fnQv8CDz++o6_Lscl}eQ+l^ZHARH>?_s@|##Rr6KLRFA1%Q+=*RRWnoLsR`7U zt5vFIcfW3@?wFpwUVxrVZ>QdQz32KIeJ}k~{cZZE^+ya? z2D1z#2HOnI7(B%_ac?{wFUQ;QQA1tBKtrWrm0_3Rgps+?Jfqb{jYbcQX~taRB;#$y zZN{S}1|}gUOHJxc?wV3fxuz+mJ4`!F$IZ;mqRrNsHJd##*D~ju=bP7?-?v~|cv>vB zsJ6IeNwVZxrdjT`yl#bBIa#GxRa#xMMy;K#CDyyGyQdMSxlWT#tDe?p!?5wT$+oGt z8L;Kp2HUQ-ZMJ=3XJQv;x5ci*?vuTfeY$;({XGW_huIFR9a(?@3)XSs8O^N5RyOM=TTmp(3=8^+zpz2r)C z^>JO{deZfso3oq3?Wo(Y?l$ge?uXo;%ru`Vo>?<<(8I_>;8Eq#KMS9gFl*neeosSB zfoHYnBQIkwkyowPu(zdms`p{<7e4kra-ZWq<2*OsGTvEV%s0Td$hXT+!*8Bnh2KMe zBmZRodjHV?r+_5^X9J0WL4jKW`}lf%A-|44I@@LTvf1rHjG(ze6+w@Jt%Bvjts!X0 z?2xS?_ve_-kiKB_KiJlZ$9G`c^=E@oNG)mWWaNo-3TIW8)$Hg0Ub-~8?KhvJ>$ z3*&nim@mj(aCxE5!t{lw7O5^0EIO7zOo&c6l<+|iDySBWCGrz@C5{St!X3hAA}`T4 z(TLbXTq+(;@<=L8dXnssyft|w#WSTW<++3>sgS%(4NTpeI-VAqb|7ssJvzNHgOZVu zaYCvgO_R1~>SyL=cFU|~g|hy|Zi}}s9+d~lYqOB71z9Z$wnC=pR9Yz4DhIM>Wmjgu z&56o6maCpC&F##y%G;1PobR9i?GnNg;gYtchD%p19a!eQtZF&3JaKv33gZ<8D~47E ztUS1iwkmDaPpj=$m#%)jCVEY4fnLGNg2A-`YwHVD3gv};>)hAvT~AmqS>Lr``i7kw zJ{5_It`yrBmlc25DBO7E8;5VoznR>Ww5hAaxn$2~(q`%A-YuS64wkBy=9dm`4cXeX z4c}I@?e+FW+b@^RDBHV(wnMq2zdX3SWv9u`%{xC-q*U}&`cyXV(%rRT*Z6MH?i+i& z_B8C(+grT%{XWUQ+f@NoP1R=AW&26{v-dx)iK^-Nmiuj8txj!m?Z*Ss1N{dh4z}01 z)YTo*JycSU)+_5r4#yw9{+;i4Ee$peRgIj+;v;ZGdF1K$3E%e~4LaI(jC-u%2h$&R z9cLXcYC@Xwnns&bn)_Q~Te?roKGD|d-g^8;+aC{{G(1^(O7m37Y1-+6)01cN&y1aw zoqc{T`P^XJqPBbIW6s}d4{z_f5Om?vMgNQEJG?v2T=KYd^0M3I6IZxbny)%vZR&LD zJpPl@Psh8QyPB@KTx+@RdcC!KX7}kEo;S|j^u2lU7XQ}Oo;f|;z4Ll+_r>@1-xl3| zawq-H%e&ckC+@AhPrP6BKT#_XdT7&;F71j}Joy zkC~6lh7E@6o;W@^IpRNZ{ptLtL(gQ-CY~4mqW;US7Zxvm_|@yz&e53Bp_lTPlfP|z zrTyx_>lv@x#=^!PzR7qqF<$gm`|ZJZ+;<)Cqu&ot2z=0000WV@Og>004R=004l4008;_004mL004C`008P>0026e000+nl3&F} z0005CNklR0gKSMcQL z5IlMBSwXJ~p1f$O5H)FCm|h%mcr9pZ9s05!PBRbE$d4YazTb zEL0!>TY-qBv=5Tx@abSsUKqFp<}Pe6K(hiYpp5CJ&E`Yk;KD!+ldBNjf}6z&Q0rkF zhKFZa_T~wjHRI0oa4KJauM$|JRZ4yM=ND4B_v87@&io9UFsF zg$+Q$&S`&EsXx>4*sa1zU1g^{xm5@Xt#?bM+<*!wp*w>j0A-c3alha3`+YZHSZ|#I z20%kdIm#Codov(*0SbDA7ytkO07*qoM6N<$f+=wLcmMzZ From f61d4a0d383d9ccc9513c35f09f1290a4292a5d1 Mon Sep 17 00:00:00 2001 From: earthlng Date: Tue, 15 Sep 2020 11:55:28 +0000 Subject: [PATCH 163/657] Update prefsCleaner.sh --- prefsCleaner.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/prefsCleaner.sh b/prefsCleaner.sh index d8185cd..c9d92d9 100644 --- a/prefsCleaner.sh +++ b/prefsCleaner.sh @@ -2,7 +2,7 @@ ## prefs.js cleaner for Linux/Mac ## author: @claustromaniac -## version: 1.2 +## version: 1.3 ## special thanks to @overdodactyl and @earthlng for a few snippets that I stol..*cough* borrowed from the updater.sh @@ -58,7 +58,7 @@ echo -e "\n\n" echo " ╔══════════════════════════╗" echo " ║ prefs.js cleaner ║" echo " ║ by claustromaniac ║" -echo " ║ v1.2 ║" +echo " ║ v1.3 ║" echo " ╚══════════════════════════╝" echo -e "\nThis script should be run from your Firefox profile directory.\n" echo "It will remove any entries from prefs.js that also exist in user.js." @@ -90,7 +90,7 @@ select option in Start Help Exit; do echo "4. Rename or copy your latest backup to prefs.js." echo "5. Run Firefox and see if you notice anything wrong with it." echo "6. If you do notice something wrong, especially with your extensions, and/or with the UI, go to about:support, and restart Firefox with add-ons disabled. Then, restart it again normally, and see if the problems were solved." - echo -e "If you are able to identify the cause of your issues, please bring it up on ghacks-user.js GitHub repository.\n" + echo -e "If you are able to identify the cause of your issues, please bring it up on the arkenfox user.js GitHub repository.\n" ;; Exit) fQuit 0 From 42b7650d42a781b66d94516b4a849d253ef05cc8 Mon Sep 17 00:00:00 2001 From: earthlng Date: Tue, 15 Sep 2020 11:58:52 +0000 Subject: [PATCH 164/657] v2.8: arkenfox --- updater.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/updater.sh b/updater.sh index ddd5266..7ab21d4 100755 --- a/updater.sh +++ b/updater.sh @@ -1,8 +1,8 @@ #!/usr/bin/env bash -## ghacks-user.js updater for macOS and Linux +## arkenfox user.js updater for macOS and Linux -## version: 2.7 +## version: 2.8 ## Author: Pat Johnson (@overdodactyl) ## Additional contributors: @earthlng, @ema-pe, @claustromaniac @@ -55,14 +55,14 @@ show_banner () { echo -e "${BBLUE} ############################################################################ #### #### - #### ghacks user.js #### + #### arkenfox user.js #### #### Hardening the Privacy and Security Settings of Firefox #### #### Maintained by @Thorin-Oakenpants and @earthlng #### #### Updater for macOS and Linux by @overdodactyl #### #### #### ############################################################################" echo -e "${NC}\n" - echo -e "Documentation for this script is available here: ${CYAN}https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.3-Updater-Scripts${NC}\n" + echo -e "Documentation for this script is available here: ${CYAN}https://github.com/arkenfox/user.js/wiki/3.3-Updater-Scripts${NC}\n" } ######################### @@ -195,7 +195,7 @@ update_updater () { return 0 # User signified not to check for updates fi - declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/updater.sh')" + declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/updater.sh')" [ -z "${tmpfile}" ] && echo -e "${RED}Error! Could not download updater.sh${NC}" && return 1 # check if download failed if [[ $(get_updater_version "${SCRIPT_DIR}/updater.sh") < $(get_updater_version "${tmpfile}") ]]; then @@ -250,7 +250,7 @@ remove_comments () { # expects 2 arguments: from-file and to-file # Applies latest version of user.js and any custom overrides update_userjs () { - declare -r newfile="$(download_file 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js')" + declare -r newfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/user.js')" [ -z "${newfile}" ] && echo -e "${RED}Error! Could not download user.js${NC}" && return 1 # check if download failed echo -e "Please observe the following information: @@ -370,7 +370,7 @@ if [ $# != 0 ]; then ESR=true ;; r) - tfile="$(download_file 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js')" + tfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/user.js')" [ -z "${tfile}" ] && echo -e "${RED}Error! Could not download user.js${NC}" && exit 1 # check if download failed mv $tfile "${tfile}.js" echo -e "${ORANGE}Warning: user.js was saved to temporary file ${tfile}.js${NC}" From ee3e5f01863dd99e7cd485aa0be335b7d8c45fbe Mon Sep 17 00:00:00 2001 From: earthlng Date: Tue, 15 Sep 2020 12:04:54 +0000 Subject: [PATCH 165/657] v4.12: arkenfox --- updater.bat | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/updater.bat b/updater.bat index 0e883be..7783860 100644 --- a/updater.bat +++ b/updater.bat @@ -1,12 +1,12 @@ @ECHO OFF & SETLOCAL EnableDelayedExpansion -TITLE ghacks user.js updater +TITLE arkenfox user.js updater -REM ## ghacks-user.js updater for Windows +REM ## arkenfox user.js updater for Windows REM ## author: @claustromaniac -REM ## version: 4.11 -REM ## instructions: https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.3-Updater-Scripts +REM ## version: 4.12 +REM ## instructions: https://github.com/arkenfox/user.js/wiki/3.3-Updater-Scripts -SET v=4.11 +SET v=4.12 VERIFY ON CD /D "%~dp0" @@ -52,7 +52,7 @@ IF DEFINED _updateb ( REM Uncomment the next line and comment out the PowerShell call for testing. REM COPY /B /Y "!_myname!.bat" "[updated]!_myname!.bat" >nul ( - PowerShell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/updater.bat', '[updated]!_myname!.bat')" + PowerShell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/arkenfox/user.js/master/updater.bat', '[updated]!_myname!.bat')" ) >nul 2>&1 IF EXIST "[updated]!_myname!.bat" ( START /min CMD /C "[updated]!_myname!.bat" !_myparams! @@ -111,7 +111,7 @@ IF NOT EXIST user.js ( ECHO: IF NOT DEFINED _ua ( CALL :message "This batch should be run from your Firefox profile directory." - ECHO: It will download the latest version of ghacks user.js from github and then + ECHO: It will download the latest version of arkenfox user.js from github and then CALL :message "append any of your own changes from user-overrides.js to it." CALL :message "Visit the wiki for more detailed information." ECHO: @@ -133,7 +133,7 @@ IF DEFINED _log ( IF EXIST user.js.new (DEL /F "user.js.new") CALL :message "Retrieving latest user.js file from github repository..." ( - PowerShell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js', 'user.js.new')" + PowerShell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/arkenfox/user.js/master/user.js', 'user.js.new')" ) >nul 2>&1 IF EXIST user.js.new ( IF DEFINED _rfpalts ( From e1d336a178b784766d05afbd84c8e006001979f4 Mon Sep 17 00:00:00 2001 From: earthlng Date: Tue, 15 Sep 2020 13:36:39 +0000 Subject: [PATCH 166/657] standardize some error codes * 0 : successful termination * 2 : command line syntax error * 1 : catchall for general errors Plus a few text improvements based on unmerged PR https://github.com/arkenfox/user.js/pull/910/commits/4fbb2be98d8d156efd0f172e24cbbf77591ef4fc --- updater.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/updater.sh b/updater.sh index 7ab21d4..a27e98a 100755 --- a/updater.sh +++ b/updater.sh @@ -47,7 +47,7 @@ elif [[ $(command -v 'wget') ]]; then DOWNLOAD_METHOD='wget --max-redirect 3 --quiet -O' else echo -e "${RED}This script requires curl or wget.\nProcess aborted${NC}" - exit 0 + exit 1 fi @@ -76,7 +76,7 @@ usage() { Optional Arguments: -h Show this help message and exit. -p PROFILE Path to your Firefox profile (if different than the dir of this script) - IMPORTANT: if the path includes spaces, wrap the entire argument in quotes. + IMPORTANT: If the path contains spaces, wrap the entire argument in quotes. -l Choose your Firefox profile from a list -u Update updater.sh and execute silently. Do not seek confirmation. -d Do not look for updates to updater.sh. @@ -88,8 +88,8 @@ Optional Arguments: If given a directory, all files inside will be appended recursively. You can pass multiple files or directories by passing a comma separated list. Note: If a directory is given, only files inside ending in the extension .js are appended - IMPORTANT: do not add spaces between files/paths. Ex: -o file1.js,file2.js,dir1 - IMPORTANT: if any files/paths include spaces, wrap the entire argument in quotes. + IMPORTANT: Do not add spaces between files/paths. Ex: -o file1.js,file2.js,dir1 + IMPORTANT: If any file/path contains spaces, wrap the entire argument in quotes. Ex: -o \"override folder\" -n Do not append any overrides, even if user-overrides.js exists. -v Open the resulting user.js file. @@ -104,13 +104,13 @@ Optional Arguments: ######################### # Download files -download_file () { # expects URL as argument ($1) +download_file () { # expects URL as argument ($1) declare -r tf=$(mktemp) $DOWNLOAD_METHOD "${tf}" "$1" && echo "$tf" || echo '' # return the temp-filename or empty string on error } -open_file () { #expects one argument: file_path +open_file () { # expects one argument: file_path if [ "$(uname)" == 'Darwin' ]; then open "$1" elif [ "$(uname -s | cut -c -5)" == "Linux" ]; then @@ -211,7 +211,7 @@ update_updater () { mv "${tmpfile}" "${SCRIPT_DIR}/updater.sh" chmod u+x "${SCRIPT_DIR}/updater.sh" "${SCRIPT_DIR}/updater.sh" "$@" -d - exit 1 + exit 0 } @@ -375,7 +375,7 @@ if [ $# != 0 ]; then mv $tfile "${tfile}.js" echo -e "${ORANGE}Warning: user.js was saved to temporary file ${tfile}.js${NC}" open_file "${tfile}.js" - exit 1 + exit 0 ;; \?) echo -e "${RED}\n Error! Invalid option: -$OPTARG${NC}" >&2 @@ -383,7 +383,7 @@ if [ $# != 0 ]; then ;; :) echo -e "${RED}Error! Option -$OPTARG requires an argument.${NC}" >&2 - exit 1 + exit 2 ;; esac done From c367beabe38750dfc21cd8c5da27239ed0529845 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 23 Sep 2020 12:20:59 +0000 Subject: [PATCH 167/657] 81-beta --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 05dc94d..bf8cdc3 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 03 Sep 2020 -* version 81-alpha +* date: 23 Sep 2020 +* version 81-beta * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From 4779ea78500031d3e723c211997708743a71073a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 27 Sep 2020 00:47:09 +0000 Subject: [PATCH 168/657] remove CSP issue, closes #1021 --- .github/ISSUE_TEMPLATE/troubleshooting-help.md | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/troubleshooting-help.md b/.github/ISSUE_TEMPLATE/troubleshooting-help.md index 9585395..4ed3b19 100644 --- a/.github/ISSUE_TEMPLATE/troubleshooting-help.md +++ b/.github/ISSUE_TEMPLATE/troubleshooting-help.md @@ -17,7 +17,6 @@ Before you proceed... See also: - Extension breakage due to prefs [issue 391](https://github.com/arkenfox/user.js/issues/391) - Prefs vs Recommended Extensions: Co-Existance+Enhancement | Conflicts [issue 350](https://github.com/arkenfox/user.js/issues/350) - - The extension CSP header modification game [issue 664](https://github.com/arkenfox/user.js/issues/664) If you still need help, help us help you by providing relevant information: - browser version From 2391874e044be303e14f405e9c06e07c13c6dc6c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 28 Sep 2020 19:04:08 +0000 Subject: [PATCH 169/657] UI setting change in 81 https://bugzilla.mozilla.org/show_bug.cgi?id=1613468 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index bf8cdc3..bdb7224 100644 --- a/user.js +++ b/user.js @@ -1124,7 +1124,7 @@ user_pref("dom.webaudio.enabled", false); /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); /* 2601: prevent accessibility services from accessing your browser [RESTART] - * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser + * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser [FF80 or lower] * [1] https://support.mozilla.org/kb/accessibility-services ***/ user_pref("accessibility.force_disabled", 1); /* 2602: disable sending additional analytics to web servers From 421f1e361c772e70d1e59f528b7d0aa1f2290f68 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 29 Sep 2020 06:10:57 +0000 Subject: [PATCH 170/657] [ ] are for for prefs only --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index bdb7224..6eed776 100644 --- a/user.js +++ b/user.js @@ -1124,7 +1124,7 @@ user_pref("dom.webaudio.enabled", false); /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); /* 2601: prevent accessibility services from accessing your browser [RESTART] - * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser [FF80 or lower] + * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower) * [1] https://support.mozilla.org/kb/accessibility-services ***/ user_pref("accessibility.force_disabled", 1); /* 2602: disable sending additional analytics to web servers From a56ba859363f87d45b860b51560a9a3072f33b84 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 2 Oct 2020 08:33:27 +0000 Subject: [PATCH 171/657] remove dom.IntersectionObserver.enabled #1026 - this was made inactive in v68 - since at least FF79, when active as false, it breaks the web and browser consoles - it breaks websites - it breaks extensions: e.g. uBO panel functionality - it does nothing to mitigate possible fingerprinting (which was why it was initially added as a concern) - i.e the API only provided a standardized method, it does not stop previous/earlier workarounds --- user.js | 5 ----- 1 file changed, 5 deletions(-) diff --git a/user.js b/user.js index 6eed776..7f02fdf 100644 --- a/user.js +++ b/user.js @@ -1073,11 +1073,6 @@ user_pref("javascript.options.asmjs", false); * [NOTE] In FF71+ this no longer affects extensions (1576254) * [1] https://developer.mozilla.org/docs/WebAssembly ***/ user_pref("javascript.options.wasm", false); -/* 2426: disable Intersection Observer API [FF55+] - * [1] https://developer.mozilla.org/docs/Web/API/Intersection_Observer_API - * [2] https://w3c.github.io/IntersectionObserver/ - * [3] https://bugzilla.mozilla.org/1243846 ***/ - // user_pref("dom.IntersectionObserver.enabled", false); /* 2429: enable (limited but sufficient) window.opener protection [FF65+] * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] From e89f9a5d8997210f6c9ee089e5000a2dcb244613 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 2 Oct 2020 08:36:15 +0000 Subject: [PATCH 172/657] dom.IntersectionObserver.enabled commit: https://github.com/arkenfox/user.js/commit/a56ba859363f87d45b860b51560a9a3072f33b84 issue: #1026 --- scratchpad-scripts/arkenfox-clear-removed.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 25da048..8ade622 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 14-Sept-2020 + Last updated: 2-Oct-2020 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -223,6 +223,8 @@ 'browser.search.region', /* 79-beta */ 'browser.urlbar.usepreloadedtopurls.enabled', + /* 80 */ + 'dom.IntersectionObserver.enabled', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] From d5ccf4693b7cac1f9d04255187a735d51691d7a6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 7 Oct 2020 02:43:51 +1300 Subject: [PATCH 173/657] fixup font prefs vs RFP, fixes #1025 (#1028) - make 1401 inactive: it affects RFP's FPing - remove old warning/setup-web: we do not care about documenting breakage or FPing risks when we have a warning and they are inactive. If someone uses them, that's on them - new warnings --- user.js | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index 7f02fdf..f559dae 100644 --- a/user.js +++ b/user.js @@ -794,9 +794,9 @@ user_pref("security.insecure_connection_text.enabled", true); // [FF60+] user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); /* 1401: disable websites choosing fonts (0=block, 1=allow) * This can limit most (but not all) JS font enumeration which is a high entropy fingerprinting vector - * [SETUP-WEB] Can break some PDFs (missing text). Limiting to default fonts can "uglify" the web + * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4618) * [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Allow pages to choose... ***/ -user_pref("browser.display.use_document_fonts", 0); + // user_pref("browser.display.use_document_fonts", 0); /* 1403: disable icon fonts (glyphs) and local fallback rendering * [1] https://bugzilla.mozilla.org/789788 * [2] https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/ @@ -812,9 +812,8 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); user_pref("gfx.font_rendering.graphite.enabled", false); /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed - * [NOTE] in FF80 RFP restricts the whitelist to bundled and "Base Fonts" - * ...and in FF81+ the whitelist **overrides** RFP's font visibility (see 4618) - * [WARNING] Creating your own probably highly-unique whitelist will raise your entropy. + * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4618) + * [NOTE] In FF81+ the whitelist **overrides** RFP's font visibility (see 4618) * [1] https://bugzilla.mozilla.org/1121643 ***/ // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] From c90341ddedf7e0c1ae1256d647a9470d056602c1 Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 7 Oct 2020 12:10:24 +0000 Subject: [PATCH 174/657] 1244: HTTPS-Only mode update (#1031) --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index f559dae..54efc6f 100644 --- a/user.js +++ b/user.js @@ -736,7 +736,7 @@ user_pref("security.mixed_content.block_display_content", true); user_pref("security.mixed_content.block_object_subrequest", true); /* 1244: enable HTTPS-Only mode [FF76+] * When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored - * [WARNING] This is experimental, see [1] and you can't set exceptions if FPI is enabled, see [2] + * [WARNING] This is experimental [1] and you can't set exceptions if FPI is enabled [2] (fixed in FF83) * [SETTING] to add site exceptions: Page Info>Permissions>Use insecure HTTP (FF80+) * [SETTING] Privacy & Security>HTTPS-Only Mode (FF80+ with browser.preferences.exposeHTTPSOnly = true) * [1] https://bugzilla.mozilla.org/1613063 [META] From 0e10a820d9f69a446ea526ffc8a93900b8c6a620 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 13 Oct 2020 14:01:41 +0000 Subject: [PATCH 175/657] 81 final --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 54efc6f..03acb59 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 23 Sep 2020 -* version 81-beta +* date: 13 Oct 2020 +* version 81 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From f591a8adf84346797704f683b76e6a582ecf6fcb Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 13 Oct 2020 14:12:53 +0000 Subject: [PATCH 176/657] 82-alpha, 82 deprecated, remove old deprecated --- user.js | 105 ++++---------------------------------------------------- 1 file changed, 7 insertions(+), 98 deletions(-) diff --git a/user.js b/user.js index 03acb59..e2a9466 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js * date: 13 Oct 2020 -* version 81 +* version 82-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -160,10 +160,6 @@ user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/ user_pref("geo.provider.ms-windows-location", false); // [WINDOWS] user_pref("geo.provider.use_corelocation", false); // [MAC] user_pref("geo.provider.use_gpsd", false); // [LINUX] -/* 0206: disable geographically specific results/search engines e.g. "browser.search.*.US" - * i.e. ignore all of Mozilla's various search engines in multiple locales ***/ -user_pref("browser.search.geoSpecificDefaults", false); -user_pref("browser.search.geoSpecificDefaults.url", ""); /* 0207: disable region updates * [1] https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html ***/ user_pref("browser.region.network.url", ""); // [FF78+] @@ -1691,99 +1687,12 @@ user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); // [-] https://bugzilla.mozilla.org/1603712 user_pref("intl.charset.fallback.override", "windows-1252"); // * * * / -// ***/ - -/* ESR68.x still uses all the following prefs -// [NOTE] replace the * with a slash in the line above to re-enable them -// FF69 -// 1405: disable WOFF2 (Web Open Font Format) [FF35+] - // [-] https://bugzilla.mozilla.org/1556991 - // user_pref("gfx.downloadable_fonts.woff2.enabled", false); -// 1802: enforce click-to-play for plugins - // [-] https://bugzilla.mozilla.org/1519434 -user_pref("plugins.click_to_play", true); // [DEFAULT: true FF25+] -// 2033: disable autoplay for muted videos [FF63+] - replaced by 'media.autoplay.default' options (2030) - // [-] https://bugzilla.mozilla.org/1562331 - // user_pref("media.autoplay.allow-muted", false); -// * * * / -// FF71 -// 2608: disable WebIDE and ADB extension download - // [1] https://trac.torproject.org/projects/tor/ticket/16222 - // [-] https://bugzilla.mozilla.org/1539462 -user_pref("devtools.webide.enabled", false); // [DEFAULT: false FF70+] -user_pref("devtools.webide.autoinstallADBExtension", false); // [FF64+] -// 2731: enforce websites to ask to store data for offline use - // [1] https://support.mozilla.org/questions/1098540 - // [2] https://bugzilla.mozilla.org/959985 - // [-] https://bugzilla.mozilla.org/1574480 -user_pref("offline-apps.allow_by_default", false); -// * * * / -// FF72 -// 0105a: disable Activity Stream telemetry - // [-] https://bugzilla.mozilla.org/1597697 -user_pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", ""); -// 0330: disable Hybdrid Content telemetry - // [-] https://bugzilla.mozilla.org/1520491 -user_pref("toolkit.telemetry.hybridContent.enabled", false); // [FF59+] -// 2720: enforce IndexedDB (IDB) as enabled - // IDB is required for extensions and Firefox internals (even before FF63 in [1]) - // To control *website* IDB data, control allowing cookies and service workers, or use - // Temporary Containers. To mitigate *website* IDB, FPI helps (4001), and/or sanitize - // on close (Offline Website Data, see 2800) or on-demand (Ctrl-Shift-Del), or automatically - // via an extension. Note that IDB currently cannot be sanitized by host. - // [1] https://blog.mozilla.org/addons/2018/08/03/new-backend-for-storage-local-api/ - // [-] https://bugzilla.mozilla.org/1488583 -user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true] -// * * * / -// FF74 -// 0203: use Mozilla geolocation service instead of Google when geolocation is enabled - // Optionally enable logging to the console (defaults to false) - // [-] https://bugzilla.mozilla.org/1613627 -user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); - // user_pref("geo.wifi.logging.enabled", true); // [HIDDEN PREF] -// 1704: set behaviour on "+ Tab" button to display container menu [FF53+] [SETUP-CHROME] - // 0=no menu (default), 1=show when clicked, 2=show on long press - // [1] https://bugzilla.mozilla.org/1328756 - // [-] https://bugzilla.mozilla.org/1606265 -user_pref("privacy.userContext.longPressBehavior", 2); -// 2012: limit WebGL - // [-] https://bugzilla.mozilla.org/1477756 -user_pref("webgl.disable-extensions", true); -// * * * / -// FF76 -// 0401: sanitize blocklist url - // [2] https://trac.torproject.org/projects/tor/ticket/16931 - // [-] https://bugzilla.mozilla.org/1618188 -user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/"); -// 2201: prevent websites from disabling new window features - // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1507375,1660524 -user_pref("dom.disable_window_open_feature.close", true); -user_pref("dom.disable_window_open_feature.location", true); // [DEFAULT: true] -user_pref("dom.disable_window_open_feature.menubar", true); -user_pref("dom.disable_window_open_feature.minimizable", true); -user_pref("dom.disable_window_open_feature.personalbar", true); // bookmarks toolbar -user_pref("dom.disable_window_open_feature.resizable", true); // [DEFAULT: true] -user_pref("dom.disable_window_open_feature.status", true); // [DEFAULT: true] -user_pref("dom.disable_window_open_feature.titlebar", true); -user_pref("dom.disable_window_open_feature.toolbar", true); -// * * * / -// FF77 -// 0850e: disable location bar one-off searches [FF51+] - // [-] https://bugzilla.mozilla.org/1628926 - // user_pref("browser.urlbar.oneOffSearches", false); -// 2605: block web content in file processes [FF55+] - // [SETUP-WEB] You may want to disable this for corporate or developer environments - // [1] https://bugzilla.mozilla.org/1343184 - // [-] https://bugzilla.mozilla.org/1603007 -user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false); -// * * * / -// FF78 -// 2031: disable autoplay of HTML5 media if you interacted with the site [FF66+] - replaced by 'media.autoplay.blocking_policy' - // [-] https://bugzilla.mozilla.org/1509933 -user_pref("media.autoplay.enabled.user-gestures-needed", false); -// 5000's: disable chrome animations - replaced FF77+ by 'ui.prefersReducedMotion' (4520) - // [-] https://bugzilla.mozilla.org/1640501 - // user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+] +// FF82 +// 0206: disable geographically specific results/search engines e.g. "browser.search.*.US" + // i.e. ignore all of Mozilla's various search engines in multiple locales + // [-] https://bugzilla.mozilla.org/1619926 +user_pref("browser.search.geoSpecificDefaults", false); +user_pref("browser.search.geoSpecificDefaults.url", ""); // * * * / // ***/ From 0adfddd1e2ab18b3fcbc45f6d04c4d9394149d6a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 21 Oct 2020 00:58:20 +1300 Subject: [PATCH 177/657] misc (#1040) * misc - cleanup of old release notation in comments: e.g. if it's not applicable to ESR78+ - same with default version info - simplify and save bytes on section 4700 - update 4500 header - and unify the message about using extensions as counterproductive - letterboxing - provide info on stepped ranged (and drop crap about FF67) - don't judge users who dislike seeing margins (I don't like them either, but I force my window to exact dimensions and stay there) - screenshots uploading was disabled in FF67+ : [67 release notes](https://www.mozilla.org/en-US/firefox/67.0/releasenotes/) - the pref is still there (default false) but so far I'm 99% sure this pref now does anything - I will add it to the scatchpad script if this change sticks * simplify 4500 RFP, see #1041 * update removed script * tidy readme, see #1045 - also put readme before releases * RIP FX Site Compat * clean out RFP Alts info: the information is redundant: it's already in the readme --- scratchpad-scripts/arkenfox-clear-removed.js | 6 +- user.js | 254 ++++++++----------- 2 files changed, 110 insertions(+), 150 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 8ade622..c5e40fd 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 2-Oct-2020 + Last updated: 18-Oct-2020 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -225,6 +225,10 @@ 'browser.urlbar.usepreloadedtopurls.enabled', /* 80 */ 'dom.IntersectionObserver.enabled', + /* 82-beta */ + 'extensions.screenshots.upload-disabled', + 'security.ssl3.dhe_rsa_aes_128_sha', + 'security.ssl3.dhe_rsa_aes_256_sha', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] diff --git a/user.js b/user.js index e2a9466..7cdf263 100644 --- a/user.js +++ b/user.js @@ -5,40 +5,34 @@ * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt -* releases: These are end-of-stable-life-cycle legacy archives. - *Always* use the master branch user.js for a current up-to-date version - url: https://github.com/arkenfox/user.js/releases - * README: - 0. Consider using Tor Browser if it meets your needs or fits your threat model better - * https://www.torproject.org/about/torusers.html.en - 1. READ the full README - * https://github.com/arkenfox/user.js/blob/master/README.md - 2. READ this - * https://github.com/arkenfox/user.js/wiki/1.3-Implementation - 3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum - * Real time binary checks with Google services are disabled (0412) - * You will still get prompts to update Firefox, but auto-installing them is disabled (0302a) - * Some user data is erased on close (section 2800). Change this to suit your needs - * EACH RELEASE check: - - 4600s: reset prefs made redundant due to privacy.resistFingerprinting (RPF) - or enable them as an alternative to RFP (or some of them for ESR users) - - 9999s: reset deprecated prefs in about:config or enable the relevant section for ESR - * Site breakage WILL happen - - There are often trade-offs and conflicts between Security vs Privacy vs Anti-Fingerprinting - and these need to be balanced against Functionality & Convenience & Breakage - * You will need to make changes, and to troubleshoot at times (choose wisely, there is always a trade-off). - While not 100% definitive, search for "[SETUP". If required, add each pref to your overrides section at - default values (or comment them out and reset them in about:config). Here are the main ones: + 1. Consider using Tor Browser if it meets your needs or fits your threat model better + * https://www.torproject.org/about/torusers.html.en + 2. Required reading: Overview, Backing Up, Implementing, and Maintenance entries + * https://github.com/arkenfox/user.js/wiki + 3. If you skipped step 2, return to step 2 + 4. Make changes + * There are often trade-offs and conflicts between security vs privacy vs anti-fingerprinting + and these need to be balanced against functionality & convenience & breakage + * Some site breakage and unintended consequences will happen. Everyone's experience will differ + e.g. some user data is erased on close (section 2800), change this to suit your needs + * While not 100% definitive, search for "[SETUP" tags + * Take the wiki link in step 2 and read the Troubleshooting entry + 5. Some tag info [SETUP-SECURITY] it's one item, read it [SETUP-WEB] can cause some websites to break - [SETUP-CHROME] changes how Firefox itself behaves (i.e. NOT directly website related) + [SETUP-CHROME] changes how Firefox itself behaves (i.e. not directly website related) [SETUP-PERF] may impact performance - [SETUP-HARDEN] maybe you should consider using the Tor Browser - * [WARNING] tags are extra special and used sparingly, so heed them - 4. BACKUP your profile folder before implementing (and/or test in a new/cloned profile) - 5. KEEP UP TO DATE: https://github.com/arkenfox/user.js/wiki#small_orange_diamond-maintenance + [WARNING] used sparingly, heed them + +* RELEASES + + * Archive: https://github.com/arkenfox/user.js/releases + * Use the correct release that matches your Firefox version + * Each release + - run the prefsCleaner or reset deprecated prefs (9999s) and prefs made redundant by RFP (4600s) + - re-enable section 4600 if you don't use RFP * INDEX: @@ -68,7 +62,7 @@ 4000: FPI (FIRST PARTY ISOLATION) 4500: RFP (RESIST FINGERPRINTING) 4600: RFP ALTERNATIVES - 4700: RFP ALTERNATIVES (NAVIGATOR / USER AGENT (UA) SPOOFING) + 4700: RFP ALTERNATIVES (USER AGENT SPOOFING) 5000: PERSONAL 9999: DEPRECATED / REMOVED / LEGACY / RENAMED @@ -340,10 +334,8 @@ user_pref("extensions.systemAddon.update.url", ""); // [FF44+] /* 0506: disable PingCentre telemetry (used in several System Add-ons) [FF57+] * Currently blocked by 'datareporting.healthreport.uploadEnabled' (see 0340) ***/ user_pref("browser.ping-centre.telemetry", false); -/* 0515: disable Screenshots - * alternatively in FF60+, disable uploading to the Screenshots server ***/ +/* 0515: disable Screenshots ***/ // user_pref("extensions.screenshots.disabled", true); // [FF55+] - // user_pref("extensions.screenshots.upload-disabled", true); // [FF60+] /* 0517: disable Form Autofill * [NOTE] Stored data is NOT secure (uses a JSON file) * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes @@ -365,7 +357,7 @@ user_pref("network.prefetch-next", false); /* 0602: disable DNS prefetching * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/ user_pref("network.dns.disablePrefetch", true); -user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true FF70+] +user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true] /* 0603: disable predictor / prefetching ***/ user_pref("network.predictor.enabled", false); user_pref("network.predictor.enable-prefetch", false); // [FF48+] @@ -417,8 +409,7 @@ user_pref("network.http.altsvc.oe", false); * as a remote Tor node will handle the DNS request * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/ user_pref("network.proxy.socks_remote_dns", true); -/* 0708: disable FTP [FF60+] - * [1] https://www.fxsitecompat.dev/en-CA/docs/2020/ftp-support-will-be-removed/ ***/ +/* 0708: disable FTP [FF60+] ***/ // user_pref("network.ftp.enabled", false); /* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+] * [SETUP-CHROME] Can break extensions for profiles on network shares @@ -546,8 +537,7 @@ user_pref("signon.formlessCapture.enabled", false); * hardens against potential credentials phishing * 0=don't allow sub-resources to open HTTP authentication credentials dialogs * 1=don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs - * 2=allow sub-resources to open HTTP authentication credentials dialogs (default) - * [1] https://www.fxsitecompat.com/en-CA/docs/2015/http-auth-dialog-can-no-longer-be-triggered-by-cross-origin-resources/ ***/ + * 2=allow sub-resources to open HTTP authentication credentials dialogs (default) ***/ user_pref("network.auth.subresource-http-auth-allow", 1); /*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS @@ -648,7 +638,7 @@ user_pref("security.ssl.require_safe_negotiation", true); * [STATS] Firefox telemetry (June 2020) shows only 0.16% of SSL handshakes use 1.0 or 1.1 * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint. * [1] https://www.ssllabs.com/ssl-pulse/ ***/ - // user_pref("security.tls.version.min", 3); // [DEFAULT: 3 FF78+] + // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] // user_pref("security.tls.version.max", 4); /* 1203: enforce TLS 1.0 and 1.1 downgrades as session only */ user_pref("security.tls.version.enable-deprecated", false); @@ -753,10 +743,6 @@ user_pref("security.mixed_content.block_object_subrequest", true); * [2] https://en.wikipedia.org/wiki/Meet-in-the-middle_attack * [3] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ***/ // user_pref("security.ssl3.rsa_des_ede3_sha", false); -/* 1263: disable DHE (Diffie-Hellman Key Exchange) - * [1] https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH ***/ - // user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); // [DEFAULT: false FF78+] - // user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); // [DEFAULT: false FF78+] /* 1264: disable the remaining non-modern cipher suites as of FF78 (in order of preferred by FF) ***/ // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); @@ -783,7 +769,7 @@ user_pref("browser.ssl_override_behavior", 1); * [TEST] https://expired.badssl.com/ ***/ user_pref("browser.xul.error_pages.expert_bad_cert", true); /* 1273: display "insecure" icon and "Not Secure" text on HTTP sites ***/ - // user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true FF70+] + // user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true] user_pref("security.insecure_connection_text.enabled", true); // [FF60+] /*** [SECTION 1400]: FONTS ***/ @@ -819,9 +805,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false); harden it a bit: set XOriginPolicy (1603) to 1 (as per the settings below) harden it a bit more: set XOriginPolicy (1603) to 2 (and optionally 1604 to 1 or 2), expect breakage --- - If you want any REAL control over referers and breakage, then use an extension. Either: - uMatrix: limited by scope, all requests are spoofed or not-spoofed - Smart Referrer: granular with source<->destination, whitelists + If you want any REAL control over referers and breakage, then use an extension --- full URI: https://example.com:8888/foo/bar.html?id=1234 scheme+host+port+path: https://example.com:8888/foo/bar.html @@ -981,9 +965,6 @@ user_pref("dom.popup_allowed_events", "click dblclick"); including service and shared workers. Shared workers can be utilized by multiple scripts and communicate between browsing contexts (windows/tabs/iframes) and can even control your cache. - [NOTE] uMatrix 1.2.0+ allows a per-scope control for workers (2301-deprecated) and service workers (2302) - #Required reading [#] https://github.com/gorhill/uMatrix/releases/tag/1.2.0 - [1] Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API [2] Worker: https://developer.mozilla.org/docs/Web/API/Worker [3] Service Worker: https://developer.mozilla.org/docs/Web/API/Service_Worker_API @@ -1065,7 +1046,6 @@ user_pref("javascript.options.asmjs", false); // user_pref("javascript.options.baselinejit", false); // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF] /* 2422: disable WebAssembly [FF52+] [SETUP-PERF] - * [NOTE] In FF71+ this no longer affects extensions (1576254) * [1] https://developer.mozilla.org/docs/WebAssembly ***/ user_pref("javascript.options.wasm", false); /* 2429: enable (limited but sufficient) window.opener protection [FF65+] @@ -1250,14 +1230,13 @@ user_pref("security.dialog_enable_delay", 700); user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!"); /* 2701: disable 3rd-party cookies and site-data [SETUP-WEB] * 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies, - * 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (FF63+) (default FF69+) + * 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (default) * [NOTE] You can set exceptions under site permissions or use an extension * [NOTE] Enforcing category to custom ensures ETP related prefs are always honored * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/ user_pref("network.cookie.cookieBehavior", 1); user_pref("browser.contentblocking.category", "custom"); -/* 2702: set third-party cookies (i.e ALL) (if enabled, see 2701) to session-only - and (FF58+) set third-party non-secure (i.e HTTP) cookies to session-only +/* 2702: set third-party cookies (if enabled, see 2701) to session-only [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones * [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/ @@ -1388,72 +1367,67 @@ user_pref("privacy.firstparty.isolate", true); user_pref("privacy.partition.network_state", true); /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING) - This master switch will be used for a wide range of items, many of which will - **override** existing prefs from FF55+, often providing a **better** solution + RFP covers a wide range of ongoing fingerprinting solutions. + It is an all-or-nothing buy in: you cannot pick and choose what parts you want - IMPORTANT: As existing prefs become redundant, and some of them WILL interfere - with how RFP works, they will be moved to section 4600 and made inactive + [WARNING] Do NOT use extensions to alter RFP protected metrics + [WARNING] Do NOT use prefs in section 4600 with RFP as they can interfere - ** 418986 - limit window.screen & CSS media queries leaking identifiable info (FF41+) - [NOTE] Info only: To set a size, open a XUL (chrome) page (such as about:config) which is at - 100% zoom, hit Shift+F4 to open the scratchpad, type window.resizeTo(1366,768), hit Ctrl+R to run. - Test your window size, do some math, resize to allow for all the non inner window elements + FF41+ + 418986 - limit window.screen & CSS media queries leaking identifiable info [TEST] https://arkenfox.github.io/TZP/tzp.html#screen - ** 1281949 - spoof screen orientation (FF50+) - ** 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+) - FF53: Fixes GetSupportedNames in nsMimeTypeArray and nsPluginArray (1324044) - ** 1330890 - spoof timezone as UTC 0 (FF55+) - FF58: Date.toLocaleFormat deprecated (818634) - FF60: Date.toLocaleDateString and Intl.DateTimeFormat fixed (1409973) - ** 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) (FF55+) - This spoof *shouldn't* affect core chrome/Firefox performance - ** 1217238 - reduce precision of time exposed by javascript (FF55+) - ** 1369303 - spoof/disable performance API (see 2410-deprecated, 4602, 4603) (FF56+) - ** 1333651 & 1383495 & 1396468 - spoof User Agent & Navigator API (see section 4700) (FF56+) - FF56: Version: rounded down to the nearest multiple of 10 - FF57: Version: match current ESR (1393283, 1418672, 1418162, 1511763) - FF59: OS: Windows, OSX, Android, or Linux (to reduce breakage) (1404608) - FF66: OS: HTTP Headers reduced to Windows or Android (1509829) - FF68: OS: updated to Windows 10, OS 10.14, and Android 8.1 (1511434) - FF78: OS: updated to OS 10.15 and Android 9.0 (1635011) - ** 1369319 - disable device sensor API (see 4604) (FF56+) - ** 1369357 - disable site specific zoom (see 4605) (FF56+) - ** 1337161 - hide gamepads from content (see 4606) (FF56+) - ** 1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true (see 4607) (FF56+) - ** 1333641 - reduce fingerprinting in WebSpeech API (see 4608) (FF56+) - ** 1372069 & 1403813 & 1441295 - block geolocation requests (same as denying a site permission) (see 0201, 0202) (FF56-62) - ** 1369309 - spoof media statistics (see 4610) (FF57+) - ** 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) (FF57+) - ** 1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12) (FF57+) - ** 1382545 - reduce fingerprinting in Animation API (FF57+) - ** 1354633 - limit MediaError.message to a whitelist (FF57+) - ** 1382533 - enable fingerprinting resistance for Presentation API (FF57+) + FF50+ + 1281949 - spoof screen orientation + 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+) + FF55+ + 1330890 - spoof timezone as UTC 0 + 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) + 1217238 - reduce precision of time exposed by javascript + FF56+ + 1369303 - spoof/disable performance API (see 4602, 4603) + 1333651 - spoof User Agent & Navigator API (see section 4700) + JS: FF78+ the version is spoofed as 78, and the OS as Windows 10, OS 10.15, Android 9, or Linux + HTTP Headers: spoofed as Windows or Android + 1369319 - disable device sensor API (see 4604) + 1369357 - disable site specific zoom (see 4605) + 1337161 - hide gamepads from content (see 4606) + 1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true (see 4607) + 1333641 - reduce fingerprinting in WebSpeech API (see 4608) + FF57+ + 1369309 - spoof media statistics (see 4610) + 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) + 1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12) + 1382545 - reduce fingerprinting in Animation API + 1354633 - limit MediaError.message to a whitelist + 1382533 - enable fingerprinting resistance for Presentation API This blocks exposure of local IP Addresses via mDNS (Multicast DNS) - ** 967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction (FF58+) - FF59: Added to site permissions panel (1413780) Only prompt when triggered by user input (1376865) - ** 1372073 - spoof/block fingerprinting in MediaDevices API (FF59+) + FF58+ + 967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction + FF59+ + 1372073 - spoof/block fingerprinting in MediaDevices API Spoof: enumerate devices reports one "Internal Camera" and one "Internal Microphone" if media.navigator.enabled is true (see 2505 which we chose to keep disabled) Block: suppresses the ondevicechange event (see 4612) - ** 1039069 - warn when language prefs are set to non en-US (see 0210, 0211) (FF59+) - ** 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59+) + 1039069 - warn when language prefs are set to non en-US (see 0210, 0211) + 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events Spoofing mimics the content language of the document. Currently it only supports en-US. Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected. - FF60: Fix keydown/keyup events (1438795) - ** 1337157 - disable WebGL debug renderer info (see 4613) (FF60+) - ** 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+) - ** 1479239 - return "no-preference" with prefers-reduced-motion (see 4614) (FF63+) - ** 1363508 - spoof/suppress Pointer Events (see 4615) (FF64+) + FF60-67 + 1337157 - disable WebGL debug renderer info (see 4613) (FF60+) + 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+) + 1479239 - return "no-preference" with prefers-reduced-motion (see 4614) (FF63+) + 1363508 - spoof/suppress Pointer Events (see 4615) (FF64+) FF65: pointerEvent.pointerid (1492766) - ** 1485266 - disable exposure of system colors to CSS or canvas (see 4616) (FF67+) - ** 1407366 - enable inner window letterboxing (see 4504) (FF67+) - ** 1494034 - return "light" with prefers-color-scheme (see 4617) (FF67+) - [1] https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme - ** 1564422 - spoof audioContext outputLatency (FF70+) - ** 1595823 - spoof audioContext sampleRate (FF72+) - ** 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) - ** 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) - ** 1653987 - limit font visibility to bundled and "Base Fonts" (see 4618) (non-ANDROID) (FF80+) + 1485266 - disable exposure of system colors to CSS or canvas (see 4616) (FF67+) + 1407366 - enable inner window letterboxing (see 4504) (FF67+) + 1494034 - return "light" with prefers-color-scheme (see 4617) (FF67+) + FF68-77 + 1564422 - spoof audioContext outputLatency (FF70+) + 1595823 - spoof audioContext sampleRate (FF72+) + 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) + FF78+ + 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) + 1653987 - limit font visibility to bundled and "Base Fonts" (see 4618) (non-ANDROID) (FF80+) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] @@ -1470,22 +1444,22 @@ user_pref("privacy.resistFingerprinting", true); // user_pref("privacy.window.maxInnerWidth", 1000); // user_pref("privacy.window.maxInnerHeight", 1000); /* 4503: disable mozAddonManager Web API [FF57+] - * [NOTE] As a side-effect in FF57-59 this allowed extensions to work on AMO. In FF60+ you also need - * to sanitize or clear extensions.webextensions.restrictedDomains (see 2662) to keep that side-effect + * [NOTE] To allow extensions to work on AMO, you also need 2662 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF] /* 4504: enable RFP letterboxing [FF67+] - * Dynamically resizes the inner window (FF67; 200w x100h: FF68+; stepped ranges) by applying letterboxing, - * using dimensions which waste the least content area, If you use the dimension pref, then it will only apply - * those resolutions. The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900") - * [SETUP-WEB] This does NOT require RFP (see 4501) **for now**, so if you're not using 4501, or you are but you're - * not taking anti-fingerprinting seriously and a little visual change upsets you, then feel free to flip this pref + * Dynamically resizes the inner window by applying margins in stepped ranges, see [2] + * If you use the dimension pref, then it will only apply those resolutions. The format is + * "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900") + * [SETUP-WEB] This does NOT require RFP (see 4501) **for now**, so if you're not using 4501, or you are but + * dislike margins being applied, then flip this pref, keeping in mind that it is effectively fingerprintable * [WARNING] The dimension pref is only meant for testing, and we recommend you DO NOT USE it - * [1] https://bugzilla.mozilla.org/1407366 ***/ + * [1] https://bugzilla.mozilla.org/1407366 + * [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] // user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF] /* 4510: disable showing about:blank as soon as possible during startup [FF60+] - * When default true (FF62+) this no longer masks the RFP chrome resizing activity + * When default true this no longer masks the RFP chrome resizing activity * [1] https://bugzilla.mozilla.org/1448423 ***/ user_pref("browser.startup.blankWindow", false); /* 4520: disable chrome animations [FF77+] [RESTART] @@ -1493,15 +1467,7 @@ user_pref("browser.startup.blankWindow", false); user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] /*** [SECTION 4600]: RFP ALTERNATIVES - * non-RFP users: - Enable the whole section (see the SETUP tag below) - * RFP users: - Make sure these are reset in about:config. They are redundant. In fact, some - even cause RFP to not behave as you would expect and alter your fingerprint - * ESR RFP users: - Reset those *up to and including* your version. Add those *after* your version - as active prefs in your overrides. This is assuming that the patch wasn't also - backported to Firefox ESR. Backporting RFP patches to ESR is rare. + [WARNING] Do NOT use prefs in this section with RFP as they can interfere ***/ user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan"); /* [SETUP-non-RFP] Non-RFP users replace the * with a slash on this line to enable these @@ -1600,32 +1566,22 @@ user_pref("layout.css.font-visibility.level", 1); // * * * / // ***/ -/*** [SECTION 4700]: RFP ALTERNATIVES (NAVIGATOR / USER AGENT (UA) SPOOFING) - This is FYI ONLY. These prefs are INSUFFICIENT(a) on their own, you need - to use RFP (4500) or an extension, in which case they become POINTLESS. - (a) Many of the components that make up your UA can be derived by other means. - And when those values differ, you provide more bits and raise entropy. - Examples of leaks include workers, navigator objects, date locale/formats, - iframes, headers, tcp/ip attributes, feature detection, and **many** more. - ALL values below intentionally left blank - use RFP, or get a vetted, tested - extension and mimic RFP values to *lower* entropy, or randomize to *raise* it +/*** [SECTION 4700]: RFP ALTERNATIVES (USER AGENT SPOOFING) + These prefs are insufficient and leak. Use RFP and **nothing else** + - Many of the user agent components can be derived by other means. When those + values differ, you provide more bits and raise entropy. Examples include + workers, iframes, headers, tcp/ip attributes, feature detection, and many more + - Web extensions also lack APIs to fully protect spoofing ***/ user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow"); -/* 4701: navigator.userAgent ***/ - // user_pref("general.useragent.override", ""); // [HIDDEN PREF] -/* 4702: navigator.buildID - * Revealed build time down to the second. In FF64+ it now returns a fixed timestamp - * [1] https://bugzilla.mozilla.org/583181 - * [2] https://www.fxsitecompat.com/en-CA/docs/2018/navigator-buildid-now-returns-a-fixed-timestamp/ ***/ - // user_pref("general.buildID.override", ""); // [HIDDEN PREF] -/* 4703: navigator.appName ***/ +/* 4701: navigator DOM object overrides + * [WARNING] DO NOT USE ***/ // user_pref("general.appname.override", ""); // [HIDDEN PREF] -/* 4704: navigator.appVersion ***/ // user_pref("general.appversion.override", ""); // [HIDDEN PREF] -/* 4705: navigator.platform ***/ - // user_pref("general.platform.override", ""); // [HIDDEN PREF] -/* 4706: navigator.oscpu ***/ + // user_pref("general.buildID.override", ""); // [HIDDEN PREF] // user_pref("general.oscpu.override", ""); // [HIDDEN PREF] + // user_pref("general.platform.override", ""); // [HIDDEN PREF] + // user_pref("general.useragent.override", ""); // [HIDDEN PREF] /*** [SECTION 5000]: PERSONAL Non-project related but useful. If any of these interest you, add them to your overrides ***/ From 9f9988527250b2797b1864dce18f5dae7a0dc547 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 20 Oct 2020 12:57:00 +0000 Subject: [PATCH 178/657] clean up acknowledgments --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 32849d5..ec755c6 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,6 @@ Also be aware that the `arkenfox user.js` is made specifically for desktop Firef - [diffs](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+label%3Adiffs) ### 🟥 acknowledgments -Literally thousands of sources, references and suggestions. Special mention to: +Literally thousands of sources, references and suggestions. Many thanks, and much appreciated. - * This [12bytes article](https://12bytes.org/articles/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs) which uses the `arkenfox user.js` and supplements it with an additional JS hosted at [Codeberg](https://codeberg.org/12bytes.org/Firefox-user.js-supplement) From 26d47684475830af4c9f16daae55cfce020113ca Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 21 Oct 2020 13:44:21 +0000 Subject: [PATCH 179/657] add media.autoplay.blocking_policy --- scratchpad-scripts/troubleshooter.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/troubleshooter.js b/scratchpad-scripts/troubleshooter.js index a33d803..9284132 100644 --- a/scratchpad-scripts/troubleshooter.js +++ b/scratchpad-scripts/troubleshooter.js @@ -1,5 +1,5 @@ -/*** arkenfox user.js troubleshooter.js v1.6.1 ***/ +/*** arkenfox user.js troubleshooter.js v1.6.2 ***/ (function() { @@ -62,6 +62,7 @@ 'dom.webaudio.enabled', 'media.autoplay.enabled', 'media.autoplay.default', // FF63+ + 'media.autoplay.blocking_policy', // FF78+ /* Forms */ 'browser.formfill.enable', From e14732aad3a90a62ee15649c2c8694724ef87802 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 24 Oct 2020 12:29:31 +1300 Subject: [PATCH 180/657] 2031: better reference: closes #1022 (#1048) --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 7cdf263..96c3b3c 100644 --- a/user.js +++ b/user.js @@ -932,8 +932,9 @@ user_pref("media.getusermedia.audiocapture.enabled", false); // user_pref("media.autoplay.default", 5); /* 2031: disable autoplay of HTML5 media if you interacted with the site [FF78+] * 0=sticky (default), 1=transient, 2=user + * Firefox's Autoplay Policy Documentation [PDF] is linked below via SUMO * [NOTE] If you have trouble with some video sites, then add an exception (see 2030) - * [1] https://html.spec.whatwg.org/multipage/interaction.html#sticky-activation ***/ + * [1] https://support.mozilla.org/questions/1293231 ***/ user_pref("media.autoplay.blocking_policy", 2); /*** [SECTION 2200]: WINDOW MEDDLING & LEAKS / POPUPS ***/ From c45780d79bc047568e486ac181a3a9b39df85b60 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 26 Oct 2020 10:34:54 +0000 Subject: [PATCH 181/657] 0701 PHP localhost + IPv6, fixes #1053 --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index 96c3b3c..1eabb13 100644 --- a/user.js +++ b/user.js @@ -378,6 +378,7 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost * [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, * then this won't make much difference. If you are masking your IP, then it can only help. + * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" * [TEST] https://ipleak.org/ * [1] https://github.com/arkenfox/user.js/issues/437#issuecomment-403740626 * [2] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/ From ac52886ea8c54f2bee386456459c1d34c09cf265 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 26 Oct 2020 23:37:49 +1300 Subject: [PATCH 182/657] 2422 WASM, add reason for disabling, fixes #1037 (#1054) --- user.js | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 1eabb13..0b49739 100644 --- a/user.js +++ b/user.js @@ -1047,8 +1047,14 @@ user_pref("javascript.options.asmjs", false); // user_pref("javascript.options.ion", false); // user_pref("javascript.options.baselinejit", false); // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF] -/* 2422: disable WebAssembly [FF52+] [SETUP-PERF] - * [1] https://developer.mozilla.org/docs/WebAssembly ***/ +/* 2422: disable WebAssembly [FF52+] + * Vulnerabilities have increasingly been found, including those known and fixed + * in native programs years ago [2]. WASM has powerful low-level access, making + * certain attacks (brute-force) and vulnerabilities more possible + * [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising [2][3] + * [1] https://developer.mozilla.org/docs/WebAssembly + * [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly + * [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/ user_pref("javascript.options.wasm", false); /* 2429: enable (limited but sufficient) window.opener protection [FF65+] * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ From 07cccd538618f27d9a120db292b19999150bb111 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 3 Nov 2020 06:05:40 +1300 Subject: [PATCH 183/657] remove 4003: partition, see #1051 (#1057) --- scratchpad-scripts/arkenfox-clear-removed.js | 3 +- user.js | 43 ++++++++------------ 2 files changed, 20 insertions(+), 26 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index c5e40fd..4e824dc 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 18-Oct-2020 + Last updated: 02-Nov-2020 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -227,6 +227,7 @@ 'dom.IntersectionObserver.enabled', /* 82-beta */ 'extensions.screenshots.upload-disabled', + 'privacy.partition.network_state', 'security.ssl3.dhe_rsa_aes_128_sha', 'security.ssl3.dhe_rsa_aes_256_sha', /* reset parrot: check your open about:config after running the script */ diff --git a/user.js b/user.js index 0b49739..955004d 100644 --- a/user.js +++ b/user.js @@ -1331,28 +1331,24 @@ user_pref("privacy.cpd.siteSettings", false); // Site Preferences user_pref("privacy.sanitize.timeSpan", 0); /*** [SECTION 4000]: FPI (FIRST PARTY ISOLATION) - 4001: FPI - ** 1278037 - isolate indexedDB (FF51+) - ** 1277803 - isolate favicons (FF52+) - ** 1264562 - isolate OCSP cache (FF52+) - ** 1268726 - isolate Shared Workers (FF52+) - ** 1316283 - isolate SSL session cache (FF52+) - ** 1317927 - isolate media cache (FF53+) - ** 1323644 - isolate HSTS and HPKP (FF54+) - ** 1334690 - isolate HTTP Alternative Services (FF54+) - ** 1334693 - isolate SPDY/HTTP2 (FF55+) - ** 1337893 - isolate DNS cache (FF55+) - ** 1344170 - isolate blob: URI (FF55+) - ** 1300671 - isolate data:, about: URLs (FF55+) - ** 1473247 - isolate IP addresses (FF63+) - ** 1492607 - isolate postMessage with targetOrigin "*" (requires 4002) (FF65+) - ** 1542309 - isolate top-level domain URLs when host is in the public suffix list (FF68+) - ** 1506693 - isolate pdfjs range-based requests (FF68+) - ** 1330467 - isolate site permissions (FF69+) - ** 1534339 - isolate IPv6 (FF73+) - 4003: NETWORK PARTITON - ** 1647732 - isolate font cache (FF80+) - ** 1649673 - isolate speculative connections (FF80+) + 1278037 - indexedDB (FF51+) + 1277803 - favicons (FF52+) + 1264562 - OCSP cache (FF52+) + 1268726 - Shared Workers (FF52+) + 1316283 - SSL session cache (FF52+) + 1317927 - media cache (FF53+) + 1323644 - HSTS and HPKP (FF54+) + 1334690 - HTTP Alternative Services (FF54+) + 1334693 - SPDY/HTTP2 (FF55+) + 1337893 - DNS cache (FF55+) + 1344170 - blob: URI (FF55+) + 1300671 - data:, about: URLs (FF55+) + 1473247 - IP addresses (FF63+) + 1492607 - postMessage with targetOrigin "*" (requires 4002) (FF65+) + 1542309 - top-level domain URLs when host is in the public suffix list (FF68+) + 1506693 - pdfjs range-based requests (FF68+) + 1330467 - site permissions (FF69+) + 1534339 - IPv6 (FF73+) ***/ user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out"); /* 4001: enable First Party Isolation [FF51+] @@ -1370,9 +1366,6 @@ user_pref("privacy.firstparty.isolate", true); * [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/ // user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true] // user_pref("privacy.firstparty.isolate.block_post_message", true); -/* 4003: enable site partitioning (FF78+) - * [1] https://bugzilla.mozilla.org/1590107 [META] */ -user_pref("privacy.partition.network_state", true); /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING) RFP covers a wide range of ongoing fingerprinting solutions. From 910d7004c691837cfb2bcfb3ebb71933dd96a0b0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 11 Nov 2020 16:12:57 +0000 Subject: [PATCH 184/657] release info, fixes #1042 now we have somewhere to add things like HTTPS-Only Mode, appCache, secure downloads when we make changes that impact ESR --- user.js | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index 955004d..41aa7f8 100644 --- a/user.js +++ b/user.js @@ -26,13 +26,17 @@ [SETUP-PERF] may impact performance [WARNING] used sparingly, heed them -* RELEASES +* RELEASES: https://github.com/arkenfox/user.js/releases - * Archive: https://github.com/arkenfox/user.js/releases - * Use the correct release that matches your Firefox version - * Each release - - run the prefsCleaner or reset deprecated prefs (9999s) and prefs made redundant by RFP (4600s) + * It is best to use the arkenfox release that is optimized for and matches your Firefox version + * EVERYONE: each release + - run prefsCleaner or reset deprecated prefs (9999s) and prefs made redundant by RPF (4600s) - re-enable section 4600 if you don't use RFP + ESR78 + - If you are not using arkenfox v78... (not a definitive list) + - 1401: document fonts is inactive as it is now covered by RFP in FF80+ + - 4600: some prefs may apply even if you use RFP (currently none apply as of FF84) + - 9999: switch the appropriate deprecated section(s) back on * INDEX: From accef19af474c4aba5534325f465d45c5fb85ea1 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 11 Nov 2020 16:27:43 +0000 Subject: [PATCH 185/657] add LSNG, fixes #1059 --- user.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/user.js b/user.js index 41aa7f8..caad195 100644 --- a/user.js +++ b/user.js @@ -1280,6 +1280,8 @@ user_pref("browser.cache.offline.enable", false); /* 2755: disable Storage Access API [FF65+] * [1] https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API ***/ // user_pref("dom.storage_access.enabled", false); +/* 2760: enable Local Storage Next Generation (LSNG) [FF65+] ***/ +user_pref("dom.storage.next_gen", true); /*** [SECTION 2800]: SHUTDOWN You should set the values to what suits you best. From f2fe7f02b01068be6413fa1cb7e8e65295db7527 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 11 Nov 2020 16:59:27 +0000 Subject: [PATCH 186/657] add 2624: window.name protection, fixes #1012 --- user.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/user.js b/user.js index caad195..c21b2d6 100644 --- a/user.js +++ b/user.js @@ -1183,6 +1183,10 @@ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] * for these will show/use their correct 3rd party origin * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion */ user_pref("permissions.delegation.enabled", false); +/* 2624: enable "window.name" protection [FF82+] + * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original + * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks ***/ +user_pref("privacy.window.name.update.enabled", true); /** DOWNLOADS ***/ /* 2650: discourage downloading to desktop From f7bee988de76778bd0ae0911e1b96b9852634974 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 11 Nov 2020 18:08:06 +0000 Subject: [PATCH 187/657] 0517: add creditCards.available / defense-in-depth see https://github.com/arkenfox/user.js/issues/1038#issuecomment-713643850 --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index c21b2d6..a960ad5 100644 --- a/user.js +++ b/user.js @@ -347,6 +347,7 @@ user_pref("browser.ping-centre.telemetry", false); * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] user_pref("extensions.formautofill.available", "off"); // [FF56+] +user_pref("extensions.formautofill.creditCards.available", false); // [FF57+] user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] /* 0518: disable Web Compatibility Reporter [FF56+] From 8dc43cfdc21edc6e7b208bf0779869c3cacf22ac Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 11 Nov 2020 18:20:13 +0000 Subject: [PATCH 188/657] RFP 82+ changes Note - this is not the same as 2517 which disables the API - RFP does not determine what is supported or not supported: so that entropy remains - with or without RFP, if the media config is not supported it returns false,false (so there is nothing to spoof here) --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index a960ad5..0004cef 100644 --- a/user.js +++ b/user.js @@ -1440,6 +1440,7 @@ user_pref("privacy.firstparty.isolate", true); FF78+ 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) 1653987 - limit font visibility to bundled and "Base Fonts" (see 4618) (non-ANDROID) (FF80+) + 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82+) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] From ea0eb85404bc742a72c6ab3db877ecbc7fe95c3c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 11 Nov 2020 18:23:00 +0000 Subject: [PATCH 189/657] 82-beta --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 0004cef..bf75735 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 13 Oct 2020 -* version 82-alpha +* date: 11 Nov 2020 +* version 82-beta * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From d6186819f4e914dae416cebcd20896b34f5295c7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 11 Nov 2020 18:42:29 +0000 Subject: [PATCH 190/657] domIntersectionObserver it was removed after 81-beta was released --- scratchpad-scripts/arkenfox-clear-removed.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 4e824dc..46886f4 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -223,9 +223,8 @@ 'browser.search.region', /* 79-beta */ 'browser.urlbar.usepreloadedtopurls.enabled', - /* 80 */ - 'dom.IntersectionObserver.enabled', /* 82-beta */ + 'dom.IntersectionObserver.enabled', 'extensions.screenshots.upload-disabled', 'privacy.partition.network_state', 'security.ssl3.dhe_rsa_aes_128_sha', From 5b0d173078a4ec96904e8895b6f1d5ba0463b47e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 13 Nov 2020 00:55:45 +0000 Subject: [PATCH 191/657] 82 final --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index bf75735..d0d86fd 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 11 Nov 2020 -* version 82-beta +* date: 12 Nov 2020 +* version 82 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From ccbca41e2d73fa63908fd87c2a7d35615016e7f7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 13 Nov 2020 01:03:29 +0000 Subject: [PATCH 192/657] start 83 alpha, fixup 1244 setting info `browser.preferences.exposeHTTPSOnly` is now default true --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index d0d86fd..3d6dc70 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js * date: 12 Nov 2020 -* version 82 +* version 83-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -730,7 +730,7 @@ user_pref("security.mixed_content.block_object_subrequest", true); * When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored * [WARNING] This is experimental [1] and you can't set exceptions if FPI is enabled [2] (fixed in FF83) * [SETTING] to add site exceptions: Page Info>Permissions>Use insecure HTTP (FF80+) - * [SETTING] Privacy & Security>HTTPS-Only Mode (FF80+ with browser.preferences.exposeHTTPSOnly = true) + * [SETTING] Privacy & Security>HTTPS-Only Mode * [1] https://bugzilla.mozilla.org/1613063 [META] * [2] https://bugzilla.mozilla.org/1647829 ***/ // user_pref("dom.security.https_only_mode", true); // [FF76+] From c6ddda1aa3e3000336e3e421d6af21f62208c7cf Mon Sep 17 00:00:00 2001 From: earthlng Date: Tue, 17 Nov 2020 19:17:59 +0000 Subject: [PATCH 193/657] Update troubleshooter.js - add `privacy.window.name.update.enabled` - remove `media.autoplay.enabled` (removed in FF63) - remove `dom.indexedDB.enabled` (removed in FF72) --- scratchpad-scripts/troubleshooter.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/scratchpad-scripts/troubleshooter.js b/scratchpad-scripts/troubleshooter.js index 9284132..cce4069 100644 --- a/scratchpad-scripts/troubleshooter.js +++ b/scratchpad-scripts/troubleshooter.js @@ -17,7 +17,6 @@ /* Storage + Cache */ 'browser.cache.offline.enable', - 'dom.indexedDB.enabled', 'dom.storage.enabled', 'browser.storageManager.enabled', 'dom.storageManager.enabled', @@ -60,7 +59,6 @@ /* Audio + Video */ 'dom.webaudio.enabled', - 'media.autoplay.enabled', 'media.autoplay.default', // FF63+ 'media.autoplay.blocking_policy', // FF78+ @@ -103,6 +101,7 @@ 'network.protocol-handler.external.ms-windows-store', 'privacy.trackingprotection.enabled', 'security.data_uri.block_toplevel_data_uri_navigations', + 'privacy.window.name.update.enabled', // FF82+ 'last.one.without.comma' ] From ef93a754cee4425efe373d6abe77dbb276380b1b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 21 Nov 2020 01:49:19 +0000 Subject: [PATCH 194/657] warnings always come after notes --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 3d6dc70..8a9e0f3 100644 --- a/user.js +++ b/user.js @@ -800,8 +800,8 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); user_pref("gfx.font_rendering.graphite.enabled", false); /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed - * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4618) * [NOTE] In FF81+ the whitelist **overrides** RFP's font visibility (see 4618) + * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4618) * [1] https://bugzilla.mozilla.org/1121643 ***/ // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] From 94712f59a3aa2064255ca8e90ca0f6f4ae0a47d3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 22 Nov 2020 17:05:34 +0000 Subject: [PATCH 195/657] 83 final --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 8a9e0f3..02273d7 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 12 Nov 2020 -* version 83-alpha +* date: 22 Nov 2020 +* version 83 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From 0189438e46980406ca5ab15b2158606329e8a352 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 22 Nov 2020 17:11:31 +0000 Subject: [PATCH 196/657] start 84-alpha --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 02273d7..cfbb273 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js * date: 22 Nov 2020 -* version 83 +* version 84-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From 699eacf1fdfc5f1f0a6394ecda306c3300d4c16c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 23 Nov 2020 06:21:31 +1300 Subject: [PATCH 197/657] add FPI scheme, closes #1066 (#1067) --- user.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/user.js b/user.js index cfbb273..a7728ba 100644 --- a/user.js +++ b/user.js @@ -1377,6 +1377,10 @@ user_pref("privacy.firstparty.isolate", true); * [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/ // user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true] // user_pref("privacy.firstparty.isolate.block_post_message", true); +/* 4003: enable scheme with FPI [FF78+] + * [NOTE] Experimental: existing data and site permissions are incompatible + * and some site exceptions may not work e.g. HTTPS-only mode (see 1244) ***/ + // user_pref("privacy.firstparty.isolate.use_site", true); /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING) RFP covers a wide range of ongoing fingerprinting solutions. From a7e4268d8b956f05b5fa01415cadd7ed43bd9f8c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 22 Nov 2020 17:25:33 +0000 Subject: [PATCH 198/657] 2730 appCache, closes #1055 --- user.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index a7728ba..a445871 100644 --- a/user.js +++ b/user.js @@ -1268,8 +1268,10 @@ user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+] * [WARNING] This will break a LOT of sites' functionality AND extensions! * You are better off using an extension for more granular control ***/ // user_pref("dom.storage.enabled", false); -/* 2730: disable offline cache ***/ -user_pref("browser.cache.offline.enable", false); +/* 2730: enforce no offline cache storage (appCache) + * The API is easily fingerprinted, use the "storage" pref instead ***/ + // user_pref("browser.cache.offline.enable", false); +user_pref("browser.cache.offline.storage.enable", false); // [FF71+] [DEFAULT: false FF84+] /* 2740: disable service worker cache and cache storage * [NOTE] We clear service worker cache on exiting Firefox (see 2803) * [1] https://w3c.github.io/ServiceWorker/#privacy ***/ From 91cbc1e09a15c2fb5ad151529712f4326a6b7308 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 22 Nov 2020 17:59:44 +0000 Subject: [PATCH 199/657] HTTPS-Only mode, closes #1047 --- user.js | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index a445871..34d13dc 100644 --- a/user.js +++ b/user.js @@ -34,6 +34,7 @@ - re-enable section 4600 if you don't use RFP ESR78 - If you are not using arkenfox v78... (not a definitive list) + - 1244: HTTPS-Only mode is enabled - 1401: document fonts is inactive as it is now covered by RFP in FF80+ - 4600: some prefs may apply even if you use RFP (currently none apply as of FF84) - 9999: switch the appropriate deprecated section(s) back on @@ -728,14 +729,22 @@ user_pref("security.mixed_content.block_display_content", true); user_pref("security.mixed_content.block_object_subrequest", true); /* 1244: enable HTTPS-Only mode [FF76+] * When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored - * [WARNING] This is experimental [1] and you can't set exceptions if FPI is enabled [2] (fixed in FF83) - * [SETTING] to add site exceptions: Page Info>Permissions>Use insecure HTTP (FF80+) + * [SETTING] to add site exceptions: Page Info>HTTPS-Only mode>On/Off/Off temporarily * [SETTING] Privacy & Security>HTTPS-Only Mode + * [TEST] http://example.com [upgrade] + * [TEST] http://neverssl.org/ [no upgrade] * [1] https://bugzilla.mozilla.org/1613063 [META] * [2] https://bugzilla.mozilla.org/1647829 ***/ - // user_pref("dom.security.https_only_mode", true); // [FF76+] +user_pref("dom.security.https_only_mode", true); // [FF76+] // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+] - // user_pref("dom.security.https_only_mode.upgrade_local", true); // [FF77+] +/* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/ + // user_pref("dom.security.https_only_mode.upgrade_local", true); +/* 1246: disable HTTP background requests [FF82+] + * When attempting to upgrade, if the server doesn't respond within 3 seconds, firefox + * sends HTTP requests requests in order to check if the server supports HTTPS or not. + * This is done to avoid waiting for a timeout which takes 90 seconds + * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/ +user_pref("dom.security.https_only_mode_send_http_background_request", false); /** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] * These are all the ciphers still using SHA-1 and CBC which are weaker than the available alternatives. (see "Cipher Suites" in [1]) From cf53982086633cfae7f4d79f07dd0ebd6b785b16 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 22 Nov 2020 18:15:25 +0000 Subject: [PATCH 200/657] 1244: CRLite, closes #1065 --- user.js | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/user.js b/user.js index 34d13dc..eee9baf 100644 --- a/user.js +++ b/user.js @@ -717,6 +717,15 @@ user_pref("security.family_safety.mode", 0); * by inspecting ALL your web traffic, then leave at current default=1 * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 ***/ user_pref("security.cert_pinning.enforcement_level", 2); +/* 1224: enforce CRLite [FF73+] + * In FF84+ it covers valid certs and in mode 2 doesn't fall back to OCSP, see [2] + * [1] https://bugzilla.mozilla.org/1429800 [META] + * [2] https://bugzilla.mozilla.org/1670985 + * [3] https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/ + * [4] https://blog.mozilla.org/security/2020/01/09/crlite-part-2-end-to-end-design/ + * [5] https://blog.mozilla.org/security/2020/01/21/crlite-part-3-speeding-up-secure-browsing/ ***/ +user_pref("security.remote_settings.crlite_filters.enabled", true); +user_pref("security.pki.crlite_mode", 2); /** MIXED CONTENT ***/ /* 1240: enforce no insecure active content on https pages From fa85c9da5b357726e6f35a138d6b96b977655012 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 23 Nov 2020 10:46:30 +0000 Subject: [PATCH 201/657] fixup double word --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index eee9baf..c3b7b38 100644 --- a/user.js +++ b/user.js @@ -750,7 +750,7 @@ user_pref("dom.security.https_only_mode", true); // [FF76+] // user_pref("dom.security.https_only_mode.upgrade_local", true); /* 1246: disable HTTP background requests [FF82+] * When attempting to upgrade, if the server doesn't respond within 3 seconds, firefox - * sends HTTP requests requests in order to check if the server supports HTTPS or not. + * sends HTTP requests in order to check if the server supports HTTPS or not. * This is done to avoid waiting for a timeout which takes 90 seconds * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/ user_pref("dom.security.https_only_mode_send_http_background_request", false); From 77abf35761c746d703eee454ccefadaa6a2a41a7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 6 Dec 2020 21:09:07 +0000 Subject: [PATCH 202/657] tidy - shrink and remove outdated info from section 0300 header - combine some bugzillas - drop some references - 1647829 for HTTPS-Only mode - hardware metrics: not going to implicitly encourage users to use this pref or tell them what sizes to use - update [STATS] - also remove TLS [STATS].. stats on TLS 1.0 and 1.1 are irrelevant: the default is now TLS 1.2+ - single CRLite reference for all blog articles - save 588 bytes so all you bastards can theoretically load Firefox just that tiny bit faster --- user.js | 45 ++++++++++++++++++--------------------------- 1 file changed, 18 insertions(+), 27 deletions(-) diff --git a/user.js b/user.js index c3b7b38..b6f5990 100644 --- a/user.js +++ b/user.js @@ -172,19 +172,17 @@ user_pref("browser.region.update.enabled", false); // [[FF79+] * [TEST] https://addons.mozilla.org/about ***/ user_pref("intl.accept_languages", "en-US, en"); /* 0211: enforce US English locale regardless of the system locale - * [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages, see [2] - * [1] https://bugzilla.mozilla.org/867501 - * [2] https://bugzilla.mozilla.org/1629630 ***/ + * [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages, see [1] + * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] /*** [SECTION 0300]: QUIET FOX - Starting in user.js v67, we only disable the auto-INSTALL of Firefox. You still get prompts - to update, in one click. We have NEVER disabled auto-CHECKING, and highly discourage that. - Previously we also disabled auto-INSTALLING of extensions (302b). + We only disable the auto-INSTALL of Firefox (app) updates. You still get prompts to update, + and it only takes one click. We highly discourage disabling auto-CHECKING for updates. - There are many legitimate reasons to turn off auto-INSTALLS, including hijacked or monetized - extensions, time constraints, legacy issues, dev/testing, and fear of breakage/bugs. It is - still important to do updates for security reasons, please do so manually if you make changes. + Legitimate reasons to disable auto-INSTALLS include hijacked/monetized extensions, time + constraints, legacy issues, dev/testing, and fear of breakage/bugs. It is still important + to do updates for security reasons, please do so manually if you make changes. ***/ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); /* 0301b: disable auto-CHECKING for extension and theme updates ***/ @@ -221,7 +219,7 @@ user_pref("extensions.htmlaboutaddons.recommendations.enabled", false); * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/ user_pref("toolkit.telemetry.unified", false); -user_pref("toolkit.telemetry.enabled", false); // see [NOTE] above FF58+ +user_pref("toolkit.telemetry.enabled", false); // see [NOTE] user_pref("toolkit.telemetry.server", "data:,"); user_pref("toolkit.telemetry.archive.enabled", false); user_pref("toolkit.telemetry.newProfilePing.enabled", false); // [FF55+] @@ -304,7 +302,7 @@ user_pref("browser.safebrowsing.downloads.remote.url", ""); * [SETTING] Privacy & Security>Security>... "Warn you about unwanted and uncommon software" ***/ // user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); // user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false); -/* 0419: disable 'ignore this warning' on SB warnings +/* 0419: disable 'ignore this warning' on SB warnings [FF45+] * If clicked, it bypasses the block for that session. This is a means for admins to enforce SB * [TEST] see github wiki APPENDIX A: Test Sites: Section 5 * [1] https://bugzilla.mozilla.org/1226490 ***/ @@ -380,7 +378,7 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost /* 0701: disable IPv6 * IPv6 can be abused, especially with MAC addresses, and they do not play nice with VPNs. That's * even assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4 - * [STATS] Firefox telemetry (June 2020) shows only 5% of all connections are IPv6 + * [STATS] Firefox telemetry (Dec 2020) shows ~8% of all connections are IPv6 * [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, * then this won't make much difference. If you are masking your IP, then it can only help. @@ -642,7 +640,6 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); user_pref("security.ssl.require_safe_negotiation", true); /* 1202: control TLS versions with min and max * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 - * [STATS] Firefox telemetry (June 2020) shows only 0.16% of SSL handshakes use 1.0 or 1.1 * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint. * [1] https://www.ssllabs.com/ssl-pulse/ ***/ // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] @@ -718,12 +715,9 @@ user_pref("security.family_safety.mode", 0); * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 ***/ user_pref("security.cert_pinning.enforcement_level", 2); /* 1224: enforce CRLite [FF73+] - * In FF84+ it covers valid certs and in mode 2 doesn't fall back to OCSP, see [2] - * [1] https://bugzilla.mozilla.org/1429800 [META] - * [2] https://bugzilla.mozilla.org/1670985 - * [3] https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/ - * [4] https://blog.mozilla.org/security/2020/01/09/crlite-part-2-end-to-end-design/ - * [5] https://blog.mozilla.org/security/2020/01/21/crlite-part-3-speeding-up-secure-browsing/ ***/ + * In FF84+ it covers valid certs and in mode 2 doesn't fall back to OCSP + * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985 + * [2] https://blog.mozilla.org/security/tag/crlite/ ***/ user_pref("security.remote_settings.crlite_filters.enabled", true); user_pref("security.pki.crlite_mode", 2); @@ -742,8 +736,7 @@ user_pref("security.mixed_content.block_object_subrequest", true); * [SETTING] Privacy & Security>HTTPS-Only Mode * [TEST] http://example.com [upgrade] * [TEST] http://neverssl.org/ [no upgrade] - * [1] https://bugzilla.mozilla.org/1613063 [META] - * [2] https://bugzilla.mozilla.org/1647829 ***/ + * [1] https://bugzilla.mozilla.org/1613063 [META] ***/ user_pref("dom.security.https_only_mode", true); // [FF76+] // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+] /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/ @@ -778,7 +771,7 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); /** UI (User Interface) ***/ /* 1270: display warning on the padlock for "broken security" (if 1201 is false) * Bug: warning padlock not indicated for subresources on a secure page! [2] - * [STATS] SSL Labs (June 2020) reports 98.8% of sites have secure renegotiation [3] + * [STATS] SSL Labs (Dec 2020) reports 99.0% of sites have secure renegotiation [3] * [1] https://wiki.mozilla.org/Security:Renegotiation * [2] https://bugzilla.mozilla.org/1353705 * [3] https://www.ssllabs.com/ssl-pulse/ ***/ @@ -1384,13 +1377,12 @@ user_pref("privacy.sanitize.timeSpan", 0); user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out"); /* 4001: enable First Party Isolation [FF51+] * [SETUP-WEB] May break cross-domain logins and site functionality until perfected - * [1] https://bugzilla.mozilla.org/1260931 - * [2] https://bugzilla.mozilla.org/1299996 [META] ***/ + * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/ user_pref("privacy.firstparty.isolate", true); /* 4002: enforce FPI restriction for window.opener [FF54+] * [NOTE] Setting this to false may reduce the breakage in 4001 * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But - * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute, see [2],[3] + * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute, see [2] [3] * The 2nd pref removes that limitation and will only allow communication if FPDs also match. * [1] https://bugzilla.mozilla.org/1319773#c22 * [2] https://bugzilla.mozilla.org/1492607 @@ -1476,8 +1468,7 @@ user_pref("privacy.resistFingerprinting", true); /* 4502: set new window sizes to round to hundreds [FF55+] [SETUP-CHROME] * Width will round down to multiples of 200s and height to 100s, to fit your screen. * The override values are a starting point to round from if you want some control - * [1] https://bugzilla.mozilla.org/1330882 - * [2] https://hardware.metrics.mozilla.com/ ***/ + * [1] https://bugzilla.mozilla.org/1330882 ***/ // user_pref("privacy.window.maxInnerWidth", 1000); // user_pref("privacy.window.maxInnerHeight", 1000); /* 4503: disable mozAddonManager Web API [FF57+] From 5c37d50f4e0c22df321d57f92c6211c9690f0335 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 7 Dec 2020 19:34:14 +0000 Subject: [PATCH 203/657] tidy - remove useless `see` word for reference links - fixup 0701 - "do not play nice" is not measurable - don't reference to self as a source: people can just search "VPN leak Ipv6" or something --- user.js | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/user.js b/user.js index b6f5990..adf4864 100644 --- a/user.js +++ b/user.js @@ -172,7 +172,7 @@ user_pref("browser.region.update.enabled", false); // [[FF79+] * [TEST] https://addons.mozilla.org/about ***/ user_pref("intl.accept_languages", "en-US, en"); /* 0211: enforce US English locale regardless of the system locale - * [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages, see [1] + * [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] @@ -215,7 +215,7 @@ user_pref("extensions.htmlaboutaddons.recommendations.enabled", false); * IF unified=true then .enabled ONLY controls whether to record extended data * so make sure to have both set as false * [NOTE] FF58+ 'toolkit.telemetry.enabled' is now LOCKED to reflect prerelease - * or release builds (true and false respectively), see [2] + * or release builds (true and false respectively) [2] * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/ user_pref("toolkit.telemetry.unified", false); @@ -376,16 +376,15 @@ user_pref("browser.send_pings.require_same_host", true); // defense-in-depth /*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!"); /* 0701: disable IPv6 - * IPv6 can be abused, especially with MAC addresses, and they do not play nice with VPNs. That's - * even assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4 + * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs. That's even + * assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4 * [STATS] Firefox telemetry (Dec 2020) shows ~8% of all connections are IPv6 * [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, * then this won't make much difference. If you are masking your IP, then it can only help. * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" * [TEST] https://ipleak.org/ - * [1] https://github.com/arkenfox/user.js/issues/437#issuecomment-403740626 - * [2] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/ + * [1] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/ user_pref("network.dns.disableIPv6", true); /* 0702: disable HTTP2 * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to @@ -496,7 +495,7 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); * [1] https://support.mozilla.org/en-US/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/ // user_pref("browser.urlbar.autoFill", false); /* 0860: disable search and form history - * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties, see [1] [2] + * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2] * [NOTE] We also clear formdata on exit (see 2803) * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html @@ -593,7 +592,7 @@ user_pref("browser.sessionstore.privacy_level", 2); /* 1022: disable resuming session from crash ***/ // user_pref("browser.sessionstore.resume_from_crash", false); /* 1023: set the minimum interval between session save operations - * Increasing this can help on older machines and some websites, as well as reducing writes, see [1] + * Increasing this can help on older machines and some websites, as well as reducing writes [1] * Default is 15000 (15 secs). Try 30000 (30 secs), 60000 (1 min) etc * [SETUP-CHROME] This can also affect entries in the "Recently Closed Tabs" feature: * i.e. the longer the interval the more chance a quick tab open/close won't be captured. @@ -805,7 +804,7 @@ user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); * [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/ user_pref("gfx.font_rendering.opentype_svg.enabled", false); /* 1408: disable graphite - * Graphite has had many critical security issues in the past, see [1] + * Graphite has had many critical security issues in the past [1] * [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 * [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/ user_pref("gfx.font_rendering.graphite.enabled", false); @@ -914,7 +913,7 @@ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!"); * [1] https://www.privacytools.io/#webrtc ***/ user_pref("media.peerconnection.enabled", false); /* 2002: limit WebRTC IP leaks if using WebRTC - * In FF70+ these settings match Mode 4 (Mode 3 in older versions), see [3] + * In FF70+ these settings match Mode 4 (Mode 3 in older versions) [3] * [TEST] https://browserleaks.com/webrtc * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713 * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy @@ -1033,7 +1032,7 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket! * [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress * This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website * [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one - * is default false) then enabling this pref can leak clipboard content, see [1] + * is default false) then enabling this pref can leak clipboard content [1] * [1] https://bugzilla.mozilla.org/1528289 */ // user_pref("dom.event.clipboardevents.enabled", false); /* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] @@ -1082,7 +1081,7 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m * Initially a Linux issue (high precision readout) that was fixed. * However, it is still another metric for fingerprinting, used to raise entropy. * e.g. do you have a battery or not, current charging status, charge level, times remaining etc - * [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code, see [1] + * [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code [1] * [1] https://bugzilla.mozilla.org/1313580 ***/ // user_pref("dom.battery.enabled", false); /* 2505: disable media device enumeration [FF29+] @@ -1382,7 +1381,7 @@ user_pref("privacy.firstparty.isolate", true); /* 4002: enforce FPI restriction for window.opener [FF54+] * [NOTE] Setting this to false may reduce the breakage in 4001 * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But - * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute, see [2] [3] + * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute [2][3] * The 2nd pref removes that limitation and will only allow communication if FPDs also match. * [1] https://bugzilla.mozilla.org/1319773#c22 * [2] https://bugzilla.mozilla.org/1492607 @@ -1476,7 +1475,7 @@ user_pref("privacy.resistFingerprinting", true); * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF] /* 4504: enable RFP letterboxing [FF67+] - * Dynamically resizes the inner window by applying margins in stepped ranges, see [2] + * Dynamically resizes the inner window by applying margins in stepped ranges [2] * If you use the dimension pref, then it will only apply those resolutions. The format is * "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900") * [SETUP-WEB] This does NOT require RFP (see 4501) **for now**, so if you're not using 4501, or you are but @@ -1586,7 +1585,7 @@ user_pref("ui.use_standins_for_native_colors", true); user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] // FF80+ // 4618: limit font visbility (non-ANDROID) [FF79+] - // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts, see [1] + // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1] // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts // [NOTE] Bundled fonts are auto-allowed // [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc From 335ee84540f140f417914b17a8e3c4ced4b0fd9b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 9 Dec 2020 09:26:50 +0000 Subject: [PATCH 204/657] remove layout.css.visited_links_enabled, #933 This no longer has any affect since FF77+: see https://bugzilla.mozilla.org/1632765 --- user.js | 8 -------- 1 file changed, 8 deletions(-) diff --git a/user.js b/user.js index adf4864..3396b9b 100644 --- a/user.js +++ b/user.js @@ -455,14 +455,6 @@ user_pref("keyword.enabled", false); user_pref("browser.fixup.alternate.enabled", false); /* 0803: display all parts of the url in the location bar ***/ user_pref("browser.urlbar.trimURLs", false); -/* 0805: disable coloring of visited links - CSS history leak - * [NOTE] This has NEVER been fully "resolved": in Mozilla/docs it is stated it's - * only in 'certain circumstances', also see latest comments in [2] - * [TEST] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use) - * [1] https://dbaron.org/mozilla/visited-privacy - * [2] https://bugzilla.mozilla.org/147777 - * [3] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector ***/ -user_pref("layout.css.visited_links_enabled", false); /* 0807: disable live search suggestions /* [NOTE] Both must be true for the location bar to work * [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine From aa1c2145bb8c43a302f8840bb6f0da56d997701d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 9 Dec 2020 09:30:21 +0000 Subject: [PATCH 205/657] layout.css.visited_links_enabled --- scratchpad-scripts/arkenfox-clear-removed.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 46886f4..fe86fc2 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -229,6 +229,8 @@ 'privacy.partition.network_state', 'security.ssl3.dhe_rsa_aes_128_sha', 'security.ssl3.dhe_rsa_aes_256_sha', + /* 84-beta */ + 'layout.css.visited_links_enabled', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] From feaa1c3e99f658f28dc59d6aa92ed1cfeefbe57d Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 16 Dec 2020 14:40:42 +0000 Subject: [PATCH 206/657] prefs update `browser.storageManager.enabled` -- removed in FF61 (1428306) `security.csp.experimentalEnabled` -- removed in FF68 (1386214) `gfx.downloadable_fonts.woff2.enabled` -- removed in FF69 (1556991) `plugin.sessionPermissionNow.intervalInMinutes` -- removed in FF70 (1581664) `plugin.defaultXpi.state` -- removed in FF72 (1596090) `geo.wifi.uri` -- renamed to `geo.provider.network.url` in FF74 (1613627) `browser.tabs.remote.allowLinkedWebInFileUriProcess` -- removed in FF77 (1603007) --- scratchpad-scripts/troubleshooter.js | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/scratchpad-scripts/troubleshooter.js b/scratchpad-scripts/troubleshooter.js index cce4069..3fec9ca 100644 --- a/scratchpad-scripts/troubleshooter.js +++ b/scratchpad-scripts/troubleshooter.js @@ -1,5 +1,5 @@ -/*** arkenfox user.js troubleshooter.js v1.6.2 ***/ +/*** arkenfox user.js troubleshooter.js v1.6.3 ***/ (function() { @@ -18,7 +18,6 @@ /* Storage + Cache */ 'browser.cache.offline.enable', 'dom.storage.enabled', - 'browser.storageManager.enabled', 'dom.storageManager.enabled', /* Workers, Web + Push Notifications */ @@ -33,7 +32,6 @@ /* Fonts */ 'browser.display.use_document_fonts', 'font.blacklist.underline_offset', - 'gfx.downloadable_fonts.woff2.enabled', 'gfx.font_rendering.graphite.enabled', 'gfx.font_rendering.opentype_svg.enabled', 'layout.css.font-loading-api.enabled', @@ -46,12 +44,10 @@ 'dom.IntersectionObserver.enabled', 'dom.popup_allowed_events', 'full-screen-api.enabled', - 'geo.wifi.uri', 'intl.accept_languages', 'javascript.options.asmjs', 'javascript.options.wasm', 'permissions.default.shortcuts', - 'security.csp.experimentalEnabled', /* Hardware */ 'dom.vr.enabled', @@ -87,13 +83,11 @@ /* Plugins + Flash */ 'plugin.default.state', - 'plugin.defaultXpi.state', - 'plugin.sessionPermissionNow.intervalInMinutes', 'plugin.state.flash', /* unlikely to cause problems */ - 'browser.tabs.remote.allowLinkedWebInFileUriProcess', 'dom.popup_maximum', + 'geo.provider.network.url' 'layout.css.visited_links_enabled', 'mathml.disabled', 'network.auth.subresource-http-auth-allow', From c980bda695df4232c769535fbe19327bf5ae86d8 Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 16 Dec 2020 14:43:46 +0000 Subject: [PATCH 207/657] Update troubleshooter.js oops --- scratchpad-scripts/troubleshooter.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scratchpad-scripts/troubleshooter.js b/scratchpad-scripts/troubleshooter.js index 3fec9ca..4c54f8f 100644 --- a/scratchpad-scripts/troubleshooter.js +++ b/scratchpad-scripts/troubleshooter.js @@ -87,7 +87,7 @@ /* unlikely to cause problems */ 'dom.popup_maximum', - 'geo.provider.network.url' + 'geo.provider.network.url', 'layout.css.visited_links_enabled', 'mathml.disabled', 'network.auth.subresource-http-auth-allow', From 2cfbba14722676f6b6438e2df3a2c53b3ce6c806 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 19 Dec 2020 07:23:13 +0000 Subject: [PATCH 208/657] search-to-tab: FF85+ --- user.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/user.js b/user.js index 3396b9b..f8df1f9 100644 --- a/user.js +++ b/user.js @@ -475,6 +475,10 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); // user_pref("browser.urlbar.suggest.bookmark", false); // user_pref("browser.urlbar.suggest.openpage", false); // user_pref("browser.urlbar.suggest.topsites", false); // [FF78+] +/* 0850b: disable tab-to-search [FF85+] + * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search + * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/ + // user_pref("browser.urlbar.suggest.engines", false); /* 0850c: disable location bar dropdown * This value controls the total number of entries to appear in the location bar dropdown * [NOTE] Items (bookmarks/history/openpages) with a high "frecency"/"bonus" will always From 46bab27f9455fb1c15a8993ddb17cf0c1e9bf672 Mon Sep 17 00:00:00 2001 From: ray851107 <16625236+ray851107@users.noreply.github.com> Date: Fri, 25 Dec 2020 14:02:35 +0000 Subject: [PATCH 209/657] updater.sh: support custom script names (#1075) thanks @ray851107 --- updater.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/updater.sh b/updater.sh index a27e98a..99d9d3b 100755 --- a/updater.sh +++ b/updater.sh @@ -10,9 +10,9 @@ readonly CURRDIR=$(pwd) -sfp=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null) -[ -z "$sfp" ] && sfp=${BASH_SOURCE[0]} -readonly SCRIPT_DIR=$(dirname "${sfp}") +SCRIPT_FILE=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null) +[ -z "$SCRIPT_FILE" ] && SCRIPT_FILE=${BASH_SOURCE[0]} +readonly SCRIPT_DIR=$(dirname "${SCRIPT_FILE}") ######################### @@ -198,7 +198,7 @@ update_updater () { declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/updater.sh')" [ -z "${tmpfile}" ] && echo -e "${RED}Error! Could not download updater.sh${NC}" && return 1 # check if download failed - if [[ $(get_updater_version "${SCRIPT_DIR}/updater.sh") < $(get_updater_version "${tmpfile}") ]]; then + if [[ $(get_updater_version "$SCRIPT_FILE") < $(get_updater_version "${tmpfile}") ]]; then if [ $UPDATE = 'check' ]; then echo -e "There is a newer version of updater.sh available. ${RED}Update and execute Y/N?${NC}" read -p "" -n 1 -r @@ -208,9 +208,9 @@ update_updater () { else return 0 # No update available fi - mv "${tmpfile}" "${SCRIPT_DIR}/updater.sh" - chmod u+x "${SCRIPT_DIR}/updater.sh" - "${SCRIPT_DIR}/updater.sh" "$@" -d + mv "${tmpfile}" "$SCRIPT_FILE" + chmod u+x "$SCRIPT_FILE" + "$SCRIPT_FILE" "$@" -d exit 0 } From 63d1258f2e6a60f412aa095d9e64c36bf64832d2 Mon Sep 17 00:00:00 2001 From: earthlng Date: Fri, 25 Dec 2020 14:03:40 +0000 Subject: [PATCH 210/657] updater.sh v2.9 rollout the latest changes --- updater.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/updater.sh b/updater.sh index 99d9d3b..5f37ebc 100755 --- a/updater.sh +++ b/updater.sh @@ -2,7 +2,7 @@ ## arkenfox user.js updater for macOS and Linux -## version: 2.8 +## version: 2.9 ## Author: Pat Johnson (@overdodactyl) ## Additional contributors: @earthlng, @ema-pe, @claustromaniac From e6cf90146abd67c78bba3206b4d76a6996f77f72 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 25 Dec 2020 15:55:01 +0000 Subject: [PATCH 211/657] add override recipes --- .github/ISSUE_TEMPLATE/troubleshooting-help.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/ISSUE_TEMPLATE/troubleshooting-help.md b/.github/ISSUE_TEMPLATE/troubleshooting-help.md index 4ed3b19..955c367 100644 --- a/.github/ISSUE_TEMPLATE/troubleshooting-help.md +++ b/.github/ISSUE_TEMPLATE/troubleshooting-help.md @@ -15,6 +15,7 @@ Before you proceed... - Note: We do not support forks See also: + - Override Recipes [issue 1080](https://github.com/arkenfox/user.js/issues/1080) - Extension breakage due to prefs [issue 391](https://github.com/arkenfox/user.js/issues/391) - Prefs vs Recommended Extensions: Co-Existance+Enhancement | Conflicts [issue 350](https://github.com/arkenfox/user.js/issues/350) From 0152b38b8bebc9e0ac35998ab9ed19668776f4f5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 25 Dec 2020 16:06:32 +0000 Subject: [PATCH 212/657] add override recipes link to readme steps --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index f8df1f9..a667278 100644 --- a/user.js +++ b/user.js @@ -25,6 +25,7 @@ [SETUP-CHROME] changes how Firefox itself behaves (i.e. not directly website related) [SETUP-PERF] may impact performance [WARNING] used sparingly, heed them + 6. Override Recipes: https://github.com/arkenfox/user.js/issues/1080 * RELEASES: https://github.com/arkenfox/user.js/releases From 8c9d0bbe7280307ff172b1a9db244344cabd424a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 27 Dec 2020 05:01:33 +0000 Subject: [PATCH 213/657] harden cross-domain referers, closes #1077 --- user.js | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/user.js b/user.js index a667278..1e60234 100644 --- a/user.js +++ b/user.js @@ -815,10 +815,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false); /*** [SECTION 1600]: HEADERS / REFERERS Only *cross domain* referers need controlling: leave 1601, 1602, 1605 and 1606 alone --- - harden it a bit: set XOriginPolicy (1603) to 1 (as per the settings below) - harden it a bit more: set XOriginPolicy (1603) to 2 (and optionally 1604 to 1 or 2), expect breakage - --- - If you want any REAL control over referers and breakage, then use an extension + Expect some breakage: Use an extension if you need precise control --- full URI: https://example.com:8888/foo/bar.html?id=1234 scheme+host+port+path: https://example.com:8888/foo/bar.html @@ -829,17 +826,17 @@ user_pref("gfx.font_rendering.graphite.enabled", false); user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); /* 1601: ALL: control when images/links send a referer * 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/ - // user_pref("network.http.sendRefererHeader", 2); // [DEFAULT: 2] + // user_pref("network.http.sendRefererHeader", 2); /* 1602: ALL: control the amount of information to send * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ - // user_pref("network.http.referer.trimmingPolicy", 0); // [DEFAULT: 0] + // user_pref("network.http.referer.trimmingPolicy", 0); /* 1603: CROSS ORIGIN: control when to send a referer * 0=always (default), 1=only if base domains match, 2=only if hosts match * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud ***/ -user_pref("network.http.referer.XOriginPolicy", 1); +user_pref("network.http.referer.XOriginPolicy", 2); /* 1604: CROSS ORIGIN: control the amount of information to send [FF52+] * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ -user_pref("network.http.referer.XOriginTrimmingPolicy", 0); // [DEFAULT: 0] +user_pref("network.http.referer.XOriginTrimmingPolicy", 2); /* 1605: ALL: disable spoofing a referer * [WARNING] Do not set this to true, as spoofing effectively disables the anti-CSRF * (Cross-Site Request Forgery) protections that some sites may rely on ***/ From 9d74cb95266f60e73d4aba4a73e0623e4721082c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 30 Dec 2020 10:17:35 +0000 Subject: [PATCH 214/657] remove useless snippet pref --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index 1e60234..853df49 100644 --- a/user.js +++ b/user.js @@ -116,7 +116,6 @@ user_pref("browser.newtabpage.activity-stream.telemetry", false); * Runs code received from a server (aka Remote Code Execution) and sends information back to a metrics server * [1] https://abouthome-snippets-service.readthedocs.io/ ***/ user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); -user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{}"); /* 0105c: disable Activity Stream Top Stories, Pocket-based and/or sponsored content ***/ user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); From 755a45505fb6f00e8f712006f4799cbeb934e720 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 30 Dec 2020 10:25:26 +0000 Subject: [PATCH 215/657] snippets providers `browser.newtabpage.activity-stream.asrouter.providers.snippets` These (which landed in FF64 with snippets above) are not in the user.js, so why bother with the snippet one - `browser.newtabpage.activity-stream.asrouter.providers.cfr` - `browser.newtabpage.activity-stream.asrouter.providers.onboarding` also these aren't in the user.js - `browser.newtabpage.activity-stream.asrouter.providers.cfr-fxa` - `browser.newtabpage.activity-stream.asrouter.providers.message-groups` - `browser.newtabpage.activity-stream.asrouter.providers.messaging-experiments` - `browser.newtabpage.activity-stream.asrouter.providers.whats-new-panel` There are no privacy concerns here. At the end of the day, what Firefox connects to and sends is E2EE and only used locally in non-web content: and you have other prefs and a UI to disable them from being displayed --- scratchpad-scripts/arkenfox-clear-removed.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index fe86fc2..1b0be69 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 02-Nov-2020 + Last updated: 30-Dec-2020 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -230,6 +230,7 @@ 'security.ssl3.dhe_rsa_aes_128_sha', 'security.ssl3.dhe_rsa_aes_256_sha', /* 84-beta */ + 'browser.newtabpage.activity-stream.asrouter.providers.snippets', 'layout.css.visited_links_enabled', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' From da58f84fa6f2f978c8623e204ecdfb5a3a2bb9ed Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 30 Dec 2020 15:06:49 +0000 Subject: [PATCH 216/657] Update troubleshooter.js --- scratchpad-scripts/troubleshooter.js | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/scratchpad-scripts/troubleshooter.js b/scratchpad-scripts/troubleshooter.js index 4c54f8f..2fcf2fa 100644 --- a/scratchpad-scripts/troubleshooter.js +++ b/scratchpad-scripts/troubleshooter.js @@ -176,9 +176,9 @@ if (aDbg.length == 1) return alert("narrowed it down to:\n\n"+aDbg[0].name+"\n"); if (aDbg.length == aALL.length) { - let msg = "Failed to narrow it down beyond the initial "+aALL.length+" prefs. The problem is most likely caused by at least 2 prefs!\n\n"; - msg += "Either those prefs are too far apart in the list or there are exactly 2 culprits and they just happen to be at the wrong place.\n\n"; - msg += "In case it's the latter, the script can add a dummy pref and you can try again - Try again?"; + const msg = "Failed to narrow it down beyond the initial "+aALL.length+" prefs. The problem is most likely caused by at least 2 prefs!\n\n" + + "Either those prefs are too far apart in the list or there are exactly 2 culprits and they just happen to be at the wrong place.\n\n" + + "In case it's the latter, the script can add a dummy pref and you can try again - Try again?"; if (confirm(msg)) return _main([...aALL, oFILLER]); } else if (aDbg.length > 10 && confirm("Narrowed it down to "+aDbg.length+" prefs. Try narrowing it down further?")) { return _main(aDbg.reverse()); @@ -194,14 +194,18 @@ const aBAK = getMyList(aPREFS); //console.log(aBAK.length, "user-set prefs from our list detected and their values stored."); + + const sMsg = "all detected prefs reset.\n\n" + + "!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\n" + + "IF the problem still exists, this script can't help you - click Cancel to re-apply your values and exit.\n\n" + + "Click OK if your problem is fixed."; focus(); myreset(aBAK); - if (!confirm("all detected prefs reset.\n\n!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\nIF the problem still exists, this script can't help you - click cancel to re-apply your values and exit.\n\nClick OK if your problem is fixed.")) { + if (!confirm(sMsg)) { reapply(aBAK); return; } - _main(aBAK); })(); From c570e4fdbd68a1cdbb3fef5d946498b5e585345f Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 30 Dec 2020 15:12:07 +0000 Subject: [PATCH 217/657] Update troubleshooter.js --- scratchpad-scripts/troubleshooter.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scratchpad-scripts/troubleshooter.js b/scratchpad-scripts/troubleshooter.js index 2fcf2fa..be64708 100644 --- a/scratchpad-scripts/troubleshooter.js +++ b/scratchpad-scripts/troubleshooter.js @@ -161,8 +161,8 @@ reapply(aALL); myreset(aTmp.slice(0, _h(aTmp))); while (aTmp.length) { - alert("NOW TEST AGAIN !"); - if (confirm("if the problem still exists click OK, otherwise click cancel.")) { + alert('NOW TEST AGAIN !'); + if (confirm('if the problem still exists click OK, otherwise click Cancel.')) { aTmp = aTmp.slice(_h(aTmp)); } else { aTmp = aTmp.slice(0, _h(aTmp)); @@ -185,7 +185,7 @@ } alert("Narrowed it down to "+ aDbg.length.toString() +" prefs, check the console ..."); - console.log("The problem is caused by 2 or more of these prefs:"); + console.log('The problem is caused by 2 or more of these prefs:'); for (const oPref of aDbg) console.log(oPref.name); } From 27dd6aa62d1d73e9cdb0b751a7d4d4acdb893b75 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 5 Jan 2021 13:13:52 +0000 Subject: [PATCH 218/657] 84 final --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 853df49..8d3ed2c 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 22 Nov 2020 -* version 84-alpha +* date: 05 Jan 2021 +* version 84 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From 11977e701730ba6a352d1d0bb7fe6f724688162e Mon Sep 17 00:00:00 2001 From: earthlng Date: Sun, 17 Jan 2021 15:27:50 +0000 Subject: [PATCH 219/657] v2.4 - add strlen check for prefs.js cmd.exe has a command line length limit of 8192 characters. Abort if prefs.js contains strings that would get dropped while recreating the new prefs.js. --- prefsCleaner.bat | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/prefsCleaner.bat b/prefsCleaner.bat index f82658a..616ec28 100644 --- a/prefsCleaner.bat +++ b/prefsCleaner.bat @@ -3,7 +3,7 @@ TITLE prefs.js cleaner REM ### prefs.js cleaner for Windows REM ## author: @claustromaniac -REM ## version: 2.3 +REM ## version: 2.4 CD /D "%~dp0" @@ -13,7 +13,7 @@ ECHO: ECHO ######################################## ECHO #### prefs.js cleaner for Windows #### ECHO #### by claustromaniac #### -ECHO #### v2.3 #### +ECHO #### v2.4 #### ECHO ######################################## ECHO: CALL :message "This script should be run from your Firefox profile directory." @@ -28,6 +28,7 @@ IF ERRORLEVEL 3 (EXIT /B) IF ERRORLEVEL 2 (GOTO :showhelp) IF NOT EXIST "user.js" (CALL :abort "user.js not found in the current directory." 30) IF NOT EXIST "prefs.js" (CALL :abort "prefs.js not found in the current directory." 30) +CALL :strlenCheck CALL :FFcheck CALL :message "Backing up prefs.js..." SET "_time=%time: =0%" @@ -50,6 +51,21 @@ ECHO: ECHO: %~1 ECHO: GOTO :EOF +REM ### string length Check Function #### +:strlenCheck +SET /a cnt=0 +setlocal ENABLEDELAYEDEXPANSION +FOR /F "tokens=1,* delims=:" %%G IN ('FINDSTR /N "^" prefs.js') DO ( + ECHO:%%H >nul + SET /a cnt += 1 + IF /I "%%G" NEQ "!cnt!" ( + ECHO: + CALL :message "ERROR: line !cnt! in prefs.js is too long." + (CALL :abort "Aborting ..." 30) + ) +) +endlocal +GOTO :EOF REM ####### Firefox Check Function ###### :FFcheck TASKLIST /FI "IMAGENAME eq firefox.exe" 2>NUL | FIND /I /N "firefox.exe">NUL From 1f098f2eaf7b68387dfd666942f856c1176e0ca7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 17 Jan 2021 23:04:37 +0000 Subject: [PATCH 220/657] start 85-alpha, also fix #1090 --- user.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 8d3ed2c..255e3b8 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 05 Jan 2021 -* version 84 +* date: 17 Jan 2021 +* version 85-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -1191,6 +1191,9 @@ user_pref("permissions.delegation.enabled", false); * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks ***/ user_pref("privacy.window.name.update.enabled", true); +/* 2625: disable bypassing 3rd party extension install prompts [FF82+] + * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/ +user_pref("extensions.postDownloadThirdPartyPrompt", false); /** DOWNLOADS ***/ /* 2650: discourage downloading to desktop From ae6c76fe546a1e21601b99cf51f89108cb57a741 Mon Sep 17 00:00:00 2001 From: earthlng Date: Tue, 19 Jan 2021 17:07:39 +0000 Subject: [PATCH 221/657] v4.13 - fix TLS issue with PowerShell --- updater.bat | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/updater.bat b/updater.bat index 7783860..2597ac1 100644 --- a/updater.bat +++ b/updater.bat @@ -3,10 +3,10 @@ TITLE arkenfox user.js updater REM ## arkenfox user.js updater for Windows REM ## author: @claustromaniac -REM ## version: 4.12 +REM ## version: 4.13 REM ## instructions: https://github.com/arkenfox/user.js/wiki/3.3-Updater-Scripts -SET v=4.12 +SET v=4.13 VERIFY ON CD /D "%~dp0" @@ -51,9 +51,7 @@ IF DEFINED _updateb ( CALL :message "Updating script..." REM Uncomment the next line and comment out the PowerShell call for testing. REM COPY /B /Y "!_myname!.bat" "[updated]!_myname!.bat" >nul - ( - PowerShell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/arkenfox/user.js/master/updater.bat', '[updated]!_myname!.bat')" - ) >nul 2>&1 + CALL :psdownload https://raw.githubusercontent.com/arkenfox/user.js/master/updater.bat "[updated]!_myname!.bat" IF EXIST "[updated]!_myname!.bat" ( START /min CMD /C "[updated]!_myname!.bat" !_myparams! ) ELSE ( @@ -132,9 +130,7 @@ IF DEFINED _log ( ) IF EXIST user.js.new (DEL /F "user.js.new") CALL :message "Retrieving latest user.js file from github repository..." -( - PowerShell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/arkenfox/user.js/master/user.js', 'user.js.new')" -) >nul 2>&1 +CALL :psdownload https://raw.githubusercontent.com/arkenfox/user.js/master/user.js "user.js.new" IF EXIST user.js.new ( IF DEFINED _rfpalts ( CALL :message "Activating RFP Alternatives section..." @@ -218,6 +214,13 @@ IF NOT "2"=="%_log%" (ECHO:) ENDLOCAL GOTO :EOF +::::::::::::: Download ::::::::::::: +:psdownload +( + PowerShell -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object Net.WebClient).DownloadFile('%~1', '%~2')" +) >nul 2>&1 +GOTO :EOF + ::::::::::::::: Activate Section ::::::::::::::: :activate :: arg1 = file From 0cbd8a13a313b5f1e489532f34f6e52dba8757a3 Mon Sep 17 00:00:00 2001 From: earthlng Date: Tue, 19 Jan 2021 17:17:03 +0000 Subject: [PATCH 222/657] Update updater.bat --- updater.bat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/updater.bat b/updater.bat index 2597ac1..43b516d 100644 --- a/updater.bat +++ b/updater.bat @@ -214,7 +214,7 @@ IF NOT "2"=="%_log%" (ECHO:) ENDLOCAL GOTO :EOF -::::::::::::: Download ::::::::::::: +::::::::::::::: Download ::::::::::::::: :psdownload ( PowerShell -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object Net.WebClient).DownloadFile('%~1', '%~2')" From 480933484fbce3bf4e9147e5429eefbb646c91f6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 21 Jan 2021 11:17:16 +0000 Subject: [PATCH 223/657] 2624: windows.name default FF86+ https://bugzilla.mozilla.org/1685089 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 255e3b8..a0be1a8 100644 --- a/user.js +++ b/user.js @@ -1190,7 +1190,7 @@ user_pref("permissions.delegation.enabled", false); /* 2624: enable "window.name" protection [FF82+] * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks ***/ -user_pref("privacy.window.name.update.enabled", true); +user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] /* 2625: disable bypassing 3rd party extension install prompts [FF82+] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/ user_pref("extensions.postDownloadThirdPartyPrompt", false); From c974b3252dc4bc67104382058280c5d455f9f87e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 22 Jan 2021 12:10:15 +0000 Subject: [PATCH 224/657] move [STATS] from 1270 to 1201, #1094 --- user.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index a0be1a8..7a78bb2 100644 --- a/user.js +++ b/user.js @@ -629,9 +629,11 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); * if it disables renegotiations but the problem is that the browser can't know that. * Setting this pref to true is the only way for the browser to ensure there will be * no unsafe renegotiations on the channel between the browser and the server. + * [STATS] SSL Labs (Dec 2020) reports 99.0% of sites have secure renegotiation [4] * [1] https://wiki.mozilla.org/Security:Renegotiation * [2] https://tools.ietf.org/html/rfc5746 - * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 ***/ + * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 + * [4] https://www.ssllabs.com/ssl-pulse/ ***/ user_pref("security.ssl.require_safe_negotiation", true); /* 1202: control TLS versions with min and max * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 @@ -766,10 +768,8 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); /** UI (User Interface) ***/ /* 1270: display warning on the padlock for "broken security" (if 1201 is false) * Bug: warning padlock not indicated for subresources on a secure page! [2] - * [STATS] SSL Labs (Dec 2020) reports 99.0% of sites have secure renegotiation [3] * [1] https://wiki.mozilla.org/Security:Renegotiation - * [2] https://bugzilla.mozilla.org/1353705 - * [3] https://www.ssllabs.com/ssl-pulse/ ***/ + * [2] https://bugzilla.mozilla.org/1353705 ***/ user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); /* 1271: control "Add Security Exception" dialog on SSL warnings * 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default) From 59ac1727f7be79fafca792c693292f834072d771 Mon Sep 17 00:00:00 2001 From: earthlng Date: Fri, 22 Jan 2021 12:15:12 +0000 Subject: [PATCH 225/657] v4.14 - check for TLS1.2 (#1097) --- updater.bat | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/updater.bat b/updater.bat index 43b516d..a806ca6 100644 --- a/updater.bat +++ b/updater.bat @@ -3,10 +3,10 @@ TITLE arkenfox user.js updater REM ## arkenfox user.js updater for Windows REM ## author: @claustromaniac -REM ## version: 4.13 +REM ## version: 4.14 REM ## instructions: https://github.com/arkenfox/user.js/wiki/3.3-Updater-Scripts -SET v=4.13 +SET v=4.14 VERIFY ON CD /D "%~dp0" @@ -28,6 +28,15 @@ SHIFT GOTO parse :endparse +FOR /F %%i IN ('PowerShell -Command "[Enum]::GetNames([Net.SecurityProtocolType]) -contains 'Tls12'"') DO ( + IF "%%i" == "False" ( + CALL :message "Your PowerShell version doesn't support TLS1.2 ^!" + ECHO: Instructions to update PowerShell are on the arkenfox wiki + PAUSE + EXIT + ) +) + IF DEFINED _updateb ( REM The normal flow here goes from phase 1 to phase 2 and then phase 3. IF NOT "!_myname:~0,9!"=="[updated]" ( From 306610da8e3ba7580674e6385759f2764dad3b84 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 26 Jan 2021 19:37:54 +0000 Subject: [PATCH 226/657] remove 2614, see #1100 --- user.js | 4 ---- 1 file changed, 4 deletions(-) diff --git a/user.js b/user.js index 7a78bb2..9a33ad3 100644 --- a/user.js +++ b/user.js @@ -1143,10 +1143,6 @@ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] /* 2611: disable middle mouse click opening links from clipboard * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/ user_pref("middlemouse.contentLoadURL", false); -/* 2614: limit HTTP redirects (this does not control redirects with HTML meta tags or JS) - * [NOTE] A low setting of 5 or under will probably break some sites (e.g. gmail logins) - * To control HTML Meta tag and JS redirects, use an extension. Default is 20 ***/ -user_pref("network.http.redirection-limit", 10); /* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+] * 0 (default) or 1=allow, 2=block * [SETTING] to add site exceptions: Page Info>Permissions>Override Keyboard Shortcuts ***/ From 2dd455ef83413468a5fcccec1d4097275fc13e94 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 26 Jan 2021 19:39:33 +0000 Subject: [PATCH 227/657] network.http.redirection-limit, fixes #1100 --- scratchpad-scripts/arkenfox-clear-removed.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 1b0be69..060f76c 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 30-Dec-2020 + Last updated: 26-Jan-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -232,6 +232,8 @@ /* 84-beta */ 'browser.newtabpage.activity-stream.asrouter.providers.snippets', 'layout.css.visited_links_enabled', + /* 85-beta */ + 'network.http.redirection-limit', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] From 2f6b14ab6eb5189637592a9575924db58e6f73fd Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 26 Jan 2021 19:58:57 +0000 Subject: [PATCH 228/657] 1201: add error code, fixes #1094 --- user.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 9a33ad3..dd05a00 100644 --- a/user.js +++ b/user.js @@ -624,10 +624,10 @@ user_pref("browser.shell.shortcutFavicons", false); user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/ /* 1201: require safe negotiation - * Blocks connections to servers that don't support RFC 5746 [2] as they're potentially - * vulnerable to a MiTM attack [3]. A server *without* RFC 5746 can be safe from the attack - * if it disables renegotiations but the problem is that the browser can't know that. - * Setting this pref to true is the only way for the browser to ensure there will be + * Blocks connections (SSL_ERROR_UNSAFE_NEGOTIATION) to servers that don't support RFC 5746 [2] + * as they're potentially vulnerable to a MiTM attack [3]. A server without RFC 5746 can be + * safe from the attack if it disables renegotiations but the problem is that the browser can't + * know that. Setting this pref to true is the only way for the browser to ensure there will be * no unsafe renegotiations on the channel between the browser and the server. * [STATS] SSL Labs (Dec 2020) reports 99.0% of sites have secure renegotiation [4] * [1] https://wiki.mozilla.org/Security:Renegotiation From fa78c53114c7c5e2a9b7b61e3c0a502ae6082105 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 28 Jan 2021 03:13:36 +0000 Subject: [PATCH 229/657] v85 --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index dd05a00..7d3ee43 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 17 Jan 2021 -* version 85-alpha +* date: 28 Jan 2021 +* version 85 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From b6e8dcab81e74d8f8a8b3b074e702cc68590cdd5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 30 Jan 2021 00:28:28 +0000 Subject: [PATCH 230/657] fixup spelling mistake --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 7d3ee43..3d0e228 100644 --- a/user.js +++ b/user.js @@ -1576,7 +1576,7 @@ user_pref("ui.use_standins_for_native_colors", true); // 0=light, 1=dark : This overrides your OS value user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] // FF80+ -// 4618: limit font visbility (non-ANDROID) [FF79+] +// 4618: limit font visibility (non-ANDROID) [FF79+] // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1] // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts // [NOTE] Bundled fonts are auto-allowed From 96d558dd0c375b2350fd61dfc84f21644850624c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 31 Jan 2021 07:28:05 +0000 Subject: [PATCH 231/657] add window.name test --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 3d0e228..08e8630 100644 --- a/user.js +++ b/user.js @@ -1185,7 +1185,8 @@ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] user_pref("permissions.delegation.enabled", false); /* 2624: enable "window.name" protection [FF82+] * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original - * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks ***/ + * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks + * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] /* 2625: disable bypassing 3rd party extension install prompts [FF82+] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/ From 21fcd0bd358f41ef35b33c8d26785605d054a780 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 1 Feb 2021 05:14:46 +0000 Subject: [PATCH 232/657] update xul/xhtml config info - the XUL version is also pre FF71 - the XHTML version was removed in FF87+ --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 08e8630..009636d 100644 --- a/user.js +++ b/user.js @@ -82,8 +82,8 @@ user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?"); /* 0000: disable about:config warning - * FF71-72: chrome://global/content/config.xul - * FF73+: chrome://global/content/config.xhtml ***/ + * FF72 or lower: chrome://global/content/config.xul + * FF73-86: chrome://global/content/config.xhtml ***/ user_pref("general.warnOnAboutConfig", false); // XUL/XHTML version user_pref("browser.aboutConfig.showWarning", false); // HTML version [FF71+] From fa5125123532c0f517d9f774aa00075a961568fb Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 1 Feb 2021 17:17:16 +0000 Subject: [PATCH 233/657] remove widevine vis pref, see #1107 - It is controlled in both runtime and via user.js by the state of `media.eme.enabled`. Also, who cares about the vis of a ui option - note, there is no need to add this to the removed scratchpad list --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index 009636d..3767880 100644 --- a/user.js +++ b/user.js @@ -890,7 +890,6 @@ user_pref("plugin.state.flash", 0); // user_pref("media.gmp-provider.enabled", false); /* 1825: disable widevine CDM (Content Decryption Module) * [SETUP-WEB] if you *need* CDM, e.g. Netflix, Amazon Prime, Hulu, whatever ***/ -user_pref("media.gmp-widevinecdm.visible", false); user_pref("media.gmp-widevinecdm.enabled", false); /* 1830: disable all DRM content (EME: Encryption Media Extension) * [SETUP-WEB] if you *need* EME, e.g. Netflix, Amazon Prime, Hulu, whatever From 0b51e98d91851a881e248aeb68b67a485fdc1c8a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 1 Feb 2021 17:25:00 +0000 Subject: [PATCH 234/657] media.gmp-widevinecdm.visible, see #1107 --- scratchpad-scripts/arkenfox-clear-removed.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 060f76c..c9883b0 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 26-Jan-2021 + Last updated: 01-Feb-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -234,6 +234,8 @@ 'layout.css.visited_links_enabled', /* 85-beta */ 'network.http.redirection-limit', + /* 86-beta */ + 'media.gmp-widevinecdm.visible', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] From cfaf354fe359eee6bdc219c4b75823b94f77d2c0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 2 Feb 2021 04:09:50 +0000 Subject: [PATCH 235/657] oophs, better start 86-alpha --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 3767880..f7ec4a1 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 28 Jan 2021 -* version 85 +* date: 01 Feb 2021 +* version 86-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From ecf99bf9e7df122f273392104ecc0f574c3252cc Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 3 Feb 2021 16:45:34 +0000 Subject: [PATCH 236/657] 0603: add default value AFAICT: false 48-51: true 52-55.0.1/ESR52.1: false ever since --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index f7ec4a1..7716dc7 100644 --- a/user.js +++ b/user.js @@ -364,7 +364,7 @@ user_pref("network.dns.disablePrefetch", true); user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true] /* 0603: disable predictor / prefetching ***/ user_pref("network.predictor.enabled", false); -user_pref("network.predictor.enable-prefetch", false); // [FF48+] +user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false] /* 0605: disable link-mouseover opening connection to linked server * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/ user_pref("network.http.speculative-parallel-limit", 0); From a35a616de7e10b6fa37bd42a134659d2054cffc5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 4 Feb 2021 07:19:28 +0000 Subject: [PATCH 237/657] highlight 1603 (cross origin referer), fixes 1108 especially since we recently hardened it: also added it to the few things highlighted in the wiki --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index 7716dc7..85fe751 100644 --- a/user.js +++ b/user.js @@ -18,6 +18,7 @@ * Some site breakage and unintended consequences will happen. Everyone's experience will differ e.g. some user data is erased on close (section 2800), change this to suit your needs * While not 100% definitive, search for "[SETUP" tags + e.g. third party images/videos not loading on some sites? check 1603 * Take the wiki link in step 2 and read the Troubleshooting entry 5. Some tag info [SETUP-SECURITY] it's one item, read it From 82bb3f987de619ccd61b1577d0fbb9e80675b76c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 8 Feb 2021 07:20:06 +0000 Subject: [PATCH 238/657] 2604, closes #1111 --- user.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/user.js b/user.js index 85fe751..424f1a9 100644 --- a/user.js +++ b/user.js @@ -1119,8 +1119,7 @@ user_pref("beacon.enabled", false); /* 2603: remove temp files opened with an external application * [1] https://bugzilla.mozilla.org/302433 ***/ user_pref("browser.helperApps.deleteTempFileOnExit", true); -/* 2604: disable page thumbnail collection - * look in profile/thumbnails directory - you may want to clean that out ***/ +/* 2604: disable page thumbnail collection ***/ user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF] /* 2606: disable UITour backend so there is no chance that a remote page can use it ***/ user_pref("browser.uitour.enabled", false); From de74f812eeb18866698ea01d6c5fa81f9deb3391 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 18 Feb 2021 15:00:06 +0000 Subject: [PATCH 239/657] 2012: webgl default FF86+ --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 424f1a9..07d3aa0 100644 --- a/user.js +++ b/user.js @@ -923,7 +923,7 @@ user_pref("webgl.disabled", true); user_pref("webgl.enable-webgl2", false); /* 2012: limit WebGL ***/ user_pref("webgl.min_capability_mode", true); -user_pref("webgl.disable-fail-if-major-performance-caveat", true); +user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] /* 2022: disable screensharing ***/ user_pref("media.getusermedia.screensharing.enabled", false); user_pref("media.getusermedia.browser.enabled", false); From 6505a9fefd2bf2ba9b5f804fbb53053961d8bed7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 18 Feb 2021 15:30:58 +0000 Subject: [PATCH 240/657] FF86 deprecated --- user.js | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/user.js b/user.js index 07d3aa0..a5d7b82 100644 --- a/user.js +++ b/user.js @@ -653,11 +653,6 @@ user_pref("security.tls.version.enable-deprecated", false); * [2] https://bugzilla.mozilla.org/967977 * [3] https://arxiv.org/abs/1810.07304 ***/ user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF] -/* 1205: disable SSL Error Reporting - * [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html ***/ -user_pref("security.ssl.errorReporting.automatic", false); -user_pref("security.ssl.errorReporting.enabled", false); -user_pref("security.ssl.errorReporting.url", ""); /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+] * [1] https://github.com/tlswg/tls13-spec/issues/1001 * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ @@ -1202,8 +1197,6 @@ user_pref("extensions.postDownloadThirdPartyPrompt", false); user_pref("browser.download.useDownloadDir", false); /* 2652: disable adding downloads to the system's "recent documents" list ***/ user_pref("browser.download.manager.addToRecentDocs", false); -/* 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin ***/ -user_pref("browser.download.hide_plugins_without_extensions", false); /* 2654: disable "open with" in download dialog [FF50+] [SETUP-HARDEN] * This is very useful to enable when the browser is sandboxed (e.g. via AppArmor) * in such a way that it is forbidden to run external applications. @@ -1653,6 +1646,16 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); /* ESR78.x still uses all the following prefs // [NOTE] replace the * with a slash in the line above to re-enable them +// FF86 +// 1205: disable SSL Error Reporting + // [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html + // [-] https://bugzilla.mozilla.org/1681839 +user_pref("security.ssl.errorReporting.automatic", false); +user_pref("security.ssl.errorReporting.enabled", false); +user_pref("security.ssl.errorReporting.url", ""); +// 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin + // [-] https://bugzilla.mozilla.org/1581678 +user_pref("browser.download.hide_plugins_without_extensions", false); // FF79 // 0212: enforce fallback text encoding to match en-US // When the content or server doesn't declare a charset the browser will @@ -1661,14 +1664,12 @@ user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025 // [-] https://bugzilla.mozilla.org/1603712 user_pref("intl.charset.fallback.override", "windows-1252"); -// * * * / // FF82 // 0206: disable geographically specific results/search engines e.g. "browser.search.*.US" // i.e. ignore all of Mozilla's various search engines in multiple locales // [-] https://bugzilla.mozilla.org/1619926 user_pref("browser.search.geoSpecificDefaults", false); user_pref("browser.search.geoSpecificDefaults.url", ""); -// * * * / // ***/ /* END: internal custom pref to test for syntax errors ***/ From c31c825a74ca6bdf227887c069a15bc75994d1ec Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 18 Feb 2021 15:50:37 +0000 Subject: [PATCH 241/657] 2212: popup events, fixes DDG https://bugzilla.mozilla.org/show_bug.cgi?id=1686045 --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index a5d7b82..1175af6 100644 --- a/user.js +++ b/user.js @@ -961,8 +961,8 @@ user_pref("browser.link.open_newwindow.restriction", 0); * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ user_pref("dom.disable_open_during_load", true); /* 2212: limit events that can cause a popup [SETUP-WEB] - * default is "change click dblclick auxclick mouseup pointerup notificationclick reset submit touchend contextmenu" ***/ -user_pref("dom.popup_allowed_events", "click dblclick"); + * default FF86+: "change click dblclick auxclick mousedown mouseup pointerdown pointerup notificationclick reset submit touchend contextmenu ***/ +user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); /*** [SECTION 2300]: WEB WORKERS A worker is a JS "background task" running in a global context, i.e. it is different from From d905b4387def4b3da55c9edbd893602c922d729d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 21 Feb 2021 20:52:20 +0000 Subject: [PATCH 242/657] deprecated: put FF86 items in the right place --- user.js | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/user.js b/user.js index 1175af6..056232a 100644 --- a/user.js +++ b/user.js @@ -1646,16 +1646,6 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); /* ESR78.x still uses all the following prefs // [NOTE] replace the * with a slash in the line above to re-enable them -// FF86 -// 1205: disable SSL Error Reporting - // [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html - // [-] https://bugzilla.mozilla.org/1681839 -user_pref("security.ssl.errorReporting.automatic", false); -user_pref("security.ssl.errorReporting.enabled", false); -user_pref("security.ssl.errorReporting.url", ""); -// 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin - // [-] https://bugzilla.mozilla.org/1581678 -user_pref("browser.download.hide_plugins_without_extensions", false); // FF79 // 0212: enforce fallback text encoding to match en-US // When the content or server doesn't declare a charset the browser will @@ -1670,6 +1660,16 @@ user_pref("intl.charset.fallback.override", "windows-1252"); // [-] https://bugzilla.mozilla.org/1619926 user_pref("browser.search.geoSpecificDefaults", false); user_pref("browser.search.geoSpecificDefaults.url", ""); +// FF86 +// 1205: disable SSL Error Reporting + // [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html + // [-] https://bugzilla.mozilla.org/1681839 +user_pref("security.ssl.errorReporting.automatic", false); +user_pref("security.ssl.errorReporting.enabled", false); +user_pref("security.ssl.errorReporting.url", ""); +// 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin + // [-] https://bugzilla.mozilla.org/1581678 +user_pref("browser.download.hide_plugins_without_extensions", false); // ***/ /* END: internal custom pref to test for syntax errors ***/ From 7c978d4e70af121d30d62f632a63162f02fb13e0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 22 Feb 2021 20:05:25 +0000 Subject: [PATCH 243/657] 0708: FTP default FF88+ https://bugzilla.mozilla.org/show_bug.cgi?id=1691890 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 056232a..723dba6 100644 --- a/user.js +++ b/user.js @@ -415,7 +415,7 @@ user_pref("network.http.altsvc.oe", false); * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/ user_pref("network.proxy.socks_remote_dns", true); /* 0708: disable FTP [FF60+] ***/ - // user_pref("network.ftp.enabled", false); + // user_pref("network.ftp.enabled", false); // [DEFAULT: false FF88+] /* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+] * [SETUP-CHROME] Can break extensions for profiles on network shares * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/ From e54ae465370556713f616d0e3d11abca98385ffc Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 24 Feb 2021 15:11:59 +0000 Subject: [PATCH 244/657] 1204: ssl session ids inactive, closes #1110 --- user.js | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index 723dba6..2767b32 100644 --- a/user.js +++ b/user.js @@ -645,14 +645,15 @@ user_pref("security.ssl.require_safe_negotiation", true); /* 1203: enforce TLS 1.0 and 1.1 downgrades as session only */ user_pref("security.tls.version.enable-deprecated", false); /* 1204: disable SSL session tracking [FF36+] - * SSL Session IDs are unique, last up to 24hrs in Firefox, and can be used for tracking - * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the - * consequences. FPI isolates these, but it was designed with the Tor protocol in mind, - * and the Tor Browser has extra protection, including enhanced sanitizing per Identity. + * SSL Session IDs are unique and last up to 24hrs in Firefox (or longer with prolongation attacks) + * [NOTE] These are not used in PB mode. In normal windows they are isolated when using FPI (4001) + * and/or containers. In FF85+ they are isolated by default (privacy.partition.network_state) + * [WARNING] There are perf and passive fingerprinting costs, for little to no gain. Preventing + * tracking via this method does not address IPs, nor handle any sanitizing of current identifiers * [1] https://tools.ietf.org/html/rfc5077 * [2] https://bugzilla.mozilla.org/967977 * [3] https://arxiv.org/abs/1810.07304 ***/ -user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF] + // user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF] /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+] * [1] https://github.com/tlswg/tls13-spec/issues/1001 * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ From cb5cdca99dc3956cfdbf403bc97d37852b8b09c9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 24 Feb 2021 22:10:29 +0000 Subject: [PATCH 245/657] update adding site exceptions - https://bugzilla.mozilla.org/show_bug.cgi?id=1692553 - also HoM is not Page Info --- user.js | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/user.js b/user.js index 2767b32..633ecae 100644 --- a/user.js +++ b/user.js @@ -149,7 +149,7 @@ user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely decease /* 0202: set a default permission for Location (see 0201) [FF58+] * 0=always ask (default), 1=allow, 2=block * [NOTE] Best left at default "always ask", fingerprintable via Permissions API - * [SETTING] to add site exceptions: Page Info>Permissions>Access Your Location + * [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Your Location * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings ***/ // user_pref("permissions.default.geo", 2); /* 0203: use Mozilla geolocation service instead of Google when geolocation is enabled [FF74+] @@ -726,7 +726,7 @@ user_pref("security.mixed_content.block_display_content", true); user_pref("security.mixed_content.block_object_subrequest", true); /* 1244: enable HTTPS-Only mode [FF76+] * When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored - * [SETTING] to add site exceptions: Page Info>HTTPS-Only mode>On/Off/Off temporarily + * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On/Off/Off temporarily * [SETTING] Privacy & Security>HTTPS-Only Mode * [TEST] http://example.com [upgrade] * [TEST] http://neverssl.org/ [no upgrade] @@ -926,7 +926,7 @@ user_pref("media.getusermedia.browser.enabled", false); user_pref("media.getusermedia.audiocapture.enabled", false); /* 2024: set a default permission for Camera/Microphone [FF58+] * 0=always ask (default), 1=allow, 2=block - * [SETTING] to add site exceptions: Page Info>Permissions>Use the Camera/Microphone + * [SETTING] to add site exceptions: Ctrl+I>Permissions>Use the Camera/Microphone * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings ***/ // user_pref("permissions.default.camera", 2); // user_pref("permissions.default.microphone", 2); @@ -1008,7 +1008,7 @@ user_pref("dom.push.enabled", false); /* 2306: set a default permission for Notifications (both 2304 and 2305) [FF58+] * 0=always ask (default), 1=allow, 2=block * [NOTE] Best left at default "always ask", fingerprintable via Permissions API - * [SETTING] to add site exceptions: Page Info>Permissions>Receive Notifications + * [SETTING] to add site exceptions: Ctrl+I>Permissions>Receive Notifications * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings ***/ // user_pref("permissions.default.desktop-notification", 2); @@ -1099,7 +1099,7 @@ user_pref("dom.webaudio.enabled", false); // user_pref("dom.vr.enabled", false); /* 2521: set a default permission for Virtual Reality (see 2520) [FF73+] * 0=always ask (default), 1=allow, 2=block - * [SETTING] to add site exceptions: Page Info>Permissions>Access Virtual Reality Devices + * [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Virtual Reality Devices * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings ***/ // user_pref("permissions.default.xr", 0); @@ -1140,7 +1140,7 @@ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] user_pref("middlemouse.contentLoadURL", false); /* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+] * 0 (default) or 1=allow, 2=block - * [SETTING] to add site exceptions: Page Info>Permissions>Override Keyboard Shortcuts ***/ + * [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/ // user_pref("permissions.default.shortcuts", 2); /* 2616: remove special permissions for certain mozilla domains [FF35+] * [1] resource://app/defaults/permissions ***/ From 911206eed57d4e389d6ff6df792136c79cc33cc1 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 25 Feb 2021 01:22:08 +0000 Subject: [PATCH 246/657] 5000s: disable ctrl-q quit shortcut FF87+ https://bugzilla.mozilla.org/show_bug.cgi?id=52821 .. 21 years, old enough to drink and vote --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index 633ecae..914889b 100644 --- a/user.js +++ b/user.js @@ -1619,6 +1619,7 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); // user_pref("layout.spellcheckDefault", 2); // 0=none, 1-multi-line, 2=multi-line & single-line /* UX BEHAVIOR ***/ // user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing + // user_pref("browser.quitShortcut.disabled", true); // disable Ctrl-Q quit shortcut [LINUX] [MAC] [FF87+] // user_pref("browser.tabs.closeWindowWithLastTab", false); // user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+] // user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+] From 4596d721e6479aa2341554dc9e21cd999cd704a8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 26 Feb 2021 11:39:52 +0000 Subject: [PATCH 247/657] 2012: make webgl.min_capability_mode inactive - This is too minimal to be of any use, breaks too much (e.g. zoom video) - Tor browser stopped flipping this (I *think*) about 5 years ago: it certainly hasn't been used in ESR60+ based TB builds, I checked - we already disable webgl, so making this inactive removes yet another pref users need to flip/troubleshoot - I will leave it in the user js for a few releases so prefsCleaner will pick it up --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 914889b..b7f0413 100644 --- a/user.js +++ b/user.js @@ -918,7 +918,7 @@ user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70 user_pref("webgl.disabled", true); user_pref("webgl.enable-webgl2", false); /* 2012: limit WebGL ***/ -user_pref("webgl.min_capability_mode", true); + // user_pref("webgl.min_capability_mode", true); user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] /* 2022: disable screensharing ***/ user_pref("media.getusermedia.screensharing.enabled", false); From 612cfbf3134d8685a1448d9dc2500dd8b91feb6e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 27 Feb 2021 21:18:17 +0000 Subject: [PATCH 248/657] 0805: re-add visited links It can still be used to mitigate social engineering attacks (e.g. using visibility and user clicks), and advanced/targeted scripts --- user.js | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/user.js b/user.js index b7f0413..eec7d00 100644 --- a/user.js +++ b/user.js @@ -456,6 +456,17 @@ user_pref("keyword.enabled", false); user_pref("browser.fixup.alternate.enabled", false); /* 0803: display all parts of the url in the location bar ***/ user_pref("browser.urlbar.trimURLs", false); +/* 0805: disable coloring of visited links - CSS history leak + * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive + * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing + * attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5] + * and advanced targeted timing attacks could still produce usable results + * [1] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector + * [2] https://dbaron.org/mozilla/visited-privacy + * [3] https://bugzilla.mozilla.org/1632765 + * [4] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use) + * [5] https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html ***/ + // user_pref("layout.css.visited_links_enabled", false); /* 0807: disable live search suggestions /* [NOTE] Both must be true for the location bar to work * [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine From 65fb24ff1b97ef2045aec354269934e11f274830 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 27 Feb 2021 21:20:00 +0000 Subject: [PATCH 249/657] layout.css.visited_links_enabled added back to the user.js in https://github.com/arkenfox/user.js/commit/612cfbf3134d8685a1448d9dc2500dd8b91feb6e --- scratchpad-scripts/arkenfox-clear-removed.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index c9883b0..9a89288 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 01-Feb-2021 + Last updated: 27-Feb-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -231,7 +231,6 @@ 'security.ssl3.dhe_rsa_aes_256_sha', /* 84-beta */ 'browser.newtabpage.activity-stream.asrouter.providers.snippets', - 'layout.css.visited_links_enabled', /* 85-beta */ 'network.http.redirection-limit', /* 86-beta */ From 7163efdd1eed4c517d9ec475cbd8bfdfde114b74 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 28 Feb 2021 15:57:27 +0000 Subject: [PATCH 250/657] 1825: inactive: it is redundant, fixes #1107 --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index eec7d00..75914a2 100644 --- a/user.js +++ b/user.js @@ -897,10 +897,10 @@ user_pref("plugin.state.flash", 0); * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/ // user_pref("media.gmp-provider.enabled", false); /* 1825: disable widevine CDM (Content Decryption Module) - * [SETUP-WEB] if you *need* CDM, e.g. Netflix, Amazon Prime, Hulu, whatever ***/ -user_pref("media.gmp-widevinecdm.enabled", false); + * [NOTE] This is covered by the EME master switch (1830) **/ + // user_pref("media.gmp-widevinecdm.enabled", false); /* 1830: disable all DRM content (EME: Encryption Media Extension) - * [SETUP-WEB] if you *need* EME, e.g. Netflix, Amazon Prime, Hulu, whatever + * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV * [SETTING] General>DRM Content>Play DRM-controlled content * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/ user_pref("media.eme.enabled", false); From 5f9bb59b9524d97dfe9f9fa2611667e292aee1d9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 28 Feb 2021 20:49:57 +0000 Subject: [PATCH 251/657] 86 final --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 75914a2..5f53b37 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 01 Feb 2021 -* version 86-alpha +* date: 28 Feb 2021 +* version 86 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From 03ffb901864a57bd9273e1f8cf26bb95522cb8f8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 2 Mar 2021 20:02:41 +0000 Subject: [PATCH 252/657] start 87-alpha, also fixes #1129 make all inactive permissions.default = same, blocked --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 5f53b37..5298948 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 28 Feb 2021 -* version 86 +* date: 02 March 2021 +* version 87-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -1112,7 +1112,7 @@ user_pref("dom.webaudio.enabled", false); * 0=always ask (default), 1=allow, 2=block * [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Virtual Reality Devices * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings ***/ - // user_pref("permissions.default.xr", 0); + // user_pref("permissions.default.xr", 2); /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); From 844f3ce9c81f12ea1d6b2994f440916ec4bdb4b0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 5 Mar 2021 10:15:26 +0000 Subject: [PATCH 253/657] tidy --- scratchpad-scripts/arkenfox-clear-removed.js | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 9a89288..20e7305 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 27-Feb-2021 + Last updated: 04-Mar-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -9,7 +9,7 @@ (function() { let ops = [ - /* removed in arkenfox user.js v52-57 */ + /* removed in arkenfox user.js */ /* 52-alpha */ 'browser.search.reset.enabled', 'browser.search.reset.whitelist', @@ -26,7 +26,6 @@ 'extensions.pocket.api', // covered by extensions.pocket.enabled 'extensions.pocket.oAuthConsumerKey', // ditto 'extensions.pocket.site', // ditto - /* 56-alpha: none */ /* 57-alpha */ 'geo.wifi.xhr.timeout', // covered by geo.enabled 'browser.search.geoip.timeout', // ditto From 3430507ae4062761cddf018397364710375c4ae2 Mon Sep 17 00:00:00 2001 From: earthlng Date: Sun, 7 Mar 2021 13:29:33 +0000 Subject: [PATCH 254/657] v3.0 - improve readIniFile() (#1128) - grep -c equals grep | wc -l - make output prettier - work with variable instead of temporary file + a few minor changes/cleanup --- updater.sh | 51 +++++++++++++++++++++------------------------------ 1 file changed, 21 insertions(+), 30 deletions(-) diff --git a/updater.sh b/updater.sh index 5f37ebc..e265445 100755 --- a/updater.sh +++ b/updater.sh @@ -2,7 +2,7 @@ ## arkenfox user.js updater for macOS and Linux -## version: 2.9 +## version: 3.0 ## Author: Pat Johnson (@overdodactyl) ## Additional contributors: @earthlng, @ema-pe, @claustromaniac @@ -103,7 +103,6 @@ Optional Arguments: # File Handling # ######################### -# Download files download_file () { # expects URL as argument ($1) declare -r tf=$(mktemp) @@ -122,36 +121,33 @@ open_file () { # expects one argument: file_path readIniFile () { # expects one argument: absolute path of profiles.ini declare -r inifile="$1" - declare -r tfile=$(mktemp) - if [ $(grep '^\[Profile' "$inifile" | wc -l) == "1" ]; then ### only 1 profile found - grep '^\[Profile' -A 4 "$inifile" | grep -v '^\[Profile' > $tfile + # tempIni will contain: [ProfileX], Name=, IsRelative= and Path= (and Default= if present) of the only (if) or the selected (else) profile + if [ $(grep -c '^\[Profile' "${inifile}") -eq "1" ]; then ### only 1 profile found + tempIni="$(grep '^\[Profile' -A 4 "${inifile}")" else - grep -E -v '^\[General\]|^StartWithLastProfile=|^IsRelative=' "$inifile" - echo '' + echo -e "Profiles found:\n––––––––––––––––––––––––––––––" + ## cmd-substitution to strip trailing newlines and in quotes to keep internal ones: + echo "$(grep --color=never -E 'Default=[^1]|\[Profile[0-9]*\]|Name=|Path=|^$' "${inifile}")" + echo '––––––––––––––––––––––––––––––' read -p 'Select the profile number ( 0 for Profile0, 1 for Profile1, etc ) : ' -r echo -e "\n" if [[ $REPLY =~ ^(0|[1-9][0-9]*)$ ]]; then - grep '^\[Profile'${REPLY} -A 4 "$inifile" | grep -v '^\[Profile'${REPLY} > $tfile - if [[ "$?" != "0" ]]; then - echo "Profile${REPLY} does not exist!" && exit 1 - fi + tempIni="$(grep "^\[Profile${REPLY}" -A 4 "${inifile}")" || { + echo -e "${RED}Profile${REPLY} does not exist!${NC}" && exit 1 + } else - echo "Invalid selection!" && exit 1 + echo -e "${RED}Invalid selection!${NC}" && exit 1 fi fi - declare -r profpath=$(grep '^Path=' $tfile) - declare -r pathisrel=$(grep '^IsRelative=' $tfile) + # extracting 0 or 1 from the "IsRelative=" line + declare -r pathisrel=$(sed -n 's/^IsRelative=\([01]\)$/\1/p' <<< "${tempIni}") - rm "$tfile" - - # update global variable - if [[ ${pathisrel#*=} == "1" ]]; then - PROFILE_PATH="$(dirname "$inifile")/${profpath#*=}" - else - PROFILE_PATH="${profpath#*=}" - fi + # extracting only the path itself, excluding "Path=" + PROFILE_PATH=$(sed -n 's/^Path=\(.*\)$/\1/p' <<< "${tempIni}") + # update global variable if path is relative + [[ ${pathisrel} == "1" ]] && PROFILE_PATH="$(dirname "${inifile}")/${PROFILE_PATH}" } getProfilePath () { @@ -161,16 +157,14 @@ getProfilePath () { if [ "$PROFILE_PATH" = false ]; then PROFILE_PATH="$SCRIPT_DIR" elif [ "$PROFILE_PATH" = 'list' ]; then - local ini='' if [[ -f "$f1" ]]; then - ini="$f1" + readIniFile "$f1" # updates PROFILE_PATH or exits on error elif [[ -f "$f2" ]]; then - ini="$f2" + readIniFile "$f2" else echo -e "${RED}Error: Sorry, -l is not supported for your OS${NC}" exit 1 fi - readIniFile "$ini" # updates PROFILE_PATH or exits on error #else # PROFILE_PATH already set by user with -p fi @@ -191,9 +185,7 @@ get_updater_version () { # -d: New version will not be looked for and update will not occur # -u: Check for update, if available, execute without asking update_updater () { - if [ $UPDATE = 'no' ]; then - return 0 # User signified not to check for updates - fi + [ $UPDATE = 'no' ] && return 0 # User signified not to check for updates declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/updater.sh')" [ -z "${tmpfile}" ] && echo -e "${RED}Error! Could not download updater.sh${NC}" && return 1 # check if download failed @@ -214,7 +206,6 @@ update_updater () { exit 0 } - ######################### # Update user.js # ######################### From 692ed70ea9f1eddc1a72725df25197a4847110d7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 8 Mar 2021 01:49:21 +0000 Subject: [PATCH 255/657] remove maintenance of this comment --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 5298948..eee08bd 100644 --- a/user.js +++ b/user.js @@ -38,7 +38,7 @@ - If you are not using arkenfox v78... (not a definitive list) - 1244: HTTPS-Only mode is enabled - 1401: document fonts is inactive as it is now covered by RFP in FF80+ - - 4600: some prefs may apply even if you use RFP (currently none apply as of FF84) + - 4600: some prefs may apply even if you use RFP - 9999: switch the appropriate deprecated section(s) back on * INDEX: From 9138e342fdccfed95c899ac795f8e7a0c6f20b55 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 10 Mar 2021 00:06:30 +0000 Subject: [PATCH 256/657] misc (#1136) - 0000: remove old XUL info, dropped in FF73+ - 0201: save 3 chars - 0350: add default status for unsubmittedCheck - 0351: change to enforce: has been default false going back to at least FF60, including current Beta/Dev/Nightly - along with 0602 `network.dns.disablePrefetchFromHTTPS` and 0603 `network.predictor.enable-prefetch`, I considered making them inactive, but decided it was good to leave them active for non-stable users just in case they get flipped - 0515: add default status - 0850c: remove info: out of date: doesn't work lilke that anymore and can't be assed figuring it out what with megabar and urlbar2 changes - 0871: make inactive: default false since at least FF60 - no need to enforce for non-stable in case it is flipped. It's a pretty minor shoulder-surfer privacy issue and the previews are small. If you're not sure what this pref does. On false you get one tab shown, on true you get as many as can fit across your screen. I squeezed in 15, and after that it became a list - fixup `***/` - shave off six lines and almost 400 bytes for you bastards --- user.js | 30 ++++++++++++------------------ 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/user.js b/user.js index eee08bd..2eee2e0 100644 --- a/user.js +++ b/user.js @@ -83,9 +83,8 @@ user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?"); /* 0000: disable about:config warning - * FF72 or lower: chrome://global/content/config.xul * FF73-86: chrome://global/content/config.xhtml ***/ -user_pref("general.warnOnAboutConfig", false); // XUL/XHTML version +user_pref("general.warnOnAboutConfig", false); // XHTML version user_pref("browser.aboutConfig.showWarning", false); // HTML version [FF71+] /*** [SECTION 0100]: STARTUP ***/ @@ -143,7 +142,7 @@ user_pref("browser.newtabpage.activity-stream.default.sites", ""); user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!"); /** GEOLOCATION ***/ /* 0201: disable Location-Aware Browsing - * [NOTE] Best left at default "true", fingerprintable, is already behind a prompt (see 0202) + * [NOTE] Best left at default "true", fingerprintable, already behind a prompt (see 0202) * [1] https://www.mozilla.org/firefox/geolocation/ ***/ // user_pref("geo.enabled", false); /* 0202: set a default permission for Location (see 0201) [FF58+] @@ -251,10 +250,10 @@ user_pref("browser.discovery.enabled", false); /* 0350: disable Crash Reports ***/ user_pref("breakpad.reportURL", ""); user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+] -user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+] -/* 0351: disable backlogged Crash Reports +user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+] [DEFAULT: false except Nightly] +/* 0351: enforce no submission of backlogged Crash Reports [FF58+] * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send backlogged crash reports ***/ -user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [FF58+] +user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DEFAULT: false] /* 0390: disable Captive Portal detection * [1] https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy * [2] https://wiki.mozilla.org/Necko/CaptivePortal ***/ @@ -352,7 +351,7 @@ user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] /* 0518: disable Web Compatibility Reporter [FF56+] * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/ -user_pref("extensions.webcompat-reporter.enabled", false); +user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false in stable] /*** [SECTION 0600]: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - e.g. clicked on] ***/ user_pref("_user.js.parrot", "0600 syntax error: the parrot's no more!"); @@ -492,12 +491,7 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/ // user_pref("browser.urlbar.suggest.engines", false); /* 0850c: disable location bar dropdown - * This value controls the total number of entries to appear in the location bar dropdown - * [NOTE] Items (bookmarks/history/openpages) with a high "frecency"/"bonus" will always - * be displayed (no we do not know how these are calculated or what the threshold is), - * and this does not affect the search by search engine suggestion (see 0807) - * [NOTE] This setting is only useful if you want to enable search engine keywords - * (i.e. at least one of 0850a suggestion types must be true) but you want to *limit* suggestions shown ***/ + * This value controls the total number of entries to appear in the location bar dropdown ***/ // user_pref("browser.urlbar.maxRichResults", 0); /* 0850d: disable location bar autofill * [1] https://support.mozilla.org/en-US/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/ @@ -519,7 +513,7 @@ user_pref("browser.taskbar.lists.frequent.enabled", false); user_pref("browser.taskbar.lists.recent.enabled", false); user_pref("browser.taskbar.lists.tasks.enabled", false); /* 0871: disable Windows taskbar preview [WINDOWS] ***/ -user_pref("browser.taskbar.previews.enable", false); + // user_pref("browser.taskbar.previews.enable", false); // [DEFAULT: false] /*** [SECTION 0900]: PASSWORDS ***/ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); @@ -653,7 +647,7 @@ user_pref("security.ssl.require_safe_negotiation", true); * [1] https://www.ssllabs.com/ssl-pulse/ ***/ // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] // user_pref("security.tls.version.max", 4); -/* 1203: enforce TLS 1.0 and 1.1 downgrades as session only */ +/* 1203: enforce TLS 1.0 and 1.1 downgrades as session only ***/ user_pref("security.tls.version.enable-deprecated", false); /* 1204: disable SSL session tracking [FF36+] * SSL Session IDs are unique and last up to 24hrs in Firefox (or longer with prolongation attacks) @@ -897,7 +891,7 @@ user_pref("plugin.state.flash", 0); * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/ // user_pref("media.gmp-provider.enabled", false); /* 1825: disable widevine CDM (Content Decryption Module) - * [NOTE] This is covered by the EME master switch (1830) **/ + * [NOTE] This is covered by the EME master switch (1830) ***/ // user_pref("media.gmp-widevinecdm.enabled", false); /* 1830: disable all DRM content (EME: Encryption Media Extension) * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV @@ -1033,7 +1027,7 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket! * This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website * [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one * is default false) then enabling this pref can leak clipboard content [1] - * [1] https://bugzilla.mozilla.org/1528289 */ + * [1] https://bugzilla.mozilla.org/1528289 ***/ // user_pref("dom.event.clipboardevents.enabled", false); /* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] * this disables document.execCommand("cut"/"copy") to protect your clipboard @@ -1187,7 +1181,7 @@ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] * Currently applies to cross-origin geolocation, camera, mic and screen-sharing * permissions, and fullscreen requests. Disabling delegation means any prompts * for these will show/use their correct 3rd party origin - * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion */ + * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/ user_pref("permissions.delegation.enabled", false); /* 2624: enable "window.name" protection [FF82+] * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original From 95645f59a39d6a6f3b2b824b6a1c0b2f4eb22be6 Mon Sep 17 00:00:00 2001 From: earthlng Date: Thu, 11 Mar 2021 14:06:38 +0000 Subject: [PATCH 257/657] Add files via upload --- wikipiki/parseError.png | Bin 0 -> 3467 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 wikipiki/parseError.png diff --git a/wikipiki/parseError.png b/wikipiki/parseError.png new file mode 100644 index 0000000000000000000000000000000000000000..8f8a42005986f13d2726cff807e732d4f4427dc0 GIT binary patch literal 3467 zcmZu!cQhN&9uC#gC_z)ZvCA`BB~@CR6tzc-PP3uJUNIV*QdNRjMbW0iD7B@viy~&V zh}ndO8i`#b4{x0F&Ut^_@!fOB@BGI1o%__xM2`)~4+H=JYzF$e761U_(fl$C<6#et z;D#Lz489h6+JG{=Ao&n5!L^LF0Dy{Q)_wbvhxoLYzO63+z}|M$7&<-QIvw65Y@n-U z74%^FWuJ#&J!kj8+> z)KYi(FUkIZ?fj$*ar7Os-9jgww)wDWe{E-BbvuuS+$WkA9q1LEzBiq`O{eaVr)j(E z_$JiuUNW8UV54cWyCsOuQKnXxr`q`X$LI2dLaBt-0cwF%LLrL_(hLkUXR1;?1X7H5 zAi)cN|BhFKNn1rr$SY*AONT3ZwP+vAz$Px+1zDHARu#5OC9N;?3k&he1K(hl+EmZ1 z((Sn8^6yBFNB~uR1OlNM(>^=<>T}-!b>O-xqHZ~( zQ+h`p)V8OQ+0k;Q+VOs2ytXshimJe$Q~+^DAU=ofaZ5+Yfd=Yuxae`f^71m`#}!zQ z&gxp#Y)y~K`SP&Z`EtrT^p;k4-0GtU8!`MbwfLci6OXF@jVWGpk zl7+J^G+oT`ddby2D+Q-F+?dWgh%i}YmLpqbeRk()2mT?;I9l4xfQP8wzd;59LJwD` zP_)KI28o}v17x8%LAx!xd1?1`*f>774KAFce>EM~EE!qKA)1quGutMr^B=p&OD?~_ zVd4B7_?N?= ziEb0Mi&>GT<$=VV{yv|ll#>Vk^1)mIq9K0?TZIrB~;p0FUg&twzJFHF06UCeqH zzXCJ*^704R3UP1{vTBz-X9*zQrVefAey6+0%%q_;8NzI!NlpPRemfV=zBF)=cY0O( zpj6Qjf;5eH9oG;t)Jd^F3e{7ufU_TY*CH=>y1J?J&nUKrWmly!yPLXIKn2I=(W0U4 zy4{J9uHzCj4i^|bFd^#KI{{~vnmeOZA#JJG{ z&mY?ArCB1HUvN(#oR_0d>13EeG$B*ckRytiU#R-*8>BlPne|>(6TaPCM0yn%G_Kh?v-hbg zq$5C`fCGK=YY!PKu(Ujq3ph$^(f+O#P z?iS(h)anA;iq^kOF&XR+SCs;dGLui9tx0BO>}B`pV_Me}O~>84e;tFeR~_-+MvrB0~C8Fb;7K>XKPC-En?7xNeH-Q zeF4C~W>8UIe|mXHqow%R1zrX=k%umR zo)I@S>w0%o<2UGr^)lVc?!WuaE^?iO)E}$O$uHu7K+7Xe{~chl!qt#xjaH`?lC;dh zFwXxggxj>8U+4$H=Qa z)}U5Au(NHHuU{$5fno|D9&yUUX_VO{>(Ti*Yk}!f7;~?jUnb6%F(T&ga5Uxp{Lo@b zr!8Of$|N`(w&_Lbw$+@vyEP-|1To>PU{}Wl|0Mew<~K4wQETp%B#yLeWIlr!}@f))uwLbg;}RE*Ufr#=$S&8 zAx$0OeE}w%$3#qgy?0#NQ*+ghxr+2{tx9m~GV!OsZ`hQv()0fNT0Z4lnNN*C(%8GL z6W_QpgAQhO+28x9MfRUzd1f7gnAtcb0Q(44|lo8(CbLdXn zEfuYg9oE`?!6ULeZC!g_eR484@pgJv5xv)@#%GnC!N5U|g>xCq?3e(wyfnUb`Q}%~ z^*n8S^uWBWQaII1rVQQ^9Q#&<@=?ygCquJ?{SdVMt z@&$P_*9E`INzy9`JQ-K4+@mhZQp4!Hbng=fJa#~DgiujfY_1<@l@;d^)Wx10D=%HA z6>q}7^Y&+p+q~D31Jt5V7>#a_BjI7-}HRCUN0w zmqGoOLEn(r76Y*7By=w+yQHhP!Lu0 zglk62mA-&?&;uZw_r-R}t0T*w>=MhFL>$<>A3;f?7=4+WYuFrz_L)()UxPD6`uX}7 zoQk?+se&+WOknJ)rqM@P0Zo)Ms(aK|ysx*dEWR((IcBEk#Et0~i=QShPV=~=7R#zR z2#G&_qjR&z`lClq=s@Tkhn?hwLs;HJJgjaj3&H;CDu@Wc9&r|an;G3TBH5<- z2j`wx*t=0$L4sl($#*1Z(Ntku)08WUphi(8$Bc8@QXut%VtcBS1(yP+xITYaJt$Sm zkFUen*{PMfDQWKS4cMfHdvqm=y(}P~IANJz1k*~c`%}>57YqELl*Rf*DkYVBTsUyg zEIULYVVDc9q8=%yV{mZ{$OSe32%%&>Ff=XyWXXe?+iHYs`R|~tzbv%i#7QUWO6XkYsk?7qJdi; zL+DDWUF2h#*&LA!=4X%Yq4s<5`by6qrqsF?S~og-VvGta&YEZxxn;mWHA&Z;-U1b^XG?$wC3L$6QgU73JB* zcDOwflk($zRp3k|d!0dwqE=;I%ayzKQ%y35RdiQA8!i}vDIhUKagA;`cxT)1Qcw8t zZCo8bV^i72dy`iIFM}RVx2qo Date: Sun, 14 Mar 2021 11:21:13 +0000 Subject: [PATCH 258/657] tweak defaults (#1140) - don't differentiate between channels - both can be made inactive - webcompat requires user action: and I don't see this as a bad thing to have in non-stable - unsubmitted crashReports on Nightly is probably already covered by killing the URL, so no big deal --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 2eee2e0..05ab9cd 100644 --- a/user.js +++ b/user.js @@ -250,7 +250,7 @@ user_pref("browser.discovery.enabled", false); /* 0350: disable Crash Reports ***/ user_pref("breakpad.reportURL", ""); user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+] -user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+] [DEFAULT: false except Nightly] + // user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+] [DEFAULT: false] /* 0351: enforce no submission of backlogged Crash Reports [FF58+] * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send backlogged crash reports ***/ user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DEFAULT: false] @@ -351,7 +351,7 @@ user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] /* 0518: disable Web Compatibility Reporter [FF56+] * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/ -user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false in stable] + // user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] /*** [SECTION 0600]: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - e.g. clicked on] ***/ user_pref("_user.js.parrot", "0600 syntax error: the parrot's no more!"); From 3a24c01f030ef6b83c75b1a31ad4f030dbc66179 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 17 Mar 2021 14:01:16 +0000 Subject: [PATCH 259/657] 0518: enforce no Web Compat Reporter only stable is false, at the time of writing. but enforcing this for all channels is good, so no-one ends up wasting mozilla resources reporting a compat problem when they've got 200 odd prefs flipped --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 05ab9cd..019a73c 100644 --- a/user.js +++ b/user.js @@ -349,9 +349,9 @@ user_pref("extensions.formautofill.available", "off"); // [FF56+] user_pref("extensions.formautofill.creditCards.available", false); // [FF57+] user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] -/* 0518: disable Web Compatibility Reporter [FF56+] +/* 0518: enforce disabling of Web Compatibility Reporter [FF56+] * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/ - // user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] +user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] /*** [SECTION 0600]: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - e.g. clicked on] ***/ user_pref("_user.js.parrot", "0600 syntax error: the parrot's no more!"); From 3b6cd93749f3885b5cbbc54013e7342b6ce995ac Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 27 Mar 2021 07:32:19 +0000 Subject: [PATCH 260/657] 1606: default Referrer Policy default --- user.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 019a73c..00b6ab3 100644 --- a/user.js +++ b/user.js @@ -847,8 +847,9 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); * [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy * [1] https://www.w3.org/TR/referrer-policy/ * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy - * [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ***/ - // user_pref("network.http.referer.defaultPolicy", 3); // [DEFAULT: 3] + * [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ + * [4] https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy/ ***/ + // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+] // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] /* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain [FF54+] * [NOTE] Firefox cannot access .onion sites by default. We recommend you use From b592e0e592bb80141b0b4f880dc3b0069e21301c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 27 Mar 2021 07:49:14 +0000 Subject: [PATCH 261/657] 87 deprecated It is simpler to leave the PointerEvent pref where it is, until ESR78 is EOL - FF87+ users who use RFP Alts simply add a dead pref, no harm - This way ESR78 users don't have to worry about extra char flipping: it's the same as before: 1 flip for ESR, 1 flip for RFP Alts --- user.js | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 00b6ab3..4729016 100644 --- a/user.js +++ b/user.js @@ -121,8 +121,6 @@ user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); user_pref("browser.newtabpage.activity-stream.showSponsored", false); user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); // [FF66+] -/* 0105d: disable Activity Stream recent Highlights in the Library [FF57+] ***/ - // user_pref("browser.library.activity-stream.enabled", false); /* 0105e: clear default topsites * [NOTE] This does not block you from adding your own ***/ user_pref("browser.newtabpage.activity-stream.default.sites", ""); @@ -1562,8 +1560,9 @@ user_pref("webgl.enable-debug-renderer-info", false); // 0=no-preference, 1=reduce user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] // FF64+ -// 4615: [2516] disable PointerEvents +// 4615: [2516] disable PointerEvents [FF86 or lower] // [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent + // [-] https://bugzilla.mozilla.org/1688105 user_pref("dom.w3c_pointer_events.enabled", false); // * * * / // FF67+ @@ -1678,6 +1677,10 @@ user_pref("security.ssl.errorReporting.url", ""); // 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin // [-] https://bugzilla.mozilla.org/1581678 user_pref("browser.download.hide_plugins_without_extensions", false); +// FF87 +// 0105d: disable Activity Stream recent Highlights in the Library [FF57+] + // [-] https://bugzilla.mozilla.org/1689405 + // user_pref("browser.library.activity-stream.enabled", false); // ***/ /* END: internal custom pref to test for syntax errors ***/ From b1927f9de1e7a2559f0e83c484d5cb243a4d5722 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 27 Mar 2021 18:42:52 +0000 Subject: [PATCH 262/657] 1607 make inactive Useless, since Firefox doesn't use Tor (and which we don't recommend). It was added for the info factor. --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 4729016..f3b34f2 100644 --- a/user.js +++ b/user.js @@ -853,7 +853,7 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); * [NOTE] Firefox cannot access .onion sites by default. We recommend you use * the Tor Browser which is specifically designed for hidden services * [1] https://bugzilla.mozilla.org/1305144 ***/ -user_pref("network.http.referer.hideOnionSource", true); + // user_pref("network.http.referer.hideOnionSource", true); /* 1610: ALL: enable the DNT (Do Not Track) HTTP header * [NOTE] DNT is enforced with Enhanced Tracking Protection regardless of this pref * [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal... ***/ From 46ccd9f6547bac30f57840e95a453b434051ef12 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 3 Apr 2021 14:20:39 +0000 Subject: [PATCH 263/657] cleanup 0600s three prefs are default since at least 78, and one pref is redundant for a pref that has been at our default since it was added --- user.js | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index f3b34f2..49a3267 100644 --- a/user.js +++ b/user.js @@ -359,17 +359,16 @@ user_pref("network.prefetch-next", false); /* 0602: disable DNS prefetching * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/ user_pref("network.dns.disablePrefetch", true); -user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true] + // user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true] /* 0603: disable predictor / prefetching ***/ user_pref("network.predictor.enabled", false); -user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false] + // user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false] /* 0605: disable link-mouseover opening connection to linked server * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/ user_pref("network.http.speculative-parallel-limit", 0); /* 0606: enforce no "Hyperlink Auditing" (click tracking) * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/ -user_pref("browser.send_pings", false); // [DEFAULT: false] -user_pref("browser.send_pings.require_same_host", true); // defense-in-depth + // user_pref("browser.send_pings", false); // [DEFAULT: false] /*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!"); From 87cd828b5b30d78e6ed7cfc660a012267cbf7ef3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 3 Apr 2021 14:25:46 +0000 Subject: [PATCH 264/657] browser.send_pings.require_same_host redundant/defense-in-depth pref for `browser.send_pings` which is still at default false after six years of watching it (false is what we want) --- scratchpad-scripts/arkenfox-clear-removed.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 20e7305..8ec83a0 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 04-Mar-2021 + Last updated: 03-Apr-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -234,6 +234,8 @@ 'network.http.redirection-limit', /* 86-beta */ 'media.gmp-widevinecdm.visible', + /* 87-beta */ + 'browser.send_pings.require_same_host', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] From 8f1c0044b91e7df4e7f369c71b7aed2a4ba7bdd5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 4 Apr 2021 11:07:39 +0000 Subject: [PATCH 265/657] 2701: add cookie behavior 5 --- user.js | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index 49a3267..11d46bc 100644 --- a/user.js +++ b/user.js @@ -1244,12 +1244,18 @@ user_pref("security.dialog_enable_delay", 700); accessible to websites except shared/service workers where the cookie setting *must* be "Allow" ***/ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!"); -/* 2701: disable 3rd-party cookies and site-data [SETUP-WEB] - * 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies, - * 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (default) - * [NOTE] You can set exceptions under site permissions or use an extension +/* 2701: disable or isolate 3rd-party cookies and site-data [SETUP-WEB] + * 0 = Accept cookies and site data + * 1 = (Block) All third-party cookies + * 2 = (Block) All cookies + * 3 = (Block) Cookies from unvisited websites + * 4 = (Block) Cross-site tracking cookies (default) + * 5 = (Isolate All) Cross-site cookies (TCP: Total Cookie Protection / dFPI: dynamic FPI) [1] (FF86+) + * Option 5 with FPI enabled (4001) is ignored and not shown, and option 4 used instead + * [NOTE] You can set cookie exceptions under site permissions or use an extension * [NOTE] Enforcing category to custom ensures ETP related prefs are always honored - * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/ + * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies + * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ ***/ user_pref("network.cookie.cookieBehavior", 1); user_pref("browser.contentblocking.category", "custom"); /* 2702: set third-party cookies (if enabled, see 2701) to session-only From f77102713892d92a34f781e75840a09091a5c485 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 4 Apr 2021 11:18:54 +0000 Subject: [PATCH 266/657] 2720 was removed in FF72 https://bugzilla.mozilla.org/1488583 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 11d46bc..59dc5fd 100644 --- a/user.js +++ b/user.js @@ -1298,7 +1298,7 @@ user_pref("dom.storage.next_gen", true); /*** [SECTION 2800]: SHUTDOWN You should set the values to what suits you best. - "Offline Website Data" includes appCache (2730), localStorage (2710), - service worker cache (2740), and QuotaManager (IndexedDB (2720), asm-cache) + service worker cache (2740), and QuotaManager (IndexedDB, asm-cache) - In both 2803 + 2804, the 'download' and 'history' prefs are combined in the Firefox interface as "Browsing & Download History" and their values will be synced ***/ From ca99add0067c5644bf280a00ca26e2aaea1621f3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 4 Apr 2021 11:49:07 +0000 Subject: [PATCH 267/657] turn ETP on everywhere It literally cannot hurt [1], and makes it easier for users to use custom mode with TCP/dFPI. Turning on socialtracking helps gain parity with strict mode [1] gorhill: https://old.reddit.com/r/firefox/comments/l7xetb/network_priority_for_firefoxs_enhanced_tracking/gl9rn9n/ > All extensions and ETP work in parallel, they all inspect network requests and all make the decision to block or not, hence if they all decide to block, they will all report that they block something. ETP is a bit different than normal extension in that it will give precedence to an extension trying to redirect to a local resource, this ensures ETP works harmoniously with normal extensions. > > Once something is not blocked, it then goes through a DNS query, and the browser waits for the response. > > I will add examples of how ETP + multiple blocker extensions work together when dealing with a network request; let's say "A" and "B" are two different blockers: > > - ETP=block, A=allow, B=allow: result=block > - ETP=allow, A=block, B=allow: result=block > - ETP=allow, A=allow, B=redirect: result=redirect > - ETP=allow, A=block, B=redirect: result=block > - ETP=block, A=allow, B=redirect: result=redirect > > So as you can see, ETP is a bit different than a normal extension in that it won't prevent redirection from happening if ever a network request is redirected by one of the normal extension. --- user.js | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 59dc5fd..636ed0f 100644 --- a/user.js +++ b/user.js @@ -1269,7 +1269,16 @@ user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+] * [NOTE] The setting below is disabled (but not changed) if you block all cookies (2701 = 2) * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed ***/ // user_pref("network.cookie.lifetimePolicy", 2); -/* 2710: disable DOM (Document Object Model) Storage +/* 2710: enable Enhanced Tracking Protection (ETP) in all windows + * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Tracking content + * [SETTING] to add site exceptions: Urlbar>ETP Shield + * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/ +user_pref("privacy.trackingprotection.enabled", true); +/* 2711: enable various ETP lists ***/ +user_pref("privacy.trackingprotection.socialtracking.enabled", true); + // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] + // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] +/* 2720: disable DOM (Document Object Model) Storage * [WARNING] This will break a LOT of sites' functionality AND extensions! * You are better off using an extension for more granular control ***/ // user_pref("dom.storage.enabled", false); @@ -1297,7 +1306,7 @@ user_pref("dom.storage.next_gen", true); /*** [SECTION 2800]: SHUTDOWN You should set the values to what suits you best. - - "Offline Website Data" includes appCache (2730), localStorage (2710), + - "Offline Website Data" includes appCache (2730), localStorage (2720), service worker cache (2740), and QuotaManager (IndexedDB, asm-cache) - In both 2803 + 2804, the 'download' and 'history' prefs are combined in the Firefox interface as "Browsing & Download History" and their values will be synced From 728c962684db82b9dcace81aa6c1e4901caf65d2 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 4 Apr 2021 12:01:49 +0000 Subject: [PATCH 268/657] 2402: potential clipboard leak fixed in FF89+ Thanks @gwarser for testing, creating the bugzilla, being patient, and confirming the fix --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 636ed0f..7a2eaf5 100644 --- a/user.js +++ b/user.js @@ -1023,8 +1023,8 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket! /* 2402: disable website access to clipboard events/content [SETUP-HARDEN] * [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress * This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website - * [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one - * is default false) then enabling this pref can leak clipboard content [1] + * [WARNING] In FF88 or lower, with clipboardevents enabled, if both 'middlemouse.paste' and + * 'general.autoScroll' are true (at least one is default false) then the clipboard can leak [1] * [1] https://bugzilla.mozilla.org/1528289 ***/ // user_pref("dom.event.clipboardevents.enabled", false); /* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] From bc07ca94c09e35d1b7b4faefd68b5c8bab77677e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 4 Apr 2021 12:37:17 +0000 Subject: [PATCH 269/657] 1830: add [TEST] --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index 7a2eaf5..10b4610 100644 --- a/user.js +++ b/user.js @@ -894,6 +894,7 @@ user_pref("plugin.state.flash", 0); /* 1830: disable all DRM content (EME: Encryption Media Extension) * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV * [SETTING] General>DRM Content>Play DRM-controlled content + * [TEST] https://bitmovin.com/demos/drm * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/ user_pref("media.eme.enabled", false); From abe37add6e39975b4372253ca7e35a5e5fbf444d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 4 Apr 2021 12:54:17 +0000 Subject: [PATCH 270/657] save some overrides, closes #1157 I do not think anyone will bemoan these four "personal" choices --- user.js | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index 10b4610..46f6de9 100644 --- a/user.js +++ b/user.js @@ -1617,10 +1617,11 @@ user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow // user_pref("general.useragent.override", ""); // [HIDDEN PREF] /*** [SECTION 5000]: PERSONAL - Non-project related but useful. If any of these interest you, add them to your overrides ***/ + Non-project related but useful. If any of these interest you, add them to your overrides + To save some overrides, we've made a few active as they seem to be universally used ***/ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); /* WELCOME & WHAT's NEW NOTICES ***/ - // user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch +user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch // user_pref("startup.homepage_welcome_url", ""); // user_pref("startup.homepage_welcome_url.additional", ""); // user_pref("startup.homepage_override_url", ""); // What's New page after updates @@ -1647,15 +1648,15 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART] // user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under] /* UX FEATURES: disable and hide the icons and menus ***/ - // user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New [FF69+] +user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New toolbar icon [FF69+] // user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+] // user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART] // user_pref("reader.parse-on-load.enabled", false); // Reader View /* OTHER ***/ // user_pref("browser.bookmarks.max_backups", 2); - // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+] +user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+] // [SETTING] General>Browsing>Recommend extensions as you browse - // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+] +user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+] // [SETTING] General>Browsing>Recommend features as you browse // user_pref("network.manage-offline-status", false); // see bugzilla 620472 // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) From f0822782175932a96d0eed4fecc51c0a2bab239a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 4 Apr 2021 14:15:53 +0000 Subject: [PATCH 271/657] 1607: save one line and some bytes and make it even MOAR clear we do NOT support tor over firefox --- user.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/user.js b/user.js index 46f6de9..b5e8478 100644 --- a/user.js +++ b/user.js @@ -849,8 +849,7 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+] // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] /* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain [FF54+] - * [NOTE] Firefox cannot access .onion sites by default. We recommend you use - * the Tor Browser which is specifically designed for hidden services + * [NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser * [1] https://bugzilla.mozilla.org/1305144 ***/ // user_pref("network.http.referer.hideOnionSource", true); /* 1610: ALL: enable the DNT (Do Not Track) HTTP header From 2071939c5e5fdb0898aadb06b37cdbc3ccb70011 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 4 Apr 2021 14:21:24 +0000 Subject: [PATCH 272/657] use [TOR] tags, add 1247 not that we recommend using tor over firefox: but at least the info is there for fiddlers --- user.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index b5e8478..985f68f 100644 --- a/user.js +++ b/user.js @@ -743,6 +743,10 @@ user_pref("dom.security.https_only_mode", true); // [FF76+] * This is done to avoid waiting for a timeout which takes 90 seconds * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/ user_pref("dom.security.https_only_mode_send_http_background_request", false); +/* 1247: treat .onion as a secure context [FF60+] [TOR] + * [NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser + * [1] https://bugzilla.mozilla.org/1382359 ***/ + // user_pref("dom.securecontext.whitelist_onions", true); /** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] * These are all the ciphers still using SHA-1 and CBC which are weaker than the available alternatives. (see "Cipher Suites" in [1]) @@ -848,7 +852,7 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); * [4] https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy/ ***/ // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+] // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] -/* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain [FF54+] +/* 1607: hide (not spoof) referrer when leaving a .onion domain [FF54+] [TOR] * [NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser * [1] https://bugzilla.mozilla.org/1305144 ***/ // user_pref("network.http.referer.hideOnionSource", true); From ada8158caf3f0c0fac7f1e4d2694fcdf7fc28b59 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 4 Apr 2021 20:33:23 +0000 Subject: [PATCH 273/657] v87 --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 985f68f..60874a5 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 02 March 2021 -* version 87-alpha +* date: 04 April 2021 +* version 87 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From 2da3b0192f14a47e5d48446989251e1fd9c380a0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 7 Apr 2021 09:36:01 +0000 Subject: [PATCH 274/657] update HTTP2 stats --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 60874a5..1569e7e 100644 --- a/user.js +++ b/user.js @@ -386,8 +386,8 @@ user_pref("network.dns.disableIPv6", true); /* 0702: disable HTTP2 * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to * enhance privacy, and opens up a number of server-side fingerprinting opportunities. - * [WARNING] Disabling this made sense in the past, and doesn't break anything, but HTTP2 is - * at 40% (December 2019) and growing [5]. Don't be that one person using HTTP1.1 on HTTP2 sites + * [WARNING] Disabling this made sense in the past, and doesn't break anything, but HTTP2 is over + * 50% of sites (April 2021) and growing [5]. Don't be that one person using HTTP1.1 on HTTP2 sites * [1] https://http2.github.io/faq/ * [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html * [3] https://http2.github.io/http2-spec/#rfc.section.10.8 From 5dcf639d33d645df1278b5ffba1a5d8726473684 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 7 Apr 2021 09:36:56 +0000 Subject: [PATCH 275/657] oophs .. and start 88-alpha --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 1569e7e..dfa382f 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 04 April 2021 -* version 87 +* date: 06 April 2021 +* version 88-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From 7ad3bb9e614f77d150f359686b7afa624b1634d9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 7 Apr 2021 09:44:24 +0000 Subject: [PATCH 276/657] 0702: use a [STATS] tag --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index dfa382f..1d0dc7e 100644 --- a/user.js +++ b/user.js @@ -386,8 +386,8 @@ user_pref("network.dns.disableIPv6", true); /* 0702: disable HTTP2 * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to * enhance privacy, and opens up a number of server-side fingerprinting opportunities. - * [WARNING] Disabling this made sense in the past, and doesn't break anything, but HTTP2 is over - * 50% of sites (April 2021) and growing [5]. Don't be that one person using HTTP1.1 on HTTP2 sites + * [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites + * [STATS] Over 50% of sites (April 2021) and growing [5] * [1] https://http2.github.io/faq/ * [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html * [3] https://http2.github.io/http2-spec/#rfc.section.10.8 From 6c10e03ce52423d87fada431a49369c7b73a4337 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 8 Apr 2021 01:19:42 +0000 Subject: [PATCH 277/657] 2012: remove webgl.min_capability_mode as promised in https://github.com/arkenfox/user.js/commit/4596d721e6479aa2341554dc9e21cd999cd704a8 --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index 1d0dc7e..be4ea89 100644 --- a/user.js +++ b/user.js @@ -925,7 +925,6 @@ user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70 user_pref("webgl.disabled", true); user_pref("webgl.enable-webgl2", false); /* 2012: limit WebGL ***/ - // user_pref("webgl.min_capability_mode", true); user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] /* 2022: disable screensharing ***/ user_pref("media.getusermedia.screensharing.enabled", false); From 9b8735a87a1696a0124246b92d5c6beadf2d4567 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 8 Apr 2021 01:21:14 +0000 Subject: [PATCH 278/657] webgl.min_capability_mode --- scratchpad-scripts/arkenfox-clear-removed.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 8ec83a0..74cd070 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 03-Apr-2021 + Last updated: 07-Apr-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -236,6 +236,8 @@ 'media.gmp-widevinecdm.visible', /* 87-beta */ 'browser.send_pings.require_same_host', + /* 88-beta */ + 'webgl.min_capability_mode', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] From 7738e320d5a05e662c0c523ba502b0462661b28b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 15 Apr 2021 07:10:54 +0000 Subject: [PATCH 279/657] RFP & Presentation API --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index be4ea89..07cd486 100644 --- a/user.js +++ b/user.js @@ -1433,7 +1433,7 @@ user_pref("privacy.firstparty.isolate", true); 1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12) 1382545 - reduce fingerprinting in Animation API 1354633 - limit MediaError.message to a whitelist - 1382533 - enable fingerprinting resistance for Presentation API + 1382533 & 1697680 - enable fingerprinting resistance for Presentation API (FF57-87) This blocks exposure of local IP Addresses via mDNS (Multicast DNS) FF58+ 967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction From 9930cfbc077917497f54ad6d449b76432e97b697 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 17 Apr 2021 07:12:20 +0000 Subject: [PATCH 280/657] 0102: add setup tag #1166 --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 07cd486..cc11451 100644 --- a/user.js +++ b/user.js @@ -92,7 +92,8 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!"); /* 0101: disable default browser check * [SETTING] General>Startup>Always check if Firefox is your default browser ***/ user_pref("browser.shell.checkDefaultBrowser", false); -/* 0102: set START page (0=blank, 1=home, 2=last visited page, 3=resume previous session) +/* 0102: set startup page [SETUP-CHROME] + * 0=blank, 1=home, 2=last visited page, 3=resume previous session * [NOTE] Session Restore is not used in PB mode (0110) and is cleared with history (2803, 2804) * [SETTING] General>Startup>Restore previous session ***/ user_pref("browser.startup.page", 0); From da9f912862172f49454b5be977e0c7d133c03b25 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 23 Apr 2021 14:25:54 +0000 Subject: [PATCH 281/657] 2620: disable pdfjs scripting, v88 final --- user.js | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index cc11451..c029dd5 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 06 April 2021 -* version 88-alpha +* date: 23 April 2021 +* version 88 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -1163,17 +1163,18 @@ user_pref("webchannel.allowObject.urlWhitelist", ""); * [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/ * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/ user_pref("network.IDN_show_punycode", true); -/* 2620: enforce Firefox's built-in PDF reader [SETUP-CHROME] +/* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME] * This setting controls if the option "Display in Firefox" is available in the setting below * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With") * PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most) - * Exploits are rare (1 serious case in 4 yrs), treated seriously and patched quickly. + * Exploits are rare (one serious case in seven years), treated seriously and patched quickly. * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps). * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk. * CONS: You may prefer a different pdf reader for security reasons * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare) * [SETTING] General>Applications>Portable Document Format (PDF) ***/ user_pref("pdfjs.disabled", false); // [DEFAULT: false] +user_pref("pdfjs.enableScripting", false); // [FF86+] /* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/ user_pref("network.protocol-handler.external.ms-windows-store", false); /* 2622: enforce no system colors; they can be fingerprinted From cfd7cd01d1ac131df8b0a0b8bccad757c0aec046 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 25 Apr 2021 11:18:39 +0000 Subject: [PATCH 282/657] cleanup 0500s, #1170 - they all have on/off switches - dxr no longer exists: update URL - don't recommend users delete files - saves two lines - they poses zero threat (they have prefs) - deleting them can causes unwanted console errors/noise --- user.js | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index c029dd5..08e5572 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 23 April 2021 -* version 88 +* date: 25 April 2021 +* version 89-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -312,8 +312,6 @@ user_pref("browser.safebrowsing.downloads.remote.url", ""); built-in features to Firefox, that are hidden from the about:addons UI. To view your System Add-ons go to about:support, they are listed under "Firefox Features" - Some System Add-ons have no on-off prefs. Instead you can manually remove them. Note that app - updates will restore them. They may also be updated and possibly restored automatically (see 0505) * Portable: "...\App\Firefox64\browser\features\" (or "App\Firefox\etc" for 32bit) * Windows: "...\Program Files\Mozilla\browser\features" (or "Program Files (X86)\etc" for 32bit) * Mac: "...\Applications\Firefox\Contents\Resources\browser\features\" @@ -321,7 +319,7 @@ user_pref("browser.safebrowsing.downloads.remote.url", ""); * Linux: "/usr/lib/firefox/browser/features" (or similar) [1] https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html - [2] https://dxr.mozilla.org/mozilla-central/source/browser/extensions + [2] https://searchfox.org/mozilla-central/source/browser/extensions ***/ user_pref("_user.js.parrot", "0500 syntax error: the parrot's cashed in 'is chips!"); /* 0503: disable Normandy/Shield [FF60+] From 79c5539edb939e4c005e794119312ec7d2f3dcba Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 5 May 2021 16:41:43 +0000 Subject: [PATCH 283/657] goodbye flash The prefs still exist, but won't do anything since most of the NPAPI code has been removed --- user.js | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/user.js b/user.js index 08e5572..96be4c4 100644 --- a/user.js +++ b/user.js @@ -200,10 +200,6 @@ user_pref("app.update.auto", false); /* 0308: disable search engine updates (e.g. OpenSearch) * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines ***/ user_pref("browser.search.update", false); -/* 0309: disable sending Flash crash reports ***/ -user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); -/* 0310: disable sending the URL of the website where a plugin crashed ***/ -user_pref("dom.ipc.plugins.reportCrashURL", false); /* 0320: disable about:addons' Recommendations pane (uses Google Analytics) ***/ user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF] /* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/ @@ -882,11 +878,6 @@ user_pref("privacy.userContext.enabled", true); /*** [SECTION 1800]: PLUGINS ***/ user_pref("_user.js.parrot", "1800 syntax error: the parrot's pushing up daisies!"); -/* 1803: disable Flash plugin - * 0=deactivated, 1=ask, 2=enabled - * ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable only supports Flash - * [NOTE] You can still override individual sites via site permissions ***/ -user_pref("plugin.state.flash", 0); /* 1820: disable GMP (Gecko Media Plugins) * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/ // user_pref("media.gmp-provider.enabled", false); @@ -1699,6 +1690,19 @@ user_pref("browser.download.hide_plugins_without_extensions", false); // 0105d: disable Activity Stream recent Highlights in the Library [FF57+] // [-] https://bugzilla.mozilla.org/1689405 // user_pref("browser.library.activity-stream.enabled", false); +// FF89 +// 0309: disable sending Flash crash reports + // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] +user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); +// 0310: disable sending the URL of the website where a plugin crashed + // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] +user_pref("dom.ipc.plugins.reportCrashURL", false); +// 1803: disable Flash plugin + // 0=deactivated, 1=ask, 2=enabled + // ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable only supports Flash + // [NOTE] You can still override individual sites via site permissions + // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] +user_pref("plugin.state.flash", 0); // [DEFAULT: 1] // ***/ /* END: internal custom pref to test for syntax errors ***/ From ba9b3c217be47c752876d6b55166e52f2d315a8c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 8 May 2021 14:45:32 +0000 Subject: [PATCH 284/657] tweak 4600s: closes #1172 --- user.js | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/user.js b/user.js index 96be4c4..85f9516 100644 --- a/user.js +++ b/user.js @@ -1497,20 +1497,18 @@ user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan"); /* [SETUP-non-RFP] Non-RFP users replace the * with a slash on this line to enable these // FF55+ -// 4601: [2514] spoof (or limit?) number of CPU cores [FF48+] - // [NOTE] *may* affect core chrome/Firefox performance, will affect content. +// 4601: [2514] spoof number of CPU cores [FF48+] // [1] https://bugzilla.mozilla.org/1008453 // [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21675 // [3] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22127 // [4] https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency - // user_pref("dom.maxHardwareConcurrency", 2); -// * * * / +user_pref("dom.maxHardwareConcurrency", 2); // FF56+ // 4602: [2411] disable resource/navigation timing user_pref("dom.enable_resource_timing", false); // 4603: [2412] disable timing attacks // [1] https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI -user_pref("dom.enable_performance", false); + // user_pref("dom.enable_performance", false); // 4604: [2512] disable device sensor API // Optional protection depending on your device // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15758 @@ -1537,7 +1535,6 @@ user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android] // [2] https://developer.mozilla.org/docs/Web/API/SpeechSynthesis // [3] https://wiki.mozilla.org/HTML5_Speech_API user_pref("media.webspeech.synth.enabled", false); -// * * * / // FF57+ // 4610: [2506] disable video statistics - JS performance fingerprinting [FF25+] // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15757 @@ -1550,19 +1547,16 @@ user_pref("media.video_stats.enabled", false); // [1] https://developer.mozilla.org/docs/Web/API/Touch_events // [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10286 // user_pref("dom.w3c_touch_events.enabled", 0); -// * * * / // FF59+ // 4612: [2511] disable MediaDevices change detection [FF51+] // [1] https://developer.mozilla.org/docs/Web/Events/devicechange // [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange user_pref("media.ondevicechange.enabled", false); -// * * * / // FF60+ // 4613: [2011] disable WebGL debug info being available to websites // [1] https://bugzilla.mozilla.org/1171228 // [2] https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info user_pref("webgl.enable-debug-renderer-info", false); -// * * * / // FF63+ // 4614: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] // 0=no-preference, 1=reduce @@ -1572,7 +1566,6 @@ user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] // [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent // [-] https://bugzilla.mozilla.org/1688105 user_pref("dom.w3c_pointer_events.enabled", false); -// * * * / // FF67+ // 4616: [2618] disable exposure of system colors to CSS or canvas [FF44+] // [NOTE] See second listed bug: may cause black on black for elements with undefined colors @@ -1589,7 +1582,6 @@ user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] // [NOTE] Bundled fonts are auto-allowed // [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc user_pref("layout.css.font-visibility.level", 1); -// * * * / // ***/ /*** [SECTION 4700]: RFP ALTERNATIVES (USER AGENT SPOOFING) From 0566ded651817b0150a803652064ad9348d40d00 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 9 May 2021 17:52:38 +0000 Subject: [PATCH 285/657] fixup, closes #1174 --- scratchpad-scripts/arkenfox-clear-removed.js | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 74cd070..b390a18 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 07-Apr-2021 + Last updated: 09-May-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -127,7 +127,6 @@ 'browser.cache.disk.smart_size.enabled', 'browser.cache.disk.smart_size.first_run', 'browser.cache.offline.insecure.enable', - 'browser.safebrowsing.downloads.remote.url', 'browser.safebrowsing.provider.google.reportMalwareMistakeURL', 'browser.safebrowsing.provider.google.reportPhishMistakeURL', 'browser.safebrowsing.provider.google.reportURL', @@ -178,7 +177,6 @@ 'browser.safebrowsing.provider.mozilla.updateURL', 'browser.urlbar.userMadeSearchSuggestionsChoice', 'privacy.trackingprotection.annotate_channels', - 'privacy.trackingprotection.enabled', 'privacy.trackingprotection.lower_network_priority', 'privacy.trackingprotection.pbmode.enabled', 'services.blocklist.addons.collection', From 9419e2faabc9f88619adf9650fc190fb7688e167 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 25 May 2021 17:30:40 +0000 Subject: [PATCH 286/657] remove 1210 been default true since FF26 - thanks earthlng --- user.js | 3 --- 1 file changed, 3 deletions(-) diff --git a/user.js b/user.js index 85f9516..0c5b9ef 100644 --- a/user.js +++ b/user.js @@ -658,9 +658,6 @@ user_pref("security.tls.enable_0rtt_data", false); /** OCSP (Online Certificate Status Protocol) #Required reading [#] https://scotthelme.co.uk/revocation-is-broken/ ***/ -/* 1210: enable OCSP Stapling - * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/ -user_pref("security.ssl.enable_ocsp_stapling", true); /* 1211: control when to use OCSP fetching (to confirm current validity of certificates) * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority) From 9cc132e69db7688aa1d5f9ff72b99627527e5e78 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 25 May 2021 17:32:07 +0000 Subject: [PATCH 287/657] security.ssl.enable_ocsp_stapling default true since FF26 --- scratchpad-scripts/arkenfox-clear-removed.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index b390a18..5b05072 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 09-May-2021 + Last updated: 25-May-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -236,6 +236,8 @@ 'browser.send_pings.require_same_host', /* 88-beta */ 'webgl.min_capability_mode', + /* 89-beta */ + 'security.ssl.enable_ocsp_stapling', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ] From f0b5e3649d75a2b3f467a0b832eb24ee3e7d686b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 25 May 2021 17:46:45 +0000 Subject: [PATCH 288/657] tidy --- user.js | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/user.js b/user.js index 0c5b9ef..82878bf 100644 --- a/user.js +++ b/user.js @@ -116,7 +116,7 @@ user_pref("browser.newtabpage.activity-stream.telemetry", false); /* 0105b: disable Activity Stream Snippets * Runs code received from a server (aka Remote Code Execution) and sends information back to a metrics server * [1] https://abouthome-snippets-service.readthedocs.io/ ***/ -user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); +user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); // [DEFAULT: false FF89+] /* 0105c: disable Activity Stream Top Stories, Pocket-based and/or sponsored content ***/ user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); @@ -273,9 +273,9 @@ user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true] Firefox also takes measures such as striping out identifying parameters and since SBv4 (FF57+) doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity) - #Required reading [#] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ - [1] https://wiki.mozilla.org/Security/Safe_Browsing - [2] https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work + [1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ + [2] https://wiki.mozilla.org/Security/Safe_Browsing + [3] https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work ***/ /* 0410: disable SB (Safe Browsing) * [WARNING] Do this at your own risk! These are the master switches. @@ -425,8 +425,7 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] your environment (no unwanted eyeballs), your device (restricted access), your device's unattended state (locked, encrypted, forensic hardened). Likewise, you may want to check the items cleared on shutdown in section 2800. - [NOTE] The urlbar is also commonly referred to as the location bar and address bar - #Required reading [#] https://xkcd.com/538/ + [1] https://xkcd.com/538/ ***/ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); /* 0801: disable location bar using search @@ -657,7 +656,9 @@ user_pref("security.tls.version.enable-deprecated", false); user_pref("security.tls.enable_0rtt_data", false); /** OCSP (Online Certificate Status Protocol) - #Required reading [#] https://scotthelme.co.uk/revocation-is-broken/ ***/ + [1] https://scotthelme.co.uk/revocation-is-broken/ + [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ +***/ /* 1211: control when to use OCSP fetching (to confirm current validity of certificates) * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority) @@ -815,7 +816,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false); scheme+host+port+path: https://example.com:8888/foo/bar.html scheme+host+port: https://example.com:8888 --- - #Required reading [#] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ + [1] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ ***/ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); /* 1601: ALL: control when images/links send a referer @@ -1250,8 +1251,8 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin user_pref("network.cookie.cookieBehavior", 1); user_pref("browser.contentblocking.category", "custom"); /* 2702: set third-party cookies (if enabled, see 2701) to session-only - [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and - .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones + * [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and + * .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones * [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/ user_pref("network.cookie.thirdparty.sessionOnly", true); user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+] @@ -1449,7 +1450,7 @@ user_pref("privacy.firstparty.isolate", true); 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) FF78+ 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) - 1653987 - limit font visibility to bundled and "Base Fonts" (see 4618) (non-ANDROID) (FF80+) + 1653987 - limit font visibility to bundled and "Base Fonts" (see 4618) (Windows, Mac, some Linux) (FF80+) 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82+) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); From 74f804a0567181049b7653475ba3653ee5c1643b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 25 May 2021 18:19:22 +0000 Subject: [PATCH 289/657] 1243: more dead flash --- user.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 82878bf..65dfd4b 100644 --- a/user.js +++ b/user.js @@ -716,9 +716,6 @@ user_pref("security.pki.crlite_mode", 2); user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true] /* 1241: disable insecure passive content (such as images) on https pages [SETUP-WEB] ***/ user_pref("security.mixed_content.block_display_content", true); -/* 1243: block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks [FF59+] - * [1] https://bugzilla.mozilla.org/1190623 ***/ -user_pref("security.mixed_content.block_object_subrequest", true); /* 1244: enable HTTPS-Only mode [FF76+] * When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On/Off/Off temporarily @@ -1687,6 +1684,10 @@ user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); // 0310: disable sending the URL of the website where a plugin crashed // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] user_pref("dom.ipc.plugins.reportCrashURL", false); +// 1243: block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks [FF59+] + // [1] https://bugzilla.mozilla.org/1190623 + // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] +user_pref("security.mixed_content.block_object_subrequest", true); // 1803: disable Flash plugin // 0=deactivated, 1=ask, 2=enabled // ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable only supports Flash From b6d7b2bff53b1a87b8bfdbb28ba0c019eadadfbb Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 1 Jun 2021 11:02:30 +0000 Subject: [PATCH 290/657] RFP info tweak --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 65dfd4b..bef679e 100644 --- a/user.js +++ b/user.js @@ -1406,7 +1406,7 @@ user_pref("privacy.firstparty.isolate", true); FF56+ 1369303 - spoof/disable performance API (see 4602, 4603) 1333651 - spoof User Agent & Navigator API (see section 4700) - JS: FF78+ the version is spoofed as 78, and the OS as Windows 10, OS 10.15, Android 9, or Linux + JS: FF78+ the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 9 (FF91+ as 10), or Linux HTTP Headers: spoofed as Windows or Android 1369319 - disable device sensor API (see 4604) 1369357 - disable site specific zoom (see 4605) From d973e1171415282d1a2b7a88dbafd1e6d3a0e549 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 5 Jun 2021 17:36:56 +0000 Subject: [PATCH 291/657] add instagram word, closes #1184 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index bef679e..42243e4 100644 --- a/user.js +++ b/user.js @@ -824,7 +824,7 @@ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); // user_pref("network.http.referer.trimmingPolicy", 0); /* 1603: CROSS ORIGIN: control when to send a referer * 0=always (default), 1=only if base domains match, 2=only if hosts match - * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud ***/ + * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud, instagram ***/ user_pref("network.http.referer.XOriginPolicy", 2); /* 1604: CROSS ORIGIN: control the amount of information to send [FF52+] * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ From ada31d4f504d666530c038d9cf75fcfbb940ba67 Mon Sep 17 00:00:00 2001 From: earthlng Date: Sun, 6 Jun 2021 18:01:56 +0000 Subject: [PATCH 292/657] v3.1 - (mostly) fix diff functionality see #1188 this should fix the issue that "All prefs after a multi-line comment declaration, on a single line, are deleted with the remove_comments function from the updater." --- updater.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/updater.sh b/updater.sh index e265445..c054a22 100755 --- a/updater.sh +++ b/updater.sh @@ -2,7 +2,7 @@ ## arkenfox user.js updater for macOS and Linux -## version: 3.0 +## version: 3.1 ## Author: Pat Johnson (@overdodactyl) ## Additional contributors: @earthlng, @ema-pe, @claustromaniac @@ -236,7 +236,7 @@ add_override () { } remove_comments () { # expects 2 arguments: from-file and to-file - sed -e 's/^[[:space:]]*\/\/.*$//' -e '/^\/\*/,/\*\//d' -e '/^[[:space:]]*$/d' -e 's/);[[:space:]]*\/\/.*/);/' "$1" > "$2" + sed -e 's/^[[:space:]]*\/\/.*$//' -e '/^\/\*.\+\*\/[[:space:]]*$/d' -e '/^\/\*/,/\*\//d' -e '/^[[:space:]]*$/d' -e 's/);[[:space:]]*\/\/.*/);/' "$1" > "$2" } # Applies latest version of user.js and any custom overrides From 6968b9a369c30f912195e56c132f6357c00ba8e8 Mon Sep 17 00:00:00 2001 From: earthlng Date: Sun, 6 Jun 2021 21:30:14 +0000 Subject: [PATCH 293/657] v3.2 - proper fix for the diff issue - re-arrange the match patterns to fix the remaining issue of dropping lines after the 9999 block - make it work on Mac too - use `|` where possible so we don't need to escape the forward-slashes. That saves a few bytes and makes the pattern easier to read --- updater.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/updater.sh b/updater.sh index c054a22..6f761c9 100755 --- a/updater.sh +++ b/updater.sh @@ -2,7 +2,7 @@ ## arkenfox user.js updater for macOS and Linux -## version: 3.1 +## version: 3.2 ## Author: Pat Johnson (@overdodactyl) ## Additional contributors: @earthlng, @ema-pe, @claustromaniac @@ -236,7 +236,7 @@ add_override () { } remove_comments () { # expects 2 arguments: from-file and to-file - sed -e 's/^[[:space:]]*\/\/.*$//' -e '/^\/\*.\+\*\/[[:space:]]*$/d' -e '/^\/\*/,/\*\//d' -e '/^[[:space:]]*$/d' -e 's/);[[:space:]]*\/\/.*/);/' "$1" > "$2" + sed -e '/^\/\*.*\*\/[[:space:]]*$/d' -e '/^\/\*/,/\*\//d' -e 's|^[[:space:]]*//.*$||' -e '/^[[:space:]]*$/d' -e 's|);[[:space:]]*//.*|);|' "$1" > "$2" } # Applies latest version of user.js and any custom overrides From 9018577a3e4880b881981e801891a3531c433aba Mon Sep 17 00:00:00 2001 From: earthlng Date: Mon, 7 Jun 2021 11:18:40 +0000 Subject: [PATCH 294/657] v1.4 (#1189) - add -s parameter to start immediately / skip prompt / run non-interactive This is useful if the user wants to automate the process of updating the user.js and cleaning prefs. - fQuit: error messages to stderr - fFF_check: info msg to stderr Better support for suppressing/redirecting stdout while still showing any error messages in the console, useful for example with `prefsCleaner.sh -s >/dev/null` --- prefsCleaner.sh | 49 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 32 insertions(+), 17 deletions(-) diff --git a/prefsCleaner.sh b/prefsCleaner.sh index c9d92d9..60cf70e 100644 --- a/prefsCleaner.sh +++ b/prefsCleaner.sh @@ -2,7 +2,7 @@ ## prefs.js cleaner for Linux/Mac ## author: @claustromaniac -## version: 1.3 +## version: 1.4 ## special thanks to @overdodactyl and @earthlng for a few snippets that I stol..*cough* borrowed from the updater.sh @@ -20,15 +20,22 @@ cd "$(dirname "${sfp}")" fQuit() { ## change directory back to the original working directory cd "${currdir}" - echo -e "\n$2" + [ $1 -eq 0 ] && echo -e "\n$2" || echo -e "\n$2" >&2 exit $1 } +fUsage() { + echo -e "\nUsage: $0 [-s]" + echo -e " +Optional Arguments: + -s Start immediately" +} + fFF_check() { # there are many ways to see if firefox is running or not, some more reliable than others # this isn't elegant and might not be future-proof but should at least be compatible with any environment while [ -e lock ]; do - echo -e "\nThis Firefox profile seems to be in use. Close Firefox and try again.\n" + echo -e "\nThis Firefox profile seems to be in use. Close Firefox and try again.\n" >&2 read -p "Press any key to continue." done } @@ -54,34 +61,42 @@ fClean() { done < "$1" > prefs.js } +fStart() { + if [ ! -e user.js ]; then + fQuit 1 "user.js not found in the current directory." + elif [ ! -e prefs.js ]; then + fQuit 1 "prefs.js not found in the current directory." + fi + + fFF_check + bakfile="prefs.js.backup.$(date +"%Y-%m-%d_%H%M")" + mv prefs.js "${bakfile}" || fQuit 1 "Operation aborted.\nReason: Could not create backup file $bakfile" + echo -e "\nprefs.js backed up: $bakfile" + echo "Cleaning prefs.js..." + fClean "$bakfile" + fQuit 0 "All done!" +} + echo -e "\n\n" echo " ╔══════════════════════════╗" echo " ║ prefs.js cleaner ║" echo " ║ by claustromaniac ║" -echo " ║ v1.3 ║" +echo " ║ v1.4 ║" echo " ╚══════════════════════════╝" echo -e "\nThis script should be run from your Firefox profile directory.\n" echo "It will remove any entries from prefs.js that also exist in user.js." echo "This will allow inactive preferences to be reset to their default values." echo -e "\nThis Firefox profile shouldn't be in use during the process.\n" + +[ "$1" == '-s' ] && fStart + select option in Start Help Exit; do case $option in Start) - if [ ! -e user.js ]; then - fQuit 1 "user.js not found in the current directory." - elif [ ! -e prefs.js ]; then - fQuit 1 "prefs.js not found in the current directory." - fi - - fFF_check - bakfile="prefs.js.backup.$(date +"%Y-%m-%d_%H%M")" - mv prefs.js "${bakfile}" || fQuit 1 "Operation aborted.\nReason: Could not create backup file $bakfile" - echo -e "\nprefs.js backed up: $bakfile" - echo "Cleaning prefs.js..." - fClean "$bakfile" - fQuit 0 "All done!" + fStart ;; Help) + fUsage echo -e "\nThis script creates a backup of your prefs.js file before doing anything." echo -e "It should be safe, but you can follow these steps if something goes wrong:\n" echo "1. Make sure Firefox is closed." From efcceaf2c36e42f503cc80b9a1aae1e03f9190a8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 15 Jun 2021 09:55:42 +0000 Subject: [PATCH 295/657] enforce non-native widget theme --- user.js | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 42243e4..42500d7 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 25 April 2021 -* version 89-alpha +* date: 15 June 2021 +* version 89 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -38,6 +38,7 @@ - If you are not using arkenfox v78... (not a definitive list) - 1244: HTTPS-Only mode is enabled - 1401: document fonts is inactive as it is now covered by RFP in FF80+ + - 2626: non-native widget theme is enforced - 4600: some prefs may apply even if you use RFP - 9999: switch the appropriate deprecated section(s) back on @@ -1178,6 +1179,12 @@ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] /* 2625: disable bypassing 3rd party extension install prompts [FF82+] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/ user_pref("extensions.postDownloadThirdPartyPrompt", false); +/* 2626: enforce non-native widget theme + * Security: removes/reduces system API calls, e.g. win32k API [1] + * Fingerprinting: provides a uniform look and feel across platforms [2] + * [1] https://bugzilla.mozilla.org/1381938 + * [2] https://bugzilla.mozilla.org/1411425 ***/ +user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+] /** DOWNLOADS ***/ /* 2650: discourage downloading to desktop From 12c063190098b6a62e0671db0f704939678811eb Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 16 Jun 2021 16:48:14 +0000 Subject: [PATCH 296/657] 4501: remove confusing RFP line --- user.js | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 42500d7..96cf304 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 15 June 2021 -* version 89 +* date: 16 June 2021 +* version 90-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -1459,7 +1459,6 @@ user_pref("privacy.firstparty.isolate", true); ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] - * This pref is the master switch for all other privacy.resist* prefs unless stated * [SETUP-WEB] RFP can cause the odd website to break in strange ways, and has a few side affects, * but is largely robust nowadays. Give it a try. Your choice. Also see 4504 (letterboxing). * [1] https://bugzilla.mozilla.org/418986 ***/ From c98606430c770dab1386756c60c55c6d49e3f260 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 20 Jun 2021 09:29:38 +0000 Subject: [PATCH 297/657] move 2505 to RFP alts, closes #1099 --- user.js | 46 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/user.js b/user.js index 96cf304..cba1306 100644 --- a/user.js +++ b/user.js @@ -782,7 +782,7 @@ user_pref("security.insecure_connection_text.enabled", true); // [FF60+] user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); /* 1401: disable websites choosing fonts (0=block, 1=allow) * This can limit most (but not all) JS font enumeration which is a high entropy fingerprinting vector - * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4618) + * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4619) * [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Allow pages to choose... ***/ // user_pref("browser.display.use_document_fonts", 0); /* 1403: disable icon fonts (glyphs) and local fallback rendering @@ -800,8 +800,8 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); user_pref("gfx.font_rendering.graphite.enabled", false); /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed - * [NOTE] In FF81+ the whitelist **overrides** RFP's font visibility (see 4618) - * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4618) + * [NOTE] In FF81+ the whitelist **overrides** RFP's font visibility (see 4619) + * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4619) * [1] https://bugzilla.mozilla.org/1121643 ***/ // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] @@ -1065,11 +1065,6 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m * [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code [1] * [1] https://bugzilla.mozilla.org/1313580 ***/ // user_pref("dom.battery.enabled", false); -/* 2505: disable media device enumeration [FF29+] - * [NOTE] media.peerconnection.enabled should also be set to false (see 2001) - * [1] https://wiki.mozilla.org/Media/getUserMedia - * [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices ***/ -user_pref("media.navigator.enabled", false); /* 2508: disable hardware acceleration to reduce graphics fingerprinting [SETUP-HARDEN] * [WARNING] Affects text rendering (fonts will look different), impacts video performance, * and parts of Quantum that utilize the GPU will also be affected as they are rolled out @@ -1433,28 +1428,28 @@ user_pref("privacy.firstparty.isolate", true); FF59+ 1372073 - spoof/block fingerprinting in MediaDevices API Spoof: enumerate devices reports one "Internal Camera" and one "Internal Microphone" if - media.navigator.enabled is true (see 2505 which we chose to keep disabled) - Block: suppresses the ondevicechange event (see 4612) + media.navigator.enabled is true (see 4612 which we chose to keep disabled) + Block: suppresses the ondevicechange event (see 4613) 1039069 - warn when language prefs are set to non en-US (see 0210, 0211) 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events Spoofing mimics the content language of the document. Currently it only supports en-US. Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected. FF60-67 - 1337157 - disable WebGL debug renderer info (see 4613) (FF60+) + 1337157 - disable WebGL debug renderer info (see 4614) (FF60+) 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+) - 1479239 - return "no-preference" with prefers-reduced-motion (see 4614) (FF63+) - 1363508 - spoof/suppress Pointer Events (see 4615) (FF64+) + 1479239 - return "no-preference" with prefers-reduced-motion (see 4615) (FF63+) + 1363508 - spoof/suppress Pointer Events (see 4616) (FF64+) FF65: pointerEvent.pointerid (1492766) - 1485266 - disable exposure of system colors to CSS or canvas (see 4616) (FF67+) + 1485266 - disable exposure of system colors to CSS or canvas (see 4617) (FF67+) 1407366 - enable inner window letterboxing (see 4504) (FF67+) - 1494034 - return "light" with prefers-color-scheme (see 4617) (FF67+) + 1494034 - return "light" with prefers-color-scheme (see 4618) (FF67+) FF68-77 1564422 - spoof audioContext outputLatency (FF70+) 1595823 - spoof audioContext sampleRate (FF72+) 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) FF78+ 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) - 1653987 - limit font visibility to bundled and "Base Fonts" (see 4618) (Windows, Mac, some Linux) (FF80+) + 1653987 - limit font visibility to bundled and "Base Fonts" (see 4619) (Windows, Mac, some Linux) (FF80+) 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82+) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); @@ -1549,35 +1544,40 @@ user_pref("media.video_stats.enabled", false); // [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10286 // user_pref("dom.w3c_touch_events.enabled", 0); // FF59+ -// 4612: [2511] disable MediaDevices change detection [FF51+] +// 4612: [2505] disable media device enumeration [FF29+] + // [NOTE] media.peerconnection.enabled should also be set to false (see 2001) + // [1] https://wiki.mozilla.org/Media/getUserMedia + // [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices +user_pref("media.navigator.enabled", false); +// 4613: [2511] disable MediaDevices change detection [FF51+] // [1] https://developer.mozilla.org/docs/Web/Events/devicechange // [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange user_pref("media.ondevicechange.enabled", false); // FF60+ -// 4613: [2011] disable WebGL debug info being available to websites +// 4614: [2011] disable WebGL debug info being available to websites // [1] https://bugzilla.mozilla.org/1171228 // [2] https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info user_pref("webgl.enable-debug-renderer-info", false); // FF63+ -// 4614: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] +// 4615: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] // 0=no-preference, 1=reduce user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] // FF64+ -// 4615: [2516] disable PointerEvents [FF86 or lower] +// 4616: [2516] disable PointerEvents [FF86 or lower] // [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent // [-] https://bugzilla.mozilla.org/1688105 user_pref("dom.w3c_pointer_events.enabled", false); // FF67+ -// 4616: [2618] disable exposure of system colors to CSS or canvas [FF44+] +// 4617: [2618] disable exposure of system colors to CSS or canvas [FF44+] // [NOTE] See second listed bug: may cause black on black for elements with undefined colors // [SETUP-CHROME] Might affect CSS in themes and extensions // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876 user_pref("ui.use_standins_for_native_colors", true); -// 4617: enforce prefers-color-scheme as light [FF67+] +// 4618: enforce prefers-color-scheme as light [FF67+] // 0=light, 1=dark : This overrides your OS value user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] // FF80+ -// 4618: limit font visibility (non-ANDROID) [FF79+] +// 4619: limit font visibility (non-ANDROID) [FF79+] // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1] // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts // [NOTE] Bundled fonts are auto-allowed From b93a5e334c1f66d1a2cb7b7b79dfe506805c888e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 20 Jun 2021 12:49:57 +0000 Subject: [PATCH 298/657] 2510 webaudio -> inactive RFP alts, closes #1194 --- user.js | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/user.js b/user.js index cba1306..928d15b 100644 --- a/user.js +++ b/user.js @@ -782,7 +782,7 @@ user_pref("security.insecure_connection_text.enabled", true); // [FF60+] user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); /* 1401: disable websites choosing fonts (0=block, 1=allow) * This can limit most (but not all) JS font enumeration which is a high entropy fingerprinting vector - * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4619) + * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4620) * [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Allow pages to choose... ***/ // user_pref("browser.display.use_document_fonts", 0); /* 1403: disable icon fonts (glyphs) and local fallback rendering @@ -800,8 +800,8 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); user_pref("gfx.font_rendering.graphite.enabled", false); /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed - * [NOTE] In FF81+ the whitelist **overrides** RFP's font visibility (see 4619) - * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4619) + * [NOTE] In FF81+ the whitelist **overrides** RFP's font visibility (see 4620) + * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4620) * [1] https://bugzilla.mozilla.org/1121643 ***/ // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] @@ -1072,9 +1072,6 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m * [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/ // user_pref("gfx.direct2d.disabled", true); // [WINDOWS] // user_pref("layers.acceleration.disabled", true); -/* 2510: disable Web Audio API [FF51+] - * [1] https://bugzilla.mozilla.org/1288359 ***/ -user_pref("dom.webaudio.enabled", false); /* 2517: disable Media Capabilities API [FF63+] * [WARNING] This *may* affect media performance if disabled, no one is sure * [1] https://github.com/WICG/media-capabilities @@ -1444,12 +1441,12 @@ user_pref("privacy.firstparty.isolate", true); 1407366 - enable inner window letterboxing (see 4504) (FF67+) 1494034 - return "light" with prefers-color-scheme (see 4618) (FF67+) FF68-77 - 1564422 - spoof audioContext outputLatency (FF70+) - 1595823 - spoof audioContext sampleRate (FF72+) + 1564422 - spoof audioContext outputLatency (see 4619) (FF70+) + 1595823 - return audioContext sampleRate as 44100 (see 4619) (FF72+) 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) FF78+ 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) - 1653987 - limit font visibility to bundled and "Base Fonts" (see 4619) (Windows, Mac, some Linux) (FF80+) + 1653987 - limit font visibility to bundled and "Base Fonts" (see 4620) (Windows, Mac, some Linux) (FF80+) 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82+) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); @@ -1576,8 +1573,12 @@ user_pref("ui.use_standins_for_native_colors", true); // 4618: enforce prefers-color-scheme as light [FF67+] // 0=light, 1=dark : This overrides your OS value user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] +// FF72+ +// 4619: [2510] disable Web Audio API [FF51+] + // [1] https://bugzilla.mozilla.org/1288359 + // user_pref("dom.webaudio.enabled", false); // FF80+ -// 4619: limit font visibility (non-ANDROID) [FF79+] +// 4620: limit font visibility (non-ANDROID) [FF79+] // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1] // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts // [NOTE] Bundled fonts are auto-allowed From a6d20eaf5b4d6fc306257cf56beb89595c6be173 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 23 Jun 2021 16:22:10 +0000 Subject: [PATCH 299/657] 1264: update ciphers, fixes #1196 (#1197) --- user.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 928d15b..7d5b929 100644 --- a/user.js +++ b/user.js @@ -740,8 +740,8 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); // user_pref("dom.securecontext.whitelist_onions", true); /** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] - * These are all the ciphers still using SHA-1 and CBC which are weaker than the available alternatives. (see "Cipher Suites" in [1]) - * Additionally some have other weaknesses like key sizes of 128 (or lower) [2] and/or no Perfect Forward Secrecy [3]. + * These are the ciphers listed under "Cipher Suites" [1] that are either still using SHA-1 and CBC, + * and/or are missing Perfect Forward Secrecy [3] and/or have other weaknesses like key sizes of 128 * [1] https://browserleaks.com/ssl * [2] https://en.wikipedia.org/wiki/Key_size * [3] https://en.wikipedia.org/wiki/Forward_secrecy @@ -756,6 +756,8 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); // user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false); + // user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS + // user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS From d940ffb3c6294ad30b1ffc2027b5b3b03c8744f3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 6 Jul 2021 06:32:58 +0000 Subject: [PATCH 300/657] 105c: add "sponsored shortcuts" --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index 7d5b929..0ee1997 100644 --- a/user.js +++ b/user.js @@ -123,6 +123,7 @@ user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); user_pref("browser.newtabpage.activity-stream.showSponsored", false); user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); // [FF66+] +user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); // [FF83+] /* 0105e: clear default topsites * [NOTE] This does not block you from adding your own ***/ user_pref("browser.newtabpage.activity-stream.default.sites", ""); From 981462ee54cd627682038b7e5251ae706c7743be Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 6 Jul 2021 13:26:44 +0000 Subject: [PATCH 301/657] FF90 deprecated --- user.js | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/user.js b/user.js index 0ee1997..b00bb63 100644 --- a/user.js +++ b/user.js @@ -407,8 +407,6 @@ user_pref("network.http.altsvc.oe", false); * as a remote Tor node will handle the DNS request * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/ user_pref("network.proxy.socks_remote_dns", true); -/* 0708: disable FTP [FF60+] ***/ - // user_pref("network.ftp.enabled", false); // [DEFAULT: false FF88+] /* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+] * [SETUP-CHROME] Can break extensions for profiles on network shares * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/ @@ -1273,10 +1271,8 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); * [WARNING] This will break a LOT of sites' functionality AND extensions! * You are better off using an extension for more granular control ***/ // user_pref("dom.storage.enabled", false); -/* 2730: enforce no offline cache storage (appCache) - * The API is easily fingerprinted, use the "storage" pref instead ***/ - // user_pref("browser.cache.offline.enable", false); -user_pref("browser.cache.offline.storage.enable", false); // [FF71+] [DEFAULT: false FF84+] +/* 2730: enforce no offline cache storage (appCache) [FF71+] ***/ +user_pref("browser.cache.offline.storage.enable", false); // [DEFAULT: false FF84+] /* 2740: disable service worker cache and cache storage * [NOTE] We clear service worker cache on exiting Firefox (see 2803) * [1] https://w3c.github.io/ServiceWorker/#privacy ***/ @@ -1699,11 +1695,17 @@ user_pref("dom.ipc.plugins.reportCrashURL", false); // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] user_pref("security.mixed_content.block_object_subrequest", true); // 1803: disable Flash plugin - // 0=deactivated, 1=ask, 2=enabled - // ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable only supports Flash - // [NOTE] You can still override individual sites via site permissions - // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] + // 0=deactivated, 1=ask, 2=enabled + // ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable only supports Flash + // [NOTE] You can still override individual sites via site permissions + // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] user_pref("plugin.state.flash", 0); // [DEFAULT: 1] +// FF90 +// 0708: disable FTP [FF60+] + // user_pref("network.ftp.enabled", false); // [DEFAULT: false FF88+] +// 2730: disable offline cache (appCache) + // The API is easily fingerprinted, use "browser.cache.offline.storage.enable" instead + // user_pref("browser.cache.offline.enable", false); // ***/ /* END: internal custom pref to test for syntax errors ***/ From f229a3cb753e59c06ab9ba43eec455db831ca452 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 7 Jul 2021 11:51:44 +0000 Subject: [PATCH 302/657] fixup FF90 deprecated (#1207) --- user.js | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index b00bb63..2313b78 100644 --- a/user.js +++ b/user.js @@ -1271,8 +1271,10 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); * [WARNING] This will break a LOT of sites' functionality AND extensions! * You are better off using an extension for more granular control ***/ // user_pref("dom.storage.enabled", false); -/* 2730: enforce no offline cache storage (appCache) [FF71+] ***/ -user_pref("browser.cache.offline.storage.enable", false); // [DEFAULT: false FF84+] +/* 2730: disable offline cache (appCache) + * [NOTE] In FF90+ the storage (not the API) is disabled. For FF78-89 see the 2730 deprecated pref + * [WARNING] The API is easily fingerprinted, do not disable ***/ + // user_pref("browser.cache.offline.enable", false); /* 2740: disable service worker cache and cache storage * [NOTE] We clear service worker cache on exiting Firefox (see 2803) * [1] https://w3c.github.io/ServiceWorker/#privacy ***/ @@ -1702,10 +1704,11 @@ user_pref("security.mixed_content.block_object_subrequest", true); user_pref("plugin.state.flash", 0); // [DEFAULT: 1] // FF90 // 0708: disable FTP [FF60+] + // [-] https://bugzilla.mozilla.org/1574475 // user_pref("network.ftp.enabled", false); // [DEFAULT: false FF88+] -// 2730: disable offline cache (appCache) - // The API is easily fingerprinted, use "browser.cache.offline.storage.enable" instead - // user_pref("browser.cache.offline.enable", false); +// 2730: enforce no offline cache storage (appCache) [FF71+] + // [-] https://bugzilla.mozilla.org/1694662 +user_pref("browser.cache.offline.storage.enable", false); // [DEFAULT: false FF84+] // ***/ /* END: internal custom pref to test for syntax errors ***/ From a231c1e90e64d345b3002e2f2ace6aae8b17069c Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 7 Jul 2021 14:10:24 +0000 Subject: [PATCH 303/657] Update arkenfox-clear-RFP-alternatives.js --- .../arkenfox-clear-RFP-alternatives.js | 57 ++++++++++--------- 1 file changed, 29 insertions(+), 28 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js index 4be4b81..b9a1b29 100644 --- a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js +++ b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js @@ -1,16 +1,19 @@ /*** - Version: up to and including FF/ESR78 + Version: up to and including FF/ESR78 - This will reset the preferences that are under sections 4600 & 4700 in the - arkenfox user.js. These are the prefs that are no longer necessary, or they - conflict with, privacy.resistFingerprinting if you have that enabled. + This will reset the preferences that are under sections 4600 & 4700 in the + arkenfox user.js. These are the prefs that are no longer necessary, or they + conflict with, privacy.resistFingerprinting if you have that enabled. - For instructions see: - https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] + For instructions see: + https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] ***/ - -(function() { - let ops = [ + +(() => { + + if ("undefined" === typeof(Services)) return alert('about:config needs to be the active tab!'); + + const aPREFS = [ /* section 4600 */ 'dom.maxHardwareConcurrency', 'dom.enable_resource_timing', @@ -37,29 +40,27 @@ 'general.oscpu.override', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' - ] + ]; + + console.clear(); - if("undefined" === typeof(Services)) { - alert("about:config needs to be the active tab!"); - return; - } - let c = 0; - for (let i = 0, len = ops.length; i < len; i++) { - if (Services.prefs.prefHasUserValue(ops[i])) { - Services.prefs.clearUserPref(ops[i]); - if (!Services.prefs.prefHasUserValue(ops[i])) { - console.log("reset", ops[i]); + for (const sPname of aPREFS) { + if (Services.prefs.prefHasUserValue(sPname)) { + Services.prefs.clearUserPref(sPname); + if (!Services.prefs.prefHasUserValue(sPname)) { + console.info("reset", sPname); c++; - } else { console.log("failed to reset", ops[i]); } + } else console.warn("failed to reset", sPname); } } - + focus(); - - let d = (c==1) ? " pref" : " prefs"; - if (c > 0) { - alert("successfully reset " + c + d + "\n\nfor details check the Browser Console (Ctrl+Shift+J)"); - } else { alert("nothing to reset"); } - + + const d = (c==1) ? " pref" : " prefs"; + alert(c ? "successfully reset " + c + d + "\n\nfor details check the console" : 'nothing to reset'); + + return 'all done'; + })(); + From 3b573bf9f0f69dcc26c6d20c41056ca4c6e7503f Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 7 Jul 2021 14:15:51 +0000 Subject: [PATCH 304/657] Update arkenfox-clear-RFP-alternatives.js --- scratchpad-scripts/arkenfox-clear-RFP-alternatives.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js index b9a1b29..c82c5fa 100644 --- a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js +++ b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js @@ -11,7 +11,7 @@ (() => { - if ("undefined" === typeof(Services)) return alert('about:config needs to be the active tab!'); + if ('undefined' === typeof(Services)) return alert('about:config needs to be the active tab!'); const aPREFS = [ /* section 4600 */ @@ -49,16 +49,16 @@ if (Services.prefs.prefHasUserValue(sPname)) { Services.prefs.clearUserPref(sPname); if (!Services.prefs.prefHasUserValue(sPname)) { - console.info("reset", sPname); + console.info('reset', sPname); c++; - } else console.warn("failed to reset", sPname); + } else console.warn('failed to reset', sPname); } } focus(); - const d = (c==1) ? " pref" : " prefs"; - alert(c ? "successfully reset " + c + d + "\n\nfor details check the console" : 'nothing to reset'); + const d = (c==1) ? ' pref' : ' prefs'; + alert(c ? 'successfully reset ' + c + d + "\n\nfor details check the console" : 'nothing to reset'); return 'all done'; From 939d75e5ebb886708abfdd5c3cd4ade171f9a650 Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 7 Jul 2021 14:25:08 +0000 Subject: [PATCH 305/657] Update arkenfox-clear-removed.js --- scratchpad-scripts/arkenfox-clear-removed.js | 52 ++++++++++---------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 5b05072..f460c6e 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,14 +1,17 @@ /*** - This will reset the preferences that have been removed completely from the arkenfox user.js. + This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 25-May-2021 + Last updated: 25-May-2021 - For instructions see: - https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] + For instructions see: + https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] ***/ - -(function() { - let ops = [ + +(() => { + + if ('undefined' === typeof(Services)) return alert('about:config needs to be the active tab!'); + + const aPREFS = [ /* removed in arkenfox user.js */ /* 52-alpha */ 'browser.search.reset.enabled', @@ -240,29 +243,26 @@ 'security.ssl.enable_ocsp_stapling', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' - ] + ]; + + console.clear(); - if("undefined" === typeof(Services)) { - alert("about:config needs to be the active tab!"); - return; - } - let c = 0; - for (let i = 0, len = ops.length; i < len; i++) { - if (Services.prefs.prefHasUserValue(ops[i])) { - Services.prefs.clearUserPref(ops[i]); - if (!Services.prefs.prefHasUserValue(ops[i])) { - console.log("reset", ops[i]); + for (const sPname of aPREFS) { + if (Services.prefs.prefHasUserValue(sPname)) { + Services.prefs.clearUserPref(sPname); + if (!Services.prefs.prefHasUserValue(sPname)) { + console.info('reset', sPname); c++; - } else { console.log("failed to reset", ops[i]); } + } else console.warn('failed to reset', sPname); } } - + focus(); - - let d = (c==1) ? " pref" : " prefs"; - if (c > 0) { - alert("successfully reset " + c + d + "\n\nfor details check the Browser Console (Ctrl+Shift+J)"); - } else { alert("nothing to reset"); } - + + const d = (c==1) ? ' pref' : ' prefs'; + alert(c ? 'successfully reset ' + c + d + "\n\nfor details check the console" : 'nothing to reset'); + + return 'all done'; + })(); From acc1376c37f6ac385f43095d1a7db4c395c97b19 Mon Sep 17 00:00:00 2001 From: earthlng Date: Wed, 7 Jul 2021 14:33:20 +0000 Subject: [PATCH 306/657] Update arkenfox-clear-deprecated.js --- .../arkenfox-clear-deprecated.js | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-deprecated.js b/scratchpad-scripts/arkenfox-clear-deprecated.js index 766dd33..e12f0f4 100644 --- a/scratchpad-scripts/arkenfox-clear-deprecated.js +++ b/scratchpad-scripts/arkenfox-clear-deprecated.js @@ -1,17 +1,20 @@ /*** - Version: up to and including FF/ESR78 + Version: up to and including FF/ESR78 - This will reset the preferences that have been deprecated by Mozilla - and used in the arkenfox user.js + This will reset the preferences that have been deprecated by Mozilla + and used in the arkenfox user.js - It is in reverse order, so feel free to remove sections that do not apply + It is in reverse order, so feel free to remove sections that do not apply - For instructions see: - https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] + For instructions see: + https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] ***/ -(function() { - let ops = [ +(() => { + + if ('undefined' === typeof(Services)) return alert('about:config needs to be the active tab!'); + + const aPREFS = [ /* deprecated */ /* 78 */ @@ -220,29 +223,26 @@ /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' - ] + ]; + + console.clear(); - if("undefined" === typeof(Services)) { - alert("about:config needs to be the active tab!"); - return; - } - let c = 0; - for (let i = 0, len = ops.length; i < len; i++) { - if (Services.prefs.prefHasUserValue(ops[i])) { - Services.prefs.clearUserPref(ops[i]); - if (!Services.prefs.prefHasUserValue(ops[i])) { - console.log("reset", ops[i]); + for (const sPname of aPREFS) { + if (Services.prefs.prefHasUserValue(sPname)) { + Services.prefs.clearUserPref(sPname); + if (!Services.prefs.prefHasUserValue(sPname)) { + console.info('reset', sPname); c++; - } else { console.log("failed to reset", ops[i]); } + } else console.warn('failed to reset', sPname); } } - + focus(); - - let d = (c==1) ? " pref" : " prefs"; - if (c > 0) { - alert("successfully reset " + c + d + "\n\nfor details check the Browser Console (Ctrl+Shift+J)"); - } else { alert("nothing to reset"); } - + + const d = (c==1) ? ' pref' : ' prefs'; + alert(c ? 'successfully reset ' + c + d + "\n\nfor details check the console" : 'nothing to reset'); + + return 'all done'; + })(); From 31e864c16c95c4c9a4d8c4d0c151a7623b962f17 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 8 Jul 2021 06:21:53 +0000 Subject: [PATCH 307/657] 0913: disable windows SSO FF91+ - and make 2730 more accurate and add bugzilla - future RFP additions will be FF91+ --- user.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 2313b78..5d41699 100644 --- a/user.js +++ b/user.js @@ -536,6 +536,9 @@ user_pref("signon.formlessCapture.enabled", false); * 1=don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs * 2=allow sub-resources to open HTTP authentication credentials dialogs (default) ***/ user_pref("network.auth.subresource-http-auth-allow", 1); +/* 0913: disable automatic authentication on Microsoft sites [FF91+] [WINDOWS] + * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1695693,1719301 ***/ +user_pref("network.http.windows-sso.enabled", false); /*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS Cache tracking/fingerprinting techniques [1][2][3] require a cache. Disabling disk (1001) @@ -1272,7 +1275,7 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); * You are better off using an extension for more granular control ***/ // user_pref("dom.storage.enabled", false); /* 2730: disable offline cache (appCache) - * [NOTE] In FF90+ the storage (not the API) is disabled. For FF78-89 see the 2730 deprecated pref + * [NOTE] In FF90+ the storage capability has been removed (1694662). For FF78-89 see the 2730 deprecated pref * [WARNING] The API is easily fingerprinted, do not disable ***/ // user_pref("browser.cache.offline.enable", false); /* 2740: disable service worker cache and cache storage @@ -1445,7 +1448,7 @@ user_pref("privacy.firstparty.isolate", true); 1564422 - spoof audioContext outputLatency (see 4619) (FF70+) 1595823 - return audioContext sampleRate as 44100 (see 4619) (FF72+) 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) - FF78+ + FF78-90 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) 1653987 - limit font visibility to bundled and "Base Fonts" (see 4620) (Windows, Mac, some Linux) (FF80+) 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82+) From 0da2ecdb4df27360d059c7e4fd2e5c658caa2aab Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 8 Jul 2021 06:41:59 +0000 Subject: [PATCH 308/657] keep current rather than every ESR --- .../arkenfox-clear-RFP-alternatives.js | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js index c82c5fa..92d619d 100644 --- a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js +++ b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js @@ -1,10 +1,10 @@ /*** - Version: up to and including FF/ESR78 - This will reset the preferences that are under sections 4600 & 4700 in the arkenfox user.js. These are the prefs that are no longer necessary, or they conflict with, privacy.resistFingerprinting if you have that enabled. + Last updated: 08-July-2021 + For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] ***/ @@ -25,19 +25,22 @@ 'media.webspeech.synth.enabled', 'media.video_stats.enabled', 'dom.w3c_touch_events.enabled', + 'media.navigator.enabled', 'media.ondevicechange.enabled', 'webgl.enable-debug-renderer-info', - 'dom.w3c_pointer_events.enabled', + 'ui.prefersReducedMotion', + 'dom.w3c_pointer_events.enabled', // deprecated FF87 'ui.use_standins_for_native_colors', 'ui.systemUsesDarkTheme', - 'ui.prefersReducedMotion', + 'dom.webaudio.enabled', + 'layout.css.font-visibility.level', /* section 4700 */ - 'general.useragent.override', - 'general.buildID.override', 'general.appname.override', 'general.appversion.override', - 'general.platform.override', + 'general.buildID.override', 'general.oscpu.override', + 'general.platform.override', + 'general.useragent.override', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ]; From b761a9dd32f79395b0fca183ad8fe45f7e99d26f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 8 Jul 2021 07:08:38 +0000 Subject: [PATCH 309/657] 4505: experimental RFP prefs and tidy up all instances (eight) of "do not use": all caps, no asterisks, immediately after [warning] --- user.js | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/user.js b/user.js index 5d41699..79757b0 100644 --- a/user.js +++ b/user.js @@ -786,7 +786,7 @@ user_pref("security.insecure_connection_text.enabled", true); // [FF60+] user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); /* 1401: disable websites choosing fonts (0=block, 1=allow) * This can limit most (but not all) JS font enumeration which is a high entropy fingerprinting vector - * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4620) + * [WARNING] DO NOT USE: in FF80+ RFP covers this, and non-RFP users should use font vis (4620) * [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Allow pages to choose... ***/ // user_pref("browser.display.use_document_fonts", 0); /* 1403: disable icon fonts (glyphs) and local fallback rendering @@ -805,7 +805,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false); /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed * [NOTE] In FF81+ the whitelist **overrides** RFP's font visibility (see 4620) - * [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4620) + * [WARNING] DO NOT USE: in FF80+ RFP covers this, and non-RFP users should use font vis (4620) * [1] https://bugzilla.mozilla.org/1121643 ***/ // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] @@ -1393,8 +1393,8 @@ user_pref("privacy.firstparty.isolate", true); RFP covers a wide range of ongoing fingerprinting solutions. It is an all-or-nothing buy in: you cannot pick and choose what parts you want - [WARNING] Do NOT use extensions to alter RFP protected metrics - [WARNING] Do NOT use prefs in section 4600 with RFP as they can interfere + [WARNING] DO NOT USE extensions to alter RFP protected metrics + [WARNING] DO NOT USE prefs in section 4600 with RFP as they can interfere FF41+ 418986 - limit window.screen & CSS media queries leaking identifiable info @@ -1475,11 +1475,16 @@ user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDE * "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900") * [SETUP-WEB] This does NOT require RFP (see 4501) **for now**, so if you're not using 4501, or you are but * dislike margins being applied, then flip this pref, keeping in mind that it is effectively fingerprintable - * [WARNING] The dimension pref is only meant for testing, and we recommend you DO NOT USE it + * [WARNING] DO NOT USE: the dimension pref is only meant for testing * [1] https://bugzilla.mozilla.org/1407366 * [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] // user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF] +/* 4505: experimental RFP [FF91+] + * [WARNING] DO NOT USE unless testing, see [1] comment 12 + * [1] https://bugzilla.mozilla.org/1635603 ***/ + // user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid"); + // user_pref("privacy.resistFingerprinting.testGranularityMask", 0); /* 4510: disable showing about:blank as soon as possible during startup [FF60+] * When default true this no longer masks the RFP chrome resizing activity * [1] https://bugzilla.mozilla.org/1448423 ***/ @@ -1489,7 +1494,7 @@ user_pref("browser.startup.blankWindow", false); user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] /*** [SECTION 4600]: RFP ALTERNATIVES - [WARNING] Do NOT use prefs in this section with RFP as they can interfere + [WARNING] DO NOT USE prefs in this section with RFP as they can interfere ***/ user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan"); /* [SETUP-non-RFP] Non-RFP users replace the * with a slash on this line to enable these From 3bb9fc713f141d794fc4adfb38d3fcf86c9307ab Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 20 Jul 2021 02:00:33 +0000 Subject: [PATCH 310/657] remove 1203 default false since it was added in FF71 - see https://bugzilla.mozilla.org/1579285 --- user.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/user.js b/user.js index 79757b0..af9c87d 100644 --- a/user.js +++ b/user.js @@ -641,8 +641,6 @@ user_pref("security.ssl.require_safe_negotiation", true); * [1] https://www.ssllabs.com/ssl-pulse/ ***/ // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] // user_pref("security.tls.version.max", 4); -/* 1203: enforce TLS 1.0 and 1.1 downgrades as session only ***/ -user_pref("security.tls.version.enable-deprecated", false); /* 1204: disable SSL session tracking [FF36+] * SSL Session IDs are unique and last up to 24hrs in Firefox (or longer with prolongation attacks) * [NOTE] These are not used in PB mode. In normal windows they are isolated when using FPI (4001) From 4c8c9bc01f214aee0bc60b76e4175ffff2bfca0d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 20 Jul 2021 02:02:26 +0000 Subject: [PATCH 311/657] security.tls.version.enable-deprecated default false since it was added in FF71 - see https://bugzilla.mozilla.org/1579285 --- scratchpad-scripts/arkenfox-clear-removed.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index f460c6e..e61e258 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 25-May-2021 + Last updated: 20-July-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -241,6 +241,8 @@ 'webgl.min_capability_mode', /* 89-beta */ 'security.ssl.enable_ocsp_stapling', + /* 90-beta */ + 'security.tls.version.enable-deprecated', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ]; From 44a8088481f3ee46b38f5a8549652e31a61973df Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 20 Jul 2021 02:51:52 +0000 Subject: [PATCH 312/657] tidy - "enforce" is for when we set the default value - use [WARNING] for inactive (they're inactive for a reason and people really do not need to turn them on) but less scary [NOTE] for active (tweak away at your own risk) - seems neater, easier and less scary for users setting up the first time: i.e they only need to initially look at active items - FYI: I was going to add something to LSNG (2760) that it is required for Fission, but will wait, and it struck me that 2680 was the only active item with a warning: seems inconsistent - 2684: security delay .. make enforce mean enforce (default) ... not worth occasionally saving .3 seconds - for now it's one less item in differences/flips - might make this inactive in 91+, and add a warning - it has been a very long time since we added this due to bad advise/references on the internet on how to speed up Firefox --- user.js | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/user.js b/user.js index af9c87d..da504fa 100644 --- a/user.js +++ b/user.js @@ -25,7 +25,7 @@ [SETUP-WEB] can cause some websites to break [SETUP-CHROME] changes how Firefox itself behaves (i.e. not directly website related) [SETUP-PERF] may impact performance - [WARNING] used sparingly, heed them + [WARNING] used on some commented out items, heed them 6. Override Recipes: https://github.com/arkenfox/user.js/issues/1080 * RELEASES: https://github.com/arkenfox/user.js/releases @@ -172,7 +172,7 @@ user_pref("browser.region.update.enabled", false); // [[FF79+] /* 0210: set preferred language for displaying web pages * [TEST] https://addons.mozilla.org/about ***/ user_pref("intl.accept_languages", "en-US, en"); -/* 0211: enforce US English locale regardless of the system locale +/* 0211: use US English locale regardless of the system locale * [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] @@ -402,7 +402,7 @@ user_pref("network.dns.disableIPv6", true); * [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/ user_pref("network.http.altsvc.enabled", false); user_pref("network.http.altsvc.oe", false); -/* 0704: enforce the proxy server to do any DNS lookups when using SOCKS +/* 0704: set the proxy server to do any DNS lookups when using SOCKS * e.g. in Tor, this stops your local DNS server from knowing your Tor destination * as a remote Tor node will handle the DNS request * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/ @@ -698,13 +698,13 @@ user_pref("security.family_safety.mode", 0); * Saved logins and passwords are not available. Reset the pref and restart to return them. * [1] https://shiftordie.de/blog/2017/02/21/fingerprinting-firefox-users-with-cached-intermediate-ca-certificates-fiprinca/ ***/ // user_pref("security.nocertdb", true); // [HIDDEN PREF] -/* 1223: enforce strict pinning +/* 1223: enable strict pinning * PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict * [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing * by inspecting ALL your web traffic, then leave at current default=1 * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 ***/ user_pref("security.cert_pinning.enforcement_level", 2); -/* 1224: enforce CRLite [FF73+] +/* 1224: enable CRLite [FF73+] * In FF84+ it covers valid certs and in mode 2 doesn't fall back to OCSP * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985 * [2] https://blog.mozilla.org/security/tag/crlite/ ***/ @@ -1133,7 +1133,7 @@ user_pref("middlemouse.contentLoadURL", false); user_pref("permissions.manager.defaultsUrl", ""); /* 2617: remove webchannel whitelist ***/ user_pref("webchannel.allowObject.urlWhitelist", ""); -/* 2619: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing +/* 2619: use Punycode in Internationalized Domain Names to eliminate possible spoofing * Firefox has *some* protections, but it is better to be safe than sorry * [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com) @@ -1185,7 +1185,7 @@ user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+] * 0=desktop, 1=downloads (default), 2=last used * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/ // user_pref("browser.download.folderList", 2); -/* 2651: enforce user interaction for security by always asking where to download +/* 2651: enable user interaction for security by always asking where to download * [SETUP-CHROME] On Android this blocks longtapping and saving images * [SETTING] General>Downloads>Always ask you where to save files ***/ user_pref("browser.download.useDownloadDir", false); @@ -1212,12 +1212,12 @@ user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15] /** SECURITY ***/ /* 2680: enforce CSP (Content Security Policy) - * [WARNING] CSP is a very important and widespread security feature. Don't disable it! + * [NOTE] CSP is a very important and widespread security feature. Don't disable it! * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/ user_pref("security.csp.enable", true); // [DEFAULT: true] /* 2684: enforce a security delay on some confirmation dialogs such as install, open/save * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/ -user_pref("security.dialog_enable_delay", 700); +user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000] /*** [SECTION 2700]: PERSISTENT STORAGE Data SET by websites including From bb48fe4ebe27fe0ca9b3de9ad8c75af8f75ea049 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 20 Jul 2021 03:34:49 +0000 Subject: [PATCH 313/657] RFP: 4612 is not disabled (by default) --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index da504fa..da7bea2 100644 --- a/user.js +++ b/user.js @@ -1427,7 +1427,7 @@ user_pref("privacy.firstparty.isolate", true); FF59+ 1372073 - spoof/block fingerprinting in MediaDevices API Spoof: enumerate devices reports one "Internal Camera" and one "Internal Microphone" if - media.navigator.enabled is true (see 4612 which we chose to keep disabled) + media.navigator.enabled is true (see 4612) Block: suppresses the ondevicechange event (see 4613) 1039069 - warn when language prefs are set to non en-US (see 0210, 0211) 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events From b22e349d44b578d38ee4b2ef0fbb1f9988c6df68 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 20 Jul 2021 03:38:49 +0000 Subject: [PATCH 314/657] make 4620 more accurate and match RFP section info --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index da7bea2..52bee1f 100644 --- a/user.js +++ b/user.js @@ -1585,7 +1585,7 @@ user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] // [1] https://bugzilla.mozilla.org/1288359 // user_pref("dom.webaudio.enabled", false); // FF80+ -// 4620: limit font visibility (non-ANDROID) [FF79+] +// 4620: limit font visibility (Windows, Mac, some Linux) [FF79+] // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1] // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts // [NOTE] Bundled fonts are auto-allowed From babb9f3682c1353124939f0a7e96c3039b7b34a7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 22 Jul 2021 03:41:39 +0000 Subject: [PATCH 315/657] 4612: remove outdated confusing line --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index 52bee1f..448696a 100644 --- a/user.js +++ b/user.js @@ -1549,7 +1549,6 @@ user_pref("media.video_stats.enabled", false); // user_pref("dom.w3c_touch_events.enabled", 0); // FF59+ // 4612: [2505] disable media device enumeration [FF29+] - // [NOTE] media.peerconnection.enabled should also be set to false (see 2001) // [1] https://wiki.mozilla.org/Media/getUserMedia // [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices user_pref("media.navigator.enabled", false); From a7ba61c0d4e5af6f63a27b89e73baeb09ba146cb Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 24 Jul 2021 00:52:38 +0000 Subject: [PATCH 316/657] 0304: background service app update [windows] - the service implies a check is done first, I'm more concerned with the actual updating: not that updates are bad, it's about controlling when (if ever e.g. my test suite) - since 0301 has to be done manually in Windows, 0302 is a good fallback **IF** the background service is applicable (read the link) - clean up the numbering --- user.js | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 448696a..4526ca1 100644 --- a/user.js +++ b/user.js @@ -186,13 +186,17 @@ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] to do updates for security reasons, please do so manually if you make changes. ***/ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); -/* 0301b: disable auto-CHECKING for extension and theme updates ***/ - // user_pref("extensions.update.enabled", false); -/* 0302a: disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+] +/* 0301: disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+] * [NOTE] In FF65+ on Windows this SETTING (below) is now stored in a file and the pref was removed * [SETTING] General>Firefox Updates>Check for updates but let you choose to install them ***/ user_pref("app.update.auto", false); -/* 0302b: disable auto-INSTALLING extension and theme updates (after the check in 0301b) +/* 0302: disable auto-INSTALLING Firefox updates via a background service [FF90+] [WINDOWS] + * [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running + * [1] https://support.mozilla.org/en-US/kb/enable-background-updates-firefox-windows ***/ +user_pref("app.update.background.scheduling.enabled", false); +/* 0303: disable auto-CHECKING for extension and theme updates ***/ + // user_pref("extensions.update.enabled", false); +/* 0304: disable auto-INSTALLING extension and theme updates (after the check in 0303) * [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/ // user_pref("extensions.update.autoUpdateDefault", false); /* 0306: disable extension metadata From f24899fcac1114b0bff087280a71886fa2ec0832 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 24 Jul 2021 01:04:03 +0000 Subject: [PATCH 317/657] cleanup language specific links --- user.js | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/user.js b/user.js index 4526ca1..cdbd164 100644 --- a/user.js +++ b/user.js @@ -192,7 +192,7 @@ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the user_pref("app.update.auto", false); /* 0302: disable auto-INSTALLING Firefox updates via a background service [FF90+] [WINDOWS] * [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running - * [1] https://support.mozilla.org/en-US/kb/enable-background-updates-firefox-windows ***/ + * [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows ***/ user_pref("app.update.background.scheduling.enabled", false); /* 0303: disable auto-CHECKING for extension and theme updates ***/ // user_pref("extensions.update.enabled", false); @@ -281,7 +281,7 @@ user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true] [1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ [2] https://wiki.mozilla.org/Security/Safe_Browsing - [3] https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work + [3] https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work ***/ /* 0410: disable SB (Safe Browsing) * [WARNING] Do this at your own risk! These are the master switches. @@ -489,7 +489,7 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); * This value controls the total number of entries to appear in the location bar dropdown ***/ // user_pref("browser.urlbar.maxRichResults", 0); /* 0850d: disable location bar autofill - * [1] https://support.mozilla.org/en-US/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/ + * [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/ // user_pref("browser.urlbar.autoFill", false); /* 0860: disable search and form history * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2] @@ -999,8 +999,8 @@ user_pref("dom.serviceWorkers.enabled", false); * a prompt (2306). Disabling service workers alone doesn't stop Firefox polling the * Mozilla Push Server. To remove all subscriptions, reset your userAgentID (in about:config * or on start), and you will get a new one within a few seconds. - * [1] https://support.mozilla.org/en-US/kb/push-notifications-firefox - * [2] https://developer.mozilla.org/en-US/docs/Web/API/Push_API ***/ + * [1] https://support.mozilla.org/kb/push-notifications-firefox + * [2] https://developer.mozilla.org/docs/Web/API/Push_API ***/ user_pref("dom.push.enabled", false); // user_pref("dom.push.userAgentID", ""); /* 2306: set a default permission for Notifications (both 2304 and 2305) [FF58+] @@ -1293,7 +1293,7 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); * [3] https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/ // user_pref("dom.storageManager.enabled", false); /* 2755: disable Storage Access API [FF65+] - * [1] https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API ***/ + * [1] https://developer.mozilla.org/docs/Web/API/Storage_Access_API ***/ // user_pref("dom.storage_access.enabled", false); /* 2760: enable Local Storage Next Generation (LSNG) [FF65+] ***/ user_pref("dom.storage.next_gen", true); @@ -1383,7 +1383,7 @@ user_pref("privacy.firstparty.isolate", true); * The 2nd pref removes that limitation and will only allow communication if FPDs also match. * [1] https://bugzilla.mozilla.org/1319773#c22 * [2] https://bugzilla.mozilla.org/1492607 - * [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/ + * [3] https://developer.mozilla.org/docs/Web/API/Window/postMessage ***/ // user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true] // user_pref("privacy.firstparty.isolate.block_post_message", true); /* 4003: enable scheme with FPI [FF78+] @@ -1571,7 +1571,7 @@ user_pref("webgl.enable-debug-renderer-info", false); user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] // FF64+ // 4616: [2516] disable PointerEvents [FF86 or lower] - // [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent + // [1] https://developer.mozilla.org/docs/Web/API/PointerEvent // [-] https://bugzilla.mozilla.org/1688105 user_pref("dom.w3c_pointer_events.enabled", false); // FF67+ From f394fd0290e9399629cb1926aa656364a5dcecdd Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 24 Jul 2021 01:56:46 +0000 Subject: [PATCH 318/657] move webgl to hardware fingerprinting - merge into a single number, update the alt pref number - update RFP info to reflect that it is not a cure-all --- user.js | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/user.js b/user.js index cdbd164..baded50 100644 --- a/user.js +++ b/user.js @@ -909,15 +909,6 @@ user_pref("media.peerconnection.enabled", false); user_pref("media.peerconnection.ice.default_address_only", true); user_pref("media.peerconnection.ice.no_host", true); // [FF51+] user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+] -/* 2010: disable WebGL (Web Graphics Library) - * [SETUP-WEB] When disabled, may break some websites. When enabled, provides high entropy, - * especially with readPixels(). Some of the other entropy is lessened with RFP (see 4501) - * [1] https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/ - * [2] https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/ -user_pref("webgl.disabled", true); -user_pref("webgl.enable-webgl2", false); -/* 2012: limit WebGL ***/ -user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] /* 2022: disable screensharing ***/ user_pref("media.getusermedia.screensharing.enabled", false); user_pref("media.getusermedia.browser.enabled", false); @@ -1092,6 +1083,14 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m * [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Virtual Reality Devices * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings ***/ // user_pref("permissions.default.xr", 2); +/* 2522: disable/limit WebGL (Web Graphics Library) + * [SETUP-WEB] When disabled, will break some websites. When enabled, provides high entropy, + * especially with readPixels(). Some of the other entropy is lessened with RFP (see 4501) + * [1] https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/ + * [2] https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/ +user_pref("webgl.disabled", true); +user_pref("webgl.enable-webgl2", false); +user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); @@ -1421,7 +1420,7 @@ user_pref("privacy.firstparty.isolate", true); FF57+ 1369309 - spoof media statistics (see 4610) 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) - 1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12) + 1217290 & 1409677 - enable some fingerprinting resistance for WebGL 1382545 - reduce fingerprinting in Animation API 1354633 - limit MediaError.message to a whitelist 1382533 & 1697680 - enable fingerprinting resistance for Presentation API (FF57-87) @@ -1561,7 +1560,7 @@ user_pref("media.navigator.enabled", false); // [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange user_pref("media.ondevicechange.enabled", false); // FF60+ -// 4614: [2011] disable WebGL debug info being available to websites +// 4614: [2522] disable WebGL debug info being available to websites // [1] https://bugzilla.mozilla.org/1171228 // [2] https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info user_pref("webgl.enable-debug-renderer-info", false); From cc8674c16de021bc4efeb9c714a8ffe09c3dc8c5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 24 Jul 2021 12:49:39 +0000 Subject: [PATCH 319/657] revert last commit --- scratchpad-scripts/arkenfox-clear-removed.js | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index e61e258..fe97e52 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 20-July-2021 + Last updated: 24-July-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -241,8 +241,6 @@ 'webgl.min_capability_mode', /* 89-beta */ 'security.ssl.enable_ocsp_stapling', - /* 90-beta */ - 'security.tls.version.enable-deprecated', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ]; From 18dbb56a3d143a97dc2f78e0cf63c4565c16db33 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 24 Jul 2021 12:51:15 +0000 Subject: [PATCH 320/657] put 1203 back see https://github.com/arkenfox/user.js/commit/3bb9fc713f141d794fc4adfb38d3fcf86c9307ab --- user.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/user.js b/user.js index baded50..164a4b9 100644 --- a/user.js +++ b/user.js @@ -645,6 +645,8 @@ user_pref("security.ssl.require_safe_negotiation", true); * [1] https://www.ssllabs.com/ssl-pulse/ ***/ // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] // user_pref("security.tls.version.max", 4); +/* 1203: enforce TLS 1.0 and 1.1 downgrades as session only ***/ +user_pref("security.tls.version.enable-deprecated", false); /* 1204: disable SSL session tracking [FF36+] * SSL Session IDs are unique and last up to 24hrs in Firefox (or longer with prolongation attacks) * [NOTE] These are not used in PB mode. In normal windows they are isolated when using FPI (4001) From f53f01823f482d600017d33c3c220a761c799984 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 24 Jul 2021 12:56:27 +0000 Subject: [PATCH 321/657] 1203 default info --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 164a4b9..a734cfa 100644 --- a/user.js +++ b/user.js @@ -646,7 +646,7 @@ user_pref("security.ssl.require_safe_negotiation", true); // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] // user_pref("security.tls.version.max", 4); /* 1203: enforce TLS 1.0 and 1.1 downgrades as session only ***/ -user_pref("security.tls.version.enable-deprecated", false); +user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false] /* 1204: disable SSL session tracking [FF36+] * SSL Session IDs are unique and last up to 24hrs in Firefox (or longer with prolongation attacks) * [NOTE] These are not used in PB mode. In normal windows they are isolated when using FPI (4001) From b8f3d93a5cbcd431405e2915508827ac69bfaa8b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 26 Jul 2021 03:11:09 +0000 Subject: [PATCH 322/657] v90 --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index a734cfa..55ae12a 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 16 June 2021 -* version 90-alpha +* date: 26 July 2021 +* version 90 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From 5c93ebb54f7248bb9419ebed27ced383e65be324 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 30 Jul 2021 05:48:17 +0000 Subject: [PATCH 323/657] misc, closes #1220 --- user.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 55ae12a..f1a9bc3 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 26 July 2021 -* version 90 +* date: 30 July 2021 +* version 91-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -585,8 +585,7 @@ user_pref("media.memory_cache_max_size", 65536); /* 1020: exclude "Undo Closed Tabs" in Session Restore ***/ // user_pref("browser.sessionstore.max_tabs_undo", 0); /* 1021: disable storing extra session data [SETUP-CHROME] - * extra session data contains contents of forms, scrollbar positions, cookies and POST data - * define on which sites to save extra session data: + * define on which sites to save extra session data such as form content, cookies and POST data * 0=everywhere, 1=unencrypted sites, 2=nowhere ***/ user_pref("browser.sessionstore.privacy_level", 2); /* 1022: disable resuming session from crash ***/ @@ -1371,6 +1370,7 @@ user_pref("privacy.sanitize.timeSpan", 0); 1506693 - pdfjs range-based requests (FF68+) 1330467 - site permissions (FF69+) 1534339 - IPv6 (FF73+) + 1721858 - WebSocket (FF92+) ***/ user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out"); /* 4001: enable First Party Isolation [FF51+] From eb4363dc180666554ca81a7909156e0893e80c3b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 1 Aug 2021 17:36:04 +0000 Subject: [PATCH 324/657] tweak info in section 2800 header, #1223 --- user.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index f1a9bc3..b846464 100644 --- a/user.js +++ b/user.js @@ -1299,7 +1299,11 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); user_pref("dom.storage.next_gen", true); /*** [SECTION 2800]: SHUTDOWN - You should set the values to what suits you best. + - Sanitizing on shutdown is all or nothing. It does not use Managed Exceptions under + Privacy & Security>Delete cookies and site data when Firefox is closed (1681701) + - If you want to keep some sites' cookies (exception as "Allow") and optionally other site + data but clear all the rest on close, then you need to set the "cookie" and optionally the + "offlineApps" prefs below to false, and to set the cookie lifetime pref to 2 (2703) - "Offline Website Data" includes appCache (2730), localStorage (2720), service worker cache (2740), and QuotaManager (IndexedDB, asm-cache) - In both 2803 + 2804, the 'download' and 'history' prefs are combined in the From 06e5de43328a75b1b249987aa0c67744083729cf Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 4 Aug 2021 10:32:33 +0000 Subject: [PATCH 325/657] tweak windows SSO info/reference --- user.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index b846464..17ae8d1 100644 --- a/user.js +++ b/user.js @@ -540,8 +540,9 @@ user_pref("signon.formlessCapture.enabled", false); * 1=don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs * 2=allow sub-resources to open HTTP authentication credentials dialogs (default) ***/ user_pref("network.auth.subresource-http-auth-allow", 1); -/* 0913: disable automatic authentication on Microsoft sites [FF91+] [WINDOWS] - * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1695693,1719301 ***/ +/* 0913: disable automatic authentication on Microsoft sites [FF91+] [WINDOWS 10+] + * [SETTING] Privacy & Security>Logins and Passwords>Allow Windows single sign-on for... + * [1] https://support.mozilla.org/kb/windows-sso ***/ user_pref("network.http.windows-sso.enabled", false); /*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS From 404d1d466a35fada3050222261a85c0bf422a887 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 4 Aug 2021 17:23:38 +0000 Subject: [PATCH 326/657] update [STATS] - just in time for ESR91 --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 17ae8d1..375908d 100644 --- a/user.js +++ b/user.js @@ -376,7 +376,7 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost /* 0701: disable IPv6 * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs. That's even * assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4 - * [STATS] Firefox telemetry (Dec 2020) shows ~8% of all connections are IPv6 + * [STATS] Firefox telemetry (July 2021) shows ~10% of all connections are IPv6 * [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, * then this won't make much difference. If you are masking your IP, then it can only help. @@ -388,7 +388,7 @@ user_pref("network.dns.disableIPv6", true); * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to * enhance privacy, and opens up a number of server-side fingerprinting opportunities. * [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites - * [STATS] Over 50% of sites (April 2021) and growing [5] + * [STATS] ~46% of sites (July 2021) [5] * [1] https://http2.github.io/faq/ * [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html * [3] https://http2.github.io/http2-spec/#rfc.section.10.8 @@ -633,7 +633,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); * safe from the attack if it disables renegotiations but the problem is that the browser can't * know that. Setting this pref to true is the only way for the browser to ensure there will be * no unsafe renegotiations on the channel between the browser and the server. - * [STATS] SSL Labs (Dec 2020) reports 99.0% of sites have secure renegotiation [4] + * [STATS] SSL Labs (July 2020) reports over 99% of sites have secure renegotiation [4] * [1] https://wiki.mozilla.org/Security:Renegotiation * [2] https://tools.ietf.org/html/rfc5746 * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 From 92b7fb81d0ca6bfd58aeca175749b4bd2777ef20 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 4 Aug 2021 18:45:15 +0000 Subject: [PATCH 327/657] fixup STATS year --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 375908d..2878c4e 100644 --- a/user.js +++ b/user.js @@ -633,7 +633,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); * safe from the attack if it disables renegotiations but the problem is that the browser can't * know that. Setting this pref to true is the only way for the browser to ensure there will be * no unsafe renegotiations on the channel between the browser and the server. - * [STATS] SSL Labs (July 2020) reports over 99% of sites have secure renegotiation [4] + * [STATS] SSL Labs (July 2021) reports over 99% of sites have secure renegotiation [4] * [1] https://wiki.mozilla.org/Security:Renegotiation * [2] https://tools.ietf.org/html/rfc5746 * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 From dd112a167def8de25707ced259a7f62e3d252f81 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 9 Aug 2021 20:39:47 +0000 Subject: [PATCH 328/657] final update --- ...x-clear-RFP-alternatives.js => arkenfox-clear-non-RFP.js} | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) rename scratchpad-scripts/{arkenfox-clear-RFP-alternatives.js => arkenfox-clear-non-RFP.js} (91%) diff --git a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js b/scratchpad-scripts/arkenfox-clear-non-RFP.js similarity index 91% rename from scratchpad-scripts/arkenfox-clear-RFP-alternatives.js rename to scratchpad-scripts/arkenfox-clear-non-RFP.js index 92d619d..9d251d4 100644 --- a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js +++ b/scratchpad-scripts/arkenfox-clear-non-RFP.js @@ -3,8 +3,11 @@ arkenfox user.js. These are the prefs that are no longer necessary, or they conflict with, privacy.resistFingerprinting if you have that enabled. - Last updated: 08-July-2021 + Final update: 10-August-2021 + As of v91, section 4600 is no longer recommended, and is all inactive. This + now includes the old 4700 section. You can reset them using prefsCleaner. + For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] ***/ From d19d4ba784bb96ccc8301d59da77c0e58746bb21 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 9 Aug 2021 20:42:51 +0000 Subject: [PATCH 329/657] final update in hindsight, the original name is more accurate --- ...kenfox-clear-non-RFP.js => arkenfox-clear-RFP-alternatives.js} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename scratchpad-scripts/{arkenfox-clear-non-RFP.js => arkenfox-clear-RFP-alternatives.js} (100%) diff --git a/scratchpad-scripts/arkenfox-clear-non-RFP.js b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js similarity index 100% rename from scratchpad-scripts/arkenfox-clear-non-RFP.js rename to scratchpad-scripts/arkenfox-clear-RFP-alternatives.js From 4b38e20f14cbb62378cad1de3628cec7250a6760 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 10 Aug 2021 00:18:19 +0000 Subject: [PATCH 330/657] change 4600s into do not use, #1221 (#1225) see https://github.com/arkenfox/user.js/issues/1221#issuecomment-895623028 --- user.js | 354 +++++++++++++++++++++++--------------------------------- 1 file changed, 146 insertions(+), 208 deletions(-) diff --git a/user.js b/user.js index 2878c4e..ceedf39 100644 --- a/user.js +++ b/user.js @@ -32,14 +32,12 @@ * It is best to use the arkenfox release that is optimized for and matches your Firefox version * EVERYONE: each release - - run prefsCleaner or reset deprecated prefs (9999s) and prefs made redundant by RPF (4600s) - - re-enable section 4600 if you don't use RFP + - run prefsCleaner to reset prefs made inactive, including deprecated (9999s) ESR78 - If you are not using arkenfox v78... (not a definitive list) - 1244: HTTPS-Only mode is enabled - 1401: document fonts is inactive as it is now covered by RFP in FF80+ - 2626: non-native widget theme is enforced - - 4600: some prefs may apply even if you use RFP - 9999: switch the appropriate deprecated section(s) back on * INDEX: @@ -69,8 +67,7 @@ 2800: SHUTDOWN 4000: FPI (FIRST PARTY ISOLATION) 4500: RFP (RESIST FINGERPRINTING) - 4600: RFP ALTERNATIVES - 4700: RFP ALTERNATIVES (USER AGENT SPOOFING) + 4600: NON-RFP 5000: PERSONAL 9999: DEPRECATED / REMOVED / LEGACY / RENAMED @@ -178,12 +175,12 @@ user_pref("intl.accept_languages", "en-US, en"); user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] /*** [SECTION 0300]: QUIET FOX - We only disable the auto-INSTALL of Firefox (app) updates. You still get prompts to update, - and it only takes one click. We highly discourage disabling auto-CHECKING for updates. + We only disable the auto-INSTALL of Firefox (app) updates. You still get prompts to update, + and it only takes one click. We highly discourage disabling auto-CHECKING for updates. - Legitimate reasons to disable auto-INSTALLS include hijacked/monetized extensions, time - constraints, legacy issues, dev/testing, and fear of breakage/bugs. It is still important - to do updates for security reasons, please do so manually if you make changes. + Legitimate reasons to disable auto-INSTALLS include hijacked/monetized extensions, time + constraints, legacy issues, dev/testing, and fear of breakage/bugs. It is still important + to do updates for security reasons, please do so manually if you make changes. ***/ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); /* 0301: disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+] @@ -273,15 +270,15 @@ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!"); user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true] /** SAFE BROWSING (SB) - Safe Browsing has taken many steps to preserve privacy. *IF* required, a full url is never - sent to Google, only a PART-hash of the prefix, and this is hidden with noise of other real - PART-hashes. Google also swear it is anonymized and only used to flag malicious sites. - Firefox also takes measures such as striping out identifying parameters and since SBv4 (FF57+) - doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity) + Safe Browsing has taken many steps to preserve privacy. *IF* required, a full url is never + sent to Google, only a PART-hash of the prefix, and this is hidden with noise of other real + PART-hashes. Google also swear it is anonymized and only used to flag malicious sites. + Firefox also takes measures such as striping out identifying parameters and since SBv4 (FF57+) + doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity) - [1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ - [2] https://wiki.mozilla.org/Security/Safe_Browsing - [3] https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work + [1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ + [2] https://wiki.mozilla.org/Security/Safe_Browsing + [3] https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work ***/ /* 0410: disable SB (Safe Browsing) * [WARNING] Do this at your own risk! These are the master switches. @@ -310,18 +307,18 @@ user_pref("browser.safebrowsing.downloads.remote.url", ""); // user_pref("browser.safebrowsing.allowOverride", false); /*** [SECTION 0500]: SYSTEM ADD-ONS / EXPERIMENTS - System Add-ons are a method for shipping extensions, considered to be - built-in features to Firefox, that are hidden from the about:addons UI. - To view your System Add-ons go to about:support, they are listed under "Firefox Features" + System Add-ons are a method for shipping extensions, considered to be + built-in features to Firefox, that are hidden from the about:addons UI. + To view your System Add-ons go to about:support, they are listed under "Firefox Features" - * Portable: "...\App\Firefox64\browser\features\" (or "App\Firefox\etc" for 32bit) - * Windows: "...\Program Files\Mozilla\browser\features" (or "Program Files (X86)\etc" for 32bit) - * Mac: "...\Applications\Firefox\Contents\Resources\browser\features\" - [NOTE] On Mac you can right-click on the application and select "Show Package Contents" - * Linux: "/usr/lib/firefox/browser/features" (or similar) + * Portable: "...\App\Firefox64\browser\features\" (or "App\Firefox\etc" for 32bit) + * Windows: "...\Program Files\Mozilla\browser\features" (or "Program Files (X86)\etc" for 32bit) + * Mac: "...\Applications\Firefox\Contents\Resources\browser\features\" + [NOTE] On Mac you can right-click on the application and select "Show Package Contents" + * Linux: "/usr/lib/firefox/browser/features" (or similar) - [1] https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html - [2] https://searchfox.org/mozilla-central/source/browser/extensions + [1] https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html + [2] https://searchfox.org/mozilla-central/source/browser/extensions ***/ user_pref("_user.js.parrot", "0500 syntax error: the parrot's cashed in 'is chips!"); /* 0503: disable Normandy/Shield [FF60+] @@ -425,11 +422,11 @@ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS - Change items 0850 and above to suit for privacy vs convenience and functionality. Consider - your environment (no unwanted eyeballs), your device (restricted access), your device's - unattended state (locked, encrypted, forensic hardened). Likewise, you may want to check - the items cleared on shutdown in section 2800. - [1] https://xkcd.com/538/ + Change items 0850 and above to suit for privacy vs convenience and functionality. Consider + your environment (no unwanted eyeballs), your device (restricted access), your device's + unattended state (locked, encrypted, forensic hardened). Likewise, you may want to check + the items cleared on shutdown in section 2800. + [1] https://xkcd.com/538/ ***/ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); /* 0801: disable location bar using search @@ -546,20 +543,20 @@ user_pref("network.auth.subresource-http-auth-allow", 1); user_pref("network.http.windows-sso.enabled", false); /*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS - Cache tracking/fingerprinting techniques [1][2][3] require a cache. Disabling disk (1001) - *and* memory (1003) caches is one solution; but that's extreme and fingerprintable. A hardened - Temporary Containers configuration can effectively do the same thing, by isolating every tab [4]. + Cache tracking/fingerprinting techniques [1][2][3] require a cache. Disabling disk (1001) + *and* memory (1003) caches is one solution; but that's extreme and fingerprintable. A hardened + Temporary Containers configuration can effectively do the same thing, by isolating every tab [4]. - We consider avoiding disk cache (1001) so cache is session/memory only (like Private Browsing - mode), and isolating cache to first party (4001) is sufficient and a good balance between - risk and performance. ETAGs can also be neutralized by modifying response headers [5], and - you can clear the cache manually or on a regular basis with an extension. + We consider avoiding disk cache (1001) so cache is session/memory only (like Private Browsing + mode), and isolating cache to first party (4001) is sufficient and a good balance between + risk and performance. ETAGs can also be neutralized by modifying response headers [5], and + you can clear the cache manually or on a regular basis with an extension. - [1] https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags - [2] https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/ - [3] https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache - [4] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21 - [5] https://github.com/arkenfox/user.js/wiki/4.2.4-Header-Editor + [1] https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags + [2] https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/ + [3] https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache + [4] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21 + [5] https://github.com/arkenfox/user.js/wiki/4.2.4-Header-Editor ***/ user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!"); /** CACHE ***/ @@ -663,8 +660,8 @@ user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false] user_pref("security.tls.enable_0rtt_data", false); /** OCSP (Online Certificate Status Protocol) - [1] https://scotthelme.co.uk/revocation-is-broken/ - [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ + [1] https://scotthelme.co.uk/revocation-is-broken/ + [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/ /* 1211: control when to use OCSP fetching (to confirm current validity of certificates) * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only @@ -746,11 +743,11 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); // user_pref("dom.securecontext.whitelist_onions", true); /** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] - * These are the ciphers listed under "Cipher Suites" [1] that are either still using SHA-1 and CBC, - * and/or are missing Perfect Forward Secrecy [3] and/or have other weaknesses like key sizes of 128 - * [1] https://browserleaks.com/ssl - * [2] https://en.wikipedia.org/wiki/Key_size - * [3] https://en.wikipedia.org/wiki/Forward_secrecy + These are the ciphers listed under "Cipher Suites" [1] that are either still using SHA-1 and CBC, + and/or are missing Perfect Forward Secrecy [3] and/or have other weaknesses like key sizes of 128 + [1] https://browserleaks.com/ssl + [2] https://en.wikipedia.org/wiki/Key_size + [3] https://en.wikipedia.org/wiki/Forward_secrecy ***/ /* 1261: disable 3DES (effective key size < 128 and no PFS) * [1] https://en.wikipedia.org/wiki/3des#Security @@ -814,15 +811,15 @@ user_pref("gfx.font_rendering.graphite.enabled", false); // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] /*** [SECTION 1600]: HEADERS / REFERERS - Only *cross domain* referers need controlling: leave 1601, 1602, 1605 and 1606 alone - --- - Expect some breakage: Use an extension if you need precise control - --- - full URI: https://example.com:8888/foo/bar.html?id=1234 - scheme+host+port+path: https://example.com:8888/foo/bar.html - scheme+host+port: https://example.com:8888 - --- - [1] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ + Only *cross domain* referers need controlling: leave 1601, 1602, 1605 and 1606 alone + --- + Expect some breakage: Use an extension if you need precise control + --- + full URI: https://example.com:8888/foo/bar.html?id=1234 + scheme+host+port+path: https://example.com:8888/foo/bar.html + scheme+host+port: https://example.com:8888 + --- + [1] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ ***/ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); /* 1601: ALL: control when images/links send a referer @@ -861,12 +858,12 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); user_pref("privacy.donottrackheader.enabled", true); /*** [SECTION 1700]: CONTAINERS - If you want to *really* leverage containers, we highly recommend Temporary Containers [2]. - Read the article by the extension author [3], and check out the github wiki/repo [4]. - [1] https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers - [2] https://addons.mozilla.org/firefox/addon/temporary-containers/ - [3] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21 - [4] https://github.com/stoically/temporary-containers/wiki + If you want to *really* leverage containers, we highly recommend Temporary Containers [2]. + Read the article by the extension author [3], and check out the github wiki/repo [4]. + [1] https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers + [2] https://addons.mozilla.org/firefox/addon/temporary-containers/ + [3] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21 + [4] https://github.com/stoically/temporary-containers/wiki ***/ user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!"); /* 1701: enable Container Tabs setting in preferences (see 1702) [FF50+] @@ -957,17 +954,17 @@ user_pref("dom.disable_open_during_load", true); user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); /*** [SECTION 2300]: WEB WORKERS - A worker is a JS "background task" running in a global context, i.e. it is different from - the current window. Workers can spawn new workers (must be the same origin & scheme), - including service and shared workers. Shared workers can be utilized by multiple scripts and - communicate between browsing contexts (windows/tabs/iframes) and can even control your cache. + A worker is a JS "background task" running in a global context, i.e. it is different from + the current window. Workers can spawn new workers (must be the same origin & scheme), + including service and shared workers. Shared workers can be utilized by multiple scripts and + communicate between browsing contexts (windows/tabs/iframes) and can even control your cache. - [1] Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API - [2] Worker: https://developer.mozilla.org/docs/Web/API/Worker - [3] Service Worker: https://developer.mozilla.org/docs/Web/API/Service_Worker_API - [4] SharedWorker: https://developer.mozilla.org/docs/Web/API/SharedWorker - [5] ChromeWorker: https://developer.mozilla.org/docs/Web/API/ChromeWorker - [6] Notifications: https://support.mozilla.org/questions/1165867#answer-981820 + [1] Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API + [2] Worker: https://developer.mozilla.org/docs/Web/API/Worker + [3] Service Worker: https://developer.mozilla.org/docs/Web/API/Service_Worker_API + [4] SharedWorker: https://developer.mozilla.org/docs/Web/API/SharedWorker + [5] ChromeWorker: https://developer.mozilla.org/docs/Web/API/ChromeWorker + [6] Notifications: https://support.mozilla.org/questions/1165867#answer-981820 ***/ user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!"); /* 2302: disable service workers [FF32, FF44-compat] @@ -1225,18 +1222,18 @@ user_pref("security.csp.enable", true); // [DEFAULT: true] user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000] /*** [SECTION 2700]: PERSISTENT STORAGE - Data SET by websites including - cookies : profile\cookies.sqlite - localStorage : profile\webappsstore.sqlite - indexedDB : profile\storage\default - appCache : profile\OfflineCache - serviceWorkers : + Data SET by websites including + cookies : profile\cookies.sqlite + localStorage : profile\webappsstore.sqlite + indexedDB : profile\storage\default + appCache : profile\OfflineCache (FF89 or lower) + serviceWorkers : - [NOTE] indexedDB and serviceWorkers are not available in Private Browsing Mode - [NOTE] Blocking cookies also blocks websites access to: localStorage (incl. sessionStorage), - indexedDB, sharedWorker, and serviceWorker (and therefore service worker cache and notifications) - If you set a site exception for cookies (either "Allow" or "Allow for Session") then they become - accessible to websites except shared/service workers where the cookie setting *must* be "Allow" + [NOTE] indexedDB and serviceWorkers are not available in Private Browsing Mode + [NOTE] Blocking cookies also blocks websites access to: localStorage (incl. sessionStorage), + indexedDB, sharedWorker, and serviceWorker (and therefore service worker cache and notifications) + If you set a site exception for cookies (either "Allow" or "Allow for Session") then they become + accessible to websites except shared/service workers where the cookie setting *must* be "Allow" ***/ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!"); /* 2701: disable or isolate 3rd-party cookies and site-data [SETUP-WEB] @@ -1300,15 +1297,15 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); user_pref("dom.storage.next_gen", true); /*** [SECTION 2800]: SHUTDOWN - - Sanitizing on shutdown is all or nothing. It does not use Managed Exceptions under - Privacy & Security>Delete cookies and site data when Firefox is closed (1681701) - - If you want to keep some sites' cookies (exception as "Allow") and optionally other site - data but clear all the rest on close, then you need to set the "cookie" and optionally the - "offlineApps" prefs below to false, and to set the cookie lifetime pref to 2 (2703) - - "Offline Website Data" includes appCache (2730), localStorage (2720), - service worker cache (2740), and QuotaManager (IndexedDB, asm-cache) - - In both 2803 + 2804, the 'download' and 'history' prefs are combined in the - Firefox interface as "Browsing & Download History" and their values will be synced + * Sanitizing on shutdown is all or nothing. It does not use Managed Exceptions under + Privacy & Security>Delete cookies and site data when Firefox is closed (1681701) + * If you want to keep some sites' cookies (exception as "Allow") and optionally other site + data but clear all the rest on close, then you need to set the "cookie" and optionally the + "offlineApps" prefs below to false, and to set the cookie lifetime pref to 2 (2703) + * "Offline Website Data" includes appCache (2730), localStorage (2720), + service worker cache (2740), and QuotaManager (IndexedDB, asm-cache) + * In both 2803 + 2804, the 'download' and 'history' prefs are combined in the + Firefox interface as "Browsing & Download History" and their values will be synced ***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); /* 2802: enable Firefox to clear items on shutdown (see 2803) @@ -1409,14 +1406,14 @@ user_pref("privacy.firstparty.isolate", true); [TEST] https://arkenfox.github.io/TZP/tzp.html#screen FF50+ 1281949 - spoof screen orientation - 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+) + 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes FF55+ 1330890 - spoof timezone as UTC 0 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) 1217238 - reduce precision of time exposed by javascript FF56+ 1369303 - spoof/disable performance API (see 4602, 4603) - 1333651 - spoof User Agent & Navigator API (see section 4700) + 1333651 - spoof User Agent & Navigator API (see 4650) JS: FF78+ the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 9 (FF91+ as 10), or Linux HTTP Headers: spoofed as Windows or Android 1369319 - disable device sensor API (see 4604) @@ -1501,117 +1498,53 @@ user_pref("browser.startup.blankWindow", false); * [NOTE] pref added in FF63, but applied to chrome in FF77. RFP spoofs this for web content ***/ user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] -/*** [SECTION 4600]: RFP ALTERNATIVES - [WARNING] DO NOT USE prefs in this section with RFP as they can interfere +/*** [SECTION 4600]: NON-RFP + [WARNING] DO NOT USE with RFP. RFP already covers these, and they can interfere + [NOTE] These prefs will not help anti-fingerprinting. They are insufficient + on their own, can cause breakage, and will make you stand out ***/ user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan"); -/* [SETUP-non-RFP] Non-RFP users replace the * with a slash on this line to enable these -// FF55+ -// 4601: [2514] spoof number of CPU cores [FF48+] - // [1] https://bugzilla.mozilla.org/1008453 - // [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21675 - // [3] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22127 - // [4] https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency -user_pref("dom.maxHardwareConcurrency", 2); -// FF56+ -// 4602: [2411] disable resource/navigation timing -user_pref("dom.enable_resource_timing", false); -// 4603: [2412] disable timing attacks - // [1] https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI +/* 4601: spoof number of CPU cores [FF48+] ***/ + // user_pref("dom.maxHardwareConcurrency", 2); +/* 4602: disable Resource Timing API ***/ + // user_pref("dom.enable_resource_timing", false); +/* 4603: disable Navigation Timing API ***/ // user_pref("dom.enable_performance", false); -// 4604: [2512] disable device sensor API - // Optional protection depending on your device - // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15758 - // [2] https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/ - // [3] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751 +/* 4604: disable device Sensor APIs ***/ // user_pref("device.sensors.enabled", false); -// 4605: [2515] disable site specific zoom - // Zoom levels affect screen res and are highly fingerprintable. This does not stop you using - // zoom, it will just not use/remember any site specific settings. Zoom levels on new tabs - // and new windows are reset to default and only the current tab retains the current zoom -user_pref("browser.zoom.siteSpecific", false); -// 4606: [2501] disable gamepad API - USB device ID enumeration - // Optional protection depending on your connected devices - // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13023 +/* 4605: disable remembering site specific zoom ***/ + // user_pref("browser.zoom.siteSpecific", false); +/* 4606: disable gamepad API to prevent USB device ID enumeration ***/ // user_pref("dom.gamepad.enabled", false); -// 4607: [2503] disable giving away network info [FF31+] - // e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none - // [1] https://developer.mozilla.org/docs/Web/API/Network_Information_API - // [2] https://wicg.github.io/netinfo/ - // [3] https://bugzilla.mozilla.org/960426 -user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android] -// 4608: [2021] disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API - // [1] https://developer.mozilla.org/docs/Web/API/Web_Speech_API - // [2] https://developer.mozilla.org/docs/Web/API/SpeechSynthesis - // [3] https://wiki.mozilla.org/HTML5_Speech_API -user_pref("media.webspeech.synth.enabled", false); -// FF57+ -// 4610: [2506] disable video statistics - JS performance fingerprinting [FF25+] - // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15757 - // [2] https://bugzilla.mozilla.org/654550 -user_pref("media.video_stats.enabled", false); -// 4611: [2509] disable touch events - // fingerprinting attack vector - leaks screen res & actual screen coordinates - // 0=disabled, 1=enabled, 2=autodetect - // Optional protection depending on your device - // [1] https://developer.mozilla.org/docs/Web/API/Touch_events - // [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10286 +/* 4607: disable Network Information API [FF31+] ***/ + // user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android] +/* 4608: disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API ***/ + // user_pref("media.webspeech.synth.enabled", false); +/* 4610: disable video statistics to mitigate JS performance fingerprinting [FF25+] ***/ + // user_pref("media.video_stats.enabled", false); +/* 4611: disable touch events: 0=disabled, 1=enabled, 2=autodetect ***/ // user_pref("dom.w3c_touch_events.enabled", 0); -// FF59+ -// 4612: [2505] disable media device enumeration [FF29+] - // [1] https://wiki.mozilla.org/Media/getUserMedia - // [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices -user_pref("media.navigator.enabled", false); -// 4613: [2511] disable MediaDevices change detection [FF51+] - // [1] https://developer.mozilla.org/docs/Web/Events/devicechange - // [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange -user_pref("media.ondevicechange.enabled", false); -// FF60+ -// 4614: [2522] disable WebGL debug info being available to websites - // [1] https://bugzilla.mozilla.org/1171228 - // [2] https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info -user_pref("webgl.enable-debug-renderer-info", false); -// FF63+ -// 4615: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] - // 0=no-preference, 1=reduce -user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] -// FF64+ -// 4616: [2516] disable PointerEvents [FF86 or lower] - // [1] https://developer.mozilla.org/docs/Web/API/PointerEvent - // [-] https://bugzilla.mozilla.org/1688105 -user_pref("dom.w3c_pointer_events.enabled", false); -// FF67+ -// 4617: [2618] disable exposure of system colors to CSS or canvas [FF44+] - // [NOTE] See second listed bug: may cause black on black for elements with undefined colors - // [SETUP-CHROME] Might affect CSS in themes and extensions - // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876 -user_pref("ui.use_standins_for_native_colors", true); -// 4618: enforce prefers-color-scheme as light [FF67+] - // 0=light, 1=dark : This overrides your OS value -user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] -// FF72+ -// 4619: [2510] disable Web Audio API [FF51+] - // [1] https://bugzilla.mozilla.org/1288359 +/* 4612: disable media device enumeration [FF29+] ***/ + // user_pref("media.navigator.enabled", false); +/* 4613: disable MediaDevices change detection [FF51+] ***/ + // user_pref("media.ondevicechange.enabled", false); +/* 4614: disable WebGL debug info being available to websites ***/ + // user_pref("webgl.enable-debug-renderer-info", false); +/* 4615: enforce prefers-reduced-motion as no-preference: 0=no-preference, 1=reduce [FF63+] [RESTART] ***/ + // user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] +/* 4617: disable exposure of system colors to CSS or canvas [FF44+] ***/ + // user_pref("ui.use_standins_for_native_colors", true); +/* 4618: enforce prefers-color-scheme as light: 0=light, 1=dark [FF67+] ***/ + // user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] +/* 4619: disable Web Audio API [FF51+] ***/ // user_pref("dom.webaudio.enabled", false); -// FF80+ -// 4620: limit font visibility (Windows, Mac, some Linux) [FF79+] - // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1] - // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts - // [NOTE] Bundled fonts are auto-allowed - // [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc -user_pref("layout.css.font-visibility.level", 1); -// ***/ - -/*** [SECTION 4700]: RFP ALTERNATIVES (USER AGENT SPOOFING) - These prefs are insufficient and leak. Use RFP and **nothing else** - - Many of the user agent components can be derived by other means. When those - values differ, you provide more bits and raise entropy. Examples include - workers, iframes, headers, tcp/ip attributes, feature detection, and many more - - Web extensions also lack APIs to fully protect spoofing -***/ -user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow"); -/* 4701: navigator DOM object overrides - * [WARNING] DO NOT USE ***/ +/* 4620: limit font visibility (Windows, Mac, some Linux) [FF79+] + * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed + * 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts + * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/ + // user_pref("layout.css.font-visibility.level", 1); +/* 4650: navigator DOM object overrides + * [WANRING] NO NOT USE: these prefs are insufficient and leak ***/ // user_pref("general.appname.override", ""); // [HIDDEN PREF] // user_pref("general.appversion.override", ""); // [HIDDEN PREF] // user_pref("general.buildID.override", ""); // [HIDDEN PREF] @@ -1620,8 +1553,9 @@ user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow // user_pref("general.useragent.override", ""); // [HIDDEN PREF] /*** [SECTION 5000]: PERSONAL - Non-project related but useful. If any of these interest you, add them to your overrides - To save some overrides, we've made a few active as they seem to be universally used ***/ + Non-project related but useful. If any of these interest you, add them to your overrides + To save some overrides, we've made a few active as they seem to be universally used +***/ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); /* WELCOME & WHAT's NEW NOTICES ***/ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch @@ -1665,9 +1599,9 @@ user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED - Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1], - which also provides a link-clickable, viewer-friendly version of the deprecated bugzilla tickets - [1] https://github.com/arkenfox/user.js/issues/123 + Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1], + which also provides a link-clickable, viewer-friendly version of the deprecated bugzilla tickets + [1] https://github.com/arkenfox/user.js/issues/123 ***/ user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); /* ESR78.x still uses all the following prefs @@ -1700,6 +1634,10 @@ user_pref("browser.download.hide_plugins_without_extensions", false); // 0105d: disable Activity Stream recent Highlights in the Library [FF57+] // [-] https://bugzilla.mozilla.org/1689405 // user_pref("browser.library.activity-stream.enabled", false); +// 4616: disable PointerEvents + // [1] https://developer.mozilla.org/docs/Web/API/PointerEvent + // [-] https://bugzilla.mozilla.org/1688105 + // user_pref("dom.w3c_pointer_events.enabled", false); // FF89 // 0309: disable sending Flash crash reports // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] From c3b7f7538c3c97331d000b08fedaa889df9e204b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 10 Aug 2021 01:21:04 +0000 Subject: [PATCH 331/657] i do not like mixed case lists --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ec755c6..39ddaa1 100644 --- a/README.md +++ b/README.md @@ -15,9 +15,9 @@ Also be aware that the `arkenfox user.js` is made specifically for desktop Firef ### 🟧 sitemap - - [Releases](https://github.com/arkenfox/user.js/releases) + - [releases](https://github.com/arkenfox/user.js/releases) - [changelogs](https://github.com/arkenfox/user.js/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Achangelog) - - [Wiki](https://github.com/arkenfox/user.js/wiki) + - [wiki](https://github.com/arkenfox/user.js/wiki) - [stickies](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22) - [diffs](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+label%3Adiffs) From c45094fdd95b02f4d5cb70422ef953937a4d9e80 Mon Sep 17 00:00:00 2001 From: icpantsparti <35049679+icpantsparti@users.noreply.github.com> Date: Wed, 11 Aug 2021 20:56:51 +0000 Subject: [PATCH 332/657] nits! (edit 2 typos) (#1232) --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index ceedf39..da72086 100644 --- a/user.js +++ b/user.js @@ -459,7 +459,7 @@ user_pref("browser.urlbar.trimURLs", false); * [5] https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html ***/ // user_pref("layout.css.visited_links_enabled", false); /* 0807: disable live search suggestions -/* [NOTE] Both must be true for the location bar to work + * [NOTE] Both must be true for the location bar to work * [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine * [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/ user_pref("browser.search.suggest.enabled", false); @@ -1544,7 +1544,7 @@ user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/ // user_pref("layout.css.font-visibility.level", 1); /* 4650: navigator DOM object overrides - * [WANRING] NO NOT USE: these prefs are insufficient and leak ***/ + * [WARNING] NO NOT USE: these prefs are insufficient and leak ***/ // user_pref("general.appname.override", ""); // [HIDDEN PREF] // user_pref("general.appversion.override", ""); // [HIDDEN PREF] // user_pref("general.buildID.override", ""); // [HIDDEN PREF] From 568a05ad7dfa744fe3bf6d2afc6b97ebbaf5dff0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 14 Aug 2021 04:18:04 +0000 Subject: [PATCH 333/657] 2502: trim this info is useless .. save three lines --- user.js | 3 --- 1 file changed, 3 deletions(-) diff --git a/user.js b/user.js index da72086..29d8c90 100644 --- a/user.js +++ b/user.js @@ -1055,9 +1055,6 @@ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] /*** [SECTION 2500]: HARDWARE FINGERPRINTING ***/ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!"); /* 2502: disable Battery Status API - * Initially a Linux issue (high precision readout) that was fixed. - * However, it is still another metric for fingerprinting, used to raise entropy. - * e.g. do you have a battery or not, current charging status, charge level, times remaining etc * [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code [1] * [1] https://bugzilla.mozilla.org/1313580 ***/ // user_pref("dom.battery.enabled", false); From 1b33f574bbfa3f3f8639a0b108e2575daffc8313 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 14 Aug 2021 04:44:50 +0000 Subject: [PATCH 334/657] RFP stuff --- user.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/user.js b/user.js index 29d8c90..3108477 100644 --- a/user.js +++ b/user.js @@ -1454,6 +1454,8 @@ user_pref("privacy.firstparty.isolate", true); 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) 1653987 - limit font visibility to bundled and "Base Fonts" (see 4620) (Windows, Mac, some Linux) (FF80+) 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82+) + FF91+ + 531915 - use fdlibm's sin, cos and tan in jsmath (FF93+) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] From 68568c1abfceea921676290cb7e4b8386b71ab5d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 16 Aug 2021 04:02:15 +0000 Subject: [PATCH 335/657] trim 1198 bytes (u lucky bastards!) + 13 lines --- user.js | 169 ++++++++++++++++++++++++++------------------------------ 1 file changed, 78 insertions(+), 91 deletions(-) diff --git a/user.js b/user.js index 3108477..bdf68c9 100644 --- a/user.js +++ b/user.js @@ -7,7 +7,7 @@ * README: - 1. Consider using Tor Browser if it meets your needs or fits your threat model better + 1. Consider using Tor Browser if it meets your needs or fits your threat model * https://www.torproject.org/about/torusers.html.en 2. Required reading: Overview, Backing Up, Implementing, and Maintenance entries * https://github.com/arkenfox/user.js/wiki @@ -71,11 +71,12 @@ 5000: PERSONAL 9999: DEPRECATED / REMOVED / LEGACY / RENAMED + ******/ /* START: internal custom pref to test for syntax errors - * [NOTE] In FF60+, not all syntax errors cause parsing to abort i.e. reaching the last debug - * pref no longer necessarily means that all prefs have been applied. Check the console right + * [NOTE] Not all syntax errors cause parsing to abort i.e. reaching the last debug pref + * no longer necessarily means that all prefs have been applied. Check the console right * after startup for any warnings/error messages related to non-applied prefs * [1] https://blog.mozilla.org/nnethercote/2018/03/09/a-new-preferences-parser-for-firefox/ ***/ user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?"); @@ -105,7 +106,7 @@ user_pref("browser.startup.homepage", "about:blank"); user_pref("browser.newtabpage.enabled", false); user_pref("browser.newtab.preload", false); /* 0105: disable Activity Stream stuff (AS) - * AS is the default homepage/newtab in FF57+, based on metadata and browsing behavior. + * AS is the default homepage/newtab based on metadata and browsing behavior * **NOT LISTING ALL OF THESE: USE THE PREFERENCES UI** * [SETTING] Home>Firefox Home Content>... to show/hide what you want ***/ /* 0105a: disable Activity Stream telemetry ***/ @@ -125,7 +126,7 @@ user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); // * [NOTE] This does not block you from adding your own ***/ user_pref("browser.newtabpage.activity-stream.default.sites", ""); /* 0110: start Firefox in PB (Private Browsing) mode - * [NOTE] In this mode *all* windows are "private windows" and the PB mode icon is not displayed + * [NOTE] In this mode all windows are "private windows" and the PB mode icon is not displayed * [WARNING] The P in PB mode is misleading: it means no "persistent" disk storage such as history, * caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode). * In fact, PB mode limits or removes the ability to control some of these, and you need to quit @@ -177,10 +178,6 @@ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] /*** [SECTION 0300]: QUIET FOX We only disable the auto-INSTALL of Firefox (app) updates. You still get prompts to update, and it only takes one click. We highly discourage disabling auto-CHECKING for updates. - - Legitimate reasons to disable auto-INSTALLS include hijacked/monetized extensions, time - constraints, legacy issues, dev/testing, and fear of breakage/bugs. It is still important - to do updates for security reasons, please do so manually if you make changes. ***/ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); /* 0301: disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+] @@ -208,11 +205,10 @@ user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF] /* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/ user_pref("extensions.htmlaboutaddons.recommendations.enabled", false); /* 0330: disable telemetry - * the pref (.unified) affects the behaviour of the pref (.enabled) - * IF unified=false then .enabled controls the telemetry module - * IF unified=true then .enabled ONLY controls whether to record extended data - * so make sure to have both set as false - * [NOTE] FF58+ 'toolkit.telemetry.enabled' is now LOCKED to reflect prerelease + * The "unified" pref affects the behaviour of the "enabled" pref + * - If "unified" is false then "enabled" controls the telemetry module + * - If "unified" is true then "enabled" only controls whether to record extended data + * [NOTE] FF58+ "toolkit.telemetry.enabled" is now LOCKED to reflect prerelease * or release builds (true and false respectively) [2] * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/ @@ -281,8 +277,8 @@ user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true] [3] https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work ***/ /* 0410: disable SB (Safe Browsing) - * [WARNING] Do this at your own risk! These are the master switches. - * [SETTING] Privacy & Security>Security>... "Block dangerous and deceptive content" ***/ + * [WARNING] Do this at your own risk! These are the master switches + * [SETTING] Privacy & Security>Security>... Block dangerous and deceptive content ***/ // user_pref("browser.safebrowsing.malware.enabled", false); // user_pref("browser.safebrowsing.phishing.enabled", false); /* 0411: disable SB checks for downloads (both local lookups + remote) @@ -300,7 +296,7 @@ user_pref("browser.safebrowsing.downloads.remote.url", ""); * [SETTING] Privacy & Security>Security>... "Warn you about unwanted and uncommon software" ***/ // user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); // user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false); -/* 0419: disable 'ignore this warning' on SB warnings [FF45+] +/* 0419: disable "ignore this warning" on SB warnings [FF45+] * If clicked, it bypasses the block for that session. This is a means for admins to enforce SB * [TEST] see github wiki APPENDIX A: Test Sites: Section 5 * [1] https://bugzilla.mozilla.org/1226490 ***/ @@ -331,7 +327,7 @@ user_pref("app.normandy.api_url", ""); user_pref("extensions.systemAddon.update.enabled", false); // [FF62+] user_pref("extensions.systemAddon.update.url", ""); // [FF44+] /* 0506: disable PingCentre telemetry (used in several System Add-ons) [FF57+] - * Currently blocked by 'datareporting.healthreport.uploadEnabled' (see 0340) ***/ + * Currently blocked by "datareporting.healthreport.uploadEnabled" (see 0340) ***/ user_pref("browser.ping-centre.telemetry", false); /* 0515: disable Screenshots ***/ // user_pref("extensions.screenshots.disabled", true); // [FF55+] @@ -371,10 +367,10 @@ user_pref("network.http.speculative-parallel-limit", 0); /*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!"); /* 0701: disable IPv6 - * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs. That's even - * assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4 + * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming + * your ISP and/or router and/or website is IPv6 capable. Most sites will fall back to IPv4 * [STATS] Firefox telemetry (July 2021) shows ~10% of all connections are IPv6 - * [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an + * [NOTE] This is an application level fallback. Disabling IPv6 is best done at an * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, * then this won't make much difference. If you are masking your IP, then it can only help. * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" @@ -383,7 +379,7 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost user_pref("network.dns.disableIPv6", true); /* 0702: disable HTTP2 * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to - * enhance privacy, and opens up a number of server-side fingerprinting opportunities. + * enhance privacy, and opens up a number of server-side fingerprinting opportunities * [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites * [STATS] ~46% of sites (July 2021) [5] * [1] https://http2.github.io/faq/ @@ -396,7 +392,7 @@ user_pref("network.dns.disableIPv6", true); // user_pref("network.http.spdy.enabled.http2", false); // user_pref("network.http.spdy.websockets", false); // [FF65+] /* 0703: disable HTTP Alternative Services [FF37+] - * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the + * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) and you understand the * consequences. FPI isolates these, but it was designed with the Tor protocol in mind, * and the Tor Browser has extra protection, including enhanced sanitizing per Identity. * [1] https://tools.ietf.org/html/rfc7838#section-9 @@ -422,18 +418,18 @@ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS - Change items 0850 and above to suit for privacy vs convenience and functionality. Consider - your environment (no unwanted eyeballs), your device (restricted access), your device's - unattended state (locked, encrypted, forensic hardened). Likewise, you may want to check - the items cleared on shutdown in section 2800. + Change 0850 and above to suit for privacy vs convenience and functionality. + Consider your environment (no unwanted eyeballs), your device (restricted access), + your device's unattended state (locked, encrypted, forensic hardened). Likewise, + you may want to check the items cleared on shutdown in section 2800. [1] https://xkcd.com/538/ ***/ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); /* 0801: disable location bar using search - * Don't leak URL typos to a search engine, give an error message instead. + * Don't leak URL typos to a search engine, give an error message instead * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com" - * [NOTE] This does **not** affect explicit user action such as using search buttons in the - * dropdown, or using keyword search shortcuts you configure in options (e.g. 'd' for DuckDuckGo) + * [NOTE] This does not affect explicit user action such as using search buttons in the + * dropdown, or using keyword search shortcuts you configure in options (e.g. "d" for DuckDuckGo) * [SETUP-CHROME] If you don't, or rarely, type URLs, or you use a default search * engine that respects privacy, then you probably don't need this ***/ user_pref("keyword.enabled", false); @@ -514,7 +510,7 @@ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); * [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/ // user_pref("signon.rememberSignons", false); /* 0902: use a primary password - * There are no preferences for this. It is all handled internally. + * There are no preferences for this. It is all handled internally * [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password * [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/ /* 0903: set how often Firefox should ask for the primary password @@ -545,12 +541,12 @@ user_pref("network.http.windows-sso.enabled", false); /*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS Cache tracking/fingerprinting techniques [1][2][3] require a cache. Disabling disk (1001) *and* memory (1003) caches is one solution; but that's extreme and fingerprintable. A hardened - Temporary Containers configuration can effectively do the same thing, by isolating every tab [4]. + Temporary Containers configuration can effectively do the same thing, by isolating every tab [4] We consider avoiding disk cache (1001) so cache is session/memory only (like Private Browsing mode), and isolating cache to first party (4001) is sufficient and a good balance between risk and performance. ETAGs can also be neutralized by modifying response headers [5], and - you can clear the cache manually or on a regular basis with an extension. + you can clear the cache manually or on a regular basis with an extension [1] https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags [2] https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/ @@ -590,12 +586,10 @@ user_pref("browser.sessionstore.privacy_level", 2); // user_pref("browser.sessionstore.resume_from_crash", false); /* 1023: set the minimum interval between session save operations * Increasing this can help on older machines and some websites, as well as reducing writes [1] - * Default is 15000 (15 secs). Try 30000 (30 secs), 60000 (1 min) etc - * [SETUP-CHROME] This can also affect entries in the "Recently Closed Tabs" feature: - * i.e. the longer the interval the more chance a quick tab open/close won't be captured. - * This longer interval *may* affect history but we cannot replicate any history not recorded + * [SETUP-CHROME] This can affect entries in "Recently Closed Tabs": i.e. the + * longer the interval the more chance a quick tab open/close won't be captured * [1] https://bugzilla.mozilla.org/1304389 ***/ -user_pref("browser.sessionstore.interval", 30000); +user_pref("browser.sessionstore.interval", 30000); // [DEFAULT: 1500] /* 1024: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS] * [1] https://bugzilla.mozilla.org/603903 ***/ user_pref("toolkit.winRegisterApplicationRestart", false); @@ -603,7 +597,7 @@ user_pref("toolkit.winRegisterApplicationRestart", false); /** FAVICONS ***/ /* 1030: disable favicons in shortcuts * URL shortcuts use a cached randomly named .ico file which is stored in your - * profile/shortcutCache directory. The .ico remains after the shortcut is deleted. + * profile/shortcutCache directory. The .ico remains after the shortcut is deleted * If set to false then the shortcuts use a generic Firefox icon ***/ user_pref("browser.shell.shortcutFavicons", false); /* 1031: disable favicons in history and bookmarks @@ -638,7 +632,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); user_pref("security.ssl.require_safe_negotiation", true); /* 1202: control TLS versions with min and max * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 - * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint. + * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint * [1] https://www.ssllabs.com/ssl-pulse/ ***/ // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] // user_pref("security.tls.version.max", 4); @@ -686,8 +680,8 @@ user_pref("security.OCSP.require", true); * 2=deprecated option that now maps to 1 * 3=only allowed for locally-added roots (e.g. anti-virus) * 4=only allowed for locally-added roots or for certs in 2015 and earlier - * [SETUP-CHROME] When disabled, some man-in-the-middle devices (e.g. security scanners and - * antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete. + * [SETUP-CHROME] When disabled, some man-in-the-middle devices, e.g. security scanners and + * antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/ user_pref("security.pki.sha1_enforcement_level", 1); /* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS] @@ -732,8 +726,8 @@ user_pref("dom.security.https_only_mode", true); // [FF76+] /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/ // user_pref("dom.security.https_only_mode.upgrade_local", true); /* 1246: disable HTTP background requests [FF82+] - * When attempting to upgrade, if the server doesn't respond within 3 seconds, firefox - * sends HTTP requests in order to check if the server supports HTTPS or not. + * When attempting to upgrade, if the server doesn't respond within 3 seconds, + * Firefox sends HTTP requests in order to check if the server supports HTTPS or not * This is done to avoid waiting for a timeout which takes 90 seconds * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/ user_pref("dom.security.https_only_mode_send_http_background_request", false); @@ -805,14 +799,13 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); user_pref("gfx.font_rendering.graphite.enabled", false); /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed - * [NOTE] In FF81+ the whitelist **overrides** RFP's font visibility (see 4620) + * [NOTE] In FF81+ the whitelist overrides RFP's font visibility (see 4620) * [WARNING] DO NOT USE: in FF80+ RFP covers this, and non-RFP users should use font vis (4620) * [1] https://bugzilla.mozilla.org/1121643 ***/ // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] /*** [SECTION 1600]: HEADERS / REFERERS Only *cross domain* referers need controlling: leave 1601, 1602, 1605 and 1606 alone - --- Expect some breakage: Use an extension if you need precise control --- full URI: https://example.com:8888/foo/bar.html?id=1234 @@ -935,8 +928,8 @@ user_pref("_user.js.parrot", "2200 syntax error: the parrot's 'istory!"); /* 2202: prevent scripts from moving and resizing open windows ***/ user_pref("dom.disable_window_move_resize", true); /* 2203: open links targeting new windows in a new tab instead - * This stops malicious window sizes and some screen resolution leaks. - * You can still right-click a link and open in a new window. + * Stops malicious window sizes and some screen resolution leaks. + * You can still right-click a link and open in a new window * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab @@ -949,8 +942,7 @@ user_pref("browser.link.open_newwindow.restriction", 0); /* 2210: block popup windows * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ user_pref("dom.disable_open_during_load", true); -/* 2212: limit events that can cause a popup [SETUP-WEB] - * default FF86+: "change click dblclick auxclick mousedown mouseup pointerdown pointerup notificationclick reset submit touchend contextmenu ***/ +/* 2212: limit events that can cause a popup [SETUP-WEB] ***/ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); /*** [SECTION 2300]: WEB WORKERS @@ -971,11 +963,11 @@ user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!"); * Service workers essentially act as proxy servers that sit between web apps, and the * browser and network, are event driven, and can control the web page/site it is associated * with, intercepting and modifying navigation and resource requests, and caching resources. - * [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode. - * [NOTE] Service workers only run over HTTPS. Service workers have no DOM access. + * [NOTE] Service workers require HTTPS, have no DOM access, and are not supported in PB mode [1] * [SETUP-WEB] Disabling service workers will break some sites. This pref is required true for * service worker notifications (2304), push notifications (disabled, 2305) and service worker - * cache (2740). If you enable this pref, then check those settings as well ***/ + * cache (2740). If you enable this pref, then check those settings as well + * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1320796#c7 ***/ user_pref("dom.serviceWorkers.enabled", false); /* 2304: disable Web Notifications * [NOTE] Web Notifications can also use service workers (2302) and are behind a prompt (2306) @@ -984,11 +976,10 @@ user_pref("dom.serviceWorkers.enabled", false); // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+] /* 2305: disable Push Notifications [FF44+] * Push is an API that allows websites to send you (subscribed) messages even when the site - * isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server. + * isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server * [NOTE] Push requires service workers (2302) to subscribe to and display, and is behind * a prompt (2306). Disabling service workers alone doesn't stop Firefox polling the - * Mozilla Push Server. To remove all subscriptions, reset your userAgentID (in about:config - * or on start), and you will get a new one within a few seconds. + * Mozilla Push Server. To remove all subscriptions, reset your userAgentID. * [1] https://support.mozilla.org/kb/push-notifications-firefox * [2] https://developer.mozilla.org/docs/Web/API/Push_API ***/ user_pref("dom.push.enabled", false); @@ -1008,8 +999,8 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket! /* 2402: disable website access to clipboard events/content [SETUP-HARDEN] * [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress * This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website - * [WARNING] In FF88 or lower, with clipboardevents enabled, if both 'middlemouse.paste' and - * 'general.autoScroll' are true (at least one is default false) then the clipboard can leak [1] + * [WARNING] In FF88 or lower, with clipboardevents enabled, if both "middlemouse.paste" and + * "general.autoScroll" are true (at least one is default false) then the clipboard can leak [1] * [1] https://bugzilla.mozilla.org/1528289 ***/ // user_pref("dom.event.clipboardevents.enabled", false); /* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] @@ -1017,9 +1008,8 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket! * [1] https://bugzilla.mozilla.org/1170911 ***/ user_pref("dom.allow_cut_copy", false); /* 2405: disable "Confirm you want to leave" dialog on page close - * Does not prevent JS leaks of the page close event. - * [1] https://developer.mozilla.org/docs/Web/Events/beforeunload - * [2] https://support.mozilla.org/questions/1043508 ***/ + * Does not prevent JS leaks of the page close event + * [1] https://developer.mozilla.org/docs/Web/Events/beforeunload ***/ user_pref("dom.disable_beforeunload", true); /* 2414: disable shaking the screen ***/ user_pref("dom.vibrator.enabled", false); @@ -1117,7 +1107,7 @@ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] * [1] https://bugzilla.mozilla.org/1173199 ***/ // user_pref("mathml.disabled", true); /* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+] - * [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile. + * [WARNING] Expect breakage including youtube player controls * [1] https://bugzilla.mozilla.org/1216893 ***/ // user_pref("svg.disabled", true); /* 2611: disable middle mouse click opening links from clipboard @@ -1144,12 +1134,12 @@ user_pref("network.IDN_show_punycode", true); /* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME] * This setting controls if the option "Display in Firefox" is available in the setting below * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With") - * PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most) + * PROS: pdfjs is lightweight, open source, and as secure/vetted more than most * Exploits are rare (one serious case in seven years), treated seriously and patched quickly. * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps). * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk. * CONS: You may prefer a different pdf reader for security reasons - * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare) + * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code * [SETTING] General>Applications>Portable Document Format (PDF) ***/ user_pref("pdfjs.disabled", false); // [DEFAULT: false] user_pref("pdfjs.enableScripting", false); // [FF86+] @@ -1268,11 +1258,10 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] /* 2720: disable DOM (Document Object Model) Storage - * [WARNING] This will break a LOT of sites' functionality AND extensions! - * You are better off using an extension for more granular control ***/ + * [WARNING] This will break lots of sites and extensions! ***/ // user_pref("dom.storage.enabled", false); /* 2730: disable offline cache (appCache) - * [NOTE] In FF90+ the storage capability has been removed (1694662). For FF78-89 see the 2730 deprecated pref + * [NOTE] In FF90+ the storage capability has been removed (1694662) * [WARNING] The API is easily fingerprinted, do not disable ***/ // user_pref("browser.cache.offline.enable", false); /* 2740: disable service worker cache and cache storage @@ -1301,7 +1290,7 @@ user_pref("dom.storage.next_gen", true); "offlineApps" prefs below to false, and to set the cookie lifetime pref to 2 (2703) * "Offline Website Data" includes appCache (2730), localStorage (2720), service worker cache (2740), and QuotaManager (IndexedDB, asm-cache) - * In both 2803 + 2804, the 'download' and 'history' prefs are combined in the + * In both 2803 + 2804, the "download" and "history" prefs are combined in the Firefox interface as "Browsing & Download History" and their values will be synced ***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); @@ -1309,11 +1298,10 @@ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!" * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/ user_pref("privacy.sanitize.sanitizeOnShutdown", true); /* 2803: set what items to clear on shutdown (if 2802 is true) [SETUP-CHROME] - * [NOTE] If 'history' is true, downloads will also be cleared regardless of the value - * but if 'history' is false, downloads can still be cleared independently - * However, this may not always be the case. The interface combines and syncs these - * prefs when set from there, and the sanitize code may change at any time - * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings ***/ + * [NOTE] If "history" is true, downloads will also be cleared + * [NOTE] Active Logins does not refer to logins via cookies, but rather HTTP Basic Authentication [1] + * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings + * [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/ user_pref("privacy.clearOnShutdown.cache", true); user_pref("privacy.clearOnShutdown.cookies", true); user_pref("privacy.clearOnShutdown.downloads", true); // see note above @@ -1324,9 +1312,9 @@ user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences /* 2804: reset default items to clear with Ctrl-Shift-Del (to match 2803) [SETUP-CHROME] * This dialog can also be accessed from the menu History>Clear Recent History - * Firefox remembers your last choices. This will reset them when you start Firefox. - * [NOTE] Regardless of what you set privacy.cpd.downloads to, as soon as the dialog - * for "Clear Recent History" is opened, it is synced to the same as 'history' ***/ + * Firefox remembers your last choices. This will reset them when you start Firefox + * [NOTE] Regardless of what you set "downloads" to, as soon as the dialog + * for "Clear Recent History" is opened, it is synced to the same as "history" ***/ user_pref("privacy.cpd.cache", true); user_pref("privacy.cpd.cookies", true); // user_pref("privacy.cpd.downloads", true); // not used, see note above @@ -1342,12 +1330,11 @@ user_pref("privacy.cpd.siteSettings", false); // Site Preferences * [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/ // user_pref("privacy.clearOnShutdown.openWindows", true); // user_pref("privacy.cpd.openWindows", true); -/* 2806: reset default 'Time range to clear' for 'Clear Recent History' (see 2804) - * Firefox remembers your last choice. This will reset the value when you start Firefox. - * 0=everything, 1=last hour, 2=last two hours, 3=last four hours, - * 4=today, 5=last five minutes, 6=last twenty-four hours - * [NOTE] The values 5 + 6 are not listed in the dropdown, which will display a - * blank value if they are used, but they do work as advertised ***/ +/* 2806: reset default "Time range to clear" for "Clear Recent History" (see 2804) + * Firefox remembers your last choice. This will reset the value when you start Firefox + * 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today + * [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown, + * which will display a blank value, and are not guaranteed to work ***/ user_pref("privacy.sanitize.timeSpan", 0); /*** [SECTION 4000]: FPI (FIRST PARTY ISOLATION) @@ -1380,7 +1367,7 @@ user_pref("privacy.firstparty.isolate", true); * [NOTE] Setting this to false may reduce the breakage in 4001 * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute [2][3] - * The 2nd pref removes that limitation and will only allow communication if FPDs also match. + * The 2nd pref removes that limitation and will only allow communication if FPDs also match * [1] https://bugzilla.mozilla.org/1319773#c22 * [2] https://bugzilla.mozilla.org/1492607 * [3] https://developer.mozilla.org/docs/Web/API/Window/postMessage ***/ @@ -1459,13 +1446,13 @@ user_pref("privacy.firstparty.isolate", true); ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] - * [SETUP-WEB] RFP can cause the odd website to break in strange ways, and has a few side affects, - * but is largely robust nowadays. Give it a try. Your choice. Also see 4504 (letterboxing). + * [SETUP-WEB] RFP can some cause website breakage: mainly canvas, use a site exception via the urlbar + * RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme * [1] https://bugzilla.mozilla.org/418986 ***/ user_pref("privacy.resistFingerprinting", true); /* 4502: set new window sizes to round to hundreds [FF55+] [SETUP-CHROME] * Width will round down to multiples of 200s and height to 100s, to fit your screen. - * The override values are a starting point to round from if you want some control + * The max values are a starting point to round from if you want some control * [1] https://bugzilla.mozilla.org/1330882 ***/ // user_pref("privacy.window.maxInnerWidth", 1000); // user_pref("privacy.window.maxInnerHeight", 1000); @@ -1475,10 +1462,10 @@ user_pref("privacy.resistFingerprinting", true); user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF] /* 4504: enable RFP letterboxing [FF67+] * Dynamically resizes the inner window by applying margins in stepped ranges [2] - * If you use the dimension pref, then it will only apply those resolutions. The format is - * "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900") - * [SETUP-WEB] This does NOT require RFP (see 4501) **for now**, so if you're not using 4501, or you are but - * dislike margins being applied, then flip this pref, keeping in mind that it is effectively fingerprintable + * If you use the dimension pref, then it will only apply those resolutions. + * The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000") + * [SETUP-WEB] This is independent of RFP (4501). If you're not using RFP, or you are but + * dislike the margins, then flip this pref, keeping in mind that it is effectively fingerprintable * [WARNING] DO NOT USE: the dimension pref is only meant for testing * [1] https://bugzilla.mozilla.org/1407366 * [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/ @@ -1556,7 +1543,7 @@ user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan To save some overrides, we've made a few active as they seem to be universally used ***/ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); -/* WELCOME & WHAT's NEW NOTICES ***/ +/* WELCOME & WHAT'S NEW NOTICES ***/ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch // user_pref("startup.homepage_welcome_url", ""); // user_pref("startup.homepage_welcome_url.additional", ""); From dcc736bb85240c63b9897d770ef08bddcd77bd29 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 16 Aug 2021 04:03:56 +0000 Subject: [PATCH 336/657] I meant 14 lines, u lucky bastards --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index bdf68c9..1105839 100644 --- a/user.js +++ b/user.js @@ -71,7 +71,6 @@ 5000: PERSONAL 9999: DEPRECATED / REMOVED / LEGACY / RENAMED - ******/ /* START: internal custom pref to test for syntax errors From 7d1e244f5aef715da3488c9969305df571671a0d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 16 Aug 2021 04:10:20 +0000 Subject: [PATCH 337/657] 0506: clarify oh noes! what's blocked, the pref or the ping? .. also save MOAR bytes --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 1105839..71ac044 100644 --- a/user.js +++ b/user.js @@ -326,7 +326,7 @@ user_pref("app.normandy.api_url", ""); user_pref("extensions.systemAddon.update.enabled", false); // [FF62+] user_pref("extensions.systemAddon.update.url", ""); // [FF44+] /* 0506: disable PingCentre telemetry (used in several System Add-ons) [FF57+] - * Currently blocked by "datareporting.healthreport.uploadEnabled" (see 0340) ***/ + * Defense-in-depth: currently covered by 0340 ***/ user_pref("browser.ping-centre.telemetry", false); /* 0515: disable Screenshots ***/ // user_pref("extensions.screenshots.disabled", true); // [FF55+] From 8d6ee7c0c74b0b458091164a691f90d83f39beed Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 16 Aug 2021 04:18:12 +0000 Subject: [PATCH 338/657] oophs --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 71ac044..6c1a4aa 100644 --- a/user.js +++ b/user.js @@ -588,7 +588,7 @@ user_pref("browser.sessionstore.privacy_level", 2); * [SETUP-CHROME] This can affect entries in "Recently Closed Tabs": i.e. the * longer the interval the more chance a quick tab open/close won't be captured * [1] https://bugzilla.mozilla.org/1304389 ***/ -user_pref("browser.sessionstore.interval", 30000); // [DEFAULT: 1500] +user_pref("browser.sessionstore.interval", 30000); // [DEFAULT: 15000] /* 1024: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS] * [1] https://bugzilla.mozilla.org/603903 ***/ user_pref("toolkit.winRegisterApplicationRestart", false); From e7872b193be81126e20da7f25d3fac4984901c7c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 16 Aug 2021 04:22:46 +0000 Subject: [PATCH 339/657] !yoda no bytes were harmed in the making of this commit --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 6c1a4aa..e21c8cf 100644 --- a/user.js +++ b/user.js @@ -1445,7 +1445,7 @@ user_pref("privacy.firstparty.isolate", true); ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] - * [SETUP-WEB] RFP can some cause website breakage: mainly canvas, use a site exception via the urlbar + * [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a site exception via the urlbar * RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme * [1] https://bugzilla.mozilla.org/418986 ***/ user_pref("privacy.resistFingerprinting", true); From 51e388ae866a2f133b575c7b3c850afdfd46a0c3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 16 Aug 2021 15:06:06 +0000 Subject: [PATCH 340/657] dom.storage.enabled --- scratchpad-scripts/arkenfox-clear-removed.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index fe97e52..6d23182 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 24-July-2021 + Last updated: 16-August-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -241,6 +241,8 @@ 'webgl.min_capability_mode', /* 89-beta */ 'security.ssl.enable_ocsp_stapling', + /* 91-beta */ + 'dom.storage.enabled', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ]; From 668e843fcea93871fefe968894309b17d520ba1c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 16 Aug 2021 15:34:57 +0000 Subject: [PATCH 341/657] misc - remove 2720 - this is a very old pref, been inactive since at least our first github release: v51 - disabling the API is not how you control client side state: you do that by blocking cookies which also controls other state such as IDB etc - 2700 section header - history/downloads is redundant - Offline Website Data info -> relevant item number with Active Logins info - ^ technically it still includes appCache for ESR78 users, but that will be moot in less than three months - tidy RFP - update to FF91 userAgent spoofing: there is no Android ESR so we don't need to mention "Android 9" - we don't need to say if the API is enabled for mediaDevices --- user.js | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/user.js b/user.js index e21c8cf..2e1c291 100644 --- a/user.js +++ b/user.js @@ -1256,9 +1256,6 @@ user_pref("privacy.trackingprotection.enabled", true); user_pref("privacy.trackingprotection.socialtracking.enabled", true); // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] -/* 2720: disable DOM (Document Object Model) Storage - * [WARNING] This will break lots of sites and extensions! ***/ - // user_pref("dom.storage.enabled", false); /* 2730: disable offline cache (appCache) * [NOTE] In FF90+ the storage capability has been removed (1694662) * [WARNING] The API is easily fingerprinted, do not disable ***/ @@ -1287,10 +1284,6 @@ user_pref("dom.storage.next_gen", true); * If you want to keep some sites' cookies (exception as "Allow") and optionally other site data but clear all the rest on close, then you need to set the "cookie" and optionally the "offlineApps" prefs below to false, and to set the cookie lifetime pref to 2 (2703) - * "Offline Website Data" includes appCache (2730), localStorage (2720), - service worker cache (2740), and QuotaManager (IndexedDB, asm-cache) - * In both 2803 + 2804, the "download" and "history" prefs are combined in the - Firefox interface as "Browsing & Download History" and their values will be synced ***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); /* 2802: enable Firefox to clear items on shutdown (see 2803) @@ -1298,7 +1291,8 @@ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!" user_pref("privacy.sanitize.sanitizeOnShutdown", true); /* 2803: set what items to clear on shutdown (if 2802 is true) [SETUP-CHROME] * [NOTE] If "history" is true, downloads will also be cleared - * [NOTE] Active Logins does not refer to logins via cookies, but rather HTTP Basic Authentication [1] + * [NOTE] Active Logins: does not refer to logins via cookies, but rather HTTP Basic Authentication [1] + * [NOTE] Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache) * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings * [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/ user_pref("privacy.clearOnShutdown.cache", true); @@ -1389,15 +1383,15 @@ user_pref("privacy.firstparty.isolate", true); [TEST] https://arkenfox.github.io/TZP/tzp.html#screen FF50+ 1281949 - spoof screen orientation - 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes + 1281963 - hide contents of navigator.plugins and navigator.mimeTypes FF55+ - 1330890 - spoof timezone as UTC 0 + 1330890 - spoof timezone as UTC0 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) 1217238 - reduce precision of time exposed by javascript FF56+ 1369303 - spoof/disable performance API (see 4602, 4603) 1333651 - spoof User Agent & Navigator API (see 4650) - JS: FF78+ the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 9 (FF91+ as 10), or Linux + JS: FF91+ the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 10, or Linux HTTP Headers: spoofed as Windows or Android 1369319 - disable device sensor API (see 4604) 1369357 - disable site specific zoom (see 4605) @@ -1411,13 +1405,12 @@ user_pref("privacy.firstparty.isolate", true); 1382545 - reduce fingerprinting in Animation API 1354633 - limit MediaError.message to a whitelist 1382533 & 1697680 - enable fingerprinting resistance for Presentation API (FF57-87) - This blocks exposure of local IP Addresses via mDNS (Multicast DNS) + Blocks exposure of local IP Addresses via mDNS (Multicast DNS) FF58+ 967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction FF59+ 1372073 - spoof/block fingerprinting in MediaDevices API - Spoof: enumerate devices reports one "Internal Camera" and one "Internal Microphone" if - media.navigator.enabled is true (see 4612) + Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone" (see 4612) Block: suppresses the ondevicechange event (see 4613) 1039069 - warn when language prefs are set to non en-US (see 0210, 0211) 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events From 1d63e836ee02e19b081fd7f49c8b61dbe1dc53c8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 17 Aug 2021 02:52:19 +0000 Subject: [PATCH 342/657] musical chairs part 1 - move 2200s into respective sections - move FPing items into 2500s --- user.js | 76 +++++++++++++++++++++++++++------------------------------ 1 file changed, 36 insertions(+), 40 deletions(-) diff --git a/user.js b/user.js index 2e1c291..4ef5425 100644 --- a/user.js +++ b/user.js @@ -37,7 +37,7 @@ - If you are not using arkenfox v78... (not a definitive list) - 1244: HTTPS-Only mode is enabled - 1401: document fonts is inactive as it is now covered by RFP in FF80+ - - 2626: non-native widget theme is enforced + - 2525: non-native widget theme is enforced - 9999: switch the appropriate deprecated section(s) back on * INDEX: @@ -58,7 +58,6 @@ 1700: CONTAINERS 1800: PLUGINS 2000: MEDIA / CAMERA / MIC - 2200: WINDOW MEDDLING & LEAKS / POPUPS 2300: WEB WORKERS 2400: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT 2500: HARDWARE FINGERPRINTING @@ -922,28 +921,6 @@ user_pref("media.getusermedia.audiocapture.enabled", false); * [1] https://support.mozilla.org/questions/1293231 ***/ user_pref("media.autoplay.blocking_policy", 2); -/*** [SECTION 2200]: WINDOW MEDDLING & LEAKS / POPUPS ***/ -user_pref("_user.js.parrot", "2200 syntax error: the parrot's 'istory!"); -/* 2202: prevent scripts from moving and resizing open windows ***/ -user_pref("dom.disable_window_move_resize", true); -/* 2203: open links targeting new windows in a new tab instead - * Stops malicious window sizes and some screen resolution leaks. - * You can still right-click a link and open in a new window - * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen - * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ -user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab -user_pref("browser.link.open_newwindow.restriction", 0); -/* 2204: disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks - * [NOTE] You can still manually toggle the browser's fullscreen state (F11), - * but this pref will disable embedded video/game fullscreen controls, e.g. youtube - * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen ***/ - // user_pref("full-screen-api.enabled", false); -/* 2210: block popup windows - * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ -user_pref("dom.disable_open_during_load", true); -/* 2212: limit events that can cause a popup [SETUP-WEB] ***/ -user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); - /*** [SECTION 2300]: WEB WORKERS A worker is a JS "background task" running in a global context, i.e. it is different from the current window. Workers can spawn new workers (must be the same origin & scheme), @@ -1002,14 +979,24 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket! * "general.autoScroll" are true (at least one is default false) then the clipboard can leak [1] * [1] https://bugzilla.mozilla.org/1528289 ***/ // user_pref("dom.event.clipboardevents.enabled", false); -/* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] +/* 2403: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] * this disables document.execCommand("cut"/"copy") to protect your clipboard * [1] https://bugzilla.mozilla.org/1170911 ***/ user_pref("dom.allow_cut_copy", false); -/* 2405: disable "Confirm you want to leave" dialog on page close +/* 2404: disable "Confirm you want to leave" dialog on page close * Does not prevent JS leaks of the page close event * [1] https://developer.mozilla.org/docs/Web/Events/beforeunload ***/ user_pref("dom.disable_beforeunload", true); +/* 2405: prevent scripts from moving and resizing open windows ***/ +user_pref("dom.disable_window_move_resize", true); +/* 2406: block popup windows + * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ +user_pref("dom.disable_open_during_load", true); +/* 2407: limit events that can cause a popup [SETUP-WEB] ***/ +user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); +/* 2408: enable (limited but sufficient) window.opener protection [FF65+] + * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ +user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] /* 2414: disable shaking the screen ***/ user_pref("dom.vibrator.enabled", false); /* 2420: disable asm.js [FF22+] [SETUP-PERF] @@ -1037,14 +1024,11 @@ user_pref("javascript.options.asmjs", false); * [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly * [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/ user_pref("javascript.options.wasm", false); -/* 2429: enable (limited but sufficient) window.opener protection [FF65+] - * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ -user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] /*** [SECTION 2500]: HARDWARE FINGERPRINTING ***/ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!"); /* 2502: disable Battery Status API - * [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code [1] + * [NOTE] FF52+ Battery Status API is only available in chrome/privileged code [1] * [1] https://bugzilla.mozilla.org/1313580 ***/ // user_pref("dom.battery.enabled", false); /* 2508: disable hardware acceleration to reduce graphics fingerprinting [SETUP-HARDEN] @@ -1076,6 +1060,22 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m user_pref("webgl.disabled", true); user_pref("webgl.enable-webgl2", false); user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] +/* 2523: enforce no system colors + * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ +user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] +/* 2524: open links targeting new windows in a new tab instead + * Stops malicious window sizes and some screen resolution leaks. + * You can still right-click a link and open in a new window + * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ +user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab +user_pref("browser.link.open_newwindow.restriction", 0); +/* 2525: enforce non-native widget theme + * Security: removes/reduces system API calls, e.g. win32k API [1] + * Fingerprinting: provides a uniform look and feel across platforms [2] + * [1] https://bugzilla.mozilla.org/1381938 + * [2] https://bugzilla.mozilla.org/1411425 ***/ +user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+] /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); @@ -1144,9 +1144,6 @@ user_pref("pdfjs.disabled", false); // [DEFAULT: false] user_pref("pdfjs.enableScripting", false); // [FF86+] /* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/ user_pref("network.protocol-handler.external.ms-windows-store", false); -/* 2622: enforce no system colors; they can be fingerprinted - * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ -user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] /* 2623: disable permissions delegation [FF73+] * Currently applies to cross-origin geolocation, camera, mic and screen-sharing * permissions, and fullscreen requests. Disabling delegation means any prompts @@ -1161,12 +1158,11 @@ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] /* 2625: disable bypassing 3rd party extension install prompts [FF82+] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/ user_pref("extensions.postDownloadThirdPartyPrompt", false); -/* 2626: enforce non-native widget theme - * Security: removes/reduces system API calls, e.g. win32k API [1] - * Fingerprinting: provides a uniform look and feel across platforms [2] - * [1] https://bugzilla.mozilla.org/1381938 - * [2] https://bugzilla.mozilla.org/1411425 ***/ -user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+] +/* 2626: disable Fullscreen API (requires user interaction) + * [NOTE] You can still toggle fullscreen with F11 + * [WARNING] This is fingerprintable and will break embedded video/game FS controls, e.g. youtube + * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen ***/ + // user_pref("full-screen-api.enabled", false); /** DOWNLOADS ***/ /* 2650: discourage downloading to desktop @@ -1276,7 +1272,7 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); * [1] https://developer.mozilla.org/docs/Web/API/Storage_Access_API ***/ // user_pref("dom.storage_access.enabled", false); /* 2760: enable Local Storage Next Generation (LSNG) [FF65+] ***/ -user_pref("dom.storage.next_gen", true); +user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] /*** [SECTION 2800]: SHUTDOWN * Sanitizing on shutdown is all or nothing. It does not use Managed Exceptions under From 77410bf86d4dd2d2ca163bbdbcfd54e65bc49ddb Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 17 Aug 2021 03:08:48 +0000 Subject: [PATCH 343/657] musical chairs part 2 merge plugins with webrtc (camera + mic) and "media" --- user.js | 38 +++++++++++++++++--------------------- 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/user.js b/user.js index 4ef5425..598abe1 100644 --- a/user.js +++ b/user.js @@ -56,8 +56,7 @@ 1400: FONTS 1600: HEADERS / REFERERS 1700: CONTAINERS - 1800: PLUGINS - 2000: MEDIA / CAMERA / MIC + 2000: PLUGINS / MEDIA / WEBRTC 2300: WEB WORKERS 2400: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT 2500: HARDWARE FINGERPRINTING @@ -868,22 +867,7 @@ user_pref("privacy.userContext.enabled", true); * [SETTING] General>Tabs>Enable Container Tabs>Settings>Select a container for each new tab ***/ // user_pref("privacy.userContext.newTabContainerOnLeftClick.enabled", true); -/*** [SECTION 1800]: PLUGINS ***/ -user_pref("_user.js.parrot", "1800 syntax error: the parrot's pushing up daisies!"); -/* 1820: disable GMP (Gecko Media Plugins) - * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/ - // user_pref("media.gmp-provider.enabled", false); -/* 1825: disable widevine CDM (Content Decryption Module) - * [NOTE] This is covered by the EME master switch (1830) ***/ - // user_pref("media.gmp-widevinecdm.enabled", false); -/* 1830: disable all DRM content (EME: Encryption Media Extension) - * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV - * [SETTING] General>DRM Content>Play DRM-controlled content - * [TEST] https://bitmovin.com/demos/drm - * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/ -user_pref("media.eme.enabled", false); - -/*** [SECTION 2000]: MEDIA / CAMERA / MIC ***/ +/*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!"); /* 2001: disable WebRTC (Web Real-Time Communication) * [SETUP-WEB] WebRTC can leak your IP address from behind your VPN, but if this is not @@ -899,18 +883,30 @@ user_pref("media.peerconnection.enabled", false); user_pref("media.peerconnection.ice.default_address_only", true); user_pref("media.peerconnection.ice.no_host", true); // [FF51+] user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+] -/* 2022: disable screensharing ***/ +/* 2003: disable screensharing ***/ user_pref("media.getusermedia.screensharing.enabled", false); user_pref("media.getusermedia.browser.enabled", false); user_pref("media.getusermedia.audiocapture.enabled", false); -/* 2024: set a default permission for Camera/Microphone [FF58+] +/* 2004: set a default permission for Camera/Microphone [FF58+] * 0=always ask (default), 1=allow, 2=block * [SETTING] to add site exceptions: Ctrl+I>Permissions>Use the Camera/Microphone * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings ***/ // user_pref("permissions.default.camera", 2); // user_pref("permissions.default.microphone", 2); +/* 2020: disable GMP (Gecko Media Plugins) + * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/ + // user_pref("media.gmp-provider.enabled", false); +/* 2021: disable widevine CDM (Content Decryption Module) + * [NOTE] This is covered by the EME master switch (2022) ***/ + // user_pref("media.gmp-widevinecdm.enabled", false); +/* 2022: disable all DRM content (EME: Encryption Media Extension) + * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV + * [SETTING] General>DRM Content>Play DRM-controlled content + * [TEST] https://bitmovin.com/demos/drm + * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/ +user_pref("media.eme.enabled", false); /* 2030: disable autoplay of HTML5 media [FF63+] - * 0=Allow all, 1=Block non-muted media (default in FF67+), 2=Prompt (removed in FF66), 5=Block all (FF69+) + * 0=Allow all, 1=Block non-muted media (default), 5=Block all * [NOTE] You can set exceptions under site permissions * [SETTING] Privacy & Security>Permissions>Autoplay>Settings>Default for all websites ***/ // user_pref("media.autoplay.default", 5); From d7208ccf344a254c2117c911ba41c38428161479 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 17 Aug 2021 03:41:56 +0000 Subject: [PATCH 344/657] tidy --- user.js | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index 598abe1..51d1d01 100644 --- a/user.js +++ b/user.js @@ -1027,20 +1027,19 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m * [NOTE] FF52+ Battery Status API is only available in chrome/privileged code [1] * [1] https://bugzilla.mozilla.org/1313580 ***/ // user_pref("dom.battery.enabled", false); -/* 2508: disable hardware acceleration to reduce graphics fingerprinting [SETUP-HARDEN] - * [WARNING] Affects text rendering (fonts will look different), impacts video performance, - * and parts of Quantum that utilize the GPU will also be affected as they are rolled out +/* 2508: disable hardware acceleration [SETUP-HARDEN] + * [WARNING] Affects rendering and performance * [SETTING] General>Performance>Custom>Use hardware acceleration when available * [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/ // user_pref("gfx.direct2d.disabled", true); // [WINDOWS] // user_pref("layers.acceleration.disabled", true); /* 2517: disable Media Capabilities API [FF63+] - * [WARNING] This *may* affect media performance if disabled, no one is sure + * [WARNING] The API state is fingerprintable and disabling may affect performance * [1] https://github.com/WICG/media-capabilities * [2] https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/ // user_pref("media.media-capabilities.enabled", false); /* 2520: disable virtual reality devices - * Optional protection depending on your connected devices + * [WARNING] The API state is fingerprintable * [1] https://developer.mozilla.org/docs/Web/API/WebVR_API ***/ // user_pref("dom.vr.enabled", false); /* 2521: set a default permission for Virtual Reality (see 2520) [FF73+] From 41c3c0ec26ef4392169fa1d04fd5783ac03bfc8e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 17 Aug 2021 03:47:33 +0000 Subject: [PATCH 345/657] tweak 2522: webgl - we already disable webgl, that's enough - the other two prefs are not going to provide much protection if a user decides they want webgl - "disable-fail-if-major-performance-caveat" only applies to ESR78 and will removed in the future - one (or two) less pref(2) for users to troubleshoot/flip --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 51d1d01..27885ea 100644 --- a/user.js +++ b/user.js @@ -1053,8 +1053,8 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m * [1] https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/ * [2] https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/ user_pref("webgl.disabled", true); -user_pref("webgl.enable-webgl2", false); -user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] + // user_pref("webgl.enable-webgl2", false); + // user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] /* 2523: enforce no system colors * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] From fdc9376c69ef850ef2cc58e9da3c97f247dd0407 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 18 Aug 2021 01:50:09 +0000 Subject: [PATCH 346/657] tidy - 0105*: merge into a single block - 1220: make values more readable with spaces, like 2701 (no need for value 2), add default, update advise (get a new AV, SHA1 is dead baby) - 2619: remove fluff --- user.js | 37 ++++++++++++++----------------------- 1 file changed, 14 insertions(+), 23 deletions(-) diff --git a/user.js b/user.js index 27885ea..cba4c36 100644 --- a/user.js +++ b/user.js @@ -102,24 +102,18 @@ user_pref("browser.startup.homepage", "about:blank"); * [SETTING] Home>New Windows and Tabs>New tabs ***/ user_pref("browser.newtabpage.enabled", false); user_pref("browser.newtab.preload", false); -/* 0105: disable Activity Stream stuff (AS) - * AS is the default homepage/newtab based on metadata and browsing behavior - * **NOT LISTING ALL OF THESE: USE THE PREFERENCES UI** +/* 0105: disable some Activity Stream items + * Activity Stream is the default homepage/newtab based on metadata and browsing behavior * [SETTING] Home>Firefox Home Content>... to show/hide what you want ***/ -/* 0105a: disable Activity Stream telemetry ***/ user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false); user_pref("browser.newtabpage.activity-stream.telemetry", false); -/* 0105b: disable Activity Stream Snippets - * Runs code received from a server (aka Remote Code Execution) and sends information back to a metrics server - * [1] https://abouthome-snippets-service.readthedocs.io/ ***/ user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); // [DEFAULT: false FF89+] -/* 0105c: disable Activity Stream Top Stories, Pocket-based and/or sponsored content ***/ user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); user_pref("browser.newtabpage.activity-stream.showSponsored", false); user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); // [FF66+] user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); // [FF83+] -/* 0105e: clear default topsites +/* 0106: clear default topsites * [NOTE] This does not block you from adding your own ***/ user_pref("browser.newtabpage.activity-stream.default.sites", ""); /* 0110: start Firefox in PB (Private Browsing) mode @@ -263,7 +257,7 @@ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!"); user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true] /** SAFE BROWSING (SB) - Safe Browsing has taken many steps to preserve privacy. *IF* required, a full url is never + Safe Browsing has taken many steps to preserve privacy. If required, a full url is never sent to Google, only a PART-hash of the prefix, and this is hidden with noise of other real PART-hashes. Google also swear it is anonymized and only used to flag malicious sites. Firefox also takes measures such as striping out identifying parameters and since SBv4 (FF57+) @@ -672,13 +666,11 @@ user_pref("security.OCSP.require", true); /** CERTS / HPKP (HTTP Public Key Pinning) ***/ /* 1220: disable or limit SHA-1 certificates - * 0=all SHA1 certs are allowed - * 1=all SHA1 certs are blocked - * 2=deprecated option that now maps to 1 - * 3=only allowed for locally-added roots (e.g. anti-virus) - * 4=only allowed for locally-added roots or for certs in 2015 and earlier - * [SETUP-CHROME] When disabled, some man-in-the-middle devices, e.g. security scanners and - * antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete + * 0 = allow all + * 1 = block all + * 3 = only allow locally-added roots (e.g. anti-virus) (default) + * 4 = only allow locally-added roots or for certs in 2015 and earlier + * [SETUP-CHROME] If you have problems, update your software: SHA-1 is obsolete * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/ user_pref("security.pki.sha1_enforcement_level", 1); /* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS] @@ -802,7 +794,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false); // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] /*** [SECTION 1600]: HEADERS / REFERERS - Only *cross domain* referers need controlling: leave 1601, 1602, 1605 and 1606 alone + Only **cross domain** referers need controlling: leave 1601, 1602, 1605 and 1606 alone Expect some breakage: Use an extension if you need precise control --- full URI: https://example.com:8888/foo/bar.html?id=1234 @@ -848,7 +840,7 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); user_pref("privacy.donottrackheader.enabled", true); /*** [SECTION 1700]: CONTAINERS - If you want to *really* leverage containers, we highly recommend Temporary Containers [2]. + If you want to really leverage containers, we recommend Temporary Containers [2]. Read the article by the extension author [3], and check out the github wiki/repo [4]. [1] https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers [2] https://addons.mozilla.org/firefox/addon/temporary-containers/ @@ -1117,7 +1109,6 @@ user_pref("permissions.manager.defaultsUrl", ""); /* 2617: remove webchannel whitelist ***/ user_pref("webchannel.allowObject.urlWhitelist", ""); /* 2619: use Punycode in Internationalized Domain Names to eliminate possible spoofing - * Firefox has *some* protections, but it is better to be safe than sorry * [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com) * [1] https://wiki.mozilla.org/IDN_Display_Algorithm @@ -1210,7 +1201,7 @@ user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000] [NOTE] Blocking cookies also blocks websites access to: localStorage (incl. sessionStorage), indexedDB, sharedWorker, and serviceWorker (and therefore service worker cache and notifications) If you set a site exception for cookies (either "Allow" or "Allow for Session") then they become - accessible to websites except shared/service workers where the cookie setting *must* be "Allow" + accessible to websites except shared/service workers where the cookie setting must be "Allow" ***/ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!"); /* 2701: disable or isolate 3rd-party cookies and site-data [SETUP-WEB] @@ -1425,7 +1416,7 @@ user_pref("privacy.firstparty.isolate", true); 1653987 - limit font visibility to bundled and "Base Fonts" (see 4620) (Windows, Mac, some Linux) (FF80+) 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82+) FF91+ - 531915 - use fdlibm's sin, cos and tan in jsmath (FF93+) + 531915 - use fdlibm's sin, cos and tan in jsmath (FF93+, ESR91.1+) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] @@ -1620,7 +1611,7 @@ user_pref("dom.ipc.plugins.reportCrashURL", false); user_pref("security.mixed_content.block_object_subrequest", true); // 1803: disable Flash plugin // 0=deactivated, 1=ask, 2=enabled - // ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable only supports Flash + // ESR52.x is the last branch to fully support NPAPI, FF52+ stable only supports Flash // [NOTE] You can still override individual sites via site permissions // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] user_pref("plugin.state.flash", 0); // [DEFAULT: 1] From 08e9fb35fd9f432bd9513c62be8268691db1f5bc Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 18 Aug 2021 07:16:19 +0000 Subject: [PATCH 347/657] update some references --- user.js | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index cba4c36..4568704 100644 --- a/user.js +++ b/user.js @@ -125,7 +125,7 @@ user_pref("browser.newtabpage.activity-stream.default.sites", ""); * a temporary self-contained new session. Close all Private Windows to clear the PB mode session. * [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode * [1] https://wiki.mozilla.org/Private_Browsing - * [2] https://spreadprivacy.com/is-private-browsing-really-private/ ***/ + * [2] https://support.mozilla.org/kb/common-myths-about-private-browsing ***/ // user_pref("browser.privatebrowsing.autostart", true); /*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/ @@ -240,8 +240,7 @@ user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+] * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send backlogged crash reports ***/ user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DEFAULT: false] /* 0390: disable Captive Portal detection - * [1] https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy - * [2] https://wiki.mozilla.org/Necko/CaptivePortal ***/ + * [1] https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy ***/ user_pref("captivedetect.canonicalURL", ""); user_pref("network.captive-portal-service.enabled", false); // [FF52+] /* 0391: disable Network Connectivity checks [FF65+] @@ -310,8 +309,7 @@ user_pref("browser.safebrowsing.downloads.remote.url", ""); user_pref("_user.js.parrot", "0500 syntax error: the parrot's cashed in 'is chips!"); /* 0503: disable Normandy/Shield [FF60+] * Shield is an telemetry system (including Heartbeat) that can also push and test "recipes" - * [1] https://wiki.mozilla.org/Firefox/Shield - * [2] https://github.com/mozilla/normandy ***/ + * [1] https://mozilla.github.io/normandy/ ***/ user_pref("app.normandy.enabled", false); user_pref("app.normandy.api_url", ""); /* 0505: disable System Add-on updates ***/ From e7e6cfffe852a558f870e74ab3f6bcff7f894781 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 18 Aug 2021 07:30:55 +0000 Subject: [PATCH 348/657] 0503: tidy --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 4568704..14492d4 100644 --- a/user.js +++ b/user.js @@ -308,7 +308,7 @@ user_pref("browser.safebrowsing.downloads.remote.url", ""); ***/ user_pref("_user.js.parrot", "0500 syntax error: the parrot's cashed in 'is chips!"); /* 0503: disable Normandy/Shield [FF60+] - * Shield is an telemetry system (including Heartbeat) that can also push and test "recipes" + * Shield is a telemetry system that can push and test "recipes" * [1] https://mozilla.github.io/normandy/ ***/ user_pref("app.normandy.enabled", false); user_pref("app.normandy.api_url", ""); From 783786290d2278d00a3bb13d3e61678991845a5c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 18 Aug 2021 08:24:44 +0000 Subject: [PATCH 349/657] tidy - geo -> warning - merge container prefs - remove redundant "see"s - remove corresponding 4600's item number in RFP mitigations - it's pretty clear by the preference names in 4600 - could be misconstrued that the 4600 pref is the same result - RFP's language prompt only checks for en*, not en-US (so en-GB, en-CA etc do not get prompted) - https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPHelper.jsm#196 --- user.js | 102 +++++++++++++++++++++++++++----------------------------- 1 file changed, 49 insertions(+), 53 deletions(-) diff --git a/user.js b/user.js index 14492d4..13e2533 100644 --- a/user.js +++ b/user.js @@ -132,10 +132,10 @@ user_pref("browser.newtabpage.activity-stream.default.sites", ""); user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!"); /** GEOLOCATION ***/ /* 0201: disable Location-Aware Browsing - * [NOTE] Best left at default "true", fingerprintable, already behind a prompt (see 0202) + * [WARNING] The API state is fingerprintable. Permission is already behind a prompt (0202) * [1] https://www.mozilla.org/firefox/geolocation/ ***/ // user_pref("geo.enabled", false); -/* 0202: set a default permission for Location (see 0201) [FF58+] +/* 0202: set a default permission for Location (0201) [FF58+] * 0=always ask (default), 1=allow, 2=block * [NOTE] Best left at default "always ask", fingerprintable via Permissions API * [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Your Location @@ -154,7 +154,7 @@ user_pref("geo.provider.use_gpsd", false); // [LINUX] user_pref("browser.region.network.url", ""); // [FF78+] user_pref("browser.region.update.enabled", false); // [[FF79+] /* 0208: set search region - * [NOTE] May not be hidden if Firefox has changed your settings due to your region (see 0207) ***/ + * [NOTE] May not be hidden if Firefox has changed your settings due to your region (0207) ***/ // user_pref("browser.search.region", "US"); // [HIDDEN PREF] /** LANGUAGE / LOCALE ***/ @@ -224,7 +224,7 @@ user_pref("datareporting.healthreport.uploadEnabled", false); * If disabled, no policy is shown or upload takes place, ever * [1] https://bugzilla.mozilla.org/1195552 ***/ user_pref("datareporting.policy.dataSubmissionEnabled", false); -/* 0342: disable Studies (see 0503) +/* 0342: disable Studies * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to install and run studies ***/ user_pref("app.shield.optoutstudies.enabled", false); /* 0343: disable personalized Extension Recommendations in about:addons and AMO [FF65+] @@ -364,7 +364,7 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost * then this won't make much difference. If you are masking your IP, then it can only help. * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" * [TEST] https://ipleak.org/ - * [1] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/ + * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/ user_pref("network.dns.disableIPv6", true); /* 0702: disable HTTP2 * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to @@ -381,7 +381,7 @@ user_pref("network.dns.disableIPv6", true); // user_pref("network.http.spdy.enabled.http2", false); // user_pref("network.http.spdy.websockets", false); // [FF65+] /* 0703: disable HTTP Alternative Services [FF37+] - * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) and you understand the + * [SETUP-PERF] Relax this if you have FPI enabled (4001) and you understand the * consequences. FPI isolates these, but it was designed with the Tor protocol in mind, * and the Tor Browser has extra protection, including enhanced sanitizing per Identity. * [1] https://tools.ietf.org/html/rfc7838#section-9 @@ -475,13 +475,13 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); // user_pref("browser.urlbar.autoFill", false); /* 0860: disable search and form history * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2] - * [NOTE] We also clear formdata on exit (see 2803) + * [NOTE] We also clear formdata on exit (2803) * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html * [2] https://bugzilla.mozilla.org/381681 ***/ user_pref("browser.formfill.enable", false); /* 0862: disable browsing and download history - * [NOTE] We also clear history and downloads on exiting Firefox (see 2803) + * [NOTE] We also clear history and downloads on exit (2803) * [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/ // user_pref("places.history.enabled", false); /* 0870: disable Windows jumplist [WINDOWS] ***/ @@ -503,11 +503,10 @@ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); * [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password * [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/ /* 0903: set how often Firefox should ask for the primary password - * 0=the first time (default), 1=every time it's needed, 2=every n minutes (see 0904) ***/ + * 0=the first time (default), 1=every time it's needed, 2=every n minutes (0904) ***/ user_pref("security.ask_for_password", 2); -/* 0904: set how often in minutes Firefox should ask for the primary password (see 0903) - * in minutes, default is 30 ***/ -user_pref("security.password_lifetime", 5); +/* 0904: set how often in minutes Firefox should ask for the primary password (0903) ***/ +user_pref("security.password_lifetime", 5); // [DEFAULT: 30] /* 0905: disable auto-filling username & password form fields * can leak in cross-site forms *and* be spoofed * [NOTE] Username & password is still available when you enter the field @@ -548,7 +547,7 @@ user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is m /* 1001: disable disk cache * [SETUP-PERF] If you think disk cache may help (heavy tab user, high-res video), * or you use a hardened Temporary Containers, then feel free to override this - * [NOTE] We also clear cache on exiting Firefox (see 2803) ***/ + * [NOTE] We also clear cache on exit (2803) ***/ user_pref("browser.cache.disk.enable", false); /* 1003: disable memory cache * capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kibibytes ***/ @@ -786,7 +785,7 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); user_pref("gfx.font_rendering.graphite.enabled", false); /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed - * [NOTE] In FF81+ the whitelist overrides RFP's font visibility (see 4620) + * [NOTE] In FF81+ the whitelist overrides RFP's font visibility (4620) * [WARNING] DO NOT USE: in FF80+ RFP covers this, and non-RFP users should use font vis (4620) * [1] https://bugzilla.mozilla.org/1121643 ***/ // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] @@ -846,12 +845,10 @@ user_pref("privacy.donottrackheader.enabled", true); [4] https://github.com/stoically/temporary-containers/wiki ***/ user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!"); -/* 1701: enable Container Tabs setting in preferences (see 1702) [FF50+] - * [1] https://bugzilla.mozilla.org/1279029 ***/ -user_pref("privacy.userContext.ui.enabled", true); -/* 1702: enable Container Tabs [FF50+] +/* 1702: enable Container Tabs and it's UI setting [FF50+] * [SETTING] General>Tabs>Enable Container Tabs ***/ user_pref("privacy.userContext.enabled", true); +user_pref("privacy.userContext.ui.enabled", true); /* 1703: set behaviour on "+ Tab" button to display container menu on left click [FF74+] * [NOTE] The menu is always shown on long press and right click * [SETTING] General>Tabs>Enable Container Tabs>Settings>Select a container for each new tab ***/ @@ -903,7 +900,7 @@ user_pref("media.eme.enabled", false); /* 2031: disable autoplay of HTML5 media if you interacted with the site [FF78+] * 0=sticky (default), 1=transient, 2=user * Firefox's Autoplay Policy Documentation [PDF] is linked below via SUMO - * [NOTE] If you have trouble with some video sites, then add an exception (see 2030) + * [NOTE] If you have trouble with some video sites, then add an exception (2030) * [1] https://support.mozilla.org/questions/1293231 ***/ user_pref("media.autoplay.blocking_policy", 2); @@ -1024,22 +1021,22 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m // user_pref("gfx.direct2d.disabled", true); // [WINDOWS] // user_pref("layers.acceleration.disabled", true); /* 2517: disable Media Capabilities API [FF63+] - * [WARNING] The API state is fingerprintable and disabling may affect performance + * [WARNING] The API state is fingerprintable. Disabling may affect performance * [1] https://github.com/WICG/media-capabilities * [2] https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/ // user_pref("media.media-capabilities.enabled", false); /* 2520: disable virtual reality devices - * [WARNING] The API state is fingerprintable + * [WARNING] The API state is fingerprintable. Permission is already behind a prompt (2521) * [1] https://developer.mozilla.org/docs/Web/API/WebVR_API ***/ // user_pref("dom.vr.enabled", false); -/* 2521: set a default permission for Virtual Reality (see 2520) [FF73+] +/* 2521: set a default permission for Virtual Reality (2520) [FF73+] * 0=always ask (default), 1=allow, 2=block * [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Virtual Reality Devices * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings ***/ // user_pref("permissions.default.xr", 2); /* 2522: disable/limit WebGL (Web Graphics Library) * [SETUP-WEB] When disabled, will break some websites. When enabled, provides high entropy, - * especially with readPixels(). Some of the other entropy is lessened with RFP (see 4501) + * especially with readPixels(). Some of the other entropy is lessened with RFP (4501) * [1] https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/ * [2] https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/ user_pref("webgl.disabled", true); @@ -1237,11 +1234,10 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] /* 2730: disable offline cache (appCache) - * [NOTE] In FF90+ the storage capability has been removed (1694662) - * [WARNING] The API is easily fingerprinted, do not disable ***/ + * [WARNING] The API state is fingerprintable. Storage capability was removed in FF90+ (1694662) ***/ // user_pref("browser.cache.offline.enable", false); /* 2740: disable service worker cache and cache storage - * [NOTE] We clear service worker cache on exiting Firefox (see 2803) + * [NOTE] We clear service worker cache on exit (2803) * [1] https://w3c.github.io/ServiceWorker/#privacy ***/ // user_pref("dom.caches.enabled", false); /* 2750: disable Storage API [FF51+] @@ -1266,7 +1262,7 @@ user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] "offlineApps" prefs below to false, and to set the cookie lifetime pref to 2 (2703) ***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); -/* 2802: enable Firefox to clear items on shutdown (see 2803) +/* 2802: enable Firefox to clear items on shutdown (2803) * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/ user_pref("privacy.sanitize.sanitizeOnShutdown", true); /* 2803: set what items to clear on shutdown (if 2802 is true) [SETUP-CHROME] @@ -1298,12 +1294,12 @@ user_pref("privacy.cpd.passwords", false); // this is not listed user_pref("privacy.cpd.sessions", true); // Active Logins user_pref("privacy.cpd.siteSettings", false); // Site Preferences /* 2805: clear Session Restore data when sanitizing on shutdown or manually [FF34+] - * [NOTE] Not needed if Session Restore is not used (see 0102) or is already cleared with history (see 2803) - * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (see 1022) + * [NOTE] Not needed if Session Restore is not used (0102) or is already cleared with history (2803) + * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (1022) * [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/ // user_pref("privacy.clearOnShutdown.openWindows", true); // user_pref("privacy.cpd.openWindows", true); -/* 2806: reset default "Time range to clear" for "Clear Recent History" (see 2804) +/* 2806: reset default "Time range to clear" for "Clear Recent History" (2804) * Firefox remembers your last choice. This will reset the value when you start Firefox * 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today * [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown, @@ -1348,7 +1344,7 @@ user_pref("privacy.firstparty.isolate", true); // user_pref("privacy.firstparty.isolate.block_post_message", true); /* 4003: enable scheme with FPI [FF78+] * [NOTE] Experimental: existing data and site permissions are incompatible - * and some site exceptions may not work e.g. HTTPS-only mode (see 1244) ***/ + * and some site exceptions may not work e.g. HTTPS-only mode (1244) ***/ // user_pref("privacy.firstparty.isolate.use_site", true); /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING) @@ -1366,21 +1362,21 @@ user_pref("privacy.firstparty.isolate", true); 1281963 - hide contents of navigator.plugins and navigator.mimeTypes FF55+ 1330890 - spoof timezone as UTC0 - 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) + 1360039 - spoof navigator.hardwareConcurrency as 2 1217238 - reduce precision of time exposed by javascript FF56+ - 1369303 - spoof/disable performance API (see 4602, 4603) - 1333651 - spoof User Agent & Navigator API (see 4650) + 1369303 - spoof/disable performance API + 1333651 - spoof User Agent & Navigator API JS: FF91+ the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 10, or Linux HTTP Headers: spoofed as Windows or Android - 1369319 - disable device sensor API (see 4604) - 1369357 - disable site specific zoom (see 4605) - 1337161 - hide gamepads from content (see 4606) - 1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true (see 4607) - 1333641 - reduce fingerprinting in WebSpeech API (see 4608) + 1369319 - disable device sensor API + 1369357 - disable site specific zoom + 1337161 - hide gamepads from content + 1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true + 1333641 - reduce fingerprinting in WebSpeech API FF57+ - 1369309 - spoof media statistics (see 4610) - 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) + 1369309 - spoof media statistics + 1382499 - reduce screen co-ordinate fingerprinting in Touch API 1217290 & 1409677 - enable some fingerprinting resistance for WebGL 1382545 - reduce fingerprinting in Animation API 1354633 - limit MediaError.message to a whitelist @@ -1390,28 +1386,28 @@ user_pref("privacy.firstparty.isolate", true); 967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction FF59+ 1372073 - spoof/block fingerprinting in MediaDevices API - Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone" (see 4612) - Block: suppresses the ondevicechange event (see 4613) - 1039069 - warn when language prefs are set to non en-US (see 0210, 0211) + Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone" + Block: suppresses the ondevicechange event + 1039069 - warn when language prefs are not set to "en*" (also see 0210, 0211) 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events Spoofing mimics the content language of the document. Currently it only supports en-US. Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected. FF60-67 - 1337157 - disable WebGL debug renderer info (see 4614) (FF60+) + 1337157 - disable WebGL debug renderer info (FF60+) 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+) - 1479239 - return "no-preference" with prefers-reduced-motion (see 4615) (FF63+) - 1363508 - spoof/suppress Pointer Events (see 4616) (FF64+) + 1479239 - return "no-preference" with prefers-reduced-motion (FF63+) + 1363508 - spoof/suppress Pointer Events (FF64+) FF65: pointerEvent.pointerid (1492766) - 1485266 - disable exposure of system colors to CSS or canvas (see 4617) (FF67+) - 1407366 - enable inner window letterboxing (see 4504) (FF67+) - 1494034 - return "light" with prefers-color-scheme (see 4618) (FF67+) + 1485266 - disable exposure of system colors to CSS or canvas (FF67+) + 1407366 - enable inner window letterboxing (4504) (FF67+) + 1494034 - return "light" with prefers-color-scheme (FF67+) FF68-77 - 1564422 - spoof audioContext outputLatency (see 4619) (FF70+) - 1595823 - return audioContext sampleRate as 44100 (see 4619) (FF72+) + 1564422 - spoof audioContext outputLatency (FF70+) + 1595823 - return audioContext sampleRate as 44100 (FF72+) 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) FF78-90 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) - 1653987 - limit font visibility to bundled and "Base Fonts" (see 4620) (Windows, Mac, some Linux) (FF80+) + 1653987 - limit font visibility to bundled and "Base Fonts" (Windows, Mac, some Linux) (FF80+) 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82+) FF91+ 531915 - use fdlibm's sin, cos and tan in jsmath (FF93+, ESR91.1+) From 679648b33e633f1e494fcffa051672813f1e7cda Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 18 Aug 2021 09:03:16 +0000 Subject: [PATCH 350/657] RFP info tweak --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 13e2533..3823594 100644 --- a/user.js +++ b/user.js @@ -1397,7 +1397,7 @@ user_pref("privacy.firstparty.isolate", true); 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+) 1479239 - return "no-preference" with prefers-reduced-motion (FF63+) 1363508 - spoof/suppress Pointer Events (FF64+) - FF65: pointerEvent.pointerid (1492766) + 1492766 - spoof pointerEvent.pointerid (FF65+) 1485266 - disable exposure of system colors to CSS or canvas (FF67+) 1407366 - enable inner window letterboxing (4504) (FF67+) 1494034 - return "light" with prefers-color-scheme (FF67+) From 29ad768a22d4b097188f6e0dcfbbeb29aa6f13c3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 18 Aug 2021 09:08:36 +0000 Subject: [PATCH 351/657] RFP tweak letterboxing is not part of RFP, it is a separate pref: bugzilla and FF version info is in 4504 --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index 3823594..77c712d 100644 --- a/user.js +++ b/user.js @@ -1399,7 +1399,6 @@ user_pref("privacy.firstparty.isolate", true); 1363508 - spoof/suppress Pointer Events (FF64+) 1492766 - spoof pointerEvent.pointerid (FF65+) 1485266 - disable exposure of system colors to CSS or canvas (FF67+) - 1407366 - enable inner window letterboxing (4504) (FF67+) 1494034 - return "light" with prefers-color-scheme (FF67+) FF68-77 1564422 - spoof audioContext outputLatency (FF70+) From 2ce269362e6103312cdb46200e874da62aa5cf51 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 18 Aug 2021 12:40:27 +0000 Subject: [PATCH 352/657] dom.battery.enabled --- scratchpad-scripts/arkenfox-clear-removed.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 6d23182..a2ec706 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 16-August-2021 + Last updated: 18-August-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -242,6 +242,7 @@ /* 89-beta */ 'security.ssl.enable_ocsp_stapling', /* 91-beta */ + 'dom.battery.enabled', 'dom.storage.enabled', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' From a70c31293830625145db7035af8ec142546c4b5b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 18 Aug 2021 12:46:24 +0000 Subject: [PATCH 353/657] goodbye battery - dead weight since 2017-06-13 when ESR45 reached EOL .. good riddance - if someone does use it, it's not going to do any harm, so no need to carry it for prefsCleaner --- user.js | 4 ---- 1 file changed, 4 deletions(-) diff --git a/user.js b/user.js index 77c712d..cef74b9 100644 --- a/user.js +++ b/user.js @@ -1010,10 +1010,6 @@ user_pref("javascript.options.wasm", false); /*** [SECTION 2500]: HARDWARE FINGERPRINTING ***/ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!"); -/* 2502: disable Battery Status API - * [NOTE] FF52+ Battery Status API is only available in chrome/privileged code [1] - * [1] https://bugzilla.mozilla.org/1313580 ***/ - // user_pref("dom.battery.enabled", false); /* 2508: disable hardware acceleration [SETUP-HARDEN] * [WARNING] Affects rendering and performance * [SETTING] General>Performance>Custom>Use hardware acceleration when available From dc63a752a58d591ec5c48b5c98ad815ce7bad463 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 18 Aug 2021 13:55:41 +0000 Subject: [PATCH 354/657] tidy 0300 + 0301 --- user.js | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/user.js b/user.js index cef74b9..24c316d 100644 --- a/user.js +++ b/user.js @@ -166,13 +166,10 @@ user_pref("intl.accept_languages", "en-US, en"); * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] -/*** [SECTION 0300]: QUIET FOX - We only disable the auto-INSTALL of Firefox (app) updates. You still get prompts to update, - and it only takes one click. We highly discourage disabling auto-CHECKING for updates. -***/ +/*** [SECTION 0300]: QUIET FOX ***/ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); -/* 0301: disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+] - * [NOTE] In FF65+ on Windows this SETTING (below) is now stored in a file and the pref was removed +/* 0301: disable auto-INSTALLING Firefox updates [NON-WINDOWS] + * [NOTE] You will still get prompts to update, and should do so in a timely manner * [SETTING] General>Firefox Updates>Check for updates but let you choose to install them ***/ user_pref("app.update.auto", false); /* 0302: disable auto-INSTALLING Firefox updates via a background service [FF90+] [WINDOWS] From 7264271063c0c3c8baa1412f12ddf13511e65c91 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Aug 2021 00:15:30 +0000 Subject: [PATCH 355/657] rusty-snake improvements, #1235 --- user.js | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/user.js b/user.js index 24c316d..173450a 100644 --- a/user.js +++ b/user.js @@ -370,7 +370,7 @@ user_pref("network.dns.disableIPv6", true); * [STATS] ~46% of sites (July 2021) [5] * [1] https://http2.github.io/faq/ * [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html - * [3] https://http2.github.io/http2-spec/#rfc.section.10.8 + * [3] https://datatracker.ietf.org/doc/html/rfc7540#section-10.8 * [4] https://queue.acm.org/detail.cfm?id=2716278 * [5] https://w3techs.com/technologies/details/ce-http2/all/all ***/ // user_pref("network.http.spdy.enabled", false); @@ -981,17 +981,14 @@ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] user_pref("dom.vibrator.enabled", false); /* 2420: disable asm.js [FF22+] [SETUP-PERF] * [1] http://asmjs.org/ - * [2] https://www.mozilla.org/security/advisories/mfsa2015-29/ - * [3] https://www.mozilla.org/security/advisories/mfsa2015-50/ - * [4] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375 - * [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400 - * [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ + * [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js + * [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ user_pref("javascript.options.asmjs", false); /* 2421: disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN] * [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new * hidden pref is enabled, then Ion can still be used by extensions (1599226) * [WARNING] Disabling Ion/JIT can cause some site issues and performance loss - * [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/ + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Firefox+JIT ***/ // user_pref("javascript.options.ion", false); // user_pref("javascript.options.baselinejit", false); // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF] @@ -1568,7 +1565,7 @@ user_pref("browser.search.geoSpecificDefaults", false); user_pref("browser.search.geoSpecificDefaults.url", ""); // FF86 // 1205: disable SSL Error Reporting - // [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html + // [1] https://firefox-source-docs.mozilla.org/main/65.0/browser/base/sslerrorreport/preferences.html // [-] https://bugzilla.mozilla.org/1681839 user_pref("security.ssl.errorReporting.automatic", false); user_pref("security.ssl.errorReporting.enabled", false); From f19d8508452ab96f1648f672f4c5c431264d8e33 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Aug 2021 01:46:47 +0000 Subject: [PATCH 356/657] tidy #1235 8000s (was 4600s) - move below personal, so user-relevant part is shorter - swap out font vis with document fonts + font whitelist - font vis still has usability/visual purposes: it just won't really help much with fingerprinting - ESR78 users (who can't use font vis), sorry, but we made doc fonts inactive for a while now, and now recommend you don't use it anyway --- user.js | 155 +++++++++++++++++++++++++++----------------------------- 1 file changed, 76 insertions(+), 79 deletions(-) diff --git a/user.js b/user.js index 173450a..3cfa190 100644 --- a/user.js +++ b/user.js @@ -36,7 +36,6 @@ ESR78 - If you are not using arkenfox v78... (not a definitive list) - 1244: HTTPS-Only mode is enabled - - 1401: document fonts is inactive as it is now covered by RFP in FF80+ - 2525: non-native widget theme is enforced - 9999: switch the appropriate deprecated section(s) back on @@ -65,8 +64,9 @@ 2800: SHUTDOWN 4000: FPI (FIRST PARTY ISOLATION) 4500: RFP (RESIST FINGERPRINTING) - 4600: NON-RFP 5000: PERSONAL + 7000: DON'T BOTHER + 8000: DON'T BOTHER: NON-RFP 9999: DEPRECATED / REMOVED / LEGACY / RENAMED ******/ @@ -118,10 +118,10 @@ user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); // user_pref("browser.newtabpage.activity-stream.default.sites", ""); /* 0110: start Firefox in PB (Private Browsing) mode * [NOTE] In this mode all windows are "private windows" and the PB mode icon is not displayed - * [WARNING] The P in PB mode is misleading: it means no "persistent" disk storage such as history, + * [WARNING] The P in PB mode can be misleading: it means no "persistent" disk state such as history, * caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode). * In fact, PB mode limits or removes the ability to control some of these, and you need to quit - * Firefox to clear them. PB is best used as a one off window (File>New Private Window) to provide + * Firefox to clear them. PB is best used as a one off window (Menu>New Private Window) to provide * a temporary self-contained new session. Close all Private Windows to clear the PB mode session. * [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode * [1] https://wiki.mozilla.org/Private_Browsing @@ -141,7 +141,7 @@ user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely decease * [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Your Location * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings ***/ // user_pref("permissions.default.geo", 2); -/* 0203: use Mozilla geolocation service instead of Google when geolocation is enabled [FF74+] +/* 0203: use Mozilla geolocation service instead of Google if geolocation is granted [FF74+] * Optionally enable logging to the console (defaults to false) ***/ user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); // user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF] @@ -719,7 +719,8 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); * [1] https://bugzilla.mozilla.org/1382359 ***/ // user_pref("dom.securecontext.whitelist_onions", true); -/** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] +/** CIPHERS + [WARNING] DO NOT USE: see the section 1200 intro These are the ciphers listed under "Cipher Suites" [1] that are either still using SHA-1 and CBC, and/or are missing Perfect Forward Secrecy [3] and/or have other weaknesses like key sizes of 128 [1] https://browserleaks.com/ssl @@ -762,30 +763,25 @@ user_pref("security.insecure_connection_text.enabled", true); // [FF60+] /*** [SECTION 1400]: FONTS ***/ user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); -/* 1401: disable websites choosing fonts (0=block, 1=allow) - * This can limit most (but not all) JS font enumeration which is a high entropy fingerprinting vector - * [WARNING] DO NOT USE: in FF80+ RFP covers this, and non-RFP users should use font vis (4620) - * [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Allow pages to choose... ***/ - // user_pref("browser.display.use_document_fonts", 0); -/* 1403: disable icon fonts (glyphs) and local fallback rendering - * [1] https://bugzilla.mozilla.org/789788 - * [2] https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/ - // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] - // user_pref("gfx.downloadable_fonts.fallback_delay", -1); -/* 1404: disable rendering of SVG OpenType fonts +/* 1401: disable rendering of SVG OpenType fonts * [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/ user_pref("gfx.font_rendering.opentype_svg.enabled", false); -/* 1408: disable graphite +/* 1402: disable graphite * Graphite has had many critical security issues in the past [1] * [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 * [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/ user_pref("gfx.font_rendering.graphite.enabled", false); -/* 1409: limit system font exposure to a whitelist [FF52+] [RESTART] - * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed - * [NOTE] In FF81+ the whitelist overrides RFP's font visibility (4620) - * [WARNING] DO NOT USE: in FF80+ RFP covers this, and non-RFP users should use font vis (4620) - * [1] https://bugzilla.mozilla.org/1121643 ***/ - // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] +/* 1403: limit font visibility (Windows, Mac, some Linux) [FF79+] + * [NOTE] IN FF8)+ RFP ignores the pref and uses value 1 + * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed + * 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts + * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/ + // user_pref("layout.css.font-visibility.level", 1); +/* 1404: disable icon fonts (glyphs) and local fallback rendering + * [1] https://bugzilla.mozilla.org/789788 + * [2] https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/ + // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] + // user_pref("gfx.downloadable_fonts.fallback_delay", -1); /*** [SECTION 1600]: HEADERS / REFERERS Only **cross domain** referers need controlling: leave 1601, 1602, 1605 and 1606 alone @@ -1342,7 +1338,7 @@ user_pref("privacy.firstparty.isolate", true); It is an all-or-nothing buy in: you cannot pick and choose what parts you want [WARNING] DO NOT USE extensions to alter RFP protected metrics - [WARNING] DO NOT USE prefs in section 4600 with RFP as they can interfere + [WARNING] DO NOT USE prefs in section 8000 with RFP as they can interfere FF41+ 418986 - limit window.screen & CSS media queries leaking identifiable info @@ -1441,60 +1437,6 @@ user_pref("browser.startup.blankWindow", false); * [NOTE] pref added in FF63, but applied to chrome in FF77. RFP spoofs this for web content ***/ user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] -/*** [SECTION 4600]: NON-RFP - [WARNING] DO NOT USE with RFP. RFP already covers these, and they can interfere - [NOTE] These prefs will not help anti-fingerprinting. They are insufficient - on their own, can cause breakage, and will make you stand out -***/ -user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan"); -/* 4601: spoof number of CPU cores [FF48+] ***/ - // user_pref("dom.maxHardwareConcurrency", 2); -/* 4602: disable Resource Timing API ***/ - // user_pref("dom.enable_resource_timing", false); -/* 4603: disable Navigation Timing API ***/ - // user_pref("dom.enable_performance", false); -/* 4604: disable device Sensor APIs ***/ - // user_pref("device.sensors.enabled", false); -/* 4605: disable remembering site specific zoom ***/ - // user_pref("browser.zoom.siteSpecific", false); -/* 4606: disable gamepad API to prevent USB device ID enumeration ***/ - // user_pref("dom.gamepad.enabled", false); -/* 4607: disable Network Information API [FF31+] ***/ - // user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android] -/* 4608: disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API ***/ - // user_pref("media.webspeech.synth.enabled", false); -/* 4610: disable video statistics to mitigate JS performance fingerprinting [FF25+] ***/ - // user_pref("media.video_stats.enabled", false); -/* 4611: disable touch events: 0=disabled, 1=enabled, 2=autodetect ***/ - // user_pref("dom.w3c_touch_events.enabled", 0); -/* 4612: disable media device enumeration [FF29+] ***/ - // user_pref("media.navigator.enabled", false); -/* 4613: disable MediaDevices change detection [FF51+] ***/ - // user_pref("media.ondevicechange.enabled", false); -/* 4614: disable WebGL debug info being available to websites ***/ - // user_pref("webgl.enable-debug-renderer-info", false); -/* 4615: enforce prefers-reduced-motion as no-preference: 0=no-preference, 1=reduce [FF63+] [RESTART] ***/ - // user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] -/* 4617: disable exposure of system colors to CSS or canvas [FF44+] ***/ - // user_pref("ui.use_standins_for_native_colors", true); -/* 4618: enforce prefers-color-scheme as light: 0=light, 1=dark [FF67+] ***/ - // user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] -/* 4619: disable Web Audio API [FF51+] ***/ - // user_pref("dom.webaudio.enabled", false); -/* 4620: limit font visibility (Windows, Mac, some Linux) [FF79+] - * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed - * 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts - * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/ - // user_pref("layout.css.font-visibility.level", 1); -/* 4650: navigator DOM object overrides - * [WARNING] NO NOT USE: these prefs are insufficient and leak ***/ - // user_pref("general.appname.override", ""); // [HIDDEN PREF] - // user_pref("general.appversion.override", ""); // [HIDDEN PREF] - // user_pref("general.buildID.override", ""); // [HIDDEN PREF] - // user_pref("general.oscpu.override", ""); // [HIDDEN PREF] - // user_pref("general.platform.override", ""); // [HIDDEN PREF] - // user_pref("general.useragent.override", ""); // [HIDDEN PREF] - /*** [SECTION 5000]: PERSONAL Non-project related but useful. If any of these interest you, add them to your overrides To save some overrides, we've made a few active as they seem to be universally used @@ -1541,6 +1483,61 @@ user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", // user_pref("network.manage-offline-status", false); // see bugzilla 620472 // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) +/*** [SECTION 8000]: DON'T BOTHER: NON-RFP + [WHY] They are insufficient to help anti-fingerprinting and can cause breakage + [WARNING] DO NOT USE with RFP. RFP already covers these, and they can interfere +***/ +user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan"); +/* 8001: spoof number of CPU cores [FF48+] ***/ + // user_pref("dom.maxHardwareConcurrency", 2); +/* 8002: disable Resource Timing API ***/ + // user_pref("dom.enable_resource_timing", false); +/* 8003: disable Navigation Timing API ***/ + // user_pref("dom.enable_performance", false); +/* 8004: disable device Sensor APIs ***/ + // user_pref("device.sensors.enabled", false); +/* 8005: disable remembering site specific zoom ***/ + // user_pref("browser.zoom.siteSpecific", false); +/* 8006: disable gamepad API to prevent USB device ID enumeration ***/ + // user_pref("dom.gamepad.enabled", false); +/* 8007: disable Network Information API [FF31+] ***/ + // user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android] +/* 8008: disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API ***/ + // user_pref("media.webspeech.synth.enabled", false); +/* 8010: disable video statistics to mitigate JS performance fingerprinting [FF25+] ***/ + // user_pref("media.video_stats.enabled", false); +/* 8011: disable touch events: 0=disabled, 1=enabled, 2=autodetect ***/ + // user_pref("dom.w3c_touch_events.enabled", 0); +/* 8012: disable media device enumeration [FF29+] ***/ + // user_pref("media.navigator.enabled", false); +/* 8013: disable MediaDevices change detection [FF51+] ***/ + // user_pref("media.ondevicechange.enabled", false); +/* 8014: disable WebGL debug info being available to websites ***/ + // user_pref("webgl.enable-debug-renderer-info", false); +/* 8015: enforce prefers-reduced-motion as no-preference: 0=no-preference, 1=reduce [FF63+] [RESTART] ***/ + // user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] +/* 8017: disable exposure of system colors to CSS or canvas [FF44+] ***/ + // user_pref("ui.use_standins_for_native_colors", true); +/* 8018: enforce prefers-color-scheme as light: 0=light, 1=dark [FF67+] ***/ + // user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] +/* 8019: disable Web Audio API [FF51+] ***/ + // user_pref("dom.webaudio.enabled", false); +/* 8020: disable websites choosing fonts (0=block, 1=allow) ***/ + // user_pref("browser.display.use_document_fonts", 0); +/* 8021: limit system font exposure to a whitelist [FF52+] [RESTART] + * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed + * [NOTE] In FF81+ the whitelist overrides RFP and font visibility (1403) + * [1] https://bugzilla.mozilla.org/1121643 ***/ + // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] +/* 8050: navigator DOM object overrides + * [WHY] These prefs are insufficient and leak ***/ + // user_pref("general.appname.override", ""); // [HIDDEN PREF] + // user_pref("general.appversion.override", ""); // [HIDDEN PREF] + // user_pref("general.buildID.override", ""); // [HIDDEN PREF] + // user_pref("general.oscpu.override", ""); // [HIDDEN PREF] + // user_pref("general.platform.override", ""); // [HIDDEN PREF] + // user_pref("general.useragent.override", ""); // [HIDDEN PREF] + /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1], which also provides a link-clickable, viewer-friendly version of the deprecated bugzilla tickets From ac84da2af4b1c9454b3d97a93e67d58b1f448c38 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Aug 2021 02:07:03 +0000 Subject: [PATCH 357/657] remove XHTML config warning dead weight: ESR users will already be aware of and ticked the warning box by now --- user.js | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 3cfa190..9e9c78c 100644 --- a/user.js +++ b/user.js @@ -78,10 +78,8 @@ * [1] https://blog.mozilla.org/nnethercote/2018/03/09/a-new-preferences-parser-for-firefox/ ***/ user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?"); -/* 0000: disable about:config warning - * FF73-86: chrome://global/content/config.xhtml ***/ -user_pref("general.warnOnAboutConfig", false); // XHTML version -user_pref("browser.aboutConfig.showWarning", false); // HTML version [FF71+] +/* 0000: disable about:config warning ***/ +user_pref("browser.aboutConfig.showWarning", false); /*** [SECTION 0100]: STARTUP ***/ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!"); From 00fa8f1b50dbc717ef9cc702679f3829d91fee05 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Aug 2021 02:14:23 +0000 Subject: [PATCH 358/657] general.warnOnAboutConfig https://github.com/arkenfox/user.js/commit/ac84da2af4b1c9454b3d97a93e67d58b1f448c38 --- scratchpad-scripts/arkenfox-clear-removed.js | 35 ++++---------------- 1 file changed, 6 insertions(+), 29 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index a2ec706..040604f 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 18-August-2021 + Last updated: 19-August-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -13,15 +13,13 @@ const aPREFS = [ /* removed in arkenfox user.js */ - /* 52-alpha */ + /* 60 or lower */ 'browser.search.reset.enabled', 'browser.search.reset.whitelist', - /* 54-alpha */ 'browser.migrate.automigrate.enabled', 'services.sync.enabled', 'webextensions.storage.sync.enabled', 'webextensions.storage.sync.serverURL', - /* 55-alpha */ 'dom.keyboardevent.dispatch_during_composition', // default is false anyway 'dom.vr.oculus.enabled', // covered by dom.vr.enabled 'dom.vr.openvr.enabled', // ditto @@ -29,12 +27,10 @@ 'extensions.pocket.api', // covered by extensions.pocket.enabled 'extensions.pocket.oAuthConsumerKey', // ditto 'extensions.pocket.site', // ditto - /* 57-alpha */ 'geo.wifi.xhr.timeout', // covered by geo.enabled 'browser.search.geoip.timeout', // ditto 'media.webspeech.recognition.enable', // default is false anyway 'gfx.layerscope.enabled', // default is false anyway - /* 58-alpha */ // excluding these e10 settings // 'browser.tabs.remote.autostart', // 'browser.tabs.remote.autostart.2', @@ -56,7 +52,6 @@ 'dom.presentation.enabled', 'dom.presentation.receiver.enabled', 'dom.presentation.session_transport.data_channel.enable', - /* 59-alpha */ 'browser.stopReloadAnimation.enabled', 'browser.tabs.insertRelatedAfterCurrent', 'browser.tabs.loadDivertedInBackground', @@ -80,7 +75,6 @@ 'media.wmf.enabled', 'media.wmf.vp9.enabled', 'ui.submenuDelay', - /* 60-beta - these were all at default anyway */ 'device.storage.enabled', 'general.useragent.compatMode.firefox', 'network.dns.blockDotOnion', @@ -88,7 +82,7 @@ 'security.block_script_with_wrong_mime', 'security.fileuri.strict_origin_policy', 'security.sri.enable', - /* 61-beta */ + /* 61-68 */ 'browser.laterrun.enabled', 'browser.offline-apps.notify', 'browser.rights.3.shown', @@ -101,14 +95,11 @@ 'network.http.fast-fallback-to-IPv4', 'offline-apps.quota.warn', 'services.blocklist.signing.enforced', - /* 62-beta */ 'browser.urlbar.autoFill.typed', 'security.tls.version.fallback-limit', - /* 63-beta */ 'extensions.webextensions.keepStorageOnUninstall', 'extensions.webextensions.keepUuidOnUninstall', 'privacy.trackingprotection.ui.enabled', - /* 64-beta */ 'browser.eme.ui.enabled', 'browser.sessionstore.max_windows_undo', 'network.auth.subresource-img-cross-origin-http-auth-allow', @@ -119,10 +110,8 @@ 'media.peerconnection.use_document_iceservers', 'media.peerconnection.video.enabled', 'media.navigator.video.enabled', - /* 65-beta */ 'browser.contentblocking.enabled', 'browser.urlbar.maxHistoricalSearchSuggestions', - /* 67-beta */ 'app.update.service.enabled', 'app.update.silent', 'app.update.staging.enabled', @@ -168,7 +157,6 @@ 'signon.autofillForms.http', 'signon.storeWhenAutocompleteOff', 'xpinstall.whitelist.required', - /* 67-beta: Blocklist, SB & TP cleanup: these were all inactive */ 'browser.safebrowsing.downloads.remote.block_dangerous', 'browser.safebrowsing.downloads.remote.block_dangerous_host', 'browser.safebrowsing.blockedURIs.enabled', @@ -188,7 +176,6 @@ 'services.blocklist.plugins.collection', 'services.blocklist.update_enabled', 'urlclassifier.trackingTable', - /* 68-beta */ 'dom.forms.datetime', 'font.blacklist.underline_offset', 'font.name.monospace.x-unicode', @@ -199,9 +186,8 @@ 'font.name.serif.x-western', 'layout.css.font-loading-api.enabled', 'toolkit.telemetry.cachedClientID', - /* 69-beta */ + /* 69-78 */ 'plugin.sessionPermissionNow.intervalInMinutes', - /* 70-beta */ 'browser.cache.disk_cache_ssl', 'browser.sessionhistory.max_entries', 'dom.push.connection.enabled', @@ -215,35 +201,26 @@ 'security.insecure_connection_icon.pbmode.enabled', 'security.insecure_connection_text.pbmode.enabled', 'webgl.dxgl.enabled', - /* 71-beta */ 'media.block-autoplay-until-in-foreground', 'middlemouse.paste', - /* 75-beta */ 'browser.search.geoip.url', 'browser.search.region', - /* 79-beta */ + /* 79-91 */ 'browser.urlbar.usepreloadedtopurls.enabled', - /* 82-beta */ 'dom.IntersectionObserver.enabled', 'extensions.screenshots.upload-disabled', 'privacy.partition.network_state', 'security.ssl3.dhe_rsa_aes_128_sha', 'security.ssl3.dhe_rsa_aes_256_sha', - /* 84-beta */ 'browser.newtabpage.activity-stream.asrouter.providers.snippets', - /* 85-beta */ 'network.http.redirection-limit', - /* 86-beta */ 'media.gmp-widevinecdm.visible', - /* 87-beta */ 'browser.send_pings.require_same_host', - /* 88-beta */ 'webgl.min_capability_mode', - /* 89-beta */ 'security.ssl.enable_ocsp_stapling', - /* 91-beta */ 'dom.battery.enabled', 'dom.storage.enabled', + 'general.warnOnAboutConfig', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ]; From 93f6aea06afd0fefc37f8df84a4129e4ee1354a8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Aug 2021 13:17:07 +0000 Subject: [PATCH 359/657] 1605: change to active enforced --- user.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 9e9c78c..dd6452e 100644 --- a/user.js +++ b/user.js @@ -805,10 +805,10 @@ user_pref("network.http.referer.XOriginPolicy", 2); /* 1604: CROSS ORIGIN: control the amount of information to send [FF52+] * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); -/* 1605: ALL: disable spoofing a referer - * [WARNING] Do not set this to true, as spoofing effectively disables the anti-CSRF - * (Cross-Site Request Forgery) protections that some sites may rely on ***/ - // user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false] +/* 1605: ALL: enforce no spoofing of referer + * Spoofing effectively disables the anti-CSRF (Cross-Site Request Forgery) + * protections that some sites may rely on ***/ +user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false] /* 1606: ALL: set the default Referrer Policy [FF59+] * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade * [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy From 45c52b66201d4ded8e119530195329e3185b7465 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Aug 2021 14:44:06 +0000 Subject: [PATCH 360/657] start section 7000s --- user.js | 75 +++++++++++++++++++++------------------------------------ 1 file changed, 28 insertions(+), 47 deletions(-) diff --git a/user.js b/user.js index dd6452e..bd4b41b 100644 --- a/user.js +++ b/user.js @@ -128,18 +128,7 @@ user_pref("browser.newtabpage.activity-stream.default.sites", ""); /*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/ user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!"); -/** GEOLOCATION ***/ -/* 0201: disable Location-Aware Browsing - * [WARNING] The API state is fingerprintable. Permission is already behind a prompt (0202) - * [1] https://www.mozilla.org/firefox/geolocation/ ***/ - // user_pref("geo.enabled", false); -/* 0202: set a default permission for Location (0201) [FF58+] - * 0=always ask (default), 1=allow, 2=block - * [NOTE] Best left at default "always ask", fingerprintable via Permissions API - * [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Your Location - * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings ***/ - // user_pref("permissions.default.geo", 2); -/* 0203: use Mozilla geolocation service instead of Google if geolocation is granted [FF74+] +/* 0203: use Mozilla geolocation service instead of Google if permission is granted [FF74+] * Optionally enable logging to the console (defaults to false) ***/ user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); // user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF] @@ -154,8 +143,6 @@ user_pref("browser.region.update.enabled", false); // [[FF79+] /* 0208: set search region * [NOTE] May not be hidden if Firefox has changed your settings due to your region (0207) ***/ // user_pref("browser.search.region", "US"); // [HIDDEN PREF] - -/** LANGUAGE / LOCALE ***/ /* 0210: set preferred language for displaying web pages * [TEST] https://addons.mozilla.org/about ***/ user_pref("intl.accept_languages", "en-US, en"); @@ -865,12 +852,6 @@ user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70 user_pref("media.getusermedia.screensharing.enabled", false); user_pref("media.getusermedia.browser.enabled", false); user_pref("media.getusermedia.audiocapture.enabled", false); -/* 2004: set a default permission for Camera/Microphone [FF58+] - * 0=always ask (default), 1=allow, 2=block - * [SETTING] to add site exceptions: Ctrl+I>Permissions>Use the Camera/Microphone - * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings ***/ - // user_pref("permissions.default.camera", 2); - // user_pref("permissions.default.microphone", 2); /* 2020: disable GMP (Gecko Media Plugins) * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/ // user_pref("media.gmp-provider.enabled", false); @@ -920,7 +901,7 @@ user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!"); * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1320796#c7 ***/ user_pref("dom.serviceWorkers.enabled", false); /* 2304: disable Web Notifications - * [NOTE] Web Notifications can also use service workers (2302) and are behind a prompt (2306) + * [NOTE] Web Notifications can also use service workers (2302) and are behind a prompt (7002) * [1] https://developer.mozilla.org/docs/Web/API/Notifications_API ***/ // user_pref("dom.webnotifications.enabled", false); // [FF22+] // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+] @@ -928,18 +909,12 @@ user_pref("dom.serviceWorkers.enabled", false); * Push is an API that allows websites to send you (subscribed) messages even when the site * isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server * [NOTE] Push requires service workers (2302) to subscribe to and display, and is behind - * a prompt (2306). Disabling service workers alone doesn't stop Firefox polling the + * a prompt (7002). Disabling service workers alone doesn't stop Firefox polling the * Mozilla Push Server. To remove all subscriptions, reset your userAgentID. * [1] https://support.mozilla.org/kb/push-notifications-firefox * [2] https://developer.mozilla.org/docs/Web/API/Push_API ***/ user_pref("dom.push.enabled", false); // user_pref("dom.push.userAgentID", ""); -/* 2306: set a default permission for Notifications (both 2304 and 2305) [FF58+] - * 0=always ask (default), 1=allow, 2=block - * [NOTE] Best left at default "always ask", fingerprintable via Permissions API - * [SETTING] to add site exceptions: Ctrl+I>Permissions>Receive Notifications - * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings ***/ - // user_pref("permissions.default.desktop-notification", 2); /*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!"); @@ -1009,15 +984,6 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m * [1] https://github.com/WICG/media-capabilities * [2] https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/ // user_pref("media.media-capabilities.enabled", false); -/* 2520: disable virtual reality devices - * [WARNING] The API state is fingerprintable. Permission is already behind a prompt (2521) - * [1] https://developer.mozilla.org/docs/Web/API/WebVR_API ***/ - // user_pref("dom.vr.enabled", false); -/* 2521: set a default permission for Virtual Reality (2520) [FF73+] - * 0=always ask (default), 1=allow, 2=block - * [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Virtual Reality Devices - * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings ***/ - // user_pref("permissions.default.xr", 2); /* 2522: disable/limit WebGL (Web Graphics Library) * [SETUP-WEB] When disabled, will break some websites. When enabled, provides high entropy, * especially with readPixels(). Some of the other entropy is lessened with RFP (4501) @@ -1123,11 +1089,6 @@ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] /* 2625: disable bypassing 3rd party extension install prompts [FF82+] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/ user_pref("extensions.postDownloadThirdPartyPrompt", false); -/* 2626: disable Fullscreen API (requires user interaction) - * [NOTE] You can still toggle fullscreen with F11 - * [WARNING] This is fingerprintable and will break embedded video/game FS controls, e.g. youtube - * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen ***/ - // user_pref("full-screen-api.enabled", false); /** DOWNLOADS ***/ /* 2650: discourage downloading to desktop @@ -1173,7 +1134,6 @@ user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000] cookies : profile\cookies.sqlite localStorage : profile\webappsstore.sqlite indexedDB : profile\storage\default - appCache : profile\OfflineCache (FF89 or lower) serviceWorkers : [NOTE] indexedDB and serviceWorkers are not available in Private Browsing Mode @@ -1217,9 +1177,6 @@ user_pref("privacy.trackingprotection.enabled", true); user_pref("privacy.trackingprotection.socialtracking.enabled", true); // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] -/* 2730: disable offline cache (appCache) - * [WARNING] The API state is fingerprintable. Storage capability was removed in FF90+ (1694662) ***/ - // user_pref("browser.cache.offline.enable", false); /* 2740: disable service worker cache and cache storage * [NOTE] We clear service worker cache on exit (2803) * [1] https://w3c.github.io/ServiceWorker/#privacy ***/ @@ -1481,6 +1438,30 @@ user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", // user_pref("network.manage-offline-status", false); // see bugzilla 620472 // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) +/*** [SECTION 7000] DON'T BOTHER ***/ +user_pref("_user.js.parrot", "8000 syntax error: the parrot's pushing up daisies!"); +/* 7001: disable APIs + * Location-Aware Browsing, Full Screen, offline cache (appCache), Virtual Reality + * [WHY] The API state is easily fingerprintable. Geo and VR are behind prompts (7002). + * appCache storage capability was removed in FF90. Full screen requires user interaction, + * and you can still toggle fullscreen with F11 ***/ + // user_pref("geo.enabled", false); + // user_pref("full-screen-api.enabled", false); + // user_pref("browser.cache.offline.enable", false); + // user_pref("dom.vr.enabled", false); +/* 7002: set default permissions + * Location, Camera, Microphone, Notifications [FF58+] Virtual Reality [FF73+] + * 0=always ask (default), 1=allow, 2=block + * [WHY] These are fingerprintable via Permissions API, except VR. Just add site + * exceptions as block for frequently visited annoying sites: i.e not global + * [SETTING] to add site exceptions: Ctrl+I>Permissions> + * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/ + // user_pref("permissions.default.geo", 0); + // user_pref("permissions.default.camera", 0); + // user_pref("permissions.default.microphone", 0); + // user_pref("permissions.default.desktop-notification", 0); + // user_pref("permissions.default.xr", 0); // Virtual Reality + /*** [SECTION 8000]: DON'T BOTHER: NON-RFP [WHY] They are insufficient to help anti-fingerprinting and can cause breakage [WARNING] DO NOT USE with RFP. RFP already covers these, and they can interfere @@ -1597,7 +1578,7 @@ user_pref("plugin.state.flash", 0); // [DEFAULT: 1] // 0708: disable FTP [FF60+] // [-] https://bugzilla.mozilla.org/1574475 // user_pref("network.ftp.enabled", false); // [DEFAULT: false FF88+] -// 2730: enforce no offline cache storage (appCache) [FF71+] +// 7001: enforce no offline cache storage (appCache) [FF71+] // [-] https://bugzilla.mozilla.org/1694662 user_pref("browser.cache.offline.storage.enable", false); // [DEFAULT: false FF84+] // ***/ From 5ab3c47b6bd5c61512a451aa65ac91ad8bb72509 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 19 Aug 2021 15:26:22 +0000 Subject: [PATCH 361/657] 7001: tweak F11 has nothing to do with the API or why --- user.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/user.js b/user.js index bd4b41b..4577a80 100644 --- a/user.js +++ b/user.js @@ -1443,8 +1443,7 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's pushing up daisies /* 7001: disable APIs * Location-Aware Browsing, Full Screen, offline cache (appCache), Virtual Reality * [WHY] The API state is easily fingerprintable. Geo and VR are behind prompts (7002). - * appCache storage capability was removed in FF90. Full screen requires user interaction, - * and you can still toggle fullscreen with F11 ***/ + * appCache storage capability was removed in FF90. Full screen requires user interaction ***/ // user_pref("geo.enabled", false); // user_pref("full-screen-api.enabled", false); // user_pref("browser.cache.offline.enable", false); From a8e95e73107cd40a73229c571caf7a265b656301 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 20 Aug 2021 02:13:53 +0000 Subject: [PATCH 362/657] dexter would be proud #1235 - just to be clear, this section is not supported: not interested in references or explanations or FF version numbers or default info etc - "do more harm than good" - ambiguous, not interested in explaining why exactly: but FYI - some leak - most break shit - almost all are easily fingerprinted and the combo of them would make you really stand out - removed the duplicate `ui.prefersReducedMotion` - this should move to personal as well - moved `ui.systemUsesDarkTheme` to personal --- user.js | 59 +++++++++++++++++++-------------------------------------- 1 file changed, 19 insertions(+), 40 deletions(-) diff --git a/user.js b/user.js index 4577a80..0719d45 100644 --- a/user.js +++ b/user.js @@ -1389,6 +1389,7 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] * [1] https://bugzilla.mozilla.org/1448423 ***/ user_pref("browser.startup.blankWindow", false); /* 4520: disable chrome animations [FF77+] [RESTART] + * 0=no-preference, 1=reduce * [NOTE] pref added in FF63, but applied to chrome in FF77. RFP spoofs this for web content ***/ user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] @@ -1410,6 +1411,7 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc // user_pref("full-screen-api.warning.timeout", 0); /* APPEARANCE ***/ // user_pref("browser.download.autohideButton", false); // [FF57+] + // user_pref("ui.systemUsesDarkTheme", 1); // with RFP this only affects chrome: 0=light, 1=dark [FF67+] [HIDDEN PREF] // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent /* CONTENT BEHAVIOR ***/ // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type" @@ -1462,59 +1464,36 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's pushing up daisies // user_pref("permissions.default.xr", 0); // Virtual Reality /*** [SECTION 8000]: DON'T BOTHER: NON-RFP - [WHY] They are insufficient to help anti-fingerprinting and can cause breakage - [WARNING] DO NOT USE with RFP. RFP already covers these, and they can interfere + [WHY] They are insufficient to help anti-fingerprinting and do more harm than good + [WARNING] DO NOT USE with RFP. RFP already covers these and they can interfere ***/ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan"); -/* 8001: spoof number of CPU cores [FF48+] ***/ - // user_pref("dom.maxHardwareConcurrency", 2); -/* 8002: disable Resource Timing API ***/ - // user_pref("dom.enable_resource_timing", false); -/* 8003: disable Navigation Timing API ***/ - // user_pref("dom.enable_performance", false); -/* 8004: disable device Sensor APIs ***/ +/* 8001: disable APIs ***/ // user_pref("device.sensors.enabled", false); -/* 8005: disable remembering site specific zoom ***/ - // user_pref("browser.zoom.siteSpecific", false); -/* 8006: disable gamepad API to prevent USB device ID enumeration ***/ + // user_pref("dom.enable_performance", false); + // user_pref("dom.enable_resource_timing", false); // user_pref("dom.gamepad.enabled", false); -/* 8007: disable Network Information API [FF31+] ***/ - // user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android] -/* 8008: disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API ***/ - // user_pref("media.webspeech.synth.enabled", false); -/* 8010: disable video statistics to mitigate JS performance fingerprinting [FF25+] ***/ - // user_pref("media.video_stats.enabled", false); -/* 8011: disable touch events: 0=disabled, 1=enabled, 2=autodetect ***/ - // user_pref("dom.w3c_touch_events.enabled", 0); -/* 8012: disable media device enumeration [FF29+] ***/ - // user_pref("media.navigator.enabled", false); -/* 8013: disable MediaDevices change detection [FF51+] ***/ - // user_pref("media.ondevicechange.enabled", false); -/* 8014: disable WebGL debug info being available to websites ***/ - // user_pref("webgl.enable-debug-renderer-info", false); -/* 8015: enforce prefers-reduced-motion as no-preference: 0=no-preference, 1=reduce [FF63+] [RESTART] ***/ - // user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] -/* 8017: disable exposure of system colors to CSS or canvas [FF44+] ***/ - // user_pref("ui.use_standins_for_native_colors", true); -/* 8018: enforce prefers-color-scheme as light: 0=light, 1=dark [FF67+] ***/ - // user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF] -/* 8019: disable Web Audio API [FF51+] ***/ + // user_pref("dom.netinfo.enabled", false); // user_pref("dom.webaudio.enabled", false); -/* 8020: disable websites choosing fonts (0=block, 1=allow) ***/ +/* 8002: disable other ***/ // user_pref("browser.display.use_document_fonts", 0); -/* 8021: limit system font exposure to a whitelist [FF52+] [RESTART] - * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed - * [NOTE] In FF81+ the whitelist overrides RFP and font visibility (1403) - * [1] https://bugzilla.mozilla.org/1121643 ***/ + // user_pref("browser.zoom.siteSpecific", false); + // user_pref("dom.w3c_touch_events.enabled", 0); + // user_pref("media.navigator.enabled", false); + // user_pref("media.ondevicechange.enabled", false); + // user_pref("media.video_stats.enabled", false); + // user_pref("media.webspeech.synth.enabled", false); + // user_pref("webgl.enable-debug-renderer-info", false); +/* 8003: spoof ***/ + // user_pref("dom.maxHardwareConcurrency", 2); // user_pref("font.system.whitelist", ""); // [HIDDEN PREF] -/* 8050: navigator DOM object overrides - * [WHY] These prefs are insufficient and leak ***/ // user_pref("general.appname.override", ""); // [HIDDEN PREF] // user_pref("general.appversion.override", ""); // [HIDDEN PREF] // user_pref("general.buildID.override", ""); // [HIDDEN PREF] // user_pref("general.oscpu.override", ""); // [HIDDEN PREF] // user_pref("general.platform.override", ""); // [HIDDEN PREF] // user_pref("general.useragent.override", ""); // [HIDDEN PREF] + // user_pref("ui.use_standins_for_native_colors", true); /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1], From cef08b63f1947847e21e40021dc3d426afe5bdb9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 20 Aug 2021 02:52:55 +0000 Subject: [PATCH 363/657] 4520 -> personal --- user.js | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/user.js b/user.js index 0719d45..7be38af 100644 --- a/user.js +++ b/user.js @@ -1388,10 +1388,6 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] * When default true this no longer masks the RFP chrome resizing activity * [1] https://bugzilla.mozilla.org/1448423 ***/ user_pref("browser.startup.blankWindow", false); -/* 4520: disable chrome animations [FF77+] [RESTART] - * 0=no-preference, 1=reduce - * [NOTE] pref added in FF63, but applied to chrome in FF77. RFP spoofs this for web content ***/ -user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] /*** [SECTION 5000]: PERSONAL Non-project related but useful. If any of these interest you, add them to your overrides @@ -1411,8 +1407,11 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc // user_pref("full-screen-api.warning.timeout", 0); /* APPEARANCE ***/ // user_pref("browser.download.autohideButton", false); // [FF57+] - // user_pref("ui.systemUsesDarkTheme", 1); // with RFP this only affects chrome: 0=light, 1=dark [FF67+] [HIDDEN PREF] + // user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF] + // 0=light, 1=dark: with RFP this only affects chrome // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent + // user_pref("ui.prefersReducedMotion", 1); // disable chrome animations [FF77+] [RESTART] [HIDDEN PREF] + // 0=no-preference, 1=reduce: with RFP this only affects chrome /* CONTENT BEHAVIOR ***/ // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type" // user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX] @@ -1454,7 +1453,7 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's pushing up daisies * Location, Camera, Microphone, Notifications [FF58+] Virtual Reality [FF73+] * 0=always ask (default), 1=allow, 2=block * [WHY] These are fingerprintable via Permissions API, except VR. Just add site - * exceptions as block for frequently visited annoying sites: i.e not global + * exceptions as allow/block for frequently visited/annoying sites: i.e. not global * [SETTING] to add site exceptions: Ctrl+I>Permissions> * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/ // user_pref("permissions.default.geo", 0); From 2d3d8ae5b0c8d57187c808c39dbfbc1070f1a177 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 20 Aug 2021 03:12:59 +0000 Subject: [PATCH 364/657] alerts.showFavicons --- scratchpad-scripts/arkenfox-clear-removed.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 040604f..2ad92a9 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 19-August-2021 + Last updated: 20-August-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -205,7 +205,7 @@ 'middlemouse.paste', 'browser.search.geoip.url', 'browser.search.region', - /* 79-91 */ + /* 79-90 */ 'browser.urlbar.usepreloadedtopurls.enabled', 'dom.IntersectionObserver.enabled', 'extensions.screenshots.upload-disabled', @@ -218,6 +218,8 @@ 'browser.send_pings.require_same_host', 'webgl.min_capability_mode', 'security.ssl.enable_ocsp_stapling', + /* 91 */ + 'alerts.showFavicons', 'dom.battery.enabled', 'dom.storage.enabled', 'general.warnOnAboutConfig', From 78d953bfda9e6c91639f643a8397da3f5f9facc2 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 20 Aug 2021 03:16:25 +0000 Subject: [PATCH 365/657] remove 1032 dead wood: marked as default false since at least v68, inactive since at least v78, and web notifications are controlled in 2300s --- user.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/user.js b/user.js index 7be38af..a60750a 100644 --- a/user.js +++ b/user.js @@ -576,8 +576,6 @@ user_pref("browser.shell.shortcutFavicons", false); * control that instead; e.g. disable history, clear history on close, use PB mode * [NOTE] favicons.sqlite is sanitized on Firefox close, not in-session ***/ // user_pref("browser.chrome.site_icons", false); -/* 1032: disable favicons in web notifications ***/ - // user_pref("alerts.showFavicons", false); // [DEFAULT: false] /*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS) Your cipher and other settings can be used in server side fingerprinting From 95136382e1abbb8a8e6744bd049204a1988a86bd Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 20 Aug 2021 13:18:43 +0000 Subject: [PATCH 366/657] improve 1244, closes #1047 again --- user.js | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/user.js b/user.js index a60750a..49513fa 100644 --- a/user.js +++ b/user.js @@ -680,13 +680,12 @@ user_pref("security.pki.crlite_mode", 2); user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true] /* 1241: disable insecure passive content (such as images) on https pages [SETUP-WEB] ***/ user_pref("security.mixed_content.block_display_content", true); -/* 1244: enable HTTPS-Only mode [FF76+] - * When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored - * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On/Off/Off temporarily - * [SETTING] Privacy & Security>HTTPS-Only Mode +/* 1244: enable HTTPS-Only mode in all windows [FF76+] + * When the top-level is HTTPS, insecure subresources are also upgraded (silent fail) + * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On (after "Continue to HTTP Site") + * [SETTING] Privacy & Security>HTTPS-Only Mode (and manage exceptions) * [TEST] http://example.com [upgrade] - * [TEST] http://neverssl.org/ [no upgrade] - * [1] https://bugzilla.mozilla.org/1613063 [META] ***/ + * [TEST] http://neverssl.org/ [no upgrade] ***/ user_pref("dom.security.https_only_mode", true); // [FF76+] // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+] /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/ From c9bdceb8d6fe734197655fe1fcfa3dbdc0af66e3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 20 Aug 2021 13:23:59 +0000 Subject: [PATCH 367/657] 1244: fix no upgrade test --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 49513fa..f7fb75a 100644 --- a/user.js +++ b/user.js @@ -685,7 +685,7 @@ user_pref("security.mixed_content.block_display_content", true); * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On (after "Continue to HTTP Site") * [SETTING] Privacy & Security>HTTPS-Only Mode (and manage exceptions) * [TEST] http://example.com [upgrade] - * [TEST] http://neverssl.org/ [no upgrade] ***/ + * [TEST] http://neverssl.com/ [no upgrade] ***/ user_pref("dom.security.https_only_mode", true); // [FF76+] // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+] /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/ From 37ded2a519745850e888a374dd9e681c24a3578a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 20 Aug 2021 14:10:09 +0000 Subject: [PATCH 368/657] remove redundant warning --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index f7fb75a..5006b2b 100644 --- a/user.js +++ b/user.js @@ -1290,7 +1290,6 @@ user_pref("privacy.firstparty.isolate", true); It is an all-or-nothing buy in: you cannot pick and choose what parts you want [WARNING] DO NOT USE extensions to alter RFP protected metrics - [WARNING] DO NOT USE prefs in section 8000 with RFP as they can interfere FF41+ 418986 - limit window.screen & CSS media queries leaking identifiable info From 27ce48f31943a6c26403fac85bb5eaa0d7c6b7e8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 21 Aug 2021 02:00:43 +0000 Subject: [PATCH 369/657] trim fluff --- user.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/user.js b/user.js index 5006b2b..8b94f41 100644 --- a/user.js +++ b/user.js @@ -1491,8 +1491,7 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan // user_pref("ui.use_standins_for_native_colors", true); /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED - Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1], - which also provides a link-clickable, viewer-friendly version of the deprecated bugzilla tickets + Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1] [1] https://github.com/arkenfox/user.js/issues/123 ***/ user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); From da0c291127529fdafc072aa781e3c0163bd0678e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 21 Aug 2021 02:26:17 +0000 Subject: [PATCH 370/657] update to ESR91 --- .../arkenfox-clear-deprecated.js | 338 +++++++++--------- 1 file changed, 161 insertions(+), 177 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-deprecated.js b/scratchpad-scripts/arkenfox-clear-deprecated.js index e12f0f4..9ef8100 100644 --- a/scratchpad-scripts/arkenfox-clear-deprecated.js +++ b/scratchpad-scripts/arkenfox-clear-deprecated.js @@ -1,5 +1,5 @@ /*** - Version: up to and including FF/ESR78 + Version: up to and including FF/ESR91 This will reset the preferences that have been deprecated by Mozilla and used in the arkenfox user.js @@ -16,210 +16,194 @@ const aPREFS = [ /* deprecated */ - - /* 78 */ - 'media.autoplay.enabled.user-gestures-needed', - 'toolkit.cosmeticAnimations.enabled', - /* 77 */ - 'browser.urlbar.oneOffSearches', - 'browser.tabs.remote.allowLinkedWebInFileUriProcess', - /* 76 */ - 'extensions.blocklist.url', - /* 74 */ - 'geo.wifi.uri', - 'geo.wifi.logging.enabled', - 'privacy.userContext.longPressBehavior', - 'webgl.disable-extensions', - /* 72 */ + /* FF79-91 */ + 'browser.cache.offline.storage.enable', + 'browser.download.hide_plugins_without_extensions', + 'browser.library.activity-stream.enabled', + 'browser.search.geoSpecificDefaults', + 'browser.search.geoSpecificDefaults.url', + 'dom.ipc.plugins.flash.subprocess.crashreporter.enabled', + 'dom.ipc.plugins.reportCrashURL', + 'dom.w3c_pointer_events.enabled', + 'intl.charset.fallback.override', + 'network.ftp.enabled', + 'plugin.state.flash', + 'security.mixed_content.block_object_subrequest', + 'security.ssl.errorReporting.automatic', + 'security.ssl.errorReporting.enabled', + 'security.ssl.errorReporting.url', + /* 69-78 */ 'browser.newtabpage.activity-stream.telemetry.ping.endpoint', - 'toolkit.telemetry.hybridContent.enabled', - 'dom.indexedDB.enabled', - /* 71 */ - 'devtools.webide.enabled', + 'browser.tabs.remote.allowLinkedWebInFileUriProcess', + 'browser.urlbar.oneOffSearches', 'devtools.webide.autoinstallADBExtension', - 'offline-apps.allow_by_default', - /* 69 */ + 'devtools.webide.enabled', + 'dom.indexedDB.enabled', + 'extensions.blocklist.url', + 'geo.wifi.logging.enabled', + 'geo.wifi.uri', 'gfx.downloadable_fonts.woff2.enabled', - 'plugins.click_to_play', 'media.autoplay.allow-muted', - /* 68 */ - 'browser.newtabpage.activity-stream.disableSnippets', + 'media.autoplay.enabled.user-gestures-needed', + 'offline-apps.allow_by_default', + 'plugins.click_to_play', + 'privacy.userContext.longPressBehavior', + 'toolkit.cosmeticAnimations.enabled', + 'toolkit.telemetry.hybridContent.enabled', + 'webgl.disable-extensions', + /* 61-68 */ + 'app.update.enabled', 'browser.aboutHomeSnippets.updateUrl', - 'lightweightThemes.update.enabled', - 'security.csp.experimentalEnabled', - /* F67 */ - 'dom.event.highrestimestamp.enabled', - 'browser.newtabpage.activity-stream.asrouter.userprefs.cfr', - /* 66 */ 'browser.chrome.errorReporter.enabled', 'browser.chrome.errorReporter.submitUrl', - 'network.allow-experiments', - /* 65 */ - 'browser.urlbar.autocomplete.enabled', - 'browser.fixup.hide_user_pass', - /* 64 */ - 'browser.onboarding.enabled', - 'devtools.webide.autoinstallADBHelper', - 'devtools.webide.adbAddonURL', - 'security.csp.enable_violation_events', - /* 63 */ - 'browser.search.countryCode', - 'app.update.enabled', - 'shield.savant.enabled', 'browser.chrome.favicons', - 'media.autoplay.enabled', - 'network.cookie.lifetime.days', 'browser.ctrlTab.previews', - /* 62 */ - 'plugin.state.java', - /* 61 */ + 'browser.fixup.hide_user_pass', + 'browser.newtabpage.activity-stream.asrouter.userprefs.cfr', + 'browser.newtabpage.activity-stream.disableSnippets', + 'browser.onboarding.enabled', + 'browser.search.countryCode', + 'browser.urlbar.autocomplete.enabled', + 'devtools.webide.adbAddonURL', + 'devtools.webide.autoinstallADBHelper', + 'dom.event.highrestimestamp.enabled', + 'experiments.activeExperiment', 'experiments.enabled', 'experiments.manifest.uri', 'experiments.supported', - 'experiments.activeExperiment', + 'lightweightThemes.update.enabled', + 'media.autoplay.enabled', + 'network.allow-experiments', + 'network.cookie.lifetime.days', 'network.jar.block-remote-files', 'network.jar.open-unsafe-types', - /* 60 */ + 'plugin.state.java', + 'security.csp.enable_violation_events', + 'security.csp.experimentalEnabled', + 'shield.savant.enabled', + /* 60 or earlier */ + 'browser.bookmarks.showRecentlyBookmarked', + 'browser.casting.enabled', + 'browser.crashReports.unsubmittedCheck.autoSubmit', + 'browser.formautofill.enabled', + 'browser.formfill.saveHttpsForms', + 'browser.fullscreen.animate', + 'browser.history.allowPopState', + 'browser.history.allowPushState', + 'browser.history.allowReplaceState', + 'browser.newtabpage.activity-stream.enabled', + 'browser.newtabpage.directory.ping', 'browser.newtabpage.directory.source', 'browser.newtabpage.enhanced', 'browser.newtabpage.introShown', - 'extensions.shield-recipe-client.enabled', - 'extensions.shield-recipe-client.api_url', - 'browser.newtabpage.activity-stream.enabled', - 'dom.workers.enabled', - /* 59 */ - 'intl.locale.matchOS', - 'general.useragent.locale', - 'datareporting.healthreport.about.reportUrl', - 'dom.flyweb.enabled', - 'security.mixed_content.use_hsts', - 'security.mixed_content.send_hsts_priming', - 'network.http.referer.userControlPolicy', - 'security.xpconnect.plugin.unrestricted', - 'media.getusermedia.screensharing.allowed_domains', - 'camera.control.face_detection.enabled', - 'dom.disable_window_status_change', - 'dom.idle-observers-api.enabled', - /* 58 */ - 'browser.crashReports.unsubmittedCheck.autoSubmit', - /* 57 */ - 'social.whitelist', - 'social.toast-notifications.enabled', - 'social.shareDirectory', - 'social.remote-install.enabled', - 'social.directories', - 'social.share.activationPanelEnabled', - 'social.enabled', - 'media.eme.chromium-api.enabled', - 'devtools.webide.autoinstallFxdtAdapters', - 'browser.casting.enabled', - 'browser.bookmarks.showRecentlyBookmarked', - /* 56 */ - 'extensions.screenshots.system-disabled', - 'extensions.formautofill.experimental', - /* 55 */ - 'geo.security.allowinsecure', + 'browser.pocket.api', + 'browser.pocket.enabled', + 'browser.pocket.oAuthConsumerKey', + 'browser.pocket.site', + 'browser.polaris.enabled', + 'browser.safebrowsing.appRepURL', + 'browser.safebrowsing.enabled', + 'browser.safebrowsing.gethashURL', + 'browser.safebrowsing.malware.reportURL', + 'browser.safebrowsing.provider.google.appRepURL', + 'browser.safebrowsing.reportErrorURL', + 'browser.safebrowsing.reportGenericURL', + 'browser.safebrowsing.reportMalwareErrorURL', + 'browser.safebrowsing.reportMalwareMistakeURL', + 'browser.safebrowsing.reportMalwareURL', + 'browser.safebrowsing.reportPhishMistakeURL', + 'browser.safebrowsing.reportURL', + 'browser.safebrowsing.updateURL', + 'browser.search.showOneOffButtons', 'browser.selfsupport.enabled', 'browser.selfsupport.url', - 'browser.newtabpage.directory.ping', - 'browser.formfill.saveHttpsForms', - 'browser.formautofill.enabled', - 'dom.enable_user_timing', - 'dom.keyboardevent.code.enabled', + 'browser.sessionstore.privacy_level_deferred', 'browser.tabs.animate', - 'browser.fullscreen.animate', - /* 54 */ - 'browser.safebrowsing.reportMalwareMistakeURL', - 'browser.safebrowsing.reportPhishMistakeURL', - 'media.eme.apiVisible', - 'dom.archivereader.enabled', - /* 53 */ - 'security.tls.unrestricted_rc4_fallback', - 'plugin.scan.Acrobat', - 'plugin.scan.Quicktime', - 'plugin.scan.WindowsMediaPlayer', - 'media.getusermedia.screensharing.allow_on_old_platforms', - 'dom.beforeAfterKeyboardEvent.enabled', - /* 52 */ - 'network.http.sendSecureXSiteReferrer', - 'media.gmp-eme-adobe.enabled', - 'media.gmp-eme-adobe.visible', - 'media.gmp-eme-adobe.autoupdate', - 'dom.telephony.enabled', - 'dom.battery.enabled', - /* 51 */ - 'media.block-play-until-visible', - 'dom.vr.oculus050.enabled', - 'network.http.spdy.enabled.v3-1', - /* 50 */ + 'browser.trackingprotection.gethashURL', + 'browser.trackingprotection.updateURL', + 'browser.urlbar.unifiedcomplete', 'browser.usedOnWindows10.introURL', - 'plugins.update.notifyUser', - 'browser.safebrowsing.enabled', - 'security.ssl3.ecdhe_ecdsa_rc4_128_sha', - 'security.ssl3.ecdhe_rsa_rc4_128_sha', - 'security.ssl3.rsa_rc4_128_md5', - 'security.ssl3.rsa_rc4_128_sha', - 'plugins.update.url', - /* 49 */ + 'camera.control.autofocus_moving_callback.enabled', + 'camera.control.face_detection.enabled', + 'datareporting.healthreport.about.reportUrl', + 'datareporting.healthreport.about.reportUrlUnified', + 'datareporting.healthreport.documentServerURI', + 'datareporting.healthreport.service.enabled', + 'datareporting.policy.dataSubmissionEnabled.v2', + 'devtools.webide.autoinstallFxdtAdapters', + 'dom.archivereader.enabled', + 'dom.battery.enabled', + 'dom.beforeAfterKeyboardEvent.enabled', + 'dom.disable_image_src_set', + 'dom.disable_window_open_feature.scrollbars', + 'dom.disable_window_status_change', + 'dom.enable_user_timing', + 'dom.flyweb.enabled', + 'dom.idle-observers-api.enabled', + 'dom.keyboardevent.code.enabled', + 'dom.network.enabled', + 'dom.push.udp.wakeupEnabled', + 'dom.telephony.enabled', + 'dom.vr.oculus050.enabled', + 'dom.workers.enabled', + 'dom.workers.sharedWorkers.enabled', + 'extensions.formautofill.experimental', + 'extensions.screenshots.system-disabled', + 'extensions.shield-recipe-client.api_url', + 'extensions.shield-recipe-client.enabled', + 'full-screen-api.approval-required', + 'general.useragent.locale', + 'geo.security.allowinsecure', + 'intl.locale.matchOS', 'loop.enabled', - 'loop.server', - 'loop.feedback.formURL', - 'loop.feedback.manualFormURL', 'loop.facebook.appId', 'loop.facebook.enabled', 'loop.facebook.fallbackUrl', 'loop.facebook.shareUrl', + 'loop.feedback.formURL', + 'loop.feedback.manualFormURL', 'loop.logDomains', - 'dom.disable_window_open_feature.scrollbars', - 'dom.push.udp.wakeupEnabled', - /* 48 */ - 'browser.urlbar.unifiedcomplete', - /* 47 */ - 'toolkit.telemetry.unifiedIsOptIn', - 'datareporting.healthreport.about.reportUrlUnified', - 'browser.history.allowPopState', - 'browser.history.allowPushState', - 'browser.history.allowReplaceState', - /* 46 */ - 'datareporting.healthreport.service.enabled', - 'datareporting.healthreport.documentServerURI', - 'datareporting.policy.dataSubmissionEnabled.v2', - 'browser.safebrowsing.appRepURL', - 'browser.polaris.enabled', - 'browser.pocket.enabled', - 'browser.pocket.api', - 'browser.pocket.site', - 'browser.pocket.oAuthConsumerKey', - /* 45 */ - 'browser.sessionstore.privacy_level_deferred', - /* 44 */ - 'browser.safebrowsing.provider.google.appRepURL', - 'security.tls.insecure_fallback_hosts.use_static_list', - 'dom.workers.sharedWorkers.enabled', - 'dom.disable_image_src_set', - /* 43 */ - 'browser.safebrowsing.gethashURL', - 'browser.safebrowsing.updateURL', - 'browser.safebrowsing.malware.reportURL', - 'browser.trackingprotection.gethashURL', - 'browser.trackingprotection.updateURL', + 'loop.server', + 'media.block-play-until-visible', + 'media.eme.apiVisible', + 'media.eme.chromium-api.enabled', + 'media.getusermedia.screensharing.allow_on_old_platforms', + 'media.getusermedia.screensharing.allowed_domains', + 'media.gmp-eme-adobe.autoupdate', + 'media.gmp-eme-adobe.enabled', + 'media.gmp-eme-adobe.visible', + 'network.http.referer.userControlPolicy', + 'network.http.sendSecureXSiteReferrer', + 'network.http.spdy.enabled.http2draft', + 'network.http.spdy.enabled.v3-1', + 'network.websocket.enabled', + 'pageThumbs.enabled', 'pfs.datasource.url', - 'browser.search.showOneOffButtons', - /* 42 and earlier */ - 'privacy.clearOnShutdown.passwords', // 42 - 'full-screen-api.approval-required', // 42 - 'browser.safebrowsing.reportErrorURL', // 41 - 'browser.safebrowsing.reportGenericURL', // 41 - 'browser.safebrowsing.reportMalwareErrorURL', // 41 - 'browser.safebrowsing.reportMalwareURL', // 41 - 'browser.safebrowsing.reportURL', // 41 - 'plugins.enumerable_names', // 41 - 'network.http.spdy.enabled.http2draft', // 41 - 'camera.control.autofocus_moving_callback.enabled', // 37 - 'privacy.donottrackheader.value', // 36 - 'network.websocket.enabled', // 35 - 'dom.network.enabled', // 31 - 'pageThumbs.enabled', // 25 + 'plugin.scan.Acrobat', + 'plugin.scan.Quicktime', + 'plugin.scan.WindowsMediaPlayer', + 'plugins.enumerable_names', + 'plugins.update.notifyUser', + 'plugins.update.url', + 'privacy.clearOnShutdown.passwords', + 'privacy.donottrackheader.value', + 'security.mixed_content.send_hsts_priming', + 'security.mixed_content.use_hsts', + 'security.ssl3.ecdhe_ecdsa_rc4_128_sha', + 'security.ssl3.ecdhe_rsa_rc4_128_sha', + 'security.ssl3.rsa_rc4_128_md5', + 'security.ssl3.rsa_rc4_128_sha', + 'security.tls.insecure_fallback_hosts.use_static_list', + 'security.tls.unrestricted_rc4_fallback', + 'security.xpconnect.plugin.unrestricted', + 'social.directories', + 'social.enabled', + 'social.remote-install.enabled', + 'social.share.activationPanelEnabled', + 'social.shareDirectory', + 'social.toast-notifications.enabled', + 'social.whitelist', + 'toolkit.telemetry.unifiedIsOptIn', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' From 213467d91bb1bc4f5c517c2d542b11fe41422387 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 21 Aug 2021 03:21:32 +0000 Subject: [PATCH 371/657] remove 2517 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - inactive since we added it in v63 - this is not how you defeat fingerprinting (unless done in an enforced set) - for the record: not even tor browser disable this - fingerprinting this is not cheap in gecko (for now) - from [2] - decoding/encoding capabilities: "it is expected that the entropy ... isn’t going to be significant" - HDR detection: "... has the potential to add significant entropy .. however .. but ... thus minimizing effective entropy" - it is what it is - note that RFP has some mitigations in FF82+ 1461454 --- user.js | 5 ----- 1 file changed, 5 deletions(-) diff --git a/user.js b/user.js index 8b94f41..59021dc 100644 --- a/user.js +++ b/user.js @@ -976,11 +976,6 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m * [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/ // user_pref("gfx.direct2d.disabled", true); // [WINDOWS] // user_pref("layers.acceleration.disabled", true); -/* 2517: disable Media Capabilities API [FF63+] - * [WARNING] The API state is fingerprintable. Disabling may affect performance - * [1] https://github.com/WICG/media-capabilities - * [2] https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/ - // user_pref("media.media-capabilities.enabled", false); /* 2522: disable/limit WebGL (Web Graphics Library) * [SETUP-WEB] When disabled, will break some websites. When enabled, provides high entropy, * especially with readPixels(). Some of the other entropy is lessened with RFP (4501) From 2a011f10539a473434303165cf8a578a3ebe50e6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 21 Aug 2021 03:23:17 +0000 Subject: [PATCH 372/657] media.media-capabilities.enabled see https://github.com/arkenfox/user.js/commit/213467d91bb1bc4f5c517c2d542b11fe41422387 --- scratchpad-scripts/arkenfox-clear-removed.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 2ad92a9..efafd79 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 20-August-2021 + Last updated: 21-August-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -223,6 +223,7 @@ 'dom.battery.enabled', 'dom.storage.enabled', 'general.warnOnAboutConfig', + 'media.media-capabilities.enabled', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ]; From aded0707a4ad6c91f68d81d5b0fc75578d5aa048 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 21 Aug 2021 04:39:08 +0000 Subject: [PATCH 373/657] misc - renumber 0200s, 2500s - remove 2414: doesn't apply to desktop, and I think it has been neutered in android --- user.js | 64 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 31 insertions(+), 33 deletions(-) diff --git a/user.js b/user.js index 59021dc..4ee3628 100644 --- a/user.js +++ b/user.js @@ -36,7 +36,7 @@ ESR78 - If you are not using arkenfox v78... (not a definitive list) - 1244: HTTPS-Only mode is enabled - - 2525: non-native widget theme is enforced + - 2502: non-native widget theme is enforced - 9999: switch the appropriate deprecated section(s) back on * INDEX: @@ -58,7 +58,7 @@ 2000: PLUGINS / MEDIA / WEBRTC 2300: WEB WORKERS 2400: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT - 2500: HARDWARE FINGERPRINTING + 2500: FINGERPRINTING 2600: MISCELLANEOUS 2700: PERSISTENT STORAGE 2800: SHUTDOWN @@ -128,20 +128,20 @@ user_pref("browser.newtabpage.activity-stream.default.sites", ""); /*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/ user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!"); -/* 0203: use Mozilla geolocation service instead of Google if permission is granted [FF74+] +/* 0201: use Mozilla geolocation service instead of Google if permission is granted [FF74+] * Optionally enable logging to the console (defaults to false) ***/ user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); // user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF] -/* 0204: disable using the OS's geolocation service ***/ +/* 0202: disable using the OS's geolocation service ***/ user_pref("geo.provider.ms-windows-location", false); // [WINDOWS] user_pref("geo.provider.use_corelocation", false); // [MAC] user_pref("geo.provider.use_gpsd", false); // [LINUX] -/* 0207: disable region updates +/* 0203: disable region updates * [1] https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html ***/ user_pref("browser.region.network.url", ""); // [FF78+] user_pref("browser.region.update.enabled", false); // [[FF79+] -/* 0208: set search region - * [NOTE] May not be hidden if Firefox has changed your settings due to your region (0207) ***/ +/* 0204: set search region + * [NOTE] May not be hidden if Firefox has changed your settings due to your region (0203) ***/ // user_pref("browser.search.region", "US"); // [HIDDEN PREF] /* 0210: set preferred language for displaying web pages * [TEST] https://addons.mozilla.org/about ***/ @@ -943,8 +943,6 @@ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); /* 2408: enable (limited but sufficient) window.opener protection [FF65+] * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] -/* 2414: disable shaking the screen ***/ -user_pref("dom.vibrator.enabled", false); /* 2420: disable asm.js [FF22+] [SETUP-PERF] * [1] http://asmjs.org/ * [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js @@ -968,15 +966,25 @@ user_pref("javascript.options.asmjs", false); * [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/ user_pref("javascript.options.wasm", false); -/*** [SECTION 2500]: HARDWARE FINGERPRINTING ***/ +/*** [SECTION 2500]: FINGERPRINTING ***/ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!"); -/* 2508: disable hardware acceleration [SETUP-HARDEN] - * [WARNING] Affects rendering and performance - * [SETTING] General>Performance>Custom>Use hardware acceleration when available - * [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/ - // user_pref("gfx.direct2d.disabled", true); // [WINDOWS] - // user_pref("layers.acceleration.disabled", true); -/* 2522: disable/limit WebGL (Web Graphics Library) +/* 2501: enforce no system colors + * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ +user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] +/* 2502: enforce non-native widget theme + * Security: removes/reduces system API calls, e.g. win32k API [1] + * Fingerprinting: provides a uniform look and feel across platforms [2] + * [1] https://bugzilla.mozilla.org/1381938 + * [2] https://bugzilla.mozilla.org/1411425 ***/ +user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+] +/* 2503: open links targeting new windows in a new tab instead + * Stops malicious window sizes and some screen resolution leaks. + * You can still right-click a link and open in a new window + * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ +user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab +user_pref("browser.link.open_newwindow.restriction", 0); +/* 2504: disable/limit WebGL (Web Graphics Library) * [SETUP-WEB] When disabled, will break some websites. When enabled, provides high entropy, * especially with readPixels(). Some of the other entropy is lessened with RFP (4501) * [1] https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/ @@ -984,22 +992,12 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m user_pref("webgl.disabled", true); // user_pref("webgl.enable-webgl2", false); // user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] -/* 2523: enforce no system colors - * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ -user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] -/* 2524: open links targeting new windows in a new tab instead - * Stops malicious window sizes and some screen resolution leaks. - * You can still right-click a link and open in a new window - * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen - * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ -user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab -user_pref("browser.link.open_newwindow.restriction", 0); -/* 2525: enforce non-native widget theme - * Security: removes/reduces system API calls, e.g. win32k API [1] - * Fingerprinting: provides a uniform look and feel across platforms [2] - * [1] https://bugzilla.mozilla.org/1381938 - * [2] https://bugzilla.mozilla.org/1411425 ***/ -user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+] +/* 2508: disable hardware acceleration [SETUP-HARDEN] + * [WARNING] Affects rendering and performance + * [SETTING] General>Performance>Custom>Use hardware acceleration when available + * [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/ + // user_pref("gfx.direct2d.disabled", true); // [WINDOWS] + // user_pref("layers.acceleration.disabled", true); /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); From 7cdc76ecf9a72372487de7d27821bd810e9ea589 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 21 Aug 2021 04:40:11 +0000 Subject: [PATCH 374/657] dom.vibrator.enabled see https://github.com/arkenfox/user.js/commit/aded0707a4ad6c91f68d81d5b0fc75578d5aa048 --- scratchpad-scripts/arkenfox-clear-removed.js | 1 + 1 file changed, 1 insertion(+) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index efafd79..5c5a352 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -222,6 +222,7 @@ 'alerts.showFavicons', 'dom.battery.enabled', 'dom.storage.enabled', + 'dom.vibrator.enabled', 'general.warnOnAboutConfig', 'media.media-capabilities.enabled', /* reset parrot: check your open about:config after running the script */ From 04d648d55b4aeff5aada935356b59031ab75b482 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 22 Aug 2021 01:53:01 +0000 Subject: [PATCH 375/657] remove 2508 - inactive in user.js since - v55: gfx.direct2d.disabled - v67: layers.acceleration.disabled - the way to counter hardware fingerprinting is within each API that may expose it - this may have made some sense way back in the day, when there were less options/protections, but not any more - [are we web render yet](https://arewewebrenderyet.com/) - yes, 100% - there is no need to cripple your browser's perf --- user.js | 6 ------ 1 file changed, 6 deletions(-) diff --git a/user.js b/user.js index 4ee3628..b681b28 100644 --- a/user.js +++ b/user.js @@ -992,12 +992,6 @@ user_pref("browser.link.open_newwindow.restriction", 0); user_pref("webgl.disabled", true); // user_pref("webgl.enable-webgl2", false); // user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] -/* 2508: disable hardware acceleration [SETUP-HARDEN] - * [WARNING] Affects rendering and performance - * [SETTING] General>Performance>Custom>Use hardware acceleration when available - * [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/ - // user_pref("gfx.direct2d.disabled", true); // [WINDOWS] - // user_pref("layers.acceleration.disabled", true); /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); From 8bfee5b59f41aa0ad67cf421560524f7fe87625f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 22 Aug 2021 01:55:28 +0000 Subject: [PATCH 376/657] hardware acceleration see https://github.com/arkenfox/user.js/commit/04d648d55b4aeff5aada935356b59031ab75b482 --- scratchpad-scripts/arkenfox-clear-removed.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 5c5a352..a5e1a01 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 21-August-2021 + Last updated: 22-August-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -224,6 +224,8 @@ 'dom.storage.enabled', 'dom.vibrator.enabled', 'general.warnOnAboutConfig', + 'gfx.direct2d.disabled', + 'layers.acceleration.disabled', 'media.media-capabilities.enabled', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' From 2b26cd4f41d7d7e8e0d00ab2a7411238aac98d67 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 22 Aug 2021 05:18:54 +0000 Subject: [PATCH 377/657] 7000s: ciphers, #1235 - merged 3DES cipher to bottom: it is still the same order of [1] - 3DES pref will be deprecated: pref name changes, and the cipher slated to be unavailable unless you downgrade to < TLS1.2 - see https://bugzilla.mozilla.org/show_bug.cgi?id=1724072 - FYI: we reset TLS downgrades to session only by resetting the pref currently in 1203 - "Minimal/non-existent threat of downgrade attacks" - FYI: these old ciphers are about 1-2% of traffic (from memory) - but that's still significant breakage - So the only reason to do this would be to harden against downgrade attacks (and inadvertently use weak sites = breakage): but that doesn't fit most user's threat model: and is probably never going to happen for them. Not sure if I can word that much better and just as succinct --- user.js | 39 ++++++++++++++------------------------- 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/user.js b/user.js index b681b28..2208639 100644 --- a/user.js +++ b/user.js @@ -51,7 +51,7 @@ 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS 0900: PASSWORDS 1000: CACHE / SESSION (RE)STORE / FAVICONS - 1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS) + 1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP) 1400: FONTS 1600: HEADERS / REFERERS 1700: CONTAINERS @@ -577,7 +577,7 @@ user_pref("browser.shell.shortcutFavicons", false); * [NOTE] favicons.sqlite is sanitized on Firefox close, not in-session ***/ // user_pref("browser.chrome.site_icons", false); -/*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS) +/*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP) Your cipher and other settings can be used in server side fingerprinting [TEST] https://www.ssllabs.com/ssltest/viewMyClient.html [TEST] https://browserleaks.com/ssl @@ -701,29 +701,6 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); * [1] https://bugzilla.mozilla.org/1382359 ***/ // user_pref("dom.securecontext.whitelist_onions", true); -/** CIPHERS - [WARNING] DO NOT USE: see the section 1200 intro - These are the ciphers listed under "Cipher Suites" [1] that are either still using SHA-1 and CBC, - and/or are missing Perfect Forward Secrecy [3] and/or have other weaknesses like key sizes of 128 - [1] https://browserleaks.com/ssl - [2] https://en.wikipedia.org/wiki/Key_size - [3] https://en.wikipedia.org/wiki/Forward_secrecy - ***/ -/* 1261: disable 3DES (effective key size < 128 and no PFS) - * [1] https://en.wikipedia.org/wiki/3des#Security - * [2] https://en.wikipedia.org/wiki/Meet-in-the-middle_attack - * [3] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ***/ - // user_pref("security.ssl3.rsa_des_ede3_sha", false); -/* 1264: disable the remaining non-modern cipher suites as of FF78 (in order of preferred by FF) ***/ - // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); - // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); - // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); - // user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false); - // user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS - // user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS - // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS - // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS - /** UI (User Interface) ***/ /* 1270: display warning on the padlock for "broken security" (if 1201 is false) * Bug: warning padlock not indicated for subresources on a secure page! [2] @@ -1444,6 +1421,18 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's pushing up daisies // user_pref("permissions.default.microphone", 0); // user_pref("permissions.default.desktop-notification", 0); // user_pref("permissions.default.xr", 0); // Virtual Reality +/* 7003: disable non-modern cipher suites [1] + * [WHY] Passive fingerprinting. Minimal/non-existent threat of downgrade attacks + * [1] https://browserleaks.com/ssl ***/ + // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); + // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); + // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); + // user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false); + // user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS + // user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS + // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS + // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS + // user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES /*** [SECTION 8000]: DON'T BOTHER: NON-RFP [WHY] They are insufficient to help anti-fingerprinting and do more harm than good From cf379bcce01e88e6a442943e1b64a5ec34353968 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 22 Aug 2021 05:45:08 +0000 Subject: [PATCH 378/657] typos --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 2208639..f51ede8 100644 --- a/user.js +++ b/user.js @@ -731,7 +731,7 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); * [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/ user_pref("gfx.font_rendering.graphite.enabled", false); /* 1403: limit font visibility (Windows, Mac, some Linux) [FF79+] - * [NOTE] IN FF8)+ RFP ignores the pref and uses value 1 + * [NOTE] In FF80+ RFP ignores the pref and uses value 1 * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed * 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/ From c55e6dcd682f275018122f0e7093d0b5208e80fb Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 22 Aug 2021 08:27:15 +0000 Subject: [PATCH 379/657] flip order, order within groups - note: keeping 91 separate for now for the easy info factpr --- scratchpad-scripts/arkenfox-clear-removed.js | 386 +++++++++---------- 1 file changed, 193 insertions(+), 193 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index a5e1a01..5120643 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -13,24 +13,205 @@ const aPREFS = [ /* removed in arkenfox user.js */ + /* 91 */ + 'alerts.showFavicons', + 'dom.battery.enabled', + 'dom.storage.enabled', + 'dom.vibrator.enabled', + 'general.warnOnAboutConfig', + 'gfx.direct2d.disabled', + 'layers.acceleration.disabled', + 'media.media-capabilities.enabled', + /* 79-90 */ + 'browser.newtabpage.activity-stream.asrouter.providers.snippets', + 'browser.send_pings.require_same_host', + 'browser.urlbar.usepreloadedtopurls.enabled', + 'dom.IntersectionObserver.enabled', + 'extensions.screenshots.upload-disabled', + 'media.gmp-widevinecdm.visible', + 'network.http.redirection-limit', + 'privacy.partition.network_state', + 'security.ssl.enable_ocsp_stapling', + 'security.ssl3.dhe_rsa_aes_128_sha', + 'security.ssl3.dhe_rsa_aes_256_sha', + 'webgl.min_capability_mode', + /* 69-78 */ + 'browser.cache.disk_cache_ssl', + 'browser.search.geoip.url', + 'browser.search.region', + 'browser.sessionhistory.max_entries', + 'dom.push.connection.enabled', + 'dom.push.serverURL', + 'extensions.getAddons.discovery.api_url', + 'extensions.htmlaboutaddons.discover.enabled', + 'extensions.webservice.discoverURL', + 'intl.locale.requested', + 'intl.regional_prefs.use_os_locales', + 'media.block-autoplay-until-in-foreground', + 'middlemouse.paste', + 'plugin.sessionPermissionNow.intervalInMinutes', + 'privacy.usercontext.about_newtab_segregation.enabled', + 'security.insecure_connection_icon.pbmode.enabled', + 'security.insecure_connection_text.pbmode.enabled', + 'webgl.dxgl.enabled', + /* 61-68 */ + 'app.update.service.enabled', + 'app.update.silent', + 'app.update.staging.enabled', + 'browser.cache.disk.capacity', + 'browser.cache.disk.smart_size.enabled', + 'browser.cache.disk.smart_size.first_run', + 'browser.cache.offline.insecure.enable', + 'browser.contentblocking.enabled', + 'browser.eme.ui.enabled', + 'browser.laterrun.enabled', + 'browser.offline-apps.notify', + 'browser.rights.3.shown', + 'browser.safebrowsing.blockedURIs.enabled', + 'browser.safebrowsing.downloads.remote.block_dangerous', + 'browser.safebrowsing.downloads.remote.block_dangerous_host', + 'browser.safebrowsing.provider.google.gethashURL', + 'browser.safebrowsing.provider.google.reportMalwareMistakeURL', + 'browser.safebrowsing.provider.google.reportPhishMistakeURL', + 'browser.safebrowsing.provider.google.reportURL', + 'browser.safebrowsing.provider.google.updateURL', + 'browser.safebrowsing.provider.google4.dataSharing.enabled', + 'browser.safebrowsing.provider.google4.dataSharingURL', + 'browser.safebrowsing.provider.google4.gethashURL', + 'browser.safebrowsing.provider.google4.reportMalwareMistakeURL', + 'browser.safebrowsing.provider.google4.reportPhishMistakeURL', + 'browser.safebrowsing.provider.google4.reportURL', + 'browser.safebrowsing.provider.google4.updateURL', + 'browser.safebrowsing.provider.mozilla.gethashURL', + 'browser.safebrowsing.provider.mozilla.updateURL', + 'browser.safebrowsing.reportPhishURL', + 'browser.sessionhistory.max_total_viewers', + 'browser.sessionstore.max_windows_undo', + 'browser.slowStartup.maxSamples', + 'browser.slowStartup.notificationDisabled', + 'browser.slowStartup.samples', + 'browser.storageManager.enabled', + 'browser.urlbar.autoFill.typed', + 'browser.urlbar.filter.javascript', + 'browser.urlbar.maxHistoricalSearchSuggestions', + 'browser.urlbar.userMadeSearchSuggestionsChoice', + 'canvas.capturestream.enabled', + 'dom.allow_scripts_to_close_windows', + 'dom.disable_window_flip', + 'dom.forms.datetime', + 'dom.imagecapture.enabled', + 'dom.popup_maximum', + 'extensions.webextensions.keepStorageOnUninstall', + 'extensions.webextensions.keepUuidOnUninstall', + 'font.blacklist.underline_offset', + 'font.name.monospace.x-unicode', + 'font.name.monospace.x-western', + 'font.name.sans-serif.x-unicode', + 'font.name.sans-serif.x-western', + 'font.name.serif.x-unicode', + 'font.name.serif.x-western', + 'gfx.offscreencanvas.enabled', + 'javascript.options.shared_memory', + 'layout.css.font-loading-api.enabled', + 'media.gmp-gmpopenh264.autoupdate', + 'media.gmp-gmpopenh264.enabled', + 'media.gmp-manager.updateEnabled', + 'media.gmp-manager.url', + 'media.gmp-manager.url.override', + 'media.gmp-widevinecdm.autoupdate', + 'media.gmp.trial-create.enabled', + 'media.navigator.video.enabled', + 'media.peerconnection.ice.tcp', + 'media.peerconnection.identity.enabled', + 'media.peerconnection.identity.timeout', + 'media.peerconnection.turn.disable', + 'media.peerconnection.use_document_iceservers', + 'media.peerconnection.video.enabled', + 'network.auth.subresource-img-cross-origin-http-auth-allow', + 'network.cookie.leave-secure-alone', + 'network.cookie.same-site.enabled', + 'network.dnsCacheEntries', + 'network.dnsCacheExpiration', + 'network.http.fast-fallback-to-IPv4', + 'network.proxy.autoconfig_url.include_path', + 'offline-apps.quota.warn', + 'pdfjs.enableWebGL', + 'plugin.default.state', + 'plugin.defaultXpi.state', + 'plugin.scan.plid.all', + 'privacy.trackingprotection.annotate_channels', + 'privacy.trackingprotection.lower_network_priority', + 'privacy.trackingprotection.pbmode.enabled', + 'privacy.trackingprotection.ui.enabled', + 'security.data_uri.block_toplevel_data_uri_navigations', + 'security.insecure_field_warning.contextual.enabled', + 'security.insecure_password.ui.enabled', + 'security.tls.version.fallback-limit', + 'services.blocklist.addons.collection', + 'services.blocklist.gfx.collection', + 'services.blocklist.onecrl.collection', + 'services.blocklist.plugins.collection', + 'services.blocklist.signing.enforced', + 'services.blocklist.update_enabled', + 'signon.autofillForms.http', + 'signon.storeWhenAutocompleteOff', + 'toolkit.telemetry.cachedClientID', + 'urlclassifier.trackingTable', + 'xpinstall.whitelist.required', /* 60 or lower */ + 'browser.migrate.automigrate.enabled', + 'browser.search.geoip.timeout', 'browser.search.reset.enabled', 'browser.search.reset.whitelist', - 'browser.migrate.automigrate.enabled', + 'browser.stopReloadAnimation.enabled', + 'browser.tabs.insertRelatedAfterCurrent', + 'browser.tabs.loadDivertedInBackground', + 'browser.tabs.loadInBackground', + 'browser.tabs.selectOwnerOnClose', + 'browser.urlbar.clickSelectsAll', + 'browser.urlbar.doubleClickSelectsAll', + 'device.storage.enabled', + 'dom.keyboardevent.dispatch_during_composition', + 'dom.presentation.controller.enabled', + 'dom.presentation.discoverable', + 'dom.presentation.discovery.enabled', + 'dom.presentation.enabled', + 'dom.presentation.receiver.enabled', + 'dom.presentation.session_transport.data_channel.enable', + 'dom.vr.oculus.enabled', + 'dom.vr.openvr.enabled', + 'dom.vr.osvr.enabled', + 'extensions.pocket.api', + 'extensions.pocket.oAuthConsumerKey', + 'extensions.pocket.site', + 'general.useragent.compatMode.firefox', + 'geo.wifi.xhr.timeout', + 'gfx.layerscope.enabled', + 'media.flac.enabled', + 'media.mediasource.enabled', + 'media.mediasource.mp4.enabled', + 'media.mediasource.webm.audio.enabled', + 'media.mediasource.webm.enabled', + 'media.mp4.enabled', + 'media.ogg.enabled', + 'media.ogg.flac.enabled', + 'media.opus.enabled', + 'media.raw.enabled', + 'media.wave.enabled', + 'media.webm.enabled', + 'media.webspeech.recognition.enable', + 'media.wmf.amd.vp9.enabled', + 'media.wmf.enabled', + 'media.wmf.vp9.enabled', + 'network.dns.blockDotOnion', + 'network.stricttransportsecurity.preloadlist', + 'security.block_script_with_wrong_mime', + 'security.fileuri.strict_origin_policy', + 'security.sri.enable', 'services.sync.enabled', + 'ui.submenuDelay', 'webextensions.storage.sync.enabled', 'webextensions.storage.sync.serverURL', - 'dom.keyboardevent.dispatch_during_composition', // default is false anyway - 'dom.vr.oculus.enabled', // covered by dom.vr.enabled - 'dom.vr.openvr.enabled', // ditto - 'dom.vr.osvr.enabled', // ditto - 'extensions.pocket.api', // covered by extensions.pocket.enabled - 'extensions.pocket.oAuthConsumerKey', // ditto - 'extensions.pocket.site', // ditto - 'geo.wifi.xhr.timeout', // covered by geo.enabled - 'browser.search.geoip.timeout', // ditto - 'media.webspeech.recognition.enable', // default is false anyway - 'gfx.layerscope.enabled', // default is false anyway // excluding these e10 settings // 'browser.tabs.remote.autostart', // 'browser.tabs.remote.autostart.2', @@ -46,187 +227,6 @@ // 'dom.ipc.plugins.sandbox-level.default', // 'dom.ipc.plugins.sandbox-level.flash', // 'security.sandbox.logging.enabled', - 'dom.presentation.controller.enabled', - 'dom.presentation.discoverable', - 'dom.presentation.discovery.enabled', - 'dom.presentation.enabled', - 'dom.presentation.receiver.enabled', - 'dom.presentation.session_transport.data_channel.enable', - 'browser.stopReloadAnimation.enabled', - 'browser.tabs.insertRelatedAfterCurrent', - 'browser.tabs.loadDivertedInBackground', - 'browser.tabs.loadInBackground', - 'browser.tabs.selectOwnerOnClose', - 'browser.urlbar.clickSelectsAll', - 'browser.urlbar.doubleClickSelectsAll', - 'media.flac.enabled', - 'media.mediasource.enabled', - 'media.mediasource.mp4.enabled', - 'media.mediasource.webm.audio.enabled', - 'media.mediasource.webm.enabled', - 'media.mp4.enabled', - 'media.ogg.enabled', - 'media.ogg.flac.enabled', - 'media.opus.enabled', - 'media.raw.enabled', - 'media.wave.enabled', - 'media.webm.enabled', - 'media.wmf.amd.vp9.enabled', - 'media.wmf.enabled', - 'media.wmf.vp9.enabled', - 'ui.submenuDelay', - 'device.storage.enabled', - 'general.useragent.compatMode.firefox', - 'network.dns.blockDotOnion', - 'network.stricttransportsecurity.preloadlist', - 'security.block_script_with_wrong_mime', - 'security.fileuri.strict_origin_policy', - 'security.sri.enable', - /* 61-68 */ - 'browser.laterrun.enabled', - 'browser.offline-apps.notify', - 'browser.rights.3.shown', - 'browser.slowStartup.maxSamples', - 'browser.slowStartup.notificationDisabled', - 'browser.slowStartup.samples', - 'browser.storageManager.enabled', - 'dom.allow_scripts_to_close_windows', - 'dom.disable_window_flip', - 'network.http.fast-fallback-to-IPv4', - 'offline-apps.quota.warn', - 'services.blocklist.signing.enforced', - 'browser.urlbar.autoFill.typed', - 'security.tls.version.fallback-limit', - 'extensions.webextensions.keepStorageOnUninstall', - 'extensions.webextensions.keepUuidOnUninstall', - 'privacy.trackingprotection.ui.enabled', - 'browser.eme.ui.enabled', - 'browser.sessionstore.max_windows_undo', - 'network.auth.subresource-img-cross-origin-http-auth-allow', - 'media.peerconnection.ice.tcp', - 'media.peerconnection.identity.enabled', - 'media.peerconnection.identity.timeout', - 'media.peerconnection.turn.disable', - 'media.peerconnection.use_document_iceservers', - 'media.peerconnection.video.enabled', - 'media.navigator.video.enabled', - 'browser.contentblocking.enabled', - 'browser.urlbar.maxHistoricalSearchSuggestions', - 'app.update.service.enabled', - 'app.update.silent', - 'app.update.staging.enabled', - 'browser.cache.disk.capacity', - 'browser.cache.disk.smart_size.enabled', - 'browser.cache.disk.smart_size.first_run', - 'browser.cache.offline.insecure.enable', - 'browser.safebrowsing.provider.google.reportMalwareMistakeURL', - 'browser.safebrowsing.provider.google.reportPhishMistakeURL', - 'browser.safebrowsing.provider.google.reportURL', - 'browser.safebrowsing.provider.google4.dataSharing.enabled', - 'browser.safebrowsing.provider.google4.dataSharingURL', - 'browser.safebrowsing.provider.google4.reportMalwareMistakeURL', - 'browser.safebrowsing.provider.google4.reportPhishMistakeURL', - 'browser.safebrowsing.provider.google4.reportURL', - 'browser.safebrowsing.reportPhishURL', - 'browser.sessionhistory.max_total_viewers', - 'browser.urlbar.filter.javascript', - 'canvas.capturestream.enabled', - 'dom.imagecapture.enabled', - 'dom.popup_maximum', - 'gfx.offscreencanvas.enabled', - 'javascript.options.shared_memory', - 'media.gmp-gmpopenh264.autoupdate', - 'media.gmp-gmpopenh264.enabled', - 'media.gmp-manager.updateEnabled', - 'media.gmp-manager.url', - 'media.gmp-manager.url.override', - 'media.gmp.trial-create.enabled', - 'media.gmp-widevinecdm.autoupdate', - 'network.cookie.leave-secure-alone', - 'network.cookie.same-site.enabled', - 'network.dnsCacheEntries', - 'network.dnsCacheExpiration', - 'network.proxy.autoconfig_url.include_path', - 'pdfjs.enableWebGL', - 'plugin.default.state', - 'plugin.defaultXpi.state', - 'plugin.scan.plid.all', - 'security.data_uri.block_toplevel_data_uri_navigations', - 'security.insecure_field_warning.contextual.enabled', - 'security.insecure_password.ui.enabled', - 'signon.autofillForms.http', - 'signon.storeWhenAutocompleteOff', - 'xpinstall.whitelist.required', - 'browser.safebrowsing.downloads.remote.block_dangerous', - 'browser.safebrowsing.downloads.remote.block_dangerous_host', - 'browser.safebrowsing.blockedURIs.enabled', - 'browser.safebrowsing.provider.google.gethashURL', - 'browser.safebrowsing.provider.google.updateURL', - 'browser.safebrowsing.provider.google4.gethashURL', - 'browser.safebrowsing.provider.google4.updateURL', - 'browser.safebrowsing.provider.mozilla.gethashURL', - 'browser.safebrowsing.provider.mozilla.updateURL', - 'browser.urlbar.userMadeSearchSuggestionsChoice', - 'privacy.trackingprotection.annotate_channels', - 'privacy.trackingprotection.lower_network_priority', - 'privacy.trackingprotection.pbmode.enabled', - 'services.blocklist.addons.collection', - 'services.blocklist.gfx.collection', - 'services.blocklist.onecrl.collection', - 'services.blocklist.plugins.collection', - 'services.blocklist.update_enabled', - 'urlclassifier.trackingTable', - 'dom.forms.datetime', - 'font.blacklist.underline_offset', - 'font.name.monospace.x-unicode', - 'font.name.monospace.x-western', - 'font.name.sans-serif.x-unicode', - 'font.name.sans-serif.x-western', - 'font.name.serif.x-unicode', - 'font.name.serif.x-western', - 'layout.css.font-loading-api.enabled', - 'toolkit.telemetry.cachedClientID', - /* 69-78 */ - 'plugin.sessionPermissionNow.intervalInMinutes', - 'browser.cache.disk_cache_ssl', - 'browser.sessionhistory.max_entries', - 'dom.push.connection.enabled', - 'dom.push.serverURL', - 'extensions.getAddons.discovery.api_url', - 'extensions.htmlaboutaddons.discover.enabled', - 'extensions.webservice.discoverURL', - 'intl.locale.requested', - 'intl.regional_prefs.use_os_locales', - 'privacy.usercontext.about_newtab_segregation.enabled', - 'security.insecure_connection_icon.pbmode.enabled', - 'security.insecure_connection_text.pbmode.enabled', - 'webgl.dxgl.enabled', - 'media.block-autoplay-until-in-foreground', - 'middlemouse.paste', - 'browser.search.geoip.url', - 'browser.search.region', - /* 79-90 */ - 'browser.urlbar.usepreloadedtopurls.enabled', - 'dom.IntersectionObserver.enabled', - 'extensions.screenshots.upload-disabled', - 'privacy.partition.network_state', - 'security.ssl3.dhe_rsa_aes_128_sha', - 'security.ssl3.dhe_rsa_aes_256_sha', - 'browser.newtabpage.activity-stream.asrouter.providers.snippets', - 'network.http.redirection-limit', - 'media.gmp-widevinecdm.visible', - 'browser.send_pings.require_same_host', - 'webgl.min_capability_mode', - 'security.ssl.enable_ocsp_stapling', - /* 91 */ - 'alerts.showFavicons', - 'dom.battery.enabled', - 'dom.storage.enabled', - 'dom.vibrator.enabled', - 'general.warnOnAboutConfig', - 'gfx.direct2d.disabled', - 'layers.acceleration.disabled', - 'media.media-capabilities.enabled', /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ]; From 8a22a90804de2a7884af3952791e0e52f4539fa2 Mon Sep 17 00:00:00 2001 From: icpantsparti <35049679+icpantsparti@users.noreply.github.com> Date: Sun, 22 Aug 2021 16:23:51 +0000 Subject: [PATCH 380/657] colon insertion (#1238) --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index f51ede8..3278474 100644 --- a/user.js +++ b/user.js @@ -1399,7 +1399,7 @@ user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", // user_pref("network.manage-offline-status", false); // see bugzilla 620472 // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) -/*** [SECTION 7000] DON'T BOTHER ***/ +/*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "8000 syntax error: the parrot's pushing up daisies!"); /* 7001: disable APIs * Location-Aware Browsing, Full Screen, offline cache (appCache), Virtual Reality From ab42deb541e2cc947fa5403596417f2afd3a2f9a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 23 Aug 2021 02:55:36 +0000 Subject: [PATCH 381/657] Four more items to 7000s, #1235 --- user.js | 36 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/user.js b/user.js index 3278474..ae60170 100644 --- a/user.js +++ b/user.js @@ -598,24 +598,8 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 * [4] https://www.ssllabs.com/ssl-pulse/ ***/ user_pref("security.ssl.require_safe_negotiation", true); -/* 1202: control TLS versions with min and max - * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 - * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint - * [1] https://www.ssllabs.com/ssl-pulse/ ***/ - // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] - // user_pref("security.tls.version.max", 4); /* 1203: enforce TLS 1.0 and 1.1 downgrades as session only ***/ user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false] -/* 1204: disable SSL session tracking [FF36+] - * SSL Session IDs are unique and last up to 24hrs in Firefox (or longer with prolongation attacks) - * [NOTE] These are not used in PB mode. In normal windows they are isolated when using FPI (4001) - * and/or containers. In FF85+ they are isolated by default (privacy.partition.network_state) - * [WARNING] There are perf and passive fingerprinting costs, for little to no gain. Preventing - * tracking via this method does not address IPs, nor handle any sanitizing of current identifiers - * [1] https://tools.ietf.org/html/rfc5077 - * [2] https://bugzilla.mozilla.org/967977 - * [3] https://arxiv.org/abs/1810.07304 ***/ - // user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF] /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+] * [1] https://github.com/tlswg/tls13-spec/issues/1001 * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ @@ -696,10 +680,6 @@ user_pref("dom.security.https_only_mode", true); // [FF76+] * This is done to avoid waiting for a timeout which takes 90 seconds * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/ user_pref("dom.security.https_only_mode_send_http_background_request", false); -/* 1247: treat .onion as a secure context [FF60+] [TOR] - * [NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser - * [1] https://bugzilla.mozilla.org/1382359 ***/ - // user_pref("dom.securecontext.whitelist_onions", true); /** UI (User Interface) ***/ /* 1270: display warning on the padlock for "broken security" (if 1201 is false) @@ -779,10 +759,6 @@ user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false] * [4] https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy/ ***/ // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+] // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] -/* 1607: hide (not spoof) referrer when leaving a .onion domain [FF54+] [TOR] - * [NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser - * [1] https://bugzilla.mozilla.org/1305144 ***/ - // user_pref("network.http.referer.hideOnionSource", true); /* 1610: ALL: enable the DNT (Do Not Track) HTTP header * [NOTE] DNT is enforced with Enhanced Tracking Protection regardless of this pref * [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal... ***/ @@ -1433,6 +1409,18 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's pushing up daisies // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS // user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES +/* 7004: control TLS versions + * [WHY] Passive fingerprinting. Downgrades are still possible: behind user interaction ***/ + // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] + // user_pref("security.tls.version.max", 4); +/* 7005: disable SSL session IDs [FF36+] + * [WHY] Passive fingerprinting and perf costs. These are session-only and isolated + * with network partitioning (FF85+) or when using FPI and/or containers ***/ + // user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF] +/* 7006: onions + * [WHY] Firefox doesn't support hidden services. Use Tor Browser ***/ + // user_pref("dom.securecontext.whitelist_onions", true); // 1382359 + // user_pref("network.http.referer.hideOnionSource", true); // 1305144 /*** [SECTION 8000]: DON'T BOTHER: NON-RFP [WHY] They are insufficient to help anti-fingerprinting and do more harm than good From 033977fe1051abb00aa5ca4ccbedc7d34c8a82d5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 23 Aug 2021 03:39:15 +0000 Subject: [PATCH 382/657] move personal to last probably more professional to keep it at the end since it isn't strictly project related. It also opens up space for `DON'T TOUCH` and `OPTIONAL OPSEC` --- user.js | 104 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 52 insertions(+), 52 deletions(-) diff --git a/user.js b/user.js index ae60170..a3d87a3 100644 --- a/user.js +++ b/user.js @@ -64,9 +64,9 @@ 2800: SHUTDOWN 4000: FPI (FIRST PARTY ISOLATION) 4500: RFP (RESIST FINGERPRINTING) - 5000: PERSONAL 7000: DON'T BOTHER 8000: DON'T BOTHER: NON-RFP + 9000: PERSONAL 9999: DEPRECATED / REMOVED / LEGACY / RENAMED ******/ @@ -1325,58 +1325,8 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] * [1] https://bugzilla.mozilla.org/1448423 ***/ user_pref("browser.startup.blankWindow", false); -/*** [SECTION 5000]: PERSONAL - Non-project related but useful. If any of these interest you, add them to your overrides - To save some overrides, we've made a few active as they seem to be universally used -***/ -user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!"); -/* WELCOME & WHAT'S NEW NOTICES ***/ -user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch - // user_pref("startup.homepage_welcome_url", ""); - // user_pref("startup.homepage_welcome_url.additional", ""); - // user_pref("startup.homepage_override_url", ""); // What's New page after updates -/* WARNINGS ***/ - // user_pref("browser.tabs.warnOnClose", false); - // user_pref("browser.tabs.warnOnCloseOtherTabs", false); - // user_pref("browser.tabs.warnOnOpen", false); - // user_pref("full-screen-api.warning.delay", 0); - // user_pref("full-screen-api.warning.timeout", 0); -/* APPEARANCE ***/ - // user_pref("browser.download.autohideButton", false); // [FF57+] - // user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF] - // 0=light, 1=dark: with RFP this only affects chrome - // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent - // user_pref("ui.prefersReducedMotion", 1); // disable chrome animations [FF77+] [RESTART] [HIDDEN PREF] - // 0=no-preference, 1=reduce: with RFP this only affects chrome -/* CONTENT BEHAVIOR ***/ - // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type" - // user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX] - // user_pref("layout.spellcheckDefault", 2); // 0=none, 1-multi-line, 2=multi-line & single-line -/* UX BEHAVIOR ***/ - // user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing - // user_pref("browser.quitShortcut.disabled", true); // disable Ctrl-Q quit shortcut [LINUX] [MAC] [FF87+] - // user_pref("browser.tabs.closeWindowWithLastTab", false); - // user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+] - // user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+] - // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux] - // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART] - // user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under] -/* UX FEATURES: disable and hide the icons and menus ***/ -user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New toolbar icon [FF69+] - // user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+] - // user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART] - // user_pref("reader.parse-on-load.enabled", false); // Reader View -/* OTHER ***/ - // user_pref("browser.bookmarks.max_backups", 2); -user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+] - // [SETTING] General>Browsing>Recommend extensions as you browse -user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+] - // [SETTING] General>Browsing>Recommend features as you browse - // user_pref("network.manage-offline-status", false); // see bugzilla 620472 - // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) - /*** [SECTION 7000]: DON'T BOTHER ***/ -user_pref("_user.js.parrot", "8000 syntax error: the parrot's pushing up daisies!"); +user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); /* 7001: disable APIs * Location-Aware Browsing, Full Screen, offline cache (appCache), Virtual Reality * [WHY] The API state is easily fingerprintable. Geo and VR are behind prompts (7002). @@ -1454,6 +1404,56 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan // user_pref("general.useragent.override", ""); // [HIDDEN PREF] // user_pref("ui.use_standins_for_native_colors", true); +/*** [SECTION 9000]: PERSONAL + Non-project related but useful. If any interest you, add them to your overrides + To save some overrides, we've made a few active as they seem to be universally used +***/ +user_pref("_user.js.parrot", "9000 syntax error: this is an ex-parrot!"); +/* WELCOME & WHAT'S NEW NOTICES ***/ +user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch + // user_pref("startup.homepage_welcome_url", ""); + // user_pref("startup.homepage_welcome_url.additional", ""); + // user_pref("startup.homepage_override_url", ""); // What's New page after updates +/* WARNINGS ***/ + // user_pref("browser.tabs.warnOnClose", false); + // user_pref("browser.tabs.warnOnCloseOtherTabs", false); + // user_pref("browser.tabs.warnOnOpen", false); + // user_pref("full-screen-api.warning.delay", 0); + // user_pref("full-screen-api.warning.timeout", 0); +/* APPEARANCE ***/ + // user_pref("browser.download.autohideButton", false); // [FF57+] + // user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF] + // 0=light, 1=dark: with RFP this only affects chrome + // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent + // user_pref("ui.prefersReducedMotion", 1); // disable chrome animations [FF77+] [RESTART] [HIDDEN PREF] + // 0=no-preference, 1=reduce: with RFP this only affects chrome +/* CONTENT BEHAVIOR ***/ + // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type" + // user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX] + // user_pref("layout.spellcheckDefault", 2); // 0=none, 1-multi-line, 2=multi-line & single-line +/* UX BEHAVIOR ***/ + // user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing + // user_pref("browser.quitShortcut.disabled", true); // disable Ctrl-Q quit shortcut [LINUX] [MAC] [FF87+] + // user_pref("browser.tabs.closeWindowWithLastTab", false); + // user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+] + // user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+] + // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux] + // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART] + // user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under] +/* UX FEATURES: disable and hide the icons and menus ***/ +user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New toolbar icon [FF69+] + // user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+] + // user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART] + // user_pref("reader.parse-on-load.enabled", false); // Reader View +/* OTHER ***/ + // user_pref("browser.bookmarks.max_backups", 2); +user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+] + // [SETTING] General>Browsing>Recommend extensions as you browse +user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+] + // [SETTING] General>Browsing>Recommend features as you browse + // user_pref("network.manage-offline-status", false); // see bugzilla 620472 + // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) + /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1] [1] https://github.com/arkenfox/user.js/issues/123 From 47be7ba42fc48c2cca79675cd9b608084b558e6e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 23 Aug 2021 04:08:49 +0000 Subject: [PATCH 383/657] 1203 is a reset not enforce --- user.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index a3d87a3..0dcf02d 100644 --- a/user.js +++ b/user.js @@ -44,7 +44,7 @@ 0100: STARTUP 0200: GEOLOCATION / LANGUAGE / LOCALE 0300: QUIET FOX - 0400: BLOCKLISTS / SAFE BROWSING + 0400: SAFE BROWSING 0500: SYSTEM ADD-ONS / EXPERIMENTS 0600: BLOCK IMPLICIT OUTBOUND 0700: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc @@ -64,6 +64,8 @@ 2800: SHUTDOWN 4000: FPI (FIRST PARTY ISOLATION) 4500: RFP (RESIST FINGERPRINTING) + 5000: OPTIONAL OPSEC + 6000: DON'T TOUCH 7000: DON'T BOTHER 8000: DON'T BOTHER: NON-RFP 9000: PERSONAL @@ -598,7 +600,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 * [4] https://www.ssllabs.com/ssl-pulse/ ***/ user_pref("security.ssl.require_safe_negotiation", true); -/* 1203: enforce TLS 1.0 and 1.1 downgrades as session only ***/ +/* 1203: reset TLS 1.0 and 1.1 downgrades i.e. session only ***/ user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false] /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+] * [1] https://github.com/tlswg/tls13-spec/issues/1001 From e31a6876e6ff45f2ece15c218be6c3256d0de1b7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 23 Aug 2021 04:40:29 +0000 Subject: [PATCH 384/657] section 6000 --- user.js | 57 ++++++++++++++++++++++++++------------------------------- 1 file changed, 26 insertions(+), 31 deletions(-) diff --git a/user.js b/user.js index 0dcf02d..2a7d2af 100644 --- a/user.js +++ b/user.js @@ -231,15 +231,7 @@ user_pref("network.captive-portal-service.enabled", false); // [FF52+] * [1] https://bugzilla.mozilla.org/1460537 ***/ user_pref("network.connectivity-service.enabled", false); -/*** [SECTION 0400]: BLOCKLISTS / SAFE BROWSING (SB) ***/ -user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!"); -/** BLOCKLISTS ***/ -/* 0401: enforce Firefox blocklist - * [NOTE] It includes updates for "revoked certificates" - * [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ ***/ -user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true] - -/** SAFE BROWSING (SB) +/*** [SECTION 0400]: SAFE BROWSING (SB) Safe Browsing has taken many steps to preserve privacy. If required, a full url is never sent to Google, only a PART-hash of the prefix, and this is hidden with noise of other real PART-hashes. Google also swear it is anonymized and only used to flag malicious sites. @@ -250,6 +242,7 @@ user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true] [2] https://wiki.mozilla.org/Security/Safe_Browsing [3] https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work ***/ +user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!"); /* 0410: disable SB (Safe Browsing) * [WARNING] Do this at your own risk! These are the master switches * [SETTING] Privacy & Security>Security>... Block dangerous and deceptive content ***/ @@ -661,9 +654,6 @@ user_pref("security.remote_settings.crlite_filters.enabled", true); user_pref("security.pki.crlite_mode", 2); /** MIXED CONTENT ***/ -/* 1240: enforce no insecure active content on https pages - * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21323 ***/ -user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true] /* 1241: disable insecure passive content (such as images) on https pages [SETUP-WEB] ***/ user_pref("security.mixed_content.block_display_content", true); /* 1244: enable HTTPS-Only mode in all windows [FF76+] @@ -725,13 +715,10 @@ user_pref("gfx.font_rendering.graphite.enabled", false); // user_pref("gfx.downloadable_fonts.fallback_delay", -1); /*** [SECTION 1600]: HEADERS / REFERERS - Only **cross domain** referers need controlling: leave 1601, 1602, 1605 and 1606 alone - Expect some breakage: Use an extension if you need precise control - --- + Expect some breakage e.g. banks: use an extension if you need precise control full URI: https://example.com:8888/foo/bar.html?id=1234 scheme+host+port+path: https://example.com:8888/foo/bar.html scheme+host+port: https://example.com:8888 - --- [1] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ ***/ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); @@ -741,17 +728,13 @@ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); /* 1602: ALL: control the amount of information to send * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ // user_pref("network.http.referer.trimmingPolicy", 0); -/* 1603: CROSS ORIGIN: control when to send a referer +/* 1603: control when to send a cross origin referer * 0=always (default), 1=only if base domains match, 2=only if hosts match * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud, instagram ***/ user_pref("network.http.referer.XOriginPolicy", 2); -/* 1604: CROSS ORIGIN: control the amount of information to send [FF52+] +/* 1604: control the amount of cross origin information to send [FF52+] * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); -/* 1605: ALL: enforce no spoofing of referer - * Spoofing effectively disables the anti-CSRF (Cross-Site Request Forgery) - * protections that some sites may rely on ***/ -user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false] /* 1606: ALL: set the default Referrer Policy [FF59+] * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade * [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy @@ -1059,15 +1042,6 @@ user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ // user_pref("extensions.webextensions.restrictedDomains", ""); -/** SECURITY ***/ -/* 2680: enforce CSP (Content Security Policy) - * [NOTE] CSP is a very important and widespread security feature. Don't disable it! - * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/ -user_pref("security.csp.enable", true); // [DEFAULT: true] -/* 2684: enforce a security delay on some confirmation dialogs such as install, open/save - * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/ -user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000] - /*** [SECTION 2700]: PERSISTENT STORAGE Data SET by websites including cookies : profile\cookies.sqlite @@ -1327,6 +1301,27 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] * [1] https://bugzilla.mozilla.org/1448423 ***/ user_pref("browser.startup.blankWindow", false); +/*** [SECTION 5000]: OPTIONAL OPSEC ***/ +user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow"); + +/*** [SECTION 6000]: DON'T TOUCH ***/ +user_pref("_user.js.parrot", "6000 syntax error: the parrot's 'istory!"); +/* 6001: enforce Firefox blocklist + * [WHY] It includes updates for "revoked certificates" + * [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ ***/ +user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true] +/* 6002: enforce no referer spoofing + * [WHY] Spoofing can affect CSRF (Cross-Site Request Forgery) protections ***/ +user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false] +/* 6003: enforce CSP (Content Security Policy) + * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/ +user_pref("security.csp.enable", true); // [DEFAULT: true] +/* 6004: enforce a security delay on some confirmation dialogs such as install, open/save + * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/ +user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000] +/* 6005: enforce no insecure active content on https pages ***/ +user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true] + /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); /* 7001: disable APIs From 05b7d61735c85a1b02e61ff4f4bc48a60a637570 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 23 Aug 2021 04:54:49 +0000 Subject: [PATCH 385/657] 7000s: non cross origin referers --- user.js | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/user.js b/user.js index 2a7d2af..1c4bf51 100644 --- a/user.js +++ b/user.js @@ -722,12 +722,6 @@ user_pref("gfx.font_rendering.graphite.enabled", false); [1] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ ***/ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); -/* 1601: ALL: control when images/links send a referer - * 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/ - // user_pref("network.http.sendRefererHeader", 2); -/* 1602: ALL: control the amount of information to send - * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ - // user_pref("network.http.referer.trimmingPolicy", 0); /* 1603: control when to send a cross origin referer * 0=always (default), 1=only if base domains match, 2=only if hosts match * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud, instagram ***/ @@ -1368,6 +1362,10 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [WHY] Firefox doesn't support hidden services. Use Tor Browser ***/ // user_pref("dom.securecontext.whitelist_onions", true); // 1382359 // user_pref("network.http.referer.hideOnionSource", true); // 1305144 +/* 7007: referers + * [WHY] Only cross origin referers (1600s) need control ***/ + // user_pref("network.http.sendRefererHeader", 2); + // user_pref("network.http.referer.trimmingPolicy", 0); /*** [SECTION 8000]: DON'T BOTHER: NON-RFP [WHY] They are insufficient to help anti-fingerprinting and do more harm than good From 9f08c7c0f4b79bbd8b37b5ad3321760d44866265 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 23 Aug 2021 06:04:19 +0000 Subject: [PATCH 386/657] 7000s: referer policy #1235 and re-number 1600s --- user.js | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/user.js b/user.js index 1c4bf51..be73125 100644 --- a/user.js +++ b/user.js @@ -18,7 +18,7 @@ * Some site breakage and unintended consequences will happen. Everyone's experience will differ e.g. some user data is erased on close (section 2800), change this to suit your needs * While not 100% definitive, search for "[SETUP" tags - e.g. third party images/videos not loading on some sites? check 1603 + e.g. third party images/videos not loading on some sites? check 1601 * Take the wiki link in step 2 and read the Troubleshooting entry 5. Some tag info [SETUP-SECURITY] it's one item, read it @@ -722,23 +722,14 @@ user_pref("gfx.font_rendering.graphite.enabled", false); [1] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ ***/ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); -/* 1603: control when to send a cross origin referer +/* 1601: control when to send a cross origin referer * 0=always (default), 1=only if base domains match, 2=only if hosts match * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud, instagram ***/ user_pref("network.http.referer.XOriginPolicy", 2); -/* 1604: control the amount of cross origin information to send [FF52+] +/* 1602: control the amount of cross origin information to send [FF52+] * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); -/* 1606: ALL: set the default Referrer Policy [FF59+] - * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade - * [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy - * [1] https://www.w3.org/TR/referrer-policy/ - * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy - * [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ - * [4] https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy/ ***/ - // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+] - // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] -/* 1610: ALL: enable the DNT (Do Not Track) HTTP header +/* 1603: enable the DNT (Do Not Track) HTTP header * [NOTE] DNT is enforced with Enhanced Tracking Protection regardless of this pref * [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal... ***/ user_pref("privacy.donottrackheader.enabled", true); @@ -1366,6 +1357,11 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [WHY] Only cross origin referers (1600s) need control ***/ // user_pref("network.http.sendRefererHeader", 2); // user_pref("network.http.referer.trimmingPolicy", 0); +/* 7008: set the default Referrer Policy [FF59+] + * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade + * [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy ***/ + // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+] + // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] /*** [SECTION 8000]: DON'T BOTHER: NON-RFP [WHY] They are insufficient to help anti-fingerprinting and do more harm than good From 3697bd8d3a3a011ecfc82e2b345dd7d6bf1880fa Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 23 Aug 2021 06:26:45 +0000 Subject: [PATCH 387/657] 1603 -> inactive Yes it's pretty much useless. Yes it's fingerprintable, and what that entropy is, who knows. Since it's sent regardless with ETP, which we enable in all windows, then who cares. And if you don't use ETP in all windows, then I don't care either - just saying --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index be73125..7bbfc9a 100644 --- a/user.js +++ b/user.js @@ -730,9 +730,9 @@ user_pref("network.http.referer.XOriginPolicy", 2); * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); /* 1603: enable the DNT (Do Not Track) HTTP header - * [NOTE] DNT is enforced with Enhanced Tracking Protection regardless of this pref + * [NOTE] DNT is enforced with Enhanced Tracking Protection (2710) * [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal... ***/ -user_pref("privacy.donottrackheader.enabled", true); + // user_pref("privacy.donottrackheader.enabled", true); /*** [SECTION 1700]: CONTAINERS If you want to really leverage containers, we recommend Temporary Containers [2]. From 613e55ae8c28337eb0183c6887cc3f3bd1172d3a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 23 Aug 2021 09:42:21 +0000 Subject: [PATCH 388/657] 7000s: add MOAR; renumber 0700s, #1235 --- user.js | 39 ++++++++++++++------------------------- 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/user.js b/user.js index 7bbfc9a..a823c21 100644 --- a/user.js +++ b/user.js @@ -343,38 +343,16 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost * [TEST] https://ipleak.org/ * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/ user_pref("network.dns.disableIPv6", true); -/* 0702: disable HTTP2 - * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to - * enhance privacy, and opens up a number of server-side fingerprinting opportunities - * [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites - * [STATS] ~46% of sites (July 2021) [5] - * [1] https://http2.github.io/faq/ - * [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html - * [3] https://datatracker.ietf.org/doc/html/rfc7540#section-10.8 - * [4] https://queue.acm.org/detail.cfm?id=2716278 - * [5] https://w3techs.com/technologies/details/ce-http2/all/all ***/ - // user_pref("network.http.spdy.enabled", false); - // user_pref("network.http.spdy.enabled.deps", false); - // user_pref("network.http.spdy.enabled.http2", false); - // user_pref("network.http.spdy.websockets", false); // [FF65+] -/* 0703: disable HTTP Alternative Services [FF37+] - * [SETUP-PERF] Relax this if you have FPI enabled (4001) and you understand the - * consequences. FPI isolates these, but it was designed with the Tor protocol in mind, - * and the Tor Browser has extra protection, including enhanced sanitizing per Identity. - * [1] https://tools.ietf.org/html/rfc7838#section-9 - * [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/ -user_pref("network.http.altsvc.enabled", false); -user_pref("network.http.altsvc.oe", false); -/* 0704: set the proxy server to do any DNS lookups when using SOCKS +/* 0702: set the proxy server to do any DNS lookups when using SOCKS * e.g. in Tor, this stops your local DNS server from knowing your Tor destination * as a remote Tor node will handle the DNS request * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/ user_pref("network.proxy.socks_remote_dns", true); -/* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+] +/* 0703: disable using UNC (Uniform Naming Convention) paths [FF61+] * [SETUP-CHROME] Can break extensions for profiles on network shares * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] -/* 0710: disable GIO as a potential proxy bypass vector +/* 0704: disable GIO as a potential proxy bypass vector * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda, * gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64) * [1] https://bugzilla.mozilla.org/1433507 @@ -1362,6 +1340,17 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy ***/ // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+] // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] +/* 7009: disable HTTP2 + * [WHY] Passive fingerprinting. ~50% of sites use HTTP2 [1] + * [1] https://w3techs.com/technologies/details/ce-http2/all/all ***/ + // user_pref("network.http.spdy.enabled", false); + // user_pref("network.http.spdy.enabled.deps", false); + // user_pref("network.http.spdy.enabled.http2", false); + // user_pref("network.http.spdy.websockets", false); // [FF65+] +/* 7010: disable HTTP Alternative Services [FF37+] + * [WHY] Already isolated by network partitioning (FF85+) and FPI ***/ + // user_pref("network.http.altsvc.enabled", false); + // user_pref("network.http.altsvc.oe", false); /*** [SECTION 8000]: DON'T BOTHER: NON-RFP [WHY] They are insufficient to help anti-fingerprinting and do more harm than good From b177c73f0d185954a480e5632a4a1c242b307dab Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 23 Aug 2021 09:47:34 +0000 Subject: [PATCH 389/657] typo technically it's "or" - FPI overrides network partitioning --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index a823c21..ebba09a 100644 --- a/user.js +++ b/user.js @@ -1348,7 +1348,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("network.http.spdy.enabled.http2", false); // user_pref("network.http.spdy.websockets", false); // [FF65+] /* 7010: disable HTTP Alternative Services [FF37+] - * [WHY] Already isolated by network partitioning (FF85+) and FPI ***/ + * [WHY] Already isolated by network partitioning (FF85+) or FPI ***/ // user_pref("network.http.altsvc.enabled", false); // user_pref("network.http.altsvc.oe", false); From 269cf965bd51022ca69823f8f66a8e402280d856 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 23 Aug 2021 10:03:13 +0000 Subject: [PATCH 390/657] renumber 1700s --- user.js | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index ebba09a..d944193 100644 --- a/user.js +++ b/user.js @@ -713,19 +713,18 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); // user_pref("privacy.donottrackheader.enabled", true); /*** [SECTION 1700]: CONTAINERS - If you want to really leverage containers, we recommend Temporary Containers [2]. - Read the article by the extension author [3], and check out the github wiki/repo [4]. + Check out Temporary Containers [2], read the article [3], and visit the wiki/repo [4] [1] https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers [2] https://addons.mozilla.org/firefox/addon/temporary-containers/ [3] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21 [4] https://github.com/stoically/temporary-containers/wiki ***/ user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!"); -/* 1702: enable Container Tabs and it's UI setting [FF50+] +/* 1701: enable Container Tabs and it's UI setting [FF50+] * [SETTING] General>Tabs>Enable Container Tabs ***/ user_pref("privacy.userContext.enabled", true); user_pref("privacy.userContext.ui.enabled", true); -/* 1703: set behaviour on "+ Tab" button to display container menu on left click [FF74+] +/* 1702: set behaviour on "+ Tab" button to display container menu on left click [FF74+] * [NOTE] The menu is always shown on long press and right click * [SETTING] General>Tabs>Enable Container Tabs>Settings>Select a container for each new tab ***/ // user_pref("privacy.userContext.newTabContainerOnLeftClick.enabled", true); From 51748ea25a33295fe7cd6d2f4d8867bf9fa176f3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 24 Aug 2021 03:09:33 +0000 Subject: [PATCH 391/657] leverage cve keyword --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index d944193..daf5555 100644 --- a/user.js +++ b/user.js @@ -677,7 +677,7 @@ user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); user_pref("gfx.font_rendering.opentype_svg.enabled", false); /* 1402: disable graphite * Graphite has had many critical security issues in the past [1] - * [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite * [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/ user_pref("gfx.font_rendering.graphite.enabled", false); /* 1403: limit font visibility (Windows, Mac, some Linux) [FF79+] @@ -852,7 +852,7 @@ user_pref("javascript.options.asmjs", false); * [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new * hidden pref is enabled, then Ion can still be used by extensions (1599226) * [WARNING] Disabling Ion/JIT can cause some site issues and performance loss - * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Firefox+JIT ***/ + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit ***/ // user_pref("javascript.options.ion", false); // user_pref("javascript.options.baselinejit", false); // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF] From 69132b588f7975fcc40bdcb95f2769bc04212d95 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 24 Aug 2021 05:43:38 +0000 Subject: [PATCH 392/657] 7000s: mathml, svg, #1235 --- user.js | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/user.js b/user.js index daf5555..7c92f58 100644 --- a/user.js +++ b/user.js @@ -387,7 +387,7 @@ user_pref("keyword.enabled", false); user_pref("browser.fixup.alternate.enabled", false); /* 0803: display all parts of the url in the location bar ***/ user_pref("browser.urlbar.trimURLs", false); -/* 0805: disable coloring of visited links - CSS history leak +/* 0805: disable coloring of visited links * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing * attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5] @@ -917,14 +917,6 @@ user_pref("devtools.chrome.enabled", false); /* 2608: reset remote debugging to disabled * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false] -/* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN] - * [TEST] https://arkenfox.github.io/TZP/tzp.html#misc - * [1] https://bugzilla.mozilla.org/1173199 ***/ - // user_pref("mathml.disabled", true); -/* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+] - * [WARNING] Expect breakage including youtube player controls - * [1] https://bugzilla.mozilla.org/1216893 ***/ - // user_pref("svg.disabled", true); /* 2611: disable middle mouse click opening links from clipboard * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/ user_pref("middlemouse.contentLoadURL", false); @@ -1350,6 +1342,14 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [WHY] Already isolated by network partitioning (FF85+) or FPI ***/ // user_pref("network.http.altsvc.enabled", false); // user_pref("network.http.altsvc.oe", false); +/* 7011: disable MathML (Mathematical Markup Language) [FF51+] + * [WHY] Fingerprintable, breakage, threat model + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml ***/ + // user_pref("mathml.disabled", true); // 1173199 +/* 7012: disable in-content SVG (Scalable Vector Graphics) [FF53+] + * [WHY] Fingerprintable, breakage, threat model + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg ***/ + // user_pref("svg.disabled", true); // 1216893 /*** [SECTION 8000]: DON'T BOTHER: NON-RFP [WHY] They are insufficient to help anti-fingerprinting and do more harm than good From 35ccaff58e5aae76299a6ce41a81cdc3fb871099 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 24 Aug 2021 08:52:12 +0000 Subject: [PATCH 393/657] calrify password prompt, #1241 --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 7c92f58..9b7c775 100644 --- a/user.js +++ b/user.js @@ -457,10 +457,10 @@ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); * There are no preferences for this. It is all handled internally * [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password * [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/ -/* 0903: set how often Firefox should ask for the primary password +/* 0903: set when Firefox should prompt for the primary password * 0=the first time (default), 1=every time it's needed, 2=every n minutes (0904) ***/ user_pref("security.ask_for_password", 2); -/* 0904: set how often in minutes Firefox should ask for the primary password (0903) ***/ +/* 0904: set how long in minutes Firefox should remember the primary password (0903) ***/ user_pref("security.password_lifetime", 5); // [DEFAULT: 30] /* 0905: disable auto-filling username & password form fields * can leak in cross-site forms *and* be spoofed From 778421cad40d1436ca0fa2833df76bc8fd45473d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 24 Aug 2021 08:59:11 +0000 Subject: [PATCH 394/657] #1241 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 9b7c775..11ae8cc 100644 --- a/user.js +++ b/user.js @@ -458,7 +458,7 @@ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); * [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password * [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/ /* 0903: set when Firefox should prompt for the primary password - * 0=the first time (default), 1=every time it's needed, 2=every n minutes (0904) ***/ + * 0=once per session (default), 1=every time it's needed, 2=every n minutes (0904) ***/ user_pref("security.ask_for_password", 2); /* 0904: set how long in minutes Firefox should remember the primary password (0903) ***/ user_pref("security.password_lifetime", 5); // [DEFAULT: 30] From 7144f8b7f86a72462636fc1d86bd3d0993a642c8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 24 Aug 2021 22:51:48 +0000 Subject: [PATCH 395/657] cleanup continued, #1239 More minor tweaks to come. This isn't final - 0102: ambiguous that the clearing was related to PB mode - 0900s: - get rid of 0901, it has no pref, stick link in header - 0905: values on multi-lines use spaces = more readable - 1000s: - rename as disk avoidance and remove sub-section headers - remove the outdated section header - 4001: it will never be perfected, it's doing it's job - 5500s: optional hardening - legit security measures, but commonality in caveats, so I made them a separate section - this flips graphite, asm.js and wasm from active to inactive: these are overkill: exhibit A: hundreds of millions of Firefox users - e.g. graphite and wasm are enabled on Tor Browser - new CVE keyword links - 7000s: don't bother - two more items added - 5000s: optional opsec and cleanout 0800s header - re-number - 0900s, 1000s, 1400s, 2400s PS: I need a new parrot: "9000 syntax error: I ran out of parrots" --- user.js | 360 ++++++++++++++++++++++++++------------------------------ 1 file changed, 166 insertions(+), 194 deletions(-) diff --git a/user.js b/user.js index 11ae8cc..dd9fd25 100644 --- a/user.js +++ b/user.js @@ -50,14 +50,14 @@ 0700: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS 0900: PASSWORDS - 1000: CACHE / SESSION (RE)STORE / FAVICONS + 1000: DISK AVOIDANCE 1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP) 1400: FONTS 1600: HEADERS / REFERERS 1700: CONTAINERS 2000: PLUGINS / MEDIA / WEBRTC 2300: WEB WORKERS - 2400: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT + 2400: DOM (DOCUMENT OBJECT MODEL) 2500: FINGERPRINTING 2600: MISCELLANEOUS 2700: PERSISTENT STORAGE @@ -65,6 +65,7 @@ 4000: FPI (FIRST PARTY ISOLATION) 4500: RFP (RESIST FINGERPRINTING) 5000: OPTIONAL OPSEC + 5500: OPTIONAL HARDENING 6000: DON'T TOUCH 7000: DON'T BOTHER 8000: DON'T BOTHER: NON-RFP @@ -90,7 +91,7 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!"); user_pref("browser.shell.checkDefaultBrowser", false); /* 0102: set startup page [SETUP-CHROME] * 0=blank, 1=home, 2=last visited page, 3=resume previous session - * [NOTE] Session Restore is not used in PB mode (0110) and is cleared with history (2803, 2804) + * [NOTE] Session Restore is cleared with history (2803, 2804), and not used in Private Browsing mode * [SETTING] General>Startup>Restore previous session ***/ user_pref("browser.startup.page", 0); /* 0103: set HOME+NEWWINDOW page @@ -116,17 +117,6 @@ user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); // /* 0106: clear default topsites * [NOTE] This does not block you from adding your own ***/ user_pref("browser.newtabpage.activity-stream.default.sites", ""); -/* 0110: start Firefox in PB (Private Browsing) mode - * [NOTE] In this mode all windows are "private windows" and the PB mode icon is not displayed - * [WARNING] The P in PB mode can be misleading: it means no "persistent" disk state such as history, - * caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode). - * In fact, PB mode limits or removes the ability to control some of these, and you need to quit - * Firefox to clear them. PB is best used as a one off window (Menu>New Private Window) to provide - * a temporary self-contained new session. Close all Private Windows to clear the PB mode session. - * [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode - * [1] https://wiki.mozilla.org/Private_Browsing - * [2] https://support.mozilla.org/kb/common-myths-about-private-browsing ***/ - // user_pref("browser.privatebrowsing.autostart", true); /*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/ user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!"); @@ -232,11 +222,11 @@ user_pref("network.captive-portal-service.enabled", false); // [FF52+] user_pref("network.connectivity-service.enabled", false); /*** [SECTION 0400]: SAFE BROWSING (SB) - Safe Browsing has taken many steps to preserve privacy. If required, a full url is never - sent to Google, only a PART-hash of the prefix, and this is hidden with noise of other real - PART-hashes. Google also swear it is anonymized and only used to flag malicious sites. - Firefox also takes measures such as striping out identifying parameters and since SBv4 (FF57+) + SB has taken many steps to preserve privacy. If required, a full url is never sent + to Google, only a part-hash of the prefix, hidden with noise of other real part-hashes. + Firefox takes measures such as striping out identifying parameters and since SBv4 (FF57+) doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity) + FWIW, Google also swear it is anonymized and only used to flag malicious sites. [1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ [2] https://wiki.mozilla.org/Security/Safe_Browsing @@ -361,13 +351,7 @@ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] * [4] https://en.wikipedia.org/wiki/GIO_(software) ***/ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] -/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS - Change 0850 and above to suit for privacy vs convenience and functionality. - Consider your environment (no unwanted eyeballs), your device (restricted access), - your device's unattended state (locked, encrypted, forensic hardened). Likewise, - you may want to check the items cleared on shutdown in section 2800. - [1] https://xkcd.com/538/ -***/ +/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); /* 0801: disable location bar using search * Don't leak URL typos to a search engine, give an error message instead @@ -412,22 +396,10 @@ user_pref("browser.urlbar.speculativeConnect.enabled", false); * [NOTE] For FF78 value 1 and 2 are the same and always resolve but that will change in future versions * [1] https://bugzilla.mozilla.org/1642623 ***/ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); -/* 0850a: disable location bar suggestion types - * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/ - // user_pref("browser.urlbar.suggest.history", false); - // user_pref("browser.urlbar.suggest.bookmark", false); - // user_pref("browser.urlbar.suggest.openpage", false); - // user_pref("browser.urlbar.suggest.topsites", false); // [FF78+] /* 0850b: disable tab-to-search [FF85+] * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/ // user_pref("browser.urlbar.suggest.engines", false); -/* 0850c: disable location bar dropdown - * This value controls the total number of entries to appear in the location bar dropdown ***/ - // user_pref("browser.urlbar.maxRichResults", 0); -/* 0850d: disable location bar autofill - * [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/ - // user_pref("browser.urlbar.autoFill", false); /* 0860: disable search and form history * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2] * [NOTE] We also clear formdata on exit (2803) @@ -435,120 +407,66 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html * [2] https://bugzilla.mozilla.org/381681 ***/ user_pref("browser.formfill.enable", false); -/* 0862: disable browsing and download history - * [NOTE] We also clear history and downloads on exit (2803) - * [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/ - // user_pref("places.history.enabled", false); -/* 0870: disable Windows jumplist [WINDOWS] ***/ -user_pref("browser.taskbar.lists.enabled", false); -user_pref("browser.taskbar.lists.frequent.enabled", false); -user_pref("browser.taskbar.lists.recent.enabled", false); -user_pref("browser.taskbar.lists.tasks.enabled", false); -/* 0871: disable Windows taskbar preview [WINDOWS] ***/ - // user_pref("browser.taskbar.previews.enable", false); // [DEFAULT: false] -/*** [SECTION 0900]: PASSWORDS ***/ +/*** [SECTION 0900]: PASSWORDS + [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas +***/ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); -/* 0901: disable saving passwords - * [NOTE] This does not clear any passwords already saved - * [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/ - // user_pref("signon.rememberSignons", false); -/* 0902: use a primary password - * There are no preferences for this. It is all handled internally - * [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password - * [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/ -/* 0903: set when Firefox should prompt for the primary password - * 0=once per session (default), 1=every time it's needed, 2=every n minutes (0904) ***/ +/* 0901: set when Firefox should prompt for the primary password + * 0=once per session (default), 1=every time it's needed, 2=after n minutes (0902) ***/ user_pref("security.ask_for_password", 2); -/* 0904: set how long in minutes Firefox should remember the primary password (0903) ***/ +/* 0902: set how long in minutes Firefox should remember the primary password (0901) ***/ user_pref("security.password_lifetime", 5); // [DEFAULT: 30] -/* 0905: disable auto-filling username & password form fields +/* 0903: disable auto-filling username & password form fields * can leak in cross-site forms *and* be spoofed * [NOTE] Username & password is still available when you enter the field * [SETTING] Privacy & Security>Logins and Passwords>Autofill logins and passwords * [1] https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ ***/ user_pref("signon.autofillForms", false); -/* 0909: disable formless login capture for Password Manager [FF51+] ***/ +/* 0904: disable formless login capture for Password Manager [FF51+] ***/ user_pref("signon.formlessCapture.enabled", false); -/* 0912: limit (or disable) HTTP authentication credentials dialogs triggered by sub-resources [FF41+] +/* 0905: limit (or disable) HTTP authentication credentials dialogs triggered by sub-resources [FF41+] * hardens against potential credentials phishing - * 0=don't allow sub-resources to open HTTP authentication credentials dialogs - * 1=don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs - * 2=allow sub-resources to open HTTP authentication credentials dialogs (default) ***/ + * 0 = don't allow sub-resources to open HTTP authentication credentials dialogs + * 1 = don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs + * 2 = allow sub-resources to open HTTP authentication credentials dialogs (default) ***/ user_pref("network.auth.subresource-http-auth-allow", 1); -/* 0913: disable automatic authentication on Microsoft sites [FF91+] [WINDOWS 10+] +/* 0906: disable automatic authentication on Microsoft sites [FF91+] [WINDOWS 10+] * [SETTING] Privacy & Security>Logins and Passwords>Allow Windows single sign-on for... * [1] https://support.mozilla.org/kb/windows-sso ***/ user_pref("network.http.windows-sso.enabled", false); -/*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS - Cache tracking/fingerprinting techniques [1][2][3] require a cache. Disabling disk (1001) - *and* memory (1003) caches is one solution; but that's extreme and fingerprintable. A hardened - Temporary Containers configuration can effectively do the same thing, by isolating every tab [4] - - We consider avoiding disk cache (1001) so cache is session/memory only (like Private Browsing - mode), and isolating cache to first party (4001) is sufficient and a good balance between - risk and performance. ETAGs can also be neutralized by modifying response headers [5], and - you can clear the cache manually or on a regular basis with an extension - - [1] https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags - [2] https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/ - [3] https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache - [4] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21 - [5] https://github.com/arkenfox/user.js/wiki/4.2.4-Header-Editor +/*** [SECTION 1000]: DISK AVOIDANCE + [NOTE] Cache is isolated with network partitioning (FF85+) or when using FPI ***/ user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!"); -/** CACHE ***/ /* 1001: disable disk cache - * [SETUP-PERF] If you think disk cache may help (heavy tab user, high-res video), - * or you use a hardened Temporary Containers, then feel free to override this + * [SETUP-PERF] If you think disk cache helps, then feel free to override this * [NOTE] We also clear cache on exit (2803) ***/ user_pref("browser.cache.disk.enable", false); -/* 1003: disable memory cache - * capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kibibytes ***/ - // user_pref("browser.cache.memory.enable", false); - // user_pref("browser.cache.memory.capacity", 0); -/* 1006: disable permissions manager from writing to disk [RESTART] - * [NOTE] This means any permission changes are session only - * [1] https://bugzilla.mozilla.org/967812 ***/ - // user_pref("permissions.memory_only", true); // [HIDDEN PREF] -/* 1007: disable media cache from writing to disk in Private Browsing +/* 1002: disable media cache from writing to disk in Private Browsing * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB * [SETUP-WEB] ESR78: playback might break on subsequent loading (1650281) ***/ user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+] user_pref("media.memory_cache_max_size", 65536); - -/** SESSIONS & SESSION RESTORE ***/ -/* 1020: exclude "Undo Closed Tabs" in Session Restore ***/ - // user_pref("browser.sessionstore.max_tabs_undo", 0); -/* 1021: disable storing extra session data [SETUP-CHROME] +/* 1003: disable storing extra session data [SETUP-CHROME] * define on which sites to save extra session data such as form content, cookies and POST data * 0=everywhere, 1=unencrypted sites, 2=nowhere ***/ user_pref("browser.sessionstore.privacy_level", 2); -/* 1022: disable resuming session from crash ***/ - // user_pref("browser.sessionstore.resume_from_crash", false); -/* 1023: set the minimum interval between session save operations +/* 1004: set the minimum interval between session save operations * Increasing this can help on older machines and some websites, as well as reducing writes [1] * [SETUP-CHROME] This can affect entries in "Recently Closed Tabs": i.e. the * longer the interval the more chance a quick tab open/close won't be captured * [1] https://bugzilla.mozilla.org/1304389 ***/ user_pref("browser.sessionstore.interval", 30000); // [DEFAULT: 15000] -/* 1024: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS] +/* 1005: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS] * [1] https://bugzilla.mozilla.org/603903 ***/ user_pref("toolkit.winRegisterApplicationRestart", false); - -/** FAVICONS ***/ -/* 1030: disable favicons in shortcuts +/* 1006: disable favicons in shortcuts * URL shortcuts use a cached randomly named .ico file which is stored in your * profile/shortcutCache directory. The .ico remains after the shortcut is deleted * If set to false then the shortcuts use a generic Firefox icon ***/ user_pref("browser.shell.shortcutFavicons", false); -/* 1031: disable favicons in history and bookmarks - * Stored as data blobs in favicons.sqlite, these don't reveal anything that your - * actual history (and bookmarks) already do. Your history is more detailed, so - * control that instead; e.g. disable history, clear history on close, use PB mode - * [NOTE] favicons.sqlite is sanitized on Firefox close, not in-session ***/ - // user_pref("browser.chrome.site_icons", false); /*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP) Your cipher and other settings can be used in server side fingerprinting @@ -613,11 +531,6 @@ user_pref("security.pki.sha1_enforcement_level", 1); * 2=detect Family Safety mode and import the root * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/ user_pref("security.family_safety.mode", 0); -/* 1222: disable intermediate certificate caching (fingerprinting attack vector) [FF41+] [RESTART] - * [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only. - * Saved logins and passwords are not available. Reset the pref and restart to return them. - * [1] https://shiftordie.de/blog/2017/02/21/fingerprinting-firefox-users-with-cached-intermediate-ca-certificates-fiprinca/ ***/ - // user_pref("security.nocertdb", true); // [HIDDEN PREF] /* 1223: enable strict pinning * PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict * [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing @@ -672,25 +585,14 @@ user_pref("security.insecure_connection_text.enabled", true); // [FF60+] /*** [SECTION 1400]: FONTS ***/ user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); -/* 1401: disable rendering of SVG OpenType fonts - * [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/ +/* 1401: disable rendering of SVG OpenType fonts ***/ user_pref("gfx.font_rendering.opentype_svg.enabled", false); -/* 1402: disable graphite - * Graphite has had many critical security issues in the past [1] - * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite - * [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/ -user_pref("gfx.font_rendering.graphite.enabled", false); -/* 1403: limit font visibility (Windows, Mac, some Linux) [FF79+] +/* 1402: limit font visibility (Windows, Mac, some Linux) [FF79+] * [NOTE] In FF80+ RFP ignores the pref and uses value 1 * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed * 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/ // user_pref("layout.css.font-visibility.level", 1); -/* 1404: disable icon fonts (glyphs) and local fallback rendering - * [1] https://bugzilla.mozilla.org/789788 - * [2] https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/ - // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] - // user_pref("gfx.downloadable_fonts.fallback_delay", -1); /*** [SECTION 1600]: HEADERS / REFERERS Expect some breakage e.g. banks: use an extension if you need precise control @@ -813,58 +715,30 @@ user_pref("dom.serviceWorkers.enabled", false); user_pref("dom.push.enabled", false); // user_pref("dom.push.userAgentID", ""); -/*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/ +/*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) ***/ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!"); -/* 2401: disable website control over browser right-click context menu - * [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/ - // user_pref("dom.event.contextmenu.enabled", false); -/* 2402: disable website access to clipboard events/content [SETUP-HARDEN] - * [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress - * This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website - * [WARNING] In FF88 or lower, with clipboardevents enabled, if both "middlemouse.paste" and - * "general.autoScroll" are true (at least one is default false) then the clipboard can leak [1] - * [1] https://bugzilla.mozilla.org/1528289 ***/ - // user_pref("dom.event.clipboardevents.enabled", false); -/* 2403: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] - * this disables document.execCommand("cut"/"copy") to protect your clipboard - * [1] https://bugzilla.mozilla.org/1170911 ***/ -user_pref("dom.allow_cut_copy", false); -/* 2404: disable "Confirm you want to leave" dialog on page close +/* 2401: disable "Confirm you want to leave" dialog on page close * Does not prevent JS leaks of the page close event * [1] https://developer.mozilla.org/docs/Web/Events/beforeunload ***/ user_pref("dom.disable_beforeunload", true); -/* 2405: prevent scripts from moving and resizing open windows ***/ +/* 2402: prevent scripts from moving and resizing open windows ***/ user_pref("dom.disable_window_move_resize", true); -/* 2406: block popup windows +/* 2403: block popup windows * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/ user_pref("dom.disable_open_during_load", true); -/* 2407: limit events that can cause a popup [SETUP-WEB] ***/ +/* 2404: limit events that can cause a popup [SETUP-WEB] ***/ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); -/* 2408: enable (limited but sufficient) window.opener protection [FF65+] +/* 2405: enable (limited but sufficient) window.opener protection [FF65+] * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] -/* 2420: disable asm.js [FF22+] [SETUP-PERF] - * [1] http://asmjs.org/ - * [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js - * [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ -user_pref("javascript.options.asmjs", false); -/* 2421: disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN] - * [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new - * hidden pref is enabled, then Ion can still be used by extensions (1599226) - * [WARNING] Disabling Ion/JIT can cause some site issues and performance loss - * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit ***/ - // user_pref("javascript.options.ion", false); - // user_pref("javascript.options.baselinejit", false); - // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF] -/* 2422: disable WebAssembly [FF52+] - * Vulnerabilities have increasingly been found, including those known and fixed - * in native programs years ago [2]. WASM has powerful low-level access, making - * certain attacks (brute-force) and vulnerabilities more possible - * [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising [2][3] - * [1] https://developer.mozilla.org/docs/WebAssembly - * [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly - * [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/ -user_pref("javascript.options.wasm", false); +/* 2406: disable website access to clipboard events/content + * Requires user interaction. Applies to onCut/onCopy/onPaste events + * [SETUP-HARDEN] Will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress ***/ + // user_pref("dom.event.clipboardevents.enabled", false); +/* 2407: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] + * this disables document.execCommand("cut"/"copy") to protect your clipboard + * [1] https://bugzilla.mozilla.org/1170911 ***/ +user_pref("dom.allow_cut_copy", false); /*** [SECTION 2500]: FINGERPRINTING ***/ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!"); @@ -967,22 +841,12 @@ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] user_pref("extensions.postDownloadThirdPartyPrompt", false); /** DOWNLOADS ***/ -/* 2650: discourage downloading to desktop - * 0=desktop, 1=downloads (default), 2=last used - * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/ - // user_pref("browser.download.folderList", 2); /* 2651: enable user interaction for security by always asking where to download * [SETUP-CHROME] On Android this blocks longtapping and saving images * [SETTING] General>Downloads>Always ask you where to save files ***/ user_pref("browser.download.useDownloadDir", false); /* 2652: disable adding downloads to the system's "recent documents" list ***/ user_pref("browser.download.manager.addToRecentDocs", false); -/* 2654: disable "open with" in download dialog [FF50+] [SETUP-HARDEN] - * This is very useful to enable when the browser is sandboxed (e.g. via AppArmor) - * in such a way that it is forbidden to run external applications. - * [WARNING] This may interfere with some users' workflow or methods - * [1] https://bugzilla.mozilla.org/1281959 ***/ - // user_pref("browser.download.forbid_open_with", true); /** EXTENSIONS ***/ /* 2660: lock down allowed extension directories @@ -1137,7 +1001,7 @@ user_pref("privacy.sanitize.timeSpan", 0); ***/ user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out"); /* 4001: enable First Party Isolation [FF51+] - * [SETUP-WEB] May break cross-domain logins and site functionality until perfected + * [SETUP-WEB] Will break most cross-domain logins * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/ user_pref("privacy.firstparty.isolate", true); /* 4002: enforce FPI restriction for window.opener [FF54+] @@ -1255,8 +1119,115 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] * [1] https://bugzilla.mozilla.org/1448423 ***/ user_pref("browser.startup.blankWindow", false); -/*** [SECTION 5000]: OPTIONAL OPSEC ***/ +/*** [SECTION 5000]: OPTIONAL OPSEC + Disk avoidance, application data isolation, eyeballs... +***/ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow"); +/* 5001: start Firefox in PB (Private Browsing) mode + * [NOTE] In this mode all windows are "private windows" and the PB mode icon is not displayed + * [NOTE] The P in PB mode can be misleading: it means no "persistent" disk state such as history, + * caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode). + * In fact, PB mode limits or removes the ability to control some of these, and you need to quit + * Firefox to clear them. PB is best used as a one off window (Menu>New Private Window) to provide + * a temporary self-contained new session. Close all Private Windows to clear the PB mode session. + * [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode + * [1] https://wiki.mozilla.org/Private_Browsing + * [2] https://support.mozilla.org/kb/common-myths-about-private-browsing ***/ + // user_pref("browser.privatebrowsing.autostart", true); +/* 5002: disable memory cache + * capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kibibytes ***/ + // user_pref("browser.cache.memory.enable", false); + // user_pref("browser.cache.memory.capacity", 0); +/* 5003: disable saving passwords + * [NOTE] This does not clear any passwords already saved + * [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/ + // user_pref("signon.rememberSignons", false); +/* 5004: disable permissions manager from writing to disk [FF41+] [RESTART] + * [NOTE] This means any permission changes are session only + * [1] https://bugzilla.mozilla.org/967812 ***/ + // user_pref("permissions.memory_only", true); // [HIDDEN PREF] +/* 5005: disable intermediate certificate caching [FF41+] [RESTART] + * [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only. + * Saved logins and passwords are not available. Reset the pref and restart to return them ***/ + // user_pref("security.nocertdb", true); // [HIDDEN PREF] +/* 5006: disable favicons in history and bookmarks + * [NOTE] Stored as data blobs in favicons.sqlite, these don't reveal anything that your + * actual history (and bookmarks) already do. Your history is more detailed, so + * control that instead; e.g. disable history, clear history on close, use PB mode + * [NOTE] favicons.sqlite is sanitized on Firefox close ***/ + // user_pref("browser.chrome.site_icons", false); +/* 5007: exclude "Undo Closed Tabs" in Session Restore ***/ + // user_pref("browser.sessionstore.max_tabs_undo", 0); +/* 5008: disable resuming session from crash ***/ + // user_pref("browser.sessionstore.resume_from_crash", false); +/* 5009: disable "open with" in download dialog [FF50+] + * Application data isolation [1] + * [1] https://bugzilla.mozilla.org/1281959 ***/ + // user_pref("browser.download.forbid_open_with", true); +/* 5010: disable location bar suggestion types + * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/ + // user_pref("browser.urlbar.suggest.history", false); + // user_pref("browser.urlbar.suggest.bookmark", false); + // user_pref("browser.urlbar.suggest.openpage", false); + // user_pref("browser.urlbar.suggest.topsites", false); // [FF78+] +/* 5011: disable location bar dropdown + * This value controls the total number of entries to appear in the location bar dropdown ***/ + // user_pref("browser.urlbar.maxRichResults", 0); +/* 5012: disable location bar autofill + * [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/ + // user_pref("browser.urlbar.autoFill", false); +/* 5013: disable browsing and download history + * [NOTE] We also clear history and downloads on exit (2803) + * [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/ + // user_pref("places.history.enabled", false); +/* 5014: disable Windows jumplist [WINDOWS] ***/ + // user_pref("browser.taskbar.lists.enabled", false); + // user_pref("browser.taskbar.lists.frequent.enabled", false); + // user_pref("browser.taskbar.lists.recent.enabled", false); + // user_pref("browser.taskbar.lists.tasks.enabled", false); +/* 5015: disable Windows taskbar preview [WINDOWS] ***/ + // user_pref("browser.taskbar.previews.enable", false); // [DEFAULT: false] +/* 5016: discourage downloading to desktop + * 0=desktop, 1=downloads (default), 2=last used + * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/ + // user_pref("browser.download.folderList", 2); + +/*** [SECTION 5500]: OPTIONAL HARDENING + Not recommended. Keep in mind that these can cause breakage, performance + issues, are mostly fingerpintable, and the threat model is practically zero +***/ +user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!"); +/* 5501: disable MathML (Mathematical Markup Language) [FF51+] + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml ***/ + // user_pref("mathml.disabled", true); // 1173199 +/* 5502: disable in-content SVG (Scalable Vector Graphics) [FF53+] + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg ***/ + // user_pref("svg.disabled", true); // 1216893 +/* 5503: disable graphite + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite + * [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/ + // user_pref("gfx.font_rendering.graphite.enabled", false); +/* 5504: disable asm.js [FF22+] + * [1] http://asmjs.org/ + * [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js + * [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ + // user_pref("javascript.options.asmjs", false); +/* 5505: disable Ion and baseline JIT to harden against JS exploits + * [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new + * hidden pref is enabled, then Ion can still be used by extensions (1599226) + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit ***/ + // user_pref("javascript.options.ion", false); + // user_pref("javascript.options.baselinejit", false); + // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF] +/* 5506: disable WebAssembly [FF52+] + * Vulnerabilities [1] have increasingly been found, including those known and fixed + * in native programs years ago [2]. WASM has powerful low-level access, making + * certain attacks (brute-force) and vulnerabilities more possible + * [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising [2][3] + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wasm + * [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly + * [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/ + // user_pref("javascript.options.wasm", false); /*** [SECTION 6000]: DON'T TOUCH ***/ user_pref("_user.js.parrot", "6000 syntax error: the parrot's 'istory!"); @@ -1342,14 +1313,15 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [WHY] Already isolated by network partitioning (FF85+) or FPI ***/ // user_pref("network.http.altsvc.enabled", false); // user_pref("network.http.altsvc.oe", false); -/* 7011: disable MathML (Mathematical Markup Language) [FF51+] - * [WHY] Fingerprintable, breakage, threat model - * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml ***/ - // user_pref("mathml.disabled", true); // 1173199 -/* 7012: disable in-content SVG (Scalable Vector Graphics) [FF53+] - * [WHY] Fingerprintable, breakage, threat model - * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg ***/ - // user_pref("svg.disabled", true); // 1216893 +/* 7011: disable website control over browser right-click context menu + * [WHY] Just use Shift-Right-Click ***/ + // user_pref("dom.event.contextmenu.enabled", false); +/* 7012: disable icon fonts (glyphs) and local fallback rendering + * [WHY] Breakage, font fallback is equivalency, also RFP + * [1] https://bugzilla.mozilla.org/789788 + * [2] https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/ + // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] + // user_pref("gfx.downloadable_fonts.fallback_delay", -1); /*** [SECTION 8000]: DON'T BOTHER: NON-RFP [WHY] They are insufficient to help anti-fingerprinting and do more harm than good @@ -1387,7 +1359,7 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan Non-project related but useful. If any interest you, add them to your overrides To save some overrides, we've made a few active as they seem to be universally used ***/ -user_pref("_user.js.parrot", "9000 syntax error: this is an ex-parrot!"); +user_pref("_user.js.parrot", "9000 syntax error: I ran out of parrots"); /* WELCOME & WHAT'S NEW NOTICES ***/ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch // user_pref("startup.homepage_welcome_url", ""); @@ -1468,7 +1440,7 @@ user_pref("browser.download.hide_plugins_without_extensions", false); // 0105d: disable Activity Stream recent Highlights in the Library [FF57+] // [-] https://bugzilla.mozilla.org/1689405 // user_pref("browser.library.activity-stream.enabled", false); -// 4616: disable PointerEvents +// 8002: disable PointerEvents // [1] https://developer.mozilla.org/docs/Web/API/PointerEvent // [-] https://bugzilla.mozilla.org/1688105 // user_pref("dom.w3c_pointer_events.enabled", false); From 6077d09b9fc1ef613f674074e3cfece3fde85a92 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 25 Aug 2021 14:04:50 +0000 Subject: [PATCH 396/657] window.name -> don't touch Also FPI FF65+ patch is not part of FPI, it is part of 4002 which is a separate pref --- user.js | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/user.js b/user.js index dd9fd25..06a76a1 100644 --- a/user.js +++ b/user.js @@ -831,11 +831,6 @@ user_pref("network.protocol-handler.external.ms-windows-store", false); * for these will show/use their correct 3rd party origin * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/ user_pref("permissions.delegation.enabled", false); -/* 2624: enable "window.name" protection [FF82+] - * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original - * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks - * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/ -user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] /* 2625: disable bypassing 3rd party extension install prompts [FF82+] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/ user_pref("extensions.postDownloadThirdPartyPrompt", false); @@ -992,7 +987,6 @@ user_pref("privacy.sanitize.timeSpan", 0); 1344170 - blob: URI (FF55+) 1300671 - data:, about: URLs (FF55+) 1473247 - IP addresses (FF63+) - 1492607 - postMessage with targetOrigin "*" (requires 4002) (FF65+) 1542309 - top-level domain URLs when host is in the public suffix list (FF68+) 1506693 - pdfjs range-based requests (FF68+) 1330467 - site permissions (FF69+) @@ -1246,6 +1240,11 @@ user_pref("security.csp.enable", true); // [DEFAULT: true] user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000] /* 6005: enforce no insecure active content on https pages ***/ user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true] +/* 6006: enforce "window.name" protection [FF82+] + * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original + * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks + * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/ +user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); From 9f43d48a3222ac6f8980c4f3b1b23b7e45b0bce0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 25 Aug 2021 14:09:39 +0000 Subject: [PATCH 397/657] targetBlankNoOpener -> don't touch --- user.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index 06a76a1..d69ab34 100644 --- a/user.js +++ b/user.js @@ -728,14 +728,11 @@ user_pref("dom.disable_window_move_resize", true); user_pref("dom.disable_open_during_load", true); /* 2404: limit events that can cause a popup [SETUP-WEB] ***/ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); -/* 2405: enable (limited but sufficient) window.opener protection [FF65+] - * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ -user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] -/* 2406: disable website access to clipboard events/content +/* 2405: disable website access to clipboard events/content * Requires user interaction. Applies to onCut/onCopy/onPaste events * [SETUP-HARDEN] Will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress ***/ // user_pref("dom.event.clipboardevents.enabled", false); -/* 2407: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] +/* 2406: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] * this disables document.execCommand("cut"/"copy") to protect your clipboard * [1] https://bugzilla.mozilla.org/1170911 ***/ user_pref("dom.allow_cut_copy", false); @@ -1245,6 +1242,9 @@ user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: tru * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] +/* 6007: enforce window.opener protection [FF65+] + * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ +user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); From 677b81765f652432ef0f150d794c0aaf4b06cb53 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 25 Aug 2021 15:36:15 +0000 Subject: [PATCH 398/657] tidy webgl --- user.js | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index d69ab34..a895298 100644 --- a/user.js +++ b/user.js @@ -755,11 +755,8 @@ user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+] * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab user_pref("browser.link.open_newwindow.restriction", 0); -/* 2504: disable/limit WebGL (Web Graphics Library) - * [SETUP-WEB] When disabled, will break some websites. When enabled, provides high entropy, - * especially with readPixels(). Some of the other entropy is lessened with RFP (4501) - * [1] https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/ - * [2] https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/ +/* 2504: disable WebGL (Web Graphics Library) + * [SETUP-WEB] If you need it then enable it. RFP still randomizes canvas for naive scripts ***/ user_pref("webgl.disabled", true); // user_pref("webgl.enable-webgl2", false); // user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] From 76c8ecd10d19a6f61ead3e7525c13b0087f898d6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 25 Aug 2021 15:56:57 +0000 Subject: [PATCH 399/657] tidy --- user.js | 73 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 36 insertions(+), 37 deletions(-) diff --git a/user.js b/user.js index a895298..57b9bb0 100644 --- a/user.js +++ b/user.js @@ -233,27 +233,27 @@ user_pref("network.connectivity-service.enabled", false); [3] https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work ***/ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!"); -/* 0410: disable SB (Safe Browsing) +/* 0401: disable SB (Safe Browsing) * [WARNING] Do this at your own risk! These are the master switches * [SETTING] Privacy & Security>Security>... Block dangerous and deceptive content ***/ // user_pref("browser.safebrowsing.malware.enabled", false); // user_pref("browser.safebrowsing.phishing.enabled", false); -/* 0411: disable SB checks for downloads (both local lookups + remote) - * This is the master switch for the safebrowsing.downloads* prefs (0412, 0413) +/* 0402: disable SB checks for downloads (both local lookups + remote) + * This is the master switch for the safebrowsing.downloads* prefs (0403, 0404) * [SETTING] Privacy & Security>Security>... "Block dangerous downloads" ***/ // user_pref("browser.safebrowsing.downloads.enabled", false); -/* 0412: disable SB checks for downloads (remote) +/* 0403: disable SB checks for downloads (remote) * To verify the safety of certain executable files, Firefox may submit some information about the * file, including the name, origin, size and a cryptographic hash of the contents, to the Google * Safe Browsing service which helps Firefox determine whether or not the file should be blocked * [SETUP-SECURITY] If you do not understand this, or you want this protection, then override it ***/ user_pref("browser.safebrowsing.downloads.remote.enabled", false); user_pref("browser.safebrowsing.downloads.remote.url", ""); -/* 0413: disable SB checks for unwanted software +/* 0404: disable SB checks for unwanted software * [SETTING] Privacy & Security>Security>... "Warn you about unwanted and uncommon software" ***/ // user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); // user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false); -/* 0419: disable "ignore this warning" on SB warnings [FF45+] +/* 0405: disable "ignore this warning" on SB warnings [FF45+] * If clicked, it bypasses the block for that session. This is a means for admins to enforce SB * [TEST] see github wiki APPENDIX A: Test Sites: Section 5 * [1] https://bugzilla.mozilla.org/1226490 ***/ @@ -267,7 +267,7 @@ user_pref("browser.safebrowsing.downloads.remote.url", ""); * Portable: "...\App\Firefox64\browser\features\" (or "App\Firefox\etc" for 32bit) * Windows: "...\Program Files\Mozilla\browser\features" (or "Program Files (X86)\etc" for 32bit) * Mac: "...\Applications\Firefox\Contents\Resources\browser\features\" - [NOTE] On Mac you can right-click on the application and select "Show Package Contents" + [NOTE] On Mac you can right-click on the application and select "Show Package Contents" * Linux: "/usr/lib/firefox/browser/features" (or similar) [1] https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html @@ -313,10 +313,10 @@ user_pref("network.dns.disablePrefetch", true); /* 0603: disable predictor / prefetching ***/ user_pref("network.predictor.enabled", false); // user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false] -/* 0605: disable link-mouseover opening connection to linked server +/* 0604: disable link-mouseover opening connection to linked server * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/ user_pref("network.http.speculative-parallel-limit", 0); -/* 0606: enforce no "Hyperlink Auditing" (click tracking) +/* 0605: enforce no "Hyperlink Auditing" (click tracking) * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/ // user_pref("browser.send_pings", false); // [DEFAULT: false] @@ -371,7 +371,32 @@ user_pref("keyword.enabled", false); user_pref("browser.fixup.alternate.enabled", false); /* 0803: display all parts of the url in the location bar ***/ user_pref("browser.urlbar.trimURLs", false); -/* 0805: disable coloring of visited links +/* 0804: disable live search suggestions + * [NOTE] Both must be true for the location bar to work + * [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine + * [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/ +user_pref("browser.search.suggest.enabled", false); +user_pref("browser.urlbar.suggest.searches", false); +/* 0805: disable location bar making speculative connections [FF56+] + * [1] https://bugzilla.mozilla.org/1348275 ***/ +user_pref("browser.urlbar.speculativeConnect.enabled", false); +/* 0806: disable location bar leaking single words to a DNS provider **after searching** [FF78+] + * 0=never resolve single words, 1=heuristic (default), 2=always resolve + * [NOTE] For FF78 value 1 and 2 are the same and always resolve but that will change in future versions + * [1] https://bugzilla.mozilla.org/1642623 ***/ +user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); +/* 0807: disable tab-to-search [FF85+] + * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search + * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/ + // user_pref("browser.urlbar.suggest.engines", false); +/* 0808: disable search and form history + * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2] + * [NOTE] We also clear formdata on exit (2803) + * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history + * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html + * [2] https://bugzilla.mozilla.org/381681 ***/ +user_pref("browser.formfill.enable", false); +/* 0808: disable coloring of visited links * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing * attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5] @@ -382,31 +407,6 @@ user_pref("browser.urlbar.trimURLs", false); * [4] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use) * [5] https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html ***/ // user_pref("layout.css.visited_links_enabled", false); -/* 0807: disable live search suggestions - * [NOTE] Both must be true for the location bar to work - * [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine - * [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/ -user_pref("browser.search.suggest.enabled", false); -user_pref("browser.urlbar.suggest.searches", false); -/* 0810: disable location bar making speculative connections [FF56+] - * [1] https://bugzilla.mozilla.org/1348275 ***/ -user_pref("browser.urlbar.speculativeConnect.enabled", false); -/* 0811: disable location bar leaking single words to a DNS provider **after searching** [FF78+] - * 0=never resolve single words, 1=heuristic (default), 2=always resolve - * [NOTE] For FF78 value 1 and 2 are the same and always resolve but that will change in future versions - * [1] https://bugzilla.mozilla.org/1642623 ***/ -user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); -/* 0850b: disable tab-to-search [FF85+] - * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search - * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/ - // user_pref("browser.urlbar.suggest.engines", false); -/* 0860: disable search and form history - * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2] - * [NOTE] We also clear formdata on exit (2803) - * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history - * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html - * [2] https://bugzilla.mozilla.org/381681 ***/ -user_pref("browser.formfill.enable", false); /*** [SECTION 0900]: PASSWORDS [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas @@ -437,7 +437,7 @@ user_pref("network.auth.subresource-http-auth-allow", 1); user_pref("network.http.windows-sso.enabled", false); /*** [SECTION 1000]: DISK AVOIDANCE - [NOTE] Cache is isolated with network partitioning (FF85+) or when using FPI + [NOTE] Cache is isolated with network partitioning (FF85+) or FPI ***/ user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!"); /* 1001: disable disk cache @@ -1353,7 +1353,6 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan /*** [SECTION 9000]: PERSONAL Non-project related but useful. If any interest you, add them to your overrides - To save some overrides, we've made a few active as they seem to be universally used ***/ user_pref("_user.js.parrot", "9000 syntax error: I ran out of parrots"); /* WELCOME & WHAT'S NEW NOTICES ***/ From 881a2d22eb0f977995e5b360ca06df8644ad2d6b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 25 Aug 2021 16:14:59 +0000 Subject: [PATCH 400/657] cleanup tags - there was only one perf left - warning is down to 5: two in section headers, 3 on inactive prefs: no need to mention it, people will see them if they read each item/section --- user.js | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/user.js b/user.js index 57b9bb0..7994c4c 100644 --- a/user.js +++ b/user.js @@ -24,8 +24,6 @@ [SETUP-SECURITY] it's one item, read it [SETUP-WEB] can cause some websites to break [SETUP-CHROME] changes how Firefox itself behaves (i.e. not directly website related) - [SETUP-PERF] may impact performance - [WARNING] used on some commented out items, heed them 6. Override Recipes: https://github.com/arkenfox/user.js/issues/1080 * RELEASES: https://github.com/arkenfox/user.js/releases @@ -441,7 +439,7 @@ user_pref("network.http.windows-sso.enabled", false); ***/ user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!"); /* 1001: disable disk cache - * [SETUP-PERF] If you think disk cache helps, then feel free to override this + * [SETUP-CHROME] If you think disk cache helps perf, then feel free to override this * [NOTE] We also clear cache on exit (2803) ***/ user_pref("browser.cache.disk.enable", false); /* 1002: disable media cache from writing to disk in Private Browsing From 5ec4fef4ed6dc17db4f3f8d04d6d1d394e9145b2 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 26 Aug 2021 05:40:59 +0000 Subject: [PATCH 401/657] dedupe 0808 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 7994c4c..ffed34b 100644 --- a/user.js +++ b/user.js @@ -394,7 +394,7 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html * [2] https://bugzilla.mozilla.org/381681 ***/ user_pref("browser.formfill.enable", false); -/* 0808: disable coloring of visited links +/* 0809: disable coloring of visited links * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing * attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5] From 64e8dfad0a25806d6af480fb5e9f21f5934da6e9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 26 Aug 2021 05:55:11 +0000 Subject: [PATCH 402/657] 1004: remove setup tag IDK if this is true: no one has ever complained, and I'm not interested in maintaining/testing it --- user.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/user.js b/user.js index ffed34b..369b801 100644 --- a/user.js +++ b/user.js @@ -453,8 +453,6 @@ user_pref("media.memory_cache_max_size", 65536); user_pref("browser.sessionstore.privacy_level", 2); /* 1004: set the minimum interval between session save operations * Increasing this can help on older machines and some websites, as well as reducing writes [1] - * [SETUP-CHROME] This can affect entries in "Recently Closed Tabs": i.e. the - * longer the interval the more chance a quick tab open/close won't be captured * [1] https://bugzilla.mozilla.org/1304389 ***/ user_pref("browser.sessionstore.interval", 30000); // [DEFAULT: 15000] /* 1005: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS] From 498a25c759edc7a28ade958b6bb1d66d75df152e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 26 Aug 2021 06:04:57 +0000 Subject: [PATCH 403/657] 0806: remove confusing line --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index 369b801..40f63bf 100644 --- a/user.js +++ b/user.js @@ -380,7 +380,6 @@ user_pref("browser.urlbar.suggest.searches", false); user_pref("browser.urlbar.speculativeConnect.enabled", false); /* 0806: disable location bar leaking single words to a DNS provider **after searching** [FF78+] * 0=never resolve single words, 1=heuristic (default), 2=always resolve - * [NOTE] For FF78 value 1 and 2 are the same and always resolve but that will change in future versions * [1] https://bugzilla.mozilla.org/1642623 ***/ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); /* 0807: disable tab-to-search [FF85+] From 80f69a6f3d1d34f49496064d9199d885a28c6c4f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 26 Aug 2021 06:26:41 +0000 Subject: [PATCH 404/657] 2406: remove This doesn't achieve anything. AFAICT, it's an old gecko only API, not used on the web: superseded by the Clipboard API (added in FF21+) --- user.js | 4 ---- 1 file changed, 4 deletions(-) diff --git a/user.js b/user.js index 40f63bf..93c1926 100644 --- a/user.js +++ b/user.js @@ -727,10 +727,6 @@ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); * Requires user interaction. Applies to onCut/onCopy/onPaste events * [SETUP-HARDEN] Will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress ***/ // user_pref("dom.event.clipboardevents.enabled", false); -/* 2406: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+] - * this disables document.execCommand("cut"/"copy") to protect your clipboard - * [1] https://bugzilla.mozilla.org/1170911 ***/ -user_pref("dom.allow_cut_copy", false); /*** [SECTION 2500]: FINGERPRINTING ***/ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!"); From 38dc90a947cd07f57992eabf0f56807119a44afe Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 26 Aug 2021 06:27:32 +0000 Subject: [PATCH 405/657] dom.allow_cut_copy https://github.com/arkenfox/user.js/commit/80f69a6f3d1d34f49496064d9199d885a28c6c4f --- scratchpad-scripts/arkenfox-clear-removed.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 5120643..d53e6f5 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 22-August-2021 + Last updated: 26-August-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -15,6 +15,7 @@ /* removed in arkenfox user.js */ /* 91 */ 'alerts.showFavicons', + 'dom.allow_cut_copy', 'dom.battery.enabled', 'dom.storage.enabled', 'dom.vibrator.enabled', From b5a3b54d3f9555aae97548306a56815b2f7fc9fa Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 26 Aug 2021 06:43:28 +0000 Subject: [PATCH 406/657] clipboard to don't bother --- user.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 93c1926..b4dc10b 100644 --- a/user.js +++ b/user.js @@ -723,10 +723,6 @@ user_pref("dom.disable_window_move_resize", true); user_pref("dom.disable_open_during_load", true); /* 2404: limit events that can cause a popup [SETUP-WEB] ***/ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); -/* 2405: disable website access to clipboard events/content - * Requires user interaction. Applies to onCut/onCopy/onPaste events - * [SETUP-HARDEN] Will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress ***/ - // user_pref("dom.event.clipboardevents.enabled", false); /*** [SECTION 2500]: FINGERPRINTING ***/ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!"); @@ -1309,6 +1305,10 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [2] https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/ // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] // user_pref("gfx.downloadable_fonts.fallback_delay", -1); +/* 7013: disable website access to clipboard events/content + * [WHY] Fingerprintable. Breakage. Requires user interaction, and + * paste only fires on focused editable fields. ***/ + // user_pref("dom.event.clipboardevents.enabled", false); /*** [SECTION 8000]: DON'T BOTHER: NON-RFP [WHY] They are insufficient to help anti-fingerprinting and do more harm than good From 4ac17eaf787b6145f3e44759a2e0fd13660ee88c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 26 Aug 2021 06:50:46 +0000 Subject: [PATCH 407/657] tidy last commit --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index b4dc10b..b94104c 100644 --- a/user.js +++ b/user.js @@ -1305,9 +1305,9 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [2] https://gitlab.torproject.org/legacy/trac/-/issues/8455 ***/ // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] // user_pref("gfx.downloadable_fonts.fallback_delay", -1); -/* 7013: disable website access to clipboard events/content - * [WHY] Fingerprintable. Breakage. Requires user interaction, and - * paste only fires on focused editable fields. ***/ +/* 7013: disable Clipboard API + * [WHY] Fingerprintable. Breakage. They (cut/copy/paste) require user + * interaction, and paste is limited to focused editable fields ***/ // user_pref("dom.event.clipboardevents.enabled", false); /*** [SECTION 8000]: DON'T BOTHER: NON-RFP From 08395de18871590730ba7139c5de631a0aa82b03 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 27 Aug 2021 10:37:54 +0000 Subject: [PATCH 408/657] 1273: remove inactive pref --- user.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/user.js b/user.js index b94104c..7b88ae2 100644 --- a/user.js +++ b/user.js @@ -574,8 +574,7 @@ user_pref("browser.ssl_override_behavior", 1); * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/) * [TEST] https://expired.badssl.com/ ***/ user_pref("browser.xul.error_pages.expert_bad_cert", true); -/* 1273: display "insecure" icon and "Not Secure" text on HTTP sites ***/ - // user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true] +/* 1273: display "Not Secure" text on HTTP sites ***/ user_pref("security.insecure_connection_text.enabled", true); // [FF60+] /*** [SECTION 1400]: FONTS ***/ From 2a9cf32f45d0aabc4a6ac70f3a4a0b8f8e25a1ad Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 27 Aug 2021 10:39:40 +0000 Subject: [PATCH 409/657] security.insecure_connection_icon.enabled inactive and default true --- scratchpad-scripts/arkenfox-clear-removed.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index d53e6f5..ca7b2f4 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 26-August-2021 + Last updated: 27-August-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -23,6 +23,7 @@ 'gfx.direct2d.disabled', 'layers.acceleration.disabled', 'media.media-capabilities.enabled', + 'security.insecure_connection_icon.enabled', /* 79-90 */ 'browser.newtabpage.activity-stream.asrouter.providers.snippets', 'browser.send_pings.require_same_host', From 3b5255714339cf9726d77853d6166e5a0bc6eb36 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 28 Aug 2021 05:19:13 +0000 Subject: [PATCH 410/657] start removal of section 0500s - I am no longer short one parrot - move inactive screenshots to personal - move FORM autofill to `0800... FORMS` - can't find it now, but this is slated to cease being a system addon and instead be "built-in" - the rest will get swallowed into a revamped, split QUIETER FOX --- user.js | 54 ++++++++++++++++++++---------------------------------- 1 file changed, 20 insertions(+), 34 deletions(-) diff --git a/user.js b/user.js index 7b88ae2..904db6c 100644 --- a/user.js +++ b/user.js @@ -41,11 +41,11 @@ 0100: STARTUP 0200: GEOLOCATION / LANGUAGE / LOCALE - 0300: QUIET FOX + 0300: QUIETER FOX 0400: SAFE BROWSING 0500: SYSTEM ADD-ONS / EXPERIMENTS 0600: BLOCK IMPLICIT OUTBOUND - 0700: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc + 0700: DNS / PROXY / SOCKS / IPv6 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS 0900: PASSWORDS 1000: DISK AVOIDANCE @@ -141,7 +141,7 @@ user_pref("intl.accept_languages", "en-US, en"); * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] -/*** [SECTION 0300]: QUIET FOX ***/ +/*** [SECTION 0300]: QUIETER FOX ***/ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); /* 0301: disable auto-INSTALLING Firefox updates [NON-WINDOWS] * [NOTE] You will still get prompts to update, and should do so in a timely manner @@ -257,21 +257,8 @@ user_pref("browser.safebrowsing.downloads.remote.url", ""); * [1] https://bugzilla.mozilla.org/1226490 ***/ // user_pref("browser.safebrowsing.allowOverride", false); -/*** [SECTION 0500]: SYSTEM ADD-ONS / EXPERIMENTS - System Add-ons are a method for shipping extensions, considered to be - built-in features to Firefox, that are hidden from the about:addons UI. - To view your System Add-ons go to about:support, they are listed under "Firefox Features" - - * Portable: "...\App\Firefox64\browser\features\" (or "App\Firefox\etc" for 32bit) - * Windows: "...\Program Files\Mozilla\browser\features" (or "Program Files (X86)\etc" for 32bit) - * Mac: "...\Applications\Firefox\Contents\Resources\browser\features\" - [NOTE] On Mac you can right-click on the application and select "Show Package Contents" - * Linux: "/usr/lib/firefox/browser/features" (or similar) - - [1] https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html - [2] https://searchfox.org/mozilla-central/source/browser/extensions -***/ -user_pref("_user.js.parrot", "0500 syntax error: the parrot's cashed in 'is chips!"); +/*** [SECTION 0500]: SYSTEM ADD-ONS / EXPERIMENTS ***/ +user_pref("_user.js.parrot", "0500 syntax error: section is going to be removed"); /* 0503: disable Normandy/Shield [FF60+] * Shield is a telemetry system that can push and test "recipes" * [1] https://mozilla.github.io/normandy/ ***/ @@ -283,18 +270,6 @@ user_pref("extensions.systemAddon.update.url", ""); // [FF44+] /* 0506: disable PingCentre telemetry (used in several System Add-ons) [FF57+] * Defense-in-depth: currently covered by 0340 ***/ user_pref("browser.ping-centre.telemetry", false); -/* 0515: disable Screenshots ***/ - // user_pref("extensions.screenshots.disabled", true); // [FF55+] -/* 0517: disable Form Autofill - * [NOTE] Stored data is NOT secure (uses a JSON file) - * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes - * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses - * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ -user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] -user_pref("extensions.formautofill.available", "off"); // [FF56+] -user_pref("extensions.formautofill.creditCards.available", false); // [FF57+] -user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] -user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] /* 0518: enforce disabling of Web Compatibility Reporter [FF56+] * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] @@ -318,7 +293,7 @@ user_pref("network.http.speculative-parallel-limit", 0); * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/ // user_pref("browser.send_pings", false); // [DEFAULT: false] -/*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/ +/*** [SECTION 0700]: DNS / PROXY / SOCKS / IPv6 ***/ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!"); /* 0701: disable IPv6 * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming @@ -392,8 +367,18 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html * [2] https://bugzilla.mozilla.org/381681 ***/ +/* 0809: disable Form Autofill + * [NOTE] Stored data is NOT secure (uses a JSON file) + * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes + * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses + * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ +user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] +user_pref("extensions.formautofill.available", "off"); // [FF56+] +user_pref("extensions.formautofill.creditCards.available", false); // [FF57+] +user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] +user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] user_pref("browser.formfill.enable", false); -/* 0809: disable coloring of visited links +/* 0810: disable coloring of visited links * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing * attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5] @@ -1344,7 +1329,7 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan /*** [SECTION 9000]: PERSONAL Non-project related but useful. If any interest you, add them to your overrides ***/ -user_pref("_user.js.parrot", "9000 syntax error: I ran out of parrots"); +user_pref("_user.js.parrot", "9000 syntax error: the parrot's cashed in 'is chips!"); /* WELCOME & WHAT'S NEW NOTICES ***/ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch // user_pref("startup.homepage_welcome_url", ""); @@ -1376,9 +1361,10 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux] // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART] // user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under] -/* UX FEATURES: disable and hide the icons and menus ***/ +/* UX FEATURES ***/ user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New toolbar icon [FF69+] // user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+] + // user_pref("extensions.screenshots.disabled", true); // [FF55+] // user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART] // user_pref("reader.parse-on-load.enabled", false); // Reader View /* OTHER ***/ From 2cf20c56a7d13b7c334b5b6e3f5180444c446bbf Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 28 Aug 2021 05:48:54 +0000 Subject: [PATCH 411/657] standardize cross origin/domain --- user.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 904db6c..aa407de 100644 --- a/user.js +++ b/user.js @@ -581,11 +581,11 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); [1] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ ***/ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); -/* 1601: control when to send a cross origin referer +/* 1601: control when to send a cross-origin referer * 0=always (default), 1=only if base domains match, 2=only if hosts match * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud, instagram ***/ user_pref("network.http.referer.XOriginPolicy", 2); -/* 1602: control the amount of cross origin information to send [FF52+] +/* 1602: control the amount of cross-origin information to send [FF52+] * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); /* 1603: enable the DNT (Do Not Track) HTTP header @@ -960,7 +960,7 @@ user_pref("privacy.sanitize.timeSpan", 0); ***/ user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out"); /* 4001: enable First Party Isolation [FF51+] - * [SETUP-WEB] Will break most cross-domain logins + * [SETUP-WEB] Breaks some cross-origin logins * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/ user_pref("privacy.firstparty.isolate", true); /* 4002: enforce FPI restriction for window.opener [FF54+] @@ -1261,7 +1261,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("dom.securecontext.whitelist_onions", true); // 1382359 // user_pref("network.http.referer.hideOnionSource", true); // 1305144 /* 7007: referers - * [WHY] Only cross origin referers (1600s) need control ***/ + * [WHY] Only cross-origin referers (1600s) need control ***/ // user_pref("network.http.sendRefererHeader", 2); // user_pref("network.http.referer.trimmingPolicy", 0); /* 7008: set the default Referrer Policy [FF59+] From 5ac8fd8f70f3e9ab60b264a572e2ad9974ac7362 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 28 Aug 2021 05:57:19 +0000 Subject: [PATCH 412/657] 0906: tweak, #1243 --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index aa407de..2b33426 100644 --- a/user.js +++ b/user.js @@ -413,10 +413,10 @@ user_pref("signon.formlessCapture.enabled", false); * 1 = don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs * 2 = allow sub-resources to open HTTP authentication credentials dialogs (default) ***/ user_pref("network.auth.subresource-http-auth-allow", 1); -/* 0906: disable automatic authentication on Microsoft sites [FF91+] [WINDOWS 10+] +/* 0906: enforce no automatic authentication on Microsoft sites [FF91+] [WINDOWS 10+] * [SETTING] Privacy & Security>Logins and Passwords>Allow Windows single sign-on for... * [1] https://support.mozilla.org/kb/windows-sso ***/ -user_pref("network.http.windows-sso.enabled", false); +user_pref("network.http.windows-sso.enabled", false); // [DEFAULT: false] /*** [SECTION 1000]: DISK AVOIDANCE [NOTE] Cache is isolated with network partitioning (FF85+) or FPI From 4043467ad9e726244e2395f319d021b0bcf824c7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 28 Aug 2021 06:03:13 +0000 Subject: [PATCH 413/657] tidy --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 2b33426..78a4499 100644 --- a/user.js +++ b/user.js @@ -796,9 +796,6 @@ user_pref("network.protocol-handler.external.ms-windows-store", false); * for these will show/use their correct 3rd party origin * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/ user_pref("permissions.delegation.enabled", false); -/* 2625: disable bypassing 3rd party extension install prompts [FF82+] - * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/ -user_pref("extensions.postDownloadThirdPartyPrompt", false); /** DOWNLOADS ***/ /* 2651: enable user interaction for security by always asking where to download @@ -816,6 +813,9 @@ user_pref("browser.download.manager.addToRecentDocs", false); * [1] archived: https://archive.is/DYjAM ***/ user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF] user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15] +/* 2661: disable bypassing 3rd party extension install prompts [FF82+] + * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/ +user_pref("extensions.postDownloadThirdPartyPrompt", false); /* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ // user_pref("extensions.webextensions.restrictedDomains", ""); From 4b437771fa3886173182fce273f145a65babfc3f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 28 Aug 2021 07:11:44 +0000 Subject: [PATCH 414/657] oophs, thanks @eleius fixup https://github.com/arkenfox/user.js/commit/3b5255714339cf9726d77853d6166e5a0bc6eb36 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 78a4499..61d0fab 100644 --- a/user.js +++ b/user.js @@ -367,6 +367,7 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html * [2] https://bugzilla.mozilla.org/381681 ***/ +user_pref("browser.formfill.enable", false); /* 0809: disable Form Autofill * [NOTE] Stored data is NOT secure (uses a JSON file) * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes @@ -377,7 +378,6 @@ user_pref("extensions.formautofill.available", "off"); // [FF56+] user_pref("extensions.formautofill.creditCards.available", false); // [FF57+] user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] -user_pref("browser.formfill.enable", false); /* 0810: disable coloring of visited links * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing From 6df03e1a74863e889dc756f3a8a6f90ba78b6126 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 28 Aug 2021 08:30:12 +0000 Subject: [PATCH 415/657] add removed from arkenfox section - this helps mitigate the need for scratchpad for those who use prefsCleaner - in future, if anything was active during the ESR cycle, then it goes in here when removed - similar to deprecated items: clean out after ESR EOL --- user.js | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 61d0fab..a4569ef 100644 --- a/user.js +++ b/user.js @@ -729,8 +729,6 @@ user_pref("browser.link.open_newwindow.restriction", 0); /* 2504: disable WebGL (Web Graphics Library) * [SETUP-WEB] If you need it then enable it. RFP still randomizes canvas for naive scripts ***/ user_pref("webgl.disabled", true); - // user_pref("webgl.enable-webgl2", false); - // user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+] /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); @@ -1213,6 +1211,19 @@ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] /* 6007: enforce window.opener protection [FF65+] * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] +/* 6050: prefsCleaner: reset previously active items removed from arkenfox in 79-91 ***/ + // user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", ""); + // user_pref("browser.send_pings.require_same_host", ""); + // user_pref("dom.allow_cut_copy", ""); + // user_pref("dom.vibrator.enabled", ""); + // user_pref("media.gmp-widevinecdm.visible", ""); + // user_pref("network.http.redirection-limit", ""); + // user_pref("privacy.partition.network_state", ""); + // user_pref("security.insecure_connection_icon.enabled", ""); // [DEFAULT: true FF70+] + // user_pref("security.ssl.enable_ocsp_stapling", ""); // [DEFAULT: true FF26+] + // user_pref("webgl.disable-fail-if-major-performance-caveat", ""); // [DEFAULT: true FF86+] + // user_pref("webgl.enable-webgl2", ""); + // user_pref("webgl.min_capability_mode", ""); /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); From 7e80231ac583f67883c6403e9e3c06a888fd289f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 28 Aug 2021 08:38:31 +0000 Subject: [PATCH 416/657] was 6005: remove mixed active --- user.js | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/user.js b/user.js index a4569ef..d14d564 100644 --- a/user.js +++ b/user.js @@ -1201,16 +1201,14 @@ user_pref("security.csp.enable", true); // [DEFAULT: true] /* 6004: enforce a security delay on some confirmation dialogs such as install, open/save * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/ user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000] -/* 6005: enforce no insecure active content on https pages ***/ -user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true] +/* 6005: enforce window.opener protection [FF65+] + * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ +user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] /* 6006: enforce "window.name" protection [FF82+] * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] -/* 6007: enforce window.opener protection [FF65+] - * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ -user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] /* 6050: prefsCleaner: reset previously active items removed from arkenfox in 79-91 ***/ // user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", ""); // user_pref("browser.send_pings.require_same_host", ""); @@ -1220,6 +1218,7 @@ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] // user_pref("network.http.redirection-limit", ""); // user_pref("privacy.partition.network_state", ""); // user_pref("security.insecure_connection_icon.enabled", ""); // [DEFAULT: true FF70+] + // user_pref("security.mixed_content.block_active_content", ""); // [DEFAULT: true since at least FF60] // user_pref("security.ssl.enable_ocsp_stapling", ""); // [DEFAULT: true FF26+] // user_pref("webgl.disable-fail-if-major-performance-caveat", ""); // [DEFAULT: true FF86+] // user_pref("webgl.enable-webgl2", ""); From 908638c9dc8f1d66c373617915220c126ed05147 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 28 Aug 2021 08:39:44 +0000 Subject: [PATCH 417/657] security.mixed_content.block_active_content default true since at least FF60 --- scratchpad-scripts/arkenfox-clear-removed.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index ca7b2f4..f202cae 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 27-August-2021 + Last updated: 28-August-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -24,6 +24,7 @@ 'layers.acceleration.disabled', 'media.media-capabilities.enabled', 'security.insecure_connection_icon.enabled', + 'security.mixed_content.block_active_content', /* 79-90 */ 'browser.newtabpage.activity-stream.asrouter.providers.snippets', 'browser.send_pings.require_same_host', From a264eebcb5ae86b958329514daf590bf5618f6cb Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 29 Aug 2021 03:27:46 +0000 Subject: [PATCH 418/657] screensharing etc --- scratchpad-scripts/arkenfox-clear-removed.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index f202cae..bd99cb5 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,7 @@ /*** This will reset the preferences that have been removed completely from the arkenfox user.js. - Last updated: 28-August-2021 + Last updated: 29-August-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -22,6 +22,9 @@ 'general.warnOnAboutConfig', 'gfx.direct2d.disabled', 'layers.acceleration.disabled', + 'media.getusermedia.audiocapture.enabled', + 'media.getusermedia.browser.enabled', + 'media.getusermedia.screensharing.enabled', 'media.media-capabilities.enabled', 'security.insecure_connection_icon.enabled', 'security.mixed_content.block_active_content', From 453fcd32cb6fdc981684d2587764f23b4689222f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 29 Aug 2021 04:10:48 +0000 Subject: [PATCH 419/657] remove 2003, fixes #1245 --- user.js | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index d14d564..8c42710 100644 --- a/user.js +++ b/user.js @@ -626,10 +626,6 @@ user_pref("media.peerconnection.enabled", false); user_pref("media.peerconnection.ice.default_address_only", true); user_pref("media.peerconnection.ice.no_host", true); // [FF51+] user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+] -/* 2003: disable screensharing ***/ -user_pref("media.getusermedia.screensharing.enabled", false); -user_pref("media.getusermedia.browser.enabled", false); -user_pref("media.getusermedia.audiocapture.enabled", false); /* 2020: disable GMP (Gecko Media Plugins) * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/ // user_pref("media.gmp-provider.enabled", false); @@ -1214,6 +1210,9 @@ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] // user_pref("browser.send_pings.require_same_host", ""); // user_pref("dom.allow_cut_copy", ""); // user_pref("dom.vibrator.enabled", ""); + // user_pref("media.getusermedia.audiocapture.enabled", ""); + // user_pref("media.getusermedia.browser.enabled", ""); + // user_pref("media.getusermedia.screensharing.enabled", ""); // user_pref("media.gmp-widevinecdm.visible", ""); // user_pref("network.http.redirection-limit", ""); // user_pref("privacy.partition.network_state", ""); From a308878b118cf8e78406f38bec188e6535d38118 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 29 Aug 2021 04:50:36 +0000 Subject: [PATCH 420/657] finish removal of 500s and cleanup of 300s --- user.js | 86 ++++++++++++++++++++++++++++++--------------------------- 1 file changed, 46 insertions(+), 40 deletions(-) diff --git a/user.js b/user.js index 8c42710..50126b1 100644 --- a/user.js +++ b/user.js @@ -43,7 +43,6 @@ 0200: GEOLOCATION / LANGUAGE / LOCALE 0300: QUIETER FOX 0400: SAFE BROWSING - 0500: SYSTEM ADD-ONS / EXPERIMENTS 0600: BLOCK IMPLICIT OUTBOUND 0700: DNS / PROXY / SOCKS / IPv6 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS @@ -143,6 +142,7 @@ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] /*** [SECTION 0300]: QUIETER FOX ***/ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); +/** UPDATES ***/ /* 0301: disable auto-INSTALLING Firefox updates [NON-WINDOWS] * [NOTE] You will still get prompts to update, and should do so in a timely manner * [SETTING] General>Firefox Updates>Check for updates but let you choose to install them ***/ @@ -156,23 +156,41 @@ user_pref("app.update.background.scheduling.enabled", false); /* 0304: disable auto-INSTALLING extension and theme updates (after the check in 0303) * [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/ // user_pref("extensions.update.autoUpdateDefault", false); -/* 0306: disable extension metadata +/* 0305: disable extension metadata * used when installing/updating an extension, and in daily background update checks: * when false, extension detail tabs will have no description ***/ // user_pref("extensions.getAddons.cache.enabled", false); -/* 0308: disable search engine updates (e.g. OpenSearch) +/* 0306: disable search engine updates (e.g. OpenSearch) * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines ***/ user_pref("browser.search.update", false); -/* 0320: disable about:addons' Recommendations pane (uses Google Analytics) ***/ +/* 0307: disable System Add-on updates ***/ +user_pref("extensions.systemAddon.update.enabled", false); // [FF62+] +user_pref("extensions.systemAddon.update.url", ""); // [FF44+] + +/** RECOMMENDATIONS ***/ +/* 0320: disable recommendation pane in about:addons (uses Google Analytics) ***/ user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF] /* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/ user_pref("extensions.htmlaboutaddons.recommendations.enabled", false); -/* 0330: disable telemetry +/* 0322: disable personalized Extension Recommendations in about:addons and AMO [FF65+] + * [NOTE] This pref has no effect when Health Reports (0331) are disabled + * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to make personalized extension recommendations + * [1] https://support.mozilla.org/kb/personalized-extension-recommendations ***/ +user_pref("browser.discovery.enabled", false); + +/** TELEMETRY ***/ +/* 0330: disable new data submission [FF41+] + * If disabled, no policy is shown or upload takes place, ever + * [1] https://bugzilla.mozilla.org/1195552 ***/ +user_pref("datareporting.policy.dataSubmissionEnabled", false); +/* 0331: disable Health Reports + * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical... data ***/ +user_pref("datareporting.healthreport.uploadEnabled", false); +/* 0332: disable telemetry * The "unified" pref affects the behaviour of the "enabled" pref * - If "unified" is false then "enabled" controls the telemetry module * - If "unified" is true then "enabled" only controls whether to record extended data - * [NOTE] FF58+ "toolkit.telemetry.enabled" is now LOCKED to reflect prerelease - * or release builds (true and false respectively) [2] + * [NOTE] "toolkit.telemetry.enabled" is now LOCKED to reflect prerelease (true) or release builds (false) [2] * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/ user_pref("toolkit.telemetry.unified", false); @@ -184,26 +202,26 @@ user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // [FF55+] user_pref("toolkit.telemetry.updatePing.enabled", false); // [FF56+] user_pref("toolkit.telemetry.bhrPing.enabled", false); // [FF57+] Background Hang Reporter user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+] -/* 0331: disable Telemetry Coverage +/* 0333: disable Telemetry Coverage * [1] https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ ***/ user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF] user_pref("toolkit.coverage.opt-out", true); // [FF64+] [HIDDEN PREF] user_pref("toolkit.coverage.endpoint.base", ""); -/* 0340: disable Health Reports - * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical... data ***/ -user_pref("datareporting.healthreport.uploadEnabled", false); -/* 0341: disable new data submission, master kill switch [FF41+] - * If disabled, no policy is shown or upload takes place, ever - * [1] https://bugzilla.mozilla.org/1195552 ***/ -user_pref("datareporting.policy.dataSubmissionEnabled", false); -/* 0342: disable Studies +/* 0334: disable PingCentre telemetry (used in several System Add-ons) [FF57+] + * Defense-in-depth: currently covered by 0331 ***/ +user_pref("browser.ping-centre.telemetry", false); + +/** STUDIES ***/ +/* 0340: disable Studies * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to install and run studies ***/ user_pref("app.shield.optoutstudies.enabled", false); -/* 0343: disable personalized Extension Recommendations in about:addons and AMO [FF65+] - * [NOTE] This pref has no effect when Health Reports (0340) are disabled - * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to make personalized extension recommendations - * [1] https://support.mozilla.org/kb/personalized-extension-recommendations ***/ -user_pref("browser.discovery.enabled", false); +/* 0341: disable Normandy/Shield [FF60+] + * Shield is a telemetry system that can push and test "recipes" + * [1] https://mozilla.github.io/normandy/ ***/ +user_pref("app.normandy.enabled", false); +user_pref("app.normandy.api_url", ""); + +/** CRASH REPORTS ***/ /* 0350: disable Crash Reports ***/ user_pref("breakpad.reportURL", ""); user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+] @@ -211,13 +229,18 @@ user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+] /* 0351: enforce no submission of backlogged Crash Reports [FF58+] * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send backlogged crash reports ***/ user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DEFAULT: false] -/* 0390: disable Captive Portal detection + +/** OTHER ***/ +/* 0360: disable Captive Portal detection * [1] https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy ***/ user_pref("captivedetect.canonicalURL", ""); user_pref("network.captive-portal-service.enabled", false); // [FF52+] -/* 0391: disable Network Connectivity checks [FF65+] +/* 0361: disable Network Connectivity checks [FF65+] * [1] https://bugzilla.mozilla.org/1460537 ***/ user_pref("network.connectivity-service.enabled", false); +/* 0362: enforce disabling of Web Compatibility Reporter [FF56+] + * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/ +user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] /*** [SECTION 0400]: SAFE BROWSING (SB) SB has taken many steps to preserve privacy. If required, a full url is never sent @@ -257,23 +280,6 @@ user_pref("browser.safebrowsing.downloads.remote.url", ""); * [1] https://bugzilla.mozilla.org/1226490 ***/ // user_pref("browser.safebrowsing.allowOverride", false); -/*** [SECTION 0500]: SYSTEM ADD-ONS / EXPERIMENTS ***/ -user_pref("_user.js.parrot", "0500 syntax error: section is going to be removed"); -/* 0503: disable Normandy/Shield [FF60+] - * Shield is a telemetry system that can push and test "recipes" - * [1] https://mozilla.github.io/normandy/ ***/ -user_pref("app.normandy.enabled", false); -user_pref("app.normandy.api_url", ""); -/* 0505: disable System Add-on updates ***/ -user_pref("extensions.systemAddon.update.enabled", false); // [FF62+] -user_pref("extensions.systemAddon.update.url", ""); // [FF44+] -/* 0506: disable PingCentre telemetry (used in several System Add-ons) [FF57+] - * Defense-in-depth: currently covered by 0340 ***/ -user_pref("browser.ping-centre.telemetry", false); -/* 0518: enforce disabling of Web Compatibility Reporter [FF56+] - * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/ -user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] - /*** [SECTION 0600]: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - e.g. clicked on] ***/ user_pref("_user.js.parrot", "0600 syntax error: the parrot's no more!"); /* 0601: disable link prefetching From a1b4aa6000b691930df59bc214d40d2f89c6ca90 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 29 Aug 2021 07:42:24 +0000 Subject: [PATCH 421/657] add DoH rollout pref, closes #1027 --- user.js | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 50126b1..64dd2ba 100644 --- a/user.js +++ b/user.js @@ -44,7 +44,7 @@ 0300: QUIETER FOX 0400: SAFE BROWSING 0600: BLOCK IMPLICIT OUTBOUND - 0700: DNS / PROXY / SOCKS / IPv6 + 0700: DNS / DoH / PROXY / SOCKS / IPv6 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS 0900: PASSWORDS 1000: DISK AVOIDANCE @@ -299,7 +299,7 @@ user_pref("network.http.speculative-parallel-limit", 0); * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/ // user_pref("browser.send_pings", false); // [DEFAULT: false] -/*** [SECTION 0700]: DNS / PROXY / SOCKS / IPv6 ***/ +/*** [SECTION 0700]: DNS / DoH / PROXY / SOCKS / IPv6 ***/ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!"); /* 0701: disable IPv6 * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming @@ -329,6 +329,14 @@ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] * [3] https://en.wikipedia.org/wiki/GVfs * [4] https://en.wikipedia.org/wiki/GIO_(software) ***/ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] +/* 0705: disable DNS-over-HTTPS (DoH) rollout [FF60+] + * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off + * see "doh-rollout.home-region": USA Feb 2020, Canada July 2021 [3] + * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ + * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy + * [3] https://blog.mozilla.org/en/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/ + * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/ + // user_pref("network.trr.mode", 5); /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); From 283bfd744ac1d7cb102e542b92b12f98d1a095b8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 29 Aug 2021 14:32:37 +0000 Subject: [PATCH 422/657] fixup missing 1022 reference --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 64dd2ba..cc7eb7b 100644 --- a/user.js +++ b/user.js @@ -935,7 +935,7 @@ user_pref("privacy.cpd.sessions", true); // Active Logins user_pref("privacy.cpd.siteSettings", false); // Site Preferences /* 2805: clear Session Restore data when sanitizing on shutdown or manually [FF34+] * [NOTE] Not needed if Session Restore is not used (0102) or is already cleared with history (2803) - * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (1022) + * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (also see 5008) * [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/ // user_pref("privacy.clearOnShutdown.openWindows", true); // user_pref("privacy.cpd.openWindows", true); From 524823fd0524277d59aceedc3b7b051baf4e3b13 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 7 Sep 2021 13:35:32 +0000 Subject: [PATCH 423/657] proxy direct failover (#1247) --- user.js | 73 ++++++++++++++++++++++++++------------------------------- 1 file changed, 33 insertions(+), 40 deletions(-) diff --git a/user.js b/user.js index cc7eb7b..8c27326 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 30 July 2021 -* version 91-alpha +* date: 7 September 2021 +* version 91 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -337,6 +337,8 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] * [3] https://blog.mozilla.org/en/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/ * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/ // user_pref("network.trr.mode", 5); +/* 0706: disable proxy direct failover for system requests [FF91+] ***/ +user_pref("network.proxy.failover_direct", false); /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); @@ -432,9 +434,7 @@ user_pref("network.auth.subresource-http-auth-allow", 1); * [1] https://support.mozilla.org/kb/windows-sso ***/ user_pref("network.http.windows-sso.enabled", false); // [DEFAULT: false] -/*** [SECTION 1000]: DISK AVOIDANCE - [NOTE] Cache is isolated with network partitioning (FF85+) or FPI -***/ +/*** [SECTION 1000]: DISK AVOIDANCE ***/ user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!"); /* 1001: disable disk cache * [SETUP-CHROME] If you think disk cache helps perf, then feel free to override this @@ -992,17 +992,14 @@ user_pref("privacy.firstparty.isolate", true); [WARNING] DO NOT USE extensions to alter RFP protected metrics - FF41+ - 418986 - limit window.screen & CSS media queries leaking identifiable info + 418986 - limit window.screen & CSS media queries (FF41) [TEST] https://arkenfox.github.io/TZP/tzp.html#screen - FF50+ - 1281949 - spoof screen orientation - 1281963 - hide contents of navigator.plugins and navigator.mimeTypes - FF55+ - 1330890 - spoof timezone as UTC0 - 1360039 - spoof navigator.hardwareConcurrency as 2 - 1217238 - reduce precision of time exposed by javascript - FF56+ + 1281949 - spoof screen orientation (FF50) + 1281963 - hide contents of navigator.plugins and navigator.mimeTypes (FF50-88) + 1330890 - spoof timezone as UTC0 (FF55) + 1360039 - spoof navigator.hardwareConcurrency as 2 (FF55) + 1217238 - reduce precision of time exposed by javascript (FF55) + FF56 1369303 - spoof/disable performance API 1333651 - spoof User Agent & Navigator API JS: FF91+ the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 10, or Linux @@ -1012,7 +1009,7 @@ user_pref("privacy.firstparty.isolate", true); 1337161 - hide gamepads from content 1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true 1333641 - reduce fingerprinting in WebSpeech API - FF57+ + FF57 1369309 - spoof media statistics 1382499 - reduce screen co-ordinate fingerprinting in Touch API 1217290 & 1409677 - enable some fingerprinting resistance for WebGL @@ -1020,34 +1017,30 @@ user_pref("privacy.firstparty.isolate", true); 1354633 - limit MediaError.message to a whitelist 1382533 & 1697680 - enable fingerprinting resistance for Presentation API (FF57-87) Blocks exposure of local IP Addresses via mDNS (Multicast DNS) - FF58+ - 967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction - FF59+ - 1372073 - spoof/block fingerprinting in MediaDevices API + FF58-90 + 967895 - spoof canvas and enable site permission prompt (FF58) + 1372073 - spoof/block fingerprinting in MediaDevices API (FF59) Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone" Block: suppresses the ondevicechange event - 1039069 - warn when language prefs are not set to "en*" (also see 0210, 0211) - 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events + 1039069 - warn when language prefs are not set to "en*" (also see 0210, 0211) (FF59) + 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59) Spoofing mimics the content language of the document. Currently it only supports en-US. Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected. - FF60-67 - 1337157 - disable WebGL debug renderer info (FF60+) - 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+) - 1479239 - return "no-preference" with prefers-reduced-motion (FF63+) - 1363508 - spoof/suppress Pointer Events (FF64+) - 1492766 - spoof pointerEvent.pointerid (FF65+) - 1485266 - disable exposure of system colors to CSS or canvas (FF67+) - 1494034 - return "light" with prefers-color-scheme (FF67+) - FF68-77 - 1564422 - spoof audioContext outputLatency (FF70+) - 1595823 - return audioContext sampleRate as 44100 (FF72+) - 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+) - FF78-90 - 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+) - 1653987 - limit font visibility to bundled and "Base Fonts" (Windows, Mac, some Linux) (FF80+) - 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82+) + 1337157 - disable WebGL debug renderer info (FF60) + 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62) + 1479239 - return "no-preference" with prefers-reduced-motion (FF63) + 1363508 - spoof/suppress Pointer Events (FF64) + 1492766 - spoof pointerEvent.pointerid (FF65) + 1485266 - disable exposure of system colors to CSS or canvas (FF67) + 1494034 - return "light" with prefers-color-scheme (FF67) + 1564422 - spoof audioContext outputLatency (FF70) + 1595823 - return audioContext sampleRate as 44100 (FF72) + 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74) + 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78) + 1653987 - limit font visibility to bundled and "Base Fonts" (Windows, Mac, some Linux) (FF80) + 1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82) FF91+ - 531915 - use fdlibm's sin, cos and tan in jsmath (FF93+, ESR91.1+) + 531915 - use fdlibm's sin, cos and tan in jsmath (FF93, ESR91.1) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable privacy.resistFingerprinting [FF41+] @@ -1160,7 +1153,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow // user_pref("browser.download.folderList", 2); /*** [SECTION 5500]: OPTIONAL HARDENING - Not recommended. Keep in mind that these can cause breakage, performance + Not recommended. Keep in mind that these can cause breakage and performance issues, are mostly fingerpintable, and the threat model is practically zero ***/ user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!"); From c9956d85b198ed400cf3b15a3254e1184d6722af Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 10 Sep 2021 04:32:09 +0000 Subject: [PATCH 424/657] 92-alpha --- user.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 8c27326..1711cc3 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 7 September 2021 -* version 91 +* date: 10 September 2021 +* version 92-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -781,7 +781,7 @@ user_pref("webchannel.allowObject.urlWhitelist", ""); * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com) * [1] https://wiki.mozilla.org/IDN_Display_Algorithm * [2] https://en.wikipedia.org/wiki/IDN_homograph_attack - * [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/ + * [3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=punycode+firefox * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/ user_pref("network.IDN_show_punycode", true); /* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME] @@ -818,7 +818,7 @@ user_pref("browser.download.manager.addToRecentDocs", false); * [SETUP-CHROME] This will break extensions, language packs, themes and any other * XPI files which are installed outside of profile and application directories * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/ - * [1] archived: https://archive.is/DYjAM ***/ + * [1] https://archive.is/DYjAM (archived) ***/ user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF] user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15] /* 2661: disable bypassing 3rd party extension install prompts [FF82+] From e5c128804cd4c89b2a624eb911edbc6de1b4ebb9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 10 Sep 2021 05:09:05 +0000 Subject: [PATCH 425/657] remove locale in link --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 1711cc3..89dcba1 100644 --- a/user.js +++ b/user.js @@ -334,7 +334,7 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] * see "doh-rollout.home-region": USA Feb 2020, Canada July 2021 [3] * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy - * [3] https://blog.mozilla.org/en/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/ + * [3] https://blog.mozilla.org/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/ * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/ // user_pref("network.trr.mode", 5); /* 0706: disable proxy direct failover for system requests [FF91+] ***/ From 76c1aad4be7b4f7fa462b8d93f3069c2c77c2bbd Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 10 Sep 2021 13:07:04 +0000 Subject: [PATCH 426/657] grammar --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 89dcba1..81abd79 100644 --- a/user.js +++ b/user.js @@ -615,7 +615,7 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); [4] https://github.com/stoically/temporary-containers/wiki ***/ user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!"); -/* 1701: enable Container Tabs and it's UI setting [FF50+] +/* 1701: enable Container Tabs and its UI setting [FF50+] * [SETTING] General>Tabs>Enable Container Tabs ***/ user_pref("privacy.userContext.enabled", true); user_pref("privacy.userContext.ui.enabled", true); @@ -680,7 +680,7 @@ user_pref("media.autoplay.blocking_policy", 2); user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!"); /* 2302: disable service workers [FF32, FF44-compat] * Service workers essentially act as proxy servers that sit between web apps, and the - * browser and network, are event driven, and can control the web page/site it is associated + * browser and network, are event driven, and can control the web page/site they are associated * with, intercepting and modifying navigation and resource requests, and caching resources. * [NOTE] Service workers require HTTPS, have no DOM access, and are not supported in PB mode [1] * [SETUP-WEB] Disabling service workers will break some sites. This pref is required true for From 278336196c1d72bc83f3abd685d8ec78a8fec7a7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 11 Sep 2021 05:31:21 +0000 Subject: [PATCH 427/657] nit --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 81abd79..d513b1f 100644 --- a/user.js +++ b/user.js @@ -1306,7 +1306,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] // user_pref("gfx.downloadable_fonts.fallback_delay", -1); /* 7013: disable Clipboard API - * [WHY] Fingerprintable. Breakage. They (cut/copy/paste) require user + * [WHY] Fingerprintable. Breakage. Cut/copy/paste require user * interaction, and paste is limited to focused editable fields ***/ // user_pref("dom.event.clipboardevents.enabled", false); From 1c6d63314411d2a0496f5547f4a1b46705dbc06a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 11 Sep 2021 05:35:39 +0000 Subject: [PATCH 428/657] more nits --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index d513b1f..e5710f9 100644 --- a/user.js +++ b/user.js @@ -245,7 +245,7 @@ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] /*** [SECTION 0400]: SAFE BROWSING (SB) SB has taken many steps to preserve privacy. If required, a full url is never sent to Google, only a part-hash of the prefix, hidden with noise of other real part-hashes. - Firefox takes measures such as striping out identifying parameters and since SBv4 (FF57+) + Firefox takes measures such as stripping out identifying parameters and since SBv4 (FF57+) doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity) FWIW, Google also swear it is anonymized and only used to flag malicious sites. @@ -787,7 +787,7 @@ user_pref("network.IDN_show_punycode", true); /* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME] * This setting controls if the option "Display in Firefox" is available in the setting below * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With") - * PROS: pdfjs is lightweight, open source, and as secure/vetted more than most + * PROS: pdfjs is lightweight, open source, and more secure/vetted than most * Exploits are rare (one serious case in seven years), treated seriously and patched quickly. * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps). * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk. From 044e3e76e8690934c5c89ce7969257b44bf38a6b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 25 Sep 2021 01:47:54 +0000 Subject: [PATCH 429/657] make 0706 more cromulent --- user.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index e5710f9..02221bc 100644 --- a/user.js +++ b/user.js @@ -337,8 +337,10 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] * [3] https://blog.mozilla.org/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/ * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/ // user_pref("network.trr.mode", 5); -/* 0706: disable proxy direct failover for system requests [FF91+] ***/ -user_pref("network.proxy.failover_direct", false); +/* 0706: disable proxy direct failover for system requests [FF91+] + * [WARNING] Default true is a security feature against malicious extensions + * [SETUP-CHROME] If you use a proxy and you trust your extensions ***/ + // user_pref("network.proxy.failover_direct", false); /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); From b37df0bcfe77ffb6521ec393a4087223fe9c4c3a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 25 Sep 2021 02:32:48 +0000 Subject: [PATCH 430/657] embiggen 4500, #1218 --- user.js | 48 ++++++++++++++++++++++-------------------------- 1 file changed, 22 insertions(+), 26 deletions(-) diff --git a/user.js b/user.js index 02221bc..ccbb827 100644 --- a/user.js +++ b/user.js @@ -34,7 +34,7 @@ ESR78 - If you are not using arkenfox v78... (not a definitive list) - 1244: HTTPS-Only mode is enabled - - 2502: non-native widget theme is enforced + - 4511: non-native widget theme is enforced - 9999: switch the appropriate deprecated section(s) back on * INDEX: @@ -55,7 +55,6 @@ 2000: PLUGINS / MEDIA / WEBRTC 2300: WEB WORKERS 2400: DOM (DOCUMENT OBJECT MODEL) - 2500: FINGERPRINTING 2600: MISCELLANEOUS 2700: PERSISTENT STORAGE 2800: SHUTDOWN @@ -720,28 +719,6 @@ user_pref("dom.disable_open_during_load", true); /* 2404: limit events that can cause a popup [SETUP-WEB] ***/ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); -/*** [SECTION 2500]: FINGERPRINTING ***/ -user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!"); -/* 2501: enforce no system colors - * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ -user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] -/* 2502: enforce non-native widget theme - * Security: removes/reduces system API calls, e.g. win32k API [1] - * Fingerprinting: provides a uniform look and feel across platforms [2] - * [1] https://bugzilla.mozilla.org/1381938 - * [2] https://bugzilla.mozilla.org/1411425 ***/ -user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+] -/* 2503: open links targeting new windows in a new tab instead - * Stops malicious window sizes and some screen resolution leaks. - * You can still right-click a link and open in a new window - * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen - * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ -user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab -user_pref("browser.link.open_newwindow.restriction", 0); -/* 2504: disable WebGL (Web Graphics Library) - * [SETUP-WEB] If you need it then enable it. RFP still randomizes canvas for naive scripts ***/ -user_pref("webgl.disabled", true); - /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); /* 2601: prevent accessibility services from accessing your browser [RESTART] @@ -1076,10 +1053,29 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] * [1] https://bugzilla.mozilla.org/1635603 ***/ // user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid"); // user_pref("privacy.resistFingerprinting.testGranularityMask", 0); -/* 4510: disable showing about:blank as soon as possible during startup [FF60+] +/* 4506: disable showing about:blank as soon as possible during startup [FF60+] * When default true this no longer masks the RFP chrome resizing activity * [1] https://bugzilla.mozilla.org/1448423 ***/ user_pref("browser.startup.blankWindow", false); +/* 4510: enforce no system colors + * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ +user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] +/* 4511: enforce non-native widget theme + * Security: removes/reduces system API calls, e.g. win32k API [1] + * Fingerprinting: provides a uniform look and feel across platforms [2] + * [1] https://bugzilla.mozilla.org/1381938 + * [2] https://bugzilla.mozilla.org/1411425 ***/ +user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+] +/* 4512: open links targeting new windows in a new tab instead + * Stops malicious window sizes and some screen resolution leaks. + * You can still right-click a link and open in a new window + * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen + * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ +user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab +user_pref("browser.link.open_newwindow.restriction", 0); +/* 4513: disable WebGL (Web Graphics Library) + * [SETUP-WEB] If you need it then enable it. RFP still randomizes canvas for naive scripts ***/ +user_pref("webgl.disabled", true); /*** [SECTION 5000]: OPTIONAL OPSEC Disk avoidance, application data isolation, eyeballs... @@ -1398,7 +1394,7 @@ user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1] [1] https://github.com/arkenfox/user.js/issues/123 ***/ -user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!"); +user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!"); /* ESR78.x still uses all the following prefs // [NOTE] replace the * with a slash in the line above to re-enable them // FF79 From 5cdea955e779ef17df66187c6b0b4eb7f4aeb5cf Mon Sep 17 00:00:00 2001 From: a1346054 <36859588+a1346054@users.noreply.github.com> Date: Mon, 27 Sep 2021 15:23:12 +0000 Subject: [PATCH 431/657] Simple maintenance improvements (#1255) * Use direct check for existence of file * Fix shellcheck warnings * Unify codestyle in scripts * Trim excess whitespace --- README.md | 4 +- prefsCleaner.sh | 6 +- .../arkenfox-clear-RFP-alternatives.js | 3 +- scratchpad-scripts/troubleshooter.js | 3 +- updater.sh | 62 +++++++++---------- 5 files changed, 37 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 39ddaa1..1522a3e 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ The `arkenfox user.js` is a **template** which aims to provide as much privacy a Everyone, experts included, should at least read the [implementation](https://github.com/arkenfox/user.js/wiki/1.3-Implementation) wiki page, as it contains important information regarding a few `user.js` settings. -Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://www.torproject.org/about/torusers.html.en) calls for it, or for accessing hidden services. +Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://www.torproject.org/about/torusers.html.en) calls for it, or for accessing hidden services. Also be aware that the `arkenfox user.js` is made specifically for desktop Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser. @@ -23,5 +23,3 @@ Also be aware that the `arkenfox user.js` is made specifically for desktop Firef ### 🟥 acknowledgments Literally thousands of sources, references and suggestions. Many thanks, and much appreciated. - - diff --git a/prefsCleaner.sh b/prefsCleaner.sh index 60cf70e..497ebde 100644 --- a/prefsCleaner.sh +++ b/prefsCleaner.sh @@ -20,7 +20,7 @@ cd "$(dirname "${sfp}")" fQuit() { ## change directory back to the original working directory cd "${currdir}" - [ $1 -eq 0 ] && echo -e "\n$2" || echo -e "\n$2" >&2 + [ "$1" -eq 0 ] && echo -e "\n$2" || echo -e "\n$2" >&2 exit $1 } @@ -36,7 +36,7 @@ fFF_check() { # this isn't elegant and might not be future-proof but should at least be compatible with any environment while [ -e lock ]; do echo -e "\nThis Firefox profile seems to be in use. Close Firefox and try again.\n" >&2 - read -p "Press any key to continue." + read -r -p "Press any key to continue." done } @@ -48,7 +48,7 @@ fClean() { if [[ "$line" =~ $prefexp && $prefs != *"@@${BASH_REMATCH[1]}@@"* ]]; then prefs="${prefs}${BASH_REMATCH[1]}@@" fi - done <<< "`grep -E \"$prefexp\" user.js`" + done <<< "$(grep -E \"$prefexp\" user.js)" while IFS='' read -r line || [[ -n "$line" ]]; do if [[ "$line" =~ ^$prefexp ]]; then diff --git a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js index 9d251d4..4821fc3 100644 --- a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js +++ b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js @@ -7,7 +7,7 @@ As of v91, section 4600 is no longer recommended, and is all inactive. This now includes the old 4700 section. You can reset them using prefsCleaner. - + For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] ***/ @@ -69,4 +69,3 @@ return 'all done'; })(); - diff --git a/scratchpad-scripts/troubleshooter.js b/scratchpad-scripts/troubleshooter.js index be64708..bd86786 100644 --- a/scratchpad-scripts/troubleshooter.js +++ b/scratchpad-scripts/troubleshooter.js @@ -1,4 +1,3 @@ - /*** arkenfox user.js troubleshooter.js v1.6.3 ***/ (function() { @@ -194,7 +193,7 @@ const aBAK = getMyList(aPREFS); //console.log(aBAK.length, "user-set prefs from our list detected and their values stored."); - + const sMsg = "all detected prefs reset.\n\n" + "!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\n" + "IF the problem still exists, this script can't help you - click Cancel to re-apply your values and exit.\n\n" + diff --git a/updater.sh b/updater.sh index 6f761c9..a1f7070 100755 --- a/updater.sh +++ b/updater.sh @@ -41,9 +41,9 @@ ESR=false # Download method priority: curl -> wget DOWNLOAD_METHOD='' -if [[ $(command -v 'curl') ]]; then +if command -v curl >/dev/null; then DOWNLOAD_METHOD='curl --max-redirs 3 -so' -elif [[ $(command -v 'wget') ]]; then +elif command -v wget >/dev/null; then DOWNLOAD_METHOD='wget --max-redirect 3 --quiet -O' else echo -e "${RED}This script requires curl or wget.\nProcess aborted${NC}" @@ -51,7 +51,7 @@ else fi -show_banner () { +show_banner() { echo -e "${BBLUE} ############################################################################ #### #### @@ -103,13 +103,13 @@ Optional Arguments: # File Handling # ######################### -download_file () { # expects URL as argument ($1) +download_file() { # expects URL as argument ($1) declare -r tf=$(mktemp) $DOWNLOAD_METHOD "${tf}" "$1" && echo "$tf" || echo '' # return the temp-filename or empty string on error } -open_file () { # expects one argument: file_path +open_file() { # expects one argument: file_path if [ "$(uname)" == 'Darwin' ]; then open "$1" elif [ "$(uname -s | cut -c -5)" == "Linux" ]; then @@ -119,11 +119,11 @@ open_file () { # expects one argument: file_path fi } -readIniFile () { # expects one argument: absolute path of profiles.ini +readIniFile() { # expects one argument: absolute path of profiles.ini declare -r inifile="$1" # tempIni will contain: [ProfileX], Name=, IsRelative= and Path= (and Default= if present) of the only (if) or the selected (else) profile - if [ $(grep -c '^\[Profile' "${inifile}") -eq "1" ]; then ### only 1 profile found + if [ "$(grep -c '^\[Profile' "${inifile}")" -eq "1" ]; then ### only 1 profile found tempIni="$(grep '^\[Profile' -A 4 "${inifile}")" else echo -e "Profiles found:\n––––––––––––––––––––––––––––––" @@ -150,7 +150,7 @@ readIniFile () { # expects one argument: absolute path of profiles.ini [[ ${pathisrel} == "1" ]] && PROFILE_PATH="$(dirname "${inifile}")/${PROFILE_PATH}" } -getProfilePath () { +getProfilePath() { declare -r f1=~/Library/Application\ Support/Firefox/profiles.ini declare -r f2=~/.mozilla/firefox/profiles.ini @@ -175,8 +175,8 @@ getProfilePath () { ######################### # Returns the version number of a updater.sh file -get_updater_version () { - echo $(sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p' "$1") +get_updater_version() { + echo "$(sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p' "$1")" } # Update updater.sh @@ -184,14 +184,14 @@ get_updater_version () { # Args: # -d: New version will not be looked for and update will not occur # -u: Check for update, if available, execute without asking -update_updater () { - [ $UPDATE = 'no' ] && return 0 # User signified not to check for updates +update_updater() { + [ "$UPDATE" = 'no' ] && return 0 # User signified not to check for updates declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/updater.sh')" [ -z "${tmpfile}" ] && echo -e "${RED}Error! Could not download updater.sh${NC}" && return 1 # check if download failed if [[ $(get_updater_version "$SCRIPT_FILE") < $(get_updater_version "${tmpfile}") ]]; then - if [ $UPDATE = 'check' ]; then + if [ "$UPDATE" = 'check' ]; then echo -e "There is a newer version of updater.sh available. ${RED}Update and execute Y/N?${NC}" read -p "" -n 1 -r echo -e "\n\n" @@ -211,11 +211,11 @@ update_updater () { ######################### # Returns version number of a user.js file -get_userjs_version () { - [ -e $1 ] && echo "$(sed -n '4p' "$1")" || echo "Not detected." +get_userjs_version() { + [ -e "$1" ] && echo "$(sed -n '4p' "$1")" || echo "Not detected." } -add_override () { +add_override() { input=$1 if [ -f "$input" ]; then echo "" >> user.js @@ -235,27 +235,27 @@ add_override () { fi } -remove_comments () { # expects 2 arguments: from-file and to-file +remove_comments() { # expects 2 arguments: from-file and to-file sed -e '/^\/\*.*\*\/[[:space:]]*$/d' -e '/^\/\*/,/\*\//d' -e 's|^[[:space:]]*//.*$||' -e '/^[[:space:]]*$/d' -e 's|);[[:space:]]*//.*|);|' "$1" > "$2" } # Applies latest version of user.js and any custom overrides -update_userjs () { +update_userjs() { declare -r newfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/user.js')" [ -z "${newfile}" ] && echo -e "${RED}Error! Could not download user.js${NC}" && return 1 # check if download failed echo -e "Please observe the following information: Firefox profile: ${ORANGE}$(pwd)${NC} - Available online: ${ORANGE}$(get_userjs_version $newfile)${NC} + Available online: ${ORANGE}$(get_userjs_version "$newfile")${NC} Currently using: ${ORANGE}$(get_userjs_version user.js)${NC}\n\n" - if [ $CONFIRM = 'yes' ]; then + if [ "$CONFIRM" = 'yes' ]; then echo -e "This script will update to the latest user.js file and append any custom configurations from user-overrides.js. ${RED}Continue Y/N? ${NC}" read -p "" -n 1 -r echo -e "\n" if [[ $REPLY =~ ^[Nn]$ ]]; then echo -e "${RED}Process aborted${NC}" - rm $newfile + rm "$newfile" return 1 fi fi @@ -269,7 +269,7 @@ update_userjs () { # backup user.js mkdir -p userjs_backups local bakname="userjs_backups/user.js.backup.$(date +"%Y-%m-%d_%H%M")" - [ $BACKUP = 'single' ] && bakname='userjs_backups/user.js.backup' + [ "$BACKUP" = 'single' ] && bakname='userjs_backups/user.js.backup' cp user.js "$bakname" &>/dev/null mv "${newfile}" user.js @@ -295,19 +295,19 @@ update_userjs () { past_nocomments='userjs_diffs/past_userjs.txt' current_nocomments='userjs_diffs/current_userjs.txt' - remove_comments $pastuserjs $past_nocomments - remove_comments user.js $current_nocomments + remove_comments "$pastuserjs" "$past_nocomments" + remove_comments user.js "$current_nocomments" diffname="userjs_diffs/diff_$(date +"%Y-%m-%d_%H%M").txt" - diff=$(diff -w -B -U 0 $past_nocomments $current_nocomments) - if [ ! -z "$diff" ]; then + diff=$(diff -w -B -U 0 "$past_nocomments" "$current_nocomments") + if [ -n "$diff" ]; then echo "$diff" > "$diffname" echo -e "Status: ${GREEN}A diff file was created:${NC} ${PWD}/${diffname}" else echo -e "Warning: ${ORANGE}Your new user.js file appears to be identical. No diff file was created.${NC}" - [ $BACKUP = 'multiple' ] && rm $bakname &>/dev/null + [ "$BACKUP" = 'multiple' ] && rm "$bakname" &>/dev/null fi - rm $past_nocomments $current_nocomments $pastuserjs &>/dev/null + rm "$past_nocomments" "$current_nocomments" "$pastuserjs" &>/dev/null fi [ "$VIEW" = true ] && open_file "${PWD}/user.js" @@ -319,7 +319,7 @@ update_userjs () { if [ $# != 0 ]; then # Display usage if first argument is -help or --help - if [ $1 = '--help' ] || [ $1 = '-help' ]; then + if [ "$1" = '--help' ] || [ "$1" = '-help' ]; then usage else while getopts ":hp:ludsno:bcvre" opt; do @@ -363,7 +363,7 @@ if [ $# != 0 ]; then r) tfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/user.js')" [ -z "${tfile}" ] && echo -e "${RED}Error! Could not download user.js${NC}" && exit 1 # check if download failed - mv $tfile "${tfile}.js" + mv "$tfile" "${tfile}.js" echo -e "${ORANGE}Warning: user.js was saved to temporary file ${tfile}.js${NC}" open_file "${tfile}.js" exit 0 @@ -382,7 +382,7 @@ if [ $# != 0 ]; then fi show_banner -update_updater $@ +update_updater "$@" getProfilePath # updates PROFILE_PATH or exits on error cd "$PROFILE_PATH" && update_userjs From 6381b1aeb9e7e4e485f4f6e7faa37d7f00b7970f Mon Sep 17 00:00:00 2001 From: a1346054 <36859588+a1346054@users.noreply.github.com> Date: Tue, 28 Sep 2021 19:24:54 +0000 Subject: [PATCH 432/657] prefsCleaner.sh: Fix invalid regular expression (#1258) --- prefsCleaner.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/prefsCleaner.sh b/prefsCleaner.sh index 497ebde..7db9ef0 100644 --- a/prefsCleaner.sh +++ b/prefsCleaner.sh @@ -48,7 +48,7 @@ fClean() { if [[ "$line" =~ $prefexp && $prefs != *"@@${BASH_REMATCH[1]}@@"* ]]; then prefs="${prefs}${BASH_REMATCH[1]}@@" fi - done <<< "$(grep -E \"$prefexp\" user.js)" + done <<< "$(grep -E "$prefexp" user.js)" while IFS='' read -r line || [[ -n "$line" ]]; do if [[ "$line" =~ ^$prefexp ]]; then From 8404e8a59c6c54142594f6a856bb50b46227b130 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 5 Oct 2021 03:04:14 +0000 Subject: [PATCH 433/657] tidy, closes #1260 --- user.js | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/user.js b/user.js index ccbb827..f64d4a4 100644 --- a/user.js +++ b/user.js @@ -131,7 +131,8 @@ user_pref("browser.region.update.enabled", false); // [[FF79+] /* 0204: set search region * [NOTE] May not be hidden if Firefox has changed your settings due to your region (0203) ***/ // user_pref("browser.search.region", "US"); // [HIDDEN PREF] -/* 0210: set preferred language for displaying web pages +/* 0210: set preferred language for displaying pages + * [SETTING] General>Language and Appearance>Language>Choose your preferred language... * [TEST] https://addons.mozilla.org/about ***/ user_pref("intl.accept_languages", "en-US, en"); /* 0211: use US English locale regardless of the system locale @@ -495,13 +496,14 @@ user_pref("security.tls.enable_0rtt_data", false); [1] https://scotthelme.co.uk/revocation-is-broken/ [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/ -/* 1211: control when to use OCSP fetching (to confirm current validity of certificates) +/* 1211: enforce OCSP fetching to confirm current validity of certificates * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority) * It's a trade-off between security (checking) and privacy (leaking info to the CA) * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling + * [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers... * [1] https://en.wikipedia.org/wiki/Ocsp ***/ -user_pref("security.OCSP.enabled", 1); +user_pref("security.OCSP.enabled", 1); // [DEFAULT: true] /* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail [SETUP-WEB] * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail) * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail) @@ -527,7 +529,7 @@ user_pref("security.pki.sha1_enforcement_level", 1); * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/ user_pref("security.family_safety.mode", 0); /* 1223: enable strict pinning - * PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict + * PKP (Public Key Pinning) 0=disabled, 1=allow user MiTM (such as your antivirus), 2=strict * [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing * by inspecting ALL your web traffic, then leave at current default=1 * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 ***/ @@ -566,7 +568,7 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); * [2] https://bugzilla.mozilla.org/1353705 ***/ user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); /* 1271: control "Add Security Exception" dialog on SSL warnings - * 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default) + * 0=do neither, 1=pre-populate url, 2=pre-populate url + pre-fetch cert (default) * [1] https://github.com/pyllyukko/user.js/issues/210 ***/ user_pref("browser.ssl_override_behavior", 1); /* 1272: display advanced information on Insecure Connection warning pages @@ -1066,14 +1068,18 @@ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] * [1] https://bugzilla.mozilla.org/1381938 * [2] https://bugzilla.mozilla.org/1411425 ***/ user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+] -/* 4512: open links targeting new windows in a new tab instead +/* 4512: enforce links targeting new windows to open in a new tab instead + * 1=most recent window or tab, 2=new window, 3=new tab * Stops malicious window sizes and some screen resolution leaks. * You can still right-click a link and open in a new window + * [SETTING] General>Tabs>Open links in tabs instead of new windows * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/ -user_pref("browser.link.open_newwindow", 3); // 1=most recent window or tab 2=new window, 3=new tab +user_pref("browser.link.open_newwindow", 3); // [DEFAULT: 3] +/* 4513: set all open window methods to abide by "browser.link.open_newwindow" (4512) + * [1] https://searchfox.org/mozilla-central/source/dom/tests/browser/browser_test_new_window_from_content.js ***/ user_pref("browser.link.open_newwindow.restriction", 0); -/* 4513: disable WebGL (Web Graphics Library) +/* 4520: disable WebGL (Web Graphics Library) * [SETUP-WEB] If you need it then enable it. RFP still randomizes canvas for naive scripts ***/ user_pref("webgl.disabled", true); From 380a88ee57a3af1fd3accf023b31e7e46f9ea855 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 5 Oct 2021 11:14:16 +0000 Subject: [PATCH 434/657] oophs --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index f64d4a4..7fcd110 100644 --- a/user.js +++ b/user.js @@ -503,7 +503,7 @@ user_pref("security.tls.enable_0rtt_data", false); * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling * [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers... * [1] https://en.wikipedia.org/wiki/Ocsp ***/ -user_pref("security.OCSP.enabled", 1); // [DEFAULT: true] +user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1] /* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail [SETUP-WEB] * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail) * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail) From 412c8f9f94fcc058b9bf5f7dfbd824a1255a51a9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 9 Oct 2021 07:14:20 +0000 Subject: [PATCH 435/657] 0807 urlbar contextual suggestions, #1257 --- user.js | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 7fcd110..2d470a5 100644 --- a/user.js +++ b/user.js @@ -375,18 +375,23 @@ user_pref("browser.urlbar.speculativeConnect.enabled", false); * 0=never resolve single words, 1=heuristic (default), 2=always resolve * [1] https://bugzilla.mozilla.org/1642623 ***/ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); -/* 0807: disable tab-to-search [FF85+] +/* 0807: disable location bar contextual suggestions [FF92+] + * [SETTING] Privacy & Security>Address Bar>Contextual Suggestions + * [1] https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/ ***/ +user_pref("browser.urlbar.suggest.quicksuggest", false); +user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); +/* 0808: disable tab-to-search [FF85+] * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/ // user_pref("browser.urlbar.suggest.engines", false); -/* 0808: disable search and form history +/* 0810: disable search and form history * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2] * [NOTE] We also clear formdata on exit (2803) * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html * [2] https://bugzilla.mozilla.org/381681 ***/ user_pref("browser.formfill.enable", false); -/* 0809: disable Form Autofill +/* 0811: disable Form Autofill * [NOTE] Stored data is NOT secure (uses a JSON file) * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses @@ -396,7 +401,7 @@ user_pref("extensions.formautofill.available", "off"); // [FF56+] user_pref("extensions.formautofill.creditCards.available", false); // [FF57+] user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] -/* 0810: disable coloring of visited links +/* 0820: disable coloring of visited links * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing * attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5] From 535346df87879d5526d7f6325db3f84baf6d7b33 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 10 Oct 2021 23:55:39 +0000 Subject: [PATCH 436/657] Delete arkenfox-clear-RFP-alternatives.js --- .../arkenfox-clear-RFP-alternatives.js | 71 ------------------- 1 file changed, 71 deletions(-) delete mode 100644 scratchpad-scripts/arkenfox-clear-RFP-alternatives.js diff --git a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js b/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js deleted file mode 100644 index 4821fc3..0000000 --- a/scratchpad-scripts/arkenfox-clear-RFP-alternatives.js +++ /dev/null @@ -1,71 +0,0 @@ -/*** - This will reset the preferences that are under sections 4600 & 4700 in the - arkenfox user.js. These are the prefs that are no longer necessary, or they - conflict with, privacy.resistFingerprinting if you have that enabled. - - Final update: 10-August-2021 - - As of v91, section 4600 is no longer recommended, and is all inactive. This - now includes the old 4700 section. You can reset them using prefsCleaner. - - For instructions see: - https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] -***/ - -(() => { - - if ('undefined' === typeof(Services)) return alert('about:config needs to be the active tab!'); - - const aPREFS = [ - /* section 4600 */ - 'dom.maxHardwareConcurrency', - 'dom.enable_resource_timing', - 'dom.enable_performance', - 'device.sensors.enabled', - 'browser.zoom.siteSpecific', - 'dom.gamepad.enabled', - 'dom.netinfo.enabled', - 'media.webspeech.synth.enabled', - 'media.video_stats.enabled', - 'dom.w3c_touch_events.enabled', - 'media.navigator.enabled', - 'media.ondevicechange.enabled', - 'webgl.enable-debug-renderer-info', - 'ui.prefersReducedMotion', - 'dom.w3c_pointer_events.enabled', // deprecated FF87 - 'ui.use_standins_for_native_colors', - 'ui.systemUsesDarkTheme', - 'dom.webaudio.enabled', - 'layout.css.font-visibility.level', - /* section 4700 */ - 'general.appname.override', - 'general.appversion.override', - 'general.buildID.override', - 'general.oscpu.override', - 'general.platform.override', - 'general.useragent.override', - /* reset parrot: check your open about:config after running the script */ - '_user.js.parrot' - ]; - - console.clear(); - - let c = 0; - for (const sPname of aPREFS) { - if (Services.prefs.prefHasUserValue(sPname)) { - Services.prefs.clearUserPref(sPname); - if (!Services.prefs.prefHasUserValue(sPname)) { - console.info('reset', sPname); - c++; - } else console.warn('failed to reset', sPname); - } - } - - focus(); - - const d = (c==1) ? ' pref' : ' prefs'; - alert(c ? 'successfully reset ' + c + d + "\n\nfor details check the console" : 'nothing to reset'); - - return 'all done'; - -})(); From a764149520fdd2082b3efa5b74f1d5250d4b9ac0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 11 Oct 2021 13:56:38 +0000 Subject: [PATCH 437/657] v92 --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 2d470a5..6e436be 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 10 September 2021 -* version 92-alpha +* date: 11 October 2021 +* version 92 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From 85438d00e457bff692303af519da618c6372476b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 12 Oct 2021 08:23:46 +0000 Subject: [PATCH 438/657] v93 deprecated --- user.js | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 6e436be..4e297a5 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 11 October 2021 -* version 92 +* date: 12 October 2021 +* version 93 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -1272,7 +1272,6 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS - // user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES /* 7004: control TLS versions * [WHY] Passive fingerprinting. Downgrades are still possible: behind user interaction ***/ // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] @@ -1406,6 +1405,14 @@ user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", [1] https://github.com/arkenfox/user.js/issues/123 ***/ user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!"); +/* ESR91.x still uses all the following prefs +// [NOTE] replace the * with a slash in the line above to re-enable them +// FF93 +// 7003: disable non-modern cipher suites + // [-] https://bugzilla.mozilla.org/1724072 + // user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES +// ***/ + /* ESR78.x still uses all the following prefs // [NOTE] replace the * with a slash in the line above to re-enable them // FF79 From 7d68a3297147d7878a14defe0d10a560252d7fd3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 25 Oct 2021 17:41:16 +0000 Subject: [PATCH 439/657] start 94-alpha - and remove obsolete ESR78 notations - note: we leave the deprecated ESR78.x section and item 6050 until v95 so users upgrading to ESR91 can easily reset those prefs with prefsCleaner --- user.js | 35 ++++++++++++++--------------------- 1 file changed, 14 insertions(+), 21 deletions(-) diff --git a/user.js b/user.js index 4e297a5..7aa3002 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 12 October 2021 -* version 93 +* date: 25 October 2021 +* version 94-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -31,10 +31,8 @@ * It is best to use the arkenfox release that is optimized for and matches your Firefox version * EVERYONE: each release - run prefsCleaner to reset prefs made inactive, including deprecated (9999s) - ESR78 - - If you are not using arkenfox v78... (not a definitive list) - - 1244: HTTPS-Only mode is enabled - - 4511: non-native widget theme is enforced + ESR91 + - If you are not using arkenfox v91... (not a definitive list) - 9999: switch the appropriate deprecated section(s) back on * INDEX: @@ -104,7 +102,7 @@ user_pref("browser.newtab.preload", false); * [SETTING] Home>Firefox Home Content>... to show/hide what you want ***/ user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false); user_pref("browser.newtabpage.activity-stream.telemetry", false); -user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); // [DEFAULT: false FF89+] +user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); // [DEFAULT: false] user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); user_pref("browser.newtabpage.activity-stream.showSponsored", false); @@ -127,7 +125,7 @@ user_pref("geo.provider.use_gpsd", false); // [LINUX] /* 0203: disable region updates * [1] https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html ***/ user_pref("browser.region.network.url", ""); // [FF78+] -user_pref("browser.region.update.enabled", false); // [[FF79+] +user_pref("browser.region.update.enabled", false); // [FF79+] /* 0204: set search region * [NOTE] May not be hidden if Firefox has changed your settings due to your region (0203) ***/ // user_pref("browser.search.region", "US"); // [HIDDEN PREF] @@ -321,13 +319,12 @@ user_pref("network.proxy.socks_remote_dns", true); * [SETUP-CHROME] Can break extensions for profiles on network shares * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] -/* 0704: disable GIO as a potential proxy bypass vector +/* 0704: disable GIO as a potential proxy bypass vector [FF60+] * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda, * gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64) * [1] https://bugzilla.mozilla.org/1433507 - * [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23044 - * [3] https://en.wikipedia.org/wiki/GVfs - * [4] https://en.wikipedia.org/wiki/GIO_(software) ***/ + * [2] https://en.wikipedia.org/wiki/GVfs + * [3] https://en.wikipedia.org/wiki/GIO_(software) ***/ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] /* 0705: disable DNS-over-HTTPS (DoH) rollout [FF60+] * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off @@ -729,7 +726,6 @@ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); /* 2601: prevent accessibility services from accessing your browser [RESTART] - * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower) * [1] https://support.mozilla.org/kb/accessibility-services ***/ user_pref("accessibility.force_disabled", 1); /* 2602: disable sending additional analytics to web servers @@ -981,14 +977,13 @@ user_pref("privacy.firstparty.isolate", true); 418986 - limit window.screen & CSS media queries (FF41) [TEST] https://arkenfox.github.io/TZP/tzp.html#screen 1281949 - spoof screen orientation (FF50) - 1281963 - hide contents of navigator.plugins and navigator.mimeTypes (FF50-88) 1330890 - spoof timezone as UTC0 (FF55) 1360039 - spoof navigator.hardwareConcurrency as 2 (FF55) 1217238 - reduce precision of time exposed by javascript (FF55) FF56 1369303 - spoof/disable performance API 1333651 - spoof User Agent & Navigator API - JS: FF91+ the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 10, or Linux + JS: the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 10, or Linux HTTP Headers: spoofed as Windows or Android 1369319 - disable device sensor API 1369357 - disable site specific zoom @@ -1001,8 +996,6 @@ user_pref("privacy.firstparty.isolate", true); 1217290 & 1409677 - enable some fingerprinting resistance for WebGL 1382545 - reduce fingerprinting in Animation API 1354633 - limit MediaError.message to a whitelist - 1382533 & 1697680 - enable fingerprinting resistance for Presentation API (FF57-87) - Blocks exposure of local IP Addresses via mDNS (Multicast DNS) FF58-90 967895 - spoof canvas and enable site permission prompt (FF58) 1372073 - spoof/block fingerprinting in MediaDevices API (FF59) @@ -1072,7 +1065,7 @@ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] * Fingerprinting: provides a uniform look and feel across platforms [2] * [1] https://bugzilla.mozilla.org/1381938 * [2] https://bugzilla.mozilla.org/1411425 ***/ -user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true FF89+] +user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true] /* 4512: enforce links targeting new windows to open in a new tab instead * 1=most recent window or tab, 2=new window, 3=new tab * Stops malicious window sizes and some screen resolution leaks. @@ -1215,12 +1208,12 @@ user_pref("security.csp.enable", true); // [DEFAULT: true] user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000] /* 6005: enforce window.opener protection [FF65+] * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/ -user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+] +user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true] /* 6006: enforce "window.name" protection [FF82+] * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/ -user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+] +user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true] /* 6050: prefsCleaner: reset previously active items removed from arkenfox in 79-91 ***/ // user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", ""); // user_pref("browser.send_pings.require_same_host", ""); @@ -1291,7 +1284,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies /* 7008: set the default Referrer Policy [FF59+] * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade * [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy ***/ - // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+] + // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2] // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] /* 7009: disable HTTP2 * [WHY] Passive fingerprinting. ~50% of sites use HTTP2 [1] From 094356e0739bfeae95775384d45cb01f7132c9f1 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 25 Oct 2021 20:56:18 +0000 Subject: [PATCH 440/657] 0706: add reference --- user.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 7aa3002..553bea9 100644 --- a/user.js +++ b/user.js @@ -335,8 +335,9 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/ // user_pref("network.trr.mode", 5); /* 0706: disable proxy direct failover for system requests [FF91+] - * [WARNING] Default true is a security feature against malicious extensions - * [SETUP-CHROME] If you use a proxy and you trust your extensions ***/ + * [WARNING] Default true is a security feature against malicious extensions [1] + * [SETUP-CHROME] If you use a proxy and you trust your extensions + * [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/ // user_pref("network.proxy.failover_direct", false); /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/ From ba92918d38757e858ed0dd98e2f6367dfe87b51a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 26 Oct 2021 10:16:42 +0000 Subject: [PATCH 441/657] don't disable system addon updates, closes #1251 --- user.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 553bea9..e1476e7 100644 --- a/user.js +++ b/user.js @@ -161,9 +161,6 @@ user_pref("app.update.background.scheduling.enabled", false); /* 0306: disable search engine updates (e.g. OpenSearch) * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines ***/ user_pref("browser.search.update", false); -/* 0307: disable System Add-on updates ***/ -user_pref("extensions.systemAddon.update.enabled", false); // [FF62+] -user_pref("extensions.systemAddon.update.url", ""); // [FF44+] /** RECOMMENDATIONS ***/ /* 0320: disable recommendation pane in about:addons (uses Google Analytics) ***/ @@ -1311,6 +1308,10 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [WHY] Fingerprintable. Breakage. Cut/copy/paste require user * interaction, and paste is limited to focused editable fields ***/ // user_pref("dom.event.clipboardevents.enabled", false); +/* 7014: disable System Add-on updates + * [WHY] It can compromise security. System addons ship with prefs, use those ***/ + // user_pref("extensions.systemAddon.update.enabled", false); // [FF62+] + // user_pref("extensions.systemAddon.update.url", ""); // [FF44+] /*** [SECTION 8000]: DON'T BOTHER: NON-RFP [WHY] They are insufficient to help anti-fingerprinting and do more harm than good From 15158974496806e8ee9564d0b36fe0cbbb0f869f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 2 Nov 2021 16:07:42 +0000 Subject: [PATCH 442/657] default changes --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index e1476e7..7133ca4 100644 --- a/user.js +++ b/user.js @@ -1294,7 +1294,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies /* 7010: disable HTTP Alternative Services [FF37+] * [WHY] Already isolated by network partitioning (FF85+) or FPI ***/ // user_pref("network.http.altsvc.enabled", false); - // user_pref("network.http.altsvc.oe", false); + // user_pref("network.http.altsvc.oe", false); // [DEFAULT: false FF94+] /* 7011: disable website control over browser right-click context menu * [WHY] Just use Shift-Right-Click ***/ // user_pref("dom.event.contextmenu.enabled", false); @@ -1355,7 +1355,7 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc // user_pref("startup.homepage_welcome_url.additional", ""); // user_pref("startup.homepage_override_url", ""); // What's New page after updates /* WARNINGS ***/ - // user_pref("browser.tabs.warnOnClose", false); + // user_pref("browser.tabs.warnOnClose", false); // [DEFAULT false FF94+] // user_pref("browser.tabs.warnOnCloseOtherTabs", false); // user_pref("browser.tabs.warnOnOpen", false); // user_pref("full-screen-api.warning.delay", 0); From 0f8217ad60c7284b8b0539246260088e982edf98 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 4 Nov 2021 16:18:35 +0000 Subject: [PATCH 443/657] cleanup sanitizing-on-close prefs --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 7133ca4..dc5a65c 100644 --- a/user.js +++ b/user.js @@ -898,7 +898,7 @@ user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins -user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences + // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false] Site Preferences /* 2804: reset default items to clear with Ctrl-Shift-Del (to match 2803) [SETUP-CHROME] * This dialog can also be accessed from the menu History>Clear Recent History * Firefox remembers your last choices. This will reset them when you start Firefox @@ -910,9 +910,9 @@ user_pref("privacy.cpd.cookies", true); user_pref("privacy.cpd.formdata", true); // Form & Search History user_pref("privacy.cpd.history", true); // Browsing & Download History user_pref("privacy.cpd.offlineApps", true); // Offline Website Data -user_pref("privacy.cpd.passwords", false); // this is not listed + // user_pref("privacy.cpd.passwords", false); // [DEFAULT: false] this is not listed user_pref("privacy.cpd.sessions", true); // Active Logins -user_pref("privacy.cpd.siteSettings", false); // Site Preferences + // user_pref("privacy.cpd.siteSettings", false); // [DEFAULT: false] Site Preferences /* 2805: clear Session Restore data when sanitizing on shutdown or manually [FF34+] * [NOTE] Not needed if Session Restore is not used (0102) or is already cleared with history (2803) * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (also see 5008) From bd59131d3e56b9fdafe7aa7b5889106bb9f484a9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 4 Nov 2021 22:38:16 +0000 Subject: [PATCH 444/657] default changes, missed one --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index dc5a65c..f2b2ff4 100644 --- a/user.js +++ b/user.js @@ -1055,9 +1055,9 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] * When default true this no longer masks the RFP chrome resizing activity * [1] https://bugzilla.mozilla.org/1448423 ***/ user_pref("browser.startup.blankWindow", false); -/* 4510: enforce no system colors +/* 4510: disable using system colors * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ -user_pref("browser.display.use_system_colors", false); // [DEFAULT: false] +user_pref("browser.display.use_system_colors", false); /* 4511: enforce non-native widget theme * Security: removes/reduces system API calls, e.g. win32k API [1] * Fingerprinting: provides a uniform look and feel across platforms [2] From 17beb468f1ce5acf1438e17f7ed9490a5377f45c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 4 Nov 2021 22:44:23 +0000 Subject: [PATCH 445/657] tweak 1510 default info --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index f2b2ff4..bc2d1d5 100644 --- a/user.js +++ b/user.js @@ -1057,7 +1057,7 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] user_pref("browser.startup.blankWindow", false); /* 4510: disable using system colors * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ -user_pref("browser.display.use_system_colors", false); +user_pref("browser.display.use_system_colors", false); // [DEFAULT false NON-WINDOWS] /* 4511: enforce non-native widget theme * Security: removes/reduces system API calls, e.g. win32k API [1] * Fingerprinting: provides a uniform look and feel across platforms [2] From f8932dced142ec5ea633bfb163bfc7579ac38a07 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 7 Nov 2021 06:48:45 +0000 Subject: [PATCH 446/657] remove ambiguous line The point was that google have said (stated in policy, but fuck knows where that is located these days) that it is anonymized and not used for tracking. It's an API used by **_4 billion devices_** - the API has privacy policies for use. If a whistleblower or someone else found out that google was using this to enhance their user profiling, then all hell would break loose. And they don't even need this to fuel their ad revenue. It is provided, gratis, to the web to help ensure security - they wouldn't dare taint it and get it caught up in a privacy scandal involving **+4 billion devices_**. And in all this time (since 2007), there has been no such whistleblower or proof it is used to track or announcements by google of changes to the contrary. Anyway, a quick search brings up - Here is their policy - https://www.google.com/intl/en_us/privacy/browsing.html - it's empty and points to - https://www.google.com/intl/en/chrome/privacy/ - and if you scroll down to "Safe Browsing practices" it doesn't say anything about privacy policies for the API itself (or the owner of the API) - it just spells out what happens in chrome - I'm not going to bother to look any further and find a history of policy changes Anyway, this is Firefox and hashes are part hashes bundled with other real hashes - and we turned off real time binary checks. So this line can fuck the fuck off. It was meant to reassure those who want the security of real-time binary checks, that privacy "shouldn't" be an issue, but I'm not going to expand on it --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index bc2d1d5..68d5560 100644 --- a/user.js +++ b/user.js @@ -242,7 +242,6 @@ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] to Google, only a part-hash of the prefix, hidden with noise of other real part-hashes. Firefox takes measures such as stripping out identifying parameters and since SBv4 (FF57+) doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity) - FWIW, Google also swear it is anonymized and only used to flag malicious sites. [1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ [2] https://wiki.mozilla.org/Security/Safe_Browsing From e2e7f9c64704ab75a22a5efd911af3845a0fefdf Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 16 Nov 2021 11:56:20 +0000 Subject: [PATCH 447/657] font vis changes (#1275) --- user.js | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 68d5560..ec57b4a 100644 --- a/user.js +++ b/user.js @@ -582,12 +582,15 @@ user_pref("security.insecure_connection_text.enabled", true); // [FF60+] user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); /* 1401: disable rendering of SVG OpenType fonts ***/ user_pref("gfx.font_rendering.opentype_svg.enabled", false); -/* 1402: limit font visibility (Windows, Mac, some Linux) [FF79+] - * [NOTE] In FF80+ RFP ignores the pref and uses value 1 +/* 1402: limit font visibility (Windows, Mac, some Linux) [FF94+] * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed + * In normal windows: uses the first applicable: RFP (4506) over TP over Standard + * In Private Browsing windows: uses the most restrictive between normal and private * 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/ - // user_pref("layout.css.font-visibility.level", 1); + // user_pref("layout.css.font-visibility.private", 1); + // user_pref("layout.css.font-visibility.standard", 1); + // user_pref("layout.css.font-visibility.trackingprotection", 1); /*** [SECTION 1600]: HEADERS / REFERERS Expect some breakage e.g. banks: use an extension if you need precise control @@ -1050,7 +1053,9 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] * [1] https://bugzilla.mozilla.org/1635603 ***/ // user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid"); // user_pref("privacy.resistFingerprinting.testGranularityMask", 0); -/* 4506: disable showing about:blank as soon as possible during startup [FF60+] +/* 4506: set RFP's font visibility level (1402) [FF94+] ***/ + // user_pref("layout.css.font-visibility.resistFingerprinting", 1); +/* 4507: disable showing about:blank as soon as possible during startup [FF60+] * When default true this no longer masks the RFP chrome resizing activity * [1] https://bugzilla.mozilla.org/1448423 ***/ user_pref("browser.startup.blankWindow", false); @@ -1405,6 +1410,10 @@ user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is m // 7003: disable non-modern cipher suites // [-] https://bugzilla.mozilla.org/1724072 // user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES +// FF94 +// 1402: limit font visibility (Windows, Mac, some Linux) [FF79+] - replaced by new 1402 + // [-] https://bugzilla.mozilla.org/1715507 + // user_pref("layout.css.font-visibility.level", 1); // ***/ /* ESR78.x still uses all the following prefs From 2f88ca2e40351211d95e21a52aec0eae364a26f8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 18 Nov 2021 01:28:21 +0000 Subject: [PATCH 448/657] misc - move DoH so it has room to grow - tidy privacy.clearOnShutdown, privacy.cpd --- user.js | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/user.js b/user.js index ec57b4a..048cc8d 100644 --- a/user.js +++ b/user.js @@ -322,7 +322,12 @@ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] * [2] https://en.wikipedia.org/wiki/GVfs * [3] https://en.wikipedia.org/wiki/GIO_(software) ***/ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] -/* 0705: disable DNS-over-HTTPS (DoH) rollout [FF60+] +/* 0705: disable proxy direct failover for system requests [FF91+] + * [WARNING] Default true is a security feature against malicious extensions [1] + * [SETUP-CHROME] If you use a proxy and you trust your extensions + * [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/ + // user_pref("network.proxy.failover_direct", false); +/* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+] * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off * see "doh-rollout.home-region": USA Feb 2020, Canada July 2021 [3] * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ @@ -330,11 +335,6 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] * [3] https://blog.mozilla.org/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/ * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/ // user_pref("network.trr.mode", 5); -/* 0706: disable proxy direct failover for system requests [FF91+] - * [WARNING] Default true is a security feature against malicious extensions [1] - * [SETUP-CHROME] If you use a proxy and you trust your extensions - * [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/ - // user_pref("network.proxy.failover_direct", false); /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); @@ -887,33 +887,33 @@ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!" /* 2802: enable Firefox to clear items on shutdown (2803) * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/ user_pref("privacy.sanitize.sanitizeOnShutdown", true); -/* 2803: set what items to clear on shutdown (if 2802 is true) [SETUP-CHROME] +/* 2803: set/enforce what items to clear on shutdown (if 2802 is true) [SETUP-CHROME] * [NOTE] If "history" is true, downloads will also be cleared - * [NOTE] Active Logins: does not refer to logins via cookies, but rather HTTP Basic Authentication [1] - * [NOTE] Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache) + * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies + * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache) * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings * [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/ -user_pref("privacy.clearOnShutdown.cache", true); -user_pref("privacy.clearOnShutdown.cookies", true); -user_pref("privacy.clearOnShutdown.downloads", true); // see note above -user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History -user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History -user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data -user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins +user_pref("privacy.clearOnShutdown.cache", true); // [DEFAULT: true] +user_pref("privacy.clearOnShutdown.cookies", true); // [DEFAULT: true] +user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true] +user_pref("privacy.clearOnShutdown.formdata", true); // [DEFAULT: true] +user_pref("privacy.clearOnShutdown.history", true); // [DEFAULT: true] +user_pref("privacy.clearOnShutdown.sessions", true); // [DEFAULT: true] +user_pref("privacy.clearOnShutdown.offlineApps", true); // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false] Site Preferences /* 2804: reset default items to clear with Ctrl-Shift-Del (to match 2803) [SETUP-CHROME] * This dialog can also be accessed from the menu History>Clear Recent History * Firefox remembers your last choices. This will reset them when you start Firefox * [NOTE] Regardless of what you set "downloads" to, as soon as the dialog * for "Clear Recent History" is opened, it is synced to the same as "history" ***/ -user_pref("privacy.cpd.cache", true); -user_pref("privacy.cpd.cookies", true); +user_pref("privacy.cpd.cache", true); // [DEFAULT: true] +user_pref("privacy.cpd.cookies", true); // [DEFAULT: true] +user_pref("privacy.cpd.formdata", true); // [DEFAULT: true] +user_pref("privacy.cpd.history", true); // [DEFAULT: true] +user_pref("privacy.cpd.sessions", true); // [DEFAULT: true] +user_pref("privacy.cpd.offlineApps", true); // user_pref("privacy.cpd.downloads", true); // not used, see note above -user_pref("privacy.cpd.formdata", true); // Form & Search History -user_pref("privacy.cpd.history", true); // Browsing & Download History -user_pref("privacy.cpd.offlineApps", true); // Offline Website Data // user_pref("privacy.cpd.passwords", false); // [DEFAULT: false] this is not listed -user_pref("privacy.cpd.sessions", true); // Active Logins // user_pref("privacy.cpd.siteSettings", false); // [DEFAULT: false] Site Preferences /* 2805: clear Session Restore data when sanitizing on shutdown or manually [FF34+] * [NOTE] Not needed if Session Restore is not used (0102) or is already cleared with history (2803) From 34bd3c5a0409bc21f339794e602aa343afdd50e7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 22 Nov 2021 05:40:49 +0000 Subject: [PATCH 449/657] consolidate/simplify sanitizing, fixes #1256 move all sanitizing on exit prefs into 2800 switch to cookie lifetime as session - now users can utilize exceptions (as allow) - session cookies still block service workers (which we disable anyway) - we still block 3rd party cookies (until we move to dFPI) - we still have defense in depth for 3rd party cookies with 2803 - we still bulk sanitize offlineApps on exit: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache) - i.e you get to keep the cookies only IF you add an exception add `privacy.clearsitedata.cache.enabled` --- user.js | 74 ++++++++++++++++++++++++++++++--------------------------- 1 file changed, 39 insertions(+), 35 deletions(-) diff --git a/user.js b/user.js index 048cc8d..3176eaa 100644 --- a/user.js +++ b/user.js @@ -16,7 +16,7 @@ * There are often trade-offs and conflicts between security vs privacy vs anti-fingerprinting and these need to be balanced against functionality & convenience & breakage * Some site breakage and unintended consequences will happen. Everyone's experience will differ - e.g. some user data is erased on close (section 2800), change this to suit your needs + e.g. some user data is erased on exit (section 2800), change this to suit your needs * While not 100% definitive, search for "[SETUP" tags e.g. third party images/videos not loading on some sites? check 1601 * Take the wiki link in step 2 and read the Troubleshooting entry @@ -55,7 +55,7 @@ 2400: DOM (DOCUMENT OBJECT MODEL) 2600: MISCELLANEOUS 2700: PERSISTENT STORAGE - 2800: SHUTDOWN + 2800: SHUTDOWN & SANITIZING 4000: FPI (FIRST PARTY ISOLATION) 4500: RFP (RESIST FINGERPRINTING) 5000: OPTIONAL OPSEC @@ -85,7 +85,7 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!"); user_pref("browser.shell.checkDefaultBrowser", false); /* 0102: set startup page [SETUP-CHROME] * 0=blank, 1=home, 2=last visited page, 3=resume previous session - * [NOTE] Session Restore is cleared with history (2803, 2804), and not used in Private Browsing mode + * [NOTE] Session Restore is cleared with history (2811, 2812), and not used in Private Browsing mode * [SETTING] General>Startup>Restore previous session ***/ user_pref("browser.startup.page", 0); /* 0103: set HOME+NEWWINDOW page @@ -380,7 +380,7 @@ user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); // user_pref("browser.urlbar.suggest.engines", false); /* 0810: disable search and form history * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2] - * [NOTE] We also clear formdata on exit (2803) + * [NOTE] We also clear formdata on exit (2811) * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html * [2] https://bugzilla.mozilla.org/381681 ***/ @@ -398,7 +398,7 @@ user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] /* 0820: disable coloring of visited links * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing - * attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5] + * attacks. Don't forget clearing history on exit (2811). However, social engineering [2#limits][4][5] * and advanced targeted timing attacks could still produce usable results * [1] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector * [2] https://dbaron.org/mozilla/visited-privacy @@ -439,7 +439,7 @@ user_pref("network.http.windows-sso.enabled", false); // [DEFAULT: false] user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!"); /* 1001: disable disk cache * [SETUP-CHROME] If you think disk cache helps perf, then feel free to override this - * [NOTE] We also clear cache on exit (2803) ***/ + * [NOTE] We also clear cache on exit (2811) ***/ user_pref("browser.cache.disk.enable", false); /* 1002: disable media cache from writing to disk in Private Browsing * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB @@ -838,17 +838,6 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ ***/ user_pref("network.cookie.cookieBehavior", 1); user_pref("browser.contentblocking.category", "custom"); -/* 2702: set third-party cookies (if enabled, see 2701) to session-only - * [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and - * .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones - * [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/ -user_pref("network.cookie.thirdparty.sessionOnly", true); -user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+] -/* 2703: delete cookies and site data on close - * 0=keep until they expire (default), 2=keep until you close Firefox - * [NOTE] The setting below is disabled (but not changed) if you block all cookies (2701 = 2) - * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed ***/ - // user_pref("network.cookie.lifetimePolicy", 2); /* 2710: enable Enhanced Tracking Protection (ETP) in all windows * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Tracking content * [SETTING] to add site exceptions: Urlbar>ETP Shield @@ -859,7 +848,7 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] /* 2740: disable service worker cache and cache storage - * [NOTE] We clear service worker cache on exit (2803) + * [NOTE] We clear service worker cache on exit (2811) * [1] https://w3c.github.io/ServiceWorker/#privacy ***/ // user_pref("dom.caches.enabled", false); /* 2750: disable Storage API [FF51+] @@ -876,52 +865,67 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); /* 2760: enable Local Storage Next Generation (LSNG) [FF65+] ***/ user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] -/*** [SECTION 2800]: SHUTDOWN - * Sanitizing on shutdown is all or nothing. It does not use Managed Exceptions under - Privacy & Security>Delete cookies and site data when Firefox is closed (1681701) - * If you want to keep some sites' cookies (exception as "Allow") and optionally other site - data but clear all the rest on close, then you need to set the "cookie" and optionally the - "offlineApps" prefs below to false, and to set the cookie lifetime pref to 2 (2703) -***/ +/*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); -/* 2802: enable Firefox to clear items on shutdown (2803) +/** COOKIES + SITE DATA : ALLOWS EXCEPTIONS ***/ +/* 2801: delete cookies and site data on exit + * 0=keep until they expire (default), 2=keep until you close Firefox + * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed + * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow + * If using FPI the syntax must be https://example.com/^firstPartyDomain=example.com + * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/ +user_pref("network.cookie.lifetimePolicy", 2); +/* 2802: delete cache on exit [FF96+] + * [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is more robust + * [1] https://bugzilla.mozilla.org/1671182 ***/ + // user_pref("privacy.clearsitedata.cache.enabled", true); +/* 2803: set third-party cookies to session-only + * [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and + * .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones + * [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/ +user_pref("network.cookie.thirdparty.sessionOnly", true); +user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+] + +/** SANITIZE ON SHUTDOWN : ALL OR NOTHING ***/ +/* 2810: enable Firefox to clear items on shutdown (2811) * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/ user_pref("privacy.sanitize.sanitizeOnShutdown", true); -/* 2803: set/enforce what items to clear on shutdown (if 2802 is true) [SETUP-CHROME] +/* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME] + * sanitizingOnShutdown is all or nothing, it does not allow exceptions (1681701) * [NOTE] If "history" is true, downloads will also be cleared * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache) * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings * [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/ user_pref("privacy.clearOnShutdown.cache", true); // [DEFAULT: true] -user_pref("privacy.clearOnShutdown.cookies", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.formdata", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.history", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.sessions", true); // [DEFAULT: true] +user_pref("privacy.clearOnShutdown.cookies", false); user_pref("privacy.clearOnShutdown.offlineApps", true); // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false] Site Preferences -/* 2804: reset default items to clear with Ctrl-Shift-Del (to match 2803) [SETUP-CHROME] +/* 2812: reset default items to clear with Ctrl-Shift-Del (to match 2811) [SETUP-CHROME] * This dialog can also be accessed from the menu History>Clear Recent History * Firefox remembers your last choices. This will reset them when you start Firefox * [NOTE] Regardless of what you set "downloads" to, as soon as the dialog * for "Clear Recent History" is opened, it is synced to the same as "history" ***/ user_pref("privacy.cpd.cache", true); // [DEFAULT: true] -user_pref("privacy.cpd.cookies", true); // [DEFAULT: true] user_pref("privacy.cpd.formdata", true); // [DEFAULT: true] user_pref("privacy.cpd.history", true); // [DEFAULT: true] user_pref("privacy.cpd.sessions", true); // [DEFAULT: true] +user_pref("privacy.cpd.cookies", false); user_pref("privacy.cpd.offlineApps", true); // user_pref("privacy.cpd.downloads", true); // not used, see note above // user_pref("privacy.cpd.passwords", false); // [DEFAULT: false] this is not listed // user_pref("privacy.cpd.siteSettings", false); // [DEFAULT: false] Site Preferences -/* 2805: clear Session Restore data when sanitizing on shutdown or manually [FF34+] - * [NOTE] Not needed if Session Restore is not used (0102) or is already cleared with history (2803) +/* 2813: clear Session Restore data when sanitizing on shutdown or manually [FF34+] + * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811) * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (also see 5008) * [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/ // user_pref("privacy.clearOnShutdown.openWindows", true); // user_pref("privacy.cpd.openWindows", true); -/* 2806: reset default "Time range to clear" for "Clear Recent History" (2804) +/* 2814: reset default "Time range to clear" for "Clear Recent History" (2812) * Firefox remembers your last choice. This will reset the value when you start Firefox * 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today * [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown, @@ -1117,7 +1121,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow /* 5006: disable favicons in history and bookmarks * [NOTE] Stored as data blobs in favicons.sqlite, these don't reveal anything that your * actual history (and bookmarks) already do. Your history is more detailed, so - * control that instead; e.g. disable history, clear history on close, use PB mode + * control that instead; e.g. disable history, clear history on exit, use PB mode * [NOTE] favicons.sqlite is sanitized on Firefox close ***/ // user_pref("browser.chrome.site_icons", false); /* 5007: exclude "Undo Closed Tabs" in Session Restore ***/ @@ -1141,7 +1145,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow * [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/ // user_pref("browser.urlbar.autoFill", false); /* 5013: disable browsing and download history - * [NOTE] We also clear history and downloads on exit (2803) + * [NOTE] We also clear history and downloads on exit (2811) * [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/ // user_pref("places.history.enabled", false); /* 5014: disable Windows jumplist [WINDOWS] ***/ From c9e4cac618acc2ed935676f73b0933378d923596 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 22 Nov 2021 18:08:07 +0000 Subject: [PATCH 450/657] tweak webRTC webRTC will be overhauled... but not today... in the meantime - remove dead link before @dngray has a hernia - correctly refer to the type of IP leak --- user.js | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 3176eaa..84de010 100644 --- a/user.js +++ b/user.js @@ -632,11 +632,10 @@ user_pref("privacy.userContext.ui.enabled", true); /*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!"); /* 2001: disable WebRTC (Web Real-Time Communication) - * [SETUP-WEB] WebRTC can leak your IP address from behind your VPN, but if this is not - * in your threat model, and you want Real-Time Communication, this is the pref for you - * [1] https://www.privacytools.io/#webrtc ***/ + * [SETUP-WEB] WebRTC can leak your private network address from behind your VPN, but if this + * is not your threat model, and you want Real-Time Communication, this is the pref for you ***/ user_pref("media.peerconnection.enabled", false); -/* 2002: limit WebRTC IP leaks if using WebRTC +/* 2002: limit WebRTC private network address leaks * In FF70+ these settings match Mode 4 (Mode 3 in older versions) [3] * [TEST] https://browserleaks.com/webrtc * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713 From 6b351a9458a307bfa37d0e61c7434a616f4de006 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 22 Nov 2021 18:15:53 +0000 Subject: [PATCH 451/657] fixup trade-offs anti-fingerprinting doesn't fit here: it's not a major component or priority of this user.js, and only a few prefs outside RFP (as a robust built-in browser solution that defeats naive scripts) have anything to do with it --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 84de010..10f9857 100644 --- a/user.js +++ b/user.js @@ -13,7 +13,7 @@ * https://github.com/arkenfox/user.js/wiki 3. If you skipped step 2, return to step 2 4. Make changes - * There are often trade-offs and conflicts between security vs privacy vs anti-fingerprinting + * There are often trade-offs and conflicts between security vs privacy vs anti-tracking and these need to be balanced against functionality & convenience & breakage * Some site breakage and unintended consequences will happen. Everyone's experience will differ e.g. some user data is erased on exit (section 2800), change this to suit your needs From 58d0161b67540dbf418e9bac39e2eaa2becfc169 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 23 Nov 2021 07:05:01 +0000 Subject: [PATCH 452/657] add warnOnQuitShortcut, closes #1270 --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index 10f9857..80d0bf1 100644 --- a/user.js +++ b/user.js @@ -1365,6 +1365,7 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc // user_pref("browser.tabs.warnOnClose", false); // [DEFAULT false FF94+] // user_pref("browser.tabs.warnOnCloseOtherTabs", false); // user_pref("browser.tabs.warnOnOpen", false); + // user_pref("browser.tabs.warnOnQuitShortcut", false); // [FF94+] // user_pref("full-screen-api.warning.delay", 0); // user_pref("full-screen-api.warning.timeout", 0); /* APPEARANCE ***/ From cbfb8abf1544c3e87f412f64a9747bd1dea4a705 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 23 Nov 2021 07:11:43 +0000 Subject: [PATCH 453/657] 94 final --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 80d0bf1..c8f88fe 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 25 October 2021 -* version 94-alpha +* date: 23 November 2021 +* version 94 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From 6027aaa45ddaf3072d7675364a58bea9bb08440a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 23 Nov 2021 12:02:50 +0000 Subject: [PATCH 454/657] fixup warnOnQuitShortcut --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index c8f88fe..2be91c2 100644 --- a/user.js +++ b/user.js @@ -1365,7 +1365,7 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc // user_pref("browser.tabs.warnOnClose", false); // [DEFAULT false FF94+] // user_pref("browser.tabs.warnOnCloseOtherTabs", false); // user_pref("browser.tabs.warnOnOpen", false); - // user_pref("browser.tabs.warnOnQuitShortcut", false); // [FF94+] + // user_pref("browser.warnOnQuitShortcut", false); // [FF94+] // user_pref("full-screen-api.warning.delay", 0); // user_pref("full-screen-api.warning.timeout", 0); /* APPEARANCE ***/ From 4b393b9b1220481bf544153893995ba2e4bff7d8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 24 Nov 2021 01:09:10 +0000 Subject: [PATCH 455/657] start 95-alpha --- user.js | 88 ++++----------------------------------------------------- 1 file changed, 6 insertions(+), 82 deletions(-) diff --git a/user.js b/user.js index 2be91c2..639e164 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 23 November 2021 -* version 94 +* date: 24 November 2021 +* version 95-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -442,8 +442,7 @@ user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is m * [NOTE] We also clear cache on exit (2811) ***/ user_pref("browser.cache.disk.enable", false); /* 1002: disable media cache from writing to disk in Private Browsing - * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB - * [SETUP-WEB] ESR78: playback might break on subsequent loading (1650281) ***/ + * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB ***/ user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+] user_pref("media.memory_cache_max_size", 65536); /* 1003: disable storing extra session data [SETUP-CHROME] @@ -1219,23 +1218,8 @@ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true] * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true] -/* 6050: prefsCleaner: reset previously active items removed from arkenfox in 79-91 ***/ - // user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", ""); - // user_pref("browser.send_pings.require_same_host", ""); - // user_pref("dom.allow_cut_copy", ""); - // user_pref("dom.vibrator.enabled", ""); - // user_pref("media.getusermedia.audiocapture.enabled", ""); - // user_pref("media.getusermedia.browser.enabled", ""); - // user_pref("media.getusermedia.screensharing.enabled", ""); - // user_pref("media.gmp-widevinecdm.visible", ""); - // user_pref("network.http.redirection-limit", ""); - // user_pref("privacy.partition.network_state", ""); - // user_pref("security.insecure_connection_icon.enabled", ""); // [DEFAULT: true FF70+] - // user_pref("security.mixed_content.block_active_content", ""); // [DEFAULT: true since at least FF60] - // user_pref("security.ssl.enable_ocsp_stapling", ""); // [DEFAULT: true FF26+] - // user_pref("webgl.disable-fail-if-major-performance-caveat", ""); // [DEFAULT: true FF86+] - // user_pref("webgl.enable-webgl2", ""); - // user_pref("webgl.min_capability_mode", ""); +/* 6050: prefsCleaner: reset previously active items removed from arkenfox FF91+ ***/ + // placeholder /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); @@ -1404,7 +1388,7 @@ user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR) /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED - Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1] + Documentation denoted as [-]. Items deprecated prior to FF91 have been archived at [1] [1] https://github.com/arkenfox/user.js/issues/123 ***/ user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!"); @@ -1420,65 +1404,5 @@ user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is m // user_pref("layout.css.font-visibility.level", 1); // ***/ -/* ESR78.x still uses all the following prefs -// [NOTE] replace the * with a slash in the line above to re-enable them -// FF79 -// 0212: enforce fallback text encoding to match en-US - // When the content or server doesn't declare a charset the browser will - // fallback to the "Current locale" based on your application language - // [TEST] https://hsivonen.com/test/moz/check-charset.htm - // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025 - // [-] https://bugzilla.mozilla.org/1603712 -user_pref("intl.charset.fallback.override", "windows-1252"); -// FF82 -// 0206: disable geographically specific results/search engines e.g. "browser.search.*.US" - // i.e. ignore all of Mozilla's various search engines in multiple locales - // [-] https://bugzilla.mozilla.org/1619926 -user_pref("browser.search.geoSpecificDefaults", false); -user_pref("browser.search.geoSpecificDefaults.url", ""); -// FF86 -// 1205: disable SSL Error Reporting - // [1] https://firefox-source-docs.mozilla.org/main/65.0/browser/base/sslerrorreport/preferences.html - // [-] https://bugzilla.mozilla.org/1681839 -user_pref("security.ssl.errorReporting.automatic", false); -user_pref("security.ssl.errorReporting.enabled", false); -user_pref("security.ssl.errorReporting.url", ""); -// 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin - // [-] https://bugzilla.mozilla.org/1581678 -user_pref("browser.download.hide_plugins_without_extensions", false); -// FF87 -// 0105d: disable Activity Stream recent Highlights in the Library [FF57+] - // [-] https://bugzilla.mozilla.org/1689405 - // user_pref("browser.library.activity-stream.enabled", false); -// 8002: disable PointerEvents - // [1] https://developer.mozilla.org/docs/Web/API/PointerEvent - // [-] https://bugzilla.mozilla.org/1688105 - // user_pref("dom.w3c_pointer_events.enabled", false); -// FF89 -// 0309: disable sending Flash crash reports - // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] -user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); -// 0310: disable sending the URL of the website where a plugin crashed - // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] -user_pref("dom.ipc.plugins.reportCrashURL", false); -// 1243: block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks [FF59+] - // [1] https://bugzilla.mozilla.org/1190623 - // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] -user_pref("security.mixed_content.block_object_subrequest", true); -// 1803: disable Flash plugin - // 0=deactivated, 1=ask, 2=enabled - // ESR52.x is the last branch to fully support NPAPI, FF52+ stable only supports Flash - // [NOTE] You can still override individual sites via site permissions - // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] -user_pref("plugin.state.flash", 0); // [DEFAULT: 1] -// FF90 -// 0708: disable FTP [FF60+] - // [-] https://bugzilla.mozilla.org/1574475 - // user_pref("network.ftp.enabled", false); // [DEFAULT: false FF88+] -// 7001: enforce no offline cache storage (appCache) [FF71+] - // [-] https://bugzilla.mozilla.org/1694662 -user_pref("browser.cache.offline.storage.enable", false); // [DEFAULT: false FF84+] -// ***/ - /* END: internal custom pref to test for syntax errors ***/ user_pref("_user.js.parrot", "SUCCESS: No no he's not dead, he's, he's restin'!"); From 27977a16ad4a65c5e54e212c1d89dd111df039c6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 25 Nov 2021 06:49:38 +0000 Subject: [PATCH 456/657] 2652: browser.download.alwaysOpenPanel FYI: https://bugzilla.mozilla.org/1738372 There is a small privacy issue with shoulder surfers, but in reality, this just needs to happen IMO - we already prompt where to save, but even if we didn't, we also know we clicked or initiated a download - unless it's a drive by or user-gesture trickery - which is why we prompt - the download icon is shown (if hidden) and the throbber/accent color go to work - users can always click the icon to show entries (and open folder etc) - this maintains the current behavior in FF94 --- user.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 639e164..8c3b0ae 100644 --- a/user.js +++ b/user.js @@ -790,7 +790,9 @@ user_pref("permissions.delegation.enabled", false); * [SETUP-CHROME] On Android this blocks longtapping and saving images * [SETTING] General>Downloads>Always ask you where to save files ***/ user_pref("browser.download.useDownloadDir", false); -/* 2652: disable adding downloads to the system's "recent documents" list ***/ +/* 2652: disable downloads panel opening on every download [FF96+] ***/ +user_pref("browser.download.alwaysOpenPanel", false); +/* 2653: disable adding downloads to the system's "recent documents" list ***/ user_pref("browser.download.manager.addToRecentDocs", false); /** EXTENSIONS ***/ From 47de4f520bdc7ec80f440f66731df15338e74a29 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 28 Nov 2021 09:01:39 +0000 Subject: [PATCH 457/657] tidy 5505 --- user.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 8c3b0ae..2a7387e 100644 --- a/user.js +++ b/user.js @@ -1181,9 +1181,10 @@ user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!"); * [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/ // user_pref("javascript.options.asmjs", false); /* 5505: disable Ion and baseline JIT to harden against JS exploits - * [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new - * hidden pref is enabled, then Ion can still be used by extensions (1599226) - * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit ***/ + * [NOTE] When both Ion and JIT are disabled, and trustedprincipals + * is enabled, then Ion can still be used by extensions (1599226) + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit + * [2] https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ ***/ // user_pref("javascript.options.ion", false); // user_pref("javascript.options.baselinejit", false); // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF] From c2ddfd60bfb486b5a7791bc899e2646c027a92d3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 28 Nov 2021 13:22:46 +0000 Subject: [PATCH 458/657] tidy 79-91 removed items --- scratchpad-scripts/arkenfox-clear-removed.js | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index bd99cb5..cc8d330 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -13,30 +13,29 @@ const aPREFS = [ /* removed in arkenfox user.js */ - /* 91 */ + /* 79-91 */ 'alerts.showFavicons', + 'browser.newtabpage.activity-stream.asrouter.providers.snippets', + 'browser.send_pings.require_same_host', + 'browser.urlbar.usepreloadedtopurls.enabled', 'dom.allow_cut_copy', 'dom.battery.enabled', + 'dom.IntersectionObserver.enabled', 'dom.storage.enabled', 'dom.vibrator.enabled', + 'extensions.screenshots.upload-disabled', 'general.warnOnAboutConfig', 'gfx.direct2d.disabled', 'layers.acceleration.disabled', 'media.getusermedia.audiocapture.enabled', 'media.getusermedia.browser.enabled', 'media.getusermedia.screensharing.enabled', - 'media.media-capabilities.enabled', - 'security.insecure_connection_icon.enabled', - 'security.mixed_content.block_active_content', - /* 79-90 */ - 'browser.newtabpage.activity-stream.asrouter.providers.snippets', - 'browser.send_pings.require_same_host', - 'browser.urlbar.usepreloadedtopurls.enabled', - 'dom.IntersectionObserver.enabled', - 'extensions.screenshots.upload-disabled', 'media.gmp-widevinecdm.visible', + 'media.media-capabilities.enabled', 'network.http.redirection-limit', 'privacy.partition.network_state', + 'security.insecure_connection_icon.enabled', + 'security.mixed_content.block_active_content', 'security.ssl.enable_ocsp_stapling', 'security.ssl3.dhe_rsa_aes_128_sha', 'security.ssl3.dhe_rsa_aes_256_sha', From 4dc53722573a2bcf0052acdebe41951e94f217a1 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 30 Nov 2021 13:29:19 +0000 Subject: [PATCH 459/657] 0603: network.predictor.enable-prefetch make active for Nighty users - see https://bugzilla.mozilla.org/show_bug.cgi?id=1506194 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 2a7387e..5ca13db 100644 --- a/user.js +++ b/user.js @@ -285,7 +285,7 @@ user_pref("network.dns.disablePrefetch", true); // user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true] /* 0603: disable predictor / prefetching ***/ user_pref("network.predictor.enabled", false); - // user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false] +user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false] /* 0604: disable link-mouseover opening connection to linked server * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/ user_pref("network.http.speculative-parallel-limit", 0); From cf0102f71ebe3db5287d913db818d6a814c4c96b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 2 Dec 2021 09:34:34 +0000 Subject: [PATCH 460/657] fixup: from being flogged to death by overseers thanks @dngray, also save some precious bytes .. polar bears know about scarce resources --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 5ca13db..af8b477 100644 --- a/user.js +++ b/user.js @@ -891,7 +891,7 @@ user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+] * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/ user_pref("privacy.sanitize.sanitizeOnShutdown", true); /* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME] - * sanitizingOnShutdown is all or nothing, it does not allow exceptions (1681701) + * These items do not use exceptions, it is all or nothing (1681701) * [NOTE] If "history" is true, downloads will also be cleared * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache) From d1d20b897a1c648dfdb5c34e86264f10cc84bc38 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 4 Dec 2021 09:36:09 +0000 Subject: [PATCH 461/657] wiki cleanup (#1289) --- wikipiki/concurrent01.png | Bin 32476 -> 0 bytes wikipiki/concurrent02.png | Bin 106194 -> 0 bytes wikipiki/concurrent03.png | Bin 28466 -> 0 bytes wikipiki/concurrent04.png | Bin 28727 -> 0 bytes wikipiki/profiles01.png | Bin 33003 -> 0 bytes wikipiki/profiles02.png | Bin 26989 -> 0 bytes 6 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 wikipiki/concurrent01.png delete mode 100644 wikipiki/concurrent02.png delete mode 100644 wikipiki/concurrent03.png delete mode 100644 wikipiki/concurrent04.png delete mode 100644 wikipiki/profiles01.png delete mode 100644 wikipiki/profiles02.png diff --git a/wikipiki/concurrent01.png b/wikipiki/concurrent01.png deleted file mode 100644 index 60e0c4a33c9f493409c4bc1018d7066529936223..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 32476 zcmW(61y~%-ZVx^Da46El-K|jMkmBxI+>6tqg~Q$5T?@sbxE3!CMOr9coZ`;ofBAO4 z+1;6yNis<$$wa6s%V43uLI(fg?)dW&6Pr06dp-G^{l>_J~BTS1%+K!r{pZ zPU?hUsJcWHoFIXonFHY1Vr(otnox}uGZK9fb&IMnHmE2( za`b-Pr^tSx<9g@EQ`1k;-Kz7PhDp>OFlMSOj~X8wvqFLr_fOE!z~K58J1hX5))|0+ z8!V{Y9%(?pji0bE3v~}_*UNxrF~C5NQdSQqdDt_~zC?y02p$aTaZh-o0EQC)Fz;B2 zQUE3mg6E{uYXJF3fXSG-*(RXM2ADAT@5}=5oSO_E5MYo@MF`4I0HFAm;ZlIjTcB!E zJMtZ%%Lx!zDGUe#i);X=oQ{<&P}>6ZOh7Q|0Wc=OsTLl>1R(hUCc`u|o-4y*~t-&@u>cm5AI?+W5umzK7-wie|FBn(VPbv{2?_Zj!-Jbt+K z6Mne9{L{5T8^CQ8AcJ)Cr*Hg1v4ngw5iQv4*G`VK*9@n z*Mr87-VTtMadU;~%Cgcd z;Kku{Kzza_2Lx#GA|$yPTH_Jq>WVdI@MffE9Mx&|SSzx4Wna-GjVxQ(*P{w1vqD*h zL$-3Z`nPzt$hN4?4A67TU@pZs8XJu2qjvJ7+mLPEZ4}FNZgH)mO!eR81)8{garzR~ z1S(P(kv2G5^GWqlA3hIQqtKd(jiSw0j`7e-3*)zCoNs(W@cZ)gi-Vq`4svT zGG-3ViptW;)k+MlbFDGWxQh20pTA0L@n~#Tpv|Rz(W=Z*JtQeMSYE=xoE%G9(}-7m6V z)V|0Zbn<^aD$6PDeAljbAAl`BB+p>TAY&ajft<6ev83_4484pQSq*L!%bqEp$bSLf~>`Dczt%}0m3vP&6EU6ck)T9g&c2@>J&d@fGH6dXe< z|I{Rn`eBkKrYWXr>%j@F)51mb(lOFF(YAwzo3xt_gARj5^eFUH^a@J*O2?V%O0A_# zrEeAADh~Y^|55m3A%ibVgzG2wZq{zr&#bi;6Mav8*5>l&Z&>{bTL}@p1I7)YRKw4DqpEN z=0CPQ4*Qii&YQ=StHZA*zq z<+bSvvFMekYu={lrm(;&_o|-pxIj z2N)pS-+22{b;pVctyo^wFCB?T=eLRzipK?32X6OPQ`rn3##d8a@1{>AOxR+FsQUd~ zm_jw(F^%f?!(<2v3(*M`i**jyeKpOM#^*8pOVVvk>P{+EYBkH6OGU7TO`eZgw36LU zcv+y0w@qx2-AZqKUN=Wq?t=okAUpF{e#Z}8YY#`~VH-Ic7@I!C=^VpG&Rzu*eHS5R zL>26KtU{?U#c<^}$*1BF=5nHFx-)zax>$6tK8ikTYL03C>F`BKLuN|lGg)RO@5IA| z4n8m1?>r@}+pWP274aR4Sc<>1gmQ^8KS3S1MT9!Jf)W$rT_h^0l#-gQ_pNuVK8;mb zhSWcOcZ_P`piDs>v2Td4Le^tLZ7;%2 z>!kNqvJZIQI~v&A1hPNC&_dr1`F!x}=aG?$E{EP)lj&V(4w)!nMC4b372-5P|3$`M zp4(($PNUr!zmgj(z6`WlOj^xY?d`0x>s{H?>XY-HlcTQSXI%?r&tP5$GV-%X}JZycwO$$UDlcn{}S3_7kKMMt_; zv_M))^H%eg_j30Q*J58ID)(+u?;VV)l^tA;h7e~EA5m$rn}4>>%~Q;XXsX98upG!> z554Ys$~p01!{W!%ipd__pmCP++S^MvoX>vjx4%qQ3Y&d) z%_r9EaGXxsAnxlk@1CP}-*&v6Fg*L_epbJ-jj!`fC$mP#*kRv&U-&6$R%NI?yFK%3 ztD$}Cv3F;akJa@aS+2mu?~6{ae?-p<^SOc|zdO&povy!MU#=1T_H$);oEU3g@?bcw z?ojD4zJMKxFG>Cmn-?>9`n7oS%ipfYBmaE*m&`RvNYLa{!etzeBywCv+*l}9=t1rq zQ9;2CG1tevhcd}Yi%I%i;-|u=v9H8L9DX)9ehh3_j?XVYgPvP z1}VEnJbAd@UufSS^?LmBpg1X7!%^Ath59o-+uYV&YD|^gCy^#4JtHBepFf!Mu&un< zn^1FEbtM4srUL+Y5CGghztnpG@R1V$_DujlC>;QZof3_|O9OyAs+^R#rswkEXCD*7 z`KD`qpB>r`G*D9{7*9^EP9FE@sG3@$$gE<4dS2Uc9!B^LyzfBRDvDd%B+5wWfZX)X z;oa%GIt1c^nwl0ZOuI_WH?SsAM=A)l*|1>4!u62fc&^({cD68->Nt-}(dz1Oslocn zX+huTsLA=1cw+6RYIoUFlFDozO0VDICA(CBbAE5kYx8yyL+27hXR_M-E9XtDiE=`N zDSr}wIuyX_4M~rcaGkVM_Vyl$BhND5P0r zK_8M5j{SJ#o80m+}PHM4=2R z35|IuPpmY1+Q+HYp%2~oSK147<_14vI)2vcK-{{(HZgWa%x?MS?tnQ8oypFd@aW<6 zB5lz4VlyL-`Jl|IK(<@wdHVeX*=wQ2j`bA$&vzGH`&q;fX4}j*s5i&AyAKZ;gx9MA z&kPuT_18HnW1-QZ$18DXV4`&Z@{yA|J4r57woIq3R8HK}u-aS=n^Z@&I|-IBu@7 zP;UIX54?~OksepXa4oOGTGMe%_&6=96$B|fzj7AK!pcknCMDHM3?d096@Q=01T~|k zZxxGo&~PxDC7`FKM!`lvKq!R=Ahv4oQwGTW#?ecOFW@=|sD0{xn8>HUJd!{%nOoy& zMFffG15yMCAY^nY5P%7W0!X!}fD|P)H%;JFQ$f5)fCTu<;3)zCKZ8KQNCDx2xT>CT zcrHT;B9$-!0wi4=jA<~&dSF3Mg~Un2@=qR$&;Z0MNgx44tSZyv8KSRs)q1#;K+QX;Ewx*V~PXu&iot<_a7J)XQgK8NfqKLt zlKN*kqJ~9x{Po>oN!pEgBn!O}LI@`nA|8$RA6!l-__7m<0yP1_#Q&gy;Abi*CJ0h6 z6$p>K91cje4o?18F&Kdqq6;8GL0~`{0<)9C=i$bfJIS0erHyM)??ptv=H!9b@(NkZ zrF>D}=}h^>AV30uBIrKmwgg-o5;FjjCie4uuT#)4Tl3Yca6`piMb-u(d3s|S{(O@X2B2TP--yMIKw-OsIfCdik}+D z<-FwfS`n6{CG+N`tme&|181snJcuEZqYWr=-&4Uo1U9K4t9sF6MG#eBf_?Z!4=tVQ zaGm@B7zQgJ$T($7a1Evfk0`k={#7xfzXb8%^0>fky#f=QlX;7!IIVWvA>~%MB{P&f z$ROlBfJ=!nJP3{mp*EpMPqwiXBH$Y{m{eKS3C#>ZKqn6AP(S*CbjB70#j$5QIu=ndrbKfC|!s81I@5 zmV+QE1Ws+S=P}Ar(+K*h#R%X@lymD#@|}T`gwUl^6WDMgL+0TGB&H59BeF4+fqg@& zvaQwTkJ6>Q#j|^%C@SaRm-!daGtAm9;ZLdB&{5(YT1u)u8iluj@aSTlT91jc?~s5) z5P+bbh;0VpEW?GU0cP`qE#3T9?kzsYkAGe}-8_tZwQU*yRa>VIrV^$Kh5;&I0tsEI zAc=Agt>~($aymY{1x(|GaHx6SxC;vIfa>{XC07G}TI1KZIq^rV|Yb zeF@V-vkftxKn#f*v4qr@fVG4~JurscE;t$*4}!v|km|^T8PgH8U*X7pO^DM)8pkaD z7Crx${*fy!krIjmNPy+i)D;knbR7$yywQ-b5vVR%-_b?OU)5hwc%{aVCWmJt#S?fy z(Je~ID^Lth_+OF6_fz#KZDf9^jtqq6C~HWH0C3gFM3^ih0LOs<=tgzI@?hZfLG0?` z_W5cA@%fWfniKiT!IDFh|5LZhMebK(N(1@CVhEbVSMh3TxmFZX@PF@tz|}wELIgA) zk23dWcgH(di1+T!2eY61oPOSP?Rw=xB*5!l^3~eZ%EJOS7#~T|EtK^J@qD>Q^Iz>} zn|CqJ2BKZr45wTFiQj0bmR0;PEsrwIY0szmRMhn@lJ7#`eG*vB1SOX;F_NP=_TBz0 zvSL+aSzjzsA9X|l3S|<(M4(15P9!J}YCJ&|7m_WT zW#ULtMt!ee3`GV*kbnUYnv}FS0TAR+Q#U?VMVN6qBAvYCEQTVLNSOle30JQ)p;eVk zi{I+>O4Nvf4h*YvgOEa@P%0!E9%Kn@wURir_>CanGkFUWC?pq5qFSjSU#Nzcr70K! z!`8J&WaQIh)8V4#)_;u(Pz7iHp-o-J1Dj4`(Rhy+u+x$uhJUbEfvdyOGLYF;x~9@eCtWT3)A9f27D{1?PxiW_V_{-HlKa#`b3wtw#dLg z9B;2ze7ZhqS_7K;c(DBLAdt=KbQ>X}tB_Jfa%vU?@^o2~>Ga-nJzMbH7kE>s;zT99 z?$xzUs)8mU0j8S5M~D$hDPiNYEM;;#4y`Z7iRSTenJdPC(D7Mi8FF$Xhf>ki-FeGM zu{d;(WPjt*N7AqnE{u<0Om^S$P+1Ni8CKM$+o3KV)bS+V=}XAaZ~R(rNoPr&s7b@2 zvYx}mREjpU=gv&=GSS_Ia^&x+=~Q|10ayq0Di`!6zA`ddBR)M|)#2~5ZU!%j?kJ1C4GgSX zsSQVxsHMe~`U5o)Oc7TEayKxm?LkHHc9;tDa(c~8C5B)x-NcY&ft2c$LsJgAH>s~( zq3@_iKhdD_GF=ihAQNfx4nWGJx7Ue%-r6kYEgN?~Z+4!oiXaiFyPAR+0b$#wcc*hA zjPtghD&*JIUuYXxU#MVZP(OZ(m+)j!(>R8-%q~^MC|!>OK}oa(BCmgAi4aAem z`&>#P8H?htoeNLm@28!Hls(~>7n5tMD|OjgjGxT*@zZ@*!gQPHW)-Kml3t@G9Cxn; z?`D~mhJwa}qgKo4GUGwfqL%Cm7Mir$5@8wg)I})jHr>-f6ZQXGhxuHzKWZaRmRk=j zyj#+B$WY9BQM(jK;><^78hedv@$zU1cwjiADxBAW8w$uta*-0_n5k0hN-3zH>2>^$ zN#5_j+oX|!q6dt#N@Re-WubT|`POJ6Fn|_nK@hGuo~WP9^$ttF`V6260^*k=U$tXO z9E=S>b<6#xE@ewi=&e9AiZn_y@@$EPVkq3rV0VwEMFu_pEhx!un`Aybpq)Q zU%6P_>~KhCF=i{0U*Up*c$DNFQ?rsZE;Q~LC5S47B$uljm`Woi$c?W|q9t#Q2+u7g zQ{q`nXM3|?)8C4e6^(Wlo)g8!9{vi|Rq#}*6rD=}ubz+T56QdO7-;Vw(wwNn2w zE@cu*+mr=sm#XrvRlrsQ>kG@#CgHm1Hy`9YB{G7!pbLTi$pb(`E4@PF^w~#zCH~RF zJUdSO8Ae&zgNS6y;7k&Uk=E3N^$y430FoExC3=34arM}~_H(vt`O|T%h!vn6l?;<2 znr7TH!pA~Xg*xyOjs4BN*yc&9Of2&chDaP%JdF&ze%4#F*;YyOU;p7U>;LIiMaTbf zaqwgD(PW<6(IhFo$i*S@5I^@if%$R7w-hgF?4`$1k+sgtXAq!x_wSq-6Bu;hh|cO2 z^Ly$8wf;Kd%(8rQRi7=`@C6(qLN$3aH0r{0D-##D$1ygi{afJ3gJ#Fr&2`e57Y}gG zXA_Qu2+vW+iepwkVO|hm0O@TB6te&C&C90Anyr?didZBUW7++tT*n?7+`& zhfU>|aFtGI3h@tC?ydR&JsC-VJ(Sg}LxHl#!!<{rjV05Pj-w@~_oq!`{`Ia^4~Ap5 zs{JUdTr*o<9t zE`b*WkcIYDXdHL#4^TclEq~dW@VzY!lfF*rhm)vH^fO0DPK4p{Y}|K0|Klty*FzR?}EE(T(>R|iMYqecK zWQMhy*{!hN#>B=eUPB=F*un~m87#yeeP*}wc^-)z5nOQSf(hM1m;2MiA!S!GqDl3WRNwFZv}Sd1f?Ot?!B{ zhI}d0_5SWrSbhzR53pz`i6$+QX2S3Y6%EnDh7u$abD`tP^I~Cz>lcDxR5_(!r1(!C z#ibB<+R=d1`+k+GQ zO4@hx$fw@35lwC0fWK%B7ve&wMP<8eG|aNmuV_3d*V;8(b@Uwv*YkGt!Fpn;3<=sy zEl)d{d7p2a8D1tn6T+XmHBYPWPThX2W&`5*KQ1^2=f@x}F#^@~6e74W=4GnqmHWO6 zX3&G#Z3d-It3e8aqFJ|@$gj$Hl{|uD;d9q>w#LC*$09T82yn(nt(e1zotH=>fGF?H zXe;bKt9s?_@LeiEVsu2pi#eZ@w>Yo)x1?h6XZvIkEwtBEgrq;Sh6lQqbJjP@c2@O9 zsML{Zr8g6lBJ(fR%#J?G(i$1S(-BMIdR?vTHIeCykT)4F8)&qv4TXqpglI%U>a5EWFtA+asd1sX;PZQudN%j|8X=5G;1^Ags|r^YW9)O#ySfg;sW|5PbKLHz zSfXB`Y4<{l?ZMw3zi(P75&iscBI-$OmL%u#7Y;|psL%;=uW|xeSuk#-l`&D#bd?uo zdJXvNu4=^YuJ+Zs+qN}*x5LspE^fb=Oi%g={OfHZ?mMeXA|5r+@mKyF4=T;Op3<@6 z=v@ECCf0FLDmJ=5k$xVfSC-~z^mNJO-+mjBrE=71-~Y?$x9E*Ehp)LwsFZo5?B(RK zk^e4_48>0w?~fr;v=Cs`({DUFj1>54cslbl4jKNt=J9mq?NdIx*ExsNof#8w`1NkO z#rh!U`7tV^Up~O}U=-u&92W&%^Ki{!g?)g$^8RM|W7J&r!%Zv39b&*sfE5f#5J=da zQoH+C`fM_+-B0I%fG(bspS$FeKK$(IpRS(~fF4_(o#$OSk!#K8!%Q*k4g$Z&FFG8p zo7To6`rxgpT3S_(Ls)R9|NU*u^U0!9-|U!xq40UHTCL+~N14`Z-_24~nTyBWlP9-T zH_X$1+ew_9vqz4{li&WLj|(iy1d(&WkdGrJ4SD4#0DLm8+f}if`Y{J4S>w$t1-=LY z_dvo6Nqih+Ec)IW2s8<2@DS114q4*OP!=hw&cq-Kx(iz-;!DE|^n-@=uM)7^U`V;D z8)a0oj}_JfIn*|o_1EPwaO2_3tM)d zT<6(J+MnhPM2Rs%Jkg0}#bLzNL16MT zv~{!letc5f(0%&h3uW7mhk^gn$;gV=1PA-8@M+2|#gq5Jzn>rQ$^Bg_F0&;c9&mMU z9!3LJa>bkmHEOa2-8_%Z*SdnN#oAmwIbPUpqH{wmxAR$G4ZhpWlXc>0@x7uGuoL+8 z@w-P}yVLjZ%-2u5rCDjhZgv$NzmBmyjIOV$qw>U>h)zaW_ zF2g5Xp7U`ikAEZf9#dW)iM?;zIo`Aq6Rm#jc65MYCH!yjv&J1_&zJ61*B_tb-p@-a z@AE8=GW6woJU5yyrg7|p1^}|$)w?{gyS?JvkMlTd7Z=~ih+~D&;m@s~27iU&u@E8dJe#Gy!w}f|9oVGxl`NL|#7#P5uQWy;>u>#(B_n1U zyRxbMAl0TKAQ%e82_V^y;jEP7>I_DUK(J*%K_c+}4ma$`4-u%NW^XLAG^6&CHGLHbT$kA)so^!O4wc46_E=6~| zzPOyXS8g}MmHy91J9KNW{n80yP2xm)WPb7AUZ}%=8)!d*{I0_kWHKJ#di(>5J~{pV z7S1sF`u$7xNl8C@Mzls{vk~vaa|$`kzy%0Rb3_~ z%?2)4O1>vg7^vJma1LJ_|EKqCXa-3Cc?OQew=4aA!PY0!F6@N+;r`JW7glxY4RV#V(I?yFT(SC10C+uz$K3T zsMlQ{?rV5HZHnmFb_?0#)JV2!Sc@IVB+5k0dkXhsB(KL^qLe9W=qV&dMkZ~UGn1&5NXRretsqQ zb`DVv%Fu=z2q-qB!DJf@l|pTqjzHY7Oc($^iTY|Jtd@-X2kuZ<02eXMh7dR$?CD8B z#$^k-4c+;QG{X;d99u+WOn+!OmnziY#?9Bg@Ap4lnHS^C#U9LX>>>U-z@+djw1FDg zV761e=o(%}%NTt9bKp70M$NeQAv18(lI8F6So?n6Ufk}L!Ti7L zoc6&B7Ldt~$jLM5X!kUJdU~AbNiWZi@#iI+^%b|gH@W|*r8>7*eipp+>%)aFjh7t> z|E|dRZ^PE!7PRY+kk+~nV1!5X=<`ol`59&~6hFcny$gRZA_0U+);I@AFILx{ds_ij zihLP@I`)K}OXUXROa6jgwJ@v|iNK2O0(a4GV7} zGzVm=dcT`w@~(Ii$Jj#ZKZLRjs42T9z(73&wWtzg#)8lnlRQ2=1OmdZq+;V>M-WMm zhyX=Y)3vJ)^uUoLrM7+goOZZm!P!}H)g3b3d5Nz*) ztvWamiHaL81EZa~%l6D^SKFl&Y44OkTwS8cHP zr(d3T9~OfzE{@?zH3MO#VhthT;dbvIFN1{lwm?z_d7a+V1E{atDULl)IoiV`5YR6w z0(f`0aKAWE@0fSH9%T5p9j#0{S+>qt|73B?RjI@n30&6l=!rHTUJerL|s$FD;6SM7bxN4=+wD1; zcI4#LDDaD8*DM}`Jt82;-Fbj(cVi#*`JzDokd5M0Z#5d5NZd+`2w7Z+g3~}bB12<- zxQcwA%kZ0JRp$q=jJH(7HqVH*FeU|dP#^N9)n~wsmOQ}sNzsKxbo8^C4Xc748`=kKp#l!vc!>^-2C zBkz6pyY1utLiIP9mW^YP$hND~_Kzy=2dRHo8_Iofx?c{1mJP?>c)#0jjoRtjJ}S8% zWd2=Xn{F~FG-#1(ar|!7PWbUadrs+5Z>~CPt=gbaX0q^Dh?GmrV+1K)_h)3ms@N1^%r^Cdz0!I9|ePNf=7^uhIA19*oRNDNv z>*$>2wjDIs{XeZY5M%QmU`l#rA6}*#avu&_`*YtE+U|-JUSzHi{qE`bp-nk=u>5?` zo!w;H_tAWw&dK|*?+Np?$@tgBmH)#}l?{ zcAI5KYt-npBqOTSzm7Ovm*;Wt;UctKrPI4Z*n8QZEqggG;^uc6d;2yT3h?IW&ZmrA z>DTp+LSDya>R4Xl_TXBZv!;h!!19K1)QXrOyM zJvv<0i^2eV)LTw^fNu~R!SZw2{GH5pOAl;@7VnjPAKVDDhki?W@Q%qcDrHk+(9Z-v zPe!hAhD`VCvIRJ>XS@cZL2CReQ=(TEN^H$dBOhkeYM3Qn6QTM3LTDe4Ch5HrJF<)c zKU%n@4Ow%i8AE+f1XTwB9`#% zdLIBSQ$Xg&yD0cak~ICsS8$`vGJR-++;@|v_xoV$xH}NbN)cRsRw{NBzpjI@K1ZWA zAlt7EN4B>FBx&tZ(b!G1gNk?ta9g&@;yC1rD!UM6j!7m_3bFw5PIv1y~2dStkOwE_! zvz6)1U>~G1Dh!Ux=$ndl*r#odj!u3%zG`{uy6k^mv5o8f@|9fd?|D#)6h2b%3d98B zNBRbfb@7};4N_l=@Oug50=2dw4Si$Rr+5|aK{z<>TBpD!N#lP=&D{JGWL1UM7(shs zwEdSWawfK}|J3ARZ` zi6HD~rT`Uj#}|&)_rcW*;qvx1$&RvYE_eVOfi(=KiIHOAjz*85;*C}g@D&W1z(yrw z!&NDt}sb;QN zi*UxA-Nv7a1OMoVYC5i3aKtJDFd1GUB@dcd$(GDY2TYwHwqnYZ z@zIRMm~RRV41L=mKj>^gF04}JAJimeX|O;(-NIao7d&72Ks2^=9-HcHo=TWtsNis4 zObS8;Fzw-~#>1+KY@Ng6B@^8BI7w$D&D3+XN8>5;IW{3pAX%1PTG^7BJ!p=d?2CKD z9m31Y%h+c7f3`+wYBWISD*h_ z|8z6oZ5i?*@DyhtCmMBgGLv&5diNZouGNb8&NPvZ)CUw@-Hpxd?bW##kW^L*Xxq|90tKQ^# z&9Ik6DZ<9v7k_AjrGkwSBHIL`hZ5l_vZ~NbQ2i>`mv=to2@paUf=_PICKbRO z0e!@-xS6MY2C=?qO9S&Gy20#XJo1GJy-UK>llYWse~@!e5jalWd09;{zBU(Ic6}gM zApU21VK%6!+{9x4;%fWTTRwPW>Rk081+#)EoQ zh3rO2ESh-Uq|jV}M7^1+K^E>2FX~oy1MtYD9bX+3Y+Xf_4}`c_TGG-@$@)`oYZsAf zz%i{u6j_Uvht~I%DP$zR2CL)NY6ibA3E$IWAgoen^iuIbNM~}U>VrjDDPig>i>$vw zX3^FEHo{3g>F*QINrkuSN8Bxu=#{}i`NK-DG6&C`_?yJmLBw+_?3cUl3tl9Ei zzq^{lkwVCICI7y~-9rVFLLufpd;cx?J?cyTV*IR=fWq@G8OiR~qBzN0n|TW_OLCR>+a<~ecr zAh8n^43m(to1IgC*&7AJ+C;YtZh1h3=NF< zPN&(C&Wq|gf?(su14W<2ummp*Qku}81#{$u#7pJ(jWAhCmw%&neQY^HP2`SpjR);T zRRskXzK>(?1NYMhenF?Gmc(EYBXii8PGuZUhHMM9Ij5-2%}_Ts8H}V$3{jfl$54#7 zi4lb7dXH=kDPF2sJ*YNsF@;+#Mp&&#uuTKSGqzOm@L&ivY~41Bk8!h!_q)M)CaJh= z{Skjc3KHqM6>h^1;SX;Uts(_KRBhqji-$H8r|iNDHR#FFUa~6&`=t)wV>*g zzegB4W6c09g{G83W%29qi~^^$A|zE9nq+gLo!BM)v;=BCW#LB4sv#g`%}dtzha8om zrrOhUa|J+fJ8>n~%)WnPmT0}&Z!9Y$RWpHB8^#18_| z(a{q5?koRSCf7?4ld*X8Qw$XxDS6bw)<@ZBsimkMgEWUtRjHO}o@Q}N^eoD;g}C9LnCo}K zH5o7@U#ytIX?hgizS5&AG#eT0+M!QUG8>BcA88d82K5;%e!>dr8eP4|%P7bJmD_#%Fvck_q7=GrE^ zUj6cFT8skTS1TlD^tG3+;DU|-OojO9RmT!?UhOdW((IBQNujC4MJ8tFSMBP$KbSO? zbVo2A6f22M(2#))R<%O>a)HIXXe3odnkT0q?bao`hom+ znhTzF@J(DO0-774Gp%OXqY?0Sr({Pn@~_82bgYQ;54vzk_8m?h$>y}6M^?^E7Ti7( z7Hu81xov^6Jaeizc9uvx_8N4H`+l&EL)g_D7NxXY*T`?Lt;b|YFJU(n3xm70cU6jE zHbW9o<8omdUZl62)glELkrW6_7nHoOaysQ1@tnTP0ho>hHEy}kekxnqB z+v0PvcS15kBz&IwU1ewOMQL;rh$uFHk_@`_M0>VIb9tdTua#Z;-^`*6->EYdCU^yI zX|YU*x;?g~z4mz+iM9c_W_Wke>xRgmm5Jk7s1n6+(3$d5X5Xx~wz(igzxH{FX0nzF zWTrX@(|5>jrdX7k%CK-!4-{iN{E~UA<9gO-m3b!GDIJdT0U5n-9*wk2`bPx)M;&P} zZulLZnW8TL#K*Pt=Q@Im%pKw6U5uO*2jM6&*ZI&Td1fol#0UoK!ukO8Y1sl6+kt>S z?}A_$soSz-LB9=^*_>47?#Irp4UEZGg8SG0%kfmPHxRTu(D+of!tM~|^L(m+F(N7| zYFO!?IgS`nr*RUiiK)>`~6C+#G@H6}$qGB1Gfc{MR?a1v4pl z@DCBA(wDN7V3J!HULsC3E9ot){*ML*i%;$JUnBCyLE_cC5Yd{erOl(-8vTVIM_0c^ z|Jo&YE-=0Qth-JkWGz`e&{koo%Ky>m=%q#$j{K)U&sxn^e%Sk3Fy_}gd%iAs7IUK* z&N5(!Q#9l#{r2z+;-hz?y&%2MhW?TbHE#5&$%G>gg)dkvOtS4C_VMK#m|@T-qFEa= zMU3jZCOwgAi>*dm8U^{%YHhRXfyVh-Z~c)QI#oXV^e2)Knf{r5)g76+uZ&ePxv5$z zPgVmD6h6c_!klb#SY%GVgYR@ySV(Vs?6jc4n+8F*ft5&FJDD&EJ zjAhH8%1vbI;j{X13^{EEN)gv2?X;9453`wL5=%`cAL~yFZ7rPlng;Fp2-+%S%^$Mo zYE%01E@;+BqU| zowb^%1@`iC&dWLW^6)PV{yd4(%dTsGO6!_lK!HK?N1H#NChx*cbQA(?zRIh%yt(<) zUNGIJ0(~F#7k&U9iCmASz`&Yu4ddP{tr8F&3Mu>%1=Vk0=OAk^#U9Tr54H6D5wE59 zseiO|BD>ZiWG9hOfqpz&U)v^Ri6Z4O-12-;+M>o zyjzND44;U(yS7JAr88aYKCA!9^5u-?t~%oh`Bz~1=2A6vnoA)|p06N={s22H_H7F$ z0BvnuKApay)5-a|QzS7kT{ZCPFzZz(G3KUBm9}Ri6Ly!26%gpk?f5aQk@Y!< z=VebU^Pn<(|HlaZd(DMf8@r53@sk#NjliKBx?9#9L5}1aFD|}=!E|}o1w#_%LAz4D z&O+~r=*UuS8xPH2G!xHf1W$8`Szj)@>MM8{c<+R^_v%VJSC(YX^Rj-QrKM^qrQ4GE zX5P}jrj3xMS9sYG+AH*mWiudWF*pCFIV9QOg})t+sM8k>ak-YGQx_KG-RL$=D<1A} zMAG>f1aw+PEt##xD{^13eB0BpuQ*{-E%QsBLq);3%upn?+lx)mo3V35NLUC#zoL)E zk5^5t>{5;21{_@Pb2v??f1ceU<%g-GLWZMYpVoJi?#GhV=GdQIkdb$C+Sfs; zwaJ&*;o<1FCY@5)$jc8m?T2jGf7QQAY^3ODtg`D{j5Op+!=kJdtNWtEIzL(jggsNOLl0!dtewa3dzVHf) zD%YpLI%KP#v${Oo_Vzo~+nqKbgn$pT14@#iuN-Lmcb2O#zRzI-l3^b*%a8RcO6vI1 zlyU@3BYw3a(8F>=LCG&y79)wZ7#KC2VYhsD;SKL|hb7~j)DM&ND_?Qq4l0FrYCl|j z{uIY|^xN@REen>4J^j73n*EQG<6AK#{-}l@he^|01;H#S7{_~}Pp z^sCEGmLaTHyl>nWXCv|3E>W?6khPpwrXZhBk%V1OR!07Fe_=7wOsDpaZvGD36z_@A z8wc_$*cVM-XNoIwA*7*ba{e!Nf3vX;MzLc`M~~1H>>DhTBaxd3DK-ikf5!}1@?Fr4 zdG^sz^G#zps+CA4{a=R8#r~SZ?iWQ3u?8R^OR3$y)q-`((?68+U(|>V+N_0JxDz(W zHFd4_KLL+VSQg!sL^Pcbq0UZnZA*H&g;6f8D@7x4G`~`wMD-?Ou(!8hDO1B8B=EA+ zBjfYCm(2C$Kx9fx8YLdzh-Dd)WJC&`ipK#5p&QPG!an7{Q(SFARj?viDc!=DL>nY( z9usYo$xo;IO*}Fc&I=nojYp8o9@|T65xJSRLhvuA0ix^Nnd`a$`B^q z8~ztfCI1v6Le&`azplPAAdaA0c5x>VAh>HFxVtUx?iSqL-62?TcXtl~f(LikAVGsW z!QYU3-@D&^{cCrmcWlq8uBy``-WZEU6Vh$wdE6haPD`=(_1VpAKx!nm9&;eJ;cyH? znMROz?_G6LSH-b~j$?h)CAiH>zKLF@%j!l*rFu;)CMaY6KZzmYk+biqpBTB<4P#3SKaPSoH=Z{4d?m`PsiP$ZZ)T_f3tJbqL50sNg7SK zde1qdzw5F}-0L5I&LC7w=F_0*K~%np#rH9Wh9GD&m(iAY2o%I=8vN$dkc;T3Ckh4V zxXeL?1BUb`Tm_bQ1gs53CQA*DQCU-)QxnImpfBJgDNXS2X?TUau~v~CiVU|nw@&$< z(8z~q6%@p=EVTsmTg5yOG;Bf+TTKf9Z!(72tO5fOYq1e9wmgFZ1NqUSV=dp7%dth| z?BiZgsb-@o!9!=ic31syd4p&bdm$wEU}ar}r2Zi1 zBejI>o{k3oWKpWr{2eh$^9WOSeASA9Lgw$>fDQzvJw(z#yV9-+q@%tYaAvsdnr$fU zFK=iL7W(t|Bq{vQKDgXuTaN)Gzk>Mp8}bv~fq0;UXr@rkEtjBpJv5m5xp? zj+={%E!{i-CMe!wN|McK^o~E-PE6jOH|H%3#0rT*PTz&5t0R`Spif=#nJv(!INWc) zotzlkCyb%`0-UA=9@4)#g9&;#Xz_&80N!K^x0HOCCK&-cj<_m#!g}Wneu<@+<|^TC zx=4g0cFx|M(*ACCxeJp*K?RMOqu4X-ng!qCr30U$-vf$}jI}`ZUGv#?A=AGbkWd@W zX!HHJNQxR-D3SVe7)nMW+ouSP>#^ou4&4GCov*bD0lld*dJ-9)hED;3ZA`x450fUa zpN>G;<3jr2EpJuj5lVRP#d@rQde?1F8>axC>qxwudN#CI=hSc6w8cna1&Mq`zMY5? z<2+g|RbhM1e;tL^T-7lv>=EAKT_zZj<79 z(!A(*^AjW2=fN^pKqAX;rH*xiuTdh7sHT>HWvazJ)y!fIxrofIKst;>#TE$`1pQXk zL)}lvc{Jy!q@(i~eCGd}y_4db>(gexkt6tYaVL}V6cnL5$<>5dl&>K&7+0wN9o zE`5mFMC*~Orp?;-dNX(1xSH$dpg_PWS;u+{3v2&aB`XfZ%=7gB%&R7dU@d&^$~@)w%oWRsbur8_-u4NRs12IJAN**n~WvoeYt-Td@eWz zdEA6tIrGj1C@&#hzcxMBP0F$+bvsCW_!uW zwfe7p*pymHuZJ`4Y3ZJnYhGt&0oc?j2L6}QW_#3I8c|5L+Aoz{1n(hHB;5`3Q&gon zj0jmZ<#_5oEmFz(9M=yDJe~JFKi;*MCd2jj_e&6Y?(C)-tVcUr-yVBiw+d=#ba<=Q zzh0bXgTg(Z#iQ}OjUY;Mye1PDQ6K}DvDJEysG|v?tsWQTGL4XJya@I6bYmAs8UE~jIV#Z3%h1ozsroSsI?|w$1wZbuJ7c`nX4B_!3jT?-iU;uh?{&iyM-`R z(EAl-tq-ftbysOl{B(O#QC|M^awj7#eS5OHpQBEcl#-(F^{3cb z=bZ|I)n3oz6^k2HUe7U$`u^JnylzBK3xH}gGcyC&&+qas3p+bIo0`~?tupNYUYct- zv=p|vo$0Dle8C`tKsob-iWN8=^**w?Ee(pXKeNy(9Qfq5PxQTWjRh`FtEs{1;yxl` zBTR;_G3`&=>b#NQ`mKRAC_Qj)_m_j_IBiwxQqn^Jot2r+m#Th>oVQ1xf0dK{*nX)c7pedjaVAS1PzyH<9%mhI?AJU;{af{& zEa;6OKoJOlH;CpddQdZ1l)}HIT6T*f11dyIFs=T@z3cV)^>JHpV=a;F)8)na3_bg*Ob{H}nqdoI&kI_pwo zKE-h@){Z;MxXP0fU8x-Rkz);_FsZ&&|EuI?71)~e^~ajY7JVHge>=H+KSyD-9ku zpYisYH>XTe?sF^N$rEX={FsG8jDQc2;@!R1{xWUHW?Rv@({Z~HnrKIKd6az@w@@6L z&3C_K_U)TctK0`(x67E+Up|ZWiHS(YF)AZ)1FGv(3BSt{<8*-p*QMPx4@2#4@m|*9 zau1o|GZid_2quXswr!!285Jb|%^Xpr*^$ho&C>)*VMEl@WOSb&{6-*k4%dYS?5j?hI_Iad@h7|F&{8W6@c)9E9;U!a*pE5Q4_FeeE<|Rtz21cZ z1-S6&X{37RxZ3+VD8Kd@OCQVh475Df%2B}y{X$Yv@b?;9*|~%O9hvKUY~Yuwp>mzX znp~oSGzA-NPJJ~5+$EeGD~?~b7X&o8L5GL>Y3XX~6&z(7IvN^qtJssizl-XvALr)h zO?8h_F8haf%^_?Ie74FO&vY`CJezBJRGS6vb~6HM^z`Z+!*54eL3vr`Xy}1br!hFe zkr9EbXVmvvjcpSVF#hRK??H_Fn^UA*w!7lg{VY%QJt^dFFxctpcR1%HyO_mMK@{!%)_CS*&`F%G3n3lLxSoIw zh&hYRd7M=PweFosRwc)7;MhptdoQR<-P6q;Q(*_LIyQ3ZufingfzsttK@N28XTCeX0L(4TYv83Y>*UII(NrO2XD;xY#D1k5@W_G z&F|6F>zA^h;ZVa$HEK2J(_gRqvB+5_SXRBrADvc-?!$iMAIGd&NWE+S1dj^mgN&hw zM#C~)YyBNsSYASkRW7rc=@s99;8?B_HkP;ahwcmaPMF$g(hs4-IaagUHlsCetlcXR z$Z&0v;}`cu*!{k0(qu5{_5ezJ{{#-d-HaNrdf?e+Hk-U*B(4sIa>PdIw%NouY^}~} z85fNC(eT^2xcU`U{Ch7h>q2yA9oDS|5-x(jfwExaAROq!P*}e(n(1{t%Ljvcn^~-B zJ@V5vHZq04B@B*V>7~8jt&rN)n*x@gVhXARvKo z|C&~{PA+tN{;h0{8f#0#iiL{7{AxjopoM4yd{YD+kRIjZQi1IRwrcXmWBzv$=` zI$y#Wd!sNW!;@=uIm_k~D7l*aPo!$9z_y|B9C+~9Jk7RqbkuT$iu2`^T4)T(+z1@z zlzc;ImJ_Kij)(jSp6UX@9)7#hL>S(7tck$h&IQx2!=KzTU!S4D|E3>?LRl|V$@=KqeH*q59{Lc#&{aKB! z5|H4;E3a^_( zcGHn0s%%qpVKjtzNzNbpD1Q&Tg=?!G`(6?XIqiO3R4c(Ou$fKs-XSwCJ}B%;V|*qU zSaX=H-re=!&(hZNtVnRs@7m86W3rgyZ%KLAbq73Cqde|o1fP~CngFZ>q-4j@rfx;HJ$#Y~0awZsnr-jha zSQE2coJ8cpga5574@(OQ=m-dEiq_AIfK?i2AJ)t{c&O<6*QF*~;R23ir9HSHepZg+ z)smcd+>^b}O9tbfas7zk-j3fkEJMh@7$O$!QS_^(56YEfR81$V}J}!$_e~HdBuK z4OZ&$xOd*JSU+C>+0IcVI$mqNDhJ^0d44#Rfp0S~Aaj#s%@dtLg8>I-!{ndzO&$LS zRCJb#xXf>Ax}K3??07tF*VEu?(g+;L&?m#n($(yh2bb~;0ZyOd;^Lc|n^W#x3144d zOUrU+YZr@Jp<<$V1p8uJwyHjGT5_^&>2fP>Z4l3hYmlfnwv`DLx57Bf@Ywe}tuWAv z6HE)f2pq)Qe>2bwSI7{U+RO~P(F-4hF85%&FEJbVFU}y>kb;CrT5Dz`*+8_){;TvA zF7L;C0{>md0cH$l536a6Fwg9!P_Q|vRpx@2Xl+%-0^QFhHCr6$0lVR$TszC(p5*>* zrlSfH6&Ml;t}U`KzD#6HXD`P5*rI9HX;;;@<2%nslon@7~< zMv~)-<(nSwR|griy;#%mT$P3T`Jb1tn#sAMiR znI~9GaPS_#7AP!LAg)FX-yi8(ls$7E-mbeynKgN~F3CJfs{qnm0J>ab0|_wmWsPCu zv{3;r%I`!<@C?3*nXrc=8EV&^zM4`QdaDUSIMZ-Q7|trHaj6ceX|W}_vjb0dO_ZSl zBFDPZgHbr4+mg{_PPXn#wty?p7-jjN|1eu84x6yFa!q~nZ}6zCi8BOti1f44uyppLn}6R7Cr zeAq~oU3b)e12kR5K8`HuvQ&%f*8|1o8+QXhZ`g6+iFVp__;yxI_?`@lz|kg zDK?rf#`)Jf-GsTfV?Gj}t+$@dK8KnMf8QTIf`#Z#i=y4Sk;}A=-}ABF(HVX(-?0yy zxGp3`nW-PHQOl@7-SMzsrq=k$+-id1gHEO>ZC(b7%n$>vjjX>N&RK9N)0JVw;3}PX*u0ixX5}%~q?VO>WahjZa_KCSp%G(Pp z=QWb}*k5b#V7pstyYlS!;4Jx^o!evkXzz|l-UeeM(SBPlmkG~!fF?lm1g9|Ls2%XD zk1`aSJFLR9FT0_)R=#2_BImfDkgujaz9T?ZnDjT%v8i|PeoWyECs@o)Z|V5)TP}H% z6gWCU73X8h-)^_WTsS%U9XaXgE&MF6f1>EbciKLmj@o+f;0N1j6Sq%)#*Y~bQuG3A zb@jFT*GLrnZIUWg(00+^rGJh+0E_kM|J{y~t6|Q#BEblT&8@;BOFpWtW}gNnj`+$DK(pKCQe7e@4ORLfBm)okX=g8Ae&!AnWV;j18$z;~-eG!sZ zs*6CCxk8t-hWMIN<9@WC-iF8iiC(|ya0OP^58s9(&2Y`JPU{!;L`KFshx`4wTvqdm z6ZbJWOxMfjkaLX5PtUv9U0h==k!9n39xHBN06u}Vy<5k=W0%NB6nHnGUm+eUkY=uAi>-p;SQ;)X@jruzrEdmm>(?mfeQ=o*0p|aWr%Nw}c z{VyF`$cp}ihX57Ljv#5mP{Tn(Z*sU6IHKR8em&gTbYNnqR#$}zY7&CV2V=zBfZlzR z;)<6%UhinP-{`da{Za7Y=BNc2vV+OC+IsV|Sz_YxzD9fJ)P4_LVbf(20_qx484dg{ z`mu@K*Bno^c6)O8y;B$s*4y3f-*UTl6)72-2(&UJXU}k8dNbE7EPeaKVI?+$E|>p{ z5B5fv(sZpxt-eZ$EHIPil%1=0lr=?W$n2_@5@l05_W}wLTzISqdvpYd1&uqPqfB{( zW$d7&g%Gd#;Xv9N;gZoH7&Ed2~qM@{09Df5?@9@vKtM5c5mPAvO zLV+C!GTwpJ|ER;$*F=7*2;p#r_5KfzE&M+@wo~9l`DNH3<0C@OSt4N3R})PCe*)~| z|3`qW+=PkpVp)TB8Mia`%@G7_jgi;YR8;Pt&j2;@c(rAczm$)Lp1uP>BxjwEcK@zS z8H709*POcIYz`ZB+GJXK`s&(RcLf^3!=ob^8JTRILQ!69OA%=!nF7mqN7riwBfY!; z3hB$gsd->F2{{P+3Y;Tdue;vn=B9&?3-ytLpy(INtEBIz=-gZ`d=avER_!or%YW1h zG})^)BH{&qCA65VZ^!g?s;g8a?8iL)Nud`cESI!touS{C@ux$Aer*MqMt}w1E=P3#IzL}jQ z1)gR*|FvO3AtNEnK=UGNg#Jdk;UKUCBfjyv$Sd#p#A%JksP#Ah@8?1J&WnbaQUA=H z-U*&!AH%DfCFt*WOZgp9tXe@)78>da0}^S=0=HRF@}54SCK)@u)4miXwZk;H+)ZX) zxiUoIF)djoNM^Y>-t^5Kz>?|N(m3_dKIh#HquoMmD$}jdVZIng@b;8Z{Bz1f%z-8x zI#AJ8!=OOb==%}=@GgVQ`v^+%q_VP7NAT*pbg)W}ff!Whw-kmWluZG75aS4^Bha~(`K*E%EE)Ty~J zb-ov&g%h3jC(iC*+SOjj>H){=bd#hOz!H;X$blmWCDU5H|uy|0my&NGfspl{S0 zVVtS4w3&2wF@n^5Is1xFO5QtN-2Y7!Y!%fP!X7vePI4iEK(MM4ID+o;w+GA17CTO; zsD$EjXaI%-~hr%{P*OpRUTJgBGFnU3?Ye zHjUOIkL6y5c@2Rfao$0zkxs-e@vVNNTr2)|f+n|%YMT=JHB%ps&EH~Q{9vtAP5)Vq zeH1^B33#(pK?f#2{?~Y0X38sqFM@d9)mi&B`jca0t3>}Z>~FjPfwTd75W1H;Dnb(`@IHv1-mchJ zD?2&HsJ0%)qZyodV*$2Kq;}sL7TttF@yh31({IikVNwYE%lH#<16xxIIa6bf<`wek zJnHRz5xktXZLGJFuXHK4ZN2M``z7eDsA5*bJXXng(?b(!&L@y&-r&=LXw7fK$8mOC zz#&4$RO66BuE?PECjYV(=kOf+@E@aeUAS;Jvx4C)wM!HP+yP5Ex){}LC&KEQ8arA} zS5+=xNS$phA3-K6>{R(LHfgwuh_Z?QurvT~oB0qDp!!yS)S>Tn1GCwkE|klo5(Zl} zf&0XLFJtO3JcHl0rBnUCh21z418~TLy`6; zbI*Q1a?(EB9L`&hBz=6_lzMnbOgH`Njl*r);l6-f3kxcH6R2-h#gMpAcCC4vy%Bf;3~99`>zP8z!vk zCwgpujXdFxAR=1VX5gc(OPC_#rg-vp|uE zCl41_lSHIAJaJkYf)Y-oIL{?1ljNnN?lvGi`V^qkgbW@dQSAvyv!oECNSouA^1Z2! z7$QI&FJEqY8ozMPT5bn)kJ6jsc~vgHVxj3VMueo0VahfgQa`-x7y~SKR-*=kF+0yA z(w7P&z{Vda9g;i<+KRxw~iyfB(2o`yQs9Mw^m_1SMGdCvcfi<+gEgZxQ*?e#(ka@&Y|1|A`L##X}8Tgby<8 zA|&1-XmuyJRpmokfp3ZH(~P7&Uf?H14<0%Z99X(6Z>L|oz!{Q7idQH`un>g|f9aml zB!6`m$9ubqU)bWA(50==aqD>r`vGCJ>8mB?FU^&Bhl&K?e2xNpB3ROr%im{znsvMw zDvbM}d^|!|k}4DVnBILyB{yQQx&Kb^*lRd{J`Gmw6F+(9f$o}!*npFj zszm>xtN+Mft;Uzv>epF=m#0M(ZiRGp7Tf0M#UZ$ai@{4>4yO;8ZsJmrJRjEhN9!Znvz#?;XU^r1jYt2@kEeP^^A6^l5v%XGc!48q#w2P; z_wNF5sk~VB7mR+f$dI$$Pud(F7B^-e`6&#vIZP%9mP}rP9QRWQ(_m2vbw9M9I7CRY z(zbH2GBxUUjQ8G*nMZyGa0@mzC6Bwb3xm81tvn{>Q$fL+<&V(`Lby?Vz-x)?bDBpg zqh19IlC-P9W06!Ax(tk`MAS~z{=Y^(vXS{iOG?W074^MVz4khCHUWb3FiyNTTFQFI>yezxf9uYGrQKkAsS6ObpO3wIgk5u`x4A)mHwfzQ1 ze5-#8dil&pEuk`un%xrM10tZx=@GsrD)lyua$(3xfa57LCdBl3u-_UM7Ula$Fxhmu zN-3YYT6A`uNxzk5$LHa%!loe8V54Q3;hjCJ;u#7~jo<k3hb18o`@G8d}pr>7PQ-)z`vQl}! zxtXTZbib58?h%$ANn=Qc2w4}?W0CNi$FZbPnhl|gX6vz&QA_-N3>w+iK6QrkU{BRW zqY$p?C@hK=i**X~R1yjv6PvbIue zW5`0n-LhcIy(VN)@&d%f!gSOq`F=58x8t>DYxk2Jeph1uA9slg0?RFDi3+!#`hKP3 z4bFoo&20H!>M=kf@@1NJZ*Iwix5jltquTSq2B+myUyaT|tDNwgWliXh`~<<8x~yn7 z7!wU0CJ^~oq`qTmjGCH3u0yd>rd_Mw01D??-Tin>%`6Wrk>~Za2w(88_t4=f+etAw5N?WcZB+3UIT^D1py_vS=`u1j@8i(}Ouhh?uZ&Tr-thQ+d7I9Uo@v7Ju`0KS}JDIbVn znqXZ5>{+hGxI*G}bL6OM)SRs+z&cvlVECajpDWD8h_Cug;yXZycd$Uku?emvMrhxc ze6w^Fx2dGPs9Vbqh;RSa1EO|Q7zH^i$48NA-9mL+q~tIdQr@b64zXD_Dl-zr0wBFM zfrH_@Gpw^*-l9K2j*)S8eKkw3g?!meJq`OP;6Tn_Rz^7>$;s;lr^zPEJHFXgJ`RI5 z2kIgfXV=THXm0*(Kej%v4ak z8oY=jvKfscDr$`6d3@cE3(M8s5Qi;0y@r4!dl-F6U}8KCb(x0IaFkVo*KvdF=}U{8 zA3nq92^Y$uv8(kn89L^a#5mlx&Fiysu`!iQ3TpJGcnhQNkWavrc%`h|m{isqwX9u# zD3<@LXC5f&e>U6hB>PZ(%3DPsx|wO51bvB4F-d*bxJ(~pD)aeNtHq~}AdQ`wPC@_0 z#KZIgQ6_d(skI4Yc=P2j->qV*fy&Ls#;yz5L}T6wKZXM5+cHJlg4F#9_sKA6SFz#w z6y-wZYDkl<=>De+ZP?IaAG#;nI{mlBYeZ?3fyx!!ZO;ZK6!-THN9D z%Z=~S@Y?)#C9=|M77bTRv9?BjoqH-VTDzF`g-QeX5-g}&bh*qNCcPu&M^@I@JzyEC z+&q)G6*C_k=d9JHO15T*aXSYmXIE=i`x^YzkCPg;Wkl|F{jJ-EDh*0GmI~r{=|jUf zmJJjc4!>8K<-&W(;{>#a6h2KO<0+eBhRy@F$cBa=z|CthnwSE-x*v*dt&i7&Y7%_Q zj@KMToi*@P{HD;VodDk#b|sG#miUNtdh2OMJTl`(OlmeSYKmNz2LI_A3k|Qk?#-7+ zPWE*3-4{nFsBP@91hBNLvQgXiFClCXzN1TLH?lkl8mL9%Zn>!3sWdrkE6$Xj z%K@yJ*s4qPksrGZ|AZu5P|AS9Cem3UQcRDiL^eJoGtr~7>-VwTJND~Y((UUwHx zkLn5)IN}Cp=UE6lCY($Z9CYRCV^(*%{+c%D{z{~lBchya{?Rq1Y@5kb#--~mq5Cf;W z0$n<%hp07IuZv68b*RezcqXs==`XM)BIMpR>*Oc?-6Rzs`rbUszg#Y|Z-{}u>v#R& zb;n)2DSLBnR)_Dtl0*_mc~0~XM~3#qVEPfJQ3JG69?KQ!&IVrgJ~O83PfTL667v&zj{%r-F?4jfdMj9_i1P zP7aqdYHvUd+T$rj_m;K|Jqj)PDp$g+Y4N3}Y;R|%q;M;u@A3E-oWIXa$0VWtLs#vy zvBWs_bL`cx2G~1qLs5*C^BTfIDVRCuJ?97iKdev`7P)Ex|d5lPqg0tIK=pltN`5W z4s85I*7!Z?60A|Ski6#+cg~->r7nN}mYV*;PUYBu2oK?YDfmwzl7C|@2(&dE8z}Jh zG$RM{`+D!dCpCoI6OX;i1`PPm$-?ITo>PO~cYc?{0+ZGV(SL0eU0_7_$8cG!wZaViubuK8Ht;CelV(vtS4pkBXI*ATqvw*zZm> zS!PS(x*_~xtboO`fGh@iyhxU5+E5jc?rnb8nQn9ZMA0Xd8HpW866{nR*!?{&#B4jH z(>GNTq8WkWusa2f5tHn}%QnkpTnE&}N)>-|>m$I0prgW3!|I+|z>Qx{jiSyt=3uK2 z>(!q1f~XNt;VZ=8WnN85BLHvz#DjZ-nh8cvi9me(677N&Ej@x1wLl+w0VB7+6UUgm z?bNz7U?s|GHG~C8Yac)t4yj5#l|P)!iLy_M2jm`*BC|2-7@oSaGK=Hv*Zgmvm04^S z(0Ix00Wh(hfG&s_^zm1&Y%|5k7Dv$t1Q~-5&sVrzySyuxla^Qhvmcx`U0DuRVLq-z+ z(T+M705S+@ECJK3O^Kr;8NmK&<1SYuB7N8b$g=J?n|aR`33?31o5NN+*@DHkC)VWc zBbJealN93wCQ!fR&>cZVJI<9pkT1k{w<2iZ^BnxnO7KJy81PH&GgA}0ZehnU)II%= zvf0&lE#&BU5f3=^?srp(X@KLQA(;H}u+GSF!tgTk=U1EiAIUql$BRyh*GnFB0~f0< zaU{Y2rF703c^U3cWGevPo8Wi+Z1;zinO+P>TsaoiQ*Hp2%_mM~T-G7+n8Yc#h*&KUk(vOMZ!Urz= zy${6}8QclKbp`)g)C)hs)@y&-$axS!Ed6gM+e7Re6d;ZQ5^1?=#WK5zVq~r-lW|{9 zK1gZ#MriOTBxOU%rbIfnA<7sJPJ*olLmP?aH`b@Of&U(@-10dkej&OQ!8n)CUUQh4 zB#nGQ9Ft zRr4vmw-?99Jv-;HHhwih>Br_q|PGP79PmWREo_$mnB(Eu46r7|`i#VJd&sXYH7zjO!cF zkw2O>f55wM>Ahxe>pu81D{=Q{wp5|X1l|}C@ra;<$ugH0P(J|~6txnymM%*Bty=7B z`D7;*XE3HVR=jkh4&CeU@%loCpEEsMM1-Lq2x3}eO%7S)u9h4>JSbki6p$6G2upv( z>$d;xoqg91Gr%Z6!F$xi`@g764fhqo;T=MN?lfCod#vHBcIy5gCbRn?U0q6V3s~@D z_qxvx0`%4OR7O~_tEHx9f~Vy)w7gW1-^|wO9u#oH%J}2#e4lL5*J$rgOA@0zgCLUO z<8LI1Y~PKQecDvU8iw}$(6g+@!d_qECgH;Q7oB(tjLcq$53`LtOqi*+R%xXxFO1zr* zLZmC$SmpE)1j=$rTycHVBrnxHX5_4ME29|;CV%Dl;IHfQRM^z4@xNqAmY)o_7(GQd zsvem|=eAq%b_X=>(dz?hC%2#DW!3Fc46ggH2_0+TP6C`2sShb1bYMVdF%KzD0$3jXlC(yDuokE%&jVc$}!Ye8vn&){Dm z{TvWQyw10XEK+bYU1&u3^Y-PKj$?3dW-hWq{3zr7-G){pdNF3IA5OUyS^*! zd?hw$KXZTKobW4~eIz_vsHr*2^t;{N(B&td)CH*Lhnq}x>jgj} zTqtUc72MisKW#gzA%6a;fa$F-;vuH+^!a6q5%nq_LKrU?1`-OREuA{NB!cavpKogA zZoY&gLljHIL&U?cAn`mZMA9RY3z=4ZM( zIcNtTg_u>!)9_6)ij#(%D|skIicfq+hhq7j438>@UZ z#vJ|}iN`@d@!@=utk=*&BF~c(_i#dgxqV~a zxftKJTm$dNCq@D_$>smeP4mdYy}f4Y{&Kg&`_7JKIsgQ`V<=RylFqhZS_FkOkQJ5} zGa^d<1e>YrZ4B!GGz5mTjj+e1Yl0 znvF|9vW6A;z@r*Mju#%}aB*(TK;$=O{sSX}m4uf@@mWMsod`8jJha4!WC|%e3;Z_r zx2a&B0{>oxGmUUE!KUp6Xaq{b0QjiCVV`kuu==5 z&GP_IL6AW{1HypeVJwqun*cVY-_JmPABh(XARq#5aTZXwEGSQ1l?4=#i{%QLE%}cfuVL2ruEOny z?nJbN&3C&yjVG7Larhkx>W&B)iU@#2(}EX*5ILx7GyE-QqSt?pW&VMtsGPoQ`BTUi zW17-rRlb{ns_;tBC$9eBj|YxV8w7GoqOxFFSr&0ziG4Jk*DEv~LbF@M!*Xd{43H8@ zo={)_e2x&Q(7|^Ir&2}A8#>i)HEv@h(l{EsjzpZ*ovM~^0e+ifW@%Z{U;;D@VIf%v zxSzrx2g zk>vA|tZIb{PxdzjkLMW9&g){vZ1;7~u`e+=Y`@@#S;#VacyqKe*kIAfDAKkqu6W1m zkZF%FO&sOSOx&V7K5;nF$>ASev{YjJ2zHcEWa}G~{VDtN=g5p%Te>qxfU)*Ot3gE? z#0SPJydVe=bf6ap1WN0W{d+{{{PMv%S%P%uTlR5VqZ+qNOJs}dKUjaCHwl7c$Uhav zWRDR*%ToA@=6QxoX7>?L@-LH<+`}l&)U8a-k&ou(7uDtJK-&B!UW2DBoX>UwMt+0# z>h|iEJ0MVe1X}kU-&rWOJ`S73)Sf%XXrjLFZnDP9g9a>#8LSB@PJF20B$QxJ&O1Ly zK81wXF>EYO5zY43&>(P4X=E!bF;towx)vkO-rwHCD^<@q1w7LNI9QVp$U_0qLBb%C zJor}eXO1&0Gk-|@D@Ym|JlE6D)2%(eY(cy&A(3qXO$8e$M zYA74kmL#oNJx5pUZ=hHji6|l>NT9tS`QItRZ}f%4ArNB_c?nSQUHhKHASxhmU4lW~ z2gR%pDO@7%INErPM10!1!M77-$R?*Gc0*+1Ufq7-Ts|%Hxw4n(Am(D_xhbJXd<%c5 zV&%2330>S%xVXF6_|rolS<-68aOgtzJrR;DD}WiR;tqxb(jsyQ3@Q?Z*_1FxFSfdo z|DYOE@QX3q+*Wg2O27Bo zz$;|#d#^gcBA8f4WTfvqB`Lu1jPC^=h!EfLWe)eflN4|HsYsFe4o!3kE5M>U&1lp* zm>wad?-Z3Yn$6-BM_G}v$*piPl=K>9dN48_A+5Nr=$eX*L@(fEnp#mM^89^{!A@oF zXN6~m5BiXlaDhVCz0{~_I^uNEMw%TC1g}_ZzIjPbyr?V^ls3yB3V9AWRXcG-;&3Rd z^q6j|?yvUU50%M$Hfk#?SKC~VV6b)382N^~(Yr0aQ&A9pgEyFoAxhukO)s7qJbKa$ z$T5kJ>y-UV*hn|cgC6wW=qm`9q8}cT;#^Z%_HUsr8*Vk$*VT6TtCt-t6EcwydI`-- z1ZR&$kaU4KW&}wHW(#ZQmZ#0fL(34% z(8M}5cA^TPseI0TuYIri&J`<^q8~!d=`9W+h!(@EY|U-n!9^u-71WtK$2&&c^&9r#<{k?lO^`@4Ju4ST8o8{66A1WL^IsoOj{ylzB(0ze^}h~MjYsUBdn)>@rQ$8!i`@v4~-ixa~+x)eJ_ zWH_3|w4x(g1435}m}ETX-hs9yynoIGRsHQBVv&rn8G>m5r*WxaWty^$5KR&oo4^Y) zCUB$~N0XPSaz9tIhvB;tHBw4y&nN`OOgNZp1%Wz$?*8SdmNI$Nx*qc=C}fD8L^ zKhLCWx@62klt#`5?%(Of? zjvXX$mK7E41IhyLPF5ESCE_e+OJeXj8Dv}+iJ|BRt@|PKrgl>3v(UC6ZFIBr))1Q} zzWrEF`x^ph#!yv%$aVKY$6)4@jHZCKGhNGyAAa-q3h41M!9GT)4@<*qJRPx~s16ud zaab4ieXYc&So`@kqe2qTK3Ll*44S?|rk#0*kLM)VQ|{S~fHj(Q?-C#) n3mCH7Z*MWOp9>~l{Xx~eULyRQpI?BNM}VZnC4DRl(!7U-UyA#~q-2;K(t|55v-~oc$&v&2iLv^3k z-K(nlSXJ$_BUO}S&{2p{002Ojg-WRb04(8K6G4J~dvY6|*8g@xc82P@0RSq_e+>r6 z%zpap8hD=7(fc6G9{b+7~g@0A>NYYp{7e39FYe-iQ$0V(oM zYIsOsHHqi|+(bGiN@S2+1ZBZ8o@yVKv@|@)NPYxdTwFj5o+=Ak6v{8eUCP3^;G&4A zvBxc+BKx1+xBHVXElZ*Y)mJ%9(}>@Z(9)pXs=NVc6%yoFzk`PdhPHOu!~;=ioBPb`S5_rxVhO5pu!56(EIPt0|7aA89p$8ehMWXOnxE&#<7f$0&IkU z>S?VgX+Vbqz_pSefB?T(0S;MhD=1Lk27I3ap*8|YXaI+5L?|Nw?*o{OP*ZyYAsGPf zhf8hY3+7tT0n?kNG8%#|{_c1G#6N`+(&;4R5VN)Yc$ud*)Ym7nd8z?fvko05+#OYH zmpG}+m@BRlsz`|>#zES-SBvdUmPa_zOEsr*2u`u8ON`UqLRBarsJ zTkAu8GT{r6pc&|w07;-&1dzI#FjfaiFoaFklQEgFFNl-zd{?yzOLoR!>(^|@5OKzQ zFh$DkW9SYftr9&NuM351BN7)C3$Bw1}k4E6CQpqRsLOIo$R%kx+1U5ryIQB zu>+;QBlE#~Nq|ks-$Qj2bd-KU%fX~HJXkBp{K#-2s{Qm-$>s9Rbe&lD1B7N=oZ&i9 z7V4ka@i^=tp9skTej4mZNiO=11X$UIVvRZMxes%WYSf1;6A+1WYGDqcDokZQbLa02v(z@J9 zL#)_O_c;6 z%8CMrB)1&5c9Yswij^4RPP)row!0GY0Yll>E5E1>+;hflMv_t&G$4|Y>IZ$6#UoS%`!&ej$ysl-dv@ank z=#uj4bu2qe&+Rb^$W?GE+xYbD;DOYa{aNGr<3riC44Mu?6B-S|D%upG@F1^?lQ0?k z@al!Cq~Q;7$r964)2~}0i5;`TMT;L|KVZh#4jJsw?0g*hI8;Q3Ku1X@uXv<*mZ_%L zQOZ~qp(dw>_Ged3R~c4Whf=aqRqjvgAN3clqpcNfMD=^W5LRnjKeqasTALAA zw++_*I7|MP?Az%Z`z(Tp9=?oGMW#pQ=hp0sE2t&7kvWxpCgwZ%FYS=sT4x$G{fm32 z6=$4rz&1xcYhK2hz`DaN_$negQa)&$?W-tT7Rk{1$hTcN_iGo!t!&5EJsrE=JBR{JSSDhFD(98j~HvnOiTEY-J_ zcvaq-o)d`Ph`Q$Oi0%mUZ*Xns8c*HC=cj`w))Mjsj;svRa4=NzF!Jj?l&*K2l7(rr`fK`KpZBg>jo8B)h8$IB#I z$z~_K!r#f$DK^Arr8}{xlcOW+AWsTmW2)tIbm-Z9I=u?t&e=xY@gYcOA2D?PR4~>5 zFSHE5f(@HRFil(`LP;Ry?|TqaIerZ7C5{(u9LlGDvVLnS_F2B!h+mQhOyo+JP$tFC zNhgWjyq{qAp~tYqgxF|pscqFe894??tIB1bJe_D7 zTTS54KF@nS#qP)6N@^_$lh&;k8X|AXm=&+c!nzK6G-(bzv$4IOEy8ji!5q){38GTc$`SkimdX@d_ zB*SV~aI0iTQLk`&w`JMr)TEG@MzO{}jRy_Bv$^#a)1^Dd*)tNK?i-$y#Z~?8+h@_y zo>fg4O~pm4MaxIo$EI7c+Q`boyR^rThBZnbT~3GL=HQ+YsWDoYIu;hm=0r5q;(sz9 z%U}#s^t|Mpd$FSPp=-uw4{cLBOMTisyhYx;B}W%r@r?1Q-a?$G@FcS)W4DvYyv+QN zrJnhyZ>Ha=JRv&!^JwGqlgugwW;Tzo?kBk`jZxc`!=U+O>&xkwoYWj&Keqcdlhwjj zp9Ax$O*>4d^G=Za)|~Wf^np;f(3HVtyZdG1>K=}EyLM)spz+5e_aot#{`*eZ-`g1WCBC`JN>a)}B;O+G${<@zl{qxj#*RmJ= zSxvWcxA8ym)A!4g>*0%H`Y&t0&e#0yzI)|g&92GZB7_D{za(DAV@ke@&xjunLk~O7 z6%d6$w#8hZ51+~;r!A)GatU4vU&d<*@Y((D7LS*vX47X2zFvM!?)~_s zQ2!8l&!{&yr_n#H$J0KqH7~OBqD@TY-7jE&hF6>WhHLeivd3hiThXCNg0RTrP03etS00d4+#)BUKnB-?!srMS*D<{5Q z0i=Vew^c`Hqe5B9{dRcop%U1t79b)E5X5}y7t)TK09q@D2?+^BBTQC&6X(c2#*X+9 z*DMVY$9u3iEHVvzlGdkWK84(~+RvL5i|g~;^EiBr;$rcG4vND^N4HhCJ_Se?s3rf7 zjb8=Zx1*SSTAwcB{oRF3^ZOxQLZ&oQQ(uzzhK7dTq2f;nKN++c8@O0vel_6`aN6j0 z7tDFZp|s%W6i@rgZtVAORz{|1RzgN{An6o>D11`?L#<-L@tiGw*lpAIHkO$8sIB+8 zruO*kjtC2U;Vs;@<|@yEuixRiCs`+BcSPT1xbrrCql4ehMQv?uDzi2URUekTD`*hQ zqk1eq!duC=Xg6*Ij_7n05|U@(!m++^L>(vst~ z@hLVoR_uOMSwqt!e1-!B4<}sTv7_XzgFyo0wMNV6RmR%(#)D`>YPTsjD9Hsg)e8Uk zebcUK^a&IR>tQ{P!811R>L5UgKjNbtig|Tcm(TUlqLAlF`(B#9g|6pYpKzlukLMK8 zgBxG26x)Q}6m#C6L?vMQoZ-Zbt34n3m#$YeUz)OKd^VlIY%RsVOfr#w^9wh2Bo7~7 z=Z-a@G(y1r)d4EpGM=`=vZEq&NUmKYF~Ft8pSTDFBtO(wq%=P_1}nq@XLrVgaJF&9i!pR(T>&vroItyZTHJL>AY-q^pBHK3)e_E`lykq_|kU81g({nSUVAoLxB&rhdbfKjBF+ z8rB1~)1nxwbY^xvl76**|UmqpE5GY{7{M)gRCllW2p=k9MgN!KaI z=;pMTA0=k@B3pm+S?872F|OD8r>onZSGRGU2IE{*v@QxLLrJale}PtExcw*L&*>@I z%)r_#NggI)8@t}0Uq%+0P6wNpaGfYQ4YdWd2Fu=$g`wMbOY8f&;37)m!{#Z%!*kG0_@Wxa(~^hZi4~YpJI6X;OJr?fwT-GGHd^cre_>(l@QW-G zD3rg~kzhoJhh=4Dz3}et>|7z^qo$!gqJDqn9}xgR*YL&+7=vry7l;P{Sg)`F_6!Gd zlhx;}{-e;0p3nLbF|PkCczAdwvLW+{B@8{;vXm8db({XL&t#@1 z`7saRpInKS8KAk<)yKDVk>|N$%dA!HEHh;UPh$l}R`00gEahB)fl2II$Y7=o$DqVT zf=Z>)guWdighNy$B2eieTrcT)4tf_^npIkyL!`WZqFx$E2-WOAQF``RqW13Wr_yfU zhRc_c7)|49D6XuOvxAtgcPa}C3a*(pX#fJ$OUve0rZ%85%I@=NQ}IjZP};&q>;y}Sf~2?6)r1~odNlxdyV=%a zZtXA`=GYc(NR;3lmt9m^bwTs*A3Y41w6gtZ8%IoU^=3i-+)eT7ff=dbw;jB;0n4)6 zzWEvpnPM9NHg}c6`Z8OQ|AA zzw>@HBr2|S6*9F5v|yP2FpnK^6lzVLs*t<^ojcXl4%7ZjJt{@aCVa&pr8$pXE9g8p zn8c2s0EXpKjLi|f1?S8*S9Yx*jX|M$mV!lBN&--I^8hphkKb=GPM3gI+wL!j_p!33 zvaUvrSIdUGl)mVc;-8Z*>MWEtveh4C{~A!?a?9DSR$5M6RaI+eTPa^gb=EzHr`^MV zk4$xtSvrIvVq!<7If4Jaw85RCF(vot9Z))?)2Xa{>%zJvil9CARZ33G`6sSotXplz zhe+ny6J)N1Y7F>=#oh8D!QM^nZH0~cV)*p52(KDg@j%lMrp8`(((c6Ues@E4EC{7W z8lJ4ygm6nxKV&C6QUzU(R&L!)$QWMLV!C{&^K66Wnz{Hy<@an)E0ZNX@XxkoRjtO6 zzw<3r;b=xYSUEl2^VjRNd;UB8&5fk)QlH>v_2SmFjVs!agg%hI2okCcSGj__C<{fq&89Q=jUyui>Fa z|7E*Qf4bj~MK{b}ZIoEY{?9qePTkLu+M9Yc$4s4;JvUGyvC@akXw2)!7)b0iv$5Mn z!On0>c^yG*xrE6`Itk**o5@KN&_)6yBRX>{Yic!ig93`_eE`+i^Lmv59Adok^=TYp zOLA#t89qwwmf|Zj-k8H={o~CqUe}v>pF%-@A7H0@{@wH>>p%E(na^&xGZmC3S6HxQ zM3g3R^5!Ve6#}5>8+R`U`2p&f!`3QI^-&$FjXVV@Ue?Ks+T+S!(qDLZ2i+By7TuXl zn{900$90%nhU_jBl>y)Vvwib7=^wiyb}Up;3iegZ9wK|9#M)y^+K%)w323ZM zWPuGDmgNOhzge4Q>n{S_Et2v1E7$Ir=$yw0_uod=xv$@DU$Qd9Doo&{@mB2l5tYLG%S)cI&}&ny5M8_z zLNMp!*J+B*t;~5?KTM#zX}hV+=!F4{4~bNz47ICXY=`D zc3vsn?eM*o^f-QY{@7q~R<*b%o(DFp(+0fShg1yA%V(DF8 z(|5x{WgSytROcm?CrE|)?l}Y`n`9}SNTZu%DKXMYw%%C^^W9wDNP*V;)%$F*W>tvf zm`Qz908o*=@%F_|1;9BK4)udUs~^4E=()}pE&KHSq)WPqL3mpN7L$@Ag| zz;QeByvq0Sqhoo;i#|cII`WV^|9AI+aB!*}$6+i%+G$*@+tJn;TKlA332tL59z*td7#G3 zbYIk-z8l|pHR~KA%Hpo#CHyP$xSjRWio8w?x3;3P8UV0{cCH_S@D_W-kpKbi#(WP& zba>{V0z0gplFARf9C>1dXqqU$ABLOiUfd45#O|h}bG`rG__OP`><;3YK_E+Da>nR^ zG6Rg(F;E&!$PSbDjzr_cI!-5m+d}VIt9bpfex=1*rh5mj3=X7wQ*G3B zpZ>$TOg+-3xU9GCIK{lw|I(I(%3Ih75OBWXkvp`dCnZLCAP~E2uJ#7RlN!@(j4s!z zfWI|$d6)n_na}s~(iJh`yJi|yAi-jgq8cf*>YcM{7Wr_ z-n}dBCCzuyiX?F8pBtBO?385MBEPfpwi?EMY@-gPSE-|0vGk9HivdwF=l1sgg)x5! zzFngsHuit~;q!VfnGXo2f`&0_>Fp#=@K=)d@aR?G;Lnekk`L28C!H$~s@Ywl zNmwc2U%UObo{IeMyXb>bCnFf1Xfatok>$f%>JeSuKT+1$hYt^rPt&>V$usv)o;^Ts z7{Kpg%a1EED>JEbJ%PVV3hw~9ij%rnFF&O8nv_UfyI;mPn)l1a63hzFBvK?z(fjFJ z3h%p64X!CjS;_+(-d3evUvY2yzZw~Ge?CH#$KcdH70dd<%hpX%qWBxmQXk=$s@g78 zh}I%c_jO-biPMW9`LVUat#@}p6tOY*?v#YU-foNn?eR%-wI?KW0GOT6&46;lRu z;32r6ewsoJx3249aAfo*XC>arzr5g6cDWD;iU0ZTCcM&)_{$5ncp-zDqUGMf!v|QT z07spiw^iR#JSZYF4ddY(uV%rvzM7o^9<6dZCreoc5QoT5@YkQ8 z@lsoos%dakOYM`2?}G6HO+srcU~QiQRirfyEj10ngg5t+q#4r$Gaiab7810PYO-48 zG`5G$?4UVb%?t0~0=f9%X~?{XW)kk;j%K%C9eY5wo0Rm$!xPNl4yvX`WQw;}bxgwD zQ$gu0ai3mY?6PSjt;#=q!i+IAuhB$N|S5#AWf4C@Tz z+^Q5D+(|7Di7;{k65&7+NChb%31mw@e5BA&Me5Ngn$Z!6j1n?!%4dOtmwY5#a|IbG z*`xuhv)`-SB~*V%78mMmAC;spzVbj@OY{umBi>ZXDIOFMQ&BOpdw~f5B$pwiN(=r} z1&CjU0OB`qi?56YdqGLOI1;5);lf`#3#+=uFQ=^jasyPFys>y&#QtFQPqIm581l4` z10?Z}i%q>LpQnNL6?t?itI+yPePZE2ZroX)nE2P zs9#>5s!{^BtMa8>A#B=FKO!G<-v^-%zJefJBB_5=7yk?%WdBlG0!5arpE09R zB7qwTX9v?0)0)SIVjR0oUR>fuo-<_>@17Q=l8_7F2P(DM%G+Th)?Q#;y;LKyV3XGT z4$xo%xra1{G(>V1I`}GDUjFSU?=#%Ws5@@r1%Xh-22dCxBG@*$`sWB_7nT;D5Adu- zAM3pM95>i-q;DQ*MyX}V^RZzh)&@CyPn;OrdMjf(bcd*sX~OV#g~?Af76kx?C~GzQ zE5Br`7$U=_;u2_S6uIO!KcuDjTqJuR#$0d*T(~Lw|Z28R=KIYADTVmL@X;8b&skusWWxMCu zh0a#TwsDk#2pF<#RO-xVcG7p8Hb029KghYG|EzV=#ues~+VqXsObkpBQU`a~>F%eX-@C=kx z2B{zkM&2GQ2_#x6TxRMNH3?)a;{o=4?J5B6?M=ae4c;n_9M>z>E3dNE5D%6FFcVcL z!@=g_R4y0tQ*3`T{k7{9xxL6!TNs2Wdv+Afk#2S2zk4$C%mfibfZ$~J2{A8C2t7(n z4VpOtg{umNKtq>)p5A!o{eUf4OJ zz^+s2zZ-cp7dy&=Ce|~-ssc>UN z-{QHTN=#b71R`W%W9Hmb%X+7laF(8hl2b{0#ChEnzfH~ljkL+EJYKn(JpTFR?S$K^ck#BhvLy@N zRGNP-N5QHrlESDr%Nzm;!#fw6Rbnp=&!2|~tsTZveA8HT=jP{|%m$;fd)mxpryRQO zj_8um*;c;gAGkn3#Q9t0TUk|pBI?%Wnb~tl$8GuZpL_J9j28dpQioy|_y&S8k)i(b(|IxEpFN+W6lN@j9_SZQU~4 z4?F&9h65}jgDl#_WA1rjv5TPrLG^?zW8*iMAoav%zW)1slH;?xGM-*(>q zWi&8DR0!9Sy&gU&GfsGXc4qYLvxk$@IqO>i;A)azNaiD68uXic1Z#m^gBqRs;K1OX&onLoE+4ukii)tLZu*NhGkru#UfrRKO~YIf#L%oJ|>=c zZ3jo0UMEFr&7WQqUr$N`*R&|maIB_Acg6Oh5^_O9B^>9LJV~9l4ah}YvuAEpvgBBq z6n)~=NzY^YLHK>U8h4)@`Klg<%oGWA#y>Rm<@fSP;8rZ;eENyGf8*+V2%&rJX#_4= z2eCv*|vj%~q3e9xfM$J!**u^56w=A|U+Uc0>j7are^dCdIGLD)#8PIL#VpaA zwx*^ zaa-AJCon+ehevWeI?d}M-5xhX>1Q^x#+0pk23+A-4F(Qz)znOC84P$;4)?HdBnFTj zJZ;1b91IP-ye`i2biFY9yL}=oxDNUWF(@T$4F@W}dozQ?3*M~KT8sz3TZK59yFHjh zoq*;hj@G7-X|%)8yot;(>sG|&Us;_K`cH2RALcObVMS1_;Bsaea|A};$ zqYxc0*VAMDrJf!}vZb<|pN$V4t(@pPf#7`Ga}X*62&kxsGGK#we3k_ZqRDt&r zu*jH5ln}}N0>d*FY?}{s?I{d{Pz2y(YS~dGFRw*h@;joaY*ep`!0=o7eP)0JO1fai z!4Ir=3C>f1F^gO^BRE5|Ci6Pm@-W7)%SHi{Kr( za-lNL*>_OaUHo@PeT#Q^?8dG$^QLWvQrWmkRV>H)Detp)sF(U-ur#Y}PGWBkZsFr) z!B7tip4FSjQI!;|38I7_b^vt@6SN#IQM8%cC4J&uxsgQ=UYG9mX@ zoKc$%p>Ff0mDI*EL$JU~zI0LP9XK1Jktk6~7UsM2=Xu&kxC8^Vah1a6L-{6iGtR@S z8&)*nzy^-Smb|8CQz2r;v!BeOo*Z8}=?7CtRv1`aa-c{uG(Rl}7-8fBRr2YwLBNHR zX{vG81&XLI_ zsUbhXV$uyB&Z>9$WEq7Lo_f8ZG_u7kuBxJQxD5O~g?dPj#Lianf|y6VSO`N4po*%{ zr*l9J0OxNB6>ESx@4wslhhA+BybSgu%NQPwxT8}mYfhcbLJv9!SU@8eZ@Sgpd>17} zog=vr;^E=pD(WB+IF}w<&>p9TVwbP6HIaJWON^$awBhAhfUc&3BYWcg`izH2F5tsn z))w+(9VAgc5a;W>sy z*KJLMH2N65c{`yMs11rp!`J(+Ai;bacYk`kz%POtO_xBq@pXdlL*u9iO++>bIWgMV z3Sr=1UMA&y&`J_gqC&J3A#Db=8F{pmo(mwJErHHC%*><08(Y#>`1`*8OOs7Vb+SRx zTsebG0v0@gK$<}1D#t?WD2$YB&@#cq`S--FfHZ4{5Tq9c^Zl*p*0G&ukMmr?`N(T@ zmz>N@!UW{^GT+>>8*TjCY85YW+LwLI{ydqer$=uSZZHvQY+9s-3__O9w6<8j?xCKv z^vc*>WiIaKVKF8BMZ2j+gwJw#w#K4lZ5l}?Jy0j;vsnN$}x8fGo(cC(%Gi>UvZ7Gy4+LSPVB?xEThu04bc2KJTVQQf;q!KlBMuQ`PGVfX zBXbWs8gAgsZu^p`$-g##dAS~j`F`wwpYNtfb5e(_iKt%||Ka<~6d^2sQQwUBl$K2+ zA#RFVBrG)BZ6pk41a)Sttb=8W#rkoZ4M+ar@p16$w3zR(U3T+yftC-Jrump@kr9M{N8eEOf2zZI z>f%`AzK1iHw;Lk+e~O|F3s)#sF57|nhHShUz` zH@TXBeG?WjaDbjHiFjlNuNfh6gm?%YyyPM^B}4X(Rwfk)43$>E!j?z`whSixXE@A| zXd{BA8y_K)4Q%byb}k>SvcI33H{TIjWYUx?$zy>Cn{sgSyB>Puej|J($j<_3Xr z2I+8ve($!||3i}Qhfw0OUXA^$wRXVDgun|L5OBJAO{iNt<|Y{QV(O`aFvz6FK236q z)(IPZ1deh9r2Ww2nurr@rDs0ug0bNx62a1r3X`W=&3H4Wd69&eLFuMM@D3Fk5rB%O z>eaozKBkDz(C&{RB~b^5LiU+`WK^tOy+W(XQwr(c)S_qX4Lmu z9ClDpAedHzOA8+y0*VeERSgbFXxJ&ehufm^O;C_({iv%Rf$z54jzWuvFUv=YFTnUI zs?XBcDu8Afl1$N}d8pk+e}v5H&Hen%uuALc(VigBOkyr;7V}bHn0S| z-L0nR!0ayWv_xW1;qb-WsPO*Z-LL4PVPAC~1pe2W*5k~(_UPovvUA7__Awq!sn{yo z@mPpd=4433A+efjV_twoQd>6c`#?yTD6gb0dO8Tntdd*`V=Wz~=;D&nb$*BHWg3Xk zJsyXpQ9@H2&Ws~6@|K&B6>M8*sX&vHzT2gWEGcVBRw5N1+$T$~4mV{oiF-ea(nv(+K<~D1H=t4^Vi>TCWkk0NV7{#aM1>!u7$yIKR`Y%|S8eFYs}M*fan}9Vlbh=q2ah`BmDsE#X7GIYGEY`X&C|`vE_jiZ z7`choEJkAA0kuihc*d%DpzbzwTBz>q>wV71LELD1M8l@m5 zNe4+(FgQ{*mza73d+Cf{`=#q#sIiStlv&1dK|CWc&2;rP!n|h6*ZaT#l06q&znmGp zRt=t6C~dILhd34Ur!27aL;}Y|?rYNa*szP066rHKozhCSoUV?UB%%*hZ@qd*7(I|} z5hMDekTWXQ@)FcA)3{DEJjPKr$EWlIr5(;kA@eYqGq6VB`l~tLFU(NBsfq6(pIjBA z8Td3H0ERKQ4^W}QR?SDyn_Wx+(S+dOw&1m6&253I#Zl<+tX`^X%l(hy{Ec0#Eq(1< z7CRqWuCYth=qUiKQJhabs(uveF0ECIxk2(C{rPmzy1Zf|ZdrZ|llY*lTp zRtZ>H;5nol6%b7M7kHaP-l!SI%_^j?524Wm6>s9-H^H^uBEK}Uot-E<*|PDa8pGzf zvKK^(g4=O9$NhHXANlCDc6AW`>bHAwfSlEkpgLFg@SGzAlgAINbVV((T$q+{!b#zv;)`>wwHO54pTasO7Q5r52kYLI&h?W%NGlPVm<%xXUlkOfh(gBVkDCP=Dpc??c@X( zplh7*WnvGJxv}|S@tXbhf{eYc+{vbS?IdGCxjDj092}xnkRm`IGBY7`pwY&e2u)GG z#O=eDAJf&Uir}MQNc+z~|8ZyLNE|z<=QdrQ`=#5~Ka&A#p2r^iYwj`_32586Q;Ys? zEZFe_*p=aMUQ&t5S}#Hr(&S(MT#OwJwN7id`1Xu(*xM18o%wrDoiTZ9@aAHwrqYEV zRTz89x^FLvq_*j@Hn80a=pH<_4OS?or}7i8gI3py7|xFd(@~Ab~jz1P82; zep#O`%PxOPRX;(p=Gt36&m_t;=^m!TvBsR?MP@Oz%J8t9(BAwE`(dH(xzeFTo#lY9 zVXv{sjj2c6iyLX8UPhrMPgMZ2OcADfsB>MU66W((D8{xoixQuBT8w!G#SXGH zTpeCXRxi`iS2qO)wR$QYtwV~Y8_6NcFaTgh$JrhoVeU14IazlCfm2^9ZEFz0+eZgt zeqN))NPkkFi;nevyi}4VaEAv%u&~UvEy{!Pb)j)>q*#o+GqmK#_h&6)%yaya-t41p zO9zDfHz&z2JvStdOr_Qjk1O)nig0TG5??TmW8N+>BwF$Xe>Y)r`iY>fmy5JfF<8Tm zbg+wI1+*s=zUphKI(uigAm(d1qIXI2J!QbQOeF$YYx#}Bpva8?I`LmjD+@bb{r?rw+ zLy!j=Hd1=xtqsZYu1_q7v2Z zYZE@>ib&g}L_2~zF)q0&N_un$k{Nq2;xdr{(Jg$#J6L_adDqSScZ^D; z3FanD=cnVS1&kgvNJ-WIx3eMu6Qy9Mn_Qc$KGG=woj zdzu_2upk9}uVQ3%tG^7u*swg`E2!xMf2*O^VjSg!0PI&xENlDSS-`<5Xw);Yn_No; z!i?cqM;oU;TKC269r<5-`>7Wh-of%wu=wq9*DV}uD2Y88A9gs|XxA=GeVV(@%5;o7UE`6^{xZzMerd~9D9h!)m#Y^z%GDijDq@zOV9!wRpP3}2!~S;M0kvB z&M5)y`9ljm#VUmZL8`5h8iV+lY3d*I5#1mADTU-oW2J<7o`DZYE<@b~bc+e9Kf`WX zH0(332gaSZ%+gS2Uxsx2t=G+_aAzjwc}AU7?W5hS`XY!_SeE6A6BHm8Bc5)neUs#t z4yf?0H4cHT{?Y61v;A!;YI2b>s!v8v;NMrDeN*0uk7+ol)r2iEeVJuR;fo|(CgPm) z{!;t&go9NA?&BdQS8v73 zI9=#D=DHw1Z)|0OH&Y?wwwB4;h4&ywqfUK>W6C zH%uhm`}gm=jL$vN7Nc3lp(RT&z@b5ElgRQ@rQaPo@ZH)^(daYTasz1==011bzo*i$ z>F!1rr!F1NM7M@ZHiG?-(P|J%2n;lY14EpFiZTS|odlBf%%BY%UG{a%;C3Wbn36H~ zxm1B%$kD;Wvb~UMR~1(}tuOVPE|1|7j|g$>?Xa1CtK(+B!o?o%`<;}t_&%;Q+h)7#hw88l zmorAu%`5ljg5B$BtMs0p0JH`Q5Ltg-9F!Lik&vkYgOxP0W{Kf9}m$0 zqVcYeg9LAM&)&_oTZV&^iTU_8(rdA9+u8Z)-V_pu%6hs#JaRhA`291HljtNYHUM2D zpY58)eA9lEDwdHyJK#)9>LiMOH3q`7Yj`a-GWn6!ZG6?+lv#lru&6L;J8jkK04KPL z%V)4u_|qngiL$h`zB1Rj3Cid?RWz!>gI!TwDe89SvZJpLV&GpN6AY^Dun#&rrBc!rvhCCMcFYRyKM#eDLU}3Nl+3RJV^=-h zu_YLti#29+#a{ND{NGY$l~&Cda>baL`_iElaqbx>GTY`9zr9!w=Y~5mpyAlA?Y-jRA5EOg znVzBBF0FS}ZuH%Gi*-24_%Qr6dJ8}J{9(!C@ci2Qyi#`hNpJLaOoz|#t{4=U^$wx{ zDhL5lsoLoWB*=w;VVL9usfIUtp#D65W25v6t4_wT1!JBfm}g_PCSe23!7#81s*^=i zSz@0jtw~<5hlEC*I}3V@U=wJNqbn~0H9IIcog$&BlXvUfTR&S95R(YD5dlD`^Dz^{ zk(}E)=J!>3>VgfX@`R_Q=}=1=o`kK}&~n;}gm~NtOh>8hs*o499Ke`vx$iNQRI%W{ z-p#NXD-0IV|B}TLGU6O$GHrr|SZ}%FR*zT6`E?#=0I^NN<@?_<*KxkxY<+n{=cxfB z(oa?mP)E&iDaTOiOdc0LU;8h-V^@^jw=X`PxPedQtiyQNLJx<c$K2DYVS{U5{Kzh%nAvKptCfz~ z{J!XhP#1e-3pcb>6zo$>ch9XaY8r2fBWE5vCvFSlFzRLag$%Ipqi6iJE854TEIk@U zMjGxGhYy-*;kMI~f@?}bZ$K2aSXZ~wg**!C-JHhGmEZ9FetO*~15C4j9OoPLUHP`|-ninO3dkSsq1AZ1;4@vCA zFL8%a2*D;+BIkOg5VJ`*VZB8mZd3w3+xGFySVHT%mDWPqyI=@2P3!Iap*gP?|ZkU z*Pb2rsxZ4vCTid_S+xA}@81u0ZDn~WvjZdAxcR5@er>L~v>tRux&3!e`1G*wk6+p7$F-TMXLgSY0DAUBcz-NoMBi;J2` zG&Gg0>8$kBDiAlc(mG@XmbEgS59PX31s4Zg!Dm6fdgCy70D)b zIq6hcx$^QB1x7r|oQx<}n?B$aHWhiu2rz46L^AlB- zyFaQn)BM)qGfwSKIM%L=!%=+Y7XN77k_#np3bcyK6Cq`13F zvEo|X-KDs@I}~?!D{jTzDemrCytoezXTRU!SD0(|OeV6DwX$+QLXOB}!Rxpp6B~+! z1w!J1xDd^_tZ)$x!+9$j?R6USjaBnzJvQ@IQa0RTZFZRRr3#ZI*gqvj?J&qBiUxkT zl+7%M)C+|s9FCz}uzpfaSHnWOqX16 z;V?8mJ`h-A*9abi1FN!(45iv+&a1aX6w<4~6dbYA!VH$#0R(=|mwQ>wHVPEGA1{B& zU(Wnx^P4 z=ilJ;u1-TK(4v1_F)kZp=N-HA;O&!&oec^Pj#T?u<~Ye7M2WTUpkyYJeDJMrTTb)q z_?TlNv4b5Wlbj?Ke}svKcLNM3eh30Qms%9<{-Yz)S~>~^UD!RLiwjqGd5h*7xP9n4 ze=L+b*B29>|86C!(kcs)@k5}5PF;zg2LtKv7WZ}YgjLE5+I(NP84v4_T8_@2_yTQa zjtT_axFucwDW{Z3&rcd0RmSF*p5~KK$~MnW3zW?E+Rc+SkNow^_;*mks&z+u|H#b+ zH@#NUYhDjLG!Xq+f>E7jAm;Nto(D54tnQv@iVv7x5WfacDuu%Hlziq)R+hO?_UK*ecA&$$GWaf7UDV<$Y#M4CcWcH>h^Ozg4^KLl*fN zmf>obDUMt7^9Cw9@OVSAE(wf^QXeTQVxfn4v8CPwZ z&1kd*lTJ4?hC_Lvj_kpoPjjj`P8rcU<4~DfjYry#ym!7M;Hng=dF-b1+rZwHUk&J- zJfcYuhQ*F~*uNKXl(3{qTGkceDU@9orOH}e7ZE9(To+-<03|F1ON48CX$6WVQDvE; zJ5lK<%6Y=gE=ERU%t4hEEYD(pYyVzshDPCD{FCjCkGtX;jK{Z-%it98J?EKSInN&Z zcJFHAm-qocFrD zvDu`|K8=CCE>k#8q1og|Ba<^Ux%dfLZ=?&qy(mkz78u4DQlTg_BzHv`nhC~`8Z>f* zcO8@y?yap!n@>qY1Xk0|U#+jZq6bmJ8L1|3G!=~;yud~VxYTfUR#3uBis`O=Y;aJ< zRT0tT6b<@~N-C?NY;NB0WAw?&`^!${jHH&IYpO$yODnTFJk9yI!m$fUaqKJRa`l%U zO4HukTas2RM8{dC*h`9=TnIQyEcx&hOmTE7f72dLsLyC~YB2mvSD$~I-A|u2j(imR z*4?BPv;bbgiq*}JG(ZUEGX#Z~Clsa5w2C7jd(tJ^Q+24{FHM)Z@k~tQ)p%W2IMzPp z27T^+yinPCl~=b7aNO3ydzunL-5olv-0HB>9c7G3>MQ9unrd~j+<$NDey|zyy3bn#|<3C!TG+d${brseE{Un|Gh`+f63Z*mjy^ zX43T76Xf(QMZ&=mFYcLk@wmE``|3{MgK%)5@qrBT_dXkqn&#E+vYb#FZ$=@%_cqL{1IE}foIsF+2+a7-Ck0wIxUpOvn_#qS=?8^)D58XgZl0}7(MP`W-Ch-UZi z6y?;1n+}bdSv-mdyk~P6+dhx4_5wcdhG|occt@KKF3JjbHql4}wOs#rHHa5*x}9h{ zuX3)0qd1!w1^R}ByIf57(A@1|HNBcf74_aAdl9!0roEvBIz2-lRTO27g6Pw*cot>i z1e~s!tMSsDm0!AtJk#`T^#WQck_OwKVFH>5C000_zj^HN?gU|NI~PA%Uhvy~yO3$z zc+1(8{;B7+rPYhZ^?sf}{SF@avio9sl&9xY<3OXRh88=p+degBo-LBENQ1%p&JIiK zBx>gS>FgiP;5SrJ+(;k6shN?M!zD=mK|xUp4-hu%H!&Ht8=c;yg(W^H~ zr`>Rrx2%qN?v=Gc5uS6GNO+lhk1u7(HkE`l<46C*nmcTC)Sv)_%Tz(#qd*cBjnkh` z$k*MikBMgr+ny&uIvTDM*)7wY#5^b-@gXF4Ws zqV<)hpY_q<{yooiWBt=rA37*tsnXBObMFiDhVSkusP--bj`^{C33A4%X34SUj|F4* zPFDx{v{2}p*A6cmQKv(S+agy$T6MO!!up1_wypWg)gkWKBnXryh{3&T)hPd*gS(yg z9^8B<`p1{B(PPnDBggqkY!_1B%jF(P^UY>mZMo6T4=lX$;plOE#5wIzvNxHOV|Uu0 zCHO2RvG3<`JT~O)*L|1ya)l6$R z4WCq84cY3r0$zs}MU?-?$M4G+IXRHSHovohd;T)!etdAb~TQBQ|pr~YogZTFU&-_M2{1h<`d z%$HW~^h-pOL+Sbm2vs)3QTWUp!GhDNH}8(ET3<`PAcqahVf*`!@&wSbl~z5wuw}nK zeIeF=oF6BCKUT@A;oi&h4?+A``t;R#ZToO?^P{17xsiv<*p6$p)vxs$Fnrhodi;A+ zaPkwio*mvZAg9;?JR#F_wQbcjALc>!9Hq8!acj%T-}+24?4>Y{AhbVRMoLebC!aza zg#558CmH@pthcgFNtVm0Ex#R44Y!3t zXXj!vJh65g9}my1eI_JJ~Enx|pQ>bXTepOW?jzEKYme z^6`uY()5Sy9V->QAL;&~_N&)WHb-AXzT0j#Mq^|C8-ks#@8}-mPZAzDqDTwpeA{cZ zBc5}or|*YM^L5A%HUK)Z0;suX;`UYrFS!K;HZ7t=!dD-S=KD(BstH zi2Ju~XGP=3e#G3F3jxO(T$TvYn`sn&B+!KHyziAgik{nSNT71mv#Oe^mkDKx{Agrp zc-Hd%7sEV8BLn+K(<(89k|RkdqT*@iX?}DpO_XI@&CL=*&7(sPQ(QuL}FvnYHhE{nuj9 zeSanR+uK;BUXalbnHF<#um8Kxtd4vS!Ta+q?>o;e70b23!_F|9nLK2GoC1F*ox$ZL z8zE8WqLU0pwjj7`H|{Umx1oY8&q;@)Xe@7aMVN%VU9-DvK5QHJUDgc3XQ66O6q zKap2GG-y$6N0iS{d@=RCNR6?|D#Wiz*_2R#AOLDjFk@G%|BW*M{=cTmBm(8R*`(Gi33l`}RS76rnms4F8P-gWkbuKMut(yGd2f=edOQ-Fo7@ zC+mU6`Zl_XK(N_~&-(V&ZmaNv;}BeG?^RfARWNm5XwPj@W@W#Di`^F#H^H_2l~um; z>FDY$s9$<-kXW9x!Zerf!)Scf?`E^|A~+<;cI#1Bpo--;`;^C(2%Pu7{SJ-Iwr2us zsQ%xU+;2{rFhAd|xZiFT{a#HN%9RG0X%wkl_?p@;u+E@5FTE;c^T>w29rc)#q<2yS?4z-h|jG1n~W|hI@Nr>;m=G>Sdm7DFn;r_u2k8WroFI-5cInl5hJo;Q<0mCuat4?TiNAoCp8K(-uJ zdCaY@G7mIb7yNWuafW}8e*?s&+@S54Rs!2-RC2!d! zgKx7TZ^Q{bZV}C8mtEO=Sd_$bS=OfKICJ$S4FIn=W1KtAF`BLq(eCeWEA#YUFwvY#)Kq zmncf7zNma$5MId8b^by;-ReAdk^4REfMz5KxMI}>Ub@j_K>JK@W?{jS;eQxHlDfgL zM*-7$HSmW+K#@{->>|p^jn=Eo2$6P8dU}1KX_N>9Ch@lz;rL_u3|@O`7DdM$P8~jp zn;t{`$BhMwbqKxu8E34x7vHoENPSVvh+CAk=Ped-bA(=RQ7iBzdZ4Z>4em*0OU;2S-@@5ft~@RbC!32T|0DqG_Cl zTNnbf=#F+^K$W7A*p4rm+1>QF`dpz>lf^89N{og<0%h#ivOK4Cvw1X{w+j~DewJ;H z=+`Bh#thYs8+TGX7s5KOgx|%^v(czu7Srn|*%=g<1(|~gCl3Y*9vsT6cG5(eZ7)m^ z(6}$pFYO3<4}U>D;Lp&Wn5*X94~*Jr_?Mf^4b*+1ZnW8Kw%u59)Z(7(=kbWDG16>q zQmhYh7}HBYwlK?a-K zlp~p?gZc;QTKV8eNE--Pum^*k6>?np)kSf&aS=_Gb=39Wg^VLjBbHR3=|%M8$RGkL z>MR(#8U#nX_vr^xKl#*^h+cd6vl4v_`M*hg{p*ZbOg}hydY$cfQ|JEnKJ91ltGipj zU@l;OV=Q|$tvA|GtI$2Yw5o01+(-vPGxz}S3=4|Q4V~5RjDc7xAEPgy!9%U=YZ?jt zS7ZJaEhhSz`Cf#EXCz2G`b(!NWY$QXwQblq+`Dh;A)IeV(DiMM#&VA~-(bcI+X%|4 zAf$|K%Xk z#MTal-f-<|Bg+Ku=tmp{6>ex1Dw@Wec5;-aj#yD!cb~$GyAOCYJr!Yb$MIc=BqO{f zdi!WwChz!iZDob0qpjOXLgP**mhy*=9D_BXa<$mYOTp+rly3K@ov?{rrqX}Xt4&}s9E$9~^(%9cbhilI~u;#X0Kv(+bN zQJ^x5+8)q+hg%z)ML>bkVGYzt^$rTin3q3Ohd!bj4#6GoPmQFKjx+xWGouYlW!$P+ zE6!SGnV{=-$zz5kv%f(yb90=u`>Jm@JLEKEWNbU4@Uq8mOP%8@~7vwq4^c}S8!6X7tijMoa#}v&_7w&U5TZwgMu6*g7r5^u}p@ABGc6%3R za%ZK1lt6fibbjAF$7SEWx>6wRrr{oq|_L9eQgck^j}F7m`4P}#t) zD5q|8H-DMBm{Mhh5K6c`ej)BW+`}w<;C3@7UTk=y9Ep2cCs)yF`OWwD#D8S#*Kg=> z3aA@ryXQFT(thuU&E~%u4aELlC2Cf7dorAP-Vbfy)R8a+!k0qKM5p~OfByGg5+R%Z z^CNK1%k-Pu`%bKN?!9C#h;;blJmH%6F5J{;ZD zb}%kU>hfjI`oO1GK%jrk_>F)PHku0lG8QWE4CbGM0)ZqfxR~=Ar~J)#AnVFsO(+5 z@XcX)P%Dr=Ye64`*W#$Vp=mfxQio#Z~oy)HClU{Yj-hmk>| zD(b>cLP8xp0_`&vUtYB)?eB6l#Ii>lFUwOE&o5Cb9q*5~g5o`XpB-{9)K!F;Q{cs* z_q7#xa>XS@E5Nia)vBG}0C-elnB`v{N%x1?JYDzI=<=j^RC=fcN6AyB&{kFo!i*&r zRCw7OKD)JKb!TLac*=^l`6T9ci_8+5F*|Nod;k68(!7`R%^t9fSb0^V5Wq9I*l0DL z__xa2Tzz?Ye0H&7B!R{fx7uymFIAfN@jPcFt&2Psgp%V6UhR3B%n`^ufXjy}Zsv%PGcl1I`c> zr655fCWH7lAt%1me$C(3IzN!{jFCVA>B8~464e=KOCa4Zm>2CtTI&CFM{su~#pra{ zEyTF^UYk@l<6ayE4VF-hZ8&pt#+Qgd}{Memtr!jsTx&=6avqg1t%atWohV;sM*e&WcT zUQbOz`)=bJ=kZ+RE0Ul=1SJCFgi4~*UI>Th=$d`Y*6)g{^%NdR9!z)B4>QGK^heus zMp>Kd$oDNll$CK@8Sq{neS=YJ3P3{I^QcNHP4AK}<_ZSAmsJ%=^JuZ!ZvQdvWM`j< zuoZ<#?WHPrdC$%i)H&sglIBr0GBnEnHVO$H zPci!Oe9}W6mfMZu(|!g~BE?E66fly3jFGpGAXz^=11@7@tSXlGyc*483%M4NpweYFolNCQ7pkx}mgma&huxzou+ zzed-`+Tnd=DWL-r=pThHPvoTWHUWV~zf)R0N>)RG!u=j6lmz!dK$YKaOP3*qb~ig}+Fn_hMydI)CJeto zQ0cqwX%OqV>=nnwcwTf8chx;gfKcD=u&LjKm0#->2NET2Xkw38zu-$?$VzKcWZzC* z5J?rt#kkf}q%{73C*6ruB>8)Je7Zfmx~ZtKmq}IKdUH@OxnkEWN$^QUS(?}rICrz} zT9h6$mn%)yC3T!@U9+;cxsUX3kxf@$=Tcu@s3y!>aA_t5$-RSuets#% zL|^WDZRvSG{vh()q-b(DZN5kOxMW5o6j5uM%HiKptgRE$SfS)Jw5_>K;S?IP$N$9!q2Qydp(cUa%00PqsI$)af zJo{_&VQt%yo$kZz35vb~HIM`MGk;7|nfEGue%)<=(`NNpwpdB)T1~P(O*um{G8&1S zT(v+o6+>`Y4J2eT@x{ao4@5D@JgPtXB_2bNQ`@JWnub}wFOhN+l^^682R zU$cTtj&)iq>)FjhCH*aaVciPu@RSp;`GY_RzwlX;N%Tq2U=%dhSSTa^IuF_2uxu{3 zqxwt@i3nf0+rz-NZX0>k3Cul1iU}ns(m=Hxy%b~ILuvolW6bGwC|gQXICSuem93O2 zK+g!L8P!)Jo+ukWK!_yMPL>WH3s$^M2dXIwQEm7gjrn7OuhqDzVNcmeaIj!==w|?hp)(~Y8_>pG(qGTR{yKYIwwvvXzQ4UoTH}UN_$BHqK0f((&{~3|+p78+y2>SWtR}T7qrGYjv>FLz6K%As0IlA& z%cR>TPqGxe`3=Pzi#(s#>m^2=@0gh3kE`Z+a@kyU;gZ^4ZfY9ZeX@lHQy zv|WZ-FV#FgHUOKn?l2Rei2)QQJZ#V~vA>Us$`?>$OAE7JyUSoCCNeT|wH_-4KN~d4 z=o7a7)linbQaSsqdQoI$Kz{vcMMa5n zxh4aEzjb{>Zt>t(Rx6%9ITIprUkwl?JGk|dUL#v?w!MW5s%JQD-&*6TE-o(KX9Iik z`zpba>|`JP8Yz*>0tt0)0l2iYl{#P;B7}$>IP2QVU~P5C`s6s@7d%z<&lCdxS7&qZ zg{=|pdOUT!R=kb`#`5JR$UIS`G$Yz z=|qLnK1KI4kc=%-LEznF9c&vYB&m+E@AKN~Xgm~68|HXNC(XB`$XVRd(o$bPXBV}9 z@$WuVBp+B4*VfjY>>BJ>^&a{bqp*PMW$X2(YW;KWzUQ`ba>Ez$Rf4Z+Ju;WH3h3o` zh&A0wvXv@S(K&41+G<=FF_gKlN7iq%kAJEAVPq2lG_xX&Nq%@dFe?;k78V!p#fas- ztEKwT+yb|GTPzAsNpK51`0EQKF-e)z1<>;h91EKHC>1Gi5;0LAghT{%di)ko7G;-X z)V`xt(9y^7JX=unU7h`NDoezT8iZc|A@z<_*WTXV)zzg-VriepHm=xL<$Q>gMrCK8 zqt;}dI}dM>(e0M*Y@@~<(;>U%by?`a+BO}WsuIhs+UV1I*s%3JB9yW+(=>tY!*z~M zgS+9Z<#T!Yas4pNohsQb4*KM9xO$}Tde1rDNnypR~@Q(TUjYpN(S6_rA;X^{u4^m*0-b zB~OSApX~&@uXTVtWJEpj?fMR)0Q$og<}re$4U^eEQ!W3j4h*jP{`38BQ|@a{-KG$F z{5`H|=#2Pl&5lEHTps?{M?KqmZ9WH?XgnGKoEdz+&dbAdCN2dS5C$xK4y%P+&g^c6 zn_a}|xU8?Mr?)B4i7s?aF2~~sP!TZHQwR}EI7ng?5z^?_o~*(761YMpjK&kE_oMYj zPjv94$;$DVFR${;3#9tyPw6|ahtp46i|2^gj5eJ2{!f?9Y+|L`_l3Tu)9Lkk7?I)l-#?Fo6b;ai zzF-9J6^Cc^(YB-97MmyUM2duhZwQcdMANTN=E%>YPO&g2Mx*fo!OGHQWac-grnH0`oNhy zrBDKIO}1o!?56v6leOS^oVckLl@Ql%@X}If=<{zw)gJ_aKXaxCO^fkKj4a{#`I$^( zYkeL66LKx2<7wS(7LmnePzAU-yJhJj$U>)W;&E$vYssV)$tee;Iqz3Zm+cfo$K2$a z=BwfMR<~B{%|D$Eq(j}=Oy@Bq--||>K=PwadHKRtlVR~;;|s_PF1x!I;;N_RtjiqV zHC^uxfcn6IA{3KC4Xk<&z$`dftP~U3EmJC_l1;w?NJz!X<>tAbW?P+}gLNip$faGF zvalf(9Yd?1Q{x5(6AdBJjpCKuNJg>Z$V%0!9H76hx^Md~`8``wpeLE)f|h^l6;_=5 zn=O>d<*%|LE$vs=(6C>rB_;T*BQ6ztogiOoT&F4Zsc%0nwb$p5c8%WB7EjM7&@bOr zVEk&`_JF|x0dy8RPM7t-gs-f}Y_)~5hP8Y*X~4dTh4mdL(wyV*S5n(Xm(Z}fFkP9p z;O=f{lCRT?+?JQ$t5d9XoCJS^2ewhuDk)!)1L2x!2QDZAVm{b6AZ{a+i__bTUYNe z8ut?=MPF~!w{~TC`LoUR`F#Dn7D04m4d^I>A9=pur@MLA1Pj?jiordd1~*2?SR($C zM^EDjQR9Z7?tB1Yf8f6tJjP?NKb!eYYEHUbP?6J&2T{UNhX zqs0z-R8(0eoBvdwH#QSgI-9?rip~WR;V-Kx%-c)!Fw4xID{r~xyql(KTjRZCTba~@ zY1YacCUSGCb*uBa?tvfsw{CR?Mdu^`8}EB8?ty^UXFkpQK3l4<`|>o@lxIH?Eflv) zKj!@T=NcUa2M5RP;UxV}$__s+-}17m;+jrA%e*%qKYu9_DaxdpuJ;=Haj3*sE!Ovw9VgGF);o)2GdnI~7>Pr=~XNn~Y& z!I(V1b|$ z=`0ufKTwiciRJt$n$LpbmRf9&;|73pcwk%T(fh8#h~neuc~|@Z$UB+I@9|#xd%Q=$ zA^%hM_VR*GC2$%cZ7`d3%G(T}_@H$;TiMdw>Qj&7znO_d(V&w)_6({hK}qL0?L=gv zJF0b#<16Y@uiq=lvU9qX6vwh5SQW{eUMG%F(@@9Q_8m(eJzer$B94J1t*Y9K63ls* z{GHFLXcFYW#ZdoweSQ6044+yy{V$g7E2NAmm&;9E7>XC@D6U=D0>Lm1=ycP=iHwUc zxX&s=G#VOt{(nNS^*xj_sCUCV&%#c18TO?D=BK&iQ!`=AQrtYy*;T z*$h_C+f>HnnO$cEJ@ac1pS1<_TNPQIxc+i)<`i#55Vze@!pVZPN05D1whU_9U5N${h`I;Batn5ISRYk*M+>v;t|zY33=80+G? zS(a4-S?fToLGkk(c0^!q?$+90a49{Y7;sw4h%e)mb6zdRs;ieBxDUxMjZjrteQ~xm z%1x|$;b`w~vR7iu-{o5=VC&qmnPP~Yx11#CMN8`McgWb{>~^HG!e-Myhp5xW+G%D< zdi~s4D8bR>?p8dfttY2OyX`IRlH>YtcPyL7Z*0JMIF^!t-_B5DG4u!SOhIqUs6`-T zGnPDf<#1GeR^0p809!t^IBon=T>7}IWT^XnWQmY4Wk<1!GKiNjI%28nDVDGqLPqRY`&wV~E@5x5UDAv^zO6OHz1{3e4|;rkPs{ax9#Hu+i2mOf#-UHO zrJM-;*>4M{wSzmCR#J)J)b~EvxMjY3h617{RI=F{8+_7SnGx4f)!FKr`T8$E{K1tO!obOM8FM#)C_ouC* zf}fv1KQc1qvWuKI4M?OrImxQOe?IG@$6ved>ZqAp&(7+n{BM}IJB&}rv%h1ozbGOTm+W#`JWRMzfOnVQlx$ zI;C4al?br5D6g;m_%(tx8}t@WW2^J;uV-`hfQ-PA6ENVqe`$&k`a7F0<5DI!U#?8K z5Q1=w0V=1anwqPc8V8wtM*SrO9I>*M>3otxPcL-Pq=FzqTHcJ&$9=_CHA3!lTjl=u2Fn@B24^KKR_%IQSkR*c`aPy25^ z9I#4c-%9G@wri3)QYvMTH_NBD?!Fx~m=S+3y$Y}f7AAT z%dDP?EuS~TXpqtFcKVk6aHH(ubWiy3IxSS~dONS+$9LP#kiKeu!u|q#y3{){uM@iW z|4oi415c{8kZK(pt;meMEqnC!wD&traizesgZYCzv`|3%^APRJ+1|AWC_p(=mO@pH z|L1Os`|<5W0tmf_(ql%TYeA|DAo8OMjnb?tT{3fdKuzU$4<| z{^Kcu(*OVMm+aRtol@?Le*U~3R+%;)X0nRUb-dtt?DCw`vd!)Wm)`wxHa1pKadJ{; ztTSizoIF1r-xY`sm+3tpGtbmvCv3fi0&Et?@anYfGM{t95$wGGwzB0yLkY&d=PB3+ zpT=5W$=hA&w>`)DzfF&t=8Xd;=ZW=%M}+omKJUHJVMpXNZ0wE6^0VFgsoinN@JC~m zx8gE@1yECyD^{-4{9RdjdeL#I-|68fAraQJD)@1~bbO?%{HjQlVe@P=={)_q7tbB0 zkj+P#BJ101C#T@VY%=ZpH5Twg0GgK2rGRBJ1%z`61FJ$%*c4x0a2Q_E0zGHogQHX%SM z=Q~Ce5dmsJ84|)hq1)ZH1fe%%F$kVO_^9lpj14&91jZ%*XP_U|PqM5N&R9@jNve$T zbXOeyJ3zo=7_E9g9s8>7^B1Y_@HLZUicLkTE!ZY(ZRjyp}^VfDd?II*M`DVN(6 zLZK-&L)8aDjG%G>4KOU{7=p`)gw3L09T|4y-rg1~iO!{Mga(IrNl`@aXX z;ZZ#Vip&xqmZ_#Tf6Q*okRu<(oLPOEnJQm88}rX~Fl94}6xL6Z3Lc$g2`QtsWb_xt zueT1QABuWQ_SyIhf_Mw+T3(9Fjgg915tJVuR|%AbnRtMUh{}Q(K z;{T`u+^%jbS6Xh&=74~suG6%^eklCaz%D0KIv*hlgf0KI6UB%d1IN>{^Qv<5N!MJE z&SC$d$-kwf!O%emppvA+P*+>BN|KDaHm{TaY|C9@SM!KE7y1b=Hi0B3_i%Sd;Pe+_ zGA5>;!QI`x=jvweLGU$wZbBfs4&XotIuG5k6lU2!zqg3TSY2FPEG^vCa<#X2bhvkk zkp+mVEt;^dZg1CA9Ov-5gYUqsL+l(?$6gFr2fy0-rvRFLhp7nC#IIcg2a^7I1dht3{xAWAUQ*aOb(#< z3ys7E)158E3UB`6*Kp)PYRkc--6#pG)0tFJK~Pk&uy(mw>!38qHp*iT-C@lo@XLv=06NTXWbqtY#!+7(#`^MwEP(j*0zuWHJ5z)(F*A(-StKSYU zxD6q!)N7QwQed1UOl}ju;k2{OM0g19m+S5dCcR*|TWMO)o8cBL1!6(uUef9ukK;rn zCb6jd$tB}U8P2LI`hIB81is`$Z%xV{qcf*GpJXh~An}^wtKEmt894tDvS3&LK-JV}?);ddo9RN9YvL(F z1uk@p1G_>k8dl%uJInc!|Khq0=F{)~AD15oKcwu$XwaI9Ew#xKxBwP6r;UyC;wBSn z+OiX=TNzCsOPHY$TRMjX)E7u@rul3^#7w?JD(Mskm`KcnJ%o~n24M}{Q53jh%-~0) z8s-wNI3qh58wYzrh=BXNX5YPvn(gPLbxeSljW!bvCC=$40~-Bri~Ig`q>#Z{3>;=$ zKD_vJFY9}sryIxCO^Y}wZjX@XC-PY>lr84{h9PUSFQ@m0ANYAnLR-*{#)xSndbM5$ zZL9Q>y#IAAq?SU4I~`B$)5!k>;!52B9_O#Tln@26b98I_-NGf@>8>9TFuC)Pb$`^O zNQxS|UgG=BNm-N+!VQ16ZJ~X~F-GCL3h4J3Z#H#CM=x&@`~DrOU_IqO~kPOIQc<+xL#?5kI!UAi8xdnXLvL`iN&LB zBJB^K<3Le0HKnJ~ijN}8%*|~(Vo6}fJXL_6W&xn@`Sls#h5MOEQ!ODu@RA6w**EKQ zNd#=g;SupHF!cb!(Xm-3lA7(vcBFs?f)`M@+kNDw=_{1S*6>?Cc#jyUmC!9T5$Z=d zkDy|==4;yo)+q1kbsJ_o6I>keeDeJ#DyeSsj>kmqRM)xf|Nc-w<>$1g#`e?8tl#T! zPy@x#R9-g_vF@@GL&&}sSyU60IrE@MVb|+GLj1fls%8TqbE{dlu0{WbN|mM-!WJWaqzmvpj9&a87Kk;8f+O@ zi%gONnOzh@NrFCqJz$H_bt(6)E*M7&HN0e+9{_EIqAA@hVKLeeeQofopgdp@)Q0{F z8%epqya}MSc8dVG7Mwyopjg*_zH|!u3&_=V?3D15j735e(nBQ!A!NC%Z|56r^IPc# zjdj4vI#(nG9Dj^*$^o1QUkspO(i{-s2P$-o(y7AB1{W{&UmD0>>WkDR-^^efG6nxR zzJ+F8(75#m+iiCRSpL*1Gd-a*m!Tj1&2~d!j0Qc@h=KIsT4z#Q4@_xp=fj1Cg_S&G zx|Cgl0WUH#s@57HR`fg#9lzqquuS&fuTvFu6z}8ulF$u12{Y3}X|-U%{)x*h#gY9z zI9dgoMJC@IZ8P}4yFu1nUSQp(m5uqaSkZ>(@H#)$Zarn8`v&;>@Z4?X_L0IQKnzcs z*7f)|*&MJ1QG`ar-6P<3lBG}vEG7567HdkhXaV4^gJZ$j++jF$|M|aTTh#RwGOQ_> zQp>KNH~P>;0#FkpZmGE=qAfn?c}M8hss8HHzz;9VG%RrN7)u#`{}f6O(Y@l<9D^ZN zf}TL3v7FNAIN7K^#eGy!aoj$|Wy~W(rIKxWGJ3>3ARpry>07cx)&dOMRb|}jleoKB zqV+SBM|jF;w%bkEsRmZYucrooH`LKrZlX0yB9hE#6HSf$oYiGRZrJKSb6vThzA$18 z6G)c}{xlT}{q7Nm(C`pt z94w=}m++VnuVk3tgS+;5!aSJKSyF{5;i2PO=d*0M&F^ph&jd}@q5*TMHO?|DYEJbM#9PP#35lhy~Ty&Bm!62geKWBH02?p zdNMW>e*R5j-^P;#6$Q-kmR44V_@wWuWAe-owOtK;u?HYY%p!DhkSL^($iJCI)2H>b z`Y*_KS^OtPkv0wV%&_q)B+wbre|KbeGT{Qk*Bq)rpkB`A&KHkXaFUv}YxTMs9n7ax z35xIhIFFF4{}TFr-!9)!xTlnsA=xPTLo5W6VH@*Smi63-AdCeyi%Uk9#ZCgog_kp+4TlrWS% zQX#&-M<5Lg!#ckHd1Id&-ahq0fpC#iNgCann#v_SUthM@eb}kcESjEnA)coY9%+Yk zxEP)e>gZL#U4C-=wI-H;h7Pgg6sX}TIS7RcpGHANJIS~wpW%KYFb|FrBddFVcOjc? zc4M4(ox-72SdI^*p<-QOe29;ExI)}YSr(#<7^^?K1>&!<+va1}*tsp&NeWwj&re&E zS&*`~EL3gxjJmjgG1ibj6Co5*WUbY&c6>i`fG!v(+C|Lu-Dzt;Nnflp9Us2zIy#)_ zU?tg!b{x8M;o00KwzY>7p|iGP>ICyz3uw08?F=`Wbp9+yZw(s5#FlX@B~5HH12jN! z*(0H?ta@C}{bMbyG&`J3x2JN#FZO3s@+$%!r*hWSs|hw29A+PS%%%eduYH0 zQdT47asT)H5T0<71h$G5M}!4`?;s^gELYyZd9IYmj*1zWhe~N%dkWV}!yY93L@#J9Zi>cIl@KQZT5A%UM?ygW z-J>?9grH7t14_}U#>o{97ANR=Zcd6sC(3}2;tNI(^ox(4XaePw?r*FFNBWzi*(5n` z;Plw{>#Xp^*Q#<7+i>wYm8NEhC;{VB+j3A_ho;-V)1;2*Lj~Tt@CYBxj)%4 z?-QSLYN2%Md#SFoFaKo$<>xf;XJ(l!O}Dx$Wx40arf+d=a@n;G)?Z7VCvJ#PiQGU} z?zDsTb!<&)2`tAr3~1B9{7_<6B;_~n5|PP%WIj|eNhAKeeI(4|_sPu1VQGfXPkVo0 zeYKGH{-j9Rd^&n?|JH=L#95hf+~p0_wZq0COe{9X$dGax8Wtkxn8xKq~04 za)k(Y%_;Z3jyY|O<(Lb1f*ge?i7~hFUO(5FW;WXi%H&p=VBZa^%WN@y* zO;g^-AdnT9C}M48t(17dkEt#t@1~2z6q4FFiR9dz1%f019U|#uN~oZzt80N%;!g1c zylp4letgc43=0Y%LBTfs5Ge&FJ5N=_cdd1t?V|Lja4%Q?Gg3(l4Hm+;nt`))yX`U&cD-<^CsnHQEp;d2;khUCGV{`P$V5Xr)z>S<&F?l zMUg00A)gSDBcmm}6?=nr5`PbO#E%l;JO;_DBSwUN{fwjq>pgMY54mN!>;;?QJ4$C^ zXg_JFs>^l08%xXe*wfeZI(_c>dKAF-Yb^jK;PaX2vZQitCxsmPUZ=UDQF46OozivP zUK^#dbpoHP0Py~Q_i5W> z+(mQCR_Zcq6uPtNfkH`rSBd;q_q`T|mT%Naw1q>bct>Eu_ z0dC{y`vG|_G7ZJs$)Y%|EKgLjgJ*SB_25&`J8G%f<9knDK(8$CEY`hu7g3)4OBCxC zXU@z%OeTJ28NS!a5JhgQ-CW^_p8w|*hW^J0!B_A7vXi4J<`52S&f7l0hW62x(}Z)& zX5r92nOm}{K4CFg5%ZnUjF@JN9WXv|{SEIL>afdshX$7M0ldjmYjT62%EEm};DVYJ z74YxDeZ*O(DNCD4MBN&c+3=yRb^36jj|!X%R|ut5)_C;Tf~m!EsSE;7$;v9SQDjL8 z9v_QQ^lv7IQs9WVE5Cl@iNSDPcHRs9yCJx06;35JOjspJ{JxzP1~^RhhXNe-*39Fq zEMNEW+{58WrNH#;LwD>otdgl4KC%ctEgqo=R903fR8`F0q(}Ul=+dnS_}Vn$M2aGX$C7~l*Pw*=6ZN(U zEMOC80g?<@Qu(cdJl*xlmso1Vt3@dzU&y+9&-d5k_Iuk^T}o9nvwi2h1{&N%3S@Vv zEYI&n-XHeO$FGj#7t%bb`mEQmE(MZ~k>g7?%?{-&r|NY9j6vKZQ z6_Bm(IO6Oo(y*~9AjAhbMLDl>F3}(+C zJ$b`V9z9%!O{7B8^n6rwpS^jxjU#D)`|yjVA}N~76sjbc#?ii`ih79fHe9Hp#?k)% z@Jm3xj?F?!3>aB38u%G8pLz!DH}MTVKCAre`=gW z8x%_(z5p_}vDW2P)ird_$@mNkFaV#ft>n|mebp)}MYZ&5iFP&ANNB(dFMb>?lrO(` z4INVcVZ!0K!JpcO24cjU(FPGJV&JVHQi+961RRUvpAP0HIL=n0R;E@QM*^91AQ)qQ z_7J%aC)Q;yY0zAlz+?5!f3da_<5+Bdc7vENN!x|%e6!kJQs06CUc~{UD9phCU3G*- z!e4}wIN7XrE{r@5jhOh1ImOBV!3=l+YYuTcybRQ|)U|XtBW>~pDO<$+b&k6paY`j@ zs1VTB@w{Y^vF_kv62ZtWPdIJX<{-JDeo>X%yVZk+nmh)l(QW^Tn@w`7;STr^^&2s$ zYZO};w;hF_J;vE%DJyF$f1xQ%cYg9c{kVH{fxn$fBcnQaj`Bf@D{S>Tkfv;YY~H76 za;b^oC`GYbE(hMkQXSxsUHCAdbEXX7m9gATu}b53-1EeWXZIdLe*Uw^Njjis6I`N+ zha?CBr0C^mXwpp16NSZ-6#-J~al*Wp&r-`@_Ylnt~x{1TazFU+C4H5B-fe)WV;9e0CJ*r}XM>87GzN z%%!gv(lh#ZH%S#9{x#TXAmOi$1kY(-p_8aZuF}OO?vnu!Hbhzm4C@*vC5+uj<1oJ@ zk3`HG%+I1v?~igO6C=8>?4FsDXQ_x^Q5wcIj6ql!^>-4O{nkx!uE(u0H$jZIwtxy^ zbzk?ssF|)N%f}Hv-N&LU({?CDA-PFL*pUJF+aEs--IWXOCPTkdF7`~(xMo@5u3nZ0-%}c3&Y&V*n4~9I*-9%K*HVJ#`UgW({gt@in@Fk zj%HS>t+jg;*+?eFW@~*yuH2vXmI$BL=`eU(zp9s;BdmhJoTh6eS**(P9GAt1$w*IyGkqkrw0-&(LP@6=UUF(-tJ7jnwf)75G3qpT8o8FdE~YL(^5Is9(|fjL{t-=^vG(wEPMk^LXPX)-h2 zYV`$ZHGTxQrzJw+&Q98d=Lm$yK=~pPOOCGAUe8!C%kI^)$cUtI@kP-kyL@sfmP}v}GLcG%nPj-#ndP6L_ z;CD+w9E|qq0$dXVoGkR5(MWL-^7(zPtaWEF+KS{iL(yAOGgAp za>E@lMO3;R{L>L#hkQ4;asc-P>a+y;9(lY&Jr^kQ{(T8pq6KTFTv^c^B>*}~giwkX zza>CqfmKzNETVY60{EYClVv7(*1D{Qd$x0N2#FM^xxwflJ^VscU@+ehBEsH_GSR|H zg8+DS)Y9%y&nEt@ft@TgmLegRUZG`+25HAFxQIUgJvluS&qmjNUGVzZ3}JqlQ0LqX!=pyf`2IMi@s0$}XAfesJHO&})3q^|(^SvnpT78wRPbe(3hrmhGAsIW*r zZ_kt&=H@BN$r<3RUoZLy#KQa~A~M`I-A2hnAWv?5`T&*1jwRiLcur^}i&?b}01*-~ z#h4>jlVs{q5(-eD?gk@DRuHOqQMCD0J|_eN(I|@C5kV>|L`g2-8Q&+Jp*NF+3t|P?eu(~z36HOQ()qgmUY5g`=X_vMJ_wXEC{4bKat4G1Vilp?EZvD+IwI$bEj!^5*) zVV1=ayQ(6+W+l9{66{1DBX33&ywU6jpTpeP-st$-SXEeg=PmHk7ubl9pS+GB9?rBq zr|?@MfDl9^zZ6OVyoUr7(a2965R_g*3-@V>ABnh&8vyFyj6v*2){6vf@)xCw!B{Pj znr2mI_jgJ5kj<2&w88cddDzd8U^RJDj?__P!q5qwEN%-%_0ZtXo_=4h$+zgAhQijw zfn*4W2OkrBsi!okzv0wX`TZ|Pk}@d}CbkNc-Lb!s_jevI^9Y#c5=px{KDLVD_^I)w13vAdV#bxAe4cX#;01JKt3r7I_fUzl z(u8c}u^~$Fq>@jgk%g4_Yb4SQ;;Cq&YNXDv)|IFSr5XLKvLa5F;ViZFpQv+K8_OH-j_%J0==8X{>Me~$`=2X%!qY%#Hz*8|iiJN@3%c45 zBQsTTAr>-r7$(G#mn2y4;Rd1r>{EAeL|N~F%y2>wBW$7J*XjY{LQZa?w#c82VO-eJ zo3jS_llqs?8FeJg_xiU2BF6k7qn^1WQjF-O5Rf4XiM}9%em&{m=tnLRM~SfZFkG!! zw?zq^-V}1&0lNWx<_>~;<@@19l@n{oQ?+Py0U95&A#Kh`dQt4CLQ;2eQrKF<7PlVU z$W(>OP-Rm{aPr(OL$6K&CcO1#k7apvJN-yp1Cq+a0^f^0N=R>G;^zQ3t0=R;@FZQm z2O}+tSl#-&;8i)>*A0TB50M}0JCshN%P_|L8n3^q#r^Hq#KCfsHSXo4!f7WGWymt# zz_ugDBgZQhOjUt%pc;x;(5fmbDv-Q-2#CUEjMJi>skP@3BFw;$fl{wQtEa7;BvUHK z`7Z=GH=u3TR?^j_JDnLFVLFyTGM|VZQBA1~Tzlz~b%8I;#xAPqd#^zi_m=ey99%Z5 zc|~zsk8?W1%;+#kZ zCglO>6D!vloKKVYKv074bfDq^E+?pYdQymWTtG`QN=bSg@mgAg>+$mN_%N$7k2i~? z&Er2WO(nMnyO!FpR`h z;+|>=EH<4rwDvjc?(9|Pk##Il1+&oe8@6UVx{ zyP>}B(iY@-=&+*R!G3KJ)qJr^QsC5?#&}v;T4hZ{nIQcD&;AlAxTzS5!o<;>LrW)` ziDn`S+W=XyKH)wlRw>(OK4aWyuT z8t?1F>errm&b)W$jiq_qRLeOU&+A9>`qt7T&7X1v-($`=Bg@SJ34i2f`PIn<5vdTV zU8vX~c}+OaqSx6*u*aBW8!i%=QG0wbsANh6>zm;{66>MivE{0rGfL4UfW7c3mePb` znEMl7()AUBt@)j8)Vds1u4d9DO$!U3Zof~C?pru6@7_pMXhk~072GQTG=e6 zt}e0>&xBMLd;90%m^zYa;KKY;=pp05`VEN;wz@URjp{+%skqT%$7iryU4z5^5(Lu0 z+;>4?8e>234KyAMvNcPtM}`JPz7J)g!zNBHv0%bI4#P)PgVJ&fvphG6CNg}=x5Qk- zgBX;X+vuDn%_DOsB^u8XKbE^7Qr9%TA_Br~7TEfSTr^f7e#}5j8Fj0Oq*l->OOgZg zQV1#0UG1wtxEyI_^lZ-&4Ng)Ry!EkO#D32S+FfE(LJ5#WDCv>%ghboo0DFv@+Zn8) zWG7uHsRTqJOk~3Ba43_!o_xuCZ1KWHE1@j;SWIDLrFQPm2gwotcf@xH83D^gjuX?$ z?rX<=kY1bzTsO}p!?bGzKn{*utXAOJ3_%Bx!{0OM;o`Z;w|Q>h2qE#EvIM?aD?FWHgDkwI;bEYZ1$8!?M;|Dh=6 zYUu|Uvn-^Rt4BDi`Vn{11yD`^ec;ig1?!}o42S`X6*OvTHG(0 zi?=Q<*l9`GZ6fqrHVY4qeRbXp+?irHXaV$Kc|jCZ(~%Rk`qX219-~h$-JCtSh#-nI z@@Sc?5#cl2EJTNZaq3PEi4Zpd6b!sL8&DR)OpP=R0#Xibg+d-KQZ7PSqJrM-jv~$| zorZi)K(hFQF^$H(I7gzpu4GZ6(FapwTY@AQ7M8rk(F~9-o1)h5!897#E(UCA& zK}2o{9M*Yr5i1TjPH6=LLMU-j%sZFJ4d`^Z&Z7BhBVWtI?$Y0f5a26m=mrJ6br{QU zzU>{QXn&@3XHdxV9cC6ipt4Lk3YwcE6og16GmB7bn7S~c{26QySdY9JoHGth9Lp~i4u`16^fcnoo~(_JDi8fAuK`Md-0e0;Rhq;1 z!buaYTWr4Hmeh4UUQ5C;%ga69B6vxwKhOE!|I0Kzgx8mJd;);h#vS)WU;q(EGlB*UfuSf3p@^ z>RYxf;tK4pr3A&eLd+61at;9?ONEP6P}0lWq(*Hq5>2zJ$4-FX8Ouny+V^Ne(07p( zNq0@*SNUSfYC78TLZYq$16Hg5ZJo$_iuz}M|2cu`M)GAcgFT_?1v1$AA@9rhM~1xZ zQXJmY?&-b0l=WYE_W8rUl5PGbk`%)YecZpPW*nha_Ey{-(MQfu<6n;|a3Pl^W0DP5LKL`a8=nSL+G8LmzK?uQ=2vRB;x)wQa^PsI^gGJn&=Qk_9xF<-Die`H?0muYa;Np^EQ-Eok$V)cr@e>+ABshDtdC{JlN$T;=JVMc z-$BrCht1Ey)8s;(#FzoWr3cxXUz+zq<&mi3OxUOEdb#@jTJU&+=efi7nR~-F<8W>6 zWOR;lpf{aM1qL<=T=WE5BAJ*FgF72KW&CGcy{%B-GAGB~O2la(6e#W#Op*hm7LlPE z0STcK;;W{`{VfSbERrBR78u1qoTgzNDUD%Czy{a%=h(E7bM(X?H63AaR#zTm8u3B7 z;Y1nsvWmI{a~VVsYKiiaL!=w`zohKPLT^2&&T_7)RsO~--jEiIvsCaVmS z!sOx-qh!y}W80yGV|PyoQS3yX2!)fs^lZEhJrRQh!9xHAf-nw2$$&_ITcjVuxZAV8 zB)~7Nif6SlVQdX6R14N;)M_-J-8Pa3v_N|G5ATC#xO?`LlgWqPoImemHv}$nnZ5Ko zVhpuNGcwQ$LKLV!ey6JTabdtjB%1;B?oys&jx)(i5VaOqCtw|I2;3MGsG)D?{tsc) z$6H>!l^gsoXWpd3m^2@`SPhvmzBxyF6sRP7v#NmG#WbC^(UqhGdaw6qU?+*lw{y)~} zvi%mX_qrdvuW2_SmNNhT(zpU4v1&eM{DFdYw*uw-Tp!nrKmVMG)z(uigeT=)FPJ~< zyKh#9H@iEIbcZ_RhjPPyE3_at@|+8w0AWvm2;uc)z3(F0sN7l=4M&@%2gKdnPVjB1v$`Wd+0EjQ7oWlGoXV3 z2cQDrKg21?B;o-?*@OZ4;mlV@wD;^N!R*kN!VM=D!Rv&>x|y_TmMTazLl89%bVi!e zW>if1ghpI2WZ+Ye{78eWYXB@OvsJ_Dc!;Agq*w3kWN9xz;}4*@g^noL)UnpFmJUwS4U1_di6ifA z_6>GrL}G}`_-%~+-$XhWamn95#uIy!PoAX65l#xE+V4e*$YYYXJhf`t;2B{jffRnH zK(QnWMHf&mNgAWm<1lC2q6Y;4QcJhsIJOc>&Z3chG}+|vD2PQC144NTB>CShzm;!2 zTx2JpkU{_0X}_y}drl3h>)7pliF43>%*krTzt4@Q?7Y4$z2c_TTE_C>oOlg=na>o5 zCZyJxZN&kn1of{w82R71d=H6ivQzqA>*}aR5Q#Q+mV53HSKV-%UWtW(20zrUIgZ94 zCL;0WhHivp$&3+*#F2Me$^dFpCvNC}K#k*ct0^#*fnm%?CJJGM3?XFX@iQ1!mlt_z zKSdG!XEHX+Xy(IIVs!9l@@I&WQOO?8Z$WKOG}<+=!#9u`SoF23WiGScD3vjppG^s4 zW*UkX8aCiCzcO`kqY&-Lt&z12ahkG}-S7pp84ebMo6aWIedWNS)~T0O#pV^*+c-z# zYlw4waAWrkQqz`uA@?<*yJ_|mI zDIC^i^4qaHecd|eb-q8Vg3pq?YgrA4f~8>1G9Hl(*Az~5g(U+@z~}6KYJ(i~JE1i) z@>Tdgujip^of!Yo2$D3*NhqhRV4jtccJ{>^ z+c(5>C72RnHrv|~S)B#YCOYWqa-&ZimoD3FISzA~>n6q!$2NRdYi`Y@*PgR>*f(iZ z7uMFco<*=t#j#DzWQchdT7zeEf}5^uCBHu}0GEb+Qsrs~K^zY z1iv8PrQhZ+0Eo})4#)d4&h{#JtO_8rNT=fSCsX;`FkoM5|B3syv0CwbjHnr&u_qKX zG|yI~Lk^Szwhd!~6yh``8!AeK$qLynl1%JXWA5X6sx^U=gdhXEUW(;NAe2lGg{m$; z2q`EgvK5MKDZ`(!Fj4d@2ATztYT8xIIMYsT859JF(q{TPv1)~>3F>j#-8huh7Rj}) zB4x0%QaGVAN?f94+@#aiK#?dTGa3v-!@r0$DUBw!>buI>OUyF7N=1$Qn4b5-*S_wn zErJ4>YsB(UGKW}xB4F`&;0(j)&_*Imfs>=!Q3nZ9DoidqJ9L8x1(@AQ*Z>*F8%-~N z@&!8eCv2>%p`q@Q6&Ij6DF`)xi+FRw0D{Vcr2`3@OVvb@N%o$ckf9NGa!E-ujH?cl z9Vg+>2R;IK6k2LYC&Bvv5yd(Yz5k)F&H{d}P1;s*Dt@!!Yp8_-*Q)s0=ut>}7 z${aw^Rz3eoqu&`0c9RgEMz%AOYetI+o63c*sw=)B^XG-;Uqnswf8@;ODHPqTN^Z;) z#wB7WCmetSmwN@+;c3**pPU~fK4+m%1)(W5pkN2bbtb>R)8)Gq{0>CsUklt0DbTmW z^ z2yR*aHCAq6;L25jRX|jpP>GiI{dhN=g!J*v{W0_-80?^{Lo(_)o!KjbL3>Q(* zJ#L?7)m?-`O_zf%Xb>`$OhhZ%OwGS;{KP%6=`=q~HaOa1C%J`9&SfYoDre*ap)42% zWimR%szP@TGnt?bX73aV3*Z1}cI--J6T6^ddwQ{?Fny#(ZYiyvN8O}%IJ2FsXh!{0>cGYR^=Z_Gcnl(hIk0*c>Js&@of z$RG(fcFdrBa1dX+F(m9ie{!oC4ao3662E?ZzAQ#DcEIayyQ~+#aUD;}D4G033M_)Q zD;PzD24&jwl(i1fP^2mSIux^DI?iT!`M&UV55O~Bdghv$ymY@_wqdtzEKU#<0#yo9 z0)wVD0t5yG7=S$ZLhxIE07QWm(RYw;;zH;`B?wUBa6!ReKlz9PLsD(tN^QG3S|%r* zy9IKoW}39wv%nAd^#-=u7LGISc^=&b7anwgGA0XA;o}fUju7ify`2IVm+>vpE$+sx zUlL}$JM7P6m3&RTqK0aOVuhZ`bOzPaQL0w-+DPQr$aOnN5ZDb3@JFi9hYwsgtYHj+9tcECexhggF>f z@?-L~^k7bJVH;AZ>koiqu>wYm;wW-U5+o#xu(^24lgn#-jsn~JVcWI>(Bo`Pm_4(g zup0O_JeR-ElJG{5ECdnL-=IThnBJ zwxrL15o75U(T=a4v>(jWz7idOEXwDZ*}uos`JNX*5!_X0M~r~3XA@HYYT8~?99a_t z1-ym{w^R6W?Rb>0R{9NG_TysVy6U8xDrjvu{fn^|zU#2YE?xZw^{6((Kmn6Dm25y| z)W>yLiYsg?&8UE2cO`UU=A;l_feO0=3l^ru-fF*JJldQ`gOWz3OSbtxIB+(N#-_(BN6P7wqdBA!AnFvO-{EFIfh?yH4-{ z4FFH2jJ#{K_D>A2loxnitne)gwvQCp?_&6S zB7kL+3k7)0`Wk)kGmJ%5diUC4@_)_y}Pj`R7N$+!#O_E<%kfk;WfyJ7ghny+J-}&yY18IuJg~Y zEjTqEna<*@&k1l;{sEOExKd7@yptzvSUEq7YHeee+ay0y-@9VJ{?Y$q;;)OXwS`T& zbP1NSj*a+IRSu_Zb(~IP|&5*~@7V)L;&e_c{W0Ou#k&8q7v|(N=2r zb}y{BKLt8flL=r1a@%h`y`I1d=$b!JN;1#J2X*sE;QO7Lw|O%h*}~dInIudyiVKza zWAwPl*)*F3(0lFYp0yJMg;Av8I&-tUvjy2P|ArlEIvo#e4<W66^m-}T0ebKi|# zTCYIrStt|Bh27p;`%xN?J^OzQ(7=7g^$75LZ=MJW|FYTUwp4OfR^CpQ=Cl z0J70X1|6k#y%ln+%F60b0uX@$fj8B_Io@V z;J<}2n7rOXE}}{~5D|F)LNK9yokr;S{@26b?+bJ{7ga=le1yXHamY8-lDX_S4cLkC zyO-LacjVQ5gt|`us4?-TSeirQ~2w`PEcoc3H#`#qhRC z!wZ`*v0VQJ(dZsaJl@QC99am60CY$;j$Ry~(@Z6$t0v188l*ev!~X0`Aw0CW3?B{fsIaZU zj=i$of|pN&ApILRs{Coi&WbVxYJ=)%3==_XA_y-Ljtf4;$ep5S7euAI02Qf8V64WN zJ7vOh{0!;eeBuE>fN$7;=JA;E+mR+|FY7hS94#K~nSU^qLguh*%eDK2}CANBFY(>GHIej zY$%*%&LqUt-h~0~fk*)hg%DeQ$ZdG#Wq*nD)w_1oRqwt!DqM5ee_3E*L(7n!GeQQ* zAO||Xia=vB#)gcJ5wjSDZ$5;OATu|;FwE6riu73JvT-@B?(IQ(uj#9^D9|Iq60EiJI z6w?{bHjsvzPt73 zR}9*2JfI75=4n5Wg~7n+!#rKo!@R7N=OXHpa%4kLDR1Urf2}j4fhZvIrANCf*;0AA z2ZFp;S6g<1NrRN;O5PlfO*3zBq<=GwDMJ)za$sP=phRg_Z&}!Z{_G1SD21T-a1SR< zw;KHiNle3f&RWVkb^xIaZXkg|Tm`9!sF$#YUfn*d*4EdzlILwV{|luC*n3jt>z zIAF5rdTtBtv74@#;X(TcA0M!ez)e{}S<&7O`_A-pfWMr2#D7&SYI}p`+$gNpd0-Y6 zBB^pt%2HG)IOBo!h{e!JUf4PJ4Dxz?E=OufK9jkbHPS}=@BJD<=W17}f4Ms%67pk3 zsqb0r%d}xlW0uw4%V#VZ-uuP<+c-zZUt64ob=b;w8r@&+G^w0oFdQbS);G$K$u3TT zOARZc{CJoJ4isNOA`9fAD^n8Qh+r`t)$Eim_z!TwB_L|Ftl8{N-~b`6KUOd{*kGgw z(D13Nlgw_;DuiJc(7CFOl9g+Ot4EA1Sh`%qP6zBXNlW4yg*J>>v$#e)4X5CnR4=s~ zCYDfz9j1)&tE~IK@R0RA_aa__4Dxi#1@;;(H0&opIN{aCrolQ&7*gwWIu?u8a175u zyf8JwxoRv(2N<1H`crP49_3l48s?+)TS-S+hO4>RZ-t}?aZt>k_tu^!O}gupX;_(yW+lLGwKNWB1hlr< z`vczGVlPwmZ&4~~QbO7wRl%qw^XYl=IdVG`C!t~F4(*1~AB2LS@D|I&S(t;p7tGgE z%Ip#Nlki?aop6`z0?arSn%SdMH_@7uw!`am^UzF~jaW*eg%vZzL>08Ov(02*zAr~v z7(Vw|uYrMh=PT;xR1N-CcJ_HLv%d)VFaA_+N;Ump@i%$CUK>w}SED_6G;%Dj+li>q z6p0BLorEk_iVtDJk@#7d;|m6N>T;jXL=^f8dtxuc)<%XfTomEKT7NiX>rU`J zswwZ&NglhiQq;0<^ zPB5@OJV2SO>abk-%I~75Coevb*QEv0khA$(rkR9jdK7Fg} zot!MWUGpF>OgSzpe67tB1IO0Gm^8iTdr2C5=NC7)CQeCD^oIZUEsOc~cZa~{$3UJj zL_^0Q{J=8Sw%u=c5yv=)oCvwj(HJ9L9UAmT->$0+lSe=c)j@Sj^qL?LZrtsv{Y*rV zixWZCZ<|2z&i+KUfBFY4vEF6pt-B}t-6UN1ZnY#M>6*P~rrT^t8bj9QyZb84v(Zj} zSHD|Yn4dD+HP3AThJ@P1eS+)y5J{0lnf&^`U%HNUu?(p&#s1}z-~#~g^Epge(jrmG zi50`|*c|6|)hb32!s1X`1<4*}@-yphzVke{>1Pu-dQ#bchCrCR+pM?M(_*HpeQ)04imqr6H`IE5F{+LcAw z2gw#?p|cCkae*@$;k=+bR>Cb%c8t>qYgDJF%HauIHz2Y6%nLMVf5*#or1i* zb$CwZolLOGmlRp>7sp#;@IDWDC|{cGgj=nzT^Ho*)EZp2M~EnLf(dsfNPtbfKpC8+ zj`8UHT>EB^(}wy(bmkIf6Ap^N@{Y$1(eb9kd=I^Cnt!&(Y2uf3)vs_GGd0pax>+sv zflkdl{dxb1P9)U!rJQ>`%$#!$-q(jl^E^i@W+bS90-djEZvxJ%bQ11$isV%*n~m1Z zStUAkg*_P~T{@C*q? z3V!6PLhnhz{`foL4{zG&{(WKoJKJSG!93@2`3HlIPIKgYCdIh2yyB80i|{Z)+;UNhbTEz%B%G2TfI0?>IQJNp?AdzQj-x99>cW zcDA|y&0ai{!zKqp?sJK765MUU_Q&1t9i69}EPzA*n6p`4XPrjtfjR^4>q1&?+uQ5H z6;H*W_v+UnL2mO+WKT_pOC0qb%5x4(OHU*G(I=E9g6Rl~yZ{)$ebf7!%RHOBJ3LgM z^E(?^y9E0To4Fz|FtEIGy-nNn(2+VNF$cDT4`)^WN>C2mR0GOQ(JfW+^|RB4@Uh|- z4<^wM&Ig^G1(U^s*uP`yjD(*Yyf9M}U)T3B31Afck&N{s4$+w=I~HuRf1m@Vj;*m7jQ@7 zrs2!=KS(+`HIre>O1WrKNPA*oQmX>Ph=De_}si#?4Ve`436_n+;J(vqr4ez__ z_&!R<@gld;d9!!U_DYE*Q34kJ7HV?{A#V zH-5-}Jt=bemV4X!vxN=yrRh1{oJ=04^%|#{!FPM=9#0WO=)AQ)zVGJ|d?w&5gVDB; zGIOI~1VR>HVvhW`WxA**_kVzqh+^@zFm@#L3pZ>~p-rDg&k1bs5=u-g12Q z-Fx>m&sFoPYM0R!ZnraVn4NWKrBUg4Q@cM^e<#mKMm1UBXC%xp@EVcF% zr1Hd=>bz7V@tN=v`~ng*@VDSb54qYO9M;H1^^W)fT3QfKU&bFi)mu`ZaJ2s{38shW z!*bzD^5&wXQ2`0)bS)7`26+|IFGUC(vfb(&+;92tNTgmKJVyH}yx4o~;+9c^Ux^cD1U;W_fOKB(r(!U8Og>8`+5`(M0epa)&8EiaA@K91 ze*mFQx7+7=jlg@p`S5#hl^6ht1cgXeBG(*ap(QP+gA4~4q!6@$%5D4t`l!i&L zE)wytS|c+azrn8fT|C9m{GI0a++o=Agamw?U3jMnd>p-K7WF)xyhglX0uH<;SlzY# z_tD&ExWCU!P5<~Dg4o-4Revp7`nb+C-3+j|3Xke490w0@?4vj;b;Al{yvf~ z6uI8F=(iVq8#?G{$LVsPKS9tmMUjK@e!Y5fxJ|!1{dQ?ORG*5}fdDvs<$O}C|F{g+ z<36`$xn4-kCiKyV+UeXYiINlews8cF+i7${ul}$;7S+Gf_+Hug7a%aOzoNr-{;%en zo9Uz>RsV4vq2*}@G|u1e;dF)e^^WeoIH#`Xc2^i+cI6mFnk$jrvHKvf=~`z|I~kGJ zvKy_ztLHXQIy~7Pa}HO_VuY`(f&cwp#&dC9w6PA@#qj?~>N@C|;p(t?DN=GCoC?z! z7sSeCA~k;)_x^F_9fv4VZ~ASwjG0O2Ix5#l;chMU{ThZi|H9_wgZQUYlii8S z4W{6;rHt-Z$q{a37}B}ReHYX^e6Cvq{;;HHG!zLr!%Rlwq^*eu0 zpn7H7?=Xdrc5vrMEghD0>m!3Bu!v<*#KKbFZ@DlWe{n`sr7})9j@EosIy}Fb$$2aj5W9;hd9>>;b5Rf9 zel?Zi@RdT54iZN*^SZv*0w|r@_8-bR|2OD~b6Re0$=UU|e~NUEl5l~+*zpWCDm0ZjpN)bL zUQsPI@Gu{Ef-h4nuVkD-Cajz_3{8P~`^Pm>IfRzxPuU4rquU%)?Y2WR9A(1jfJc&I zwJO?WdE&@QB%Jymmd-jZZs&RUhdafJL*a0D*8)Wg6pFi3+^x74cXxMpr?|VjyA^kM z^7%f$yZn*la<6Q5C$l@VJM%`!5iXt_y_6@YlwjdjQa--9c2S6?86Dofwa*JCysMSl zkcffo<1s~q(k)vDaJLUk(a46aas8H7-dv9B>rOu*G1xRrAQ42#2com}{<)HKT90&6 zL?)EW@3-BIzF!~IlTi|TRZ97PTncr-g6^|G)n`mL;`6Shr0SFx+9v6bci&XCYz+^w znho|%-`5xk#fo|}-d6aJ+Mmd>P*?U|`9{U3sWNNz78X@HVSe00Q)bqJ1mBvRUMhjK zPK!3YFqNGL8BVr1>E5eipk_y@kAhPhepg46r=dfi^B@-X_?O-c7YHByY58@p!HmO< z4w97b@f+1Soix}X*oc9@$Tj?)?&AJ@G4cL*8La~S9Yp16PG|4d{tRH$T142N^|ufc zPRmT1;O$+C>n$jSM=q{!S?m0f>^ExCXRy-IwI|pS#7W67WgDrP#@?jNjJ)=Wu1P8E zz2S;Bqb|QwLpPK|!-U1Jfj=I27So-Fj_B-Sd4n%nK)vplY-@B>JVuHpxHBEK3zHVV z4MnwklWQn+N(VeyOC;B033S!$caZ?9pXOxcOZOjdhe_4U=0iI9*R9?zH$akGI{h9w zh)OKhsOrLYs@^aUd$TH^p0Z4IX|O(;61xN~?y*2>4^!H7etAbi)x8+{hU=m(70Ch) z8h;zZzHsg02{rEmad{x&L8&a?wuu&?3FOTFM8*l$d0a&$^#TVju`oKn?WWHXY?AnP z`aDf5A6F*7G_||ALrGeH%w~Y&|1D3_Kc1Ol2VXXQ98c5|nBWuOpPs@xxUn_|m&d=8 z6p1L%VR6*I-S1f^lO6Nr*dd<&q|DX-ve;odEkm_MmZA8l-r|qCP^p!4tSj+4jL_m_ zwx;nXEEHM&IL;8K@Fs}+5lkQqeeab|25wb#P-#>f_}k>?*UHiD(bnP- zeHoUH%`B|gWImi59neNFc)l@@oyAnA4#Cj#qXl-_G|AQPJX7Dp2d?T`^u8+{DVO1N zI40ddegyE6`p}0HZK4{px<$C#p?cKDC|A{z{jW@?D3*qhs zH)C2i(_``j@1w3u>&eo+*C^vu!t-)UJHZ=MULDl5DRBCIc8Ghs)MCrxj}bU;QeDs? z(X3%iXb`nA%e6PuLVsI{2LJM|C}KiP91h1L{l9annbuW$sT}87++S3DY`q)2cU}`* z=()7@qtdo-MX@zVRA=g2w>xhx1qFcazXdcQWMKmu4jG(;+QCV8aR$h$gP6b$Cz{aJ z<2B6`ki;UcauoG|))50uSb+|^VTaLeJLtT9HDTNz`OTIoC*JA|5w;l$sy0Y|V_^iE zv0rOKCoyU-cKuoi%W>0B+qMs8U%)S&Q7?r|Zy_07Jt5Y4z{eP*e%)iU9_`YhSJr1xZ!To`s5PM zQdk^{|Fj78iTuy+duz0pHw;UhPx8MQc!kmRhzuVXbvzb7UZVgvYZ;Mn>5;z4sG(7~ z9SD3hhAsDeBq87NT2`Q24JUNdw}8`>L@f#JlOxi29<5OHdgWS-QYGLBSP7$5gv+#v zh=#da%J6hp&67fRQB+x82Ri7# z7_5=uQ%12ac!q`K4;Q#^x=>~c%x73rpGI{M-I9z&WC~tpkNs5F= z{@H}kUD58P;6;@u!E1=_$&Q=n+XRDL@Yfh504D9nXi z9!3%5`e)CtgK1bE4J!RvMKuYduo$0DoVkPOSv{r~r0pFbBqNb52t-R4YaSvgAD6l@ z2Jy+ja`0nVyo|l#KnBqvKp50@7?_d$he(9w`l8k2qah?KVfj|ggIOV2{k2ehhOJF0 zSYFZ4Auwrl#Gq1Htb3MfW(!qoU+OYn`$P`~TP`*U0Ea8l5Pc{E(1Sa`z5@PCT&7lK_%~=f@#%uJM2IzWDiB6Xg?RiTTgGT%E4YaGKS2 z(YC@KglsejvJz2*7zPt7JR(;@NA(D$NGRP-4M?VA<4~PU$RgGHyIE*3KX|pQ3_o)4snODBAc{x z6zqwtjN^uhsfs<=|EF#Y6ZdhxQekILM%MMx3i5dv8=Ma_j zKQQq^!V;R*%}M_HBb|tENy7IHpNSdtpCdptFMFetm)eDy^pe{eAS>wSTG25Z1wn+f z?D*L)kmKAtQ{F%!3}ab-jsoJS_G=W+4cXty*V4hQaTzcj zd7eEGgDQh>g61l_B@Y>DZDC&mSj?X1hT|wJH*1};Y7BoUqnA-u$Le0Lhf$Dz4#QZ+ ziX3X&jrq0ri7&+jwaUqmI1vp0XF4y?ryq0$6aljYjXrv%T4Zj6yV<2 z-8s;THswjF152zWBpH6jg-`y9d(Sv_bG-M+cMxY7{%Ty;M4Zr=NNy zSi*_5_DhwkEeS~F=hK&~Gaw-B#YCz<_9bMTwDw%(S>3 z)A>3OIF~02!3ke6p*Qgba69?t%J~qgV9IGln};abU#+hsTRt1J@|;xogdKT{V34sK zstnRiOU~5um#=MB{|O+iWGJ1eUZ}6JvXTuR76T_u%Hy&f=rVP33(v87 zwU<(-EmXdd>;}v#jGY*UH}d|XFfwvlN@o-N*wkGz{ZQwyQzxJhKW)A$%5=V7ciAW+ z;apr~DI8j_EUjg$mbNIgkH%fjK;|m7X|WE5PeF_E37;D4i0^|Mtkxl|fLMV1M8bst|pu zT+OXM(Wq?J`@F|BA2HRhZ0?!gL-7#^(s*?{3v_)4Rh2r#XM3vsCTnFbt9Z56Ls zyhMrb^86xA)T~8{3U;wi^zam8ed;KqU4y&(wQowgoS`{pk3q5}rl=jZ+&ndch$dt^ zEjlK>hjHAU`!}UrGPK%dirr$&X`E86F>k!SWr}nIZp$PJDa`W=$q-gtCe;mn(MVd(Q1*|7r;g2dvQ^m%g)6P0H|395c_kRzrM((E&QZ!3@0jkeuP7?*8VQg)q#v$ zbaJx*SA2Ld`nMXi)mC;uuXA$yB4Ju1e8F7PyG z{0&6(*GKb`{CDONOzvUGMf>Ma+fyR3$%@tnP_`!DE7YBq3m(??f)JX3%q>%{X~?@R z9dNjb`4)Gio@*NX{yb;wW?HuWX`;m%H`RL2F;ADR@$fdnE!A;pTj=Aw>Qh;cq?HnP z7(8mS!{45=&P=@3#^2`y90Z&$=S$O@n^|8*%mUkW=>7DO4||_7AI}zMnUR^1SzY>l z31-lF@Y1=do{$dH3Ho^OV4D&(`v!BTmgpz8g1!coX^GO;EOI>zuWz3BrXYpT0{~kU z7Goi*ogm5Qeb~dk3a91>umNV#Q$+>^XpNDhM&toI7!5~uKr6%)65$+KAI;6O(Fk?> zjH_;F$k1-NgSo?rTy4PLJTkGdk?`+hjUilX8_yx1yZfeEn@UW2V{0XlubDh;i<8?#KfcLbQnO&O+J2X`#Tw*>kh?mOUx19we)=hx_q4y`F&gK%g5$>?7$LU1I zo4^11+gm8#t%R6nqm9seFj=PC`_p&BJP^ihOKiYf&SPRamp3YX+jErd-Tn>JY*m+z zpbToZR`cyT(m_-Ua{Vb0w1MrmRFX@($NJhOga_Q-ezqFyB|%u$hRyp=Qytf{H$8t$ zEPoYPv!)`gjjJ^$hbrhtbRV$WKqlQy~Zorn12POmH z$JOJ_7G5@0kwlrmm-f`Bs$6FYvde~vf!+6~1U%oEy4uf%2R}GVN%!ZPq32?3OYHvQr7vX|cJPSoFU z_0=CU!`&oap^f3=iY#k!C;u!#bP)5n#oiPnB z=}2}das@LbSfFqMw!(@Ug+-_8-(4@_z1xclRMTlJiCqOgIaHC zqhrZ`oVHQ^XiL~&Fytw#N{$9<(o>!%szyO^b~|ZP{){}Yzc2AL&sr%O8)OdeaCIy! z#Ry3L9iH^oBqqV&hIRd91ms{#KN58~AoQM7xQXPi6^z3ZFpmdC73ZEUb#{2$GMAS2 zi;({M(lMzWX%&o##)r0g)#y?_%kA<`sMh%C0s;YSWn|R0J(YE(`rjX(JdrK0$DPLx z-UfJRwZ=Xm_zu3rl$Vc({iR6m&!$>5%ZRjEk0GnAs4aUcE)7PPGov+7cDxghl>xks z1%6X)4tRfU75erk%KlgE`{lr>90K<@Li)q@ZYcWL&{N50_unT!X~3zqlY&yp45+Bs zb<0ry0pAQI7_;DfnieXx>x@TFoKEpiPk>8%?(;y@)_*X%E07}1h6o+j@pC!EREcIm zvxo1JwM)x)gYR8MtAc>me*eziYWd!YqMcUh!s_2Y@fpEJ$!92#t7FNzySE9*r0_1) zkV{g@{RA``hoe>NMw+-5v8XdcfjxE7<;Ce{V_uuZY9vZpljTx-0kCJq*V^{-{O39_ z)mN9G;i{W3*X4ZUwj}kd7h~on z_(_Y@0bI-{`@89*lL}4$3_}%5GO)7cRD}c8gP^C=ZcP^l%(Jn}gBI7J$`lhjR|w?m z@lyZc^n6#>*)vi(a|lE>pcPv#l8KtOo7Neb`bQ9<2B}-#!&E0f4xMm}vR%@Y1P$^c z1sr|AYtM(Lk;`@jUW3v{E1#pBDf}HaRu_fh>55BZT@rwy70= z4y%ZWC^4#K%&<1IUO+M248i16t(XbxXC|o`N1xZYzG<0#No44p4|NmUejZG^lS^?g z>rjR!LB!d(VJCFH`+2BQ6WtV|GV^Mcv^&VizDx0|Us44_0C=C*Jo|?31~(oZnbi7& zw)!NGu8J7hKp=e7jz}G<-ysJ!U4%kTq{X0^?Ltds!RP0?w6?~wQeNxtr^yS6t&X(B z5d-DO5o+WZQR1gFB`g&Ty94z=0;3iScU|wsd-Hj5D-T=P%~k9W?K^8K#WLc+6iij& zl0K?ByYW;<%DTnR8pB<2&@VIdm1?(}d=^9Ja_u&|aeQQ-Xe6OX z9DGpe&up*lVb>g3;lPW^Gon{&mcz+TGDKy&(>J+Po3>obIyy^jik`!AEu%nTC(Yg_r zOt}wNogL{AEeO_gX{FVXVA0u}j*VES*H@d2S0fh^3scP$0g?2rmJIK(iiz$k{0_ah zy8>BU-%JEjVbUBx+1*mFTd>+_H$PwTt7IDhJVv1Dv*EbKa;+zTCaB*SOcbFvgJBY) zO{pKgGm&7B*fhcjy`5+p4k1>KqA)_MLLN3)iB*I6X*^F1gq#&)WJ6qm@eR5+@|SP` zbK3n%>1wK3c{>o@Dy$3L$}bt$XX~&`#b5o97v|k_!opHFL7sq)At5%QYg$49P9* zs%vo{=$meEsp1q@)PZJD!YXifxL+X4?$DV(J83!^Ub%j1HaA=nRZuQ0ofhkX#o)ks zy>)+qQwroTnrRc{!e>1OR8rH~5y7mYt~+!?Oj6&c zilJv!#ENK1#6yt!&V>XxT|=!+w2ePEM2s9;hKna+*3ds_bL{lucrt&M_UEXEPgPfq zz4jq52{jgC9F;tRrmV3!Z-UO|Je!%8Lr90+1OU9NUA7bi6uK*ard$yL0fEI;!V3Hp zeF@^9{#K_`m2$Njt5r_WFDt7I4vU4p5KN0EJEJdOjc>_7psvoVq)%%uRbP#N6JVl? za-ZL_F}`1WD|<*+!UrdbZ=lA3{_43#XN&#IF3obbyQ$7{p0(~>AT2q@hMR&=EKy=7 zuCg(!(QPx57fu}2W90I(e2N|*uqj`ww{vJ^6iwgweR?hxN12q2?c`K4uGyFfihX~7 zw_0s1m_2T6Y*eF%1qF)a6cw3{r*c$ORHS^bSiFQYruV#yXo0)n^5gTk0))ZyP8lRw zG}~Hf15haeR3RL(>lW!BLdCXKcVqtRA>BdQH7e||B<;E%LmzKfU8?Zpv9bmRsX+ND zo8f%$vUm?YU3Q6IZZ031JB0!4ajOnJ_RW(AXWBZzK5b&`U{91}uWwvQ6}5lyk@$l< zvY!_NFDh>QWA9FufQ#xsR7^u|d;!eyHE9W=I?Zklj7k|X6nGAaFsbBlg*s#ZU@DXOi~7Is3kV3@ z-QCqP?BD^GL53V)T(NU;soJM>$W*lZLFbh?~7dDFvd5T0d+)jtFoGI|T_1Vl6j21v2DTslnnv%kpMy zSl3X$9m?fD6if9WJQDLr=!OTR<4Rc}yNemHa9~JD3+Ddn(WEp0ks{q$RQ!IslLaye z&6+7kfWV-Rw~ID9UGMcNr!oW(hY_m;p;NuLrV)J+O!bvfo%*%|z`BvQw6r`sIVr`G zY;8T5U`D8t}%Kl zZE}BpE=w?MqeU1Uj(d0$TY3Az+WyD>Mz-tsKVKmS+SL?X+`mO~FSp;4Jj_&m#b_l1 zQcW#XuXr$OP9?`Eri)F9DvH15b-%GLR;stz-5fZ!%0-BYX=Ttz1G5O?dG~x$Vxs=t zzm3`Pr$bY{-2}59lF4cXZ6uc;%{2LbG=xlgQ5kDZKM{n2~Fy7-axJ zFI|+Cmnthk608OH@0ybv4AP>-uyj)#{Bmn8Jl}CsiNx!^{8$@hI@W0ZrJqD0A6NuX znr|!)Un7GG78x{nUAA*uP(T@BRj206C=hC`j>{Bb*yDdD`jM=vU_rNx+AH((4Zr?( z@=~kaR-MU5qB)t)g;B?Kb>=upKFN9CPHnhodU|ypCZmZVjmf#q)#-Arh3E!n;?kq_ z{Q8Ng+myKeaO3Z2iAT<fvD;BP*{6)Uv`9dymyf4$2|ew_4HCJe z|BVHrWdwl(5VP4#{=<^kb9T7A_j7mwQ)fOkVq(1%JT*qdM3(o7WNTxwN@MG2@AgV; zqN{ZoegqbWK(vY7_1|szmQ}@qdqpiG|dOb}l;wT)%KnxZP z5YQuCxwc=^ohNtwnojRW!eQ(*ntqL(FqY9jo(YsOuJE!OqzDUOTxzj28%%#HoXxR% z7a{$d^gnSxUH*bzDKJ9kGM2L1P>!>bu034lCI|H!kPhAhUA>CM=>-s|qbx~e6-GbJ z5%&D)*axVCZDJstiGLxB=TurOv*(CZHSm|NVsmx`}y!Y0R7D=NkvupNWqXM_ zGi?NfvL0OQOV7b=_#8fOQ%Q_F6p95&ab1B+x9klaV0#OjQTyq`*V=tReC8|8Yz|`kEGSw(P=_8MqS7)f=ZOLZoHU-mV-E@+^=woMoaykqiq@&LUoD(8Extc(Q$?n_|FDpmO|0O{^n9PM z;B)r6P3|p{#eZ6f{O^N`qt@8aAn^LHm!jIJ>U;jDp~v$oo8Lz{aG>mR3nY*n&;A^f zmWR~78aOZD1O~5dU)k!+1TCuH;0+4O$>|uwdHmM1sO#wD=QlM=u)DZhq-}Bf#t~nfDILt?B4xa z5Qfd5W$8|ie=w2N_OCEd1_IdGTsWSeg1|q}VgBH)No#yUVzP`3O>}lVQy6b%%-}uW+r4l*x-8pNZ+p&Y zm{y~hI$*)1mqDSdXODeh z5k}^(14~U^Z|A2rkNsbOHG~!)n@q{Mxw)m%dlBCJ9B%R)riPf>_pq;V9>7S5ag(hbd zFca{w3&x9*P|xMXsf%r?%Nv7N^rnnoS2V5D*TC^yHNWD9`Vf7M?VCF~de;^ZKf) zN#9qv0ey;Zw(GrDJee=gf6&{;>LkO%QCb67CQHoj_h&1Z%l#6n@YT~fis6?BS818|w(>YsMxmgW?4q&8z z>?|L(W)cyu*@)vYB(N;3t!e4c>jSQX;BcUYS-bC7aF4qY9gq+^HLCT>8@(qLaz5 zvsFTxH5CH<1XI3enBW5bMyy)DH*~@~3YDYd)2I?=Yo!VS1FP`%`e>nsn#C{OIv-1z zU)6}m$R2|OZp!Y@oU0hXQPT|LZ%{x8AXJ-ub7v<6bA1X?MFSt;#Ze$|hg=bv^{zl{ z!jC+wO#8x)TdN=|yXt&q^u0ue>QBwC@7WZe#lpk=U6oo#qjQ>tA+!WP_T8jr(Bq#! zS!L_#0&Kt}j(e4Hn@cl|qR$ljcXO6lfgr$Wsc|iDaGHzESoaqd&C^JY53MUgo@lx} zT5#O;d3%Tm{2{y`4vfug!9rF8IbTw>ErvR%_Jg{QJA%k|po7!&wyi9U)hRgAj3!Ts zV(bjXA8zk#mgW+M^G{D_3by;U+HHW4;jD@>nWo4Qkk5pLd&+ z5-6r)k9(sD-y#5aD*kVKNdH#*;2U7n)`voF^!6jQwUg64@4xMSBUo$$^Rr>&r%@F0 zLhYV!VgFWUOaJd*(rEn<7|@U;K|^R*<^7WX{~zXgc!k(hL`82br{EyX=^a}oQ|2>8)(-2#fngbA} z^dq{gxa@n#ypIu6j^rUwwSV|G}8c-Zhf9NDiLdpR29EBs!i zFJ(0+Zq+W4kMEmuS|$xI+Jha!8cfrGJG}8VX1}W4b;FeD?D$-JvE`uuFv)&`%W4fC zbOlUWNPO7$3}y#W{I7;HtEGne(7`+wVUk}J{|2*?4TP^m;G@Hrq+1pyfBAj?Mc(Uq z45mh`)@lssz>6aB*i;naEuDQ>0Phl+1mWE+rZ?Rltbe1|nP$bGwZ_i5SZ^;1&O5rO z7S&+c2Ek1YjOu^!x-LOguS-oDZ+uu1$m%?LP5-;K;AiXF;5vo()j#Bt7k;TpBGiwn8Mc?S36r){z7g^!&>x=B8( z{RHc3o~_U%L>n8rcF#q(2d2j!ApxW&0ruTePm1E|Bpff+Ni9~xeHv^?H}StCq-_=d zlb{mWok~j_4K_&9Xg@3k;qKH2qbSs%=7WqT@hEF|!~M{~kNZW5FFJ$~;sO!kDpkMV z=4L0<7F&Xp<@M^WrdRd56Li%<4?_4xC}VuP>}s7R9j3=2LT<;0Y!{smS=&GY@zSiS z)&m@ZGQOni|GOz~uq%18W;(hkctX9R)^ie7?CA1T`)=U$!{d3lNu_Eh9SI9Pk?fE^ zQYK?W!d-r#4i6Pq;0D{$|?L~>B)9c7jo}C*8Otx<8^n{b97b6ZROqj@ig`y zk^IxhqN&&0=zMGG$VKCSufs;KKPH-88d*OQxv*F|n#EhieUL(r+G65(P$iU)K5n{0 zFEc(qum%o4owETD5cT6l@-_MHLxr6I+@X%rn_I(0Y z)EMmS?1=C@?|D>S2kn!Y4i`_d;m7T}t$s zW<3pJdVAmIz+J4HUSsKKHzf~x+09#&Rj#P2(GKd|;k)YPz0q;$)V&`1UX2D;c28gfgKmK0{DlcSMliJH_KBL?1fc{!kRtWGpqB;mVQX5+KTa3C~EYWy` zG31HMuexjkh(S?uK)j4(jolSfKO_{3?~i}GZh2tgvFdapKZhr##6A}XkBR{v9a z^0F9M^FXF$ZAc8dp-83Em}VDog`$w3CR(q$L`?La7ge7aF3vYfip_uiWMg*T2-G!- z5rYo}^d+#JEr0FfAx$RSFFoWU*~;aw;S|5lRQ(=rfL8msEkWe6$1=zUyJL5h9?E+x zj`HolPGYx1FPg;gm$En+{33P=1V(jnPPD76Nd(9qc~Vpo1e1Z-z^wegl2O5lLK{Jf zX+=~FJrDL_m8+AJA<$;-Wc**R)gar0h91+L0z-&qiNo+@-eeAaj-kp`^M5~cg)@)7 zg0?#qwL|M@UN#2RHQnFGXnuh}0C^TwEM4+n#$0tiP#gg&OpA@AZD|2$w&aVEmD(Qx zc5=|a5clng!f|o&Z3Z)y45o<&vIt`bT}eau?^SGcH4JS}3l_m5%6cs<< z2LAmRGbs1|7?Q=a`*ZVc_>RmV2`j8$;1fBdNN9ga00e+MwCBnXxYa!Y*P6Qf0+or`0m z=`lz1-Bn)V<*~7m6MS-c`5?Iw6a))$-Jjp*dVO|b7?0Q;h};h9euA$z9y`2oN0MZh z9X-71HvmHAaf4zeaqLBTw$Ew*i<-|g$LsiCy^31WehMR#p3{n}6G4$HMgL7{zT}@K z3@MyiXgA?R3D$3WT3EGM*Y z2=~QttG*--i1oISPiEF%ZL|uiBnWLhRZSi@dEk$RcS$TX3l!1+_1{Nww*Ks|FehL3 zaghE|U~b~%KD;?fxCJmS@|%kjhJopVYuU;-Nkx|V7sDss!vp81C0Inz9^8lKLq=8k z8L5%zr#`(j9X5dC#xqQ5y^SQ|18rrvEI3*(eeWBLuqO3mSatc|SYmEk5CVh|(g$1t zT-;!wFV>^IlkL6%Mi*A3$98DZ($&?iQCq43l03LXS>v`=e&!J1=3-~uXI~|^*_wj6ceU)2|>YO*{%C4GfqT4wNU;~ex249?|bqYupl6MXUq`rrIQi2 zU2nbJ*L)Cil@f!1(NKlUrkjk8)y0{o#2%te*W3L=PedlK)5_aJo7(&?{7sjwnib*# zV4d)JH8ne9mJ%uCeeEar_4NTkXU|E({1FH+9aSo@BAG^cud}EknrA)H+ZArgqo4X$e$h z<->@6v6i zYSXiCe^G$^D2BPP6GF3AU5V5}N)Xv)Wpo+R0H;^E6p~<}>g9NcLfkWn5$grk7e;^*u<8f}j-iXm7j0%d?W>z^IjuT3}2w%@ia5#EB z%Ojw>;Z7uaSkU6Z(Q9U18r!trtAsR(>d2|^lOW67r_8*c)T;h=+0%VoWSx{n-SFPR zO7OzqJ6qLp-PWxN5@^=0+9>`g1RhTf#-XKZOddn!We3Y-v|>gG zQdAT?^)&n{MUN`0Sln6>1`wtq&a?X0C&KfcAnGp}W1k>N*mNcBD-H=qJ+r57;1IEu zi&YVj&4=DtdNOU4PuWC3-$bk(92Cn#NJ#}CK|f1larXSBXfu3(^|!$jZ^A*9R1wsp zn^SH>e%USg$;i-|Q={~5PY{%l=xXkw!C1|n0N-US# za<8|HjZ9#&tMlZf%qtsLp)M;3p+<>K+6YSl%XlChFHa(>^C&mWy7S3IDA6|NS;oi~ zRhSlCHm#A#Zg*Z)C$c#7*B&u#H7;ydE9t2Nt2daX?)(_{1j0aBop|1yJqMvVGigfW z2!rsKj9U_kv+PdvjfA+)_@cuB#ci9mu=K#($t^dkGK4q+40!LIZ4^;qPc-x{gdQmX z6J#5I5OO$SOKXfrA`*Q-;5u)liX}Ozs)Gr2I8gb7s9n%$Anx{kMw;Gq9 zcwtjz{9P|ohhZtqXZqeoL>_q&opmqiE?8@!Ow$FhWbPn5gr0SXP;6h~aQMV` z7@TysgOu4qSqn?c@8lR)uCM=j!KNj?oP$D$OsIas7au#CpDnR4bv^Qzi5WI%p>!iU z{k1$4M2{-)R94oYRc>vkg%LTu1(LEesY}xZhS=xjkAkM(QlGLd@)5j)OQ8>{Uof3N zYFh7Ln2HNL*@Uh6G@;5-hWGcNl4E}hPl?1@ef?zbk7-Nsa6@(ZwJa<~i3kcoIk`A| z!|%$zuBPL24V{lfv!T zl80q9K<{|s%I1A!JohA$BuwsoEb8Md>k|?-VT0u#kR<)mT?+ImaBlXoV9HB}A+AGJ}z+FTMn!Y)w zNfUL^6A_RPh7(4yrjEv>akM$M0V0$djgQB5jMzh0hi%?g-Z<2`#$g58ZAy&!bNr># zzbDA$GgEoMK4Jl)kS&erAz$^H)WJa90TCt~2u$&db4ia($A%{%B(Qynvh%T@1?gWR z82kxgMzNu8mMnYv-V^S7+YdN8Fg3isjmcCQ@kn6-?~K&F1lcEt@s|EF*#*n^u}RXZ zqO`daWCVCAw%lk-3X=f-2WBX71m|7omyK?sx)O4wZX#UUbyK5zRISNWWj~Kdo*ogu zk9=Eo1W|WERdxl6Wz{SGBIc`e7FiF@8c)I(#vDEbqJp9J&Fg>kcJ!YK(gf7}I>Y-& z=5Cu?0=h{JL&CvNM1k50i~>pG!fK*1CpO^2bP%^4mH5uQG#0zxt%VUieMD{h!H$=_ zR%yn5I(haFVOk_yVu-Ob2!iFsQm_FEP!V*6aE8+a}gD z`sx`jXX4{4nG#eq?Pn+J54z+X1J=DG#s9sF z#7R$?TJRpq3yw}ozuI+4@5ici?^@D2Z8m>|#LW{BOb23?u+UH_(2h-vZxX11mR#o>`5xQ2;2hklUOpvThJ z%1e!eApQy4p0kQ(8itF3A;4=_YE<0+?f6SYdFknoF$4lmmK5V4A(Ix**E6@O(gqN> zlKSA^(mKf?QkBwKsh$h(Vq=wwT7>qjTKfpjrgC=QigCQekYP8E=bV}>AKZLAHZBxV z1ey2%MNZBOF4d$N5`|Hquo%sqocvlB%Bjo6{~iw)Styj zrQ)(g`Lm{vV(^$iz)L9#A<-C}gQQw|G!a`O^bs*>rK_EdReq*+;=Nql-`*~lZ+wB&n4aSeik=pyc>UQb73=L zsO?+@DGN3@_fx45Ffw6K#k9cqCX9haF<%czTkOdYM(HvGAZo=W?Yi7E&}v5LH-Gp> z!h^=nCmOpk{i^fZNgVjP%WBg_U<|04sZ|Pyc^5=zx(~yEXr4rFYqe*lGDN1H+Vb94 z@^BQ>P8Ep1IqIh6ydIzCOe=y@izkgR1R9o6Afe8k|imNkt@!*h*O$${HVBQQ&o?NX95=ia326Ozc_^)ix`w3L$(#iwXQdyU@UYv5)2l_d1g*0;)ZtL?0+xg5o< zT(imgVy#71R`%KfFvLt=oWRo=RZUHo>n@wbLSF3xRO8$smND>RB(|zHZfO0L5lz}g zSX-cf!Hoh{Skdu#!lb|JkdbphCJ?aC(x#=DQ~HdBirIQXFxFwoKUj|Q)~LyB5~80m z$keXbajPZ*`%B3*>0u(tAeMZjx2pK_{o);oo8?6YtG;nw68`4tOn;yngI?W#{wW3v zKNL-{cA$b*l)BDp)ZvnI!yNn&sAbLQSlfcg*U%%!Fg9>4V=EQmBy$<+sTG)Ea^8w* zzo|ZSNv|YQxWgq2O!$|mQx*&W1~W`3T8zFe5JrxIvX9dH-Q7}Oi>^WStBhvu>- ze9J8r%!ksz=Ykm0cW~JfV^$h5GN`;Jv;UL95T$NrP|2Ky@q~A`p9ej|8=sE5e@xaZ zPlKWSIe{ir11h{094V8hHs`3#1*8iUXG}T_>ZP)&{GJX%ZmUTsh#*M`77-7YskiL- zc7%j^o2;mxHU})X5OkX8(?Qh=DY|g6OI|VxCRf)T6mh$wLPsRB;ePMhQ|) zQ7H>hBi|T+GS(KJFLf)2OiHSk2Q;G{w-Q>lpW~`xRKM~nIsmfKP8G{pGcfi)-{6gn z9z0!@H}o{L(S2CDveM+V8b3r#cMwC8p+EHXfw1A=iwWVY)k6IhPofv{N{acy2azy< zfk-}fZzrpQ;mb5W{`tNf&#=bTajbd4*HZVVA)5h%ks_=NH9hXg-x7Py1kLwKHFlL<`bAl^k+^wT1aDa|wN1 zeH}sMb}Ieulju`$C8j~LE7_+qM1v(Ocv&P=Hy!ciC7%R!s-UjAh{3xi3u2lql4_a{ zWGE2nEA}w8NFiJqK4wV!)Mqp{LpfG`id)Xl>L%AOfok`SPljglm#emaZ>r9?9J**` zsle1=Mk}|KADl#JMx9o}7gs-ZNgBh=*K8K%^hQPz>$!!%>`m+!To&g4OcKtfFRSji z)kE$8{v~^Bn@cCqg+zIu8PX+nsEdZ7a~XW!^bG`?{9C>@&z2}x6U+_uFYEIKIciS_ zBl`o1)jU71O6=~o!Ge(OWQ(PP#qnUt%by*UpDLUc3*eywRhLF}8IFmMH!8;3(2*sj zgZr^Hq;#xYH4~Fn4u}orSuXYM3wb;(a7jsja-*xFW6g^?4F4UjYEXclGPtr|y%ybv=?!PN zx87f^fgg;T{)6qu>`X}C*O!Yro0rFhpy%lbln^!cTyc?6X`1#m_W1A+4<-p31o^Lg zdD`WfNbXm~J*N6eA<$GzGylrE%^orPmSscm_2Mf6L#+*4_(9+)M*&r8%hU7ah1I6( z^}DJHZLZ|epX4IwFt~`p-+G7rqU9q?#|n||{)RMxJV^#!as<8x=M5P92e}1{CJG5K zKt&@gc{kLQF=K!QSu01cogg#ms#b0kD1|btE=zKTE_^U-h!A)-Wc*I*tkd_?g%{No z(w5ddMkEd<($}W5M(Q!o^3!FhY4~Df-0Qy*XcH3z zg$QoH2s7q%Ud#*veY$0kYOf~?jH&@+fk#m!hu1uJD*68b`9KE06R$d!7Rr|z?33lg zw7iMe>JUfVuSJ~fMj@(fizkSE!PZya^iI^abA)kE{N}FGzve8eR<+5=g@LlkH534I0DVJktdV00g zbXDU^N#=zr09C1MieQ=j&~O{;f$cS|Vadp#i03U(C5cC5w-)Ez+r$YmyiJlR{aK;V zphhk|=Tr@7*}C-(jf98a)YTS{$p2;{FWJ93sP9k-rN7Aov}A;mvPLI!e6Jt~b-9t4*A+J7IVy0(VWQaP&r(R9dF{CYko+~ zj1>TOB^tUvoylSh3SL_Y%R;0P0TQehFQB^nP!WoNCk45h^JF!Cls)a$lCrpD*Ot`M zhY&Fm37aS;-iWuIa};_jan$q}u`kU3cuy`jq!rQEpTIeU!&BssYly!Tj|NOWQRYAb zw+g93vp_Vq1TIA{za|DIfpE zy$|Izjbf@lB_T}UGQcuo#iLAMB?_**pAbPGDbbp@3KtMk$P}tFB!pE1Om!}9483t7 zo(vuakVc*Y#_+sbWYTS^z83|N2&xKN5|Lp*A^+*)kINfI zPSZ^76RkWjs@R`Pp}y=eNr^$^>OPrYQWBu|27ug&)uP__oCbOI?Mh!ZmoKFPiwBX} zc?G7gDJa+xR@p`#hBTi>=GU`J)5c(k%*AkJ93`mm@5R-Dib}bCa>XJ1=Ssd!6;4TtC9)2Ip_e!yT z=AL9Q*^5OIungmV1{9!SnF~Y{i+KQ`QsCodL0F=-G&D{fJ@)PGT@;UdR>4s49vPPu zLY1VDyPHm*S6$at<;)zJRW@;5{Tg%uEmbX={CU7wPSq0Bp{dhL;NnhVKp zaiN27u4?+Rhs?fUdik$;#5z#SPoCuot`3~fAhaWKG-M?<&stSs-i%r6-0szA53O`4R zC@{<|v)jEiBV?I{0&TUHT$S|E1OfJPEk-h;h6%{&zv!9!VLoNA#wVrdsbVJjLI3g-)gsBQ5D?KZ?!3EVZG6ZCb zG!ZduwmBlwuE(?7TtQNUDsow%cXr#6^zySB0X;o1xS+`oJPD$J^8$(L*!E{31xSsu zZWAx}ZIJegeuy=-0%t33M}|DUGVU=I19r+H>iE&E>w0_1&Go`d)-fENP^U!{0C-C? z{*lx7fFK^Jx|3Zjv)F|TpxwK391baG0GoJu7h(-OcE5}oEekDqg< zY3*aju)vu|00u`QiYRJ6kGf&M)o4M4S}YpzxNs(52samTe%=v>AGQB}V##aozWc*F z?}?}DqKP;vsxR$|8@eHa0UteJ=9wR!d*?r%`P-|@)mRK|0xMZSN!ErHagib*=uio} zTu|Y!K^SwFwXqAA>;jI^SJuiV02F7#tsRxk2x7tKAZPAUAQNY)R}aIAUIM{Y>N{W& zC!ilcLR?!Ond_{tD(XJ%<2UTs&LQeb9|)Vb1_8jdi1O=S{~7=;zW8DRBqOJ|ho$F^ zkVYSNPpXW;RDIkkS*yeAb%HFa63p&Y3Q%j&^7kN|s6i8?Bz2nGeF2eE}3T93;Iw^J*An!kZ+-HwI;(LEyJebb|Kq?mh?iurc|Mau3Z`$NK zjN7Y`tV^n(6p38Iy5jyTa_V511rxL%r5d>xUWPG3Ko#mSLL89;htu*`2LLV(w-Bl! zza>;j9F9<$%23v?TpJ^)Jjs!D)qShcTV5V$TG}&!b7mMVO$`w>g5<~})0NBtfFk)E z62u0x_D*u?lpaf{g>js>&3FbK>0K zh9L?-6jc>|SVPx{a{yE#s-mih3^9m3(EVaKy;;a#neQr^u&X4XT#Y)}g(>KwRPm~F zHe<09W+325R*I$L+M*y=nD3ESr1nuIge+DPhr52r{`s><9{~X0{q+3r{dqAEeD{p` z0Pxvkj`-%E?sogQT-U28N^@iVmcap1m~-u6K;k3uEbS5*sTRLHgzOU4>Ix@4?HHtH#dw&jQGWmuE04S!CTv1bfePVer7RzTcawVW8cK8Vg%&bc$ ze){|0vxu5*YKo`QkG`_(%oC13^{6BN^4#TnB(53%#!$a5pv zzcEW|Lr6{?1;Tp8YFIL|_~E<(j-SiU2<2o{sEH6K%~0dfSVRG!z?a8}MhEK~Z6GP6 z)Amn=x;h(3vMr-5j$aQgDRR#H2M4)f#M9|yLqj5+QKMM^m^fxkVQ3HlJ~Va8G3S47 z!6!a;$ysN7bk3|3F8;5_fBnn<`ORxoN>Z& zmz;G*=jJVcS^7KxWa9Co&;Q)FzVNw^A9X};SJyW#Jin*E|MahYOVa`D9%KV5OWWW>Z!wf$Y( zRlRa&y6W~*?P>C0mhP}K3~#YqQDeFhuaEJkgV*9KBRGNOn;Fzwy0k!(Kg59>YD_J; z5_*#FDm_oKa?6M^sT2Y-rl?AUDT<=1h`6q+OEloReer{ZT<*@lKDuu6mT@gD#as>m zn4&~tanaIFD-=F{$cF&nM>pN9YsGv1{=~Y?TgEmw4fXW_z{5{HUCifxeDiMs;8RC_ z_}$KR6GpfG_`fgF@_DXnKmeS;>fb^E3@i3kbGOgSN-J;|lT*OpL|pWg@qf%J7IA1! zK!il1(!unRk;FpcZa(79uXJ*?c)#uA9?wePaJ&E*Uvxq7x&$->so}26X(pXOD6C6``>MO z7m3FbnYzaMjA&#H0FhWMURM`QCINtRL(Dcq*J7zuJe@|y5J4~I#et%UWW26Ue82P2 zNAG*;=|x}p@<0D@+uxTy|C`4im)!_~)e$8E;N+(ds*;V^TM6$l&A6Odm`(uTt)g-9 z#TR>Q5qZg5I){pxnmqCdv0QdawU!Mhl(qlTra)lOZlvXf-@WE>WXai&Ro@3HV=j2z zq#>Ov!!5INE7Zma4d%b=7_O1I2PmAH8tc=s1j>r11xDgiw|!eApSO>Z>g!GH+!@IZ zCU)+y{aOGJ9~!FP))kZ;_5d~`pAd1d?DB0KiJcA_R&W!d+RL#P-9U5IQ+ml z$k-Vt9G^+0e*XJE2sac{RHiES3Ela~qX4k*i=PL8(~dd1y>0Z*Z~voEdzq@l(#b@o zPP`3FVQMUT#jk$-%BoeP8XAg2Ij$E8xLZt1YPOWR;0+8o9845su(^!35<`YnM}PHf z$zR*eLSVU*7oDU;avb|L*DYWs-WL00GySPBk^v zGvR&-k*ZJUw43|#HxCqU9w^Am#gdx`i%%EyVF}oZFuU{vtxlkii1RAU5(@u#YEH%Q zOiO2CFc$o&=B}EAe&Hrv8EY@d;sF|QHLEt<9TEcpoGR%J&J8LQqltK1V;unx^NJQz z$;eP4UzdvaXBlw-NMy5+b&|L^vSKn38yeIS2`6TTD3Ycaf*OhZ=I@Vl!}$A+zYsq@ z_V1-Xz3unWcsvq|0YGy@!#{riI{Gtn zG56_@=+>o5=L?lrVC_;+Pk9OjL~V9a9ra%?@jzMw6( z^$kGq)nESVfBx%BH!gnAz0ZK7HmB>Ni3Dul32|*Mcute;nOgG=K;@^>r zk$8D*Y}4EV4^P5j7-H}$Z*OQ!MUXI7d~wX-PpDZWyLYHTPb<9C4&6+AhLLH=#8fqO z1``c5HA531Lp_m5Z{6l8CE& z2pNkdlgWm9#uNbf%aSF(zwiEdDiuqm+3V9>nP`{mG;t=bXAqVBsM}MiNp4^?0FZB zhpxh>2D#dTg|Zq~db_HI>XIn{97h;fYs2qv2munT_!ZHNOd{FXSm%9Ka$x}?TFl_L*12v2_jveb!x4l_g)=y0hb(uu6r>H{|%f<}e(#&|t zTbePlZ&cNQQL+%Pil2rjc8BK^11B^hvbo5eIYt01j1@RMYb&4|P&HC$Z`qW!5p0oo zn87i`Z%nG$bO;R2irSd5Fc)AQi(F6ZtP8yy;AoC84rm^L1dt3yMXuC1!3vqI5` z#lk0vX{SVE2~~~8Q*}ffktvY~Q`6m+rJ;_VWFfL^y`7KaBmotHXbSxZndBBkBQ(jUR%|0Sxh6|vnBMkI@I z?;9<*>$Qq(tP8QeGn+`)lZ;?js!QHF^7UJ>j?k1&k8Nw|-@M6)D1Znd^#o%5r;FOt zMJ>QI@>NS<1#G_Ls+;j>;;f8QCsY8kK>sJYT5d}Cs;Gb*fLjM*01SwQvfg5Ov%0Ls zMnni`v-LSAOyOy`VN;1yFvf&Z)+xi$dTS=hUU6+fiCC5pn4G{MHLp#cG@&jLFZ1Lq z)zXNl#aI*oc`ORVwRqf6R6|ubBG^hahUyWhC`?h*XjC=oVn>2?Q5kyq^vn5|aCUhlsh!f}RM)%2H+K&2>1{(pMDk-e9S#wLSb&0{ z0Bu79eLkW}i$KGupnOf?(RGDV<6al%Fa@>&4o53*fnh-Dh-?2cPcXT>86KK|pz??c zI@OMD%uMc>@K)CrN+qC5nsKmlkURo0lzb2|_+FImzchlw%Nh_^q`|B8#SOn>uRBB$ zo&a1!hX2?h)5!bOv~W`tIAN|BE6~x09ZX92nJ95yzM^j{?<~}yjJM%d{sIbib`51 zKFNV3F*a6m}l5)Rqzyn2)M!Wy3#*% z>c@|ZM3thhhrad{CLJ8ddVpB9#BXKqAPFpyom1c=vX$G52l|)7WMa@;M-FEd`USMp zGYZg8plh3GP?1|$B22~7JoD9v{SxmjmA*N{F zenLnp8LCxTJk>TFD}UxxGF!Sfs+KC~nMG>wQ77BeC`&MqPN(YHqezhzd1@i+|e zj#NrNuqu;H+8hzaFwqW2?v=w5RmUTvVHS10y?x9Dr+xAd5B*KkbR!uBg_(i(k|M?? zleaSk%WzojX6IF4a$T8f65wt_L~x55Wi2Xy6^OrKR9OKX$j%$|J{cj`TP@OtS&B+c zxW6YX60mzFnru)AoSTJ-hJl8GMFTj^>S&*T{Lux2cJvPb8}{2G*&dc_#a%FsRHD|3 zhxt0lEg&lG`GbC|+1+v~RLLQU8inkGqS>SiUCj!SWVwKHXM5o^bk=a*Ybq-WOUgBp zn*tzWh=4+oCq{?@q{$9?mr)C`GB+W*w3rb5CZKZW2$gWXbq@@T8r8V)i|0PDk6-vpLWjhag z+hvCJYvKAX7|hk!h@~f^^-k8P8$EZg+Tq`W3a&^eaUlc^V%Z#OIsil?k*OUMW=@^7 z&zP~}Mm4>$VN*fVc6|oe$_OEO9Tu!q|8pwgF?F~6@C!7jEfj`kyLxg2ygPIX%Y)o3 z{WQgtw& zA`zZW0&(JoeH#sKSbK9m1Oy+*0(f25Ip?~r6Nzq32IpLS@eg}V8Bq{Xwf#v1M4U(= zAo|d_u|NLYc>{%f-%zfo8$-pyKrX+de_-3%wT_A{(yxe0DF6y{^epZM5e!r~8GuuP z0p)yH}>uC0{{Tg`<-?W(#+6StrbL-q~psNWR-*=>hWdLn@?0uNSL|t5T2|oR5I{QRV#{8XU@M`n}IQw|r+Wm#9~{VOUC^10+}j z5+cLkVi*S3bzRqWKahxjiI@!}oO9KQOK>1&N{Ykxn||kW|1PIJRWb$1C2Gr3M5D2L zUPv=^K_ljZ&;#WT*@`6RR_h2Z*Q$;|C9*acNG+omT!_aj@(==Vz zG)>cWy;v*~w+3+{G7Li%^MwOv#7tEhaKNa*At1YnLus+O8+Ghf=d3zSa2SHpLO)jfr31wqx6 z9$1~gtvb&Xhq<3Jx1Bt$s!9hd>rD)3RB7c$41XG9CGVpv=vQ5H#u!7bSg0bcIrO;< zM-$muEC4q+ca&7ESQJU9B$>bH*zq5%EaO6999K~}3IUDs7-LOO0QZg5_mFb&sOP2UYUMSTFF*%w$PUQor^H70Qv z-wjj5u0;@ZE1X0_Dq$a5{i%FjILqzkX);p!MMBx7jaUI-gsR-Z>!4RNC=)!W7D(6# z0ZFygBh><1HP?$69vd*K1h%q35_%oDD>W9Sa`b|vf7L(&RLJE#oJpnPaG{FnaQ%9Q zu1m^sE;nQW372wZ#ODJCBm)Bjg+gIqU;qGwMIsPoaB$ED5>3;J#iF8MzK|an7|=CM z)3~nd!V{)xnkwUnO^#w1MpgPkYeZ>P)dWKou})zCFko<NJrGvNhZ@exzoI@9nZp5Y7!UIM;PU*9=|fy3RQ#gWQ&f<@CmoODL&`OTGnb+8b45 z>3~B?QeHecf$^#Y?nnVi81OS1L6_99EIBL>093t2Qa-^Uc$+|Og=+3|rShD-gl&}p z2{(oY2Lr6?s^8&dNMXTqUJc?!J&YR189l@01?Ar0CCQn86*_8wWzNi%4rt~IhqSZbK z&1Hq4}MO29V-cKrksQndtQ{C;-gkqm3Bi zfNK-xE_e zHr*?R?hLJ{X^D88hz17-zxc&3s-B0$i332WYfJLgPD>>^;?d1TeT7bhit{EI8~_YJ z02pFQHvsCq3E-&4bZ4&k_F%3QkW@XZ%DN_kM9K)Lh~#lOQg%kIH-FN28#Og+<;`xH>%N!3{;m2FD9^A_#0 zWEq(iNp`!sn?sksh^9>D>HmIZ@|dZ+6UF71i`Hy==g6P!zhh^wDAuZP%k zR3Tpoy6;%kof4a?s`A2%FC2CBQQ3h(-%Jcpgs|KJR8@KYh360d@Zp7gaoDOhA_z4U z5fzoGkw`SEMxtsYqN)+|UuJ6Cb{`DWJx^qqIl-I*(6vAR`Pi{zZ@caHoEwEgL6wwv z&WH(DD-UyhkZFi~xS=l3`Rhe)Fr}=DLV!D%+Ee6XRdz&U-E-ajdO6LqVi!ahZFO+< zdxb8Y3Y^y5=hQMd=Z2;mn%1*%L*J^E-}=VaTiZLf_4NGfwH2J?Ok$L2+wErX;shCr zln0Ym9+8pNPuCLcPLp1;)11-vZrHoCXBIPyKTVB1Aig5<+0aToBJ{b@LVO)moiHl- zpsUCdb~0|r%!?xe;6w%|PMmXc+A)b9#E6VB1<_@e1XXmGoW>!i6aq)(Nyfr2ceg+Y zRvv;34PSWMhq!f6OVKxT7KJe&`+o!X+0oXT%jXA%a-OrnD)GYCUeTu3ma<)lfM{rN z==GJW-+6aEH;6c&y6@yiA6$~_#g)rf+ie!qKmY8j z6$|}RO@k&)X@6ze%e~w3&;RSy5(Y}QAJf$MPhJW54EDsZUl&fC zb3@k)`NBZIwtnsZ{nj^I#!uL=wF>|e(FnMEfmm&t2+1OaXBLOLjVfr9oSU%}8xEw( zc=tcT+yUFfarnT{=?sNVQ6rhiLTE`{w=GiI5##}bDw1C-!5AtjZtVni({;g#$lx52 z3=(|~#Jv!G0Z?J6AY;N2Xx?Jxn1y8sbG%};grVds60Mjut5Ua7N%2pW@MV>6Lx3U5 zcrZhYqfRk{$N+;A0vA|fvF}JMdSuN}Pl~%!1Y5m&62#a{K9dC8smsWa5t=7M-u9-5 z=#|caj54L#nuXv^2-8Fbgf!)DiXV#5VLHHFc`LmSo%3uqyK%z?K)m9LE53itHEO^l z=EOr1!RUH`@(_V5p+W~e>*R^6XpU)2r z^mo4d?)^Kqc1)etxp_+>8bjN7u8FhvpGVJn9~b|-qJtoT2fJ-^Ur3k8~G!z13HUBuoHLAL9y04uUzthNM1z&Y0q zgCXji10r$`gur<)05aP)Ml;CmC+?CCwt2_;Q4M1XdSOS;7W=-nWJak|yw;X=`9cpW-t?GiTt+8FoA?)cs2E~b&eqjFQki9>O&>w2M3Sn~Me=YRIIL%E?;JZ2q}d4R-}=4jdg z44kIIB!dNl+2hgCB0VlUt4oy2-*4F>Bnl+SrG^qpR*7kaknKLRx|ld+?ck!8*%h}- z5bp|w_^o_Uen4J)UfB*_I1r?Psl_`puoM8S$UVaeAibG#F zFsc|FZJL0}y>`R19m;nh!{JW#%5cbR+DSw}1|kF0zz~;?D8vGCPZ$7Q-7isaKobd~ z4D_A=0l=2+8)h6oe)TgOQcbZBpS1tJM~<%_onH0Kx+j12s=@g&pF7}yk4+xfF|_)h z8&>^uU13n0`LT&BAMG61+F`zScAOCH%4kAl3>h#$Acko35CH|7cLE7)vde05T1JsX zODvj+l~}phU&!q!3|kfOpI*E<7Ojhl@A{xd1B7YJ#k5?Zd+V0&)_mj4`e6sCaNW9f zU--foRIds{1QeY9J2O+4Gx!$5AlPs%S@X)P@l<;3zM&_#1(noL?!}j1KKMf)+C9!; z91*}MjXPv{Uxhdmp2V%&cN}=|ht_V~l!!!~7!gA|p~Y_6Yf5v*Y%9bpB(`D|++i+3 z0%E4bH#vuq&=&J{FdpRwicSY)6qrIb!@hWDEj&ZBcPh$VVf^pFi1)iD2y#F8LK4nP z?%R}eG8p6BupI~@4TqabD2kjnMPZ7EZ19%Qmw!PyyQ1OO=J1R!!G zWX${}+#-R%mdw6iOBg8j-lCbEbg+;-8sEzUDQ6}r_Z{WGXrCa zyku97wPWYbIdcwF11u*(zt<|t*tAUgrNKOf^2Y%H4EFSPzPkM5#~i5}#^0CxW8WhV zSEJFuD_yHo%Z}~Yp`mm#343f*={leaUd@k`Z9Li)y);W-aB9?#J;<^V$4vwHZcw%)O7J3;Hy22zhvIrln zq&xIoZdbXT8Q_Ts+394A7>NKMM~2AJ3`8NJX_26nOl>AX3yXwV^31ITTmM6J{q15j z3oJ{biiEDcCi?FIRw%uP+cV34>NFg<2#te*nf!-D#1uvb5kt<98Ayms(IY5+cvpbs190DkH#YaFzqAl_I|a37KxdaBK8{u#Ei*nF~Z3 zJ-W#3?QnwiB_N(bQUe>TIAvpG^{~tcZ%f4=+I_IH6It&NSlcrFbM z^{Q;RIUWJuIH)PpIg~GkC0P>zz+i9hx>sNO^0^B>d+Mi%s4kxP^WUG`@7SaKt1~n- zf;EFf{Dl{eJ?7{V=g5kEnGN@5*54EBT?qiWmJesgp430#OdhQ-C*OwaP^cV`tP)NV z+%(+aoHIlQs3^=Ni6a7JHczHqBVs~}9qO?BS|GJFH$%pR1RP8$Z?4XO5jZa#negMZ z;We|3NeZEp-0YS~Ji-=-82t?{PgnY~jG z36KFpB!(OTtxR}vJ;=m|toj;p$zFmil)?^H6h%4|SvP_Lj43AXprk)3&`C(-52*U~ zMk6PHM#dNs_a2Y|apDRxj$8rcCRH_(d7p`s)aY4qADQxoynb8Hi6Wqu(*fYooBs9c z-&POx<;U;Wy5PGf*0*K=pl|!Yy+3@sbNQxZeSFSGr+@s*M`{HF10|KIG!X(aWC~-% z37I$b)(sD4)vzB+*jfk;>)fJW;N_kTSl;)xk2a;1vPWeKcG{2I(%wfz&SLaMq>36GlcIz-C*3DMd>k^Nh9RaO04{M%Snii5h`<1@cx~H9B9()@f%<2 z?$@)uYw}Be|I++#918&d_~R?vR`u5>n$nG_j+x^LsBhZ<0e3nxpk?M-K1>2YhNv(= z0#0_%I@`5n=Bqd-Kr%w0yuReoa#8}zVM$+KpZR4?zrC=2QpR4s3vQHPH`S{ zTy*{a4)k;rkiRNL_|Ax6K+|7-ZRJ6;X8POfPWacSdnSFcXVMqaU4QFqKSSJ(p_apk zS`JU{c&>HDchj36-SVO9Li`HVkq=^NPjo0hh$-(x?vNe2MFJAMm=ent7tN~>7$Q?t zLCh{@tCdp%96%xS)(H3!4PuB)+h4qw90@t&M7H0BtZZW9ma~T2sq-RYKxDT1usvQ3 z7y$=DW`R)!EePXU3fo|yi=Txh2#R32vY{Y7440Ux^T#S!>$P1Oc~Ae*$1g{HPsLoOWykThWd1qJ1N-x#md_vAdVu~P9E2mt(oQKSilSqGL!ZKyEIh_PXSTe1Sp;j)r>s)-PZ2 zmGjQI;I#Sn!tek5x?AtMXZq1c8oB`hUZcc%OE%;S(H-0T?-MKb0YKxL- z3-$Y(M{N19qV;Ds+&eJlB(GgE9G5=QuDcDSiO7KrL-1pAgL7dJi2s^yFT=1)8bll% znOP~KF%(kYJSD;AV6}TP-%V!f(w6)~+sY%`?Tlu(7&Fz6q5 z6#VKoxAYOKzlxPG;cCch-*(%#UdA2a*HB0b2cg}06RVA2j4WtW+9{IcEJMi@v0RZ> z=Be#Bce@}gaw`Hk9O0gNjp>%RSG@7ozdNTL-T?r~hIkUQM_vn&!uuCykBcX71;CC;G|I3q}8q8`u6;{&U<5pX-_Qg{`x` zXD{iUcxKD$|B3a#J}~A)d)C+ezj5{o#o3?D&-+p4|BdVaKby+Ehm^Q)fx7+~vB|Dj zFx;wZ&^1lx1~(bcI9UM|iyDg|V+s@T6yZx2UVSF`M@^y6xnS|KF#s52hzuF|{PL#j zhb*_0*a6sSDq?3=AOe6ma-pt+0T!eQ<(Ucaj$XG-gIU z^z&yfxVC;&hZ7lI`Hy!PQ}#P@AA8C6b=~*<=;=(lxvY;)kR6cQXXTuv+ob5}=^2JM z$#Kg1utZ4npDkJ#1~8?oyQ&SDBwAw8y4cSaEfo9z#==G7&_7$W@EZ#kt>3zNR>Ktk z9jg3d%?^qFDdYi?C}Ty=1DRDfEMIZy`R81C`h0oecfN7?cfN7CyyVq4R(=rLI$< zZ??Mrne2jx_?Qn><<=+n7pspICr+BK>AIooIyZE#8-|ob&yXn!15{Loz?jGYMpJna zfj{J&3pa{D5<@gt6!MVS_#;#-CIE<}qFw7{M7tXbnVKU>FR!U>Gr_wBC|nF+2W|)v zkxPDGFxw+ySzx6~qRr%ZtR*)b+94uOQj|^0Y9pF;+fniZp&fd12N)OtGnrn|iV^$d zrX$2HMVYKBY{?mCWdX@niQTH$Q$9=;P9}%6O(O6IN1FLhc+Vk9MJ`QA{L2nTVQX{K zWRs0Ga_1G0Q;16ve}iqAH)mRgwhsK}zaKdEa|h2lW=bxbf9%))e)r#-0N}t+PCNR% zLn0Bj;^}uE|LxK^uN&3cY7@+%$8BTzQ;{*o6td!$6ipv|O z>s9To@}Fd_!$y>7UF^p{__{dgx3By;&l%rXxah|}_&Nam_y=GA_LV;mf2O5%XJ@Gz zs8<`B>pENFv20I36lnb`%RYV5@fV(cYT27|;C?guySD0@hHf8M7N8{_D;>+|n{Y<& z_%l4~#QNR<07dKbzp=6ms=sc0_N<4DF$dLOH(qZ)lJ#~DeD2?3IRNPGM-HBLr}&<} z>y+HFKPt{X-~JT9bTmQYRRock`d?32Rp=N0VhhyUG`LKZ=ICQ z^*{Nm7azId833$LH0`!;RndQv&qRzWr&Pf6fSm* zAMI&mql-3FyzHyrFBKyh((E97iMn@thsFLvi0rn!Dg6ZqGK@UCsysccIN%)7EJ#GK zm$WuE+TCOC^+wWxjqE3{x@9Ti6VpRWBqRoHO=MG zdRFX<3~c}aBjQa0PTzfs_+q1i?cCuF`wX6TCjg}GKU@4-_q)TDEid<7zM=lQ3E49r zG{zhRM5+7FDIRcs?${qjU%Nf|$bSud?%x7za>xEKy8QQjmv1bcaxA#1O%xGuB3iQv z_Ygy33K|Au%;1W}`ozS40J%fXL4cx9ug&?(k&sLum@lv;?kWNk(GuIpwS=A7SH!Yo z93mAFU^feQ0gwn8Ltv(vZ|aBO^lG=Y6{^hM4htr^oJAsMP3j~`E)XHxyCt-KOJZ}= z&x9bcV#-y7!U{1tGfApjmNJRRDY~&Q%vWL}frZoTn|vy#M-MI+CJ&-ABrn^t#qmK{ zm4x4OJ}_Y~n@LaNBjrFa3uz=OX_74x(|u~mOewp|d)28#X213W&3R%Or&Gty45!yY z51d#}kc3Xg7}}8x0WJn{iK~$TK;MR}oQow3cRwFj5N)EDTP3%nklRtH+|($+dg7P< zfx|u`LsTQGswkADI7J#7>M~7r^$qE;lMmEd?2L*~AR!_o0z|`ocH48gIKrUMx79X# z*6;qjc>Ji=(?5P<=@WQi*>VEl_H|qFmK4M7xt!nn>m7ea!^V5X_jupy`#v@k0P>mr zy7s?%sO9jwt&c@=8v#H|j`zIC17|+S#~$Q)PsQ(r>8FcT)%DM)>z_$H^?w0?ZCk0g z9VGjy)D6!J9R76zC>(Hp;;Adx=9i5z2Ne%Ezy7-M#RJaw6n(p!Jezh22NJwPIv4H6 zxFB{%1Q3x4OC%vf0_2PUP$2-|3>g>F&k)J?NSrJ_C5}j%VW45oeuEo8B9MW$N5>)~ zG{q=K!C`1k1Iu1Pi_p+CU#!5W<&!Y`pE!v)5R}L?Jh!_~87GTo10*tie-ahCBL617 z8eEXha>L*{H*~|$4Q}SVS<->43TKL;FoiMaG95n^xk4lIYl=>7m6H&_$!(Dib0|z9 zDMOYq24=;*gn?Gv*{Y&@FZC@E+K4sx(L7<0zc2(&cKwE=;##o?af1zR=-f~h)p2Wq zo$V1|)SBuMT1^wopj`;BCCRimWRPxfL!29#%&4fS3R77ms_I(76)pGGtGf*jnH3RA zaBx-5trCVM;V2%uPrr{VAm@Xqf*cFiI*Ouj&LfeCyoKt&DL`JXt-Nj^k-@#iB}z1! zX&?W+8-LBYamL9Xw*&Q;Uvc#Vk3Q-R_%t*ac8rAEeUcTXsD8C-V9ZBtAOV1(=DFLZ zeRZhiaPeo;np*&XM>73wCkByqmwyEYg#8h=rJOTF1VnoCzEJ?Zd0#okN)}DF#mgZz z#;`*Z!uQMULUD8oKHO~xxT(9DQF4;p?_?M{alNSJ3tFL|X}WF@7~HUOUaa|ThBnPZ zni)WL6_}~pnv%*+fg%x^vEl+~1zqe;SRyXzNZ0E4rph@=>~J@^F~nzdxoggyhht_~ zb25mFqEN%&Hr*luAVY;Ql?nD=<_07;n)y{ecd`sgj~;yNTUE2xA~2>f2GK|~5sM{~ z@pwEAz?h<#xwPOa>whoyzCtH5ZmKbikQfq~g`gbF)DW^gjuK}9Gs#JfI;~I`RN`rd z3YeVO-hy~=_opOsxDYTfI_&X!n`glbg+U`-M8=q+kkxX$p}w)NuY271w#^&2<%SA^ z^waA8;}n_%Ij`h~*#Y#xek>^^`VmVzJBAT5fwK9*6-Z1pvj$is5=o^}Teo(#wzkT% zT@5%D0uTFdU%rrGthX2tAj-6k22S6<={Eo%utZ_(x*uL0O(!3FZfX0WCOwYHX2ZR~ z_Kd1RBFhW6sD^GeH4QG<_gD*f)?}zj5>04V$^KqdwD6SC>*1m8l9t2Jh{5edILz zkp4p?C!nB1HsW#onc9nC7-LRs?YetYYvY)>8fOagNYp^hTF!DHg5cIL_EE%t4W8HY z+k3W*J*~ws3|mRa=L#2o{VUgAarOTD?>BYEL?A`i4WIdoa%Q)?iUR%KSh2jNwQ0Wt zrXmCpc9nBW1;Rt~sK)&cm^SPvm$1DQ#uSCc;;~d+B3+kEr4z|?GL?=eQi)_b5sj#J zJ0s3P$LBW>Wx&Jo+sB8zS+}vrzw383zQa|#EXFPvTJ2hJHd^$w3?%k|w#J7tV1iUI(P%<4-f(xMd67nj*CBcbpx zGuCKT1tJos!Q4=Pf3`kT|A~(s)zLnIfN|?p)d_TsYU23)JQSuX4UMtJrlv_96ORSH ze$$rcUw&=#maPp<4RxtBswUUVd%F=Yy24X#avDU((Ggf5g8*B5`o!)`{B? zNpbHiM9Kyj9%Wt!P8=Kggww~2J-BVtmhH?;K_pGrX^6h@qwoKA(G72`d{fhkp2k1{ z9-p9-bFGC40KdECHn+FOCH~6xGV!nTyIXFB;kL#S6>ExUr=Vao7EPw&$y7X%iYF5B zL@FLn#1qL_B%(;k*kl+c|C6p8MNNxFqK%CWCx7yj8`f{=?sl@GF`Z7|efK@Ty6GlF z28=PLJiM)c(tcjz-me`x=fQQGjc}RWzjbT>hK*N$>0*H;0FcWUW}S5M!LZtzh~|@NZtN%&3x&d9 zHrvy^^OhTb_1oXv{PK#GhOTqNY}seC(IGIa0vH%m9GY1(H3t}D#K|De4cgJ&)7wAz z(Rs(t*ms&{5U-)efBIku5d~Mhz4obRpU-5{qeitT3RBEPM;tM+KawU1IULxW>zo?~ zH!R{ggPW~lY&W2rI0hy7fwty`sH)l#Eani7c%54|=Z{Hr=U(W&R?7os2U2uh-@3gA z2+WS|R^3u08c8JLLiwxwrpeY)`NmT|tHoheH3=}yeGs?GVeQN(57m)fYHZyD^9#4! z>fCxV+#+b^Hj5k~qN1wtSR|f^#^cdwJeG*7u|zBuk47RYknn(`MJ1>k1{vJYi<+is zMNNBm&AU6cZ5tdK%;j=JLqlhtafUlaVtqG!q$Y3f?CD6w-*WdKcG)GPMsd!+d*iPO z=*&-k0swBl{ZF}`UW4;6IX$^9l~>ggdPF|6-MOeXfkww;M> zOl;e>ZB3j^Y}>Z&y#8MGpI&uW-*vj`RGq4Wz1O#xD=<_Wx^Bq!qj3$W<6n;sob}5) zN@Zv-F(=f-h^^OGspfdAY?)lXnc^I~Z3LLXlE{-o9Y;Cq@4H1C(VBXY0VrUmY-;ul zB0tZ-2CcDe_1lCZ>IShLmy0h%!*?W{8^~aoIOBDb==C)p9x=TI+wvj~vz&l2`i&Wc zbNPN`y-Qz&KyVyl6jG6bcw^d}DRN*DDs8qz30k=`vubMCASr;jpdc&Jz4E?9>zcl`L5dQnC^y5nsB`@AoaZpYPK;IT8}(cNw|igKYiTCb~Jr~73H!fXCU zt?&1+;`{WD|70ujUeu(8MUMN(zhbHul=5pFU$N;I7O@T7?MK%!y*TqHN)Tpnby%Z4 zQ|<{Yb4VF@uAs;OU{+Ns@s#I#<0qJ~S=LjzbNjy?Hjwv!xR9YLwD;kON1Gilc2eYX zGb_kdls)2o3K|Wq=Dp!5o=zL8*3OdAWG5qXH2DN-U0c1Hb;@ z0RTApBki#XWYTfh1;Z1fpd=+nfv+C}AS#EW*I+f+#9re(lb2-Z0P?_{EW&b?2r&%g-fS zuhVOSA_7KCBHjoa=D#?O>%WRWkG)Vfdpt_}gFyTcAoFWbgmT3G44lx!2 z8Rz~84uFJgii-pUYzJCm1RF;42R4(;_;i&cWj1{XU!pGcyYa3|6!@j95ab!pS2-|O}l=ggdKT57|BllU=#ev^`}VWrtE%t%hc8W8%_92 zOLgJ-KynOc))?7gO49J?_OIMf9fLkO3e&m>ji6ZM{A;3df?(SN{{kBIJUN%H7zI@( zo}|JSLCUSgDE_K#f~7k~L*)-a)@GKO;m>5$u zRgu8-=x_;>H#-HG(xxqAO?8I!T|2p)005rDST8!on2-aI{b$Sp19vvN4 z0(V3#$gBB8+&fo;u?uErh4m|*^VB45MGKaHtk2bU_6zAhQ!%_%#N!)9qj?w#W5b-nA$T9x5cpN$@-MqlN9*>A619$)u{2`77+`;%W&buu{R zuI-r{NqrAkuwBG-vl(H2PJ582xIZy7A_ogw7M%mUy%!&=8+q+F4q7 z#12W0xI{}xQZXzsIk&qin!GzT@`R*;%}p^0D5hvn<%yi@zq*gucAWn)6Xdc}ll;U8 ze9LUZGfEIKI7qt5EFHq$*Kw;IaW>!*3sMaq;^e6MLMj35vIEwl+}H&JI_Ls7Kjup^ zS3vDKSt$9BtDG^ov8#N%zJtaF6YA-S?2;$wv&7^{!)c+^?iV@i}QxwAY${ z4I@BDq-h3d*Zb3st{4=Gn-s)<1JlH^Oa&Tnl?ei)vFKM<>K+I;JCL^g#v|R4WkESu z=vre2kOB9i)p-_Ofx--fbCz@Z%)(4V^v=d*e#!HLT-)7+?k~t?@FH z9JU(#aRdOsWYID!K!D|;=11m`yg3IvA|L{_rkC&Qb+&ZdR_MI|2v*QmSWsGb72@7# zt5>&I97(xE{y~U~!p8jPj_=#YT~pVHKxO{nU3~i$5%95n?dzL5S)k;Rk0*732#6u; zn?I{`Ue~X>!LK`5eF4JV(L}bbmH$Yp=;<_0F!B1qY^@LBDt{*JCr8Dd_%;RPO-IX> z;BHarj#ctyt2-T zOccv|Blw0kKOw;&%K`ucVZLt@bBQH#+*WHvSS{ANi}PkL`;SL&_y84S7Thx=0+u(T zbM_CLNi7oJ%B)G%H6j&Dj$$w%FD95fp~4Pgc-Y8}J}TdBKnVsLko0+m$p}IoN|=Yy z1kEP06&etRYuaW0fP^4>m4@zOE1l!^u=!U_K9}kI@~=7;-0v-pYK@O^u;(eh8{yiX z7B4T);bFela(i@5pGnxuf^fi$`@ML{R3NIx-AZvfohj^1n%il@m$X%%_e!DDX9!iU z&(j5qoGj%YfDxEg<9-b`OyDFU{vL#?9c_n~Io+i&VU?ypOXVe7JdcceQAH>&Vx-pYiXV6#;MtbVl@L z?AL1+YT@qJFSposyq%gkX4tBAUfB}E;N^>YA2>R3L5fS9+wjl@Iw8YcVs5Gd8NzMh zkM0{XQEgmAtZbR+tRllNFa^NJ5RR0}4^EC|T6oWwYi9od$wf?_5;UC<@p)|fj%4xF z=sht2u&*C*-(OgO&i5x;KLO&?&eyZ`>2~?Xs)(4#tJbF)&1L%6yC3(K2|gULR5?D7 zfUDN$FCd$gtQQJgkNp=HMa!7++~eb^{{^s)PK}Tfcth{I=QiA`g#D$o#Ssz^m8#1_ zDQRn#I^q&f#^u4wmA7|6l81u_AbY499 zG%J7@U21`h9AA4_y7(DP-tIFGB?jKj;t-&-5%q~?&oY7NH}}J7)donTVdy9T#{t99 z7lCDM2ZMra0yns>=Zyd`jkW!yKXD>i{Ucn$*vlId!2a}j%xYuw-P>Qe{d=o<@f_cT z?BKe3>F=O0AR!-)@S>5;&Ae$Ef*d~#jf(NyFUqT)`jw1;*r3K*&zRb=&5wjEAU{7p zW%h9rA=)6-b1lG0&)wj(Vp%b(h1uFg7Dw6Rvpt>b{{yz`YzxmJs$_URwNagM_o(RDWwaBklD zJa^sU76 z=tXHt(WORbi#q1yBNv zR%W2wwX1>*kr8+YSHE)>AX9Vs^MngD`k~?YLXpjS8rsg2Cv|<6F)Jd5SAOgx93F1U zPBjDkP*Jmx6bDA+NN-9)S+FElN@=gfExGjdP`FoV3sB+woC3?Jx%2Wx>rFTsC=+9s zEFs`z>NRk=5Dwv@C!-Y;bGh_^bwVBo^~37|j=lJyy)S-TP^$uWx5{$TDJN(wR!`{H z1&4IoplQ&6@!EFW-xtek%bSdLOQm*S1JWE1{P65 z!_saDlGi2Hf%2wD`3sgjPg_+=ZuxMfuC2$4pts%BQ47Tpi;3u?IyF>^$qVqo&7zEq5O!+?JYr&ZflpPL{?j7(bgTI-uP@2~_?Zity6PJp7CHroIq$MJDM zm=6ZR@dgW));5~f4_6}&uK`URn3Fjc%n?)FM={dtAo_d7>N)q#gOu$rlNlW90VYeW zOIhBNf91geoVyc^I}xr+|2i!ipL_NX+@VzPr@!TiOe?xA0Qay?NZRXShkCR?P6ler za7Ibb(D^PM)ikqFM(LKah-c^L3^o-8k=-XnEja&_f4@oT73 zM?@BYFNNHwkpkQFcr|5ayf(==hKh(th!aDqN~omSBA2LRfIcrg02!3+jX7Im<4=yc zzu6(CBsC(A!3bJG>+161sfz%**HPAbGqEX5^+*l!d%cc!FPA;()T~q@i+7;u6eq_o zjgies4H#@xfIT^&tBitlmge$3sr8EOy8H7ia+=3wpg|px=Y#CY)$^4_{+Gi{z7z1k zgs?LB-@1NV+Z(n^cMZ6>$nY-4V&vY|1hIc(fC~&yWjO6|{)~o-ouaR8YY7Q)^liOo zh-rs#M8GrYR3_cF{6vUB4;eC2c7qaE2+ z)>k+(>zj%q>YpO>idc6*y{RE&3nz%G=7;S^!KXq@wLN)?i~i75CZdfpzHGqu3qg=C zl}C?VQ>H+s(XMDU5m)3E8jMtKV~Qo^oX@6!WwAZ7rB-z2D5&UrEsLL!2rFdNLoXS! z04)(4GS2OWMrPblg;0VVn!L?+$WD=Dt@Kh$Pr(=k;NVZu+eSK#3d1g9*-C(BEH{b) zGcWZMJrj@F=11`u43YZ{pYB-T%QK6-8PwZ>eg}5tZ@t;JqwL6@yTv?jXC3Fq*FyR4 zj}IRdUEhm2O}#)-JMH+VL)Xvd`+}dY;6X|{H+9!Cbu;Fh2>h-4A9QxKk27mMA9IoR zHxPENeK17k9S2YRn>5`z_FJm}`*or#bhw|dd&g3CD;l{LmLms{PUXh!LT$R#mY!qI zWhzV88L~>E>x`bN@GGIp3!yRBu7(CNO+kv6!&T!v{Bh#P0>I0E<~A`Mp3HM4M% zh%nPfv>X^|gVbca+#~{`DpLvewLc6Q`_t2|IxZBZR@g)9uG3(Z-te#~y_iEqrfZH- z7VPjl7x@#EMA%nZ*Mghz!$^>C4Fx0rQm(BJrEq@J%$r&R`MzK3x@=XAnC~KJ-zu38r7G7ser10WIbSb@4^Mku+)^=cezV-V2?0Yif4@%$ z&|-de7;vXoNq_r3b@TE@kotZrZ~jV5)FCHvrGxgmnOvZ9G$D3%xs`-Rg#GqbAoNqg*;l=7@Vs%3eqF`6~68g^ydRqhnd zqN9e|T+~3q$(ju6a8a2Tx)FAzLvg0jU)bmKXd-^8bfvT-eKL?tl4f?yXefg)GHg=B zA=HfU@QLF$S)Lv9W83&Yv3cEcKrm6Mb3iwf+&2RA5~KP_a7 zpR!EO=IQnw3Iy~v$fQv^4ln)iSml5R02burkfw6*P;uF9l|Zewe_nmbOIPwWx0}pZ znJr~RU_DnakE1uVSY{}hnXt>_{vF%yx5+7kA|(~NznGUk;OJjn6@8sYmCZYzr46iw`iwCgw9K|}8J9XvH8Qr%W6UV#G!x z`PWmuel&q$0lLZ5ayP)rvL1WDQ02VQpw73V_Pmls7&XfyYuQ_+8!P$^F6sJ1JTHUX zU$_C^JmXDZs)Qm4l&P%k{HKBa19w+t<9#bie+IVP=^GemAXmyFSlNPQfO}BfZ##R} zYYbFeNWha$3pFhE4M6Y_W%e6c>bM8?>q-~5*nrJ5f zgmuQ0CMS({lwvPo^b13=jE1XmPSdEoUBe)B{3_%FO3`&RF^L1~A{06}oGE9;t)!rT zYtm8Hk>RrB5Hc51j8O=ZePtRV5i(&dQ&yGP_4RVYB||v-yRf85glJ4=^o`)c17qI- zY4^()2oxfBApPxckh1#vJ&fYX{LA-_=jZ1j`dj<*FK^GYzsDzET<$NmIiw>ZGbiRn z9XJa9{#Cap>d{Wdu(hobbKo3yr1HZ|se;5a>90CvCsLvqGc| zA7IAa;BBls+(CvK#vg4brV)izbnNmn&`>kOvEmG#7zQK zohX$Of@U1DCXjHJ5`{O^5VMCvrN8z=9>3R!@I>3gl)2uV_*7rIL+OwdnSd4;bnx!v z?b_Uc2$l(y(^J$|R#LQxvtCY7qc=EfD)(@d2{mQ4U{w|syD%RO!x&Z8ctbH1+lvql z-65s_7!-3gHk|x1kOum1g__)csC_LY{q{EJDn`xh_U;x21_3O{>+>BTkVe_pKR@2z z-(O7gP1K=qRzls5sgt!(7>XpleP@#k;2+>jgK1rSqnLvcZ~1bT>Ih@5t-S~{sY0qU zMlrn0wL;;r`#}faFcB;SomR6JF2o#vPcDTT&I%W1L5@+35*_>pLzLJAF=+su9)%Rs z@gEvVewwix6|*2o5M!)p7bbItWK=w=1Y)9TkXGlMY?v?lT)HHJap8MyABe!s8>-ZY zrtT@8-ZrD&Ht|n+$MX_Ce)-aQ5Ww*P`oSpDk+4rkaWjv;jCgaa6`#1#|9k z_^EJ`ZGVbu%4E}%7uwGP3u;n9)BGe6xi>mC{aYqf_#ivAD=aQ=+0E>;o4Pnp@mPls zjohv7Sl$)^5(}otR6cpL^{ePFZ#G4g-QeKC{CpBWPAGZ`M08M!>UhyOuwO07bg6|C zK{9AoBt{h4T+Of~u=_y;uLS7OfDF%}M0#b((l`7b9CB(2|mugx$@MV?qDJE>P+ITXY3eLkK%A$g# z1ozdzl33roi1}k(IA}QGoE!!Q1|YbY|8B;7C}M&(hpeuGgmri%cRHzBUPFT+3SdKHV}71Tq(Ybsa6bj$xc)tqJ{?tyY!D zERs^m0F@dIYPvO>mSS~~IQ7yuDT-e&QD0JQvA$y*%cWs};GB^GeFONv1YCGDrgYd8 z6RfJb1c|+HCVrNGL5%QVLqYg+qj6b0*rQxQhd79Aj|!7y>nNbc!yzEh03mPhKo$IU zWv)|yDBJCtGU}fl9=D`JtyM+f|LyJw9Cu*C{qFqReRtYYE~Y^p1K4g|tz~A|`q;M) z2J{ebOhYpWyKsdH6r;41K_cg!Go+>D%02^)#7rWJ)6zMP&>CW#@j7)fM+RK!C7O3C zg;KID80l^{B*FXbY|7zD09ltQM%EK6yTu~jWM0O0qHJoK3=xG~KX)YA?T1NMdZ8S? z9Qgh}tEinZg@-wPE$<{pmJ~E#1&rE;qBIPkV;?6EuM^$pfpg1w9=OWvof*Pl(|El5hh@pn}3$?DW}|a)MN?HFZK@4)xGc4 z2CFmM-#h@syjL9NBa4wekfI{V8=XH)vzec6LZv-R;NyIBx7cWobTRB}f3NxW)ZhBT zFkP4Y=4S0a&}&3%VaikTPr?b%zk3zm{t@I&?apS8zlYNKK|<*1xqAKEJJ-a|fdBoa zV;~~7GgVZFn^ARk*PH3O_&2w?b@_*Twfq>OLb>1|h@qe2frD}kxmcb|dq`1!3K%xT zCi%Z!qaF7U4bNK)!V3*O`JTzM%X-#t%;5IrFu4xmF15} z4~Lu>WbF&YK{K0f;sc68B$Jy_(2Pp3bOx420~9^8(1Pe8u5oYS-MFZsUTX z1KfWli%SLuB#&}*6KZ6W;K?gtn97e3H2!%cToQzP8kV*&bHf?q@4K5P#zv<}g$}4+hVV57dC~c<-MXaV+p!&Ax5OZr3X#WkcaZZh zdwk9gfH(m9_j+I=H_VTnxTl{JymJ+oy+z zgKB$F^z!KF>|$@PNUae+61iVX>~u@?r^bAGDLzL^7%sV@Dw!%X7S@SI{xYd4O|}f# zHF~v_DHGgjqgog^N}Za^?-?_i@KEeWjI`kZouFuL1|e`sa6C2#Qw|c0J_>N~ArL`h z6xaA5}`S5sJ6oKR5PwDe`wWo5KK zl^eqBukHc@U|0w_-B0pdbBS3NMtZn-AnJU&u~U{g9U6qyKaRps`4p9hkI&MtqD32-2fPH z@N`=^wNOHS?kq=LI}!W{AD#IIDC2-}5QB?g4qDJqdTVk-`c`-^??2hy|9XjU&JLL@ z9#%#j96rhVKD|2sKniIF6}0WZxOuvl(r4%?syY?6vYz)1>Nz=D6`f6Of>tNX8QUb{ zn?;8)TSVySsxdcdQy0aD*X8e^;&IdQEZ5otQIvD`qJo@+Mqo$vQ~EoP9>47DogAO;9a00-MI=L6G+pQ{qqKcHgIdc}q8}dzm+#Lj zDxilP%lX@iQW6`TjK4wHJixYBP72gAE8!2L-rxiNhQOD-T^4>L4@ene8~W}0?GKdW z-b3FDDS8M%!?U0j5}y~=ZgE6;?zg?9!f)5GVGB(5J*jVJ-CW|mKf7&ym^jBr^JIi|?Nf~YC@ahhE%mp%`t z$siF)p~FM)gxuhxA;(D2f2c#T;f7^auJ@jd{QE30mL?r$_Go86y_z|Hq)o0+meX}8 zJv+{AL?U=0=`Bsg-vAXzs`wGd=FGm&B67^2qO3?#UcuPU7=-MKgajxnuYiR|ctnJ$ zuBZe9M7h@qk$3GWPw%VvS@FySarhtli2}Oz^mt0h{&$(<^!c5=o6p%>Whbm%s$VjgVaI#0mIM)sEvpykt($Ij-W-L01|&5 z=sugo!E_1+rubS6M0d4dTcO^(ePPi4GX&Sv2>-pSJTx$N&ssNb`b|Ov1P`-5m$C9} z-HqWWoW}hQcwal$f*Vl%q&{#G%u4HdB%w0JT2}{Gs32&PdZWFoY(AsCrc=V-IX;5^ zkb#5%4YT9SzhmcDD)yFt3U#!XUqJlMgzYv1)pDw$@ISbQ!i?f0fcVf*jDco9j}V4V zuu#B3 zV-F|@ia_fJKpTMMwI9GD2f_5UjP?(p;nENcMR6q`_JlEE#2(&W9PW}F|0yDR%O`rX zm<&CBmE+~4vp>C;g)Idyh;uC1tS zGSu!FE%8s&%wcJjjm%SUAa5EMPp~wQzeexG>8fy`I#mB*E*Tt%^cRvxtqeAto-q$I zL5Q_}-tt7Ju$4i;t$4;4Z*;`RH5{$DD$4&L%nwYgL$cf9dBp`7yD}ND9~hH$8lMu6 zxSZk(N!(tp2MR$lL2%sF{xwRYUelCvha{Cse*7n=_&?quYMLfs|Xo$zh#IP8N%|G^wk3&-Eh>5#Q--!?p+`RW&jgol)~9`N_KDW{`jD%Fce~E%AXn?&mYz! z3V@l@$1M;+6AoCn9M|*3%DbiN8^OQ^xQGYHY*C3K1*>e~Dg3hS&y(X9HtFSJFIDgv zy02!q12%x)Snl%E7Z~ITMlR5)G?+rbXOP_Eea|-zS_+yBn}5mUYzg zyYTzO-(+W<-;H{I`*)69CRNygxu@LnO4tS(lgW<$PIkycCYn~_u zBUUMAZj6T}gr|p7V#XbBhmu{Nfe#tyT9z8OZENKW1%HEhx;@mG8t*3n0LcpAJ9p(& z{|HK+zDBCQy*yu4!Zx!!kG8ve9Qyb+Hpg6G_3&^@Gd7KMw*0fFh3{P}$HWVg z=_J29=ft_UAx{k~R{xnqAi`T0U0PnreTMqmOz=x8P>vimfBfu3wGWvIRbpW0fQNL?zPL~-eM5+i$ zj$0=;Y+395d6;VFTQ50hE2wI582>|$<5j2T=+LSbOEd^dG$^?25*EMt5dmV5!u?e= zqb{!-W%uDbBA`G#zq4v#x<{Vsx4>ED_&enL^5XImuq`f9P*9|seB02vsE~%xSEnE$ z5%F3m%`R5DA2$N8F!1Bt9c}UL?cGLuJ~Y%XqM3HT#$pWwF2Ui!!a!0WQULvcBM_sV zMWJYCa?Xnil{_UdJ7g8J-nw2!QYdKAJx)Xoj2lQ|;uaQo{bYM+eR#`2>;MK2fK#ud z*q&m!U@_}niWjR#~9EnA~Q;1?^hST zk8J2yHi)Bl6}La2l6$u+G1feIEB2R;Yclm$qFADc;ojm9w5=(8U4b0DfedyBMfSCd zYVOn<1v7n_UQr2-79#*-JerXCM$BOJ*%Rs2&7-wr)=&-I1|Ca2)&H|#0@t_8vAMg( zA5kv!-{RsSVPmNPH-AzueL$k}RFos41eD@(8Bcbi6L%?2X{t1WmhPQ&dQS2#Zq=V% zftPY>U#revCJEw$8%Thbi?hke@6oqm8>$4HA@Ex!+?r@72_ z-43Q&AuIwSv7gg@jXVyEz@{XV6#6E{Ho;hfbyZD;H#J`hqTDfGa1B6I3NY_MK4VOY zCvJ$XmU%2`%YV{l!6F)(U$;!7a9Uc(*UES6$&y5qd3e8LPG z?trRRB0&-aE$y`~i5Cu2ICB5f)^thHkmF}jgV`-y3hG%VVHkE%6(rJK{R(-o?EHY~ z`J0W&VRQDuY`Ai{#?t1hMtPl7aRYZzkM3f7JNK}Nc+*#PSa{3`uloD_;KuH=$gD4K z#8WA11fe`dM7gRQczG4(_CWkmvo8q155o9S*cz}3*kxkB2^toGrcL5Al_WVF7l3Ah z4 z`}f`VyRm0F?n`l1-In#_!S$VAR!|Tmo9jeCaYJ_}X`UrvOrc;;Y4lTK0R@Fo(G#UO z29Cr~vrjE+5+}Strr~BiMZ9Q2aA;!~01iD&THcpR4UbbvpGn>gO5tg{Yd9D~(LqXK#oGb0F#+scU-P@&?A+L&c7`xV$2p5U6PCXAINkU$FuED$N+AeYJG&W>XRqi#u6;WK`pL4gGGcUWfmNN){d`d2BAPiO24srd zjieO-8;p&t?CeFLjPjaer-x^j>?IT?9KU{Ts8}X{*8lFg>L>EyMFwV7?CohO>wZ2o z%7ZmLy8$0YMk?D1YN~|wBv107>Px`F%ldc1W7jEI!^ec~xKZ zdkY&KwM8!1V6mM&{3g5-^!5@*B8c;*dEThyl0^;Q$4vP6_y9tUwY9a$=J0Y669WKJ zQc{Tcoc326T)w`(w5d&&|JGpPMhhkHV+eVs>SWFQmC98ck0(fCekUBbN6M&b3k{+% zrl6OalVmLdHF<4)b5r66X1I*)W)1w!HG*v8$d}&^G8Wcyd;3}_p_l$r6;!4dW4@qw z#29TAvZN6Op!b#aw)6^dV*+$rgDe}GwsvHoLxf?q5xIEi$fVf3y*GG5A~fHsy{}ng z&qMLFo2(QM_fOySda~+Yx=MzlgWZ;zORwEN2tXRMiBvA1;lLjOf!-tT!8i@zo6L5j9u78*_aAE968|7Xdm?35*)2Rq!bjt=&y4qXwU^kg=k&W) zSZQ}-w~!%7`6YE7yYWn7I;Iqa|?ML7KoFn4%VxyxT z9c=-t9&(Pq-yfHWd|nK^y$Swd0~mq#toQ2o6Qgk>E)4bgyvDiHX86S1{pH>nbUIS$ zT@pq`b0pQCghMNIJJzpCf^_ER6JHjdIy@uu3qJ-Ali}&C+UnYCA{=(zh9MKZvGP{s z#SO`-=6QYPdr1>XNu4T*(~Q>EmbTZi1XS57byxRMt&4!q+c)3qm9J_A(k-8F_}=Ry z-n$2uY4%W=C}yZaudRX}`onlNKLhL#0~LHKU(O*NK}}uV^V411$D7ObmP`IReooe^ z)KIEn2l)Q7#j~w$pWS%HPa{Y~Y)-e{-hZFhI69U_$;YR=zc&v&8hsmP#Ylzi_fSs; z*oBjR#CB;?`p~Q+Yd@%IMX$s}q!bn)c#?BbYCkj3@=y^413O4>HOf}}B3vy%@=VpO zXG4A=N+FYC(mwTMVMZbgQM1d^ow5vI4#s$5;{Ju(hOkk2YJd*Hyi&B@ZbTj|xnw$b znifLuus5h$$*uR@m8d6jFiWgfi@DrUzs+btz6aL7k@QXH%9&(yyQ17{d^PR10hg_% zrKOa#baFIs6J=v#`}&flr|tv=WoBWfo5WBiWo~NNNU&Tg0V?~9CCdQhYh2TWlpygf zYUUg>o#&Zzlil^z&4{_dR^2yDYy_YE&M>9~rI4*)u_auP$AbWyb~OoV5Oz?Kg`!3a z&ZC@jG{P2N*XE{Yy%M2VhyiEv*yN-HFZTZ0*-akfd zgzm<+N2e_G-xKt1zS_PnM;z*YVw<5nn5mz!EB4k@(HWdKSA@S>J%aDHLK>+mD zkzb83gfyVLexKIBl&g-3|z3Mx_JY9khMl&fikda-0j&_)?nxn?h1_>{xao7y_ zrM2JuxN?m(p;y=Y4~=bkrRD&}U^VjK#qR8D9fVsBWBBwBB;GaX{Xzl-FdOo9v6EL_ zonwH}qsvxqFVMkAEc3x^KmObq5@;vJLPmht#{hvDa_mP)@L_4VTUG#|nM#DR<>V>D z2E_p>qB_8uU1EP`YprPor!F(@G*33Nxl`!!klwGT#aqASjkU4r+G1%5(dV?FFK{}i z$N6R@oeOEB)Or~YezJ^b=f;cCa)FwkzemsKRTNqR9u_ttDvHow z`bzLb;KJP2*U90LPigyD?ceA}RKpyd&XdMz{^`Y|j`nsiAtK*~{Pv2s?$N}|i&wcn z$+4wu=h7mi4}_K~_80^qM&lw-)fcQYsu6o(c5o_0VA$8zpB6tfTxT+B&iD%jS3GPR z|9R$z@&hht-cfbbu7SWL8cbCdM2xLj$v@JXnsM+N4e|$k@K~B?XmDptttT+S<3Z}{ ztnYK8=S#uN=auFY)osB2K- zq6uCzq6wH@`UdGzo$k6fU-!El`aiwBBc$yJf4SE@995U!8oi6Qcw2{x70#N=*zyw- z>jMvSF0CS&@gU*hxPY?GEX@MR2T%a@Xr~U28L3=Sk_xDsKf95)seoa{2%(fydut$l zoJ1z=Pcxz3K0=;Fue;f|>+W^Lh$_++6>Y%HjBsNrz4s7PS0q=eeM6XGQ@nzeCr>Sv zmxrfrS4s3-(5jEZM1g1|yRFRh;%`?+m)pCiPq%(ZnU_)Jk~RL>$AUSgK_T3$ZrRL80cunTy@`g^WE{vIs;_friLnr@Ck5j`0*Y?a&In)e{Cy*$+YG z#5k>HgV<+f*>uU0o_b0)QqUiP`J*7OT7E z?aK}?w(Gk^-nLE2YDYCUjFxcAaZE2SFH@j0hDvvWHdQJqL(ECa$j$-;Hu?r8R4bKO zj2BbXbqsaR-WFv1S_cLI)$|!72_fph$E^98egg|hfWZ>movuaP#U=kw{-;ad*v3fd zM3FfKJ>Qp+e^dlys4S46`3qNAne3nYxmL)A$U@Nd!)Gs&{{F6;_O9{hG*-(sx;;ML zl9J)KeTdmcob6lw` z20=mvfj{B!k&CtTt`9HsXW_6ImTB&fHm=5Q@i%Cudb~f`_)Ck$5)$Cy!J$w3A1YJ- zU^qj=J{YOrwtl^CyP!|5IQhAUq@<>%rKaYpewc7y zL@S)QD= z2PP_#;O~&MrutOKtj=DJmf{BJL0y16(zC_wzShUq8ZGDoJ+$L!G#*C?B7sz{#Ca|# z$li{!oAYlar8y(S9B8zF%v*bi$K5@~D3n7c#kF_Q=fhuuP zd^Y%tfH90f#0(uGpeT8Ixt|%Zd6p6oP@s(h z)9>>3-A(TX&CMWZnPf?ZD%4gqkAglUZVCrnb`doc@zh0#{&E9K9n6u$T8&)XZBG)x{AtN4$9}z zNb`mRL6#8@4FI-22kLzZMr6Ss!m3Qwl$Mg&qJum@F>T@R(P@a?Y(Vlw<_M$qsOwpJ zCDbs40BDAJq@+Npu*i`ulIe>j;!#V818@YwEdO$gvKtF*Yvj70iTt*eTg;XM+&tXH zT&&xzj4%PCcv4hA8FYh1WCl?fOX8`(Ndk}=1)!59xC2F-)PEB3JJ$Ki$cTs(WoBy2 z%0A}(6YgHU+tzFF?Y27u%jgE9PE}A)aK@lzT5QIi9|0qQCk}!()ZmsQm?mB2&;1?O zSys@%tmk?8Fe($}U?2zr;OuDqsC$2ZHv=4^{x|Gk;KZqf1~TO6B5@Fl3QZBM1dJ`` zxMwkhTi+vvl5z|+ApU~!inIRyg7o7{3o0z|f$lyZL7qsTt)=zdOKY>9dXKIVDSWkr zb&IXfs^5xuwc1=?BXDxFKQGw6`0B{HcLPBOmqPjG)=p+t?qi9DV%`BDLM7kh-;v%=1qU+z)_(B$r($?l`2qeHHJ`iFb-a{ce7=i?Z+Q-V>| z6Vt&XOEi~BG*>2;wX~MwKvjL!ZT7o$?$;YsrLQLAacU1X*HO1TA3@VcAlTi~;(3at zwKMf!FRaFb9vD1D;Ba}mgX2^aN39NomJM4%H9!M^WYQfT#qzm+kv%#u2Gcd0JS+>A zZ2f7xspF|W*}u$eyPt54^fWr{uJA{?UAl0vH0$2sB;Lm1BTID zjChV4sdXaHIdjZ!aW!(Aj&q2gD3=0DiFipToccJ1vPAuc$X)Ow0RSO|Kc#nbgL<*} zYrcnf6jAlPq(WC9QT2_H;{%@ip6(utD(YjZ~A=C{H_C{+TWWdGa{{1ynNj#2vOY%0+3l@uvcR;3LDp zrWh#(MLYii0KC&iQSLd0P*s^72k#_Mi=cE^zEX#9*CX zXo0EKFh*6IKh)=bsi}VjNR&(DGJA+$Z@2k(=Q~`DRrI<9kpNqKd>DV}BH-XQH#Tf| z(@AP`Ehd=M8Ac(ae{cDCdwG49PNunkdieZN#Sl6< zkq`CV`1{^*xh*2{*gSk|@Uu!gy{jE(OWBiO!{KW#;wxZXwJ+kH_Ms|q%X4n?wJs|MJN12Nc>j1$54tAA~`NP$6` zuqLD}(^}oTRJF<12S@GG)v;k8mqDLdBcO3Ka)Ma%v z=ct+R`Slr$JVP&|=S?$;BD%DtF3u3UYOVYL+}}=YQNwqTgW~k(O{!?LsZ*V)IjNS* zSxnj3*>iXuWW2xufg$ks4-deJMMOZbT40mQeMLS#SW}Uo|E&R&z$e9SF(ODv`9r+L zE&}CI3zStkA;fyU`*{TJa~t>JZ?Hi@Qlr;a36*HiZytg#iX)lALQ{9(9?_92i492- z5-%NRe@CjNBTlA8Uq2ayY7mx5ZVDE1(+y_&i}l@?#})tk)LzB8C*&<8i!K#eC_jHU z_2(z|DUhc59dQPy>WSqtyTJlB|G;@l3E<~ChP%zQDr+=5=T_S$;KU6D$YTh*VReQ?-QqAkz0XiiA9nRlRdj#H9CzU3>+(0i zr1ywWY+KPs`OlWb=ut<~lPvol8XqCk#uH1CRf8$!x$E?y4RFSGx!w)D(7=NU0MHoq z3s{iBH}0E0KjMh&#mjX-G83- z{x_tpj`J&{>%XTDdcgq&>w(9wcXy64`xCGlK#M{$maYTMVQp@{@|}J1DIFFU3C1aj z%v3OVfsT*fYBT&yWc@-~;_Ga0&qz|#&@g9B1Z)7#KW`WOd>hE9_}I9p8cEIEfm1f}J%w7(lptS{Bt#2JqN#e6RO8{R0@Ope)3KVD2gc!tu4-vg5%4TG+ zoj8gAe*IrvR~Z)77xb?PxP-WbG$P%NETGg%cPNcC2uLFxf=f3@2@6Pxq)MZJba!_* zOCun$@8$pPectCi-|oHVIWgzVnVH|roO^K-78bU$va&DSf)Rg+{ZXoXlFCz&5tN_v zw#hGZ-aaj=QP#|RijX8UAHn#}Ioo7hd3f_Ly5+h>GsxLO7fL5>pc~|6sOKd&MM+3F ztRknIpa^MBg`CN3`N)BT>E94ZgMEP7?Kjzz&Bb`##_MTq4EkUK3%8v!T6$zYEf+-b zvXG9{PV&)+#JgUjWiTI@jOIn7JUZgCpFRQuOt#kdWxbXAgpxZ`p_GNHcQfoluwoGe z%13!~iSAa7vl3%y3ewYP-LVxuXD>fKL#hu~0W9&L%~p&kLMZM!>@X#yN=sdRu9TCA zjI0xkxBoej(sO(*3o)+_j4_$*X8g$jNKICYa!iem!e2}`q z_Nlc>6Z*P5C5fx~wm~kMe1hSvG~2ZX70z8ZFB$R3xP4ED<*v?lH&G}QxB`27z88nf z3W>~Y3=~lURQKNMl$T1Kx1Gk0u&UzU{FBAR#&ko=(G^vGfO1~k8?8wU3R)=x5h^N} zL*+YIWN6~GX1g(J_qO;IvI<$~3R4dk?vre&1~tunZhFGG%94$l1Z&~8rx^08#~cOm zWV?IxlBIaEZRE!N{U|an?3!Za*n`+7a*(6cretF%;S>6Uw5%-JCr=i{Xt6ZIm=Kh+ z&xtP4{u^k^PcO65(C6(dPNLK#B&Zr~(hXRkk#ZEOG~);gUvyafv30o~92^WL8tjSP z^XZ!|*uh^G+3*%e0GL2riv>jG#{;a1WN86SChkQIaVRi(hP?g-VFr|5-`*Sy}o*#Ryh@Q5RqY^-tRW z7clDH+$E9Mlw|TkU3xE}frAjG~rq?^%T(bhU zNnf_YC7-^o!Z^u`#st!>S8T%#;Scl<)f1(OLQKEe7OQA99@K@Ni+s;wi=1k19v@|N zCyYPquCy*wdUX$Q+Az+7;FW)uYOIr(M;vFJulENC!K-^NVpOs@;luZ3h|RXE+5uj2 z@*T@D{UU71s4kFSG^rF=mc6A!fYe@GA7ak@WW1c;^t_>eIM%Pkp9`b8qT!zjz1F|( zWQmL1hpAEb1qji;06-|>5$ zslToi+7{a{!`{zNoHmSD&np{KU8!V{;5{w;>7wa@fCxlXD%u~^vO$tjg+=xuxZX6Bf9QWS2n-n0r#Ub6)ik!|eT0h?mBuOIg``{p} zo^!GDLs~S_`iIuS85M!sV@lIcHU+o-wzL2%&%om|{f{h6L(K(SfhQS!((#0C#2Qt> zsoFF0tcXBMs2O7*VpUj_6B%6Cj-LAU%=i%7kh?3+@BsE=#!e!~Qyt&o45A>a))ZbZs7KO{+MTHx19 z%5^Pvb_+{U0Y=0HWqGTod$S`pMH25ELAFJ5H_Hc$I z-xR3WeJ<+6RB*82PH7Hj4h?@#ETV#lXPw z@~Pp`JPF}R)0AjaIO!FNf1Nz~5RCLuWhFepB^uppfK^S!j@+M?;2%_U=T3&O}?ukNq?_RJ~5qlQZG@W@JpVG z46!21Jdq#^uFRvXX@J6RKSF^j{>A37UisOo(rbfxGHsL~*fFllr4u7lem?1)>Vg|# zA{pGy=0aS+BN$5tmbq>*U{Zp|4N4ubXtPNl1w%1{D$0L+qK&4%Gkvq2 zfS(6EsrmARE_rtrA$L(xQJG;Km`=3?LNc(9D2h?aZfVxJ0R<9z12xt}unIr;orsut zbz?&|G$^N``NUUA7&DxceyralEJH{pN=91p%z%UhiHlT~(?hK60~o*(W{L?MLYE4a zo+%Wkr<=-#LHq6lX1c25S}tVlyX2tUQg<5+ACUHt5e6`%<>`1(L!u^q=PvIvd9B*I zOkd{Gx7=IWd4?LCCiCxkp=C7rG+*aHfk9Ov_zolZNX&UaZjRu!g3^~JPX5?vkv*K;Rm#S?i zCCY?x`uqz|6DYuuIP>;1GNJ)$>+6eNv8$;Kl4bd^D-u_4tn%nqU%BF}KLV-#gfSif zr?te_8b_)YK)xDU(9z53vbJ?}aDJ_Bs80X{-ui11F{`G#&;orKd|Wy{H&?VVyvpaW zG?S=pDp^p_BPV;{lwQHMctA6Fe{89a{I5!mE; z)1+}RmV*VvU0>ve#vn`Vht4rcH9Gb{>Z!Zo;qt8$iOAqK>n;()og)9W6R*nRg4zFa zu^f8RA7;8Q!M4t?ztaLQ#Kc%SqTfx2?~9UtIiSAVCLiNgs7VyCC`{X<_&Ugm!AN4R zFb2M@hYV(+z=t>G;4Qq5tT^diyKh_Nf=%XeoO2&~zx1HB`;1i)?R=fpJ^Dn*|JGmA z!O-J(n$i4JvM6dfnR+V6j&#rk{Ho@_ff0E?LgIlEe4rQ(>a%*RHsR7im+~s)z}Wcs zwx~aGV)mm z!DB_rymyW%T7u5&G_VWVhGeJ>cbzIB1_FvNDUZi2flzmNBYw9@u>W1n%y6;OkF~dB z0S+Xj?|sU-dNspIQ1^mk3g7ldb_Ym!{XM`%Cgrs#X8v{BNyhlLp6`gew3hyeMeS-+ zk9V=ZL}SA5vAx%Dt%7(}&idXWlYP49p2T1f1A9pjQcZDEcGzf$=f!uH`Lc{^>7L!; zmMsz0e9`ozhX8xhPNM?xX}xT(-)VhEcOrA)xGhk7xNBKp5Ss8bai#r}k|;r)ab{G4 zn>GmZa*GHq6H7h*t2kxNQ~I0$Dr!BxaJ~s%9NpxgvUqh2F&!~JwwyASiJqQ~tg^!* zfFMs+R+bX8z?J+!H9O&t?JD8rg*Y}`?TEc+fAnyWkHA@^Z_R0)#LXp8-fyWp$v4}NZkY3?qC^iuUdtUg+{mZ~LD2H!6czn#}{ z*2{z{VKMXZ)0Vn#l2-f?>G4;*6vXS(s;o&W6Wpzyd=;ZECX+u4iHH_&HXfZSqP z{w@>rsX>?8dW0|EIhk3`{iIH{IpMd!WVY|gs03Tg*vu=gk-*TIxDj^sv9ij})fo@@ z$dgt7Y&sx*t*JebeD|rYy#D@oeeYuWo8od~-@j~t?mr6`-M3xmKK`t14LCrc-?f!W z7Qgw9g>%2Bioq-W1#^qW*gB##k@JzT*D)`modd;07pUQMDtk{7BH2~K(#g_vd8j~+UdiIJ zXQylZiXD(>0D-#v9s0p{#PgsfWsw?OgYv_*-}_YNeCm zDJHhzihvhC%u2f5{8kbxGt%sYqLVh-^Zr;NTMUE#tJaHvrk*9A zRa$0WS8+FycVJgH(>#mb`s5MJ-NCI8o{7xGf*^<`_9L`Uf1CC98TC>(>{>bKn@W_)RP}$?wG=29^CT;Sw_BW!5MF&SC359a0g2OD^sSlgWg=(|85^NS z*kUZ}I)`=apbdv=Fa8Y1Aa7iqoE@B|Fvtld{83-vwHlscjN*Kiu8v|(BYj(y;6AbH zu^R#h9YmcGdCxLpV6bL0({z{pp;tROElloFM z&0@g!<;c|A;pXOML|jjgVg-oO`2tI0+ZE^wr1Lj63@BXh85e_^%DtuH@|xRibVJg=j@jc)HI7^NQ%`0fibCvIg0@M*drV%`47Xtv z-0@_1*zN$pI&(aTgi%kU<{eG^SA^HkB4yVGGCh zOC9|>5{G@7DtuD0bb(0ZFNXudt+wWx+;|KibCb$aP_VjME`+PR@SpqStwh7oz^d9; zPS1^XiKer`@}|YFT%5xc7q9IkatufC>0&Lf&Lc@1jhi%5jdee#8?(yCO*)X+;3=|m z96$^h=;^nd(oE-iw*zPbj#Y-s&#U}CFMknozp}V}zv^(5L$ProVSI(Z(a6UFrh{(w zAzxkeQ)yFs$+g8kfMoKjLbc%`YQZZ(N9G;xyB=bzex_)!OB<%xZ0oTE&%orU$Bi6f zf&YRZz)eP61zbn0di&ecb@Y`btgc8L7kuHVi7q4JB6L|V#gUh6m|bgDUL86klD``_ za_c-SI(}G5&@63L>f|ku!0b=T?3GXLMKJ!#%LmbAki zxC8H%p|MgP!fGyl+cFjH=4l~w6}eJSx>#jjxegJ0Mu`%>NUrCSLEL|e7_&VKc}S&c z>=SLN8)6D=CH2OdqbjqRqzE+E*ojoa;;!?4cK+?t7FYH3evnNCxn9mxXmU* z+injZJ_MuD*4Nknw+DWz?m*J@x#PP+^g+n^{rl06Zc*b0=nE~Yp3&|{0~rKBK!9U^ ztejfIZ@1-=2L%+tlPfEoncm&s#y?K8t$IzG&a`%`L@iH{#w;JLc6LTn$;s93E+NFw z%fF~z45p-{xKe-BE>6NW>fOQ$6r!Z0e1mQ}&w=0U&(&$Ye*GGZpuM>66e%_wT}W|Q z>V9q~QC3v8O+}G;yI8tYoqEB_DoW0^ffMm7Mm8DsxsF*NE=HQTh%50Y1)VThm3ZM~KgNvhA!?6|YRP+@nHTW84B zi6lxSS`s$c>vN7_z=0KlQ@Wu9ngdv2(t5D?kc#(ueV_fC%4y&ir&OF_UV*;@t3=`Ix^IaE@v;408^dS*snlz_woPx*H>1bBI- zZ{+Gd~vVGWjujkMIhmtw;-F*5FB~z6v z@%hu*YQ84_`7k7hVd$sev6ab|u)FEyeZOCRojIE+WTd1RK=04<)7ZZ#l&cWO)n47n z=b`K)b6Fgp%op!Bj+l5dMEycYhjT!`D*Bs3W{xzO346So5h)uh=Vwr)^^OX#$}2Oa zUo7>dc{lWtvL|hciP^3lezGQurRKZdtK;lp0;x!YA1ME+-o41Zvxf{ z_M<2bX2T!B;j1eHnZ5rkMoIOf?l5|-FwDY9M>0h9_q8P0;+K4PHqbLo9;L`dOdsD) z*u!F^!u{o=B#5|s$TI?xkb>%SAx1lpfS{3W`ctce37Q>`0v||7`a|KE@#KiIe6Rr! iN0YvTkndi1qG_KM05bOf9Tbq6O#lE$N;VP_ z%F5P`u8uC&j^D^-B_zndIXha~*jWI;e=9j^R_bcUctQ^wx8m~Q0m<@?s<Rq?0* zoCF#M3PcRKaEc$xxGKLeB_&~rhx5Z>Vq*iMaaEX5B9WF5_9zNsgA2nWM_;zR3vCxV z9}Xton-_%-t8Q`{rx1EUD5)|WDqI05<>I86Tfsy9gWG$|qJcRLVZBxA!unalhRGf;xpoKn?RdniZb_kW)QLma-whDi~~S^0`9-j z-n{)ciB>Z?$sOB*X7u@_2mS+WYP$QrKUMin6acne{iffUSQ?1}1mFYg-wUWOV66?2 z^W7ezEE~{8n}Ph}6|I|Z|DPMlAMtI=%lmtKOLG0;{3-u#a1P{YS;p7afkxliLKn$S1&XA@BFFS^b^ zL|Cz55Vi@$N;s5hq&8(N2tOnAk>ZyOELId1`A9g93RpgYONLD~Qk`5whU8kv8JaIl zU#dMpU>INzdi~xh&6XV4pdvJf(k#(d#zPb$Re=1*+?6de4lh6Jk8=}|P&D_C!#|bQ z=qqu;5<{%LM+68Q{dTO(gTKY=d6^KC%*N`$RVbB%M0J`~FdY$hW>fVZuvmeTy@=ef z9^&LCq+&AK3fhWGGG*kSs5miK5P1+`LR9)_!AWKEO*HM8PyGa@>}+A$GE9^USaH}a z7~bI${XA4y5fbdQZSl~u^+oD4STj;H4yu&LOyyaeGDMU~BP-^%4G4V6OyrEip?f)d zzxO!yi1#S2^^kH*MV*Qs)pqDqN59Gu?qlq8?!#N8vx{jIW~#22{ZPl`iqjRZ{?VdZ zs}fd*&FPlOHxY~{D_>k)kTOeTjc@&6Q+wpvj=7#fs+jgiYi8_N`Y7!P=GFrR^*e6x zP`DKxVHN=bffb<#L2bH13E^xM;gC8j58G+_VFr4JqlPv^3xf}C!YERTTnbGJF$0Tw zc|}RZMg_9QjmDUIT)Cl|Z;g}&huUsA;#_K_Mn#VDsT#4GRk=V}ScO%Yqq<0upUztZ zyv}ch-%1iiD*5$ByPbpN$Yz9%|1nY6qE>!)3*_pjsh?Q(acAgAens(zCxq)*@ze7)4!l}^4W}$Cek(!pOT`5zkQYn4f z#a(k=np4sx*`f0ih$c29N2^aOZ51~OmvgALthQc?REqaSi2tsJxx%)X_(uoCqsO82 zB0aa;Fd$dKv2??;>+t!LFUyUZ5$%ScOkD`DOK68vgSi+zi)iIpk7RqH^_?~A0a zB;R)5m^UE=)Uai=N)lZXKbIzF9DYsyjm*jH3lZOe+tgzgEA1(asU?ox7VI(lew!S% ztXXL*e5*E>;G6KM2>GBf<}_jEEaJiS;jTS7*E=VJZLgWToUF#IzVoux+6(Rrn~Siu zym8Jv`dl3jmp{LUCAL)dr$vzSQdn&_tNfHClme}q4=Gv9SQ50V7wcM!Jt`hdF7bu$ zg`M+ug?9ycHrO|GjK+C-TZdc6lzuzr8ij63_)~tEe|UXN1Em4fP*yMzfntGr&@Yc( zJ`_E%BK)fs_YKSEV$u0+Vz^>)LDfO~zp5#$htJ}xDIN~fCle-Z&_b2{ju!qPm>ify z{q{ql4Gjy``YsatEnJ&unk|jXV|q=(WfSrYNrh}=S+Obc)qa-aVi2xi{wlb_)6Us0 zGRSPHGd{1Kqb+ME|A~*8p@!SRu6y(K{3dKCX9s!L8$X?8*x;MzkIBB<&{Di|W-KQD zR8fU+Mc(AUVi*i%c+u3?*dEleNS=KpeO6$WY3}LpB?)~7QpIZ-hA&=;X9=BLo>T)I z#Z3EcA++W3oeHQ5>skD{c$x0x_UuCZU2MUL3Gq(i6%=2RTC7g24lLcrsw_eq-Ul3_ zT3JX_5Jqep8ow?YuP?TN zhQCIGelhekx>ZWGX`Q5$bDofe~-D*d0i$q&t zkKoTvi_($F2>}uHBK2GKXLat2ne}Fq#Yczf3u5oid(N}@RlUxKH{p@)RShVOFY}i3 z7B8|djSnI<5f#UesW0{h)r$5`=R+_vFmDKyXf2CvbMquKLh7n<3yi1IXhUS(?>Uzq zpHaC{HDa;{cPPI>Joka{D4 z3r{bcYa|-Hs%H61s*sL4}%_do0PetdXoMFR`gtK zSz}87^aFfo@YH+4T^zauTwF%n*mu<6twq z)qFYs<+0{La#^^EuC(Vv?oan&{ZxOa_NVkEi7+YY0~RLz=GBbj^XfmmNp2>i`UL>I zr~x1#7yzC={)NW?;Km97C&mE4pAG={j)_JCQUG9XAPW&w|8M2Y*CRl4VE&!&aKm8b zA}EN?S{e2ie1SFCI{FtCyq$HlAN>Ly1RGb~bl}2D3{IYjAZD7%h%=%9-2ZACBNtu3 zDVeFg^A)3r$--k(;PCZ5-T83i!Pf)dLI>+`1m0uQd2B7iYEsYzNfS*FClQ{GQ*MSl z)a%KW-i~H?&|g1OB(v$-!cMU6mak|zX$=3TV#oxVP3VH%v_1KONZiwh+4OeZF?M(d z_IQg(YCB}aP;wT52La1w`pxVnhGL*lV$`5|@l$yEyRFec0nKNxmI3_O;{ns|`8A#a zAEnV-Y@7S~C{LIP7s<=$bo&aLXN=S{p~N1LcRl$2Vn1p&)b7=)!=b}Wf4Qc?U?}n@ zIFiv+hA3Ydy#mN%I?^|ATPRM;b{?hAIy=idyl8k6)BVQ#q+g1|Hl@hD<8XyMj$%PW zLVwr3XOx1KlqeI?!Te;pyjVQ0PpdP-@DfrqfZiY(L!)|sGq5h6NqCx0lH_?HAzJ_G z&sryWx=@q|VY-omhqz57n=b2zaV+C(&&_4Bh!SGtC~L#M?f4(=XV-K-;#4z1rcAg< z5td>BK1)wx`7b@x{Nfj+nc$O|G@X0PcGq%Jx7+O=&l8&^=x;M7VTyjYBYHGn+RqnO zgc3FB}^Mk`C{(GCqx_nOY)jUobpSts8#&8U=T7u0Y z%u6H-xxk%HA`ah-qSH zG+)aL7?Xl1Rh*M0in{NU?9xpT5JV0H89#UA9AQFX(m_K+%`rr=Ab>I$+)f4nkzGkm zMr|}$aY|>nU@+DZats}`ID{NL(_^zDZnhd#*G&jZ0R>CtkpPB-ph4czB_S#hNWyzs zIH)ij#0Ca~VZ*`V@`>%oXSF31lH`%##WiRE@(fiEfR6m^^0*pouyEFy0*rNkCqzFs zqIjLf1{};lMSy+f!}kn~EKR`5f;UT6_PT7or$5cQ3lsYi5AzH@etBa;gTp~k7@z5)#v}|n|XC9&3p4Twjq#22UO4|d&69UF!2sPB1y;zq@Z7Ke=)U$ ziZF$5aSRWrGv7YIsprt-_dL=HnKiS@;+OEWlS;6$md(7tbXuW=&4vOS!sDt8PC7ic#s8}Jn@H}l|sS(k!u1fH776;2`b1~ zAu9lphg)KRPd0I3$U(reyalF^maZ8owH30!jMPJEIEWPr5uh_Mg{2ZR`7;*{0#MRp z;UqJ0`rSGIJjC=dLFfQjDz6{pWmy`cQ-7f&$2A}T3gq8g5;DvbB97xZkv!?y9^>{w z4uLnGRzj-o3b9DvC}YR{5sCco_GRiw6^o^VgWG`{2q@*0KqGBS1lh7y*(X(q57j!g^*%Wh2M}Y@VD~WIJ+~lBq3OiPk z_N8a$RwQYU#)5LW=+9PeI8e&H09^n|!7WNufp)qMEI~T%sq}9!9Vpz3uOP;Okv!^D zH5CIjiV_4us-p`6g}|xI(k-L0(3Mc1udf=GC?zPy1b~5Xu=xsFgbqbQxG7+6ZfcGr zK7EKQYH9+_{=Mqq?6$c90MiYi05ap`i3_Rh_gu?} z;cJ3o=5PtwezAm60TWHhnVW3_S4OTLlPKXU zINU+f&z(|Dg_W^c<_U}jp3KwKFj3BlorVs$CNffV3ya6~@O8OmABiHhC<;{CeB6y}(JJZkN=a4^NdP{x=O zeO~k7B`*A2l6f+>y$JB+kcp>Jkg|iKF#t8^tKOu&Ct_Y1UpQ6NVlc82m|McEh&auX zcwk%i6%)Y9C{18axz-J96{C2UcD3E-gwbS>#d4@>eIXVH%rznOI;SFt0acQ(M>A8F zJ`IXJY~~$`L$@34kGPCp1b4qxS`3rZJ>Uq)WwA6zA2c5iPaU&;Czp8?e^L*Mzx~Aw zd%KD#WhfXv(w3S7vyaCJ+a9(~aWp0+Z+x*`S;4Z2>{w^hW`FtS8O!zEG$Yu1wR5=~ zEY!)O*Fl_&r5Bw2rXZE^1)ZAEL~?ACQ1u!PVRAxpe5c9)lTA08BRn+b$nG(ft)rAVp^$tm{N22@oyztuys&SlH0Kn^UYuaFH7(?= zocjz`^(KC!Kq4Gf^jPzWq#66chmU=`hiQdo`#U}~MO7|92TPNww+cxPQNE8s4$DMV z29X1~(G-3rwZ-tI^xPs9`pEs$ZC_CQS=7o7Ze>o^7=VW(h7muf5uA|#7F7pBj&O`& zap0rbcLFagGw3I-%MCk@`A881xHw?I%cTK9V5ab*iLb4o*|V>3Dhkz>0_d1FLjA89 zciI#Jo26NWy4{P3;ib}tEfySoO?pDb$b7O|YP!wx0(w8lWyQGWY=vVW1cANfO8|fg z(p#{6*@;$Kcst(qzP%hG7133{j#DCj)rvivrWl($O2()R(~cq*O@yX}^G|rV^#6Ey zG>hxL&$KlIjyBwEzf7y(NMhQow9I`u5ZROUD~3a-zh^Cts>@> zOqIDnh#SQkp^8M|iy>Mvi+Er#*Oa|INJ^eh5GbWR+jNw|O;KElO1VRhk?E@f5v?9d z|16A2fdSjq5e_SJbY9W`AVSyY8eoV)1%Rob08Y8~qSZihkS>^Q$jbic6s8mjhk#@K zOBg5sXK`vbQ?F6C)H(x@NU5)`<@i?RM+18HxbpI&UyJhrC(N{Y<&N-gB>iL*_ zNPI}|Tfp=k6!@>EE?{&n{{JPyzRe@;9(t=8d9E}ltE*9r_DXFnCya**QCZ$ztodQc z#l06^Z@X9xMX}(4H{^sP$(CSwqWwWz5KdPhqqnR(pNi#NlF_iA=cppbi9%7 zC?}uVD*revYeT~4(cM{YDELGW!%I>OqFavnGDex*w#ifpem*-N8H(q(dK_&ynvn1w zS_o3~(9OXdKXxeZR-DRy*dx3;|BoqiG<#FVfn{0yU|-OuVUQ>JHYqu^Ltkz>S^q22 zV3UQjkf-30hXm^MQ=8hY<3xyEK(#ZJ)L+l z7OXL(m>{{2u0bwsIfSZ^z--XvGb5$;5FQjTQ%fu+DJcC_6wGD{15F-vAiewjN41_f zIV?1}xVS{V1B*%sE;)nxaI#!)I3$7&?0ja+g?@czEnB-#Mbva3@1PQN?=MS@%ud#b z_ak9cC0n?9!XKLbA=fh*T2o%Gm6YvJE@DA@#IdZ6L`E|*MUIGgsDR0C@xZbd$_2n)-zK)L1Cn-iynPp7!GQ?wnsEwLgq^){Ywu8Dx$g{CRx~|asz6XZbYZp*6CfOxMrBLSgKeHRGjQU;(5W+s-2rZv zcj&JwjW8eC&@DJy?x4q%Z(o}FPuD72yXyOA!e76hPCR2{HyDqR9S%2WMMrqIA}-m| zZra_6Bx3K1UInAurjp$q9XA}i{ySD56b1spi&UZ`?i~IDD*cP`ZU%R6iCNe1_l}yj zvymEDmAoo)ymE=qCPhNKSiT_;NVtL$Ehe566{n%}!k0ftr?Jhb2J#h>1q8VZ2W40B z7}F(u0HGlbB)SP9+bLR1zR`VEu?PFuU}-K`1qZp{Di#7siNp;@3GWAkf-n;RWApv} zCdBig-j-r_GAQVJVHEeuKR5hP80298obw5aNm6La@8-D*?eSPbe7GHRKi2K9Q}fcX zB~wg`)y)bUtuQh;rSoeihp7C8jh5pt{mjYirW_g$376}Y6S74J%{3napzzHC@z;P0>7BxYyY zkE{6}lIcobWr)D5r49e((qWM~rjF2IZaoWX*Zw$EPL3=JG?^gBi5#K-WvhDtIBEGU z&0<3D!RU63=e#_wdn?w_j^&v2AhXrqWx3L*>txTstvRVb7<&!`8M(|7VR-$kWx>uA~3x-3&*qka36VHbY|R zUz**;1!kYU=L~P7N0AQoC$d-b!AF6u@ydtI8YYWcgWJEKdqT;g1-czIM%;84C^z|T zwLSLL389pHhWkGy|I{7lf5l+qz{bX+z@i&~P5?FbV@5zqx^&VZYyx+qNqOuPB&s;x z;YGy`yC;DQ0nPnXG6CWX`FQ8m_VIZBT!$qa2+0gh!b-n6yuLiHh>lYOr=#TG-|Ilq+93@5|UI|9^ z%iK@KZ9JA|*}8b;_=3#i8Y}L9YeeDubM8t)&O7MqWgu9AkbDq@R5(=A9SQDT^!Ms# ziFvJ))6-ck;qo`TcW95mQFdqOcu-vcv}!;kh0{q3py{D=HyySyLvc=Bk9|Hd2-Ypd zm_a{XR2t`h%>Jb(S@b5g;r$}KnD$Ct)}-XB0li2$Kin^%Z#!=Oyl0FJ zUni>zhc@eflN_F{OI~LR9x$EEH~Kv_;-hu$o^|mDBWKqO@X_I58bfd-YqCHx5I|f7 z=SkCfVGuq!90Z@|`F89*SEqIgOEr@h0fsK3i>!DM+;3UEvu&Qr5rSg=xxbZ5ZuE4} zFT2Tf?nO!MP9ivA0GL7-@WvJp6w4?^`r(p@32*Tx$#hPhA=yO^ zW+kp9TvyCd`918ETH0xugM+C2U?Oe?m4wajiWA*j*F2UPkY7iKqhg#bbX!iSHYphy zp5B~MQwtUkuUfzgyfTAQLZ@ip{4y!DBzw#}DVd#}BWwfE;$2xN298qQc^v1=Uatf*CJ_w@N; z+=4{AF6cMzsfB#QBkVgyxOg0Ay_-p(%tjYi%W=<@-zsL@rG{}%CBuw0I$m8X+-e?k zH(+@8Oy>7Fch%=vEwknePoDxjg8!%#)7$P~$djzUlB7_R5F)!6MgWM_JZv)H$*jEt z#?~Uej;+ZzvPv)d$rYl9&i_pHIyB^VZ{R_gkUMkcaejNCtLkVH#f{gbMgJf3`{3G@ ztFUtmx{ajD5M26XO)$P43K7BD2O@~OMy)Bq!h>_R4&Fq$0H;w^U%5(~i$=CDk*+I(AySNu6((xi z8V@=egL2i54UodYlp==^U}K3vL~G2TF`zSOW!!Dm6lP0;=byDs(@9qgV;m86BlJ2r zywKP-I3ty*ritF~ThiF(JMMM{-c1S|^*EjvHv zFnvKz^WIaP|Ba?BGIhSzK4)rm`JL0J^^~D=-bQ{1`1e$AW?iqlT)Iu%-N}=6nxFQd zi)i^h9Sv`A_m4{{fNQ*VpJ!_xJDgNH&sq=9JDTyeq*6oAUh8hJb_aW7)M8hT-)Lir zDQR<^KOFspZVO&mmOPJRN{!yI0N~TNY2TisF4sP#T3^DgeU5H)+I9AQ*8i>_T`oEB zT}O+;&{v)AvUp=KysKs$Sl?JIQ!()oY zArBF#o7(aP*doEti;Y%>jQE?&{@WQm!brek-p!J*mHvb8IdKdgcr|-u=?S(6f;QbL3KyW)-skmG?c=IX3bvy`X(wcRX8rRiuUAfBKRf7~UZBp1dM@*ZLhrdLJI8-Shjt zB6es>V?x)Y-*iOfrP~{w85IXRvqpmQ?+1`+Gk<^LcJB)mf&xz7g`M)EZ{!R#=gkQ_cXQ2S&$K^%zWi&w8 zZ+}Pc0~%oc+b{38R=a|_*NjZsehua8E1m1{CMI;c;rVyPXkx*N?AuC;$XYYe>A}av zsQ<-(I10W#+`y;jo6~!ZkDuE$$3O>(=U{>mW5SpJ7#m6sl0$XUp~ULxEH%$eOJw_3 zBzN4e^&b|AKwd$(D|9&KIJ+3ogTa$7m*o${Fi6LIdgXxC?S@ ziD-RN6j(QvxdLVY@%8a*Kh(&74Oz3q&9DhgT&BD$4=C{dT*0CNHgqCiWu;cznO_Gy z%Ojkqro!%C{3BKalNI2hG3${D4!cotR4h?~WZ`80kDAsqHv; zrIH1<3gjJETz*UMGIzeW+fE_`oYwGt{L6bDY%g}VunP(w?vQEl)+;jTWHieMT~{Sv zH?wROE1rRXC95g5tDrXdxU<=`4e#yDo{!tq>7UB}e#eEShG=QRx3^o>P@3KDvvK}^ z_ehk;_^w&vNT~tF&7a!{Q>4y=!g{~GLAf2Dyv}*J1{SaK|bx$JFaYZIAe7img{(EwXpXYxXY~^Ms^fKA# z@Vp+_n#&rlr+u+V9b5*L@-^{B{u)4uvp z2Bm#-U&~DNu{O|(UI`A+iTnI^-0YE!w_3>vviR|Mfh4$<#LHNSt$9eyQ zQrGK&L8aJNqn}%;J(te2VnX@ulfEu!A`cMprTuWesfC(#x5cmPur7J8TghV%&n9l` zL18sMTO)AzZ`N9(0p)5}*~GQS6nUMlzerlU<__D%Z2kOCdlb9(G7W4S94u_{grBRg`ygL;a0hkH1_z zI8u>`QQR8^Dw5>n|B9`Glc6(pU1^Gltg=?Zd0{}uyKg#aj9#GXkEEnQsH&K?~uOVAjJHq(TiMfmpth0xYXeOmA*7OSk2L^iKnEmx`G5K{xo^ingQ@hB+>rC{&SIz5rU;Uj$l>b z?|i+;C*|Mc8s4#wP=;4mUrF=bWDK7+fKt?f>~doNkZp3obCA-1XwogRuDdak0)9 z&iIm}r^nk0Sl+hv{w<(08Lq_0#$#k=$c<>mk__A>^4^nP?X_e~xoL4ij zjzU{q?Q4%Vp6jyjdC%%yUH&`QO}?a0#mpNFeY> zn$-O_nC;zxxZeqf54G?>{KyZmAkmt7_U!7!bvAAxm zx!w+?H$ZcpT0Pqt4m8q1;i=e>rn$6A&rw7V7i8l`tn4fx!P|=1I*kAr!x^bEA#~(+ zvtJ=qIgoT5>l`&kZ~+D)VZt=;K*W4bgc}it=pWgV=>JHetXUF4f#B#n#+AuA?-nni zLAuGI>7~UWa_i7}PF;j1fgiNV4NhBTn?Ix-jSF1TO7w^AGw~2ASW;dcK4iKL3Yt>m0R`U}y<2V~56hq~A3!{Wl z1~?2DDseVZaM^4RmDCLarVIfH*h%Mii!O{@TgZA>%3jXLG{IySHnSAoofIJR>6M@A zdL-EJ*s2R_8GUNE6f||K)qh_4ca)#MFt06d{=9Y(SyJl~xa+@iescV1x?K2sk$jn# zgq)wMpctWw20BPnb9_s3=c@nybYj;>N{_3b=7BdJ8p{fk?fRQC?6RyesBUJ%k)IZJ z>6MsCu5?U|e^{Fy%0#njE4b9(4?9obDzJ-x48dQ>O)yHe%0>QLLBEt%B^4Ar#=tlb zJk@S87chBTQuai(ROLH9N@TwBGM!DJjj&ul7S)d;_fdgE&Il!qQl*BzoN!t2DdwCO z7#~M^MX>@iWxHhwc&$}$o@K<6jL^W1^fSv%uTe63xmCGZw;6mWUHvNBBdbtU(?94Z;l7>^`T)D zJ0GRrDkOn~9G)=bmxUdUmmlim&~;j^3@TNwzZo?7zkt#OBkbm^s=e!|syHDbI!Fs;>Pkg-q?pKjc^%KtARqJMu z7*w%HzCt{0K|Xd)f+++X8RHZ0^^ZW)_3#RIZ)@yu3$hE|9vEw)>XV^qm$urTL8Sk( z)OE;tn*Fqv8Dx;DfHC7K(?tKv?p~|04Z_ie$(AMx$!_feTx%|dNxt&Ct}5DV+sf#W z!&4-t+vQWT0sSj)OmWSmL0ES!H4jNZZr9e=O!;MXx4?c_HoA>!Y zGU7t;uXpL&ZudxS_PvO=$F!_nNQU=0AJV1JZUpuCc;`-@f4i0<=}&C``>Cu+ua|;Z zgvBERtSp%FNBpO=*-+=LUtJxbn;E``uN?iNr8~CUj0isGWZ0zXPc{Wa$Riyr>yIZ|J>9;v#W(FA0w$Z91IPNpJ0dq(Sil0>h5G6ptivRqgjdHT1EE=X*LFEV%qc@fT8~b*qDO z|Mce0`ajw-NTGw`KkDOgu)1s$s3HS35^)lX;&F(OL($gnzl$j4-RMxrZulSU2yDX2 zCW@O;r~p-oRI*s`TaaKl2=z#dZ)}jXqt8Jwm29#u-z7_2->~p%rpKMfZ3rcUNy@jx zG6?+udDXh=d0Y;o-B^9aieHadBaO)O0)q+l>o)PjIMMBV?)>)%ZEeKHWiqRS`O4Hj z!xwv_0q}?JEpNcGcCgOFK)Uox& zWZSbx*A@E|kN;+^=gnqi#H3DSr9z325gXD#I*Jh+C=fAF)|XK)+zHwV;ZxC<`5FIB zOg6C1xP`ws{#&0MnHn(weKey-nDZ%uP6}Jw3}TQZth$QAO}11Kuv$jLkU<-D%93ex_>qvh+KDHEi~6R zIm_-$4;^mdkDR!pfhHF~{I9nYqrgmP4Qy>#R7r+1QHBB}eA{y`Q)J$AFz(V< zQ_}Z}W=R5|-TMh$9ZbI0OQ(B@9SCk04YLC;ar}-m?n!YKBtpeQ z>sII|iC%x|fw~Abc9ZRS?`+Qrbj5Dhal~hBk)LPpLKPYfiBKUiYWAh;J>IYVl~Y1+ z-Tuog{_NfN(Js=fS;`S|Sk!e>8}c>6yKw;E{c*eEXqR@BY*~<4WcHCz_|Sb;6E$JE zl|P-9*QAG9L_rAcxZ!fF;~sS}N_Oeqx0GW&shh zU)_tn4-PX2*S)i~yk%BIgy{1fq)$m*HBa*?J%94Z9+TwJbhvS2c}v6O8<)yA>wcTe z6s*9&2lfU)U2eMnN&)~F#kRiz=g|tBz{byuzAylg%66JyCb5|46Vdv=}q z^7AX9nfw**!WV~Ou|2!r+g5sBs~Eqd34IhjIJTcdcWJc^$)@>K3smx(DN>CJN-U^w zctuc0rqr2QnA@^Rfg0tOUKvNdZi;oF^(S3BCh;*Bgn!WG|8b!!;p~RPh}Vg@*C*%3 zqbYPkW2*?p*SFUHd%N3I&nXT{q+xaKM#2nVs2b5((8b{Ht_b0WYE_X2tubRXfFdH) zoNQ2F;nF{K6->Ao@9IbUR=>4X&yuWs+VNWRE{|40zA@zg)@7R!*W~u(;u_cQS~?y+ zQrpe_uxiGV>AFxJ79;4DwvKRTZG;#KpTi0Z6+k6!hRBoi)P5X~Gg8z}lM~b*UGvk~ z(|5O1GAhsOte&lP{VmSF8_jUTvQasD#qIU)+XLz2?>zbf-bh!U!mA&VU4r11+3#iQ z`NoQP^m!UZ<~X1BID#Gt$GX%ba%-E@h*|Qi4fRVfMcfl_Yy`8>z?X0PLuxG@Z)bry zZwfNmQcZPxGwby?dma?iirtDrtxIwAt{)G-_o%Vs(?^IkvI9EI<2`8bj5dhiWGUmzew?=R=jLWOUgQ}iVB|t z|EQs!(~YIWzTG=Gy^iBuE#@vgKlkN7=W?IKU$f-Qt}w;Ov!LOoI{mY&e^Qgg8Df*f8NhXd z!=xaHQ^gMv&mcGY=8$L}hd5}YYJ~Dsx{&wKa2MgmiYxXx>$9_N4heV<&#hE z1_=={@vP4bH)WU&q}DD-UOi{x-fA_MItPJWCs|uxRYPP}jTsl`Wwn~-RGc{*?$>3Z zVSI=AEVzg%_1;NBs>Vm-{-(ImmlH>ni@T~euHJRK!_KpW>BehBwX>2=?GDUSnJ=Ae z$Z1TYqp9L0ia|$(Qk6I;UPy+QOb5s!#lVf=c++KdD6m^8F@{lCUO5pQRB-i1>Axc7+DFyFN#TG8#WLIT*#BH$*8(xc z{!*?*B3M^B-@oFSBRUN^UPl#|IA82$YpVsBUSr8IThgyIrU>QN~)O8 z2&p&;YtZ+^X+?HTPmMy^?5x|>fWIN9INN-Wj3i!Sr?p{&Dl9MVNINUlXt-?JyxYqI zadIzoh$GnOV6?(zu?t1*nYIr!=1*K1VAeM6$?-dBD_RXD=|oLuIW!!{ync5h%z52c zCm*=ReF1xZu_8i=_=MWxnaO;jSZxK{tUjOy&yWw;{pnV(Tb_ScyQCmxa<{gIcY+v>a!@Mc&0;1Io3vEKwU@L#B-DvbuZ#~k->yw|_ z5)oZ5y5Px{#6T0n-g*JHQ+G+?=-)fx2u4ZpbrJ0}*63?HjjH0k zpiHz7{qy!MF17n1AswtFryW=a1j~A|SloQbCXGolk#aBjbe$Lcs(6#2Qel`8@KY&D zr#uLksdpALm2vnI|D&gYFtZ^oXu(CbAthda$+|uZ)iPq#bMKqVcN)bg70+9%o$hh8 z@7{~BZINT$CbrOfpB-DROiw|NZK=EyoE8HZ_g@*HOQm->Ve--$M@qgy_k4@a@@wb< z8WH)FYVIxNBTRiTrb7Jw<$tDw2=g9Tq>v9f8{N%HRfE?Xhom5gSp(UpEf+ za3RBS2wEOAUy^lO{x-M@>{U5JFIHFIG+MhY-C32wR2j4`+=Psp!}CyAW6Y?Dwdl&X ztksOTK$SfVy3PGit(cy1r;zL|8GM$H&@!FFNZ(l~c^5BSoS z7J-Q8G0=_^dN05(D|Q=QsH{vJhw}rJ@BX_*EQCLdAM?k8P0SaPA755WUAlsP7~q%` z3voegVuE#sQ+NPqJTTimm-QvajIeB`^g#{adAxH#Q*#97&wO>bt|pVG%a`~HQ);A4)JA^%K>w1(bQD~p;5f$ zKZP7TQVtFEH&E_bBfi$B+Tow~?9lS=iBstv8GR;$I?d&tWc8ew_;)?3nXdPa3=AVV zT#Ib2jN6B~_I*waJ#%y_v~#QNg9=FEjw6XmD%3%Vve#iXoLM8K73zJX>C5d>GJT;% z`MB7&5v!)y+!ufNzagbVNXz{-`IRwaM6$Hx7TbnikTN;MVtzL)cdLQQu$-0)C8@yJ zy=4zm3SMyGlua3$)h^+z49VfQ=Egyvp&&X7mUSA|!(VxrP{ge(y(3cE4K!fcE@&rX zfVUVJwOlE?4233+C|VQ~UH#E>mdN?;lx_?TR@_D`OiuUY83&pW^F$h~I%9LexngxZ zRZ2_RZA#Fsi9Xi~GB#td9JtMO8YS@c4lRC<(AC4N1rb^WPZ{b1sZP z1*ep8{g5XVdm6_!(CXjMt|L?~^y&@G4FmW>&N!pl?LedSfU^4bYB4QWu2u^Me$hWT z8GR*dl*Y=Vg5DQz80S8uIaqSPwDDl)JO|I-9X_GTHlOqt&F5x$dCJ8i=&I^R#%`^hLel+Wx%M%`W7z26IjP)DpB z$EkHDWGHR4MO%bpYmI`g)b3sW*jPc}p{Qe%Q&dOk<|A{+NP`Vxy=5^C;BcWZlrv}l z7{*kZ7qwzgSGz~G1SoHWyLie2u-f<&4OOVn;=O$!Oi6A5dJN?dOp_3dAM>@pV0Xzm zFc6Vgv&0df@tVds3+{ENh249h6Ua}k3F@h*2r%FX-M}QkL=ic8nf?c!L4Dw`HPM0$ zMOFaDY=dJ+pWmd>E{>`A_AJ&CH$F0>NwKz#kv#TM1ZKRo|0grOM)C+p^#cx}$Q$qB ztA=De7`BN|@mwr3reww4hF@LKsB6Q>DKR^4c^1mt_3*gi9GN@xD#XQ@t--B1DVmz@ zjY#e6^4bmGYh7T>2ON}(6Co{@yy11tzlBiyWijot$CmP7U`1V_Wyg+3=P}ZnA`7mD zp!EjUE-r%HT{$dD2D}%`H+CGIS7f2ZIxPapX!r257AIA=aFv|=pY;-23d+pIy^DFZ zs?vBk^|)4e0jn-%ebBe0C;TYyuQX0BHWC79#dEJ2^kPAN8!V0_hbgd=%I=e{Q+%I` zkrHJpyyd=ky9mS|6H#-8DxZz6+WSYPTSM*E(H8iY#n|#UVo}@SS@`wJWJXSnm5nm3 z&=jeEo=I68m~tLGqAhBKZkaVvTUdZ2MYR>!#rQHso8yaufe99mq-%-D;Cu=9Fh5*d2lH48?i&1)a$hNz zI`xi=Wm~qKb+HC!iLyhp7CKGq+~ldN1?dPamTNl_H8Byckov(MFgx95HDdG2oU0yEVQa;w-`=-{e9R?@sBBe)>%P4&zgc?9LCP6j1wALaZi z5FxFR1yat`<}C5-BE(W>#@wNi|{uG8cV;Db9_w{lT4%I@^=oO(Atfi#e};3%DQ2&t*c65AW?Q(kN)c~>}pqmSA|ts};q zYVif=#mnKLdV#m^2Sv~<04-sU0AI)2Kz_-9pGlhj47#jYy}nn^ppK9-lfjmuhSc9q zR^17-#3_5xY6s1Rge2jjP9`hHokJ|d48GzYuaTSj%B7RJ^avkA>6#*r0p+{$fCk#_ zB`peQ>oX2i9)t+1w%;k{#LdI+tpr)#8QgkmKN(|h^^g_RSah)YjzWJQ7-ook&XPw$ zQIk_RdhXDMi{~;+W1GYB!Gxdo700)H2r!oHqo_~zxWm!N$wV^>9lSr{FqRT(#Qv2_ zjc!)rhjDzXU?V5$Bf9Hr44G8rCq=?9-GNSy`>DK4rllEn3M6WAqRFdHq1R??=+K<_ zj1*miGQXANpsL!}MaI`=(Lsz#vWQ-N&4W-i<+0s`2i>4f8Ft&eyaTbf?C9xyL#i}S zWBxzXtFF{N0XdmI-^=6YLru;7E0WVg=Z!(BEAtux8RaIGV2+KNR94yhTh3~uVsm`_ zLQHu%SuBGljOp<0DZ4%{8kl3O;X+lZRnWSGXd-K4#{g>%?L%T#HQn9_yH{xekE(E; z&~(-w5&j`E4q`;ejDs%XeC2GaiSBiiCJRBZtq33YN-Dh_HC>|GD$?U^Du-PY^5KUn z@a9&T-`(8yr#ii^ZZ-kp;9tmW9_(>4G{VjAsy8G4Trrp79?^cD1!2$bd^7xX;d(iO zKs{;ig?REdO&Rsu3tIIj^tQ#S-Aj>Kjy$~w5cit*qOxpdLE2jDJ7PM%P3w)Q_|F^x zy{pT74jcRpxe2NvJ8mW6_=Ay3>F!=B6F-AkjYx;MMK#aAh`N7aUlS716*D2G?BS(p zRn77x<$7y*#mpWk=RnJN_*88Se_f&pLEW$E9%gG<%dY=sDo50#f?J$8;BHX^{NIR7 zfphHrCwr*p;&uBmTyiOD(U^e%5ra6j7ArEpRpB<0av1)GB}r-?Z|;HFMj>x6;^RR1 zgFwTJpL_j`LA&Awp?k~oUGCe4ta5r4@5!&OuCFeyEQxN?^yb>6+cA(;+1dq9;6hre z3Lg)fTG$&>*Pn+7CLPI>-MnRQ)fo*M#2h(2>-loWiSXtPYU2#xKweVMl}hQ4%GR)( zG-79M_szcPh(Ty%jDD7znVGq;mic$@Pu04R60WdxUkTFNvPdRp$s2{zeQHoFAO@dB zYtY~Sa?4Hs+t?}9*=hXa@gvQToWn;Bn;7V)*M7wa#TE^e(-2|2Zy%*V!Hp*V1J1C= z`x6=FL^;GaEi@kVA%5|cEa}Vr*Bn>}6A{8lK|wLrN&pUkvLBp@`LF-s+P%$gJck78 zY%5ur^}D~$otDA2lDW|3BwO%3r~syWE*W1e`V6eYym`~6R%pEtXkf+F8{@6^PoDg? z9(5v$^u~H%Bk1{^N!H@uK6uJ(83imhv%OhI zGmtGT#hjliYXn=t01zEa`735?w&>5BxMI$egWIo*-ZCmp)iq6AYCeZ^l#*@DIdm!~ zKZ)lQ)xR-x&Mb0k7V4=+n9_zaFf=4)p8fv5m~&J7woO^yq;ilnYFoI_UnYgfEgl{m zXeg2Lxb1@5>sIHPF7@=F-7kbtD3s?_O=WfUov@9KjXIMq%;rq9e!Z#G@%m&>;PEce z9b8=4(?~`o9h)wn_wmHUc$O}@`mNQXVvOFD@DYV+5?cOTX(z;-8@$J}K&B_)Xg07Q zxYK9LNLTj`zzI=f*l4Nb;<8oTn@|vPw!Ywt3a*!rI6Feq=3B|hea?8>zzW(Tz_ouW z5BR>uvNf#C1_CJ6K0>tzo$hCth4`;eltmDbp3O8^@aWf_?UsbXPZ3zT;nIGKfb%~6 z6T>+c*Ud)F{x9d-;z1|7{s$|XIbfHoi&MgfZ{*rs7ruVGM?`euX6u9#Upa9W6Xw0f z+OQ`~O--Ff?XIMxG1WPjNV4d^`a$K<`WWmo?s5J!OtB*CKqkaJq+*o@bJkB7yuy#} zd9(aJ0eNWB?UUp`Ha{t@8Zm~$aAK|Cjn=) zu-)|%_qEdA0(5o4W75lc)Pi%S3_Y+pqsmP9fuzHp^1NzX3G{_x@Y~gB^E{g9=zLVO8l>%gw}!t8ENa!i+;TK;F?FW}Zr*5^ zURNjSCwV3GM<4XvyjQfX`E4~w&10G4nZaMINit`rtNBhHX+3@$tZ(Mq-TS|=>cYSO zgxf@fwwbg}m*9(zT>n)WA!59M-|Y-3k-xt#yoLwxc0x*DPw)tIUks86^z2`t%+4w? zRt{0P>sS#mbY;dahS6gHp1~Km`Zs%Z1zLZpQS0<>gF#Obq*g^r`h$zLRpvZ%gNY37 zH#sBSx?|L6p_sxpQE47rWMX19^7yD{JMeJpc=7tpG)v6WgUx1ascu{*Op9$he`GAQ zm=YBqYtrW#Kl{4$OmS=9wwD+g3 zSoR-l()O(Q+3>^GB;(Bn>iX4D4xX`y2CJ>(XXJwh{j&WZ_s1hoyb zr=2cY9*fep!zWA9JHdfL*FEJ-uBWuL;wb8v=h=t7FWbwF&8^NfsCJeMb~w<9W`6UR ztMt>m^+}Eefmgk&W`64(w59>ur*LGg$zx``up`o=1R4RucE2CtO6oNHrcEBdHeMAv z`JFCjoMYA}8+9w%79)@}dUZxI40lu6qOfWvx2PzMWNU;QDR}Q`9=G}QZ!&K*LzZ4j ztXexu5j2rewsyxK#VW$XGk3H#xw@QT<|<@z$C{YIyl?uHRS8m_m@VWJ?!Vaej!{ta zaNlD)w&)`bIb5YYaYB7GFgnN0gp_;*el*~2B$P?;$}>yIw~cVYH(uLoW1VUNUIT3&;eH{&U1XV^_JcmSNT`#e~Ylr26>T*5@)b^9AE+MRE=p*#gf0?;2_UQO*q zD|6jX>5J4WK758oi1F5H&g-xA9Ju3sCT_OuEvDpR+w1ImU*J4_r4P?*-3dA8!|I2B zzDDttI%!TXn$rop&%XhL{b5!4GLN5tLnDw$Qld<__JRrn%%Ftb_DAeVp_{9dWF@`DX*~c-vB8g2%6#eT@|0{PctvaLyC`nMqQ( z9sRq{Sc?s>ITmZGiK-6qa~=2glB~=|Z%Wx-aEdUzYl)N&9(;Y^8uz#D;!k=oFnc4u zm-dxwz%)M4J)`l?{-mk85i@c?^C+vB3~_j{5XV8~cV;a%G7Nt<^(4h?gj-4l( z=PFU)K_CF|X~^GA!)5|fdQrRW?ql>>NOw03rt?z1suU~G7gMIOeSH=j(fLPQ9p!gE zc`SRjiHR`{{WBuA#m)IFld6pJxdCNwBEFH?n&@i8sEBEB@K~XIv)zbez@Ci7<~=*6 zZDAjRCvy(EmZ?H){|=sSVW$RYpE=hcpiBa{++ogYz!u&BeyZOAo{1&+VfsQH{v>Gr zdxyT3QMcd3FVE{c%J3Xbb#Q*NQKet~UXmccC=+sR zqXr~|Wyz%q-VqV~tn`)!Qwc@eFU=jROAr0uvC>aY`-)V!z9iYNT>OFdbMlv=K@ig zmU!?XQ6|TvIYigdDh}-65OLq+#U3rT)a1cu`dXM-%12p(U-*U#b1&U$JJ)qN+-4h% z&c1>tY>L_WlAZpQpK0h2I?4Mw&U~1|;tQd6TZQjQ(L3B?Vh^ezH+i(j(noVE3xDdNZW!%7e8ARHP5S%)}>~xjQSI=(|GD3 zS>q0mWs-0m zm-b1_UO47F;^P$9YbEkwu*XimzNGaWiS=Fgm9@vCOoF8jtp(uErhRMcnq~$+q%J}B zoxpglHou86peJ^hJ=wQ@!!OMp;JslKjhN~@p5$(gPqnDTai5bn5s5|Q2C{Wj;?X0r8|r+j1`)&#RE=Eeg6-cBZ1 z$O9x!yYk-CA-pd;Nq2&n?Owk@O{7WrY|oQHTFhCQIm2Sp+$TCNXD7*=+E!hAWKU22 z{(Ud|2p1R3Sf13!#oG2x34?`3-z?cH_?s_GWA}YFdWPa&y;0N%Oo6Zy(^A?jQ@rA3Kp=0%CV#Hp^lguX0LzG+;ZZ(?)i~h$N80@NDCO= zGSjFl$$8(C$F}T=4sVSJ-qNf$TEF&nZ#--KeG(!eMMbON6i!e7Smuu3es~lVQ@_Ho zfi~{dxw(PXyYGd0wbJKCcm{rx=g|PbOMU%%!{+jEdIPbhcmn_s`K#7gw~gQd(KA3K z@Pk2N82r@ELs+mG+O>PN>rcVhxuV00WKy%t@|50G#gtpu#&0EiQJ?u=V-&7F5_2 z^ZgoVsNp$HnUdW)|LfTE(e*+8b^;TI#5-=iWXKk7zb7XR9uS)!v z6}SHo!vdL7($_~t)_*Tz8gXnn=U{5E1;@+)-5v3pwMJ`e>#=@oqJPAjrXpAfcJyKq z1zLx_MF3oFB_-^dW2=NyK`!!v5GWSFIy4JZfJA=Mh9e(Ig#%Z@Ch( zft^k4vRJExlIv9X(|7EkAQ3QCng_tcKDWA=$ zs!zHvfvg~076_mbT4NPi2?`%Q|mamb?jx3h$`#)8ZI368_8;MOPUrVEiHvoQfN8^3fd>N(}$LOP3z z`M(IRvg`+%Hj)oSkJxg0D0A*37c^Y81APrvmejpJwWcakXvT-`l#|=(+Gl*Y%!GsSqyN9M%Mf8EY`y@vso3v*F0i7&?JO@vVzqzD}aT9r}EQAyLVe1 zqofxAz=q2P0hJO7Dc8idfAR=MVn}{o&K%pqt^#%zd(My0$GxrjMzRSGRCY6m_KEjC zCeRKqyzF<|Mw?a6h_iZaC9Lz28N0CArJz7W+8-5zq(Gers~H%JVpz& z2*q0!1UtXs5I$`1`;nqhv^PH)UmunR)X5^k8 znTn}PLY!vxr&PX2QmWu-yRTnAms*L;QNHq9V%NWf$rE_3zgFa={;;9lSfsnWvCX(* z;(dkmopq0~yTY_7Mw6luwR5zcg(Dw(TV9)v@kv*$C*vGwwK$o7T=HN|g6m}1MMVcS zw>@=npdywPFDEt59Pm16k5i0a&Y(;b3_gtgVZL3M)rgufMP>&Vmf`)n`0MH_O6}V~ zv#9jxFL_=|dxy#^VF5G;Q$TJ1ERkI7zZ(0R%`x}!uTjVa4~Aw=3k!*>%#skVrDp{p z?JZ(;=A*e1KV^^S8x+Z^Dl5DH=Bt?cSE%3dwOT7}PbstfM!+QsW(K@?`KwB|OO4sS zrjWE!hOV=Ju=(fH&X8}>SmUhxb_?F5 zAOHlou$-T{JUiAph=~=cZKSTZ!sgiG<|**U%)o-rUi+_S3G`ef$!Z0=d{HrW<8)@9 zstVR)m&3t{NE)^GV9qU(EFu@g#>T)O4Dt}FU6{aEL)n8l4l zhg**>PgZC=65G$;-EDgio0$G%b+y@sK?%=D;=_w;6W^`b+PNX@HEURCCZiW!TX70~ zWqiJuAn-Hy9Mi3pUhU0b30RwwKiV{vcyqi35BV+LI@fyM?SJqH%ZM%Z1Ty)~yPLfv zASSY(sJx?fvMjRw&-9*3V+g(WygqBGBBk=G*fNxy3EP%2yv936*jDqEbzuAY}tXB%?@=G zEap*weL{pKHgdqda%yt|CKM@-I&WlujhXC`jQ&-i%(UvU%@ z%!M`G#2UE5k+r&)IfI?Kv&dIa*F48AoSVcz-c}KtSu5~S8658%ec5-zdxmk`b8b9h z2?}p~TMAPm z(?vn=$I5E6TlJXoO%=xXY?|H78DPqCKzYcXN9_$;iPu6};~DFh9n*$dYo(9SHM^lV z=O)Br_sI8fM>T`JOuBX0){wW^@iG%hN50kt6_0XR#y@c_pJKUrjH5|EZT?BTd^FHd z8Uo2wVs5ylr{^Z1g6M$Q?cQm+0I!|wZ?M#8bO+>2&EFF91JlSF^ne_etS@s0J2S3H z-Z0}MTnt{yj}=5=)7kY(o=_HNqW^gLxfJMReXrgxv7>Q5LlTjgu)~{9wzk&xZXk0} zZuc#0*~2WY>~3ZP?(Dldd1FLp%DX@Rrpp68)=v#|&o_QmE0)|2Ahk_1kh<_yLnbqIx$iHx>b7FSjz&6@NaHEs^=(c*O?0%%1{) z&3nS2O~wd=$XKPP`g&vrA|! ze`}ZdP6YpS9}oh6kTa~s8yUtN-L5Fza9abr^T;IL=fP7mR_uA5fx8qyh~V1IM66BX za=UPv-JG4(V}QN%U1(O10R|pD?D$DG5|Wa|6%WB1|3@CjC`APVQ4pYRX5Op*lKRjm z{#R;rouNwJ6#~B!;bv{y+o7YD=~kFawaFFea~6eI+V{Txd)g{!=jttY6~Sm5I(1v3z2J{8%*pH$?JxFi8yt!S!Zt~7snz=0V3w^AFXbT)5pxT`?y88DnQ=l6 z4uJi?QFAlB^YX%6)Ghk{XsA@zd83=j<;v`M56_AUyFBP1GiZ2sI1?v{ zN!o6PPO1%aGfiPh>B9%;^JIow@)3fO&7e%HjI7ju=1 zXFnH9wmaqdvroh|5rD7z+a@s=fJb=&$~y@71Ba>*7nphY_)%F(b6XbOW}rM7R?nKg zS9$SA%Q%lY<6=23G++3_c#%hnDd1m-n}DgM?gyD*%vI7O5v!#(8<7U6+@+f_Ck|bm zt!*Qe-YWQu8eNleShAKFGqbr!VRGeJ%wvAp^0do(ByGx<;8vq9iw-+P{i;4Hug${$ zIGVuks42lrdRu(xlL(W&rnL3HA5qXxO=YR1v7M%G0f3n`Pobbk`&C%Hb_PrT+Z6%# zJJ|9E30zNvNbNX>bnJ>Fd7rK~pkQrTt{n?gG}vXZhpFAX-9QPS>jfVh}KuVY5 zq_WDqLj!`*Qs+-kHboYBcCNh7hD`#GC~bihi|dDkOw&ha^##Y4PG-a;&CXA1Z1~^3 z>ZY+cc5g;iW`0?LNB{nb74;hYzrXz!ItZ%0Xr3hhDf1`kaly6k!K#RUh}F~AJ}cTl zL|iK5eGhi3ir*L(Hk2C}1llgax~k9DyKHARlG&M(8BFH5`kD)6VwC{}#+zja{D#m!U` zuAI=z0krV|LbtxKmJ~SiX4*E+Z9Zk}D6Y%KYST%MZvpF(A10w8prXgv-?TH$ey1+u z+Y<<2){MXMoFXGENC*#Hd8^u_!JTAgXm17`lnF6^n>nW5NYOgkG%%R*U%TA_2^ z_xf)1*lMe}(Jga50M7qBsXrSAO~OWrOFcgQYSp*c3hx0`<= z>tHL{Ij)^135=lqxtMLnr+!QoF%A98w_ulmg~E8sEKE{ph!JuZ3rsGb<`So??V5Xi zq``=dmIb%NOC{$J*sZ&0;fKM^>UVaKJS~btz=XJB9mv1==7_Xgad%}v$9;pTIJL>v zoB39v1($DF4sxg{cJoxg$Lo4T2E>7~^0b%Y#_r!Vk-2Yjb~y@YLw;i=~jujD|R$AHjEqm^!i|%-8Qc!>lwheNGIHKW(-gg1y^z z%Is;)nw`eShA(?4J36~jB zQPi0a$RKQN3TzOCcmN>sNX-;7zY`|+fCXp?xzC~m0qWqzVz^rh+`n>LJkLyPptPk~ zwxb*IdbqV#E)W4KHn{dfMljEQQxIxyuzXca&cEr(ARmf=1KCQ2BMj7D7$oF3r}_mb z#*mqGcTR-XM}=l`#xP3knv6fN({V$cB>Wc*nJ}>EJ0lf3PxpwsfHB-nfyoN!`_p{ z9cTH@vY2Rm_ro9I$t%^BSUNJhZ=bN&A7^5?zCRU*p|SvnI@GT*bFgDP$B2#wkkpq}^rG8XjX+x2ArCnNPl`0+(+Q`(~cokKg$vF{e z&+w2j(R}gV_j1ke6BtMq8LB?CfGbI>s&Y*Z%K^0?A&irxF$Vgv8GNPpyBjTNAI+8m zs9p?zaQs+XbV$@dxld_HUbm!XT`#w+}| z!=%&hD?oO~RNeZEQa9k+uGK^1ZQlkG)FHu$>f=DFv*+`xdBF6=sMBcI=wT57qqg={ z?G0}T+nyK2-u6o)*MW16PgcATc%J%2zCXTrpTX!T#dP>ix;|v$vB6ioqf+uq0TN-> zgmihL??+Xs%=L0oAelXt);B!kqP=gRVErdnQWHD~80p)7gOSc#WC)J`~MoqR* zx@xSbaGvqKuY!iRM%*oAh*Vv-_pyrRq!u4Lnj3!57%p#3W|hMeywfSaYDOv<@py}CxpZSwQS@3G6R5J_gRV{6lB59D88)wAce*f2c$BW# z3nu1QYUscVrN1Q>w6u%%mwO!@1^ZT(2z z7Pr@9S#p6Qx+z z;@I#|`TfS`2f=>IOrJLt7Bt%CY{*DGOME7{$U5r8jCF1|QR;=9=4ra2t3D>5KJxX3wPpDd#-8(22n>BW>!$Zo#Kd_PqUSIkmr)m>R;wwLWijU3rU&(R{MjNX< z^8dHLJcNxqCM`eWHLJHSl{NZNK4QMRvT`&Wonp6!!%Pw0%rCvDa819@m(q3rC-cat z&Dt|Q`!+?QACt;KlI2svnD@Hj(5-1D-tzU_<+MpEXI;lHKg4QIJ7dosb-`j`BA1>Q zahlI+daV;&m4}*5F##+UE=8da@c`VdmV<_07Ws4~xCH`6%UrD8o~AQ&XWF>haV3-* zC#07{DM14Y%xns{|BO}F@Ve&r`RtHcAM()`KA_T?ht8yu!R%`zwXX<(kK-P6J#nFG zd?iN}QG%CH*mk+DT;gPgr-3>u$e1h#K2>@yr=r5s#blmItMgMfK&YrDV8hu)UZDaA z1S$mt3gWV9txQFi3_gT7Etg@A55cS;7Ulc;5FMqPk9W$0%yRcFstq51jeCLLd7JnK(Ogs%u}`-^g~|l6q-@ z<)BESZ~;?DBywsh*BfEj|0s|*eVWW6WC!?EmtRD~sIx7yjElWQI}}I%TcXD|do?wF zmgIDMZ{D6A-Qj|X@XIBH7lRtD6~i24S@ng{x#K~fcfx{Bya}^2<5Tn%OFmPQ+{ah1 zNlg4FB*e;w?zw@N!K?tY%DE7E)ebwZS9crG0HN~6(|A=b+V~~;C2N{yH7y(YP`L&Z zjx}8ahVEQ)xli?!*eh{P*$K5*K1(4x@cgmbj7m&FeL|@dvmLCs zP4-<*wz@2>xajrs(RUOSKcl`$Y?K*iPlQJ|GQ9Ay$y-LhOm5&0qf0rmU93sUf;RV9 zrHDI8ei$(E*=S1fexsO#FQgu8;Fucvr}5R4ZQiHW_@#KvmXs29pIGlT6Tsj3nI<5& T9)|r>62LR1=a4!D^YH%x4Mr=a diff --git a/wikipiki/concurrent04.png b/wikipiki/concurrent04.png deleted file mode 100644 index 04321dfa34845a4817769b8956ac3183b616e913..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28727 zcmV)iK%&2iP)KLZ*U+IBfRsybQWXdwQbLP>6pAqfylh#{fb6;Z(vMMVS~$e@S=j*ftg6;Uhf59&ghTmgWD0l;*T zI709Y^p6lP1rIRMx#05C~cW=H_Aw*bJ-5DT&Z2n+x)QHX^p z00esgV8|mQcmRZ%02D^@S3L16t`O%c004NIvOKvYIYoh62rY33S640`D9%Y2D-rV&neh&#Q1i z007~1e$oCcFS8neI|hJl{-P!B1ZZ9hpmq0)X0i`JwE&>$+E?>%_LC6RbVIkUx0b+_+BaR3cnT7Zv!AJxW zizFb)h!jyGOOZ85F;a?DAXP{m@;!0_IfqH8(HlgRxt7s3}k3K`kFu>>-2Q$QMFfPW!La{h336o>X zu_CMttHv6zR;&ZNiS=X8v3CR#fknUxHUxJ0uoBa_M6WNWeqIg~6QE69c9o#eyhGvpiOA@W-aonk<7r1(?fC{oI5N*U!4 zfg=2N-7=cNnjjOr{yriy6mMFgG#l znCF=fnQv8CDz++o6_Lscl}eQ+l^ZHARH>?_s@|##Rr6KLRFA1%Q+=*RRWnoLsR`7U zt5vFIcfW3@?wFpwUVxrVZ>QdQz32KIeJ}k~{cZZE^+ya? z2D1z#2HOnI7(B%_ac?{wFUQ;QQA1tBKtrWrm0_3Rgps+?Jfqb{jYbcQX~taRB;#$y zZN{S}1|}gUOHJxc?wV3fxuz+mJ4`!F$IZ;mqRrNsHJd##*D~ju=bP7?-?v~|cv>vB zsJ6IeNwVZxrdjT`yl#bBIa#GxRa#xMMy;K#CDyyGyQdMSxlWT#tDe?p!?5wT$+oGt z8L;Kp2HUQ-ZMJ=3XJQv;x5ci*?vuTfeY$;({XGW_huIFR9a(?@3)XSs8O^N5RyOM=TTmp(3=8^+zpz2r)C z^>JO{deZfso3oq3?Wo(Y?l$ge?uXo;%ru`Vo>?<<(8I_>;8Eq#KMS9gFl*neeosSB zfoHYnBQIkwkyowPu(zdms`p{<7e4kra-ZWq<2*OsGTvEV%s0Td$hXT+!*8Bnh2KMe zBmZRodjHV?r+_5^X9J0WL4jKW`}lf%A-|44I@@LTvf1rHjG(ze6+w@Jt%Bvjts!X0 z?2xS?_ve_-kiKB_KiJlZ$9G`c^=E@oNG)mWWaNo-3TIW8)$Hg0Ub-~8?KhvJ>$ z3*&nim@mj(aCxE5!t{lw7O5^0EIO7zOo&c6l<+|iDySBWCGrz@C5{St!X3hAA}`T4 z(TLbXTq+(;@<=L8dXnssyft|w#WSTW<++3>sgS%(4NTpeI-VAqb|7ssJvzNHgOZVu zaYCvgO_R1~>SyL=cFU|~g|hy|Zi}}s9+d~lYqOB71z9Z$wnC=pR9Yz4DhIM>Wmjgu z&56o6maCpC&F##y%G;1PobR9i?GnNg;gYtchD%p19a!eQtZF&3JaKv33gZ<8D~47E ztUS1iwkmDaPpj=$m#%)jCVEY4fnLGNg2A-`YwHVD3gv};>)hAvT~AmqS>Lr``i7kw zJ{5_It`yrBmlc25DBO7E8;5VoznR>Ww5hAaxn$2~(q`%A-YuS64wkBy=9dm`4cXeX z4c}I@?e+FW+b@^RDBHV(wnMq2zdX3SWv9u`%{xC-q*U}&`cyXV(%rRT*Z6MH?i+i& z_B8C(+grT%{XWUQ+f@NoP1R=AW&26{v-dx)iK^-Nmiuj8txj!m?Z*Ss1N{dh4z}01 z)YTo*JycSU)+_5r4#yw9{+;i4Ee$peRgIj+;v;ZGdF1K$3E%e~4LaI(jC-u%2h$&R z9cLXcYC@Xwnns&bn)_Q~Te?roKGD|d-g^8;+aC{{G(1^(O7m37Y1-+6)01cN&y1aw zoqc{T`P^XJqPBbIW6s}d4{z_f5Om?vMgNQEJG?v2T=KYd^0M3I6IZxbny)%vZR&LD zJpPl@Psh8QyPB@KTx+@RdcC!KX7}kEo;S|j^u2lU7XQ}Oo;f|;z4Ll+_r>@1-xl3| zawq-H%e&ckC+@AhPrP6BKT#_XdT7&;F71j}Joy zkC~6lh7E@6o;W@^IpRNZ{ptLtL(gQ-CY~4mqW;US7Zxvm_|@yz&e53Bp_lTPlfP|z zrTyx_>lv@x#=^!PzR7qqF<$gm`|ZJZ+;<)Cqu&ot2z=0000WV@Og>004R=004l4008;_004mL004C`008P>0026e000+nl3&F} z003oTNkl1GTTrS%7~2-fb3poGn2LXah(gbX1hGxI+8obMlZeU|r~ zcai|paF21Ad6#Fo&%O6^md`l{FS+EBb?esMd+)t3yzoMv=WExl6%lY^eis1&|BLwz z1Q5*c000OG6A{^pciMgqqyLvaB~trUEPlCglyE;7eas!m|2Mt}5ovv?vQ zUWtf^=zg02+7BSsE$GU%mjA%|Q%mvdcDcFjPz1zmieYOko?7bXm%nU(@rYnwv4d+4 zC?WtXA|mFeK2Nod=vNDL z61H0D+hbqs?!~@7)!jp?k*!*_s=vR#udnaE`|g`EWy*Qyo%hj?ezXJvh3Vt2L~3qe z`+#Nry~)*TeiYu@B%2%#>e$%GzJ@&;ZQ*laPws!5>*|TT==YRg^MHgLk z#1Ti_ci(+~`?r5VSL_2kj zy(<+PD@qCn5*}nm-W$5y42s4{MS%ldi zi$RQXXlJ^g=UQvpbm2&(o z3BqO#xAp=AemPP%wbEg zZa-23v2Ty*caJ9J|c1>5eqPYQdyQYNM)I7WLa0%=*}8lS)*I2 zOeuv#gbEQ@w6JEKi|A%^R5;i97;|nn4$vS#L_`FLiZYcoh?L42h$>T=Jq{rVBLaxs zTO6>u1sDJ?3^-zqvQ#x=%ZgFumx4tvtrnfcf5uDW#6`#Jyt(?$A8r24qZtAc0H6XO zL;z8M2teSUG!wW@p@sT`(Mim3FaQ9V>8k-mKm!0E1F%~eTA*+DJ#^mu_0S_zX6*F+ zANAO6adaZShN7U z^9i^$W=v)`7E-WIp`uJxotsiZ&FY_FX;-YW7-CsOlqex)3jz$F%>rN$1ZE*5voSag z5DIHq1dP&PA%xld0>I3g?YUSCO4*Zo>;VsRV3#Wk2UL+FC|T5mfN18rBQH%6&Dj4i z80nA`B*tVmYu;U|<^nW=#E{ACua^Cl1ntKh2eII*GM9}A(a4*v$GmPv*X`RDWj%IA z8#Rh%Boxtz#LQ-S2P_nc*I3xTsptuG&?4UKk@n6RX@Q+s(%ZaA6AKHVQ3(XcMNRYh zIt#n9GFqIjBZCwHfx@kMHAOsPl^tQ?9e!n70RhGPM#Wxycxut3iFaIZs7b-4WQTq6S_S(E_=P=0ZNdA%iW zO40ek(do>-Y_tnDe+mkK1_1%ib*=#bo>;f;=3AdUJB`H*fCm z??2**BksEEE~S)Lno0_S(N+z9Faray00RgE8{^Gs04!Wof$Lqa)sSH1#}7MpZPcOk z?bz;Nu{ajcLquy$%p#;w3kwp8FaV-L5Jo_9TOc9|2aI7h=m^Zr0IZo~?}>fWZi~S> zWbvjjvsf>PJB|fBqs&^!WC!`o=9CT|-PytyL4-An0dDs{_ZeLRHjxVcTF7Szh9;CP z&gcP%+tGq*61xPL-MR{UXs|<~uLuN-)1jk%V&2wd)_!-!2z33$cyrUNcSI@$*^HSZ zk)J4@C|L1`R9?sWAc+(|Cf1e_r^~moBc&3Uwl^X5P$(cESiDqh>+ixE%QaF^5J^OW z&1Y0kx1|N=fE0}hK|nDt`-ehk7EWxi0gKxpvG^}&3fNLn5Nl6F1BB5y1jM(-qQM~` zH1I4Sj6x1%3pO?iFga}@cs?D-dL3WPnnt&Kh&JeGZA#J1nzc4NU$8PkfLTzido#F_ z?ezAB94Uo@%&bU|6thNF#;O!zW61L7GHi$27ts{cg8UaWt0ns`q0Y(zw z4737bWCCQZ0g%WHne{1{5u`9NEO-TDffEw#nr#G!j8mp8{5CF{~oX$pHG^k0$%$iv-F>B2%*02#I1#VMd zHfB1o1b3-{Ol#2rSo_lWfgNi4lg80yqaq^OuLw)R!fl_68Pn-@o^(O0OKh_f8zaXTVPJ z)}RGA7RhtXCfw$1$N&1DpPzNsSyz1Ni`nSt=&{Ehd*_{Z8sH?N*f&o^07!(f(J3OD zK@4V?a|F~Z*xp6HN^O+KZOTw2Ak{!EmsFTCgULXZg%TEK&CJYNE3LI=t(aMBt$_%I z#Z%5K=81Kun6RZbeiC8xlY=7@*rl*`HO7kD^2hzZ*cb zd!JKKOmyE`@`e!r0zl5(GcZYRJ9EaEMK2VN^c#l_R<$Xao8>5G`xsOdodxU2#R7T7 z2UQS+tOG9ubP>hJGXnqzj1y^&n(bx zT9SYZ1Tp|2iLib8)@?vx4NAbyh{52o(=AND;wr!>5q1W)R%M|`@Y!R$MO57Rzh zoJU8@i4`Ct7#9<{V=HjC0ifO2|6|?r%fItAbC87}__*ZxfBtSu{K|WGnNomEv5sHk zK(#iZwM|9xCg)9y-2ejo^wYmPanbQhFIk$2$gEkj3}kwv(*&PAcAEcq&z^%5hn)g! zoV0Cs1c9QLuT1}pt;iZLSBZ>Wq^d-=gRn6!b*}9%T5C;O6Kk!B6rsUZOCS0)qDZHIHU^IfEsk1$oF&_6 z*16_f+)w6Q>n7_Qz{EAhyGxCG9-U_3>`KANPiroT6p8x|5orbzB4vHSN}QQtco!t7 z1(X1bi#Zy4lAZk~%n9hVWYHEx0JR1iE7pzz^U3O$*n_^>C-Vg678Wf@} zKAP;;n$xR1b{1Xn9!$g93{mc~j*TW3P}F@RSOq;cnvaf*KEKKM8x$atC`2+!6Cj~A zF_oL3hNE)mjBMctK5me5`FFnNe>bRk=!~rS!t;jHsvY@&1sDx*A_EAcHqJ$m?$HrF zHi}khB(tCIG;0YU>u{V@m^|e>`c~LYehPz9Fd7g=S+rCBU2_Q zirDF?MKNAV46#OajeWeO=O`>**Y4^x&@dUsSadAB>)lzbaoXsf!Vyp}kQZbxh7B+?wGHYhC z8asOyg$Zvm3sNBFJL)rN3FN;(_16LfT7*;vS^yYL7%rMQNQlg!2n86C$m^yE?CnSq zF{Bm?pBUT`cB?1y)?s0bcBUs)L-++>BeW(a5({AF zIQ5Jcx_o?@Kp5aXGnFvM*y&O8km-2rOw!G!IgJ^v+&gI*avS3$?rj-fSJliksh z0RYJYCpl40ysc@e&wgqIf~T=?o!2v($2GQQ3#Ge~s#43t$P#h2_bfE2A_Fws_F_FnWTkm(a(#`DUCT$`BtQ*y^k zY!Q~M!R-V`yA^FM`jOIdUjlTk8Nj zwkt~pGhr+8ov~2_B2ty-;l#OrAsqp&o53$PYjs7NrYArkN`WFdz7a1`vQZ4C0g3?) zx7WJ7P+7=Ca<(1D-;}^$Hd<9MM7=x3(jP>Nh$gLPEvvff11>G+3KM5JixX3?>1QFf*fb(lCP(Ve#0>CY8=FYt0hrf(G$5A}|PQ zA?rM|>qUWblQstt1xf%6&DU(!=+J`f@^W-eW{9~vWK|Y#Bv=-+6tk*Yx^1hbXYkO* zx_cq>DDtoi2y4wc*JERbS}A}?42T?YmOLs@bYuZIW*Uf=g&+9%jbHzg`M}8^`}2dR z$}!V`$HpAX!;*|R0#56yWim-A3?QsoYXn48h$29a&V-q{0cs(*_6P6z)2|Bv{K3V4 zfBqpm5v~89OFnq}5r22y!2=+|j?U{WPN|kesPo;Kmxk~D!l@Vit9$ule{t&@SHAbm zZ-4Zw%Z}T-2&t;N7sw;GoOsR+0;hcOACKF^y{NS|F?Q0JM_D_f6o8;sj7T}=sFet4 z)=ovX8UTYfgd%rS9GsbeQQAfz+Blw%2PhW~EwXYfdEMKWEcL9JShl*?^mP{)CBLkiU5*ru4g;Qlops;pKXNoETI;0kz%^0fyn|d6vF{s zic~Riy+txeR0pC}qWd^zU;Dg~C>5gQumYU$p<0#SssK!9*(&HcKHh)`$+dxPYnl8Q zZ9*~45nWuI4b@gqTuK1i10tD+f|lS>)E2N+hI}>B>2TVld4@6pgg}aj(Ec;8KylyY zz~JyqcROJ?xRfmCPUku6TV*CR4^)a6Bt$tE18YSYw8DVir#SbCH z$sdk_0K-o_HoSWE6aV?INMOwM3?x&iKol?`W(b)J;wmU4HUYrs!0TYjt|KEO{*p$X ze)8FeSNY4+#-K#V0dfHr&_WteGvq#-Qvmx1hM#;45DkaaIX4gyvx5I23ThJ3bHDiF zhc5i-$F9BY{e!sS=U@2Xkw5yvvd`{Ah7(RCBFcv@5$dp0+Jun-6e7Ii;v1G6GQ-{S z-nZWN-nt|lhh07fy5@&}cEejQyy={SW)==@5^1z%dx0P#B&>u`hyijDAk2V-P_v!n z+Ry{ESF_dr+%pgKA1=f=1*8r#T@0~cK1#?!VU9wT0wS7ql(!i&YYe7Z z#yZC-m?kJ|^(WzSO#>{M!cj;ViU?PmfLlV!R)I_?G8bdOs{^M%UN1#YOQ;!BQR1w! zh#edZ(^fzzHCVe%k;L!RSTKnnSl*tWP!VHnHw)Oy#bFFX)uh}z%Dv28;t zB!WmpyKD#5m5>_*P?vh zh`W3O0pmZ`25T*a$rg(OW;PB*VG+>Qn78B|6cM5*!UEQ>5KRoRB(CCC&yEfq&0DFP zt5RavS|iw4oXs&r>&qk%Rz@`tK;U3KTjR~GZMkcw{qCEx>y=l0rrB(ogI;;XXFl=& zT@0+>`OHJ$*sO(r0u01}T7&k~AraQOan)i}qQE@ntdKJh*Y6m<`)dw0iD=d#7u<0N zA>#TWFg#ll40ItATClmCB7vP%m&8`t7fQsz$d4Ad2@qv1o3G57H7f+64Hu9|M2JX4 zn+pU&VM2mj6o{C-6bPy;X<s>KC599fj_NL0rn@&fYaO$3MrP5(YzdhyP0SYXX@iu6 zRfOVbFiTk@f=hS#M0z=SBM(7M`DfXMU3#6+XWIN&W&HDc{C1k=-G&W3;=h=3MB zG`!rR-5Hsl5}Td{=0S-fgmDHN0(maA`z(X0^HE`Hn=k%k)_(U*-Tf~v`?NvLPk#Ec zzqstv0Pq)=efpE1z6=oGx&GmDIY94|GKnvqZ*Fy8qg)acD?d^l6VEtOpZFocMYnNJbnhMzAz;^-rfIOeGN?>TDe-NUE|iPrq!m?Mrm>hR-^y7(6xh>#w=W&Zn) zKH_~xAMr=WeD6{6d|eac2Pim+hwuI3kyqTkfoS;NFCKNp_iwr4Jx9I&`;QPl^27HY zy>P+N3l|){@cWMtt^MI~fBG$fZ=Ze4317PVIehNkFCBZramSu;+_4{c-(|mgj))$; z{ltaW{&E-*pS$ns(@(zraRTGzL0<*VX=HXinTirVj2IDryv1fBk)9(fBJ2bAw#J_; zVqnxo$Ne#A%2p&40uf)m&$4*gsi8g;>gi4~Nr(ftz<$Q&%(yau;Vj{(#iY(6YDO;= zGBV3wsk+?bTu)yE1Iu=8iGu4_i$L_R7R8I~-#AsqKZKHU&>nTHOi0_< zFL7(+>^SMARVGLMC1Km|Aw>B$rudSNJ=uj#&Qx;NYH*kae-sfK5`kS)NXj$tLn=Zz zc*hC?MrkJsl|qF`3Nz)flgN-LF(^%OK_rkOeb6T4fv3o^W^OX)taF`@>3o#)F>SC@ zHx2(@Yi-x5xQYiRzl#~{tA;{g6=L^!yGXTW&04cI>ydTNdCn#uPUrUcI?r>%<2Cd} zEy89qF|`-WADZ1Ubk1T^1UM{ccS>f>TFg0&F`egH=cdLdYg6sWd8b@_Cw$%A9fM<1 zXcouT;v!-V1hEzs7S4dG;22;AIw+nl^RBspcbwh7A z_V!_KA9eRZS0D8BaZjK0_Cjwj^!Av4_f6gX(o4?G^E}V4UC5>h8myKJ4v<-frsaR=r)=(?z{q(APy>8IUTJ`_M+Ktxz`^P=0C?md5C6nJ&i(%JgU%ua1c0BO|B<5s0N}8te|6qI z@vib8-+17Hn{NN)%niS|?1K+|_V2%U@JxU;|MZ^I|LKjlEx7esTyTbb<+k_i32VQ9 z^isI^hFcGw0kYxeUpVEX-@o+c1;>2pqksI#e_wFzYkzP#EWYyS*`SSS@03+ps)1-Q3y&k|3c`n+C{v`AMNLzP)up493KYkdW)Vp_Xpp81P}8x2#`1hr zn_#EbcF}=2k^?%HuDE1XK+%XK$U1C{#K54fEgb03Xv?Y~0*W9rWDVk6=L(S!^IU1t zxmFEi76FwZ_?p$?5tQ>h7ZzrOI z-&C7?0zd!?O^lY&Qf)y|Sv7q_{@W!NT<(8=7e57g7QX^h`pkF8T(FA=l8~|!95crk z$3_ns{w&5NdlAsNYCF-aBVVon4BdO3oc^`9&IAF(nTLGn(u6h6a&R+&g7kz)H ze>rY%1bBAMio4)n@A|MO0R6!;8)WYp@o^7Z`mOU19kAzp_K|1_y!~@$95fSP!|EUZ z6#nC_%$nUls~!ZEi*s>VBnw+d>H@qfwc?v*z>(hKm14MogoLG zd)*rcAlI?W3I$BgiQ~?iiXZ~TdO8v%H3G+G4M$aYLhRC&$t{kjNg!b^RQ3seSMY{u zDDGq3xg5&ITCL9|-uOIJW3oah%H>Pwam3?|e6!waiwX%9=x_y7ubpFdTtJQ2gfE+Ps?l@RKxA5=NI)dNmA(R2HuaNylexPjhZ_RY5A=3+LZ-$vw7$g0&?Kh9YZ6PQ?)R zVgx{K%yP){90?maYsx97++e5Hs1_5Q!5p zv}e1qXmM$*5*KW8aTSz8oJOkjaWm|hYS5IvuIU4ya|Fx?2vH%R;{*{wh5`T?a+J*p z?}p)b!>~P=0_dLlhtVsbK)R=DfeauQ$^ddfQ-2@_8^0BSoPhu!%V^4!jJk@2?(GF< zJ{%Q$_K0X;?|1*fPd{_#(2DmDmMgYEu{x(j#Yq8Xyyg6_J$}^T3*?;_{@s}f@cS1p z`_#d+N)348d0x)+VBbx|fAFvi{`&kk&x{9ngG6eO*DQS`GR|OOkhqtYskkT3@4_rv zi_SSz;teKT2-Mj_X@&wh$OkeZuEZP?OE@Y!>#I(NP9_m{iYt9k33Hk>ZFf-+RX2zl zrc}!sv`ET~1DT=hR(&87TNM@_moeLFqxY`DxOh-)nIRwP`oMCS^{yI9p6fi%^QLpp z=B7N5S&_A^bfnlTPi&bRf=~m3U72+B1XNqGmJkIP2}y$hYMo;apc<5G&MDV9X+$jo z%9cMAcI+fJuH8J>dDApYG3kW@OorwINTfhCl1V*ale{U2f@rGXB9cKrRs<%}N+Bsz zM37C2rv{CR6rjml2T&C6(Z1}VxB^VBPJ#fC79k4Ljy0Q7xh1uxp!HJdNK++;P4DmH z-f6u%y+)600>BIf0W$<5$Sltmh!_AA#zD_|0!_T+#O425yVEA005LH8Kq~@(>Yd8H z)28?L)sb9*;)Dm|ueavTjJJH?<9PjPm;Bc=)*-%n`9=TrjNhC0e$(lA-N%-%5dn~A z|NHO0Ca1k|FJl+&_1+);!-aqFlRH-Po=3d%-#_!!pRJGLdj$u*s}#o$HNd&zZO$_5 z>3hHH9Y4L~>;JRfHS@AARR9q!yypQQ#c!SUy+>G!$nf3Y`L>+A|7_;9x1Rs)4_|!E z61esB@Caksfdsu3nhIgPOJH?rI+)^;LIW(F3p9cw}VPO2rSa_dujy<%j zVH*OLrGK?Cy_!&B%L2I)8r?)Ym(+zk$D#YyV-ic}!OIR`uNgora^FH60-^Otl`&-^ z`JA2Pdd9rm;6id$W<#1>wPrQ=@MnZ!gaJVviNssC?d|NC4P>hvpz+FP)CkH8-_xvTo|UsdY2N6m8)>5l1p;740@;KD$@AE@Zx$ie<%X zSMD>t_h85Tlp`~wf$c+*LkjUQlS{#D=Vnld$;IyLK`*3~~P>!043+MiAB@0vQTtAASewEmu{ z{n^z1o`HcWJMXg70dIWtnWy*P{|&VZKl2$8zWk}*{r7zDKmFZqU;IBO9%(;&`qzIv zQ=WC$z4!6o`NI8+K7Pb?#tHlRzdL>}c=l(Pe$ZxSo_hT)Z<#4@`ezRN;Kd(0!g^Uh z_Ya>ucxFwBSx>@>azY(}Wnk{9pMU#@FFf_%%;(>+#LJfLKETI*=(3B>89e`n!(Zc2%jgEVoyEB+RS6Jm&1jL> z6n4{AvzW`lCe|1yAV)O{0&aQHnhT`~ILb5e8J%LPK>Gr=)DxWnCsDmOSA|*a>Jx*zK#cVJPYC$CJwaQ^99^qVKy2p|PXb zk~6L`r9h>;aBZlzf||?UE50z zeQ7}iN|hs}z@W6t1Ecge!H|9<0LbD@aoem)dk#M{qt0_AL`|$UYo#@kM(->%rBB?o zakH80oSRL}O;ZL=KrXf2wZ-)X*@Z=oBiI!YCMo)KLT45`+O{iSH@uVh=thL;lcttJC5;=&aTg@PBWL~1b|HXLu;6I5B}x|!#Bo;UM+teH2P&C#*u zShJbuc{A6|yqV{DZrNuV0JLjY0*AtQmtMizf!oaWkkjPq`k)>O%e-YKQLIhuEN9@XO=FO3OY^2#7$(y4(AI+Pic|K}@)4G|96eHhV z5z6EcjM8&TkGNRt3K2j|K|4dpR9Pd-8j3Q?dK%rm-Ccc+o?fN8l~SY{N+}T$&V{wH zjCDT3`KZ>T1~^5mR&99A*14?+Da%M9DNN#jsr6sy5y%-hs;NUintR3ft^1Jb?r}XVJIOiRIcF_Y5u6gpQ z-^ECC`Y9iH-JI8F-Va%5SRTzAb8I52|QMK*;L-BuXl^PZz2Qm_oM5X+G^K~3z$ap+)y zt3cZ#OR`9j4c&1|y*z6OL@km&+k`w@+?tfKvnJTfv);=Zx>Xi?g-B_%P{uW6u~qq? zLLK!&75Cb~$5ITt=)5hCb3t(tSClsN5ELk~uhABZ6=$#@)Y{aZ92?o1nW8LH4KjA8 z&EQlauIVdgW7#EOPbg)dxpNk3Yrt`CiqqQACVN++#7vF2Z%?a8d@;%nu26uxEZ?*?(34<~6ZCWc78V-4egx{N84>DrS z26V+UvANI%&ynUNu4)2NA>=35J=N3Gv*7brxEkpgwYh7NAuKi20jzkD%GiP}tx^E_ z+1)FjT=xthR!?BbK_*=kqkhFAl4Th)d!sX|o#8VsysuTFzL3bS{*LRxQ>nwpQeVZ> z@myL`QDR0?k*0@eJ2{Kb8P?p?xz2U7*=**z*=&yG`B<}=>wK)Kb>7T%$Z>SplTdNM z#`wfhQQ4?AkPAbW=s%WJ8}%^pRcE<^dA@MGaItCufM#~fM!XT=3AAn~EHRuzW2PD& zY%TXyN{Q>PD?-On!alMC%-wInPbed9Ah1o5BoW z+6V&*pa>x`urOmr2p|@y4EYBE2u)*b20`P=7ZA~&y-aAjTo5QWUu9%#H8GmXxkShs z0Z~zCVdRn$McCIVFeNbTVnjwDW^uj7Lx;(t^WQl?L#7JZvK1%*_{iGdtbOz`Q#=X) zkrbkGHRaJygs56)>G2mAQiadaYNZvknZ%o9P@MJF;>`2h+*OukW`Fm;m`2bsaB^j5 z_vQOdiY<$1w*@m`>>F-r$_PlYU3IJNJ}CPT^;NL@kRcVBDQN@rV`JVcn>U*}&vmn@ z^So(7@wsLJXBtNA;zEjuZ{5d*KGbo-Nk|%DU%g$lc7W=k5kXj33NcaN>LmJP=&Z>R zg*KuMm$)raB8oH8#5Kz;4q7O-6mxr|Cflx_JJUA&hpqBh>NUDLG-_puMt!0RRirz# zI7`QDZG-xiUI{nW*c>&9G__x>%`K4$wo|EI075xE)VK1kfl#bLTUX1LVm-7FR0avX ztYg=lGqy}141G7uV$IS5b~^3O6>TR)nM>Bp9D%l>N?zFl^T_R(Sg0ddD!v#s{9(Jw zEneo1rK4Sbmq?MD4^Zg;QIC9kJRLahL*GyN43~$vv2wyUqTn8Z%#|F|Wa|<3B zO^AnC=Z3_TbFOvXWJ_OSbo;*|5flP4aY{o`U_smb1PG99TBeC%X$AzM;KQ*G0YGc* zoW4M|l%T03h#(9^fC8G4Z1)v*ow1!8%Ot8`(6PX@V?hxR4ZbD@K%o;|$(3j|byH0+ zRGq`x?n7>-1#oryBfMwjQhPI(K_8}9l-G&i_>?9Wu$aQY>wlt45joGQ2xgKjabIp04 zYg5L9MQcl9jche2mlX)WSnNv@I*NF}G#KpiO4tWALn@i8K*UAot%lIL!40xz&y0go zxjY|<45~}yXmu5sok7WE^}JC1m7yj7UfOYKq(JnRQqkCG?v86^c9LpYOaLqUZ#%I# ziz!uY?8uhbxfL8&+aADeG|mT~QqXHl=`ln+a>FvuNWI)tV?X0c69aHDzqQ>&qF* zP2t@1NOZ+JMTCv5X}Y=*A`2+{lbk6=);=d~AegGfrrf9PGbgM8 zNf3ybO-oVJMg)n(Sto?#a+D+##wnEew-x({YP43Y>8T=dcCv_2sX%N|*W{uDNm^HX z7RPCm@%f2T6LIp|WAtWbp0okZDBHo>npNP8HLMVabNLd+NYl>rG+PDxqQjAe9>*hU zc2o%)da3<#g+K%-V*EZnVbSN+=7C_;%S>#fg- zm~CG)7h(F50T*hxN7b2qv1W)+_Ab};Z) zqe;ot-Lqv@hTFvfTPJDAIKJ8TJ5-y(2mnz^LgdA*D=Jim%o0@BMnj9cVUa!634Paf zj;KTInuO*^+rSP1x#n}&aqbG%ROBo709*Ci+d(b`2}nQaL`SO3JUT4Vr151XbcQAPkH zF2&LI2D9ZtT`gGz0MUZV@@avHwMH_nqD2Hr5S1x_AjHg|5Cv^_7XYw2ftZ31wq`=y z6djFeZCePKvoHrbk*8Y}E9wM;5~Ge|V%t-fKrRGFDjP*jghR^4K+6ruGvG=b0hE{r zVxh>!IBi+fNDQ|&X4RIA&X^`6Hq>YO!}|3U|aDkNiRTVouLQPms;#9)Q@Yx$8 zyG~7qR>`$Zugq-$N*Nn#YL;B*TC=d^!cmt?+c?vsW>f+pGBmjWtEL!&W^KzLXj??D zQcpJ2bLT?wAUl0R!FPwU5Zdo?As@|$w*%+6%rA~(Rbc0CgrKErk#1{~&?UE&PEskw zUKExP$lNZ~cG|+HchnS$2L;}|)a0?mJfrq_T-1W=8g^E+gpL?PE>3~*{@S|KEVi?2 zu@IuH$uxm-3J_r-tl2I-6tRx^9DL(uOCb#Hp-UzE|s5t04nb&?@cq?M zP#8dg-yU3YC0bsgDeJCHwk7MPW(%LpIl98@rY$9bVqikW%%sd7YhsmTemAw?(WW?< zl0aY@U1$+NP^eflDKfz-Bt&6A(!ho#1c<_5eZtIOfRNEO1^{94tv9R*1AvOy?96P! zmSWW@)0oT$grmqh7UnEO%hpU{!P*BAa~GfvJ1f1D1UjbRVX4ni)SobpaeBwBooHH@ zXhEjPdllHCDy$$r9uLB7fs-B27A%4W;H;2-ij9=rmzbqwFL_&wBAy-CVo(m9SaQP$ zJ$waNRL}SKf=Eb9w{(XhjdZ7iw1jjwEDZ|MAs`?v-Q6s(G)UJj-LNzZ(*3SqfB$!$ zeb{|2b7$_IIq^B?%sCSo6sBqFj+U0JCuaWN-17ul?3L{_Z%ZZc571ulkagw3=}~j| zjTFcmFLLPLdvXIvmRCC};&!HPi>=BfZbBj3pR#jl#9{d%%jstB==vUCL}wjii3BK1 z=BM)IZWj5w$j>JCB6dp?e=Jxivlijuiww^EP&x>m>*0;BWc@I$R)wXtzdS?SRiS#_xr$Z zmb*|$c!4Va0*-QJ3i9}}WMKuK`KW4MovHlscd3;)-c2k+4BFz04-_<>sjcBjjxY4v zq{CD75?vJLYo#k^MD6OBzi=}Ea&*Y6(ONxykDSX;tQtj(Di@q9(+kBirz1RC49i0oSp`wO;+OSDlB}~i!w#XdFIUgI{n>Ax zGpV$;L8qOp`bBGJl&J+SL8 zD^N~Y?#!B$9di#senqL5PFpZ_&-|wjRpg~XUv$BK?73kf!w(hq$@{21i3=Ph(v&^c z%-xF$+i~Is0dfmZ6{`4uEOPvDTPf`%$lYz-O;_j2EC{wU_q7HBx8Tcfoi6=P?{OkTTBb2lo-{I zf;MVKuoiM-ziA+;~L=71UUb&T@>;m#D6sV$*6j+;*(!4@h$NNom8QM z36cmV2THVOL+PI00@zOi7k|O&x$YqGv+(po@3r&K%5~H@B8Sx-9b)786*d$GIc@!y zVG1l&gi4%Rg@r#JjpqXnZlCv=2eEjMj_$KCU~pmdI;S8XwXJc*Iv496bNW?Z^F@&B zC@uLhbCpoHYadE!0ETik7fLYuntH41a}Bijb%lry3M#=&jdkDiQBj6}OT3}YbpZ8# ziJksrOYoM?_Jwv;t}PKnm)$`sq~OKYkyKd4zC`IR=v(ZRxv;j8HlYIL#AiX^p)Kdb*6=*%#iY7U*E#l`1ult!ZM(}|zHm3CG; z#E;H<5-DOXu{LB>xTMh9uZaGsdh!H*F~S6pHV~cZZ?$=!9k-p0fgcaR{IJ48W#;U0nsN9SI!pvK5l7QF7RYnKnc#@c4zZ4_1}cH# zBsWrKXUO)8;Hw1Js02JzTvg%?OXym z{c_532;Y7qQwbkxsTtuj<_|C)^&8VplODyEc9YL8e5((CPC?a2QHMBR^CtjB4s4Fs zGL$OIYwX=VeU(}PJdGT?fT^Zk?AZbQpG2JGwXh{SF!K5<%mKgIxLZc_JUkPu7h|3)zV zk{I-{W%7H2V3G!m1ULI%_uuS`ONb+pY)sE2s|D*ge&GH8{>Xsvty6rZ$_2T+b@m;` z|9dPX0NuzBHm#2O&UpxA+fAT-k^lc5CrV=mlJxv6F|rebi^}2-d1r8N@Z^Mt7ktu< zS$H?p*%<_FEi1F@k0$%ws`}q+CC+VpG&D4H0h04P#|tkONjQ3*p)US#UKRLoAW!4} zBizTw$LL{S2i~~oSZ6h!_1di8&gd+SjMwu1vI%V1V@eH;Y`2LSxSsFzj8|CG@< zSftkeE_gAPqE8vLqhb`rt3ca7zr2iX;xOibHWou6fP;;#nl0u(^n+EY1Pxk#2T8Ny zkDWLhe-|d>d)TsgNVe|)7HCFfkgyc|O;8-9j~mH)=Swjr0^C~$W(n;+iJpzE^NOSq zL^%rE%%4Ecn7taiaN?f8pN#ewKh=1xO+CCAceyi?UOokeOJ)ULoSZ-)6n+svP>Lt^ zu^_3?4Qva?Yjp8N#=B+gGf?x`R%(r)udlEF&Xxnp7-C-go=|LF%aOS^r76n|e=dzh zL1adme1%AW&X0iWJ$+7|w7?x>+!YG(#}0v~$8;kB9v7Dey}2wkTaW=E;8UJX^{s6LD#COQ&#zt*7g@d+Eqpmhjrs>sc*J-aPMK!WluY3 z;6oa_L$ePAc}y!m`C5%V-~=L>x7)^#t5J^uo0xfSutSjJvSv?D&myF~+Vr%utuJZ^ z8;ipTsh`u*{PcxxjhD%!s`K~_nvlATmw?|whnA<#H5gN#!%*^p;)tuHk7U^jW>`1$ zL=~$KbU3~~_5Jp`1(wzquU>T&#R-0CJjb_r?bgj4#zx{0fE$-5Xu64WAvg;YTRpz6 zppoB$6GfpR?$34ShPZjWF)g#*+2_Z0m8V~|9D}YX9OY=MCi6AtS{gwz**h|a9^%d> z7S%+7NKrZ=;|*C`1$hl=i3EYp4l8A3AujU2M(Zj+xmmdtw!PJk_62e#_gqsPUZ%(u z-rlx8i1!TBI=Kk%MY(A+G5jUt{uqk8+uIJ`f%d@Daf5#HyH|Wz8ppMoS2Q#ocYBzZ zqW)c3MPOi+KQP^PXv5Nw7w&BjJ5}yDOJ{~2HOv|z^69C_$WpIU;X+Tpw0pe9haMbB zsXKhc%60uF{(J-C{%zdB%2i}-K3?;RJP2y*L693dVwoj(XqxT45bgT7fSqI%WNCde zB9cPo^_awN(zhX7T@K}~*-*O5tgW(nguu2fn3vscwsV?V^K)9cLoq=}$*bmVzRGH? zd)flnPVIa7j0JXQ15WQg;d1gYx9r@r>(u+!jOvtv3o2rd~ICY9Jn)mZ%Lc@Tshzu5lpSYNR(7H1Qt#)?WN5Hw15NyH4@JhK`k8 ze}XKMwOVF@k5iLo<~1?r8&8m60~rJ;z$(2vEy zMp*J4YHejI>YJiVOC3MIr$D1ys5;le&iU1`f4@tx6}5oZ+0M$XPT(W#ky;9n+wUfN zT{8^7KDu3RzgpSR0k=ABFuLtvoTW|3<#P4Kj!`zgiUr&_75YNJJ!Tl_ptjEPi}V;# zQ)N9IN(mlyPKA#cJHIUd#5V)$gBq8#S8Er6)& zskke^e&dIm^t(HI(>=Kiw_}|^2D&=Sqx0Q7u(wO-8bg^iHm(y5fA?A{5C?Y^Q1qkW zFvkwY`PD*hGEF32dH+1>OuWW@yI>Xz+t6)q=v2b>&F_iQq($Fi;~BE4Px96@JFk|)Ug*j)3jf@Znaky+=M~~}?tXQC{tF06 z6IJ6jh&O0)+3Xh`M_Oy8sodLNCi|q|who8a4+BVND57z$}SHV>xc=`qxf4?&B+;-EHo!&%FMfOFR%%8l` zopDUS%|axcD(?`#&CLlrejOc_vzWZf8?Rg%;Bw-DCM@1J!I$E5VS7^it@?h5Jw@7J ziE_!Qa(YF3$!FS=X1o=%%!8B*>@Zl?j|p>n_y)ncK*@q>kA2@zWWSoaX<_0qJp$Ka zlOa23OWsk;M@9us&YE}_#Q^KO@`%ScjU?o8+czU-=l2iRtS_d^`-01sKBA4k{Um)c zm??hXvZL|o=3lJ&-JcE=sigkNW~cF2yL2Ud z1&9YyO^Cet+iE{=!sI9S=7;tL=pP{hwjR{#R2;QK)|#j(*39quoQrr`w1do+kn=xPO-+kMqP08u2H_ zGx5*k?nBaOW0`}D5I>hk$gopaoG*y7A$%GA$RnB6ZPE2G$s7HAubP=5AiK|r!zp`NECc; zTJiN#pw_U`{I0TVzm61$^Yho9c;d0mz87-6 zv!XIS^KvVET*g>7#EdhLN2mm3wUIa5PxGi|F>+?htsYG)K4sxQ_m9IUU3c;2DNj3} z;kpOxWV z;3?w?6%B%HwnHO*2X8-c3aGoR?pcW+8f}V4XgNni9-)_Op_Qq?32Eifs?gtVirmoe zU_UZ@$L~8uB~P{DQ4Cc-(SRq5u+=~9;HR7At3@z=+`IkicbB9i026a_b4aQ29fCt) zha$9{KF2LP2>g{c3Y(~F*TcojMHFuk>mLYo^x)l*lZ)Y!)wAT7oE@<~6i$?rlMCPN zl81`ljkv9qJ|Inj?_JL?e2);Mv0%@yO54fMu((^mp0eV6v8DS$Co6D#sUWy|V<=rs z-`T^5pL_om0=;e(5Ry>`1YD4-gK{P(U!Ob(Hb7C;k<4@Rp*1x%m6erYG`@`>tK?Vc zU(s!oE03`vTJZtj@k17t?m?RZ6vQ#g@^7fE_>nFMlUlarH(*F~&>CLy{6IzAqri#bDJK+oCD94WF&`jp_+18*8V z1z)^|65p+u|LC*ye!?7dWO84E>v@t8y=dBWOTGW#b*d<|=*w@8d)grM*bQN%*Bgq3~M@Vpno8;)$w`-W`a$(tI#P|$Sn+=S7z&Kbkr@;@6 z=|a`J!=_n8Mh-pOW)=}49-@jwYWo3)<=B~MWm)?FETKbwD{NeTd{XG*t$%c$f?{TQ@U}1bb6F&9>zrn+gu8(;5)eN7I@MPxvnJrJ+dP|k5DDG9o`wET~G zO(OJk1wX!uhUy3Dge}w57W_hjX`N_i@=>#YL}CPEdR@S9k36yvr}S#nWib}bb|=MPD~ zR(0QEI!qkgqyztqc6o7r?hXXfc)X{HWO|k=qoAPFUieg_{*>L4mzNhO{+J$&BW(Ru z%hpZ=Kq8z+tgk!vTr(?hw{g4Ln5BQ}x0QZ&<-%=4VVvDSk-~plpV+@4J^rL>7nL;zI6!0@^ECfa zamwo4`3IHND@*{Z+^B=-fFtOLAE6Zy6XVicHCAQuSy`@XhLa;i%435WST7r4OtzO5 zJvkjOspzF(J9qa>?}*-Q^R7Y{Azs((VVCn(Rb5?2&uI%D>*YB^wwtgknmx9=^I$X$ zc+}*j$lA==^K#x8YVrTg-Y60-ho`uR$rm${%DeN8#7Gw$@UXc0_Bxn7R>WTtKGMOA z(P&Q|>{c1LF(@8rvc5y3cN&GSAyxla;g)stXV3T3$v{{T_1!i%JoBCJY>V5DWA;}` zzRVA3ar)@P>MibwsZl>8Pzk$J`=6W_CWsXv{<{Jd@XZAnA!{7t->qjVTW4)F<($#R zSs=!f?VW8u_D~nQ*$T!L6SNx3;8pXw(_?<@@-L&ln}4QW9%w{u&{UAqII>c4(C~1( z_6&CUb_RhO^WrM~5jX=!Xlo5YI8I>HjI*i^-@UeA9CE=`vTU7k8c|!?46xrib}(v( zb{68taxfq2x>t6I_;PI`DlzsF3c?DSN;L6y#}0+P{cC=Ytrq^@E+O$@)Ag@~AXM^b z8lR4lcR|?5W~|6Df-N)N(;t*Z$Ht2N8KkGH9p(bH!T73v*M>q72O0R&5yeI<>*oC) zZ+2$O_0C3k!HX6tv&Z14#}c*o|IuCQN7s|Z*lQTJG3esyDI#pFPEFip)&FX|F)Bwd z>G=5g;d0T*-Ti#8DBGyc5*r`?!{2kW^706?M6OO{6yYm4UP7dBTow)_{1u5EQCn_j>Bh zmwer=WkQyJOstq7crJqnIKRLRO6W`dH+20Qp{~nh)O4S(B><^^H&1m#2>~dCc0gjY z3=F}4>y}U&E~^+;7(_N#DupCS5YB|ym|e5mN!gf^=8at z);RFirl`Os+gxKloo<6nN)EXUx|oR}lBhy`vt#^j{sAh06L2;?>^WaMt7UamEPjzk-1mr7Z;hn$1RB3Z6DGu6`3O1w!ilvWVoGE$F?yZXU%2ej-MC! z;gUN)FFagvTSd+);ddx|t+aA^i)a2b_^*UQp9DoK`_|_JBilogC1bt`zd2HjeD-4B zai(zSAzS%dXQgat3#W#DGG_zI0MlK(}Ke27K10k zDOjR;?fx+yStc^T{HK)75L4=iMt>6DY=Ac}yl$XlGrIjV zocCBaaDdD=?yiC+^PvlTvl*znI%yT<+Vz~IO-A}A7uPU>L4?>kvN;=xrDW?;5k1ZP zPm9vlS4^((;uPuGjN8;_PwT1dxIpehkK4Vl#Z*vxai+mtpTOw6uU&`tX&(vZU1 zNC9NR!OGM=cZO*`KBTY6ReMnKyKaLb6T54`<5_kb|I=az5FQrm4~(jq4S+550Bc<@ zMI3}E$646Ax^|rm71mUr? z^eG)>?&ks=URPP0G&z^#YlbN+=*+lTSOUp$J~!JbU>WIo+udV*Q#b>4NE{dwux2RF z^%X4)id^2l3B4osr?V#A#4$sVSx^tVRDVJlG(G+IvC5kpLa~J(UzPHl9me@NK}x|t)Uj}I0&WLjyv%-PNr?r4?|~Uh<{5)h;iOE-C5_@f=yg@ud$*))KcE!mLHdBcUOy@rp_X!`^c5Ah;Fq=6OcawWtP z3O>dOzjxT;xdU&85zOG}wO1WQ)9MfZCO?*H_9%Ly*~Hxh!^PyK@jN}sc7;=4mn^2x z^pA+Qn1JKB(Evf;jD4;7&km!Uo@Tn~cg9<0+C6`Z1P9o}JxkKrXu>I@L}G*Y&z=m% zV5<8g1~VS<9eJG5lBW*bJQ^0S4HM~_N6fkqu44V#XEZEkI}7f(-iUh8 z5IyZB5dRY&mw(Kn$Q0bRGc5l5aTm7=?rl2IF*qbW&>w>}I zM+YH_mfq}SXSe1tq>8#u(84>87s{U2K}}!!RPRR;;@ShAp4H7AC5E#8-g+xk)w*BW z7exZ^Y-;v8-QbmDzD(MpR7%)loDb+_$b0qcM{Az$8Nus{euhNHjmQjdSgOe7NE)1-(WdpTambzYVNu*6zd<1P?MHELy8G1QcG`f^c>DV zBH>Axxsbo9fVO@Fh$$v0(iLR~+{QY%7y*|(c<`eL63P%UrxX++><^Uj_0@D1Mxy}0 zBv*GmVWP@ds_(ML>|gyWa`G+<@fCFzQDX}fr4q0?Qe-OP!F)-O8~#lpaR8%$Jdrh> z_cud)X3eO0`R(Vb4=O=_a2P;{N`eUUlsrc6 zuhLBw8vtMt({PHQgIZgu1FqM{11{@O-=yB;C#nf=|Iqx44&Rz98hPHVjMLn~9u7`_ z%}P66#rkC%$Za2^iTiYx|A!i~+aGTaKp>F1;CcwcM*!z}c7l*s{#T$?Dk`ew8beIQ zN8oQsv~duuOy}Wf^@-rsOIE4Yldsdbf}I6Avhl#Dz2>WEJpUF`ReqagLeW{SQZ4Y`M3jBL{^O zVrjtUj{k=Y6G+uLq5ul>8-G#3f8gyU3hlWJ{^#Tgsy>P|5p$}le~`}HZdCO%u?(#; z08t!N(4Y5%?LQ3n(#bWlSp$tWhPPBJ9XaDaAj_aQzw187Lg^tN@qt(Gf7cMu6c6A0 z^9&$T1tUiS2N9|K9}Er8V4>?Qj*z5q|1mL`mdd&QzX+uwGWsiypw8Yw^SlgH!9Mqm zkRP%C9x=fySks>G9V%)JtO_e~`Gbb=|KhTyU#9EJQ3;Xcg5whUy!Px~<^La~^^!!v zlO&eJ!kL#sLOJVNUtc$i6|zLc)ST?vmC%@b)06?x;Klu`{hX1>>V{q#%p=(c8f0Ws zcQk%STNETh6ab1uwK3l%@LcOGLGxX7ut*0l3JS+QGoC+ln+DW$0oxFbrhk8j%{cof zD&ZyZ zNO+R?00|_*I?;HQWmSgyC%hoM(P_!@Pew)lK7H98_00v%{0k}?856Y;P9l##o71=} z)dcFQoyW>k-SAhfKH$Z(NNdPMD&#yUqHlR3f3}2Wc#LIW)&Uj|#U%2*uzDOY?eK}A zVnpu`Wf8TwiUYZ1WKvt$WFoZ%G3_ilb7fWd1VPgHx5`pYwKb3+2q*HPNqc>OSi@bm zdu`)kMdCwti=UJPFLU3+Gl{*EseH&+vL~}Ju-AC@N`X^x?c79*~D4_ zI{L5hReQV%nxaH-0rZiIK$WLh;X_06B42vs56#_*PR02hm(JIu;{TiA*76@1aP|fRo!*%WWB-raD>_NzaKe64g^7L3IL*6=A=c~1pX}4!qO| z59#03eG8C5DGm_ULFH9(Xew9;MtlCtT1k2R>xYpURwJ`fEfMfnP1(rO=vBWO=io=U zb`aHZ#>9HzkJrC5UMfGch~w1gtKui-iJUEYaZo9zo^Tp7dtKgV=O*6$%4E6qinsHL zX#ZYJOv73#sczXB@g_PL8(y> zH!s%|z9C(Il$&{F`+aEelP)wSA8Q{o3TieA3m=nDH!}!v z%X^E2PFKP~KlCOkUIWnYN8jYgu;O+=s2|NN?761OvFW^J`u*!8Hz!H+>JCzP@uanR zRD>yyu0I_tX5E(pwL2u=!$D5LI_xuR@ zwbS>gWzo(k$$#(9fr8ybQkCB}!b4-(xU}$6BRN4t89abzeJm_Dlpv`mHDr4?e(gO& z9=~$5&pmB1`LR-aC@qYP59O8neq@)zri;sylmlbUBiroPio>Jt-Ri7eIaQ$kZWx3PC^yHO ze{cW7tZ|nE>iX^@|B^BEQCjUHZSBk~a@QnH7aD`adH|p$Wi`mY&ly>T8MUc149qWd zbYLy41~&R`nG*5x|YQHWA*UOCC?I5W!{IhJwfMKx<`cExDqh!pe+|%k-U@5 z)%rEfCpBBMuW6jKPmA|vvtR$j!>C9Ryxy1?&#tz)P9m#vu!I(J%eFCk%~>bL$9C12 zFG03KwU@fN2a+DU6ZnIPL^{n=tO}kc0mOW#i)EoO2lz#$0P(_*7zB}S2qje_udBs z2E?d8I$h4n(qLwhl$;5vI?q<7;yZR}ags*A6>efR5uNS%kZ} z$EzJy@g}Hs1*P7EK-2Fz7`c@<0$38T(U%0cD7( zHsu)Be)Tj~aN~^JbH^?Po>)b*V7GFbh;+=g;5n=y_g-fK3D%IbiawMXa)};98Vh*En7TE} zdAoR;&U5Z@ykqg{stFg?MXAvrE{qik&OAEObz*3C7gJdkgG1z*{5n2xwd7^IL{BuxDcNK4{j z>PQhwyX%(0J;Vn(WUUI`5nu7{9y{-x=n|POS%p3pY$$(gw(VnQ53jK1ddXf(D%;!c z#BX^;S}m_3NkuQK5I&^M_Pjz56HzCpTNOqr!{MB(Q7VaG5S?Vc_ZHBoVDo2U+Ekyb zKdW&GD$siBkY>k9F?6d~U?(AVET=fWgi8ZEH#)rYWo8H?$=EkU*~*?(iK6CL_+MNm z767y_wVYea7tDk>J}i&X8CJhso?{Z3=A?0r7t~M^8cJHPN&Rj2^MbP zVJ2yjW#a|;Bj$^>wH1*6Nl0FnkL!gM_w8Y{&XGXDlh#iQ><)yTgzLBV z%mJ@5QOAg!RrTwB@Hy7vg0sSieIg#z=XC)u|9VJ~!8;<<#hNH#{@zFtB1dqTjwxPy zc%Ath>e8OgxMBHnHHQexw9N_q=y+n$g0ERHPr7KS@_j1Pk)a%Y4KC3`DG<(5A+->`WCx;ptY}wq0j+3 z6wxt$NZQE`{A^M*d!g#Dl~;xa0{Qm$_ao|P)MjNJa~d?x*v{}xUZ-#`*KPHb+(?Wz)x{?D~jWtxw;2D}+wfqVIb0rx$Anbj;NTGy1+!s)prhTz1&_%>X z5TM?_N~$ClrR&raTX+WLD&?Q$cj(WGk#mC2=;=Z8$lpCV0R(db^MVTfdjN>0D61w@ JDP{8Y{{g;+Qtto& diff --git a/wikipiki/profiles01.png b/wikipiki/profiles01.png deleted file mode 100644 index c8ba7b287c39faa40038f6960e874fad5dec23e7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 33003 zcmW(+1yEhR5~8Pu0#=lk2D`X9+d6!(0f5hIdD?b5+D8Opx4-{MDMtpSDm!c8 zgTPu+F+q4q^vqPqSW1ypML+R1`>LE3Ot&8L1= zk%I}!%cR!^3gH3s2`kH8K!Xi1X9(P10D|)FvV38Hcd1nPFoj6~7}q9J2Cx?aYG?GK zWdQ?D0MAx=PzYFM12`4+Z54pVcA$3}3$+OVp#hwlk>N}Lyf0urN<;G*2+IQSNXUZ6ZvktO4Po#1&LZXx=EdB)ngoEt zB>cD0UOj)F#;Bj3=8tc~Fk?IJL42jQwA_8!o2hYu0Km3Kz}yQfM>9!~2x5@aOEKLk zyuB%E;iuae+a^p%D^Pf}rhnz~A8%xf5<7nW+=D__l?J8WS&ZxZzu5Jg_3A%=xDOD0 zy1m}&-k}ZVHVKx8zuW4c{HIbzHj|7TX8CJBLH?;7_4SE-fqGEUvcrHGZ&wq?HC`q= z_KLfVI!Y>;X^3wA)p}=>^$|{dlMiTg6o>ImVyiT>z%uaY-MIyT%TDLMMMe-@ zkbUU(jMwX##It-M9S~%znCuDwrZTkbI^)d}BOm~fDGX+AlqCJvN5tBTNY;n&s}J?b zoIgy8cCcRxOA5t0h|JBLsWwE4F=DEboY|aX5kk(}t7#vR;)226ulo%{%mwqo0+ip! z*cFTnFF6XrwV+yygt3e^pos?&W`*BT^(nyP#L$ArBJnh-m6P}sxU`~mz`6?Lmtt

q`nHWBBxkQe5I~Ms~IL~)T@Q-jJmd(`RWCa6D-?{ z%n$D+1-77&R4`C6P+L`~1e4M7Vy__!Aj5@e_A^kYR4TX7f5*NbB(mh@`eLBKO0$fU zfXjj98!0^~K#LP4&CSq}2&?$DRA(M%UT*%Q7R?cBRSvHL2~En_n)Ul8B%xGRFw1B- zG!Hre<$;nysV?84G(ORO0e}$`+amB~Vl@t1C`hAh9R3zjbIh^!Sdwkw&4GF{?j6aU_43aR~R%3k^L2 zKXfG0j*&Qr2#Ls!*o&wkQ>C1EA%=KFhf{#-Pv$`uW|p(A0dpI(AAZs}N}5s{eHtk< zhfY;>dG+sVRNX7x37v#0Q*HlxIb9y@-74h8^cvmjJdHovq}p~>B9&jN?JAvhBuWDe zpQ8{B2UG^srAsvnznblK4TDjwh?_sNQoTp7iTD)EH%R|=>ZhM4b7$r=d1s7Rbybm& zG>;OGezVq9s;valZl>#9u7?`(0b@nRRY3G_yfda9Cem_Vl@2Z&P7f8=@@NK#&1kfU>uA$NqCee!k|nt~Im}pxVdGueU8iBE;Szd8dMbKl)nnDuY%SG}a;9<- z6%mz@smZD0spTxb95JpH?t`3zoRyr-c5|c8Myzd>ZQpDZo1jMJhNo>^AH$7=49g63 zjZB*5>hkL7mOJY@E3hj%)Kb)H@|W!f8ZX+$+N#=#8~0Wb*X!Gy+Wal-ED7z}hw2AT zQ+}lQfA^1j7DGb+@)M(m+=x8Dy~PbrSWozO_H^#4g#XaL^dk;CgBh%uRi528+zF;Z zhdk|^1$jF{yAJoztH_ur<&X*X3~}}x(&3HKA5bNaYgdzPpZV*&oaUVVlgjmmQ~pzj z(=WdYCV2~(@(p?1X9q^5w>0|INxv92B=G`2ivtC&~R9BBhn4WR0Pq%*ug~wO9sD# zeZ2GWqw0y55MH;rY5I908C%#Pi7%NDQWvth>UWI%(PgBU~fkaCsKV zV&5WWAOMXa{7blgghaecqyfnsR|cQg+%IYOO_>LobeZ2dc3kR04Qxt$%;MGTj-qP< z-+8}F471xBPA(bb87O{GCKF<3uIK;wp?mY`-=r=+ zZ`vWAGS!-%CY#6C69sb5 z3SLie`f;|C+sY!8_1VY`_J7nm3N?wkdatAG;v=v`=pojMev58nc3M)eInmFk5BNdv zqxwGBv~N75uNCI~A5>kGy>S0OzgA96)D1WcH(M#Fe|_E~ z{o*{{ll3dLrK)DI!+OSc-u7t!H(UNYjP&Y^{S1tc=s(w5&^Ps3POfic*Euq#7}q;P z+oU^6dPKi<*;I^8Pl-tAl&Xb*Jlr!94My8a$Kn$CyqJzw!ZOPrd5jUt z?w7nXFE(_3bltez;T;+m8E@#(E%N3q1-kH>XRL4SHqrv6C%GLthoe;XWwu<7cJ|{t z%Xi<^C&lNMkAM3-$*)sl=JJXfdMjP&j5(|wg)F4lUCzYjrRDhtu;2eOUoUR+J+PYI zbi{N%`;O(YJumwjb0E?sGHrbM&Ev9ZeGgavn|^kKu$j}b$Fb;3%7XexXKrV9eTVV; zj#Hl>t-iLmN2K`z(;NSOcwZ2_E-&Q^iEaG2@^QW$y1m{c*a&cAc%Gi<{OQGTTGyrC zW%dtpBKcE#~yd+&GU`it-WF<^Qphx`47Zeu~ z+L3U3K6x&nJ8-ewnBzB;W|RTl%vyJ(oFGlyRAn(&OY;_I%v?hqz&VxPO?U zd+ak0m+3#f$CEyH+>Uq zrJ$t>06ug85EKdk_pfi^5deJR1b}0601(au07BftFtQr&@v9=K&6R7kn7aX|IX!GY zP0C)vGR&SjU3flxJXoC%PT`QqNUGaYp&kiaTQASE-#Ix*w1f9V18 z5kGqR(aP8PzWa{*y6oU2G>=l62=qv5e9OhZJ|Lt&F4PX=?ufavv87PA8u>DC$HE10 z4g>@ITTx5iyR7OX<~ehCcZV~N1&$~(M1qWSv&FoHp^c}@6F68VfbfVVWY73|JZuPC&pBRrW zz6r-IS0NUAs7CDa-M2cR-^)fr=m<`W*kqXAp4x3$VfS?Q%geRM4Nu_aj2K3fkB?x_ z@SOcM@}V1dUvG`h>fO|*u9YTzES_$VeXOGiv+yjJXb_haG7&ja5jL^=B4bdJQ|Kk9 zt)I33fY5?SLe^Q=X;COTsVVVXhkM2QZr?s*X?uWmK{`x$ebiPKFCTst}@s(2cf+M zCeXopdr=_~Ts#1G3R!0U0aZw~nm}S!6fz7p_MR!cIoKB7+nYWiGAa`qpx&n18ueVx ziH*(Gcz}(?>5cYxEU)PTq;ecES{dd?!b1W2Bk{C}?WncME(6Fti=~KQVZoz7WT>z- z3L$tvZx8?r0Ym@@6im%S4Kg7``H9OI#_5R04gidpFd-1ENJb)Q@HF8xz*BRg0zYYG0Q0^}ys6ml=;G_l^)h{ZYP_57ddaX4{^i}{ zl?@-z=u-Mt{Dt?Q+hqc>lnQs`3S*zMxwFY2_G zM>mpx-p}$H1B&0RY?mEvM+n;tyrid|Bxe|5K}n>`vhv|UN}ofJ`Vd0q&U@pQ6ob?3 zO)c#Ky(7$EEvZ7xRE$@ZWh+H0mv{Vt^C&|zCYx^YJVZ|qZ@wZsi%$$^*p{26xsl71 z$C*TnWl5com1(Ss4P;*gMTsg3%gA8(nno*dVxwG&QqRE2C)2}fL+F}t6|U)sCoShy zBMYQ4lOo}85^d=8gGR#86k-p9qv6{;Uov z-q8nu6j-a^meQc8Okn}?aEftRHn>q%*5E5uj2}ydr{algv6^X@nOYR3$@%nnQpq&> z7!=&2vY*l=`LsgL4I|*D2!im_f~t|8sg#1?ds(3YKw)aeC4lvMRWNSD(eu0EOwsGN z_d%Z5hKXB$yYbqs%^VduA{xolm%WCLWXrIpN-#Bu>PbCXfiPnaNw~hkO~XNOxf*AJ zTd8KGl6BX4Bx*01;s6s5gK>sP6!9H3kWyiYm^pU$jmJ9-)NL$XibT&8EETUyEeF6# z(M`iUN2SuxN-BIz9*_&fDOp6Cl$ji)D1#z*hn194(S>mFREVnc#V}^MWsY5qDtkvV zNlE_o{u_)%!IM-W!_p(I+1z#U1oaPJ%?fQV2rA7jypxTgoK!iaLb)G|BwlsLQuJq7 z?VG)_p=O(*;w%Y8>&<7dAu&gkle10DGS<+1pLb9=S#UyX zY3QN%Bon+0UeGtsjR$8;a;>`w-`D4vTjLkYgRrWUm0A`;DUdvf3ab|zHXI9at`O^3 z8J~t_(LoVChc7gPk9IVZ!97t_h%*MOfD;bnARz z^c~D6i6EP=NxifBRUBxigbce_XU--{ylb=$)!5`^LRMOyhAK)%{iI3m?^zBrK;g|l zNRl7S&r$IQOU5FPN6HX)+Q72Rv%{YSJCaW~RtTIe<%rv5#W(G$q3&$emt#%BV;M!E0 zCG*`4IWt74ImqS5H+qvA>KWxSEuD98064Xn7V8Z=+JgNYB&E-qfCCG3ozH9pKA)L- zZv|pF`)c0C&p1^*{0Z!t^<6Vr{gFwlNQDD$9BLGo?1s*b1z}Em+v#P;)Zlu<$Amu& zYPnqQZ7f=R2k2t2L;8B(>vsj?v7|uTf=YFI)M~u~_9&mQ5x7fOtw7>Q+?5f+c9|T} zMx1?Q=twc@(Sw7Cbuy6=hBZZ(l-F!pwM9J_*)ox$fm=sZRd-Uy2BqRAy@N)~ z3_aJSv79iNnw+R5Y*l>+`N69+>VM?5{(!xa;c3gh1k20h>m+xjX1JNmD0^4wFdxxs zGtDSQ(bB@eh++n<(gcq(Mv9tqp72F@XSGt}ivCRGCjBd)pfF#814E>#gdYpm+SN>u@Z`>qr~eWNP*iPAbpRL9(Y8daj$ z@*1F|syCq<8yP!1@&?Ei(F;bEwZTgfc??8ixEG?14Fl9UYq*7Y=CHPs12+v>%3O#Q zuIRSA8Hx6ATXZS8Nv-B6ftq4F-9$|h|n52 zJgR!^46jgU!tP=tsK^AD()9Sw%c*ovTI=kXg)QEpoc8y)*q0N;u{atkW<}C2jZSF0 z*r`N2bm=gssr<+NG$lIidIc1`Rz?7e6S+4C1E4Dt4hhl{O~FC`@=?N?@3t&^v{}z% zK&h9Wx@_wW$Am+*88S!QCbbU=#==T0?bB7zl^thNP*JGl_i(CJAwgr^!)N0Ke`eKX zfxuE3B!j3M55DG(gXsZz*NElTAWa3nh_d5S*7Y?l_ApV_F{$yK@nxm`#ta;?2~43x zYHXX%B)IHUpXei4R2CA;NbQoQ^O%m4rBmh8nxD7#6y9eTuqaF&jQ}1H-?Bz6cubM{ zrn^%KzOi1x*6{M*z)PETmUfKHag5kJ`>sPL*4JX9F>%PDVmi#|rvC2I=>P;*+LrP3 zGl=@zW!AU&w|$_|6UIVzT>zomD@=B5Ql+u-EFj=#V)|&A$@5|Z;^yLcK&&!f?4!Tyk{7iLDv^RG6kij8*PWx2p!p4CL7O=L&>m!SL z`URqjgyV^OZK9SN!YYuFN{9EpGL}d|_onbRt!~p(=Z8U|2J~}GwLta!!-d-+oGmm! z^BAA_#J@8@TEvn$ONRy)2G9zc7geeK$4xKU?Xl|(^%kGG>j7rd2=U?*t5aynI-(-u z%Slyv3^LdRm+c3#;B!Xdy+@~q5DCNL;Iha*OKFE^(j#YOWgT=B1GP$W$7Us?)ij8!dvU-9!_}X0F0Q zr9ic5#g$kfK#CY9D>8A^mFyCf1XJb+#w12$F8N9&o%uSdik?02lB(qbXXBnG_s-JO zgS-i8@9!sb>NNbf6P_{5+3cniT%t?5xD(p8s<@$&oCUF^!UD2-u}3L*nrX$$`nY%+ zOO|+L58TL*`^NF2U%bXs+6!wL9s3t((qY9(aq>0jE&fHeZc);6^?KAR;yShXnW(44 zaX&J=e@1q|qb|PQutr1KM?vHwAxi)w-}Ye zQ*%ekDV}B969tJnlyDiy-IlTxWa*@lJ=26?S$f?!3_tBOJjltv`Wz{qC1l>6>w_(4=$;>c*UN3V5eja&+0b-wrPzgQYhS@mc zGY5M^KC(eCN03_IoiKppLbc|xb|hjTwA(qzXAR61l% z0qD(dJ7<(~(TIU4S)Vs(nRIV4^!Uh|)Ni&n59hl?N<1S|iKCE=O!mGSJ*WJf;WoZI zK{dS_KqXXp*fTs?e)SyQe0+w^&$k)fW$Y_ady0;HGNGr&#En;G$M%*1#q02rS(@Mc zgOZi}#K$HK^GJY?jV_-Dv6kk+YJhYWmex?}SsfT7i6hBn0%sNKEmmq&$ffLv^A2~r5RH9p1L7#j=)@;A z<2hEvcCD7Qy!#|iFlm6mLF9OXPF<|p%lAEwXoT;@ICyOtef9awNjHc8`ADT3e<5`*(xY;CRdnE4Ou1FtI#bpdsS#%U@m$qE8YF`F{0gT+ZI7orHdm(Plq* zRRZewcq=zc8|z6gvET>tU};jrKK!+z7c0WSv7Z`0!}7IczqQM0`qy-)J82%7ub7Af|(iGT^zzWopMLL?GNF zn;HwUwuFF<{Pa^52$CT8l=8O7cntLR<<3f7`u#ew&alCoHzx9@8Pm^IZn@B!SWZrs zmx56-(a^!gLA3mk60JbRMiw_R{#=@})SXk<=Qnq0$Y3Rx+ktCdbeeD3wk_Gykr^u0 z$;dhFJoDbZgz@XSK!w%%1bk^`OM%)&g^-To{j^^95ozIbb!6d)G8&*R1juV;=j!#7EQ>E z6g}dBa(QogZ(&y`L_b2k*B-S@P1nwnh|8Rlmu2S`POkAZh245QP;XoGVZVN;5T#9% z;huaACiOC3k0$C55z^uRQ7;7#oe7o7mM{A^DK(&J1j2(21Mq@CjF3u7yuLQp$BKc6 zRIfw+$NYCGW7gbRxgHB19b9j**SVtg0t^vJ0ys9`N}rHya&IA-;QqO8?L=D}n3W9N zP)XQ`lva=Pbk*92$C;iU%k#5}o00Ya&#{^jQ@AV2m)%SxeG`!K7ZU;X-`^kHpF+_% zFS@==XLjGE=jQ}?9ytXjE#(RA3TUfw{O@dug`&9#_wypPh;zWzUwP7 zFyfZmxt-Naoj)jjRpqke}CelxJX z9dUS4j_1@afz<(L`ueX=4FHfa<#U{CWqfue4IUO&CEi#B^q4W&?$p*1ArT*n@V#(ea3>D4TF zx{ze@AWHZk3CIGPz3RLVnVqB&bOmbH0h7bxEkXaSg zD@$FhW$lTn3K|&fVnT1uYx&7P9y6pF&t^X@Z%C+>X#t$~6+MC$XAAB|MQ;AN*) zEa$o<`@tCXDCY|h#QlqA2wb|Nl^@d|rR!$Q`GmkX1>d&R^IOaj9sr(tI`i|5nPYKZ z1p}WaH`xn}y8fI=bV4b;o&t1VErX`s7FatJx<_N`ht=&)K4bW@ajJ2#)6w4dZ)ie| z4RN)@c7K#o{PDbLd*HzMYW6zt*V8(CPiKnVlkI0rv|F(J4_|Cg|4T$NFW0XZxp1OQ zSo=TDwG!Akas`f#+NZPq9G6fxd*0^dX1qCojAHjaRUazb^#eUS}6cM2qJ zh~1_n>vfRxZ9W6%t%UsP0Rh?hIo0zx{W=!}hMLJAHrY9;rV9 zGh7p^?%`V8jyTsI-A-+j2N9W1@#F;lyE01A}hJMQLUt^XP z;^Yr>`bp?JN+K6pzn6p_ruE=}D)Hxu4Rs2h?HlYbbSWYdMn0PbZN>u7N_Y~f8aznL z+RkGvqqD!ITJst6LI|GNs!I{Z6az^cCl3~5WCD;r2XQ2FhgucGld}0WdA!%P^{R@k z%#*6Ylv;|1#d=d7;Vn}I`YY*&JV3ZO-t%f`AV!bDAT-n20ZRYJ7=9g^$E){2Qd83R z+6wbnC4A)b-H-@EG@0jV6;*}h@*}1^89^{P-vO?~RUClvJ(JO8o#3IH2lgk73%oM1 zlv~{5+T^zd@z&R@rv^ZabmEWbK|4=M-;eiT$Ma%2UwH_g$|F{G7VA``b4;6O9)rC(*bQLUHtQ z=t#iz`kC;?Jm@2XNnFB*nw_0n%DtNX{59-1!@$k!Z+o)W)BO}zaWf(LQ)qDjO+!EB zkM_L~3kh%7fPniZH4gMY7=VaC!vjy(#lalm;qj~49{b@k*R#k+1MZ;h%p&zEpZjF9 zI)9h`G1=bp8B7AM^OFpTB6Y@}{u^AAvw`!s>VL6RD2{$cw^M%eMgxG@uInQ4FTh{K zpayj!S3jgn&%mdZ_Q!Zq*Rb4n;ik z(1fZ-bJ_h-iber)kGHrNMoCENWC&Fm4vi$6b<-zX>tzlg>M(-heb1`7vjXR#7 zg{l;54hDBG+-?yYULXId@?6TOI)3owbn5fVR$VH*l(~{eXWDjwO+;JPBz7ePkoiPZZoY(F9dM>Qn7*m4vs=kh-5b(q>lux}yH}x1m7FbKD_A zt}DF{f`ggCC}dG~$YKk$f2Egh4H)wWP{{{pP2GLqlg^h$cDon(ns$<$( zT0$&oto5Ub4iyo;q(X~HI5b8Td`7T=EiQ+iKrwVX#O&<+xZ!sVxd~}kN!g*8pm1p( zx_v4%F@$jGwe~W8@->f_?AtvGAoarzET|7zeq4|dUhzf~Q31pIFKG&OkX!&UkgB#h zuf(W;MGYqiF9RDl6SYvDxaJ{P>i=$;yHn`xJUqwL^yHIUAl+zOsNx05{B_1lOU=7D zU`puf2$h;$=-g22Mxo5U`%6zvUG4W+h2;HrY$K9i!t3OT3sXFR;n($6j!0CL=;gnv zeBOO7>>4NP{ZqSNuFIqg-LL(&=}F=uo7opq;olQkD@{Ii=5dlx=A8evrBCP@Z_hUx zwR-UQSD518B)-dml z<9PAn+h6WhR`}0S<6qvre2wf0{597Unc=u;_k_E^F|e8DEcX5O_F`bi~X9=&$nJi>d-}c`5{$wCK!k&tlp(VZN^bkfvfgOIn1NJq9Veg-^v{dGknKu;``@~Irgf9@h zY0tvO;C_<+4Hj4b+AgZUmXIZ83wy56LB@#70dRdD%;&#KZp**>aEjFABaAqt-B-tr zm!n#tq33ByK8|Coq>5$_r->CcE?Mi$sf+zBVaJiId5A=MxU|`mkNFl!3eZZ>`%l7~p6AMhhw%}wG$3^foAX^dN?cST_ zWn7FG&r>eJf8P=>x#)3g5p(+6<^B_)cy)s5s@1_d54{-o%}d62!all^inz|54(}P0 z)qw;aG^i{0E>}n8X5Gwl_3b(G0h^A`RLgxkr!!X?()D-G=V|AP4@94KIp5S@ik?Om zIKM}M_PW=;1ddD&_57}L5fkqfk)FHlT7fqJeEhNC^c_5>&!s>^E}zk9h_gz*#Kj-- zz8Ss+o5Kd@dzYtHn!UM&08wW@Li(KqvmbuPDQJMpn(A%5NcLUjI>+;diFU(hqjXa5 zk*>ZIIs`|KKz!(wxVp=h+3pyl>kLhh=g5o8e7L|biEAIjg?8uf?fN3>vauDkaB!U7 zw02sNQNn?{-}@RSef@@OjtRO2w!cX;?s+rKC@Z?9s7RZRD`R^@O1t9Gk!;A5vEAah zQXs^e4*0K?PXt5?*)p(Js)>y;FstevxKRaKZ3aT(Hm688S67URIzDg{m8ys{S5Nn! zw!cJXnQAi|yXNVItg4~p4 z&iQAi`?28S-C+q--K;6Aa#|s-l8<~cUin0J6i5}edklgXGGT6vFU9N6EE32pxtZ!t^d)O z4!2>B$};_X?W)oPMdCOWE;?~(tS?Ng_w>A5q=IN;2FgH#{FsnqnHAZzYqx2vV37R4NIGS-B85csKgBRSfy;9*BU z7#v$=L$p(gT=EzDj5&7B?Q2nbaFPUnWb~9^uYyXUB5m*)^Opq8Oi#aw7;)P$Sk8M< z97ZH8+gz|^&ZqCJH*vJI&-PQlupI=*;2GgBP=I81(F7e{n>Q;#c{0o{?fbWjHgj67 zs!x^9xN;ezEVFxo(u=jvfXnCQC?Vmvso@d8CYlk$A8(I%oB%5Q2Z`39xa&;`@putl*TvL52j!4$nk@a6cvPGD4xs zMZ@mD1Er!7acF!Wgx$+NF_1Vo0a{9&7s+p}D%1VPUhX~bx78f|(eeHJ_bH0%;hxG= z5iRT$(yiPYXx5V{@xk)2a#~A;7{>?;Y_q8eP_S&8gjD&El> zhdX2AZ~}heDx^!(H6feCYuXhjM!}R>(n;mxtsVbCQejg5be?g~4i0E>Sdh=*M_A^Y z-HCNu(Lpu?%4ozG|ByGMtZ7ps;~f@bF_KXkkEjZ&NeLq3)h9~Y_alE4`bTFi(V#{P zG6}Fvm7zLtjlA)}tTAlv>Ne{lH0pdZgzRdM3A$(7Y)uwpKTn1^_&zNL4xu{YEr zjz-O7CrEAdl_Z7fKqGOVXLMZw0*Qbv8^UpLz6k9ye1}h!$mDMr5w{r-p>d;nW?l}1 z4xg(~9--j_*@QJWY9WHGEokR6v=&(_y<{jY(WhvAQ!G!eNw{!S^mBT;Z^7Vmji(qytF zpJ|ffH16294^*@(HTIU0Sd#{!@)RhWX=zER5Sr(x)OT^VDlpu6_}pI;g~^fT@`Mw@ zV#BnE8+9T~%OZ~q8PaOC7`@efVehoJq~N0no->JfbA3XH5NHgIuR?Lv1%nUX;= z+m%FUpXvcBYpp)8Gopf>nLJ3oFy>I*|MKixFy&Dc_4UqC_NKLn1I7`?n~nqPUWXbi(8ES zL|y6q81C4@(gU?8GL8t6(haCTDSD8E#ffup0c-9PZ*F$JUzUPaQWp_1@o=9;7X&wj zOxQJmCE%m3qB=!YN9UVG@lq>aUMnz}J}32nPFwL(;YF>ggM+&w0GxWBy30tP0)qh~ z#r-WY>ox?-Cy$nyjH+VuWBSYEAez)6NFnV26QOD3(sz=%5B>eCOTn+%0^al^-?Vx# z0>w6?9(7hfGD4vThHX}*2D*f~R+d6p3f}{F3?#vDl-4AOwqh;ZS?4-ScK;j7&TeU$ zoK}t-q0T**^}dEo5jwKcOA5P?8Y7QqV!a5o1sh)L{_1zP>gX$&DnvtZ=b9UiIx!sE zy8EZODdn>QKKVN^8TmTSvjWj{R5>25kJVE+I_;bbca}_1m~=uImQ?91_WTPAA3c+h zg`mop$q$}rNqorE)CiCD%em<{FbkJJwFA+{{iD705&CSVP_5K?-k4QwwgV9y!;vJatr2xpHEg(F<)X+{b$elcS`R`7)O( z^O{l$A@)~>gB03|N?rpuMAPZK6oyaq)HkCv9Fh1S22{1j3@YV)%-F9n7S`+~DFzGoM-rs!t7!$fW!?BFn)sYHtrHvwzE&?5U? zVTnUpzanKuk!_FLQPE;odblZNVKX;G#=h#kK(uT%F}T70NuQE67B3E|M>+r6x#(7v zd~&qdvnx>*UBf}pMAjUhL(r77P>z{h{zzwqlII)w{NeA`$a4|IV^Nu2!nQi0_+I*F zVgV1Vy!IM!ZR+`8bX`#%9c!ww5=U zPg#!YbxB(l6)*!mk?0hc2fjh0+G_M#PN;5ZG>^muA%%R46!yaX8V`Rz4?^j*q25f? zdc`q>-H&TkxiWp}G_?UmQrN+etVb7CtowMo1 z)^Ml3Z%}h*&c;UYnO_TELt1V3$5BACcYsUBLCRJ?5`bKdX^-Oq^nCkzjIExRnaajxiqFWhehW5Ox3RgGnJ$!%t8K3irv9m zU|%S5@Zp#uSJ5RWD*67O9%?c}q6n%tpMtBdFKHw+W4JQ(=ab|3H> z{4Ewdmf?AMkTR`AN@-jdWyqBlaH2kGEvr_ABo|OhUfCpqscXmYw4cdLIXGK%loY;3 zH_Co*MWAU`Cd)%xVKVBswT@T1H@ZNcWWsur`iuq`bmz#NILQ;l`mMAniz*OT)y6dx z&0es$BJsrcBz4m@zIZ{bTitZH84i{j+F4mcQ}V@eWg-JR0DI0gR(2>Ay7%>F3^iS0 ztM`iGkN`!ILefPwF`RyolMIDKQbjr2(e`=4T;=8#OC%;W@rbG}pNpb)+|?V_QkeNH&8u36)+x-PyX) z;`LL_OHW^gxj<`+oQcv?C2K|DY>a&Rvahj%`e;1EIP=*a9p0@*8gat5rdd;^%2|;} zKOui0$Dm3TNSwi;ZEh!3#(2;}O87Zfv&0#;5O$b}My_9D$tq|mbInFWWcBD$Vn$(Z zEqL&^d9Bp}SGRqBv!wF0-;n%$;k4zpjLuwI<}SmK&~!D~rS0x{_oyP7;svD|0#2=N zZ;?*kz8B17Zbr5?Q|Tr#kMMr)HHRdb3l|a#PpPj^<_zq>dpfB^tD!??l+GvHf9{ie zb7eM~Q&8RD4*^6laVNbLcB~6!6}eKUBS)8-r4*p^Z8KdWi_X!dg zoeKOxL=M?JWvf>4ffeosEL1H46i_X3C)M502gl!$IRpN3$;lb2I4?T4US$5G{-lp% z5U*FVZR~1mPNoY<5bS{XQ3w4zE`IZ9H|zWOTy3apzI~96$x3*z_OZeaxH%x z{+mEovBJAs#AF3LWeG-LBx@Y#ptdk!stQ5 zCWDrv(A-s@VeGfvD;fIwZ#X+ra7T*KACXhqVx9l3^N*@$J#YkXbS?Snj3(rKs9_s# zFa2?CB!=hviIIVU0TjUCASqe?$9+)F*7p|Y4Y9{gK*acwvBHDn&3X-OiuZutKcMW_*OtF{$dvkjvG0)PtsE0 zJ$74TqdojgB^%v0BIIX5kX1ar!5hrdXkSQBRz^S!B{1Zf?C*OcPQ%G+^ppgW%z}yir6WcFDa&zd&UULt({0C`DyZG!h~{ zx=$hXfwnt~Z=vRa30dRt!S8|&@rLxDyKIdOBr8*FHyh$xj;X|dQoH>OP7g(_RMQ6k z>?#*pKmE~dNZ=UT){Hggb#&ELv%!2Ct=eVJuD%fZrBnax-HWK9OeAK@V`Of2a<)<; zJHd5?yD~0^J8m9^rklJ!_PvGhn~%8p`ke! zhObncme~lar@~0m0a{i&s*sTDn=5P)#(R#;#z(jwU6?-}`yHFvV|BI@j6@Ir-C`py z!Pw(%bds308aDK`py(V*o86~TRpQ%%ZK>^jo7oRj>kHTLdpt{I$t3eW?+S>Y_6kz9 z!yVKa_OUC@ICHqDq|Iy&)3=5x6`bww5I{Z1EYxDljb86esUA_Yj)HB^Qj9-BfiYg9 zX>a-{dh2XWV)s8L_iIeg+#B0#m%p!Ss`u0TqLH7|V-rc1Ei^!m>LFO z9_Id5o9;gJf&YpTBp8XjW!BKs-=!f$2x`@~?R$Dl9x5S-VDIwrwVyw2Jd1Q!1^{OM^hZBlx4AX+?b~`wE1_5t zz5Sl{%g;Z54RJQv)3Rc$7|nN{6{9(S^b<48Nh;&NLS#sT0aDRP5%x$~j=ePv2c9nI zsu6!|)~X^?&=A@*d)RhqwCxWq){^e(Cx6}lrNOVlGZk&K$3vgC)GpOrvP0o|lfiIX zq4)Kx@!5aF)X8hmPN%5Z?92<`ee5`53;Z;;rkSD|st)(oecHLvAslK4Y6Ckfn_oS+ z>m_)b{K;<0!#$?De3ZkyIx=ViC0|?l=8VS_3|M z1v7KM*Az1iYN4n(=-lWnv34Z+#!DXrsZ;RJ{BC%C?8epFV*DhLMziyd9x@MO&YzxRvjG zxyh6lDHzh`Fc~54@9#uw>FzWeZs~{^)a}n7t9e_yIKP^$JgiR9s&HzISOQia0F;K+ zPn+#EXTv-6Gy9%M0tOv8)DMeB1ek6V+4Rtf;ArHAOj!aR#D9z&-+mPMSE&e&c|5el z)q|eX3lvboKKA{5`J0lmX?s@L3EFFR8fypE3x`0*Vd*U0@lUJ`LxU5LhA zyMv2~h+8+@8xQezi5+;XsExbuF#K8zlkFVS)nnU*-TE*0>rVSwBa%_s4&0wcyE$e- zTa6y3_m9&CS3YBXb2=SjZ-ViAtQLQJb*-*w>V9X^H(hj-G48ilf(oi0q3G2um4r%f ztBkLkPoQu_l&<~CP3G~V~OW(~P6{C!x#E6TGWLwYu@qXbE(L76O1A3e@{y6?Eu z;A+5$X#vzh_vXl02-ybp`iLM^l<8IT9Lx@*8HF0E8poG?ILhA9LK&(wVc{+psg~C@ zY;q#*h-tFt1>kW+wqS`0!29#?`|1`RDXL3@6I zRQc?r1Abg?Q8BtKyA}3aIz@@s1kc{I^Ii*iI9t&nG~^rt1c9dzTW2JNK;6$Ya!UUF z->z&F@;}oNBJJhy;xlZD&t|_ltvY{MQT7}Uq!_H9s|_tkZ45t>Lsy#M)4Ms>3*W;q z4|pT9Vm{cxw0yeHM8tmieC?KCWb*0$76#ku@h|_14m|-q`_!y(3dL}alxf&C4AlgrQ7mk=c)(Tt9c4o`+HBx?J9OE!y# zBnJiF?FCBka{4`fYEMP?+d-FNCP*|5&?h#Qpq+jX-ZXO{fVfKnPvtVoHXsidB+Uv0 zaFIXLudg|RlqiK3>}o||Aj|m|fe+Xe+lJqyq*5t~lTkZsW?&jA>zcM&yiE!W6o(>4 z@&8U?6=G+!7ZPv`>F0>(TsD#coapI9g49~@y~v^cnd93k<|piS;u}#`%Wtfw_roRw z0t>!f%)ecXtU+_($4L3$q1DLy^vI~DUx}N+7ljFahgQ&z1i>kFVdN)|cJHT1@e&aS z0f9K1emaWgfZh-TQpjMU>HB?mvjK=W%C3mru#>ziEN@g#Sk#v()dKFuf2D9l4e7d5 zijA+$wDxpTGVoLc*+4kThsxuo0iUSd1q%6^X!_A>)$3Sn1pzB^;M#p}Rx*o3%+^p9 zozzqXHwhQzJ69B%X>$30=EinTDr@@#{df_QDgy}055+H`=d*gwyZIuXU@B!#&pZ0^ zeO%8XR095Y__j!8V!n83FYkHl)e~jr^VSF>uZzI*^~__s>%1Bvk7MPU{uG-SR33{n zO%AGku~iqyhd6*Nz&5YZz$9Ir5r}uZ?61a%lq{E@`jXu5&R(x{UTaOKY(fTaBgEsR z*zD(}OgSKQi+M=0w&8QroE9wVR2!_dcEKedPd~tZR$0s)_z`Hea`uQec=c>K4SctT zcw&yw<^`xe@O0R}MQyK3dXJnN+WrsMTR<;CrA=g&90(Ggs=?Pr)=9euCke(f9URHHOyVOF54 zNHiHdS#U1CY!YgKd_~ zq`#}9Td{q@WHa~KD?f$xl`U*a#n|!cYt&hl%QZ8Smaj5T6IL2jz;A#3D-y2n9Of4^ zmZ)D|@_**LA)GZfEO>aCv0cCIN`7;|5p2iq>_h~0%Eu>I}k+(%zy3wiQjRp zZejko*ZT!HzVY&}lEKq0)1`z;Fz@fn#$4>eZ2)R?`)&W6=(uTIX3cG_-O~Anz{9vU z2p>ZCTABo*chZex-Tmm{0`2PiBJiX)8a|zsl1=6DRqT!6k<7r70c9I4pvso!$K8Yq z2->u#azLy5c(PP;>@>gL=6>$6lV6dLwz^w+ zo1C=hxx5(HVdqR@rPI;!_o~%E=Xqpg1D}u7#ObggPG>6{G+BB#WIIE6x6Z=m9A>r+ zXCvKm(Qnk@jn4oBI&kuMYY<$7pG5q-Yl00@WiC|uIX19T|8j0o8fd#Sff`H%j_7jl zc(y-nIj``%d#O8bzZ-8k_pJ9E@U_umNugt402dcmeWC%FSo5&(aDXIg8&`i^Wnti} z)_US_btM%fLHph^cIfOlVRKdtUQN25FW=BsfdO7Mno}1Sg0~pP9;EcQDMn$U5Ino! z^_(crH~+Y&5v?}sR)=f9D^%2fYB=e}1-Jssc>Wqt^)?$-XKQyGo*mC?cOx6LZ@M;P zNu58P^uOl+9F^ID@OfS%5W!y29Vg%|Y2O;ne0|magU(n~EPJ*d=eUwb;QRJqxiJ6i z92M74QGcuBbTK;lFnVPWeck+zzI|$yIWyRp53AU$y~Dy(E2)Yrd0mc_G2t6(jIAcA zvA%M@E=b>)6c!X@Ji2WbYV6&4)mp-M>qJLYR4jEmR3Tfr%>z!l6nI)489Bdrz~+te zGhdO$l4T8mNcL5_PYY&2Z~7n%>SF?RidnM4HZauMY`n%#=f1T#iJrDEw>>SAm5?*` z6^BJPc;1iW^INR9xF1DZF{-g8RDwXg(4)O#J3~la>NzB_9e-2`D$&Ngy5lot)L#Y! zUk=}1FNdC5;sRV5J}a-@-p9!&bGbVH;jprNQ)O#H?!DrJnP9HU;GF*nQ8$JhC6*9b>y`NPDPVo>bMwb9C!-!5 z!;99jrg%PJk_2Gb$Of+r>^Z}hrTrR0PZCs8Ycki2{=BWMbS6n!TWMN#F-S%VqBxDG zti{M(Gfh?U+_WtErF(MfnXzp5hSHY%+iw{Bv`2l}=rwl=1}iB@RwbPCM!f(%6c0gz&&opwmOUjZ)sFy_Ubu+|g)K zDco|MMUuhL!f+{vXS2&>XnM!|l)4A~k?-5dsDpg8VFRcTo!zX{fQxk+9jF~E(^abLzBg=iq2VMr*-kN z|HimPlnh((K3-SbVkgfR1e&zE&WmA9GBMR0PqJ`(-rk;=5O|pE=6F!jQ4bu+`E0rY z{`;pb{LN*}sw~*rRP;!+>&v66z=sYx=H)vazqVm!66(- zM(hhGqnG2hOb5JGhM)(VV6)w}&|IV5e@<~Z_t z#7gZ~Ol$UaWC0s&?%P%0e#?2sQ=%1-$`_0FYxB~#s@sVQdUwCjF_znbS0R6gJ|?rI=~z@Jt>#T4h7Hg4&~!|}Ymmae1}i~(Cp{Os~6k8h&tL4$s} zoF18AP^_0YL^$gsn=M(6n6yj&q1$dOvPzH(a-(~X4;_rY{GzQ(;)m^$u~YR;$k+NR zR<~gva{T9)&By|Gol&^v7W1U058bGepX;t(BHc@z9S^SS+~%K#XUPf^TL0~RYU%Oi znc4!eB6CC-<8&H`pcS34`h@7=M>3{zDsW8D5nXOa3ko>D!4Y}r>V%${qvNy2OFEq% zR`~r^X^Lx8+`XL$yV3-^K&lu%D4eU1-=XWIxb@b?a;`t?$;n0E&{)R&>0Tq|{`!HA zE^i83q$Dn)>I?aGgVT1c%q$!0DNh$Lr|N zg7T+n&EGNyWu7k;mFU!cW~Xcf5p5=3y_;z~%LOE(UJPoNYrAg?5xnqT$)R z6A9WsGWihE+LW?)Bzq23%l{l`b-o!AOnxb>icUkY?LV1qse$;LU?wU5blP|&;k40c zdSF+f+4#Dax>;&|s_C%X^C} zB?f`M;Uhz#A8WFYvCgB1_JXxqqIiyqtXArmOwwSqnjM$wEL2EiiYmlvJO^&cY2Q2) z8wA=Wc*k^LvS+Btl-uqWx+uL_1uLv>Imcag6sc#q7U7+(+s~_sI#;dMaVzbn9+Kb+ z13Gk&Y@n{+{^rV#wt+y+YZp89_yS(n*9uWyPu&~8T+#?%II3A#wb)%&a!sIv$HUW% z>IZU~e0(~Epg(41sE9x#6*P23uUSW#%oQsX=1V7Od;II;cfYNbr$q!>=CnB;PRph9 z?2fbaYF_QGQ)YPPA6MCx67LW_c^_+kwmouTRh~LsoW2XvVV?xKEgesnL6s|P5UArCM z2%gjOJnCpTr_BjU6YjrU|0{je*%bI>`z&vw1CsY8LN)oy*4gQA-M+cL&A_u~%yn3T zC>JZ~u2pZjvKI zM-;dU7cJg)v74mR{`C4JndYolpoCI?-pw=0=KtCAI5Qd&WZ85M=aR`+#LI&8awr&l zggvyu@bb!X{xp^3bRhqB_`r0{JdoOkPM-jY@s`3|kVjaj2m z&ki$}*D|LO(ydxhs8qpCttovf2S%;c#!K>l5$`@(^V!-!AOfjkDX~ZO>-i}!R@7&2 z1Lc|i{tfT_M(*>W)6%mwx1JwJx0nw!t=z~0F(JuAWN6C}s#0tjlBq@~=CtLqQBEjc zOnZ+m>(5v2$FHqc`_|D@n2Xt>E9(QF1?^`sA7HGGra9fT9z~9(DJIwGKjJm!{E)z- zpqMZiAY&x2!KTU)o>k`mNexA(4)FnTRo>al^=pft`loTOt1{N{+EQZGod7<#*SgYz z%1$eku_7EOvm0apg=h}l5gg0&5q!Ph&h&abZ1;RRF&OuIetss4;@S$M1rO$5*hyly zw-p~DD+uGE8!)YSR21pN9dGxg+aWNKu&`R^x1tyXHA zHiPhaT+S?s9I#G+ck{3?)9WHT7~FEZ%!BxeyEvDs;&B9S#me43{BgLOh1*rs(J4JP zXpro3R0$^JDEzX!z^9ghmu)3QP3D}msRlZKyg}KTp?YcaUm{qpt_TY znD>L#F_j*GTT_8aKtja0Du>c+AQ}blD;Op9(EjcmOzJzC-oHgzlt}YV(^zP2AAVfb zMv15jWE=P(j1)iU)*DV%aL!$|3U{p69xnLLhK^9qmIiUD^3-$T%u+fWQedDME?W5N z_fgMml#~I(P2A9!2_gYFylm7beaWr%l7S@WiMc2Vr zSM*&l$rT1%nIf+vwVGu?v7tr zK2&ydGoG@%z)MPYDNUj?lq&y2_tQGB)%E*j>H^t0TMVlFO@`NuI<1!TLOwHRB}I*h zAZ2-m6xR(UAj7EVL^v)OCulCo$youijHJ(x>sF;SG|jk$c?+v!rlBe|g}?;$49O2W zp*_k@U@&<7Pk_^L3%I1{0CtWsO3>5%@O>E&^$d-+7fW~LZm-}ln4#Dwcd(n6BWDqq zVS)W#$*4(_&~yQu?wLuiUd>1LauW~5B&kF>3!9pV-s-vaKBMxQ^VZgG>26dx=JDoB ziof(XU`Q~&Cmc#AsX+DsHGzw8OuN%Q7pFv0Q~xCCqR=Ntz|p925PzTQStROj^10!! zYbKf_xd!cg&!7V=BuJ=XDo&yxJw1wt!9>pvMHJQq{kNnxl^Z_lt_LiLWBb|pmlmZy zZs6SMush|a4!hUA8t@TpF9;h*A@(}|#?O`D;1*hHbN!z=g*^vtL2?uFA$#0ZEIMU{ z$8CxA9z-r$jQ|LjBy%&YNprk=i&!Poho3ZfkO?;TTU%kZY-wG3s$`K=L-?SURz++3 zT^T->wcgosE+-$W$!6lBe%I~)l^@h~ipnrM@D}VXO81_gykAzM&(6wfqsFzL5hC(>oO`Jfi#AkSMygZksGApW#`y-Pur6eMG`XKNHMVXRpVq> z6fu$0@j@J>p-pH!y|HC(^W4KxI_QsVdn(Fh?h{#IW*?~g((XEwv{CJ4Y4$#rs;`pd z1zES1SahO*F#iyLKDvL4m}LqSr~Z_2_iVw4Q0a z0;hzwLN3U{bN)No+VFZge$k8zN#&0$G%Mr+Ebj~=5HrBtc4?^AI%WqgUHzmYnB82q zCO%_p5MtP+ew(_(eH9S*`O&X;SY2$a$-0&w4SzBI4Xkzq@Bj(9k`7_*N24Tr5>oYgO0Q|Kbf%bY0hfEU|3gT{-<*RcT7E z*b@Rzj2;7(ES&H&QBQ)m%?hx=7$4%(wDd1##Gv_R{p`g6N`#BR)7hnM39;ALazg;PuUD=VuuXv?CfM^ zBRxfyekdp?Xlh!n;nAx%entQO0Uu3PI%K9sIHAcU{uDag|5(e(U=V)lBMCsWQUqAE zbar>^cO1y|XIhJencb4xosv~ontG!Az%y?Lon7xLcmL;r0G|_IXE?v@)YGc$SrWUC z{CHC!+wnP1&eFr+#GV!lu9RzgCN$)yOnCqQ@;+rAB@?HG&Z&*nuk2-Mi)H}&b<;Sn zF|&DF)szlFOR0U?yDP7x48~i?9cWZa0HC$X^RzydI5QLo)G7IF${g}a?uVe7E;^>2 z*NzRRVRUa*HJ72)Pkq?OUTft^6&jD7Ot_@E># ze+}>)?HBELa`>l75d=IZ5C4~`_hLTnwLV-}Zr0t4qx`5b*VNqXW`j0ge*W%V@D)3_ zUayPu5or=XLN7M|?d~$!XaEo`k%XjUJQnu;R?U}5uomwVjYjRSCRl?I2?-(UFm6+p z>9oZf{LcBXn~T@2E^^l0_LzO>ff|A^LG!5RJCpwxVX}S4qpq9CD3PH-KGwOEk!ejH z7WXHPvv%Bw;mWyOFd~sQVRmHmDSHW{HQ-~hvc%S;?OX4pwvDGpgOGZb&c0~tG;XFM z!#Wy-lut2bjP~&n7U^8ByEQ6Kte?K$uV&HrUVd_@=#WjpH^8o{HZ6C|WjWC6#W}f> z9^rtkVW@hnw;4NnIf#H5U9FR}`DHxbP0vjJzDzv#@`!z~>e%S02G+Ri-c~h4OwIG@ zXyj7$MUHkudDL1Z2VS_px>)nPjA`SKTQGfEhTSC95_Uhc<&qSR~ z>Dlu*rAn~6jQ;4b`eTl|#GsA~3BX-~S`4Bc+w6yeXvYX$Y;b-belJR_&6OyIa5{(lD;i((d`+z`z;62z@%~sjD>A zqewj{i#?9}J;60*lpj-~P>{R3yL+=+F#qA*irS7L{1C(Vg8!dosx3i(6x$Bxqz^Ye ziKqzd>#AVSFBM<(3+W$UQ=c2karz#aXu7D9sj0Jw(AEXFDiinhi}UHS)9epPAXOd% zZ0Nys{s@pfqlE^Xeh9}JW(EB=KCq%jll}i0+p_E_TYP?X3iBf5btd4nP6IwPQHq6S5aD->KY2aS0n0dmkPi#1+}FZ`7pX>` z8crpMA22S7a;zjGda$s%D2E7DlPpmHD=ex+$$e_L_m549l1+qx{++$0nIg`y_3=r0 zKG^}!m+X9;*N+Z-CzgLn5P!h<2qHry{qSrG5{7Rg;8ZVo=UTa@;C-nAY(o$Ng(T{3 zIUc7FLV7*E=U>(W=R(mUQ5cw*(Q_`y@eT)rJBfz|>?7aV=un9)l#eyE$;tfGLpWY+ zROwb_mxh2B06GAI0&O*o^_`))?Y-UL{qk{ul?N$A)=pL0CKF;sv5lDKAlS#%?Bcy2 zFOdrgq0-z$VXYD+3GM&%?Jv_mRf5)JuL%NxKOPfeBer6TQp^GYRUEiRB5HDU69hZ& z+_NR6DjVVqi1Y)=A_RrACho{73+PFzkm<|XyQFb8+Qe{~)=>zB6`^j?w|1&1VH{_% zpZlHaS1&<@TtfBpk)6<$6`%iL39Q&OM#60d-VkV(Qc4PKR_WJ7xuW&%ykkxCJ_J%- z3E!8JRmhwfWvOHXV%5dIxD@_(YZ5GxIryTyXv#{}!1Ll^y3au>C|3+s zPBd#%yzaP%%MsJ1(50e-0odOSFlf7VRsQejH7Pz<=)0?QJ4|D)jYqPwKVS zAowyJp|1G{H(5=>rlykrN+|~?=4<1FYbXayD91yn-?Nx@_t?ltYlO?ty9})qGfd4b zbER}5$B6b_0a$iABmGkdxWh1vT827(k*O>MbXd&5_)<*tu&|tE&$ixotXku`||_sEr6Q$e46Db3iwAuM~2@>BA+u72@TG6|7pD zg#xV=4w#3BP_dk>EZM!dZ*DhgE!mL3%$*?)(!)WKG#jcAmHJCLKYE6DD$hCdC$`@8 zlqKw}!;+8No>s2s4@y4|f8=_9q2qAw&D7v%F#kvOE_axR;S_0;an)%XeZ%3uO zO!{7D^>K9|&jsru5Es)PmX$!gDMyB$G3h1H5b2YQ0n=mnmbzU*-8VJ_PR7k{@W~gPiBWdwt}WMX;5sE#aLBfqP1855R{wi(s-IDZ!xFev zWyt8_fbPoq$CbZKA<(5H zP;n98#pG;qCI7^6j&a`&SnV_tF&WMgDqKli`s#a}jaDEGZK&Ap8fGCT#E3(7`EC>0 z0Eo3~0XcuI=F7X#Pj!u2^;OwIu067UujSoveUOp>FXq9EJ4A*pW0~V(1zgv516C00 zW+pk=S16R@r_(eVGAYOcTs8e}|3!ZVc^*fYC7`zN1(tuRCw?F zZ>3!C_BPQ_gl@Yg^!v1zjc;ShoFmU41vyi{uCFaz)Z*GZm1oo2O<{l^K&neDGD!z#lAb0Kl&{o(^h_9lTSb{ggR@U>$V;Mo3 zP1&S+P{*iOP&Q zi4y6;noQO%*;#dmlWUzWs~Lk-&?+ho8wu+Yu|Q?2%Igc7G_`pdg!nD>I?#to?CTO_ z2tl$O2m?IS9sH&IYK9FM*Jmw*zZ{OMEHyT8uLhEYtfkv`y%MfPF)J9hXhRz+fbiY$c@9+8wu3`bjNT6DD>;IQ{>2mCkDE{09+kA8e< z7OXB>B3yj?uHkT6@b2WIW6x%@It^Nf}lI&btinS(#YrDSM zLx{u3I3WZ+&CyOuqG4VPBKLztDqAQ;@_oI`OiATM)qwp&D0!;3=lo+>cNid=Wmk5k z#eI8B#RV*mGMo8Qee?L(A{dyWlMaca^_t3%^3eSPwhh%!cL{oMs)lj>mxAZjzT7YgEP6=57xYu9#)AJ`FEJGq znU>ROV|ioS-{5xqsV2LMEWHs<8gvSl29_ycG!(*)nlV&mKqgCrE2y?c5rM}}Q&2*o zE~8o%vB|hyZ`K0Dq?;-_``9Tgde8FKO*gqN>-F0;b6?q1q6u5JZa7ENB?;|*J@l7E z*IN>~AHEUTsSX4ax%M&;C*cD15o1Sf1=Iw3>b!D%#cyS5tR~}Wvhk!726FsQCtC_~ z+Ti1xzY2Nw9bNiMef)P#bu9MC*{0Re65YzH)8XVHKn|2$vH?h&oFi+ z3h?uvS5rx#osU$n3p;Gq)o#S^7}DjAUf4-XRFD(Z=&DytpL^W|)*5}aB*rW>63yyN zSL(B@{`j@IchH?JZZ_@G2BK^{IdAamoS1F2PddvH-o}@(tRUWy{3&8qH4W>k+%p_1 zsN1~g;W=MI1iBEeEPSMWUEzIO)qW69BIC`lGmi$kA=Eq2rK)>gCbjLBmBfjc_Mis4 zw7*qx3YOiM$sfi@>$u9pKcBf4qWtg@_B|yCFNimaKf;JH&A~8GD{un9l@cixWTD;_ ze}@`$-@d0|ND* zUo|?aDtwGB{gf(O`Ig~Vw$UoINb%CZ7@-iTziR%nvSL8D}ML(d;N-S zwjk4Kzu0Y7RyB_~Q;7-^ps=vow2tewab5DWYp-7V2TD!mzsn=9nPiQ`f*rDd{D7~X zW7jB^rbmH-)IvAqF|pPZdd@bBFTdj0Q0qpWl|>u}u(s?IUyqTPR}PoHJUS++PnaPlkrW)l*w?sII+J~URo|K@UBW^QcIJ1 zy=;#7KGNa^8Pw}BM<69gSzLr6h}Y<1(5crdr@PB1QL=3HNVhQis`oS{Il^QWj^gyO(=hhzhUl=s}JCd5CL-F1o*PbPC8HFC* zipfV#UP&oIA*gT>S_P|V2I)`8NM)gEKTD*zYFQCnZ;NrQN z=;5g#qUDydVf}Gx#k(QhxXSyc8Yos!sVnNTMAu};8u;wK%73@&u%PAgbU7BzDB$vK zLjhoN=;%KFO>XxdUanZZG}i&>J~(wnnd|x;yoC1EZhh}iW`+10!`UqwTAo_P>DM!4ZGAwbQMN~BHGSPcR=RiZ#opS;1ex++FRP;W|620bX@T~mCUNnte3vjkLWBZj|_k3pBj4Y6^^2LO=-I+>PJ^$_X%HM~>r zkqQBEP8I2Uj1h+>JBwv0^`3P}p?;xEy4IKN0%m)PH0_>_NHC+b@4Y(rxV&t6dv%#h zDnBfUqBCc`-XUXrew^Y?1jL?zdhL3~^XaxO_4DAwgy2>P8MtvP>_wansH@vvYG`;d z?g2lu$}w7Q)U&Ut%GirnGsM`$ zX!qcc4Fe6$a*K;i>7nn|)|ND5o8#@t5;70|Oj0O%(753%khVs?oqu`xDs3fr7+Ox0tzE(rE3m2yt#CN9z|h8rr@ ziZB*3w0Nb5h-4r@js1f!c?W^BbZl|}Omfx^pviVU%&m>ciWo<}qmwxr2T7QD>h3KW6UIMA%1p|0Mf+2j)<@c?_~@K4$!lahWA6BEN`r^JUg z?86U#^k^TI*XavBmZLr;aRGFC&1W%n$quu9_RA?Fs&letgP!ayN3(-+7RCj_5X7|; z87#1@Oj6nX_7UQu$^8R=uNXBrZ;o6sAI}red37$K0e(w;e;i$9xC4^{JPQ*flg5{9~CQbzHu?&Ew z+g?4w9>{zhom9eL9dS@rJ)>QtfGplZ_T8jm+o{T@p2Pn!R z`Of9z69TTELSX`tF{x)%nG!TddbR6c&%e3Xjj7JY6w+-6zkYwuz`8<+zQ+j+lTa`IeBh9aCrv=(Oj z1^U)HikU1SU!ajPX16d3`~hAGx*sF6dUe&Hno&q*F83Zls4+gxmsX5%A>#P#%8btk z_DEjk;&XlsC`Sz5pei)?%hk1h`nqv=&ioM-O7r=kKjoG9i#nkI-mI|YnS6)7s3pTq zdQnMDdomcljsuLY9$+Ss>O;8sCBQat8C2HgW&{>kY-U0!a*n4P3bS>mbs|Ilho zS4Y5hR=Gs{9}H|X)=UxmUMnZX+&EU38|6$PIPj>avTOsta#?rVU145PJp|(T_&wMl zhNoF|k(`IKwph{8(*HO9%sp+A3-SdWjFONInt>+ z8Tudc&S0h9s=N&Df75q!$7S15f)5$)XHEP29roxCQE@18>v0_^Gj{+}XDIZ$U)Q&@ zGr)OoC`W))R+{+}+l?oCY2==6AW9TU)E_Do>kJeGN`QLBgAS@s7!T&G=#*W8|$3^`JNyPh4y21+pR&8XgX?2 zHcp#OWUd?QibxRG*2rNgTU4e`>dqkqZZ|$q1)wl|pro4`#AVSJg2fNj{Xqn=QV?2+ zdn*GJx1e;351>+^5H@Y7q$j7uNPS~7P3b3vBk=m#b=$@+Xye`+Enb@X>k)EmD6S{V&{E>?KqJ^Z^4b zf#0VRD5gxagMN47`P19?Uc74Y?Ipd{J3sB0o09~HuIzu}e;Cx9SBLPisAzLuZ*_Ip z8#NnEg`h_UP&2?QZudu)cAVw$`KAct)GP|y+rx@r@hAlVTu++qzv2N+k0WNCe{!aS zK9>1HH;BS&u3W@;38_K8LU254fJmb|r%Q2L6g|}9b3FBMj8zFd5FzyYK#0(7J!159 z7UA>*bOI3C{?@$~%)Z_MQ~zVKr3$Qk_h|gZ{cL0R59ONvMj$A&ezgB^2{AlHzpx2* zf&^2cF>bZQcYM3@D-;d3ijY8AD6CP40uz+cdt`zV1DiZJgQ!5$j4;L{tXKzNAeBW# zV?IQbeZsKzdhxE-qKrs#8y26x1+?k&3->}5n$k?l3os`J)IvRPQ^72|-I{p%6Q+gPIhIVjnSwH%kbXLWb8w%Qk7W~aEhBl$l9S$sgm#iqMDy!UKt(4n>ex{)t9j`Rkw@?NeW99-MzOd0 zl5QqUbye)e`Ol{<_+Ol8TA`Pv2`5-~sAD2~<{k3?akbU!w5sIl?D;)p(B!_SVY&)zL=zAhJQ zs2F2Rtmw?>%vII34{M{i_?^u3`=g9XqoD94S5H3(5VWrw2ZX16%*GcCcoBu@2^KrU z@xz5{8${N+mCSx0o=okijZfoDi(I`d%Zo#!83SUMoWD|CLT0%~^`_(aA!BtwBGl%uKJ0e>B8%QAjN| z603*ajcWOjIlN?LU zzH6)+usas8Pm^o>H#Bzuh+wW67>$82pGUL8oS#~zvcY|d^b#_j_lHJB4G@yd+6H~t zFZ(4Us(8^&71U2?j+iAy~6NnGz@q{yg%acBd!xe($< z6cHuiv8Q4Xm{AG2+Z8GOiwda{H+y_h4?h}w;TLBm)Uqce51R? z#rd0<`E?spv7~V6w_0_CE*4U^E^fA(M7Vj0h>o#E=S<&8VNvU77qO_ALa(vt#7#al z(dz|=pq(ta+(116M8L&{y_gsYf#|Hu`<_A{2At3kVv>SG1HLwr#-O-@zcwE5P!ZV5 zP<#>~jCJUy-!| z_l=tKir7K5JJIT&lH^O!FsJANYHmOsVi0l~tBIWO3h8FEwUg7$-q;_;#=m~QHl-+{ zKoXf2kkfkp7vyUPF}SU9W;C9yFu8Sw%P?i#-qmjyRcmI}8_HTjxj>euN1Wl6HNca$BQk7p+i27X-3;Y8c zAulj14r<#EcuMdK!jf6XS=%|s`r0BpO>!BumuShhT~1R@Q+A!g#S+X%*co+M#c;ng ziK^?3uUha1uSKTYb9a=U+1%>#&-^qx{r7tiu@sckfCa>CH8T!F69S=2F zgcwhIUp7<7(an?6EHIFZqrBmsX~u{~pyS6WHeWf1%ePhD#W24fop9vP@p@#VtRMnCemr{uU^bY(M~l{=k0}z`_GT z9Hz}5-E;}JvD9|8&3o3Edoa0fwL%m$K;R%_WpxT*R<~zsE7_vK2mE3O z?gR*_Q-c1CPx;bApom3v39+dC&2 z9ajJV4d=fL4v>}e831^%Y%MPS{kxT;o1?3hqZ65|xHy@Ui=&0LojCyDwVJDDsjhbP zN$`I2R!lx3Fh$-`6%Un6RV+FXH<6l-{2i8D1o^KOJeA&$l9Gr-e+wcI;^G2h@KhK+ zM7>`|*&{EE3n_|-8hzgOEwWwgxIdV9Yg`gKtiH*upF-(D{g5WZuEH7kp+b!0<5tM< zz|i&{lSt5eN+$poYW)v#*VnIbfQJA90eXralr8|A*Blxuphq#ghviE+6!TatQy(rc z6t2fDkw+di5Emfg6DL**5Rrll%*~)y0~8H8?n9<896&FH z91pG_5kQ7x9w7m+;s;buX+}u`v{?YS7V-nUfMrGii>#J~4B&S&pl1>btqy?t0l=aX z5%vv$=nF9Z`}M0AAT$$zD|M|Ua7AB>bw~%3RA!w(DsFkLZDU1_LL{|Likm>fC><3A)Dk302oS8GO3T&3lF0L z01^d3biYN3ZhJp7^dNufMOyDgdokt;6{8&J6T=dF|0D2=i}APWU@_XC6TgY+jG5;} zh&g&xtbQgtVKDV+v|tE2VLq9l=JnEc1ieEP{fmlYLcSUSXBwsbH4YU&Gwgx9R|XL~ znv!fJ0#}7XK9N&~RW(YTOhbnFTF?caH(Xz;Es_5(fGzmtXNNRvN>H7O;QWV1@z!!~ z!ceI~wCNvitXc7&3bLnN8VChrxPBc@S6N}M#tVrLv-JG?jKV%($HFw!FZPFr;a#%X z*dL1O4^=~izcs57+9M%mQ-3@Wv4bRg-fqhG7MiAvEy-=v3w)M2e>J*BgNThS`*-9{}ijwV$Vv= zI;eg58wch(&QxWIl2elnq)lnNc zf_grGaX8$wcqc+W$;y}16sFD*TH#yW zTZ8_&wSC-3B~ePB)|wqVlKz+e58>AH1Nu+Akl_eRT7vA)D4#6}JU@dn6iNx^q6vo8 zS-4qGG7d8_GaWUw>6+;L@DfMgr^=;LrxMXIt5;N(R&G|JY20XxsmE6ss`=MSX|Sv9 zR=k@}tJ0{<{eGfGq-I&cUmjj*S?;JVTpXbD8i}mauh6e7UaV5^$7r`>hz!k)px%pt z+!np+r+X0R0QH}V6+aKU_Ka8J_GrP%ieJ3q>~ic{^{O{17Q!gI8O{$mZc6VCY0J`Y z0-`o?FTU-3BP!)kXk|6mx2;S|Pt&fFsZyzuKI!DDJuAyC?UZcSc@Dx59hRffr;)ad zpG3+%R9jKoD0^S_Nl}mwQp;3nTSD}!UBa{5q3k>(ugfqnPr5D(}tNN?` zQyE11gEn&g2TJ6%50jq-205J_1&Eo4*RE8=4f;jIOH5Kt(zinsTW17{7NlaOFk`HT z^mi$D?T74#il~vP$*JWPj}_0eR25rGzm@VU@GA^Yj87C!EM{_M3$iY;9cCY9FJ*(9 zjdi_r8JfzQTFhnZ_H;{i&YLf zzG@n2s%R$oy}yjSR@-FXA}ROB~?Z;DXDi z$+wv`nR71eKX{vV#B8ZOg*COzzT1Q|_HDpAS1o%^+7jQg)ivZMB05q&c#J7sh$)+B zXyb3^o}3%R*z6LtyI=4O#U(X-s$p4n7!|poW|5toVWq(E(EkBjT z7F->mEUp}6*?9Ps*^D_+t7hqUbBSl=y~zc>(4CM={;trj0QV-_rjF4#cTe-*<}u}d z$2_AjusHB5^as=jIs+&Rq=K_Vhzt@9(u03~@bM$>juYlvGry}_ITMX3Xcfg1jSsE~ z-tVm;xB7dUP(yxym@%0+X^j!~J>cKsG>XZANpyd}2b!?(Fs+}$aZVB1gfpz^oSrl5 z;;vwcCy6wP&1_3nWnK`Y94DPnC6kT7Dt8-4oA3~mh0gebcCNOpo%|PGCc0WK2fHrt z%h^r%PVNrct}lKD^Iroe?_ZOBw_#(WG`XZZw;lXNa#>NSJ=qr%lnk&L1xb; z$k)jll9ZU>ELKUbnA~J}Y9ql!)IN%~L597f!M%-ewkK#B@At#}Pu7>t43xE* zb-;}#Pd{^sgzzGxYH`=_)A4}IwCi5`MB$F3-I?nt4HZ=btv{wLW-X2mHW~BuFw!d1 z57IFl&{tL)(7~DwXOKI|HRkjQ+O_tOCh^vyZh@8#^Rki234USqV)a|~Cv~p#*^Ne% zr3Z(Zb0Xi4JC4(ZHNB4eSD}%vH4Qio#RZE6^Jm%T`g`Hp$jYOKv}b#R8YO$@vtfi; zgjbZW7)?v9^9#hYg6gXAi}WYb7{jDpZ@CwqjObkG8nHP;J71k7y!Vdo-+}K*(D_z9 zVtlK&QRYZJh%JekZN##!v!t@svYz!!_1cujg=Q9yH+^2D*GMsQI0SUO?1lF;Zw{to_0{p%LD>$U#}r43&x{}YiT?8>k4K1?cSqRe_2{KceCo#(bsqj(;oDd({wL;uhlP`+$(f9q zU+LHB$=&vTC9lUlCj_9ip}rxKt`RSGR>ND(=d)hVbx-1pA~2@%o*x;I7HakQ2ckAz z_MA+RoD4-o$hdhiV`p6Z4|bZ#s44;gK2!ieUhsrkb8`RIR!QQE{vHx1s=IfK6 z3itEobsojWL2JYJL~{W&#jD|u2?!=b{lD{0IEO7g6}p0s@hN>KcFPjdG3(_bps~5c z#7xXo)kRlTuF{m{yQ1sjS}p`*Vb|uF9CE(F4@>m)Xj4qVWW*xw?vU;N@YEK$s)XB< z@J+8NOlq*t#@4w3J2rMqowS)o<2eW;$KVD?3T%G`O7=ICX`>D3CAC4$^MN-l{1+{+ zS--SA&yuWJK65Bm@fjI(UGxkolAgbu&Q&H$^B&d+u|yA=a%E2?G9frXXJ*(v1m;kK z5$8bCt6i9yUh)1bOpPVQ#l>Z1dJJh9Y2Rc!j9UBPqtTpla{)#%|#ANOqsAm=n231nNi1Pyl%-R;0|xQKqL-*Ws@f%)5)VaFq!O z5mfR}vQR9s4)`B~PJ7Fdbzo+2%Q-2e@lemxPWWjiK8{52sjB%cFVSLjYO+TjMKr`(ZBh@gQfc#+!4979SoJ zPBKw}nu=;Q}XTmxUo^I*sD(0)8c*7NvG z|DU#0%CUICr|9jk(rI0HqnSnFp;(N9EFryHF0BASDz0dP%ym6GT~*GR_OG#hw$C3_ z2Gq}8c6UK3ijRif7hU{D1}7e^6>H)evDPtY} zp~v6)&{UF8DhU80eZ}A7m5Zw|G|=%3T0X#s#&I zUaZAX-TJi3a3q`@)m|jjK3<$0=Sdz*30cLzpHt@{79D@F5Ur6y6KG8wwe0wAJdQG66bJ=8~qgAW9t8e>TNxa^FF2V5Q4 zMjuyBHvQ|tmAq=)!MCi`B%EVN+NSnA(*@O+HZ5*?UY^zUmIDD&=k6@;V|z#a2kw z^S``NtMBH~xLEiceLtB*DI1FQO-4U8CMenWUP;({Qs;2q#y~e$+SSY2<6?d=tVjVl zzh)S5zG}R}C4BUYq0RlYZo2MT0SUiO`UW?<{Xg7%aIJ7}dNKKu{)IEY?O7ah`q<3$ zcMyHWoX&*{SBt&_Xt=79L<3T8qnXa2CKkMQQsc>YLPSWYU#r{Rzw3h0df-#PV#h(4 zT~YQF6own-B@m;c=rl@To|RmQuI?VO>}Wbc?pi%FTH`7cqntIsNAqvYVq8_vmj0cs zQ1Pm!2ji!v5;NV!xz8KX|I+M_GCswKnsHaV_G#&I37Ms>>N4(k1xNshp!0Uc5Iw1K5YG3ddExUboN)uwfk*lGRqa6 z#IqBoIv36seTair$l94(>lr#^SSh!%vf|21!~bZtv5J?qx2O`rq}4fhbnB(xsKLAP z$;`BF#!5j(#_B*MRHt+uO3iSn?u1!Hct~eySjm^M)Z2kU@~p8^Q4cn>jdjuL))w;h zc#N*;tds6G{MC)uM1C=|zC4P5cNezRt{ah3`d-B!0!jWT79X*l74U zT33DVwEL@p>gwEH2tI_Lk`|H5RNNwxsNb0xgd98BGR3xkn>x$xx;-qyR_to2oRiOg z99y#fcCapFohD?B@Kmf@D`%OsXHwWZcIr^GxSiS(luSuhz+5+D$CYh!>h2IfeB@D) zHOeE;lC5ZwJYvU|JpuUcy(i-@-dS0ZRce#9S|uGnKaU%0qtrZhb~V3zqF_<4%~kT#=r*d*Sb){187==er87c7;dJO4H`mOZ>w9zf!AU44?+tug-q z;TS)`#8>N0J+@KKm9MJR!X)OkojnB!@-WQIKTy()6nCh(%?aldG@oZWLmw6CvjAqO6$;Z5ed04&8T+ zhZOiF;4@Z6H7R#0^DHfQEf*=?8<&F;5){a4#ZoQpdceW%=f&w_-~O|2YbY1JoyiPo zvb{Dox#B|%jZDNiJCl-(G38)TX)MO}7y3YVjLZivJ0Qo>A#r#BVWXKS1?SVIY?_ob z-}pTyh^`^uwK|qR?2Am#oIW4Tx@{v;oO6ZanAJwR&s$%IG`?QQ`18`CGWyM9$TOZg z*5~Am00*=on)S=(NpiD;af02o`acW2iv{&twmcolqP_5)U8QTWbEaGBDBOf+<>Gt< z`;HCtU#(r3hd!6wj&u|I1>~NU07>XJ{C?~=sf~yQh6jg}@NZm33zPDw9Y)3EOKF!% ztahLLBLzYSpBCD?HyiF+kNQ=UV-&f-RE*@^`E|Ch&$e$b`CzES;pQ0);D^!DI}<`s zO~ppN?M0Ka@Y|^oX|9k@%dgt=mlbyRg+pTZMhHfG7YENNI!1d@Q|W=9#zN+trBWUT z{g1;kQpe}LxlZ5i%9@H2!-*ekM-D=QZTly~d7S4Ubi=NIQym{S`BO)tQu=QT0<~=$ zIVwsTN*c$FYL0>$C$au{vBX@B;|3Y{rb-VDxMb>za81Hb6xHuN4+}pHv8jcD<$=x> zHO86CEPD4?>39-;gf(Vu*Vtl9SbV?%l^eVEDXKf5* zNHtIg|9f)8|H9Cy0nt!Di--qp?LfECeU{C04MvUO>-F+kQrJ!Rqo`o4-=EDqP~p#- zYUd*Tij|t%Nl;qtXpOh~`si3=Z6&yiZ0QjUP^53wHf5bq%#78|zATm070lP`j8=J%vV;q@5)E3d;#M>C9l?o9tovc6bk9?QvTaBINS z^GmPPMo{e}^VrU`8m$x={6&<)IMa<8v0~!ilGa4y!$zwk{SNMs(?7qVg@NYXOheK9 zpC04**=TV@%NS|>rxi%CN~ItK6~gQLdgEieOYqf9KT?rVz7f`S#hGzy_c)v9_G!k( zjc+eAQzM)MRst*H zVto|!tZFBU7e#AAO9oEHn$m*~1xmVyMf?0nd-7am4w`kJXZvrmvH%fOE5g@@U1b~F z6I{uIoU&3&08Y|?B6af8iSOEcSs66c7DRjxS;`OnX1(`|O$tFyuG3+Xz_QX9TP?O$t9*Ay&^_ukYH;CtZM@ z{IEhOx)^RC3=rZ3TV-IY9ojF%d=;PD*tvKGuNG$&MZiVR5{Z$Ixe&z!I zhtAvHU^cMvx+(=xGEGJV@NV5J#4l(7Rl`85jW*&)@ZC-bgFB}=CHB0f{ z*aSj-t2Va32zfbD7GikyGLzh?SDFHghyM{5Qj>lFAWfE@v$wTXB4l<68Po ziPzor_+!qSOT1uh2C|^W?^^%%nXZq&JPM%O!Dk`&P0#kR|H4eV&g$R+4~ zyqK>)dd4Uh37!9jS*WsbTn2<2vMo(!|EseVHMA_7ay)J1gGb_kwOM?y!;W=~`8mww z(+Cmn?1;zIa;?$X&pdEAGhBL%Cs^hvMWJKeB1@vJ#u{4M@>yrL*X%%M@E=EZsV**t z@zo?%4Bw7^8@)cP(m+qL!n=j{P{1cAb=;`&dS2`PbE(_`tZej*#|@`Qsa-ltKX zmSURNKa4PsG859?ZPY2t830@Mj8Nk879c5A=k1Q8aLI6Nb!46N#qL4#3Nnh}w{CyC zHghtIr(F=dAozms$dN1h zo&JYP?L~&HpK&GA%z3FeJEfZqQMw-6Y}4J6M}9PikC)NtA2z%KW7TK>qI{3BhJ)?8 zD4_sRq_Q@}_khEx_N>otP}pLZ=HH%*H+I`>o_jsl7XcK0LJsz1HZ<7gW_f?mjS+u< zEmjK5=H|mPxfKqKy8bp0Fs{l1#{b2rt$F41C?SSQ-g>d2_Y1|yOnm_v&28o9ilZ`R zXu^@xg`HKUFVc+>si3b(OU0*>szqKLFmmTk>E?{x%EN$Q+Iu6#8Plr7+y+Ks_CGI> zN2Kp8-K?}5g&sw@MQI+h&|5}s4v*jlT-l_TW6E4UE#QS2P}ujn;h_8|xeuJd&&Rm( z1%e{#V-mrilfasAD73J@xLsyvB&NzoNiAkd=XEMrvRZd>f1X8&&;w25-&`&ekz<|~ z*m4h)H4Y$!EUDl1&N@pzh(l*z8=J z{-uQgD6_lRWF|(3Jn=*Iov?P=O!_Ax4Y+EbPa=qZev7K}zOhi8%lZ;mSV)mQad#;X z%<=Na?A%*UkN-Qw)Rx3Hp{C{j_vDiSTe8C2y(W@OACGa5B53fQd-zKZ>6%{sBssGo z@%e-#qn%^cKkZ>tJwEFDwXj~2f07rQgU3CC{7x_S0m(0q(KuISTe~^XiMIR4=4!xn zv*l1bNH8HW?aOyn!9c8Kui0YRPtjC+&5!G@N&ff4d;C8w_hPFBeX-k&s7gu+V_(0- zsolK!*Rf3fNE$gv-c%nW`$btnc;iJ-Q5EJ&!&Z+{Qri^v3SqZVOpS-3#fPXd1;nRv)eYvhHCn`U>nAS z>RY3etdwda10e99QB)`Z4jwSRb_rr!8wLm91o8yDd|r~wg&k??pRPe`unMHLdGVhd zg`aQFe0O8H?Vm2|ixFq4w3x;IdV>9zj-8KKA7+>~38feEveed25ASSLp+e#`cYk8I zs6B?GOFPF^pvsvRj#&RJDRM;>d_AUKPO`g0Efm}eaVTn~iavH6CfjH_zS_^;8)f<` zvF6oYQD>0#R?}`g$)r`G!jT8Ei?%v>x9l8<*Ri*$U98d=Dpvr(c22?PgD5Lu@S!Vq zLT<)dHa6EayAB)A`{z+1T+PE&LAV*A`B-G|Jmz1#f_a^{3f4`Q;+L;SCU;YfVo7ox zIS9wb#so=}qme0IcoZ`;{m=iNx(*{Xh!+aD#OW?S{vO|;KG=En90?Q(XvdNk@6Qtr z(<>E29nv;6Ei7E#Xlh=1S-*Ofj9+(>kGG*wUxNdTBPReN0NhAY#>Q-J%E1WvIX;di z*18MeM zY?aoO=qGv2bi*oW)1;yQ=@5}L6(!{t;eZZzi=(*yMxGU+V6w!~X^(bJIg@4Z2u#aI zM|BLoEfq~dt9r!u1F4tMyc&COSE#y`)<8;HH%O~BUZ{xN=jlpS02GYfeR-;hu{T5CJNJMrZ)Z)$--RyH|OFzC$Wg3~51WL9MS(cU;-HWn->8 z1DO|H&*zuhqvr<6KQSicWmwS2|6@2G5A%ofWm%He*Vk=9olTw>n_h!tsIzc60^Zjr zpzgT0U7)0j&)w-tjUIPMFPUtTT<^Y{w}xCOauO?RZ%STbUeb^E3jKD?Ys47R{{Dg` z^A61?vlY_fYHDg!vT{mFN{Wh#3JNLaI$CQ#k;~>*3ZUgM-U^mtV#ceh6<*On;^7!) z8|_PH9=qORSbKG3n+kMw3}t0yu(=3QQBkq7vVQv(iM8X>8j8h~KDObAgKUXL)-s8kZ_~dLWd3%k2asfp+)FI)ydlrQBBaO3l3~2JZ(M@Matazc;ha$aI-ye zFZBB$_2f-=Z*q(q{9R%%G=q*IbfDEZX4sJHlVwKxQ+jYSowlU4=uk`D``54jC1>(7 z^n=+H!o*sdy&+i+uh%pBuDyDAu~gXso9^dB9u=*;ik=gwI$}Pv)hagWN>YnBWd|Mt zV=Y^=dC_mws=e*(FsQ8Z@ZcI2FFgF&QUOb>Fm+hx^YcCEZPEVp1oLGkZ;^^X;2A`8 z1BuW}7ImklPTz#yLGKtZ?Yxsz2+P=`u&zi&-obIdKHV_Z*ZBk4y&j;Gf*;5}Q>6MOCgfahMjI|F&#nCLj&HF(TS*?cPFPgkk_E@Gqlp z)0T2*j1U47CYvdZHw+O-bd+#WS3qd!;Y0uo{?@+&#GRQ!u@d*4E3Z#= zavEHj$8tTGs-A~&NWNzr$jN*JARoWp#yy`MG;loY^l!e_4oH>~0r5^sRo6*$ZR3+a zNDSX-x#h2W}Zp^D` zS4S%0jNo#BpBo`y0;SlbB{T~kaF~-@24^2Rz(Hi~|c5*v5`9W)L9 z%U6rkHntY@vF@AQ*9lOy&LhUD{mo`%k4`or`imn*Mu&2+0nX2wr=>E)z@9Rq#h0bx zKPD)6J`8&KlRoEj5eULjpCUtUnk?DAQc=OwkO;&Wb|RYWBtE;_*RpSC^W0ZCCvTy z+TJvOTEB4m{FOn^J%dBTa$PgvF%vY2)C#O#v8?jW?C7R09=z&q>f}b35^62607viY zZED`N$bO}d`$CNO1!&EIyT{{U{vqTPA>BHDmv)2d^=(yw)H@B5n?VvkHOwh zBNE;9b)(r_WpIl6W$KT1*c&m_;Aynr{%*wvmIDMaR=HN6TrRSf%h>+8UHI&KUe?uE zfYT%|XT^QeoqG2R83BMx1N>LQFr)6ahb0ix;@CTKl~FT>p=6_tx+CTO?w6KcG?MTo zwcT5F?g#v`vc;n&UqbbkgKYaIIO?`_CxUV&Q8Lo5KUdt?zMCBczZsf zo7y52X&*#fzr4J_}nw+se-9#rs;3FYR}IKjxTSeCE&m)-&}-ACXW87AWDdN}GeQq3^K*2^_V$gqqNcus5TGD{v!M zDI!lb5WL zx1e7&$>GFgy7QqW*N4NJ>)wz+=5znD^Hyhjk~6Pxs7eDXNZ^{dhq!n_Jdn)3%vN)# zLz3Q)b#6VUXMdTK-t29R9x>tfwf1KLCB6GzF!f!Ua&8Gzsy9dJ)1Z19rD9s9lWTwX z&rK?Gi}j+mA}tva3IKLwGZp~5XrOr(%!Z|zR#P2gq&%j3&xW4o3k(r^W9|4Yn{DWnV#gH=8(_!^-n&VXd6Ui{*L?`jrRjoau5K zbT?M$>Pr0XK6k##=C|kgCwWOSY7aGqv{Y}Y{6-JA=3W601*f;7D@P##jhPK!0+~O> z$}ibIfbhcKwcdo`v1?8#kf!9mA+Ea`Nkn_TJVZaKhuFNU7oe+W^*aU{iZ{;m>N z0{huxIL&Mn_m=m-qIQ#YAJca~0ox(u!s4gGj0=K&#)VV(Z8~>#mG5Szls#IUg z3~a5u*0w_`rt(RhAJ8z9Gt$|brQ8YJtH$L8V?OZLS#HN!x`Mh?KKS!kNG`Z<>V`)# zA2rL?#*BcKq@scyBR~b=)w71SlYAUOFg?plv{84%WctLbRT7%2P6Beg z7d^_*G;MSj&2E>-a;PJkI8x{VODD(&og1(nK!@CdhOB`zt`>uc)pKSa@5 z84L|S&wpFJyTcgyAU+g;L7PW=rQ=;-5CX~`hE0j}@nVafIHzR7WI4XHat^On5$OJ3 z8gGFSsekA7@(8=7?X7oe@EG%Z=JeMZ9aAbq%M{kT)1v$4KZ9+nSqA*g#7!Ev|7NOu zNU{*X>3E~B z?2X7U;C|Ea?9P7S`P@^ugQ%c!<3#(MnV!$>a5cwhV?&zbJ}3`hb+EVZBu35~lo}YTXkTaY{YXy)?{CFJPxk|d<@zXs)AOD!uLu)TDjJbwE!mG~e zGJnr?%5}O9GB1&Fy*NwDq@Y{@Bm`^#N}OhtL^p)n{HMD>!oup#ENg7PAJZx*3f#MC z1Yd=LtIqcztxd2Vxc%@|8D<>wYo6~Lc+Ei5Cz=4%tqIbx14r;|mY%u>zh=P4&%7qc zfYa3mHap^(qfO46$ib>x$VoWHhnxdg9813Lb?uv_(__iO!IUp#3NXD@5`;a}&~)2W zx6=;u#B$5!SG+}1MIk;TH)EsS{C>5T%?;cnq#nDR20q2f#9(#wbIX5gMOx;Ap06l- zT+fTxHH`|&rz>u>P)ly4v$eyYR|rDFeqV-eS8npM48Z4?xpb|KwK=Va zaD0c&x7!BKxRcn2ru!vXGT_ya)1#38-OKz@yrhTsS>=+C$AydNLJES@M~F6H>lP~T zGEWo^0Gz);M#~)EZ@ghLuY*zG!~KAyfm_Zu_V4~+3j8*!UMzCI{@)Wsfbi8+{==%x zm&YE0P%9cVhj7fMo&vaGMq!=DTUaF2Z`T#Yi@VLo#SLO_CLwUk^-#M-Ob*NLO)P!L zl8Ti7F0l3~^>GdYq4@-AgZO?$*k_)4jwE46XNo5Z=tOPCGy4D_R4;{QD##Eq&fyHl z@9i5j2QH!HAk+``7oL+Ll1&Q|~uRAkpP%RPG|)RR1CA1JU!Q8NG+D)@g$foAcNz z^y=dJVCEx#4ZVku@0{nw3t00PEK0|Dq2Uk`OVg_uO-jTxkaq~Ydn6u%^{HLHs($GA zE$j1HEYe%NF!ZK4{SLez#etp87)<|-za%!8H{*o}V+uoN7^D9;O0Bk++45bGE0%UV zpMx`oK){I#H`?l(f!Ai6>EShLAAk3A{w4e8*B>iSc;~-`y071|g_hf-K|Uvo#5foE z^H+zaW$s9Tb+4tE-|hpztnGHDF7I>_@6$|a5??81noxL9|x#b9MGX?MCn3xt)y@!<@9@iGdE9u$) zeGt1%-haM@%_8sFZ*1!3dRsV~zU=LO%Acm{>(rpVa0UVZ`t;0}E{|>~U5^XsphF52 zJwyVq3;}P}L4clp)lND*F_>^cXE5pVBpqWH_U_gz_+pE3HZn3E8!_j!X@FD@o%oJ( zmC~OE;$4T)r}VE6Lr8%tYhURlDH3vMPl&j?8SCxTb)Vg=mTOjQo6mh%gttg@Uaoih zJ4^2!hPr5KFkg`kpPuXdc`&M@ERo`iZKp{Y{g{^r0$GI5NtX7}=apX^^Rqn- zHhU&rJURTg?6=1Mm;oLc`E-_`_pc{LUQh)iZ6jU_%?k`+d^pGlJ!!W#b8~@%DKM{F z0#%FO8-3NS~6L$$iZ)|3C zTY#z${+sQVliQ8JO(cNR^(!R%wok2$uFe+%IdXJeeVVH34#JPFb*#qe(uTZc9^^c9 zr*yi>(pq1bG+PWGyT%8s(8T4JD6R| zWW1!5^khF+o4n4argE1O$SdLFRvHboJR1Svw3Iv+KuQ(m|GKLj*LKG3$_4+S19*(M zj1FLNnLS;YdfP*>mAxx}x1!iwU({gtwP%Rb4-P=-dz^1b@73XUEG{{z(Opo&g34`|(jXyG@OwA$y}xvkjNyWVU*jB&SP@SvD` z`dch=8q})-Ay3geNaI~sDcncmWe_N$wzrZ2U$z}s$+ zkkfptZ@&M?sEZ_<=h)v4b}&nMzQ^(%741*kpBu}wS?*)%?Z!oJ7O;QJFz{Ccr(%4r zE`-JF8*rTetLpG?nL3@dJU@vo3Tj9KL(MydLf#$5sKly_W(?6Ts5399S5~Ch`W|@c+SXQP%%}ItnhJ5V{P2 zF{0Lt5^(SmV*jg+P7B_d?U@g9%%(sMb`#Pkq_wQFaVGnZ8;!W0=(=#i{jYfZZ>~x4 zOCVV~L&|JrC7q;7j8qXNXIG0D>PNAE-3pi~SYiSs$`%#}z4eQ>lA-FBPTbuK65-uY4slfa*ed(YaayKq(OK#m)3NNmZ~M&h5K>^i>LM-t zfH_o7&9fiFHX*x!T*-$R|Fv{cOj6~2jY&zw7 z8QL+I8_>H_Vy;qjnSTM@DH%$U<&{Y?yToGI`eo|nF0^#|gQ^8xur-bh9{o6u3Axn3O zF`v`+Q`~9Eui`oeOait6JFclb!FDR2<9nDm;Pyl=!)-}wTQd#@wlHA=H_2qHr2jV8 zQQ4lvKAM@%&J5uxUsCGyklc=|&mX8T`P+fyJt$udSLUzcJ<{>bM5sHC1QV5RI(ml} zve-ABoA`;&+R$)w`j_}{JgKnV^6wJ)bS^FBHQbj-kGI0S?IBcUG*3H%nm9s}mUn{< zlBT1XwZ-Z;Eyo_NQn0uirY9ntFR}ggI*6V5Z^TLGKe- zNE-?5w|s%7dE~UhniN&JrKw<@ld<o4ifcPbUa4*Z3q%wbZ{ z*id(Ol|s64kt)|^&KS)^28cyaQ#u-s6lTK0Gzz1r2EEbBk>EXSBzebmzi+j>ej2AU z)Pmb;=cVrV(VfmgbG&u|0RA%f)-PaxHlx?7jk$xYG^h}KefY`>3Q=P&GZcJCUV(Ob zl{v_=rhKuIKIffk!{FRvB7eNehoF^U(!7KUQ;AZ#zFU{=Vn8N&yV5~i21&H*C>s3m zmIr|G$V7+;Vu9PtwT{~REanmb-m~W(=Ey=33jd|P!A>u!?e-SuoEz9rkb$lS5Xi|g zh+mwkZ-pd3vk3Wbg*_o*?SaFk0!k%LwZBWjRQv){RvI22BPwEQPn*MIHBv9Notd^Z zQnk*ec2|+t$LfNV+Wf|TQgD0(*^1mSGDaY>LEana78VS~bcIqA%#C_(C_2EiEO!5X z?ek!R+6uF-h-~Ho9J$E%-iocRqsGa6PtK!*XZ_cgX*9j=NsN>fWlda36=YDRhe-D# zHFNlWa`uhaFJr@ZxR{!_<_B*A4GPQwm&5W4KBbH73j|aTW>vIH=uDC-)Xd;NKw*GF zw)R#xmm3@dtsZ7_>OXKvFZj<#eqjn?Aly9Qi)#%NWCZ>w_AeRsdi$r~TInIg0!mkC-kdPyTI#GDkNg|P>q zab2*LgAQ7HI*NaB`)5UofI_61ub#JI|6EN}9vkp#Vyd4eCg6Xk#^nAAJjkejFNhoDSOXnYkwoOmU%cF znHv=N;Wm&znfurtPhHdqc5bLZO5~m(gsRiNB3-P1_%S9^zr2voga}W6emSC|5a%;P z!PJaG7+MKR`V)eO1h|&Ruw%UJzEVd{TThY<8BQZv<>f-3N@N?r*Je*-0Ci&?u8s z z2X>xidTMO0I1+^PjPhIvUoWg zMBs5HhWAFHyhYNt-sT{H>}Ql)(nqLXOU|8n@G}S2VtOtyl-4VB<@g zQi@u=O?6t%wC`Mx*m>@vu6-|`2R{MV$|VE$L}GBq!kY~ws%`6 zF|q`~YOscIep%qO?Dv-X-Pi^=|9{62W$YJecA9X9Zfm{}%fu*+lE&Xx^+WFpcBTe! zo5Ovm7qsWHSps`I*^wy=Nr=BRyf*yITB4i*_H$ zBA>g4*9sa0BH=1ni(j+)4U!Jt%5_yFpxsif9*-M;bY+oNN?q^J$%M!fhLpLG=xOt4 z!uEM%dILnXD3_v@s<&^hMM&sFX_^wzl(@Pf7M>WzgqUZFm(2kgNYmcbzEZ56>W-BU zLamM83HUwiaBh%;%;trF)V}ol?BgXwFs^B6$HuW+I7+f$8XxW*#1?lU7b^j2k zz6WEtF1i8yP8)le3Onw5Sp7|ixOody66NEHHh9tFVRaPqC{_l=+XOV!Czu4+HmYc}yID8ai6k9=|ZGGt%>T80`e4EyimIuSzR57qA zWC!ogXJW%r8uJTtt1XH=dNMcd z2pHm+eA$Vod^#1`+n153CkSQc8X#0;Uv+EsaZq0W`)cd?-RXydh|fHJ&cA7;c4NHn zCMsQN(u#oxJ3-ntihNP2nj1Z#$q8AEPkJ>lGZFW1rXPFoS0i@#J3YUwoZwC)c?w1A zUl?+j|7o~2^{~kl%Q`R1$`}8ghBIP?iA#9yNyPY(wmJmQJCS7zwiFxyXRR!2$5s=v z*Xk9j+~Z;VX1#z!iB+qf#FZQewJ@|2X1N#TO%&Ig>qsZ}XBTSvc3;}sGXZCTseNq6 zS^FD%_2A}Uu@(0}$F`Pgg-@xLzNeNnpM35;eqepl8@m9Ln@2eRWLab|}-=aPojIH^zBA0pQC zEGd2qw+fQ+_t(*SYrbh{>c_IedO6731Ugk2R9<;A+i>?P=KTjObT92E7`pR z%BEj`)qtWJP}b@b2s}FlfbjqK0*hL}C`<~#IRRie&pVM6HNt!RJdLJQ7y^TY+g@E> z{riY?m?sx-}-V{8E$&6;8MMRl#G z9-1+)zWn!9UM}&bz>`E;IE)3E{LONzALrx?k$9r0AIRi9{=NF3#OB(W=?S+1SS<*6S#4D|D`Rq)bI|Y zYw+b!w3c_ZfY-ijXC8hlD{^|vy&oa$48$WgH#cLBNDuG|kB?m8N?`=Y8~# zs^m#DG?fYGf^~#PxMz*A?{7$VXkg{z8(9;9pn+(kL!6;-JbDUq6l#2Il8^=^!6P$; zF6M7%0??S~B;@o6PMYiw0nMcLEIVv>sD_ry zBGV_%6kfa@_Oi&y%OEJ?>NtT%g)%?E4(P0qw$Shgx6u>WF^b*1?-UzE@1fB3h1}z( z%@Sozvagy3sUAMGsp4bzwmiU>*=kt1eZflPs*9KSEq^>zp^fAM^GsR&TJJ7F%Kq4x z9um$vY{>J@yrC&&1A$S0nhkJ-rem4>XP_-&zmHA+^56d(JLbB}2PIroDwd{8`4pYC z9iB}}u?ef8ckuaKX#Tt(HcG>9TwMP(v{VPMuJEdM-glY}P5a9pQEXea^ccvE<(12< z`j>~vA%2v?8I4tG8q;9CV@MC%Ax(5oK9U zAzi$ZzF<}+sS;?=8Q9vU5NmJG=Y*iYeKfue87jkIyx{OeSg`8H6kP2M9i8pyR<>e6 zNxP#myUKB7-r1JlTj&tSNKO7UJ4o%S|W^5w+P} z!*Tr&e;)MN9 zb@57uNkNR{Da|jZkqLGQ8a*k-pvwu&43l$&=i&GEPQDnK%Xzy*w-^Atj}S zf;{_o8&DM$>QsC;<@S zU@@P|}OzZN9u<<>|wdr}w_Bh6)_YV24GUM(??77HKN0~9zHCIptljwn*a*&kautq=Um zIBGt3B-Bsi#s=wO9bPmGkB_S5`arz7DCCxxwnPD=`Ls92vN)lc$HC8>W4zrYC>ocN zvTWesH8Q^aTJYvED-X{`jUeIVT;o{nU*s!&t(VrKG(dcO#+x48sWcrKnyIGx1@%&m z%i5Szcl*ObblIlEv81duiIqKvAG_A?=c-rMgq3SA)Q3d(eqX=x*`NV|3^wu5>K3Fx z*dIEWlaeeOnPLgZH6v4N@P<$rH2jP@4kBqd(P-^uN|s*Yx$Nf2UKkc){Oh3S;m zv}F<6G|2m_2Uh&-H#XM>6s5xSfxq=xa?Z9YQldI1)*s+t^tN&FrwTMCTKr-H)$1?m z+jD9=3ocnM)$Wc%*cT$0L-IfSZN)Sn7=%a_+s)*!|FrSTy$7~$Q=Ne0Yj+i!aWuDI zLP|8ua|cm`@aVgFD10VPWL{X$HPyE0ILXfbYObz z))Sq8HEKyt|CA*`k1O{JU=4^+<9J9XWCxuc+V_X}1G*p(_f1n;$R!><2prjHE#*fK zrmoou+&KCLd~zwy?{^6&d@FT~y;!VO-dekBP*k-OXvFU0imsH!!h}yf+Cy*qiV z_AHYNTn{q~f2}Yb7OSRehJqT7#3!F~{9@5~YPuX@qD$9%Gbu#XqWZKLNj@x&#{mw&pEv43k$+oCYGn( zc$!`TCG1=!?CfI0gJOmoqM43RrTcC@D35e-vi)j(I{p@0W|A1Ye({bQkXr@ECC7C`RS;n{gnl9CM`R2KPgQK50cBQxM zY)?MlV4E?y4*Jnax8$%#80S}HU9 zGD?<{;2ea)crap>H(d-Uij{XheZ!HA9coUnv{2(h8eopS$HQNh(qkP4KAgt8BMS$F zx&B*e+II`p+2iZ?z7yCjU{QGUrv3A{l;xq*AN3cy>bQ!Ezczz;B479!nJX&36f1@# zOt+!qNR9%YLi^MwRZxKK84f4&oY}?%o*dLnr|#}GOk%Y_h)VL z&l}DEEg=QpYk~S=^@F&8P_cCso~+xdFGM+xeQ^f7zjUZH9lxw#B@%g_nl zx0I2=v*IvWi>C)*MCC(p`q%Nc|4583|4UcObq{NHmZUrpXz*4qQciAcK^v@q$7Exa z6jYUfN))}TL*7DXn&6=yz6S4-)$jno@uNmBzkY)#m-bew{(u%Us2#C6`dYp0kzx23 zCF5rEJ6}-Bvu{AFG*e^wW=?-h%dIyRfTr+@h}iy(xkvkFNm8YQ;v!cgKxKswiY;F$ z0NR?BfN#wI)QMawRGr`5pZ3~TAdoJf^M0Bww)bogP23M}Cz6By{SSpUL@E zplXSVx8+os1;Lh@Xast#{nZtEkwLx*;tYZg)2$j)?VmA^6ne-Lr{3mA^b{z+wX_&} z@1WtC%^=?YQ3Q18wp|W+mZQ_6l#fFv>Q0TD))eK ze!(@&%Ee+Ju2^ovq?As!riQnAarxZY&)8RDcYN*QitgztrX@DAl(Hm}qxynQ{{bg~ zy-1zc;$P6BS1>Ie+=Ucez`Dh);(KEgzi}G$LEvc@3 zcNVuqQ(8fOZe*;@poeoD5W}cDdG+SU?V3?e*ho>FM#i{{?`R?FhDN*hn9j18f*ZL zK}j|9c1)#2!IFY>w%FV`wD$~hXKT;={v&{5EUaVS4Gjl*?j%pKxUb#-jk@q2iQ6Oi z#c!ACKX?`D48xz;+-a#)Jbe@;n>%E~O>yk!YN6L@Phu-V!M7u1#xNRRxCtHYO|7-W zIhkrNIXPHm`Swrid1(h|J+`T;^GxJ5cB`cJi_0qq>5;{#dq6pLI$zdP@xtmiMZri> zx!cC@%4Tsnt&pSXn>X}p>m>IyF!s$<8O{kOY@E^llTvS>z@^E<2$N1+pSHGd;TkrW1{;rc)e;`{85>o3k0-z>Bm=+YlMOw_xeUr}W^nWLA`-Rj(GT!miT62FrLJsf6`AaVJ`Ad z#BUFBT3N`>BBpH83b!bkloCQn9nvaHcnjfD2k7Tvb|213nxr$|WJlx^fKzN`?;3`P zsS>J)O@VWS_ogaCN{KY(~#*%}aU$}sXO8UZ(LU@a}LT)e@NyWy-G zs3-9GHhCAqF+uN1ImdlX{47o?Cs%=+?D(U?qQGLp;=Gu z2|a(2Gne>TY{VC+zTvBNt2ewqr|tGdM?U{F?Jp|74d)?%uZsnU=VVd>O@1gy8ma+t zqMa*N2qO1N7y12%NJy?ffc{_i@-q&F{^w5~WyQ9AC=fJF?-&{u#kgTUv+ zbZ}UPfzou9;0VL&Luo8!^rF{H1voii7UnSY-x9y!43N0r!9=04crs87v_O!IKiUIb zFhKb*x}@a7)y=8g4UNkS9x~W*Gxmh*#PQ2JDO4yyuoqe^(Xe8O>$!2vNZVLK<^735 z<)ML4CNwOV(4sILrc;=L4w3Zl#d1(l$s0A$F_ITBFw>BdGOH+IP*8va6{8h63^H+$ zMdM(1e@zfu(9_VzL1;k%B!N)eNSBVFGm3_2x`0#Cy3{mu8#V>)pp1Xa=Yq5JIqq@Q4S%J zHo4_YPEqCw~-{3#eT-?wfD(YdA4)eT}_ceC@+ zUO+(pE!rLI#wj1PskMznU~^bNoPB3yHDXXa2zNUr4_|5bd1Em4$Rhu4kKlqJgv5s>U8DhO5~3zJ3_gcWXfJ z$fNQ3`B_5Hf_rzCgW(SkpiHE<%)_elZuX!{Fnz7%)N(?sa{IK;xwAF1AS*!dS-EsC zIS_exCt#SYr<{vQwxe2!yn-S$kSMBLEeJu258Kp`e#6>^wF>E-!bCe#aPDwOyF|R)&^x zdEG-U`?up0aKwB-T&Li!qqSm^M}FuOGLLj-0+Yi7q3Cr`X-70(Xe-c!YEE4rC5|+i zZ2NVr(`VlofAh%rPvaq`XhS#`77WsG@ga}YOf+y!yP+SKUMLst%vrZ!=*a0GXe!0+ zgXxdvI3(%oyJhU&uy`u+Ir-XB)&9|rK#S8g^zsUjd2N+AqK?A$*ALVdq#QZHB#6KT zkf9?}5JMf*kXRa>0L}-RLo1i{IqZ34kCr|3W`HZ|!fy0|_|@bTkdnnx|2MWgtM1JV zNwl}$^`nV(u0nm^y4$lpoSIz^&uico(86X`QzI3SlD#onwUO_mR*au%gwu@<@uz+f z&x*$Q>qEuiNYow$zO3dKVR}}2dY;y|&nTm?;)hK6+2WM&!x`jx<-+4^&=$??9`w0G z|9K6B0}+6v27KDom4W~LGJ6f(Phx(3Eb#^|O!gj?wX= zL3f=mFv;NorY-z8H`kq*V8@$$pU2)vR!A!jb4zNBgyX%d1N8nepvQ17)Ba6M7*4Cd zTF!vUlGmdwj0wN60ieg5^u(LT3=3KiB(@Tzc32)%3Sz|vR0LLh>EqkkYE|tATT7`y zfff@Km@1MG*vy%PIPCi^6t!2Y3dhZcdj)v;%l-C=5zfMEq>x1>VZB!Et8=-{B{bHCn!01POn1e5^X-&VUtfSZY>leF~K!0vav zg&rSs}B~dqp~AgU1us1Wh^Bz?3{2u_h~6A`pTzriw{jnt-#_p zZ^1kPV7n-wdy;}c)TJalnPiO0&MF@8BT5Em`!b%~Y}s`QIluh@l7z?+(-T8+AO}~M z3t7itigjB>hD!Ps&lnP+wSV~z>QNdTu%ZB6woE?YA+plz6#@b0M{{C#?UldUbhObFM zF_x4A)WG@P!+TPHfso9#q)Iub1o?xY=&%6kma}7dC`?LF#)n=D{WAI(&EI)ZyQ$(S zA5tzZkA>GAaaumR(c zgcn)JAr-jFH~HD9Ae&iB?PnO8G5FGPVQ(MDg>~_wp*IxJEsqA$;=qPeJ)M?eKg44F zp=rnu{jPg+Eb>^nt#4H%7=eLC!dcbh{gSeF_vL0 z#IfL5At*r*Tskz9Asj^SRH}Kg?!KfQxQq|FA!Ct`BbAZoW@cbwVhe{Wgu~oh3AO(e5XlOXGY6>L(V##0%+OSiwh;L2EVX$E9F2d@N@bBg2>rRum z1HI1o+>UD_dlE|uHRLZ`9ofB=P=YbLZNy~)b=3%j89&v*q$sf6!&5dr*_hYd5wCEZ zDH1%E#I^4D2$1~odNZ}0mmR2A4l85qZ zS?T2um7R$zM4>nm^l>HM*#=i-GEk)Y<2qQ7ItRU^#o2bi&tQNv%emA+L)h(2Jo6XVyTxKM zG3_R{?JKP2-}m&ObNP3JWicFk%J%dE%w1C(E)w4>cPaGt0I#&~!Y=VW6$g4GbEw9z zH$qy^=u6%CT2|}znjP{iEu*-K-=YZ9*E%<*SC^_vN~&-yLpUQe)%Bitb>T zqUYSRjGvL8k})IG1ts;Wn;NE?JuiE%!o~6D7z!MnPmm$bX&PlU8(oNM&9kIPY>+=u z#7FJv;^LjL;t)>i)Ypx|RfK)kM>AKi`*e-o&1(rQR0z|IOlav$7oUjfGz-wPzr*+q zx$Wt`2yS}bX*-6_*t^bPp&a~WYFZ|ott>H?@m3c zIMhdos0jCYf}BevxfrYRa2WSte{%+p)f2P-Hk3Q6oY&`E$<$aqsUzgZN6nTF-7NhT z&YEfMQy3x!x^&S(Gme226-w2Jg(#D0{+QMdJI?NiUVia;BVL7L9E z15o-J){CC8ebk=Cw((brqzlAgiLe?{B=7sf<_mhzTVLna!Lf#r3jXD^!WVU3HV%Bs zUF(Tj%>s*Jx}|PU8*9_?PEc-py&RP~$upGsYwFRAubpqrXHFhJJ@)8vOFCa7=6lU? z%6{8*R+*;qyQK^qC?p%+;3}By~I=xhPT- zlM)j@(v{$BC&r7o2!`8+n5l5jJMQf7&VKjecNA*0!Vq9%Q)3Rrimp6uKS<-V-d;m( zs$`WG6@7cTyw`ZMCOGqeuHJEdQ-XqdJ?~dNrMY2u>G!Q0w};`jP`ZcFhTJYE!>i{6 ziDXw)?}xO%dw&QZis-?`K1U1^iJ9|31-rUw>NlH{#LpnEW4YRgzKi!WutQDX-b$ao zxct^`*Y6i892~7W?=yH7RVGf}@ZK_p=)nDrO5-Ax2{C($NVcQzwwz)=kod7PHg+2J z=*u5;-w)Jkb=}5Ip0bWvK0pz(&LgsC)(fGZKd%{XKr_d3znk$2Zzejg@t6N%Ou^P- zE>v+8>CY$=b8WobF4_djDeU?uKJ?IcUPRTA+&r}37ofbeigabH-7JgVeQivcXJz%8 zR^%ZkGNgw|DR4}EJ0s;hD@jX7(7qhe);BiRo6Wr%zs|z^e&p(ntbKyQM~uinW4zj- z+a8hTVH0aT;Xc01TVlGJM(@h!s%@mN9_V;KemNa=Fep@D+9vu0y;fO~8a+=`&EjY5 zlLBg2S5ETsBIJpyL*EL$eqf%k#neJcY3XxKBcC$lsgm|P?b1%$$QYgPe}BYrwHwV( z3Old8+kV83&1qYpSKSxP*sSIQ^wS!SxvI=CZPlEU(?xYTDt1{GvyG;3@h z@K3KsZF^|`BA%MrJrmUa)c%!?{o}^1&IpOgF+2OIjN7AFykN;VGEN?PECLlOw@S}m-D*?xtV17LC$t~Vja#47?cX&)Btg4!Lm<%R+T230I`y`KJ-_~6h7pH}%V^cOP>hLb(<9kmy z%zdr6*}YUz`ZDA`-6wd}{Pg5*PQMZNfs^FYmy^P z8n!wPp1eYCcqy5@>g6X@)f9+bhui(9Q z(jR9;Mk0$W_4)9AgiA{1^o4@__Npv?DT`9?RB7~Z28jEXJmO(Ab!IhGRw;|;@j_&| zSjtMVW9Q~({@*8QDHN3WH1!e_OGKCI;Kaz^`rJz$P3cT;@e^8(1;!R%J{(j|H<9 z3NFtP@fd?mFCGrz@oi);paK! zqsNYBdU;H_<22!Bymu>pccH2>-yA?TxW?CXuDP$B6vY)}ncRw(lfGufL0eax|Gv=} z4!D~fXb)$9fZ;dI{S0BZ-Bfa45v$P$e6%S*7Ru9JkXf&F){R3)4=3epvE4w^ar<8k zj)zjA3)Bz_Qq1yYMUrIH?o9nrP5OI+5@3@UQ;9S8u^K*eZQEZmjBInkzl@g^nUkZz zL+jd|E;e?>rN_s*8GkbS{X|Z2BPlImGgepS&KFAt3l#GK>r3y?@6k)ECN5Z{4i$e{ zH(7R{7IhBox;IbhyeSvYm}4XZX=zWJd=L_41X6TR^0lA)no(C}Hz7UmLh4Z`n?u!Z z(YtX$o}QHMXUUoA(T4I1N>^PgyR*|7{TU)|Ds?xfrh;?;P6}&%A~V%$({Z2P1lwu3 bqXWsIKMd=&bvXq3*@NU|RHVzKOyU0rTkX@S From fd860e6c6985cfa2469fc78ae4d784bdf9a9a473 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 4 Dec 2021 10:23:59 +0000 Subject: [PATCH 462/657] flip RFP newwin max values, closes #1286 --- user.js | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/user.js b/user.js index af8b477..cf9df45 100644 --- a/user.js +++ b/user.js @@ -8,7 +8,7 @@ * README: 1. Consider using Tor Browser if it meets your needs or fits your threat model - * https://www.torproject.org/about/torusers.html.en + * https://2019.www.torproject.org/about/torusers.html 2. Required reading: Overview, Backing Up, Implementing, and Maintenance entries * https://github.com/arkenfox/user.js/wiki 3. If you skipped step 2, return to step 2 @@ -479,7 +479,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); * no unsafe renegotiations on the channel between the browser and the server. * [STATS] SSL Labs (July 2021) reports over 99% of sites have secure renegotiation [4] * [1] https://wiki.mozilla.org/Security:Renegotiation - * [2] https://tools.ietf.org/html/rfc5746 + * [2] https://datatracker.ietf.org/doc/html/rfc5746 * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 * [4] https://www.ssllabs.com/ssl-pulse/ ***/ user_pref("security.ssl.require_safe_negotiation", true); @@ -1031,12 +1031,11 @@ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs") * RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme * [1] https://bugzilla.mozilla.org/418986 ***/ user_pref("privacy.resistFingerprinting", true); -/* 4502: set new window sizes to round to hundreds [FF55+] [SETUP-CHROME] - * Width will round down to multiples of 200s and height to 100s, to fit your screen. - * The max values are a starting point to round from if you want some control +/* 4502: set new window size rounding max values [FF55+] + * [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to 100s, to fit your screen * [1] https://bugzilla.mozilla.org/1330882 ***/ - // user_pref("privacy.window.maxInnerWidth", 1000); - // user_pref("privacy.window.maxInnerHeight", 1000); +user_pref("privacy.window.maxInnerWidth", 1600); +user_pref("privacy.window.maxInnerHeight", 900); /* 4503: disable mozAddonManager Web API [FF57+] * [NOTE] To allow extensions to work on AMO, you also need 2662 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ @@ -1221,7 +1220,7 @@ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true] * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true] -/* 6050: prefsCleaner: reset previously active items removed from arkenfox FF91+ ***/ +/* 6050: prefsCleaner: reset previously active items removed from arkenfox FF92+ ***/ // placeholder /*** [SECTION 7000]: DON'T BOTHER ***/ From 9d61992c8cc2a46fb58ea79866aced25e3574d9b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 5 Dec 2021 19:49:32 +0000 Subject: [PATCH 463/657] don't clear offlineApps on shutdown, #1291 - in v94 we switched to cookies lifetime as session, so users could use site exceptions to retain selected cookies (to stay logged in one assumes) - that mean not deleting all cookies on shutdown - but some login methods/types require more than cookies and also need the "site data" part of "cookies + site data" - that's the offlineApps part - note: all site data (and cookies) is still cleared on close except site exceptions --- user.js | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index cf9df45..4087fc3 100644 --- a/user.js +++ b/user.js @@ -902,8 +902,9 @@ user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.formdata", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.history", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.sessions", true); // [DEFAULT: true] +user_pref("privacy.clearOnShutdown.offlineApps", false); // [DEFAULT: false] user_pref("privacy.clearOnShutdown.cookies", false); -user_pref("privacy.clearOnShutdown.offlineApps", true); + // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false] // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false] Site Preferences /* 2812: reset default items to clear with Ctrl-Shift-Del (to match 2811) [SETUP-CHROME] * This dialog can also be accessed from the menu History>Clear Recent History @@ -914,11 +915,11 @@ user_pref("privacy.cpd.cache", true); // [DEFAULT: true] user_pref("privacy.cpd.formdata", true); // [DEFAULT: true] user_pref("privacy.cpd.history", true); // [DEFAULT: true] user_pref("privacy.cpd.sessions", true); // [DEFAULT: true] +user_pref("privacy.cpd.offlineApps", false); // [DEFAULT: false] user_pref("privacy.cpd.cookies", false); -user_pref("privacy.cpd.offlineApps", true); // user_pref("privacy.cpd.downloads", true); // not used, see note above - // user_pref("privacy.cpd.passwords", false); // [DEFAULT: false] this is not listed - // user_pref("privacy.cpd.siteSettings", false); // [DEFAULT: false] Site Preferences + // user_pref("privacy.cpd.passwords", false); // [DEFAULT: false] not listed + // user_pref("privacy.cpd.siteSettings", false); // [DEFAULT: false] /* 2813: clear Session Restore data when sanitizing on shutdown or manually [FF34+] * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811) * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (also see 5008) From ec595c3b95909998695a714e96dfcf2a29823ba1 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 5 Dec 2021 19:59:33 +0000 Subject: [PATCH 464/657] fixup duplicate line --- user.js | 1 - 1 file changed, 1 deletion(-) diff --git a/user.js b/user.js index 4087fc3..5f06eb4 100644 --- a/user.js +++ b/user.js @@ -905,7 +905,6 @@ user_pref("privacy.clearOnShutdown.sessions", true); // [DEFAULT: true] user_pref("privacy.clearOnShutdown.offlineApps", false); // [DEFAULT: false] user_pref("privacy.clearOnShutdown.cookies", false); // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false] - // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false] Site Preferences /* 2812: reset default items to clear with Ctrl-Shift-Del (to match 2811) [SETUP-CHROME] * This dialog can also be accessed from the menu History>Clear Recent History * Firefox remembers your last choices. This will reset them when you start Firefox From b60a888da3c9df3862b9dbaff1b1ac2621e67db2 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 6 Dec 2021 14:45:47 +0000 Subject: [PATCH 465/657] update WebRTC, closes #1282 --- user.js | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/user.js b/user.js index 5f06eb4..6064f03 100644 --- a/user.js +++ b/user.js @@ -631,18 +631,25 @@ user_pref("privacy.userContext.ui.enabled", true); /*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!"); /* 2001: disable WebRTC (Web Real-Time Communication) - * [SETUP-WEB] WebRTC can leak your private network address from behind your VPN, but if this - * is not your threat model, and you want Real-Time Communication, this is the pref for you ***/ -user_pref("media.peerconnection.enabled", false); -/* 2002: limit WebRTC private network address leaks - * In FF70+ these settings match Mode 4 (Mode 3 in older versions) [3] + * Firefox uses mDNS hostname obfuscation on desktop (except Windows7/8) and the + * private IP is NEVER exposed, except if required in TRUSTED scenarios; i.e. after + * you grant device (microphone or camera) access + * [SETUP-HARDEN] Test first. Windows7/8 users only: behind a proxy who never use WebRTC * [TEST] https://browserleaks.com/webrtc - * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713 - * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy - * [3] https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12#section-5.2 ***/ + * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ + * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/ + // user_pref("media.peerconnection.enabled", false); +/* 2002: force WebRTC inside the proxy [FF70+] ***/ +user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); +/* 2003: force a single network interface for ICE candidates generation [FF42+] + * When using a system-wide proxy, it uses the proxy interface + * [1] https://developer.mozilla.org/en-US/docs/Web/API/RTCIceCandidate + * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/ user_pref("media.peerconnection.ice.default_address_only", true); -user_pref("media.peerconnection.ice.no_host", true); // [FF51+] -user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+] +/* 2004: force exclusion of private IPs from ICE candidates [FF51+] + * [SETUP-HARDEN] This will protect your private IP even in TRUSTED scenarios after you + * grant device access, but often results in breakage on video-conferencing platforms ***/ + // user_pref("media.peerconnection.ice.no_host", true); /* 2020: disable GMP (Gecko Media Plugins) * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/ // user_pref("media.gmp-provider.enabled", false); From fec5168203edf80768d67fef3eda664b0c899cc6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 8 Dec 2021 04:28:47 +0000 Subject: [PATCH 466/657] 95 deprecated --- user.js | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 6064f03..69e0fae 100644 --- a/user.js +++ b/user.js @@ -370,9 +370,9 @@ user_pref("browser.urlbar.speculativeConnect.enabled", false); * [1] https://bugzilla.mozilla.org/1642623 ***/ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); /* 0807: disable location bar contextual suggestions [FF92+] - * [SETTING] Privacy & Security>Address Bar>Contextual Suggestions + * [SETTING] Privacy & Security>Address Bar>Suggestions from... * [1] https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/ ***/ -user_pref("browser.urlbar.suggest.quicksuggest", false); +user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // [FF95+] user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); /* 0808: disable tab-to-search [FF85+] * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search @@ -1363,11 +1363,11 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc // user_pref("full-screen-api.warning.timeout", 0); /* APPEARANCE ***/ // user_pref("browser.download.autohideButton", false); // [FF57+] - // user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF] - // 0=light, 1=dark: with RFP this only affects chrome // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent // user_pref("ui.prefersReducedMotion", 1); // disable chrome animations [FF77+] [RESTART] [HIDDEN PREF] // 0=no-preference, 1=reduce: with RFP this only affects chrome + // user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF] + // 0=light, 1=dark: with RFP this only affects chrome /* CONTENT BEHAVIOR ***/ // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type" // user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX] @@ -1411,6 +1411,10 @@ user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is m // 1402: limit font visibility (Windows, Mac, some Linux) [FF79+] - replaced by new 1402 // [-] https://bugzilla.mozilla.org/1715507 // user_pref("layout.css.font-visibility.level", 1); +// FF95 +// 0807: disable location bar contextual suggestions [FF92+] - replaced by new 0807 + // [-] https://bugzilla.mozilla.org/1735976 +user_pref("browser.urlbar.suggest.quicksuggest", false); // ***/ /* END: internal custom pref to test for syntax errors ***/ From 7e1b92567ca2bb76ad358d0fc786fd60b3cf7970 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 8 Dec 2021 12:13:47 +0000 Subject: [PATCH 467/657] 95 final --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 69e0fae..af1d2a6 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 24 November 2021 -* version 95-alpha +* date: 8 December 2021 +* version 95 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt From 72cc4d176ea08b4373e437f9f3f44e92da547c92 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 11:41:18 +0000 Subject: [PATCH 468/657] 0706: network.proxy.allow_bypass, closes #1292 --- user.js | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index af1d2a6..c0993af 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 8 December 2021 -* version 95 +* date: 9 December 2021 +* version 96-alpha * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -327,6 +327,12 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] * [SETUP-CHROME] If you use a proxy and you trust your extensions * [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/ // user_pref("network.proxy.failover_direct", false); +/* 0706: disable proxy bypass for system request failures [FF95+] + * RemoteSettings, UpdateService, Telemetry [1] + * [WARNING] If false, this will break the fallback for some security features + * [SETUP-CHROME] If you use a proxy and you understand the security impact + * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 ***/ + // user_pref("network.proxy.allow_bypass", false); // [HIDDEN PREF] /* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+] * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off * see "doh-rollout.home-region": USA Feb 2020, Canada July 2021 [3] From fe75baa79f407c2dd2368c4170265c10f0904da9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 11:44:51 +0000 Subject: [PATCH 469/657] move DNT to DON'T BOTHER --- user.js | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index c0993af..3784ca6 100644 --- a/user.js +++ b/user.js @@ -612,10 +612,6 @@ user_pref("network.http.referer.XOriginPolicy", 2); /* 1602: control the amount of cross-origin information to send [FF52+] * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ user_pref("network.http.referer.XOriginTrimmingPolicy", 2); -/* 1603: enable the DNT (Do Not Track) HTTP header - * [NOTE] DNT is enforced with Enhanced Tracking Protection (2710) - * [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal... ***/ - // user_pref("privacy.donottrackheader.enabled", true); /*** [SECTION 1700]: CONTAINERS Check out Temporary Containers [2], read the article [3], and visit the wiki/repo [4] @@ -1318,6 +1314,9 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [WHY] It can compromise security. System addons ship with prefs, use those ***/ // user_pref("extensions.systemAddon.update.enabled", false); // [FF62+] // user_pref("extensions.systemAddon.update.url", ""); // [FF44+] +/* 7015: enable the DNT (Do Not Track) HTTP header + * [WHY] DNT is enforced with Tracking Protection (2710) ***/ + // user_pref("privacy.donottrackheader.enabled", true); /*** [SECTION 8000]: DON'T BOTHER: NON-RFP [WHY] They are insufficient to help anti-fingerprinting and do more harm than good From f7bba92c71cc71455b0128fc4f4c739eae1cca16 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 12:28:45 +0000 Subject: [PATCH 470/657] cleanout FPI section farewell parrot --- user.js | 39 ++------------------------------------- 1 file changed, 2 insertions(+), 37 deletions(-) diff --git a/user.js b/user.js index 3784ca6..e1475cc 100644 --- a/user.js +++ b/user.js @@ -941,45 +941,10 @@ user_pref("privacy.cpd.cookies", false); * which will display a blank value, and are not guaranteed to work ***/ user_pref("privacy.sanitize.timeSpan", 0); -/*** [SECTION 4000]: FPI (FIRST PARTY ISOLATION) - 1278037 - indexedDB (FF51+) - 1277803 - favicons (FF52+) - 1264562 - OCSP cache (FF52+) - 1268726 - Shared Workers (FF52+) - 1316283 - SSL session cache (FF52+) - 1317927 - media cache (FF53+) - 1323644 - HSTS and HPKP (FF54+) - 1334690 - HTTP Alternative Services (FF54+) - 1334693 - SPDY/HTTP2 (FF55+) - 1337893 - DNS cache (FF55+) - 1344170 - blob: URI (FF55+) - 1300671 - data:, about: URLs (FF55+) - 1473247 - IP addresses (FF63+) - 1542309 - top-level domain URLs when host is in the public suffix list (FF68+) - 1506693 - pdfjs range-based requests (FF68+) - 1330467 - site permissions (FF69+) - 1534339 - IPv6 (FF73+) - 1721858 - WebSocket (FF92+) -***/ +/*** [SECTION 4000]: FPI (FIRST PARTY ISOLATION) ***/ user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out"); -/* 4001: enable First Party Isolation [FF51+] - * [SETUP-WEB] Breaks some cross-origin logins - * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/ +/* 4001: enable First Party Isolation [FF51+] ***/ user_pref("privacy.firstparty.isolate", true); -/* 4002: enforce FPI restriction for window.opener [FF54+] - * [NOTE] Setting this to false may reduce the breakage in 4001 - * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But - * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute [2][3] - * The 2nd pref removes that limitation and will only allow communication if FPDs also match - * [1] https://bugzilla.mozilla.org/1319773#c22 - * [2] https://bugzilla.mozilla.org/1492607 - * [3] https://developer.mozilla.org/docs/Web/API/Window/postMessage ***/ - // user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true] - // user_pref("privacy.firstparty.isolate.block_post_message", true); -/* 4003: enable scheme with FPI [FF78+] - * [NOTE] Experimental: existing data and site permissions are incompatible - * and some site exceptions may not work e.g. HTTPS-only mode (1244) ***/ - // user_pref("privacy.firstparty.isolate.use_site", true); /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING) RFP covers a wide range of ongoing fingerprinting solutions. From 97322d6e8bcf5082cfee601e480c520f0008a422 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 12:31:38 +0000 Subject: [PATCH 471/657] various inactive FPI prefs --- scratchpad-scripts/arkenfox-clear-removed.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index cc8d330..17e39e2 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -13,6 +13,10 @@ const aPREFS = [ /* removed in arkenfox user.js */ + /* 92+ */ + 'privacy.firstparty.isolate.block_post_message', + 'privacy.firstparty.isolate.restrict_opener_access', + 'privacy.firstparty.isolate.use_site', /* 79-91 */ 'alerts.showFavicons', 'browser.newtabpage.activity-stream.asrouter.providers.snippets', From 0634a568efeca4d837a34dae47b1a3b14c85dccd Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 13:45:46 +0000 Subject: [PATCH 472/657] remove redundant site data prefs we've never used these - service workers are disabled (or soon to be covered by dFPI when enabled) and sanitizing is already done (or will be done via enhanced cookie cleaning) - storage API, storage access API: we sanitize on close, and sites are isolated by eTLD+1 --- user.js | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/user.js b/user.js index e1475cc..f26212d 100644 --- a/user.js +++ b/user.js @@ -856,21 +856,6 @@ user_pref("privacy.trackingprotection.enabled", true); user_pref("privacy.trackingprotection.socialtracking.enabled", true); // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] -/* 2740: disable service worker cache and cache storage - * [NOTE] We clear service worker cache on exit (2811) - * [1] https://w3c.github.io/ServiceWorker/#privacy ***/ - // user_pref("dom.caches.enabled", false); -/* 2750: disable Storage API [FF51+] - * The API gives sites the ability to find out how much space they can use, how much - * they are already using, and even control whether or not they need to be alerted - * before the user agent disposes of site data in order to make room for other things. - * [1] https://developer.mozilla.org/docs/Web/API/StorageManager - * [2] https://developer.mozilla.org/docs/Web/API/Storage_API - * [3] https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/ - // user_pref("dom.storageManager.enabled", false); -/* 2755: disable Storage Access API [FF65+] - * [1] https://developer.mozilla.org/docs/Web/API/Storage_Access_API ***/ - // user_pref("dom.storage_access.enabled", false); /* 2760: enable Local Storage Next Generation (LSNG) [FF65+] ***/ user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] From 83602baa38e70bf8a4a87837ab1cc5f5cff87bf8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 13:47:57 +0000 Subject: [PATCH 473/657] misc site storage/data prefs been inactive since jesus was a baby --- scratchpad-scripts/arkenfox-clear-removed.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index 17e39e2..b78cc94 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -14,6 +14,9 @@ const aPREFS = [ /* removed in arkenfox user.js */ /* 92+ */ + 'dom.caches.enabled', + 'dom.storageManager.enabled', + 'dom.storage_access.enabled', 'privacy.firstparty.isolate.block_post_message', 'privacy.firstparty.isolate.restrict_opener_access', 'privacy.firstparty.isolate.use_site', From 1fc43574d6cb0a229892738d7b9117a4e4f1fa2c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 14:00:21 +0000 Subject: [PATCH 474/657] move "cookie" permission info into 2801 --- user.js | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/user.js b/user.js index f26212d..298366f 100644 --- a/user.js +++ b/user.js @@ -54,7 +54,7 @@ 2300: WEB WORKERS 2400: DOM (DOCUMENT OBJECT MODEL) 2600: MISCELLANEOUS - 2700: PERSISTENT STORAGE + 2700: ETP (ENHANCED TRACKING PROTECTION) 2800: SHUTDOWN & SANITIZING 4000: FPI (FIRST PARTY ISOLATION) 4500: RFP (RESIST FINGERPRINTING) @@ -819,19 +819,7 @@ user_pref("extensions.postDownloadThirdPartyPrompt", false); * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ // user_pref("extensions.webextensions.restrictedDomains", ""); -/*** [SECTION 2700]: PERSISTENT STORAGE - Data SET by websites including - cookies : profile\cookies.sqlite - localStorage : profile\webappsstore.sqlite - indexedDB : profile\storage\default - serviceWorkers : - - [NOTE] indexedDB and serviceWorkers are not available in Private Browsing Mode - [NOTE] Blocking cookies also blocks websites access to: localStorage (incl. sessionStorage), - indexedDB, sharedWorker, and serviceWorker (and therefore service worker cache and notifications) - If you set a site exception for cookies (either "Allow" or "Allow for Session") then they become - accessible to websites except shared/service workers where the cookie setting must be "Allow" -***/ +/*** [SECTION 2700]: ETP (Enhanced Tracking Protection) ***/ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!"); /* 2701: disable or isolate 3rd-party cookies and site-data [SETUP-WEB] * 0 = Accept cookies and site data @@ -864,6 +852,8 @@ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!" /** COOKIES + SITE DATA : ALLOWS EXCEPTIONS ***/ /* 2801: delete cookies and site data on exit * 0=keep until they expire (default), 2=keep until you close Firefox + * [NOTE] A "cookie" permission also controls localStorage/sessionStorage, idexedDB. + * sharedWorkers and serviceWorkers required an `Allow` permission * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow * If using FPI the syntax must be https://example.com/^firstPartyDomain=example.com From 5d508e42422ab910dfd3155f223f0a0cab216808 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 14:05:47 +0000 Subject: [PATCH 475/657] move LSNG to don't touch --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 298366f..580d006 100644 --- a/user.js +++ b/user.js @@ -844,8 +844,6 @@ user_pref("privacy.trackingprotection.enabled", true); user_pref("privacy.trackingprotection.socialtracking.enabled", true); // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] -/* 2760: enable Local Storage Next Generation (LSNG) [FF65+] ***/ -user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); @@ -1169,6 +1167,8 @@ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true] * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true] +/* 0607: enforce Local Storage Next Generation (LSNG) [FF65+] ***/ +user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] /* 6050: prefsCleaner: reset previously active items removed from arkenfox FF92+ ***/ // placeholder From de28689e76f16820f4e34acb3fc850b2b47418df Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 14:13:39 +0000 Subject: [PATCH 476/657] flip from FPI to dFPI I will tidy and expand 2700 entries later --- user.js | 52 ++++++++++++++++++++-------------------------------- 1 file changed, 20 insertions(+), 32 deletions(-) diff --git a/user.js b/user.js index 580d006..d00c8e5 100644 --- a/user.js +++ b/user.js @@ -56,7 +56,6 @@ 2600: MISCELLANEOUS 2700: ETP (ENHANCED TRACKING PROTECTION) 2800: SHUTDOWN & SANITIZING - 4000: FPI (FIRST PARTY ISOLATION) 4500: RFP (RESIST FINGERPRINTING) 5000: OPTIONAL OPSEC 5500: OPTIONAL HARDENING @@ -819,31 +818,14 @@ user_pref("extensions.postDownloadThirdPartyPrompt", false); * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ // user_pref("extensions.webextensions.restrictedDomains", ""); -/*** [SECTION 2700]: ETP (Enhanced Tracking Protection) ***/ +/*** [SECTION 2700]: ETP (ENHANCED TRACKING PROTECTION) ***/ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!"); -/* 2701: disable or isolate 3rd-party cookies and site-data [SETUP-WEB] - * 0 = Accept cookies and site data - * 1 = (Block) All third-party cookies - * 2 = (Block) All cookies - * 3 = (Block) Cookies from unvisited websites - * 4 = (Block) Cross-site tracking cookies (default) - * 5 = (Isolate All) Cross-site cookies (TCP: Total Cookie Protection / dFPI: dynamic FPI) [1] (FF86+) - * Option 5 with FPI enabled (4001) is ignored and not shown, and option 4 used instead - * [NOTE] You can set cookie exceptions under site permissions or use an extension - * [NOTE] Enforcing category to custom ensures ETP related prefs are always honored - * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies - * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ ***/ -user_pref("network.cookie.cookieBehavior", 1); -user_pref("browser.contentblocking.category", "custom"); -/* 2710: enable Enhanced Tracking Protection (ETP) in all windows - * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Tracking content +/* 2701: enable Enhanced Tracking Protection's (ETP) Strict Mode [FF86+] + * Strict Mode enables Total Cookie Protection (dFPI /dynamic FPI) + * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ * [SETTING] to add site exceptions: Urlbar>ETP Shield * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/ -user_pref("privacy.trackingprotection.enabled", true); -/* 2711: enable various ETP lists ***/ -user_pref("privacy.trackingprotection.socialtracking.enabled", true); - // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] - // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] +user_pref("browser.contentblocking.category", "strict"); /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); @@ -914,11 +896,6 @@ user_pref("privacy.cpd.cookies", false); * which will display a blank value, and are not guaranteed to work ***/ user_pref("privacy.sanitize.timeSpan", 0); -/*** [SECTION 4000]: FPI (FIRST PARTY ISOLATION) ***/ -user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out"); -/* 4001: enable First Party Isolation [FF51+] ***/ -user_pref("privacy.firstparty.isolate", true); - /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING) RFP covers a wide range of ongoing fingerprinting solutions. It is an all-or-nothing buy in: you cannot pick and choose what parts you want @@ -1169,6 +1146,10 @@ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true] user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true] /* 0607: enforce Local Storage Next Generation (LSNG) [FF65+] ***/ user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] +/* 6008: enforce no First Party Isolation [FF51+] + * [WARNING] FPI is no longer supported and is replaced by network partitioning (FF85+) + * and dFPI (2701), and enabling FPI disables those ***/ +user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false] /* 6050: prefsCleaner: reset previously active items removed from arkenfox FF92+ ***/ // placeholder @@ -1210,8 +1191,8 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] // user_pref("security.tls.version.max", 4); /* 7005: disable SSL session IDs [FF36+] - * [WHY] Passive fingerprinting and perf costs. These are session-only and isolated - * with network partitioning (FF85+) or when using FPI and/or containers ***/ + * [WHY] Passive fingerprinting and perf costs. These are session-only + * and isolated with network partitioning (FF85+) and/or containers ***/ // user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF] /* 7006: onions * [WHY] Firefox doesn't support hidden services. Use Tor Browser ***/ @@ -1234,7 +1215,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("network.http.spdy.enabled.http2", false); // user_pref("network.http.spdy.websockets", false); // [FF65+] /* 7010: disable HTTP Alternative Services [FF37+] - * [WHY] Already isolated by network partitioning (FF85+) or FPI ***/ + * [WHY] Already isolated by network partitioning (FF85+) ***/ // user_pref("network.http.altsvc.enabled", false); // user_pref("network.http.altsvc.oe", false); // [DEFAULT: false FF94+] /* 7011: disable website control over browser right-click context menu @@ -1255,8 +1236,15 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("extensions.systemAddon.update.enabled", false); // [FF62+] // user_pref("extensions.systemAddon.update.url", ""); // [FF44+] /* 7015: enable the DNT (Do Not Track) HTTP header - * [WHY] DNT is enforced with Tracking Protection (2710) ***/ + * [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict (2701) ***/ // user_pref("privacy.donottrackheader.enabled", true); +/* 7016: customize ETP settings + * [WHY] Just use strict which sets these at runtime (2701) ***/ + // user_pref("network.cookie.cookieBehavior", 5); + // user_pref("privacy.trackingprotection.enabled", true); + // user_pref("privacy.trackingprotection.socialtracking.enabled", true); + // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] + // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] /*** [SECTION 8000]: DON'T BOTHER: NON-RFP [WHY] They are insufficient to help anti-fingerprinting and do more harm than good From 4d5abd6cc39ab67a52578c7849e1076198009925 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 14:18:25 +0000 Subject: [PATCH 477/657] tweak 8000 title lets not encourage non-RFP users to see this as a sign to use them --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index d00c8e5..12dfb76 100644 --- a/user.js +++ b/user.js @@ -61,7 +61,7 @@ 5500: OPTIONAL HARDENING 6000: DON'T TOUCH 7000: DON'T BOTHER - 8000: DON'T BOTHER: NON-RFP + 8000: DON'T BOTHER: FINGERPRINTING 9000: PERSONAL 9999: DEPRECATED / REMOVED / LEGACY / RENAMED @@ -1246,7 +1246,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] -/*** [SECTION 8000]: DON'T BOTHER: NON-RFP +/*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING [WHY] They are insufficient to help anti-fingerprinting and do more harm than good [WARNING] DO NOT USE with RFP. RFP already covers these and they can interfere ***/ From 8860c90abf5c1fb0f87661c3327ae4e75992be13 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 14:31:41 +0000 Subject: [PATCH 478/657] make service workers inactive currently 3rd party service workers are blocked in FF95 when dFPI is enabled (which this version has should anyone update to 96-alpha) - but I get an error even on first party - https://arkenfox.github.io/TZP/tzp.html#storage - I get : service worker | test : enabled | failed: SecurityError in FF96+ service workers they are covered by dFPI - see https://bugzilla.mozilla.org/show_bug.cgi?id=1731999 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 12dfb76..8e93194 100644 --- a/user.js +++ b/user.js @@ -698,7 +698,7 @@ user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!"); * service worker notifications (2304), push notifications (disabled, 2305) and service worker * cache (2740). If you enable this pref, then check those settings as well * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1320796#c7 ***/ -user_pref("dom.serviceWorkers.enabled", false); + // user_pref("dom.serviceWorkers.enabled", false); /* 2304: disable Web Notifications * [NOTE] Web Notifications can also use service workers (2302) and are behind a prompt (7002) * [1] https://developer.mozilla.org/docs/Web/API/Notifications_API ***/ From d5bc6715cd3d416b5c09af6be8d5a561df9de19a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 16:14:36 +0000 Subject: [PATCH 479/657] remove web workers section farewell parrot --- user.js | 67 ++++++++++++++++++--------------------------------------- 1 file changed, 21 insertions(+), 46 deletions(-) diff --git a/user.js b/user.js index 8e93194..aca695b 100644 --- a/user.js +++ b/user.js @@ -51,7 +51,6 @@ 1600: HEADERS / REFERERS 1700: CONTAINERS 2000: PLUGINS / MEDIA / WEBRTC - 2300: WEB WORKERS 2400: DOM (DOCUMENT OBJECT MODEL) 2600: MISCELLANEOUS 2700: ETP (ENHANCED TRACKING PROTECTION) @@ -675,46 +674,6 @@ user_pref("media.eme.enabled", false); * [1] https://support.mozilla.org/questions/1293231 ***/ user_pref("media.autoplay.blocking_policy", 2); -/*** [SECTION 2300]: WEB WORKERS - A worker is a JS "background task" running in a global context, i.e. it is different from - the current window. Workers can spawn new workers (must be the same origin & scheme), - including service and shared workers. Shared workers can be utilized by multiple scripts and - communicate between browsing contexts (windows/tabs/iframes) and can even control your cache. - - [1] Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API - [2] Worker: https://developer.mozilla.org/docs/Web/API/Worker - [3] Service Worker: https://developer.mozilla.org/docs/Web/API/Service_Worker_API - [4] SharedWorker: https://developer.mozilla.org/docs/Web/API/SharedWorker - [5] ChromeWorker: https://developer.mozilla.org/docs/Web/API/ChromeWorker - [6] Notifications: https://support.mozilla.org/questions/1165867#answer-981820 -***/ -user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!"); -/* 2302: disable service workers [FF32, FF44-compat] - * Service workers essentially act as proxy servers that sit between web apps, and the - * browser and network, are event driven, and can control the web page/site they are associated - * with, intercepting and modifying navigation and resource requests, and caching resources. - * [NOTE] Service workers require HTTPS, have no DOM access, and are not supported in PB mode [1] - * [SETUP-WEB] Disabling service workers will break some sites. This pref is required true for - * service worker notifications (2304), push notifications (disabled, 2305) and service worker - * cache (2740). If you enable this pref, then check those settings as well - * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1320796#c7 ***/ - // user_pref("dom.serviceWorkers.enabled", false); -/* 2304: disable Web Notifications - * [NOTE] Web Notifications can also use service workers (2302) and are behind a prompt (7002) - * [1] https://developer.mozilla.org/docs/Web/API/Notifications_API ***/ - // user_pref("dom.webnotifications.enabled", false); // [FF22+] - // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+] -/* 2305: disable Push Notifications [FF44+] - * Push is an API that allows websites to send you (subscribed) messages even when the site - * isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server - * [NOTE] Push requires service workers (2302) to subscribe to and display, and is behind - * a prompt (7002). Disabling service workers alone doesn't stop Firefox polling the - * Mozilla Push Server. To remove all subscriptions, reset your userAgentID. - * [1] https://support.mozilla.org/kb/push-notifications-firefox - * [2] https://developer.mozilla.org/docs/Web/API/Push_API ***/ -user_pref("dom.push.enabled", false); - // user_pref("dom.push.userAgentID", ""); - /*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) ***/ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!"); /* 2401: disable "Confirm you want to leave" dialog on page close @@ -728,6 +687,19 @@ user_pref("dom.disable_window_move_resize", true); user_pref("dom.disable_open_during_load", true); /* 2404: limit events that can cause a popup [SETUP-WEB] ***/ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); +/* 2410: disable Web Notifications + * [NOTE] Web Notifications are behind a prompt (7002) ***/ + // user_pref("dom.webnotifications.enabled", false); // [FF22+] + // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+] +/* 2411: disable Push Notifications [FF44+] + * Push allows websites to send you subscribed messages through Mozilla's Push Server, + * and requires service workers to subscribe to and display, and is behind a prompt (7002) + * [NOTE] Disabling service workers alone doesn't stop Firefox polling the Mozilla Push Server + * [NOTE] To remove all subscriptions, reset your userAgentID + * [1] https://support.mozilla.org/kb/push-notifications-firefox + * [2] https://developer.mozilla.org/docs/Web/API/Push_API ***/ +user_pref("dom.push.enabled", false); + // user_pref("dom.push.userAgentID", ""); /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); @@ -821,7 +793,7 @@ user_pref("extensions.postDownloadThirdPartyPrompt", false); /*** [SECTION 2700]: ETP (ENHANCED TRACKING PROTECTION) ***/ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!"); /* 2701: enable Enhanced Tracking Protection's (ETP) Strict Mode [FF86+] - * Strict Mode enables Total Cookie Protection (dFPI /dynamic FPI) + * [NOTE] ETP Strict Mode enables Total Cookie Protection (TCP) * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ * [SETTING] to add site exceptions: Urlbar>ETP Shield * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/ @@ -833,7 +805,7 @@ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!" /* 2801: delete cookies and site data on exit * 0=keep until they expire (default), 2=keep until you close Firefox * [NOTE] A "cookie" permission also controls localStorage/sessionStorage, idexedDB. - * sharedWorkers and serviceWorkers required an `Allow` permission + * sharedWorkers and serviceWorkers require an `Allow` permission * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow * If using FPI the syntax must be https://example.com/^firstPartyDomain=example.com @@ -1147,8 +1119,8 @@ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true] /* 0607: enforce Local Storage Next Generation (LSNG) [FF65+] ***/ user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] /* 6008: enforce no First Party Isolation [FF51+] - * [WARNING] FPI is no longer supported and is replaced by network partitioning (FF85+) - * and dFPI (2701), and enabling FPI disables those ***/ + * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701), + * and enabling FPI disables those. FPI is no longer maintained ***/ user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false] /* 6050: prefsCleaner: reset previously active items removed from arkenfox FF92+ ***/ // placeholder @@ -1215,7 +1187,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("network.http.spdy.enabled.http2", false); // user_pref("network.http.spdy.websockets", false); // [FF65+] /* 7010: disable HTTP Alternative Services [FF37+] - * [WHY] Already isolated by network partitioning (FF85+) ***/ + * [WHY] Already isolated with network partitioning (FF85+) ***/ // user_pref("network.http.altsvc.enabled", false); // user_pref("network.http.altsvc.oe", false); // [DEFAULT: false FF94+] /* 7011: disable website control over browser right-click context menu @@ -1245,6 +1217,9 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("privacy.trackingprotection.socialtracking.enabled", true); // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] +/* 7017: disable service workers [FF32, FF44-compat] + * [WHY] Already isolated (FF96+) with TCP (2701) or blocked in 3rd parties (FF95 or lower) ***/ + // user_pref("dom.serviceWorkers.enabled", false); /*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING [WHY] They are insufficient to help anti-fingerprinting and do more harm than good From d9f49bdf1fc7950bbaeb1882ee9e0d0fef31b9f9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 16:17:53 +0000 Subject: [PATCH 480/657] make 7017 clearer --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index aca695b..2c216a7 100644 --- a/user.js +++ b/user.js @@ -1218,7 +1218,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] /* 7017: disable service workers [FF32, FF44-compat] - * [WHY] Already isolated (FF96+) with TCP (2701) or blocked in 3rd parties (FF95 or lower) ***/ + * [WHY] Already isolated (FF96+) with TCP (2701) or blocked with TCP in 3rd parties (FF95 or lower) ***/ // user_pref("dom.serviceWorkers.enabled", false); /*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING From ec7cb6a491feced2ab2f89880fc3c0538dbdf130 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Dec 2021 17:17:52 +0000 Subject: [PATCH 481/657] 2702: partition service workers --- user.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 2c216a7..63579c1 100644 --- a/user.js +++ b/user.js @@ -798,6 +798,8 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin * [SETTING] to add site exceptions: Urlbar>ETP Shield * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/ user_pref("browser.contentblocking.category", "strict"); +/* 2702: enable state partitioning of service workers [FF96+] ***/ +user_pref("privacy.partition.serviceWorkers", true); /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); @@ -1218,7 +1220,8 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] /* 7017: disable service workers [FF32, FF44-compat] - * [WHY] Already isolated (FF96+) with TCP (2701) or blocked with TCP in 3rd parties (FF95 or lower) ***/ + * [WHY] Already isolated (FF96+) with TCP (2701) behind a pref (2702) + * or blocked with TCP in 3rd parties (FF95 or lower) ***/ // user_pref("dom.serviceWorkers.enabled", false); /*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING From 13e5fe17b195ac1e6aa04e57fdca9052f2cfee0e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 11 Dec 2021 06:56:43 +0000 Subject: [PATCH 482/657] remove rfpalts (#1288) --- updater.bat | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/updater.bat b/updater.bat index a806ca6..badd778 100644 --- a/updater.bat +++ b/updater.bat @@ -3,10 +3,10 @@ TITLE arkenfox user.js updater REM ## arkenfox user.js updater for Windows REM ## author: @claustromaniac -REM ## version: 4.14 +REM ## version: 4.15 REM ## instructions: https://github.com/arkenfox/user.js/wiki/3.3-Updater-Scripts -SET v=4.14 +SET v=4.15 VERIFY ON CD /D "%~dp0" @@ -23,7 +23,6 @@ IF /I "%~1"=="-merge" (SET _merge=1) IF /I "%~1"=="-updatebatch" (SET _updateb=1) IF /I "%~1"=="-singlebackup" (SET _singlebackup=1) IF /I "%~1"=="-esr" (SET _esr=1) -IF /I "%~1"=="-rfpalts" (SET _rfpalts=1) SHIFT GOTO parse :endparse @@ -141,10 +140,6 @@ IF EXIST user.js.new (DEL /F "user.js.new") CALL :message "Retrieving latest user.js file from github repository..." CALL :psdownload https://raw.githubusercontent.com/arkenfox/user.js/master/user.js "user.js.new" IF EXIST user.js.new ( - IF DEFINED _rfpalts ( - CALL :message "Activating RFP Alternatives section..." - CALL :activate user.js.new "[SETUP-non-RFP]" - ) IF DEFINED _esr ( CALL :message "Activating ESR section..." CALL :activate user.js.new ".x still uses all the following prefs" @@ -320,8 +315,6 @@ ECHO: Run without user input. CALL :message " -singleBackup" ECHO: Use a single backup file and overwrite it on new updates, instead of ECHO: cumulative backups. This was the default behaviour before v4.3. -CALL :message " -rfpAlts" -ECHO: Activate RFP Alternatives section CALL :message " -updateBatch" ECHO: Update the script itself on execution, before the normal routine. CALL :message "" From 1f0dc1853df76853f6559a2ddc99a4b98db76ea3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 11 Dec 2021 09:13:09 +0000 Subject: [PATCH 483/657] merge scratchpads into one --- scratchpad-scripts/arkenfox-clear-removed.js | 202 ++++++++++++++++++- 1 file changed, 199 insertions(+), 3 deletions(-) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-clear-removed.js index b78cc94..d928daf 100644 --- a/scratchpad-scripts/arkenfox-clear-removed.js +++ b/scratchpad-scripts/arkenfox-clear-removed.js @@ -1,7 +1,9 @@ /*** - This will reset the preferences that have been removed completely from the arkenfox user.js. + This will reset the preferences that have been + - removed from the arkenfox user.js. + - deprecated by Mozilla but used in the arkenfox user.js in the past - Last updated: 29-August-2021 + Last updated: 11-December-2021 For instructions see: https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] @@ -12,7 +14,201 @@ if ('undefined' === typeof(Services)) return alert('about:config needs to be the active tab!'); const aPREFS = [ - /* removed in arkenfox user.js */ + /* DEPRECATED */ + /* FF92+ */ + 'browser.urlbar.suggest.quicksuggest', // 95 + 'layout.css.font-visibility.level', // 94 + 'security.ssl3.rsa_des_ede3_sha', // 93 + /* FF79-91 */ + 'browser.cache.offline.storage.enable', + 'browser.download.hide_plugins_without_extensions', + 'browser.library.activity-stream.enabled', + 'browser.search.geoSpecificDefaults', + 'browser.search.geoSpecificDefaults.url', + 'dom.ipc.plugins.flash.subprocess.crashreporter.enabled', + 'dom.ipc.plugins.reportCrashURL', + 'dom.w3c_pointer_events.enabled', + 'intl.charset.fallback.override', + 'network.ftp.enabled', + 'plugin.state.flash', + 'security.mixed_content.block_object_subrequest', + 'security.ssl.errorReporting.automatic', + 'security.ssl.errorReporting.enabled', + 'security.ssl.errorReporting.url', + /* 69-78 */ + 'browser.newtabpage.activity-stream.telemetry.ping.endpoint', + 'browser.tabs.remote.allowLinkedWebInFileUriProcess', + 'browser.urlbar.oneOffSearches', + 'devtools.webide.autoinstallADBExtension', + 'devtools.webide.enabled', + 'dom.indexedDB.enabled', + 'extensions.blocklist.url', + 'geo.wifi.logging.enabled', + 'geo.wifi.uri', + 'gfx.downloadable_fonts.woff2.enabled', + 'media.autoplay.allow-muted', + 'media.autoplay.enabled.user-gestures-needed', + 'offline-apps.allow_by_default', + 'plugins.click_to_play', + 'privacy.userContext.longPressBehavior', + 'toolkit.cosmeticAnimations.enabled', + 'toolkit.telemetry.hybridContent.enabled', + 'webgl.disable-extensions', + /* 61-68 */ + 'app.update.enabled', + 'browser.aboutHomeSnippets.updateUrl', + 'browser.chrome.errorReporter.enabled', + 'browser.chrome.errorReporter.submitUrl', + 'browser.chrome.favicons', + 'browser.ctrlTab.previews', + 'browser.fixup.hide_user_pass', + 'browser.newtabpage.activity-stream.asrouter.userprefs.cfr', + 'browser.newtabpage.activity-stream.disableSnippets', + 'browser.onboarding.enabled', + 'browser.search.countryCode', + 'browser.urlbar.autocomplete.enabled', + 'devtools.webide.adbAddonURL', + 'devtools.webide.autoinstallADBHelper', + 'dom.event.highrestimestamp.enabled', + 'experiments.activeExperiment', + 'experiments.enabled', + 'experiments.manifest.uri', + 'experiments.supported', + 'lightweightThemes.update.enabled', + 'media.autoplay.enabled', + 'network.allow-experiments', + 'network.cookie.lifetime.days', + 'network.jar.block-remote-files', + 'network.jar.open-unsafe-types', + 'plugin.state.java', + 'security.csp.enable_violation_events', + 'security.csp.experimentalEnabled', + 'shield.savant.enabled', + /* 60 or earlier */ + 'browser.bookmarks.showRecentlyBookmarked', + 'browser.casting.enabled', + 'browser.crashReports.unsubmittedCheck.autoSubmit', + 'browser.formautofill.enabled', + 'browser.formfill.saveHttpsForms', + 'browser.fullscreen.animate', + 'browser.history.allowPopState', + 'browser.history.allowPushState', + 'browser.history.allowReplaceState', + 'browser.newtabpage.activity-stream.enabled', + 'browser.newtabpage.directory.ping', + 'browser.newtabpage.directory.source', + 'browser.newtabpage.enhanced', + 'browser.newtabpage.introShown', + 'browser.pocket.api', + 'browser.pocket.enabled', + 'browser.pocket.oAuthConsumerKey', + 'browser.pocket.site', + 'browser.polaris.enabled', + 'browser.safebrowsing.appRepURL', + 'browser.safebrowsing.enabled', + 'browser.safebrowsing.gethashURL', + 'browser.safebrowsing.malware.reportURL', + 'browser.safebrowsing.provider.google.appRepURL', + 'browser.safebrowsing.reportErrorURL', + 'browser.safebrowsing.reportGenericURL', + 'browser.safebrowsing.reportMalwareErrorURL', + 'browser.safebrowsing.reportMalwareMistakeURL', + 'browser.safebrowsing.reportMalwareURL', + 'browser.safebrowsing.reportPhishMistakeURL', + 'browser.safebrowsing.reportURL', + 'browser.safebrowsing.updateURL', + 'browser.search.showOneOffButtons', + 'browser.selfsupport.enabled', + 'browser.selfsupport.url', + 'browser.sessionstore.privacy_level_deferred', + 'browser.tabs.animate', + 'browser.trackingprotection.gethashURL', + 'browser.trackingprotection.updateURL', + 'browser.urlbar.unifiedcomplete', + 'browser.usedOnWindows10.introURL', + 'camera.control.autofocus_moving_callback.enabled', + 'camera.control.face_detection.enabled', + 'datareporting.healthreport.about.reportUrl', + 'datareporting.healthreport.about.reportUrlUnified', + 'datareporting.healthreport.documentServerURI', + 'datareporting.healthreport.service.enabled', + 'datareporting.policy.dataSubmissionEnabled.v2', + 'devtools.webide.autoinstallFxdtAdapters', + 'dom.archivereader.enabled', + 'dom.battery.enabled', + 'dom.beforeAfterKeyboardEvent.enabled', + 'dom.disable_image_src_set', + 'dom.disable_window_open_feature.scrollbars', + 'dom.disable_window_status_change', + 'dom.enable_user_timing', + 'dom.flyweb.enabled', + 'dom.idle-observers-api.enabled', + 'dom.keyboardevent.code.enabled', + 'dom.network.enabled', + 'dom.push.udp.wakeupEnabled', + 'dom.telephony.enabled', + 'dom.vr.oculus050.enabled', + 'dom.workers.enabled', + 'dom.workers.sharedWorkers.enabled', + 'extensions.formautofill.experimental', + 'extensions.screenshots.system-disabled', + 'extensions.shield-recipe-client.api_url', + 'extensions.shield-recipe-client.enabled', + 'full-screen-api.approval-required', + 'general.useragent.locale', + 'geo.security.allowinsecure', + 'intl.locale.matchOS', + 'loop.enabled', + 'loop.facebook.appId', + 'loop.facebook.enabled', + 'loop.facebook.fallbackUrl', + 'loop.facebook.shareUrl', + 'loop.feedback.formURL', + 'loop.feedback.manualFormURL', + 'loop.logDomains', + 'loop.server', + 'media.block-play-until-visible', + 'media.eme.apiVisible', + 'media.eme.chromium-api.enabled', + 'media.getusermedia.screensharing.allow_on_old_platforms', + 'media.getusermedia.screensharing.allowed_domains', + 'media.gmp-eme-adobe.autoupdate', + 'media.gmp-eme-adobe.enabled', + 'media.gmp-eme-adobe.visible', + 'network.http.referer.userControlPolicy', + 'network.http.sendSecureXSiteReferrer', + 'network.http.spdy.enabled.http2draft', + 'network.http.spdy.enabled.v3-1', + 'network.websocket.enabled', + 'pageThumbs.enabled', + 'pfs.datasource.url', + 'plugin.scan.Acrobat', + 'plugin.scan.Quicktime', + 'plugin.scan.WindowsMediaPlayer', + 'plugins.enumerable_names', + 'plugins.update.notifyUser', + 'plugins.update.url', + 'privacy.clearOnShutdown.passwords', + 'privacy.donottrackheader.value', + 'security.mixed_content.send_hsts_priming', + 'security.mixed_content.use_hsts', + 'security.ssl3.ecdhe_ecdsa_rc4_128_sha', + 'security.ssl3.ecdhe_rsa_rc4_128_sha', + 'security.ssl3.rsa_rc4_128_md5', + 'security.ssl3.rsa_rc4_128_sha', + 'security.tls.insecure_fallback_hosts.use_static_list', + 'security.tls.unrestricted_rc4_fallback', + 'security.xpconnect.plugin.unrestricted', + 'social.directories', + 'social.enabled', + 'social.remote-install.enabled', + 'social.share.activationPanelEnabled', + 'social.shareDirectory', + 'social.toast-notifications.enabled', + 'social.whitelist', + 'toolkit.telemetry.unifiedIsOptIn', + + /* REMOVED */ /* 92+ */ 'dom.caches.enabled', 'dom.storageManager.enabled', From 4ebabbb5692a25df6a5bf43911f13d078bb44e4e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 11 Dec 2021 09:13:51 +0000 Subject: [PATCH 484/657] Delete arkenfox-clear-deprecated.js --- .../arkenfox-clear-deprecated.js | 232 ------------------ 1 file changed, 232 deletions(-) delete mode 100644 scratchpad-scripts/arkenfox-clear-deprecated.js diff --git a/scratchpad-scripts/arkenfox-clear-deprecated.js b/scratchpad-scripts/arkenfox-clear-deprecated.js deleted file mode 100644 index 9ef8100..0000000 --- a/scratchpad-scripts/arkenfox-clear-deprecated.js +++ /dev/null @@ -1,232 +0,0 @@ -/*** - Version: up to and including FF/ESR91 - - This will reset the preferences that have been deprecated by Mozilla - and used in the arkenfox user.js - - It is in reverse order, so feel free to remove sections that do not apply - - For instructions see: - https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] -***/ - -(() => { - - if ('undefined' === typeof(Services)) return alert('about:config needs to be the active tab!'); - - const aPREFS = [ - /* deprecated */ - /* FF79-91 */ - 'browser.cache.offline.storage.enable', - 'browser.download.hide_plugins_without_extensions', - 'browser.library.activity-stream.enabled', - 'browser.search.geoSpecificDefaults', - 'browser.search.geoSpecificDefaults.url', - 'dom.ipc.plugins.flash.subprocess.crashreporter.enabled', - 'dom.ipc.plugins.reportCrashURL', - 'dom.w3c_pointer_events.enabled', - 'intl.charset.fallback.override', - 'network.ftp.enabled', - 'plugin.state.flash', - 'security.mixed_content.block_object_subrequest', - 'security.ssl.errorReporting.automatic', - 'security.ssl.errorReporting.enabled', - 'security.ssl.errorReporting.url', - /* 69-78 */ - 'browser.newtabpage.activity-stream.telemetry.ping.endpoint', - 'browser.tabs.remote.allowLinkedWebInFileUriProcess', - 'browser.urlbar.oneOffSearches', - 'devtools.webide.autoinstallADBExtension', - 'devtools.webide.enabled', - 'dom.indexedDB.enabled', - 'extensions.blocklist.url', - 'geo.wifi.logging.enabled', - 'geo.wifi.uri', - 'gfx.downloadable_fonts.woff2.enabled', - 'media.autoplay.allow-muted', - 'media.autoplay.enabled.user-gestures-needed', - 'offline-apps.allow_by_default', - 'plugins.click_to_play', - 'privacy.userContext.longPressBehavior', - 'toolkit.cosmeticAnimations.enabled', - 'toolkit.telemetry.hybridContent.enabled', - 'webgl.disable-extensions', - /* 61-68 */ - 'app.update.enabled', - 'browser.aboutHomeSnippets.updateUrl', - 'browser.chrome.errorReporter.enabled', - 'browser.chrome.errorReporter.submitUrl', - 'browser.chrome.favicons', - 'browser.ctrlTab.previews', - 'browser.fixup.hide_user_pass', - 'browser.newtabpage.activity-stream.asrouter.userprefs.cfr', - 'browser.newtabpage.activity-stream.disableSnippets', - 'browser.onboarding.enabled', - 'browser.search.countryCode', - 'browser.urlbar.autocomplete.enabled', - 'devtools.webide.adbAddonURL', - 'devtools.webide.autoinstallADBHelper', - 'dom.event.highrestimestamp.enabled', - 'experiments.activeExperiment', - 'experiments.enabled', - 'experiments.manifest.uri', - 'experiments.supported', - 'lightweightThemes.update.enabled', - 'media.autoplay.enabled', - 'network.allow-experiments', - 'network.cookie.lifetime.days', - 'network.jar.block-remote-files', - 'network.jar.open-unsafe-types', - 'plugin.state.java', - 'security.csp.enable_violation_events', - 'security.csp.experimentalEnabled', - 'shield.savant.enabled', - /* 60 or earlier */ - 'browser.bookmarks.showRecentlyBookmarked', - 'browser.casting.enabled', - 'browser.crashReports.unsubmittedCheck.autoSubmit', - 'browser.formautofill.enabled', - 'browser.formfill.saveHttpsForms', - 'browser.fullscreen.animate', - 'browser.history.allowPopState', - 'browser.history.allowPushState', - 'browser.history.allowReplaceState', - 'browser.newtabpage.activity-stream.enabled', - 'browser.newtabpage.directory.ping', - 'browser.newtabpage.directory.source', - 'browser.newtabpage.enhanced', - 'browser.newtabpage.introShown', - 'browser.pocket.api', - 'browser.pocket.enabled', - 'browser.pocket.oAuthConsumerKey', - 'browser.pocket.site', - 'browser.polaris.enabled', - 'browser.safebrowsing.appRepURL', - 'browser.safebrowsing.enabled', - 'browser.safebrowsing.gethashURL', - 'browser.safebrowsing.malware.reportURL', - 'browser.safebrowsing.provider.google.appRepURL', - 'browser.safebrowsing.reportErrorURL', - 'browser.safebrowsing.reportGenericURL', - 'browser.safebrowsing.reportMalwareErrorURL', - 'browser.safebrowsing.reportMalwareMistakeURL', - 'browser.safebrowsing.reportMalwareURL', - 'browser.safebrowsing.reportPhishMistakeURL', - 'browser.safebrowsing.reportURL', - 'browser.safebrowsing.updateURL', - 'browser.search.showOneOffButtons', - 'browser.selfsupport.enabled', - 'browser.selfsupport.url', - 'browser.sessionstore.privacy_level_deferred', - 'browser.tabs.animate', - 'browser.trackingprotection.gethashURL', - 'browser.trackingprotection.updateURL', - 'browser.urlbar.unifiedcomplete', - 'browser.usedOnWindows10.introURL', - 'camera.control.autofocus_moving_callback.enabled', - 'camera.control.face_detection.enabled', - 'datareporting.healthreport.about.reportUrl', - 'datareporting.healthreport.about.reportUrlUnified', - 'datareporting.healthreport.documentServerURI', - 'datareporting.healthreport.service.enabled', - 'datareporting.policy.dataSubmissionEnabled.v2', - 'devtools.webide.autoinstallFxdtAdapters', - 'dom.archivereader.enabled', - 'dom.battery.enabled', - 'dom.beforeAfterKeyboardEvent.enabled', - 'dom.disable_image_src_set', - 'dom.disable_window_open_feature.scrollbars', - 'dom.disable_window_status_change', - 'dom.enable_user_timing', - 'dom.flyweb.enabled', - 'dom.idle-observers-api.enabled', - 'dom.keyboardevent.code.enabled', - 'dom.network.enabled', - 'dom.push.udp.wakeupEnabled', - 'dom.telephony.enabled', - 'dom.vr.oculus050.enabled', - 'dom.workers.enabled', - 'dom.workers.sharedWorkers.enabled', - 'extensions.formautofill.experimental', - 'extensions.screenshots.system-disabled', - 'extensions.shield-recipe-client.api_url', - 'extensions.shield-recipe-client.enabled', - 'full-screen-api.approval-required', - 'general.useragent.locale', - 'geo.security.allowinsecure', - 'intl.locale.matchOS', - 'loop.enabled', - 'loop.facebook.appId', - 'loop.facebook.enabled', - 'loop.facebook.fallbackUrl', - 'loop.facebook.shareUrl', - 'loop.feedback.formURL', - 'loop.feedback.manualFormURL', - 'loop.logDomains', - 'loop.server', - 'media.block-play-until-visible', - 'media.eme.apiVisible', - 'media.eme.chromium-api.enabled', - 'media.getusermedia.screensharing.allow_on_old_platforms', - 'media.getusermedia.screensharing.allowed_domains', - 'media.gmp-eme-adobe.autoupdate', - 'media.gmp-eme-adobe.enabled', - 'media.gmp-eme-adobe.visible', - 'network.http.referer.userControlPolicy', - 'network.http.sendSecureXSiteReferrer', - 'network.http.spdy.enabled.http2draft', - 'network.http.spdy.enabled.v3-1', - 'network.websocket.enabled', - 'pageThumbs.enabled', - 'pfs.datasource.url', - 'plugin.scan.Acrobat', - 'plugin.scan.Quicktime', - 'plugin.scan.WindowsMediaPlayer', - 'plugins.enumerable_names', - 'plugins.update.notifyUser', - 'plugins.update.url', - 'privacy.clearOnShutdown.passwords', - 'privacy.donottrackheader.value', - 'security.mixed_content.send_hsts_priming', - 'security.mixed_content.use_hsts', - 'security.ssl3.ecdhe_ecdsa_rc4_128_sha', - 'security.ssl3.ecdhe_rsa_rc4_128_sha', - 'security.ssl3.rsa_rc4_128_md5', - 'security.ssl3.rsa_rc4_128_sha', - 'security.tls.insecure_fallback_hosts.use_static_list', - 'security.tls.unrestricted_rc4_fallback', - 'security.xpconnect.plugin.unrestricted', - 'social.directories', - 'social.enabled', - 'social.remote-install.enabled', - 'social.share.activationPanelEnabled', - 'social.shareDirectory', - 'social.toast-notifications.enabled', - 'social.whitelist', - 'toolkit.telemetry.unifiedIsOptIn', - - /* reset parrot: check your open about:config after running the script */ - '_user.js.parrot' - ]; - - console.clear(); - - let c = 0; - for (const sPname of aPREFS) { - if (Services.prefs.prefHasUserValue(sPname)) { - Services.prefs.clearUserPref(sPname); - if (!Services.prefs.prefHasUserValue(sPname)) { - console.info('reset', sPname); - c++; - } else console.warn('failed to reset', sPname); - } - } - - focus(); - - const d = (c==1) ? ' pref' : ' prefs'; - alert(c ? 'successfully reset ' + c + d + "\n\nfor details check the console" : 'nothing to reset'); - - return 'all done'; - -})(); From 93874bda436f6365832c1ecaeb691013bab516c6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 11 Dec 2021 09:14:59 +0000 Subject: [PATCH 485/657] rename --- .../{arkenfox-clear-removed.js => arkenfox-cleanup.js} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename scratchpad-scripts/{arkenfox-clear-removed.js => arkenfox-cleanup.js} (100%) diff --git a/scratchpad-scripts/arkenfox-clear-removed.js b/scratchpad-scripts/arkenfox-cleanup.js similarity index 100% rename from scratchpad-scripts/arkenfox-clear-removed.js rename to scratchpad-scripts/arkenfox-cleanup.js From 460951df9e54a24540181a74379a12aaffa7798e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 11 Dec 2021 09:37:45 +0000 Subject: [PATCH 486/657] tidy, add instructions --- scratchpad-scripts/arkenfox-cleanup.js | 27 ++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/scratchpad-scripts/arkenfox-cleanup.js b/scratchpad-scripts/arkenfox-cleanup.js index d928daf..17de71a 100644 --- a/scratchpad-scripts/arkenfox-cleanup.js +++ b/scratchpad-scripts/arkenfox-cleanup.js @@ -1,12 +1,29 @@ /*** This will reset the preferences that have been - - removed from the arkenfox user.js. - - deprecated by Mozilla but used in the arkenfox user.js in the past + - removed from the arkenfox user.js + - deprecated by Mozilla but listed in the arkenfox user.js in the past Last updated: 11-December-2021 - For instructions see: - https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts] + Instructions: + - [optional] close Firefox and backup your profile + - [optional] disable your network connection [1] + - start Firefox + - load about:config and press Ctrl+Shift+K to open the Web Console for about:config + - using about:config is important, so the script has the right permissions + - paste this script + - if you edited the list of prefs in the script, make sure the last pref does not have a trailing comma + - hit enter + - check the Info output to see which prefs were reset + - restart + - some prefs require a restart + - a restart will reapply your user.js + - [optional] re-enable your network connection + + [1] Blocking Firefox from the internet ensures it cannot act on your reset preferences in the + period before you restart it, such as app and extension auto-updating, or downloading unwanted + components (GMP etc). It depends on what you're resetting and how long before you restart. + ***/ (() => { @@ -435,6 +452,8 @@ // 'dom.ipc.plugins.sandbox-level.default', // 'dom.ipc.plugins.sandbox-level.flash', // 'security.sandbox.logging.enabled', + + /* IMPORTANT: last active pref must not have a trailing comma */ /* reset parrot: check your open about:config after running the script */ '_user.js.parrot' ]; From af109d4696a3f8142a1023974b2a3713a89b030a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 11 Dec 2021 11:15:34 +0000 Subject: [PATCH 487/657] tweak 7016 --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 63579c1..279dd42 100644 --- a/user.js +++ b/user.js @@ -1213,8 +1213,9 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict (2701) ***/ // user_pref("privacy.donottrackheader.enabled", true); /* 7016: customize ETP settings - * [WHY] Just use strict which sets these at runtime (2701) ***/ + * [WHY] Arkenfox only supports strict which sets these at runtime (2701) ***/ // user_pref("network.cookie.cookieBehavior", 5); + // user_pref("privacy.partition.network_state.ocsp_cache", true); // user_pref("privacy.trackingprotection.enabled", true); // user_pref("privacy.trackingprotection.socialtracking.enabled", true); // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] From 7ec13c0323f53a959eaa7f21b425b30290112e12 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 11 Dec 2021 12:22:00 +0000 Subject: [PATCH 488/657] sharedWorkers tweak tested in FF91+. Seems as if sharedWorkers no longer requires an explicit `Allow` --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 279dd42..3827e00 100644 --- a/user.js +++ b/user.js @@ -806,8 +806,8 @@ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!" /** COOKIES + SITE DATA : ALLOWS EXCEPTIONS ***/ /* 2801: delete cookies and site data on exit * 0=keep until they expire (default), 2=keep until you close Firefox - * [NOTE] A "cookie" permission also controls localStorage/sessionStorage, idexedDB. - * sharedWorkers and serviceWorkers require an `Allow` permission + * [NOTE] A "cookie" block permission also controls localStorage/sessionStorage, idexedDB, + * sharedWorkers and serviceWorkers. serviceWorkers require an `Allow` permission * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow * If using FPI the syntax must be https://example.com/^firstPartyDomain=example.com From 54810e333f4b9ef442ab66eeb412efcdcfe81eda Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 11 Dec 2021 19:17:43 +0000 Subject: [PATCH 489/657] typo --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 3827e00..23ba046 100644 --- a/user.js +++ b/user.js @@ -806,7 +806,7 @@ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!" /** COOKIES + SITE DATA : ALLOWS EXCEPTIONS ***/ /* 2801: delete cookies and site data on exit * 0=keep until they expire (default), 2=keep until you close Firefox - * [NOTE] A "cookie" block permission also controls localStorage/sessionStorage, idexedDB, + * [NOTE] A "cookie" block permission also controls localStorage/sessionStorage, indexedDB, * sharedWorkers and serviceWorkers. serviceWorkers require an `Allow` permission * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow From 8cdb30cc0811ae3f2198aeb24c330993f5192400 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 12 Dec 2021 00:26:12 +0000 Subject: [PATCH 490/657] make cookie pref active @SkewedZeppelin ... https://github.com/arkenfox/user.js/issues/1051#issuecomment-991806497 --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 23ba046..99a62e8 100644 --- a/user.js +++ b/user.js @@ -798,6 +798,7 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin * [SETTING] to add site exceptions: Urlbar>ETP Shield * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/ user_pref("browser.contentblocking.category", "strict"); +user_pref("network.cookie.cookieBehavior", 5); /* 2702: enable state partitioning of service workers [FF96+] ***/ user_pref("privacy.partition.serviceWorkers", true); @@ -1214,7 +1215,6 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("privacy.donottrackheader.enabled", true); /* 7016: customize ETP settings * [WHY] Arkenfox only supports strict which sets these at runtime (2701) ***/ - // user_pref("network.cookie.cookieBehavior", 5); // user_pref("privacy.partition.network_state.ocsp_cache", true); // user_pref("privacy.trackingprotection.enabled", true); // user_pref("privacy.trackingprotection.socialtracking.enabled", true); From f836e553635ffe057d49c591e6256d46158ccdf0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 12 Dec 2021 13:31:01 +0000 Subject: [PATCH 491/657] tidy ETP stuff --- user.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 99a62e8..8fea2f0 100644 --- a/user.js +++ b/user.js @@ -792,13 +792,12 @@ user_pref("extensions.postDownloadThirdPartyPrompt", false); /*** [SECTION 2700]: ETP (ENHANCED TRACKING PROTECTION) ***/ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!"); -/* 2701: enable Enhanced Tracking Protection's (ETP) Strict Mode [FF86+] +/* 2701: enable ETP Strict Mode [FF86+] * [NOTE] ETP Strict Mode enables Total Cookie Protection (TCP) * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ * [SETTING] to add site exceptions: Urlbar>ETP Shield * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/ user_pref("browser.contentblocking.category", "strict"); -user_pref("network.cookie.cookieBehavior", 5); /* 2702: enable state partitioning of service workers [FF96+] ***/ user_pref("privacy.partition.serviceWorkers", true); @@ -1214,7 +1213,9 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict (2701) ***/ // user_pref("privacy.donottrackheader.enabled", true); /* 7016: customize ETP settings - * [WHY] Arkenfox only supports strict which sets these at runtime (2701) ***/ + * [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/ + // user_pref("network.cookie.cookieBehavior", 5); + // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true); // user_pref("privacy.partition.network_state.ocsp_cache", true); // user_pref("privacy.trackingprotection.enabled", true); // user_pref("privacy.trackingprotection.socialtracking.enabled", true); From c8c86262d7dc21cfc1329cfc7fafdb286149d21d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 12 Dec 2021 13:51:25 +0000 Subject: [PATCH 492/657] enforce SmartBlock shims --- user.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 8fea2f0..bdaf498 100644 --- a/user.js +++ b/user.js @@ -798,7 +798,7 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin * [SETTING] to add site exceptions: Urlbar>ETP Shield * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/ user_pref("browser.contentblocking.category", "strict"); -/* 2702: enable state partitioning of service workers [FF96+] ***/ +/* 2710: enable state partitioning of service workers [FF96+] ***/ user_pref("privacy.partition.serviceWorkers", true); /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/ @@ -1124,6 +1124,10 @@ user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701), * and enabling FPI disables those. FPI is no longer maintained ***/ user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false] +/* 6009: enforce SmartBlock shims [FF81+] + * In FF96+ these are listed in about:compat + * [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/ +user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true] /* 6050: prefsCleaner: reset previously active items removed from arkenfox FF92+ ***/ // placeholder From 8bc25b552db5fb1d0fbe5cd248bbc15c4aa216db Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 12 Dec 2021 15:30:53 +0000 Subject: [PATCH 493/657] expand 0650 to include any removed item this should reduce any dependency on the scratchpad script --- user.js | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index bdaf498..77f79c1 100644 --- a/user.js +++ b/user.js @@ -1128,8 +1128,13 @@ user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false] * In FF96+ these are listed in about:compat * [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/ user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true] -/* 6050: prefsCleaner: reset previously active items removed from arkenfox FF92+ ***/ - // placeholder +/* 6050: prefsCleaner: reset items removed from arkenfox FF92+ ***/ + // user_pref(""dom.caches.enabled", ""); + // user_pref(""dom.storageManager.enabled", ""); + // user_pref(""dom.storage_access.enabled", ""); + // user_pref(""privacy.firstparty.isolate.block_post_message", ""); + // user_pref(""privacy.firstparty.isolate.restrict_opener_access", ""); + // user_pref(""privacy.firstparty.isolate.use_site", ""); /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); From 8de87de0506c7a508958920e24ff2ca0b7026c98 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 12 Dec 2021 15:41:55 +0000 Subject: [PATCH 494/657] update 0704: GIO, closes #1050 (#1300) https://bugzilla.mozilla.org/show_bug.cgi?id=1666725 --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 77f79c1..5560119 100644 --- a/user.js +++ b/user.js @@ -313,9 +313,9 @@ user_pref("network.proxy.socks_remote_dns", true); * [SETUP-CHROME] Can break extensions for profiles on network shares * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF] -/* 0704: disable GIO as a potential proxy bypass vector [FF60+] - * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda, - * gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64) +/* 0704: disable GIO as a potential proxy bypass vector + * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, + * dav, cdda, gphoto2, trash, etc. By default only sftp is accepted (FF87+) * [1] https://bugzilla.mozilla.org/1433507 * [2] https://en.wikipedia.org/wiki/GVfs * [3] https://en.wikipedia.org/wiki/GIO_(software) ***/ From 78297132b421115da2820da133c24f53de3bb658 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 12 Dec 2021 15:44:39 +0000 Subject: [PATCH 495/657] fix syntax --- user.js | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/user.js b/user.js index 5560119..1ae1f9c 100644 --- a/user.js +++ b/user.js @@ -1129,12 +1129,12 @@ user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false] * [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/ user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true] /* 6050: prefsCleaner: reset items removed from arkenfox FF92+ ***/ - // user_pref(""dom.caches.enabled", ""); - // user_pref(""dom.storageManager.enabled", ""); - // user_pref(""dom.storage_access.enabled", ""); - // user_pref(""privacy.firstparty.isolate.block_post_message", ""); - // user_pref(""privacy.firstparty.isolate.restrict_opener_access", ""); - // user_pref(""privacy.firstparty.isolate.use_site", ""); + // user_pref("dom.caches.enabled", ""); + // user_pref("dom.storageManager.enabled", ""); + // user_pref("dom.storage_access.enabled", ""); + // user_pref("privacy.firstparty.isolate.block_post_message", ""); + // user_pref("privacy.firstparty.isolate.restrict_opener_access", ""); + // user_pref("privacy.firstparty.isolate.use_site", ""); /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); From c269ac9f7d8226fdc53da74754a0441809ac3c7b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 13 Dec 2021 03:49:42 +0000 Subject: [PATCH 496/657] remove duplicate --- scratchpad-scripts/arkenfox-cleanup.js | 1 - 1 file changed, 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-cleanup.js b/scratchpad-scripts/arkenfox-cleanup.js index 17de71a..c209797 100644 --- a/scratchpad-scripts/arkenfox-cleanup.js +++ b/scratchpad-scripts/arkenfox-cleanup.js @@ -152,7 +152,6 @@ 'datareporting.policy.dataSubmissionEnabled.v2', 'devtools.webide.autoinstallFxdtAdapters', 'dom.archivereader.enabled', - 'dom.battery.enabled', 'dom.beforeAfterKeyboardEvent.enabled', 'dom.disable_image_src_set', 'dom.disable_window_open_feature.scrollbars', From 238f1545f4de5b873e9e717c458c200a049c73e5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 13 Dec 2021 14:15:25 +0000 Subject: [PATCH 497/657] =?UTF-8?q?fixup=20thanks=20#fxbrit=20have=20a=20?= =?UTF-8?q?=F0=9F=8D=A5=20fish=20cake?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 1ae1f9c..88af5a7 100644 --- a/user.js +++ b/user.js @@ -1231,7 +1231,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] /* 7017: disable service workers [FF32, FF44-compat] - * [WHY] Already isolated (FF96+) with TCP (2701) behind a pref (2702) + * [WHY] Already isolated (FF96+) with TCP (2701) behind a pref (2710) * or blocked with TCP in 3rd parties (FF95 or lower) ***/ // user_pref("dom.serviceWorkers.enabled", false); From 7811e912f479e1b1036ab30328d89f5d1ef7422f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 14 Dec 2021 13:25:46 +0000 Subject: [PATCH 498/657] make push notifications inactive - they require SWers which are already blocked by virtue of permissions being session only - also remove "dom.push.userAgentID" as this means prefsCleaner resets it and would wipe user's subscriptions - not adding "dom.push.userAgentID" to the cleanup script for the same reason --- user.js | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 88af5a7..3e150a3 100644 --- a/user.js +++ b/user.js @@ -695,11 +695,10 @@ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); * Push allows websites to send you subscribed messages through Mozilla's Push Server, * and requires service workers to subscribe to and display, and is behind a prompt (7002) * [NOTE] Disabling service workers alone doesn't stop Firefox polling the Mozilla Push Server - * [NOTE] To remove all subscriptions, reset your userAgentID + * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID" * [1] https://support.mozilla.org/kb/push-notifications-firefox * [2] https://developer.mozilla.org/docs/Web/API/Push_API ***/ -user_pref("dom.push.enabled", false); - // user_pref("dom.push.userAgentID", ""); + // user_pref("dom.push.enabled", false); /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); @@ -807,7 +806,7 @@ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!" /* 2801: delete cookies and site data on exit * 0=keep until they expire (default), 2=keep until you close Firefox * [NOTE] A "cookie" block permission also controls localStorage/sessionStorage, indexedDB, - * sharedWorkers and serviceWorkers. serviceWorkers require an `Allow` permission + * sharedWorkers and serviceWorkers. serviceWorkers require an "Allow" permission * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow * If using FPI the syntax must be https://example.com/^firstPartyDomain=example.com From 93f0ff89c8ff54e74b1d0cc9e27a41f653c33812 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 15 Dec 2021 00:05:03 +0000 Subject: [PATCH 499/657] move web notifcations to don't bother --- user.js | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/user.js b/user.js index 3e150a3..3e19e34 100644 --- a/user.js +++ b/user.js @@ -687,18 +687,6 @@ user_pref("dom.disable_window_move_resize", true); user_pref("dom.disable_open_during_load", true); /* 2404: limit events that can cause a popup [SETUP-WEB] ***/ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); -/* 2410: disable Web Notifications - * [NOTE] Web Notifications are behind a prompt (7002) ***/ - // user_pref("dom.webnotifications.enabled", false); // [FF22+] - // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+] -/* 2411: disable Push Notifications [FF44+] - * Push allows websites to send you subscribed messages through Mozilla's Push Server, - * and requires service workers to subscribe to and display, and is behind a prompt (7002) - * [NOTE] Disabling service workers alone doesn't stop Firefox polling the Mozilla Push Server - * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID" - * [1] https://support.mozilla.org/kb/push-notifications-firefox - * [2] https://developer.mozilla.org/docs/Web/API/Push_API ***/ - // user_pref("dom.push.enabled", false); /*** [SECTION 2600]: MISCELLANEOUS ***/ user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!"); @@ -1179,6 +1167,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies /* 7006: onions * [WHY] Firefox doesn't support hidden services. Use Tor Browser ***/ // user_pref("dom.securecontext.whitelist_onions", true); // 1382359 + // user_pref("dom.securecontext.allowlist_onions", true); // [FF97+] 1382359/1744006 // user_pref("network.http.referer.hideOnionSource", true); // 1305144 /* 7007: referers * [WHY] Only cross-origin referers (1600s) need control ***/ @@ -1233,6 +1222,16 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies * [WHY] Already isolated (FF96+) with TCP (2701) behind a pref (2710) * or blocked with TCP in 3rd parties (FF95 or lower) ***/ // user_pref("dom.serviceWorkers.enabled", false); +/* 7018: disable Web Notifications + * [WHY] Web Notifications are behind a prompt (7002) + * [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/ ***/ + // user_pref("dom.webnotifications.enabled", false); // [FF22+] + // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+] +/* 7019: disable Push Notifications [FF44+] + * [WHY] Push requires subscription + * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID" + * [1] https://support.mozilla.org/kb/push-notifications-firefox ***/ + // user_pref("dom.push.enabled", false); /*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING [WHY] They are insufficient to help anti-fingerprinting and do more harm than good From bb56056a68906ddd178f64ab0b016c8bbe9786fb Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 15 Dec 2021 19:23:03 +0000 Subject: [PATCH 500/657] explain 0-RTT --- user.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 3e19e34..4d70fd3 100644 --- a/user.js +++ b/user.js @@ -481,7 +481,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); * safe from the attack if it disables renegotiations but the problem is that the browser can't * know that. Setting this pref to true is the only way for the browser to ensure there will be * no unsafe renegotiations on the channel between the browser and the server. - * [STATS] SSL Labs (July 2021) reports over 99% of sites have secure renegotiation [4] + * [STATS] SSL Labs (July 2021) reports over 99% of top sites have secure renegotiation [4] * [1] https://wiki.mozilla.org/Security:Renegotiation * [2] https://datatracker.ietf.org/doc/html/rfc5746 * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 @@ -490,8 +490,11 @@ user_pref("security.ssl.require_safe_negotiation", true); /* 1203: reset TLS 1.0 and 1.1 downgrades i.e. session only ***/ user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false] /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+] + * This data is not forward secret, as it is encrypted solely under keys derived using + * the offered PSK. There are no guarantees of non-replay between connections * [1] https://github.com/tlswg/tls13-spec/issues/1001 - * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ + * [2] https://www.rfc-editor.org/rfc/rfc9001.html#name-replay-attacks-with-0-rtt + * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ user_pref("security.tls.enable_0rtt_data", false); /** OCSP (Online Certificate Status Protocol) From 6675225ec4a40bdb7d38b299893cd5b472b60c3a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Dec 2021 06:36:39 +0000 Subject: [PATCH 501/657] make 0301 inactive auto-updating is not a security nor a privacy risk, by default it should be enabled and it's on end-users if they want to disable it - does not affect windows users --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 4d70fd3..56be810 100644 --- a/user.js +++ b/user.js @@ -142,7 +142,7 @@ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the /* 0301: disable auto-INSTALLING Firefox updates [NON-WINDOWS] * [NOTE] You will still get prompts to update, and should do so in a timely manner * [SETTING] General>Firefox Updates>Check for updates but let you choose to install them ***/ -user_pref("app.update.auto", false); + // user_pref("app.update.auto", false); /* 0302: disable auto-INSTALLING Firefox updates via a background service [FF90+] [WINDOWS] * [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running * [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows ***/ @@ -945,7 +945,7 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] // user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid"); // user_pref("privacy.resistFingerprinting.testGranularityMask", 0); /* 4506: set RFP's font visibility level (1402) [FF94+] ***/ - // user_pref("layout.css.font-visibility.resistFingerprinting", 1); + // user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1] /* 4507: disable showing about:blank as soon as possible during startup [FF60+] * When default true this no longer masks the RFP chrome resizing activity * [1] https://bugzilla.mozilla.org/1448423 ***/ From d48d3ad29a095eb0bd467040c9db5482a79dc516 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Dec 2021 21:20:28 +0000 Subject: [PATCH 502/657] remove browser.eme.ui.enabled --- scratchpad-scripts/arkenfox-cleanup.js | 1 - 1 file changed, 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-cleanup.js b/scratchpad-scripts/arkenfox-cleanup.js index c209797..6aa8c31 100644 --- a/scratchpad-scripts/arkenfox-cleanup.js +++ b/scratchpad-scripts/arkenfox-cleanup.js @@ -287,7 +287,6 @@ 'browser.cache.disk.smart_size.first_run', 'browser.cache.offline.insecure.enable', 'browser.contentblocking.enabled', - 'browser.eme.ui.enabled', 'browser.laterrun.enabled', 'browser.offline-apps.notify', 'browser.rights.3.shown', From 87bd8683fa384c0e9932230c8957ac0717a0b430 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Dec 2021 21:22:41 +0000 Subject: [PATCH 503/657] 2022: add browser.eme.ui.enabled for those who want to remove DRM prompts and have no intention of enabling it --- user.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/user.js b/user.js index 56be810..3930e10 100644 --- a/user.js +++ b/user.js @@ -660,11 +660,13 @@ user_pref("media.peerconnection.ice.default_address_only", true); * [NOTE] This is covered by the EME master switch (2022) ***/ // user_pref("media.gmp-widevinecdm.enabled", false); /* 2022: disable all DRM content (EME: Encryption Media Extension) + * Optionally hide the setting which also removes the DRM prompt * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV * [SETTING] General>DRM Content>Play DRM-controlled content * [TEST] https://bitmovin.com/demos/drm * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/ user_pref("media.eme.enabled", false); + // user_pref("browser.eme.ui.enabled", false); /* 2030: disable autoplay of HTML5 media [FF63+] * 0=Allow all, 1=Block non-muted media (default), 5=Block all * [NOTE] You can set exceptions under site permissions From d2510b014d768d867c9f83ba7cded0a1bf280b52 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 23 Dec 2021 23:42:28 +0000 Subject: [PATCH 504/657] move updates to personal updating (app, extensions, ext cache) is not a privacy issue - if you're willing to use Firefox but not trust updating, then I have two bricks to sell you: users who wish to disable it (to check changes first etc) and update in a timely manner, then that is on them - including any prompt fatigue - same goes for extensions: the end-user installed them (and arkenfox only recommends a very select few) - the onus is on the end-user The remaining ones I will deal with later --- user.js | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/user.js b/user.js index 3930e10..3d95610 100644 --- a/user.js +++ b/user.js @@ -139,23 +139,10 @@ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] /*** [SECTION 0300]: QUIETER FOX ***/ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); /** UPDATES ***/ -/* 0301: disable auto-INSTALLING Firefox updates [NON-WINDOWS] - * [NOTE] You will still get prompts to update, and should do so in a timely manner - * [SETTING] General>Firefox Updates>Check for updates but let you choose to install them ***/ - // user_pref("app.update.auto", false); /* 0302: disable auto-INSTALLING Firefox updates via a background service [FF90+] [WINDOWS] * [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running * [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows ***/ user_pref("app.update.background.scheduling.enabled", false); -/* 0303: disable auto-CHECKING for extension and theme updates ***/ - // user_pref("extensions.update.enabled", false); -/* 0304: disable auto-INSTALLING extension and theme updates (after the check in 0303) - * [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/ - // user_pref("extensions.update.autoUpdateDefault", false); -/* 0305: disable extension metadata - * used when installing/updating an extension, and in daily background update checks: - * when false, extension detail tabs will have no description ***/ - // user_pref("extensions.getAddons.cache.enabled", false); /* 0306: disable search engine updates (e.g. OpenSearch) * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines ***/ user_pref("browser.search.update", false); @@ -660,7 +647,7 @@ user_pref("media.peerconnection.ice.default_address_only", true); * [NOTE] This is covered by the EME master switch (2022) ***/ // user_pref("media.gmp-widevinecdm.enabled", false); /* 2022: disable all DRM content (EME: Encryption Media Extension) - * Optionally hide the setting which also removes the DRM prompt + * Optionally hide the setting which also disables the DRM prompt * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV * [SETTING] General>DRM Content>Play DRM-controlled content * [TEST] https://bitmovin.com/demos/drm @@ -1286,6 +1273,14 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc // user_pref("browser.warnOnQuitShortcut", false); // [FF94+] // user_pref("full-screen-api.warning.delay", 0); // user_pref("full-screen-api.warning.timeout", 0); +/* UPDATES ***/ + // user_pref("app.update.auto", false); // [NON-WINDOWS] disable auto app updates + // [NOTE] You will still get prompts to update, and should do so in a timely manner + // [SETTING] General>Firefox Updates>Check for updates but let you choose to install them + // user_pref("extensions.update.enabled", false); // disable extension and theme update checks + // user_pref("extensions.update.autoUpdateDefault", false); // disable installing extension and theme updates + // [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) + // user_pref("extensions.getAddons.cache.enabled", false); // disable extension metadata (extension detail tab) /* APPEARANCE ***/ // user_pref("browser.download.autohideButton", false); // [FF57+] // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent From 7e18f8b47365d0b4155b83809830bfd10735c164 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 24 Dec 2021 06:01:41 +0000 Subject: [PATCH 505/657] tweak 2011 - FF85+ switched to using application regional locale - go to about:support > Internationalization & Localization (almost at the very end) - look at Application > Regional Preferences - add test --- user.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user.js b/user.js index 3d95610..4e82ff5 100644 --- a/user.js +++ b/user.js @@ -131,8 +131,9 @@ user_pref("browser.region.update.enabled", false); // [FF79+] * [SETTING] General>Language and Appearance>Language>Choose your preferred language... * [TEST] https://addons.mozilla.org/about ***/ user_pref("intl.accept_languages", "en-US, en"); -/* 0211: use US English locale regardless of the system locale +/* 0211: use en-US locale regardless of the system or region locale * [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1] + * [TEST] https://arkenfox.github.io/TZP/tests/formatting.html * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] From 2787da7f90b31b19d3549b61a77210b79bd1166b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 24 Dec 2021 06:04:38 +0000 Subject: [PATCH 506/657] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1522a3e..80ceef9 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ Also be aware that the `arkenfox user.js` is made specifically for desktop Firef - [wiki](https://github.com/arkenfox/user.js/wiki) - [stickies](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22) - [diffs](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+label%3Adiffs) + - [common questions and answers](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+label%3Aanswered) ### 🟥 acknowledgments Literally thousands of sources, references and suggestions. Many thanks, and much appreciated. From 7016c2050d20d53242c30eaf0b3beca947e172f6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 30 Dec 2021 03:15:56 +0000 Subject: [PATCH 507/657] move TLS 1.0/1.1 downgrades to don't bother https://bugzilla.mozilla.org/show_bug.cgi?id=1745678 --- user.js | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 4e82ff5..804f901 100644 --- a/user.js +++ b/user.js @@ -475,8 +475,6 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 * [4] https://www.ssllabs.com/ssl-pulse/ ***/ user_pref("security.ssl.require_safe_negotiation", true); -/* 1203: reset TLS 1.0 and 1.1 downgrades i.e. session only ***/ -user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false] /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+] * This data is not forward secret, as it is encrypted solely under keys derived using * the offered PSK. There are no guarantees of non-replay between connections @@ -1108,6 +1106,10 @@ user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false] * In FF96+ these are listed in about:compat * [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/ user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true] +/* 6010: enforce/reset TLS 1.0/1.1 downgrades to session only + * [NOTE] In FF97+ the TLS 1.0/1.1 downgrade UX was removed + * [TEST] https://tls-v1-1.badssl.com:1010/ ***/ +user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false] /* 6050: prefsCleaner: reset items removed from arkenfox FF92+ ***/ // user_pref("dom.caches.enabled", ""); // user_pref("dom.storageManager.enabled", ""); @@ -1150,7 +1152,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS /* 7004: control TLS versions - * [WHY] Passive fingerprinting. Downgrades are still possible: behind user interaction ***/ + * [WHY] Passive fingerprinting and security ***/ // user_pref("security.tls.version.min", 3); // [DEFAULT: 3] // user_pref("security.tls.version.max", 4); /* 7005: disable SSL session IDs [FF36+] From 06b8d8bfa3a8fd63083be4aaa1afbe0d21df8814 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 7 Jan 2022 17:29:26 +0000 Subject: [PATCH 508/657] move 0362 to don't touch --- user.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 804f901..a6f8472 100644 --- a/user.js +++ b/user.js @@ -219,9 +219,6 @@ user_pref("network.captive-portal-service.enabled", false); // [FF52+] /* 0361: disable Network Connectivity checks [FF65+] * [1] https://bugzilla.mozilla.org/1460537 ***/ user_pref("network.connectivity-service.enabled", false); -/* 0362: enforce disabling of Web Compatibility Reporter [FF56+] - * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/ -user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] /*** [SECTION 0400]: SAFE BROWSING (SB) SB has taken many steps to preserve privacy. If required, a full url is never sent @@ -1110,6 +1107,10 @@ user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true] * [NOTE] In FF97+ the TLS 1.0/1.1 downgrade UX was removed * [TEST] https://tls-v1-1.badssl.com:1010/ ***/ user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false] +/* 6011: enforce disabling of Web Compatibility Reporter [FF56+] + * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla + * [WHY] To prevent wasting Mozilla's time with a custom setup ***/ +user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] /* 6050: prefsCleaner: reset items removed from arkenfox FF92+ ***/ // user_pref("dom.caches.enabled", ""); // user_pref("dom.storageManager.enabled", ""); From ab7380c93b244992234e33c424f4bd7579f8e53e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 11 Jan 2022 09:21:37 +0000 Subject: [PATCH 509/657] HoM: tweak background request info --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index a6f8472..0d9bf72 100644 --- a/user.js +++ b/user.js @@ -543,8 +543,8 @@ user_pref("dom.security.https_only_mode", true); // [FF76+] /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/ // user_pref("dom.security.https_only_mode.upgrade_local", true); /* 1246: disable HTTP background requests [FF82+] - * When attempting to upgrade, if the server doesn't respond within 3 seconds, - * Firefox sends HTTP requests in order to check if the server supports HTTPS or not + * When attempting to upgrade, if the server doesn't respond within 3 seconds, Firefox sends + * a top-level HTTP request without path in order to check if the server supports HTTPS or not * This is done to avoid waiting for a timeout which takes 90 seconds * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/ user_pref("dom.security.https_only_mode_send_http_background_request", false); From 926a2d4ac8ee7971090583c1ff190b714c227bd9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 12 Jan 2022 05:09:17 +0000 Subject: [PATCH 510/657] v96 deprecated, #1325 also tidy the description to reflect that the setting is hidden --- user.js | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index 0d9bf72..c46cf19 100644 --- a/user.js +++ b/user.js @@ -140,10 +140,6 @@ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] /*** [SECTION 0300]: QUIETER FOX ***/ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); /** UPDATES ***/ -/* 0302: disable auto-INSTALLING Firefox updates via a background service [FF90+] [WINDOWS] - * [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running - * [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows ***/ -user_pref("app.update.background.scheduling.enabled", false); /* 0306: disable search engine updates (e.g. OpenSearch) * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines ***/ user_pref("browser.search.update", false); @@ -1339,6 +1335,12 @@ user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is m // 0807: disable location bar contextual suggestions [FF92+] - replaced by new 0807 // [-] https://bugzilla.mozilla.org/1735976 user_pref("browser.urlbar.suggest.quicksuggest", false); +// FF96 +// 0302: disable auto-INSTALLING Firefox updates via a background service + hide the setting [FF90+] [WINDOWS] + // [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running + // [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows + // [-] https://bugzilla.mozilla.org/1738983 +user_pref("app.update.background.scheduling.enabled", false); // ***/ /* END: internal custom pref to test for syntax errors ***/ From bc2aba3829f6bbe5e5f8739f120cc6f6f251ffba Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 12 Jan 2022 05:25:31 +0000 Subject: [PATCH 511/657] move last update pref to personal --- user.js | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/user.js b/user.js index c46cf19..a9d2a0e 100644 --- a/user.js +++ b/user.js @@ -139,11 +139,6 @@ user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF] /*** [SECTION 0300]: QUIETER FOX ***/ user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!"); -/** UPDATES ***/ -/* 0306: disable search engine updates (e.g. OpenSearch) - * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines ***/ -user_pref("browser.search.update", false); - /** RECOMMENDATIONS ***/ /* 0320: disable recommendation pane in about:addons (uses Google Analytics) ***/ user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF] @@ -1275,8 +1270,10 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc // user_pref("full-screen-api.warning.timeout", 0); /* UPDATES ***/ // user_pref("app.update.auto", false); // [NON-WINDOWS] disable auto app updates - // [NOTE] You will still get prompts to update, and should do so in a timely manner - // [SETTING] General>Firefox Updates>Check for updates but let you choose to install them + // [NOTE] You will still get prompts to update, and should do so in a timely manner + // [SETTING] General>Firefox Updates>Check for updates but let you choose to install them + // user_pref("browser.search.update", false); // disable search engine updates (e.g. OpenSearch) + // [NOTE] This does not affect Mozilla's built-in or Web Extension search engines // user_pref("extensions.update.enabled", false); // disable extension and theme update checks // user_pref("extensions.update.autoUpdateDefault", false); // disable installing extension and theme updates // [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) From 7a4676fe2dcb5bf55974b5cbc82f8353114175d3 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 15 Jan 2022 05:25:11 +0000 Subject: [PATCH 512/657] make 1601 setup tag more explicit, closes #1326 --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index a9d2a0e..d321a4f 100644 --- a/user.js +++ b/user.js @@ -573,7 +573,6 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); // user_pref("layout.css.font-visibility.trackingprotection", 1); /*** [SECTION 1600]: HEADERS / REFERERS - Expect some breakage e.g. banks: use an extension if you need precise control full URI: https://example.com:8888/foo/bar.html?id=1234 scheme+host+port+path: https://example.com:8888/foo/bar.html scheme+host+port: https://example.com:8888 @@ -582,7 +581,8 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false); user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); /* 1601: control when to send a cross-origin referer * 0=always (default), 1=only if base domains match, 2=only if hosts match - * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud, instagram ***/ + * [SETUP-WEB] Breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram + * If "2" is too strict, then override to "0" and use Smart Referer (Strict mode + add exceptions) ***/ user_pref("network.http.referer.XOriginPolicy", 2); /* 1602: control the amount of cross-origin information to send [FF52+] * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ From 09d62d2302c2306f5430a397596667ff167edce7 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 16 Jan 2022 02:31:57 +0000 Subject: [PATCH 513/657] remove 1273: "not Secure" text on insecure sites AF has been using HTTPS-Only mode since v84, the interstitial is more than ample, padlock is still marked as insecure --- user.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/user.js b/user.js index d321a4f..22e5141 100644 --- a/user.js +++ b/user.js @@ -555,8 +555,6 @@ user_pref("browser.ssl_override_behavior", 1); * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/) * [TEST] https://expired.badssl.com/ ***/ user_pref("browser.xul.error_pages.expert_bad_cert", true); -/* 1273: display "Not Secure" text on HTTP sites ***/ -user_pref("security.insecure_connection_text.enabled", true); // [FF60+] /*** [SECTION 1400]: FONTS ***/ user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!"); From b5bf2ee0171d6bf4a428f944054f778b47a7deb9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 16 Jan 2022 02:34:21 +0000 Subject: [PATCH 514/657] oophs, add removed item from last commit to 6050 --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index 22e5141..0037897 100644 --- a/user.js +++ b/user.js @@ -1107,6 +1107,7 @@ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false] // user_pref("privacy.firstparty.isolate.block_post_message", ""); // user_pref("privacy.firstparty.isolate.restrict_opener_access", ""); // user_pref("privacy.firstparty.isolate.use_site", ""); + // user_pref("security.insecure_connection_text.enabled", ""); /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); From 83b6d64e67d663603ff9e52a5b6627d7927ba86f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 16 Jan 2022 02:36:08 +0000 Subject: [PATCH 515/657] security.insecure_connection_text.enabled AF has been using HTTPS-Only mode since v84, the interstitial is more than ample, padlock is still marked as insecure --- scratchpad-scripts/arkenfox-cleanup.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-cleanup.js b/scratchpad-scripts/arkenfox-cleanup.js index 6aa8c31..9d2ec12 100644 --- a/scratchpad-scripts/arkenfox-cleanup.js +++ b/scratchpad-scripts/arkenfox-cleanup.js @@ -3,7 +3,7 @@ - removed from the arkenfox user.js - deprecated by Mozilla but listed in the arkenfox user.js in the past - Last updated: 11-December-2021 + Last updated: 16-January-2022 Instructions: - [optional] close Firefox and backup your profile @@ -232,6 +232,7 @@ 'privacy.firstparty.isolate.block_post_message', 'privacy.firstparty.isolate.restrict_opener_access', 'privacy.firstparty.isolate.use_site', + 'security.insecure_connection_text.enabled', /* 79-91 */ 'alerts.showFavicons', 'browser.newtabpage.activity-stream.asrouter.providers.snippets', From ac0820a5dc00e04fe14fc2a74ba75e590883293c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 21 Jan 2022 03:48:06 +0000 Subject: [PATCH 516/657] add last bits about ETP Strict/dFPI, closes #1337 --- user.js | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index 0037897..9c60d66 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 9 December 2021 -* version 96-alpha +* date: 21 January 2021 +* version 96 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -757,11 +757,18 @@ user_pref("extensions.postDownloadThirdPartyPrompt", false); /*** [SECTION 2700]: ETP (ENHANCED TRACKING PROTECTION) ***/ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!"); /* 2701: enable ETP Strict Mode [FF86+] - * [NOTE] ETP Strict Mode enables Total Cookie Protection (TCP) + * ETP Strict Mode enables Total Cookie Protection (TCP) + * [NOTE] Adding site exceptions disables all ETP protections for that site and increases the risk of + * cross-site state tracking e.g. exceptions for SiteA and SiteB means PartyC on both sites is shared * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ * [SETTING] to add site exceptions: Urlbar>ETP Shield * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/ user_pref("browser.contentblocking.category", "strict"); +/* 2702: disable ETP web compat features [FF93+] + * [SETUP-HARDEN] Includes skip lists, heuristics (SmartBlock) and automatic grants + * [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/ + * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12 ***/ + // user_pref("privacy.antitracking.enableWebcompat", false); /* 2710: enable state partitioning of service workers [FF96+] ***/ user_pref("privacy.partition.serviceWorkers", true); From 10044fcaf77bfe19f2b90c606232f0a9e83401c9 Mon Sep 17 00:00:00 2001 From: fabrizio Date: Sat, 22 Jan 2022 01:49:48 +0000 Subject: [PATCH 517/657] typos #1342 (#1343) --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 9c60d66..e80a95c 100644 --- a/user.js +++ b/user.js @@ -1,6 +1,6 @@ /****** * name: arkenfox user.js -* date: 21 January 2021 +* date: 21 January 2022 * version 96 * url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -1089,7 +1089,7 @@ user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true] * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/ user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true] -/* 0607: enforce Local Storage Next Generation (LSNG) [FF65+] ***/ +/* 6007: enforce Local Storage Next Generation (LSNG) [FF65+] ***/ user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] /* 6008: enforce no First Party Isolation [FF51+] * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701), From cc7ca9d0fa3d4ca4c929ad55c218b9bf3d0daffa Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 29 Jan 2022 05:24:41 +0000 Subject: [PATCH 518/657] cleanup dead images (#1353) --- wikipiki/backup01.png | Bin 5639 -> 0 bytes wikipiki/overview01.png | Bin 19862 -> 0 bytes wikipiki/overview02.png | Bin 11179 -> 0 bytes wikipiki/overview03.png | Bin 18001 -> 0 bytes 4 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 wikipiki/backup01.png delete mode 100644 wikipiki/overview01.png delete mode 100644 wikipiki/overview02.png delete mode 100644 wikipiki/overview03.png diff --git a/wikipiki/backup01.png b/wikipiki/backup01.png deleted file mode 100644 index e10f1ea228659521464f6508b74a1369f0d4dc03..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5639 zcmc&&cTiJrm%b?Ar3XPlY7`q%Rf-_RL=C7^snQ}K-2e)qBtS3(Q4#P{K&1*u6Dbj- zcfqJs=_En~q#Jq&HGJ{6JKxTJJF~O<&Ft(y=iYhCIrq$Y-t#>7eQaW+$Hy(k4FCY& zHT^3$0f4QU_5KCqWLfOm*h>I7)Oqa+%seQC_Cq&XTw_0Jx%N~;L~Xb~=QLT1ZZBe2 zWhh;FjAGX~X{Pj0SYtrMSJHaO_m^1dlCbNG6IZ{Cg{L*2ciw%8SRKq-Y>uiKN;`7x zd{%n)_k|Y|%cohP`d?)506^n25Dr`#_!o_$4p?l}@F=&7yMQs?n~XHx+Z!+3@Yi}W zLG@`}9p8Pq_)w{sid|kAuF|0;FlwpOK00x4(g0H6(H0L_($F z;bSQi5k)&YZnGNcS*6}$gienRt8p8RdN=HXT#l81 z>=q7T%^oj7_|}&~zx7%ew5Z%l$5us{kge!*7BXOA781p+vhX@*j@tVqW?0PgvFt7Y(YDJ(5b8@3hxd<)5HJ@{%Nf`=c&@MzA*`y3QOSAC z1qU>$HyTvAflET{M**nU|Er1M9LrU2c#_){CTN_#d(5GJHFUi+Xm@yfhI_8> zO!ZP{gWvbM9^rHh(e2i=Ctrq?+x)c%Z05NF381*Lk2Rt_y7KTQsg?=G&$BY*y9#Uh zW-EOY+@c=vP&DW@7@tHlxpY+eXC~gPf$4mjB1aEJjsPF$yuBvo5G5n#_2P#1cZF6t zzO1`^#f`9gn+&SX25C=`-TnDfDYLXZl(XIR%5*e}m1I^-HqAUE)=Vj)EM`LUW?KRV zg;VQ%5o|w9wkwJ&{QaQ3!2V&pS8JGLeaJMwz(kV8sBx`s-R`Bjt^WKQNQ4l<(jv=R z>>IjtfER96qRJ1CTJ0Fye9v$KrL#P}^u$x=rs|gy&XpY^basApJ!L;%oqx~J#z6on z{&>23IOqQBebcAPC1g=42ML{;hbUK4_rw@+Za8#N-KtJ9hhrcE+fvOlzZz_XJwBS= z1bte746)x*O@o$2rWO7zx@$OUCcSmuA{FW%r-Izd(R9i|q-$t;XT3;J{G8XSHC3$q zs#pY-Y4>AJU44+-hSikz`<4fqL$14&O0|tNaYl4wNBS-Vex4umlG&9=Y7fm%wLvTX z^0SF=3saP&=#}5AlU3P9n1jLBL+T1L5d;Dz_qXUShTw z+vzgb=e{I%k80Jl-HlPO*1R)GUhe{B(Y;7U*@KUxg<3Ma23~`emOlo|Mo*3%VPCB- z!r{o<4=T4>2Tx=Qcn`O7X84IU2Fj2X?MTmbw-{oq&K0QLgYU*=J!DW(kZKCH63S~Y z&exeyp{;lkbk_72g3VN0+VH_A{OF5aebA6`$=Ez8?j!_R<{SMPsZuptHYcq%J%AYsOOL9 zrpqgjA91Yna3Gy8&SBI{24}IR(+}O4&WPML(P=Zb#t%9lJ!4Y;9MesY0=`t{CqTI1e``8xj(b=848{qDQar`A=6lj`}4^606b zx`i!wp=*gU#26aw*Ab5(tE7iT!-^5zR%&e@op#Oe`2`3XkKWwKBGD`@qdp^byLZR# zULB&J69_DFV%n>v#kXutyxbo-ee zFnlm>=V{>8My!LjZJ^x)j|ByID`On zpZqUR2=Gi5|9@pZ4n!qL@(J+Wn3n@;T4dBw`X+G7k7m*eZ3%Vcy0IGrnp-Yf` zmo)Ld`&bG}Uk_pguqb&JZ03T3Y*0zq1vVDLy_Eq^g+tlH{n^LZS$RAwB0+afE)X_X z=}eP?-o1$%#Id-=@rwALmD}pfN?fQ2lD;ojYS1#QN*?{~D$BjsmH=EO@e8vQI5a8RgY8$zuI+jxI5xN) z;X+;x6bH^_U1Fde~F7+U8f0udp1^QGGi_|oK#H{q9^Ac+uctkDMv<=B?JmRjg753GoDpP&ons&Slk@ZqV#*D(jHnoEPDI#s-+he)z8x$fu|M;( zUsZZ6)I9fQ1M``lsf+%*#bLaOtd%>_pdB0AdXAnZxJAjZgh&~6amKjew$^6u`(Y67 z@^9F}Jtmae3@#Z!&UJ7B0W7=_auLy2&jG-G7L@9#GAUmhPO<^Y5Q0!6GLh{ch>C@# z0IYM+^G|RbyamZbO6!KP1IMA@DW@48E&JX z;=P1Su0CEfV)TPb6$o3n`UEVTwI(}1%>ZF=0<+};FXepIWslo zy5#3}`L8pw77aZPay9?$DEJ^ukidQvcHtcR(QYODGuE))Ln!;!RmedC``8x<;Zg$# zXAMgn!9!+5VEU|KnahxUyT@3&TmJ1F`2`N5O@`vO=}cc{`$)r-mq?2wL7bS<(PD6} zp&A|HEvwc3V3U{uKIo5 z-~Nw(sZs?#%H?r^X0w^Xa`OE4N9%S=ryG#iPG8u@VBoTaRKhix)6}(Wro$1n{24Npjtnk6a+6929?Gm zj#rF(7U9&o?@=8dSE=mYXXb=%{kX3oQaX%l!Ts_`%6vhQ?-+cy>(jZdZCtY%Yah^j z7F|-O__AW?B@u_dUUKH;M?NEzU1*NybbfiRzu~R6Ov7AE+i#7WT&V>=tHibdX1iA- zRqAiB8Q$7DYo%|OWSd=T4)ajfCYd{1@5xrgjxDW8PiaRC{>E^z!~j_hTV>}pjl~RG z7DTRz!DhIcSL4pzJhML&HTHD^>cgDn9#M*;YVUIRh=27QW(kx`8)mU@ekTg5x&I3ST9K8n3)zyPPYOX z-D<$|^;}SS!Lg+$C`-y58awl<3!HSe9Glk4*{a&b95r0sYCD{?bplKf%+OHvAUqUS zt7jy!wA7W;I0x}o3teP=zT+Vf?xTH|lrX9*NzzHM)djUBpRcrE7Z99HCc0?;-U&J7 z#9d-n_C{XptghQg?s^PWl;a5ck+@(r!gcNoVlSnDuM=&q7hrbRn3nWJK6=;h9?8Gl z@czZm<$8A@pJTynQ%ZmZAx_OR*PZF&#Wu9q(!W8 z7<0x(K5NI_>}dwnyt(^>K%3JMw<>tFO9}~H>>IPE4R7mFQBen& zYuz2QU0m8)TD)O+HXy9%ayJM6)4 zd2O(w;PtBxl>*vNzV93?*8c4CiX}aK*I0ViEN z=WMA00DKZRhL9Z!a*Rcs>XfLIXu8u$OG+=UgAq4giHwfaqQ8s$9iS={O}8Y6owT$K ztw|X2bP0SZTlm*r9gyKg?1s0B9`&}mshq$TH0oM&^OJXj!;vOg>D9HAmD?Yo7va`z(aLBRO_&eB5FDMpevT>kk4~# z2X;Ervg%;jH3(;0{J>!#d@M!=Y_mv0ETyDI$n88e3D&8!jt=e3|9<;*5335wTFe3W z|517VxwBhpU+uJKm5JmKg_Q5*H}nyzRuw-)&(zc?W)n0BKU3m-vNVfia`JX diff --git a/wikipiki/overview01.png b/wikipiki/overview01.png deleted file mode 100644 index 2c8f3b60d732604803fe1bd7eef5ec361d5f790f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 19862 zcma&NV_;;>*7x0+*qLO4i6*vfPi)(m*tTukwryJzOl(eUzdduEbKmDY&xiNW!0Du=06_N)4K9K-F&p~|xzFyH~umazpZA8`V0RUK( zKYt*AvQ^7=0;TVnkVdGXn zBE%;_!de~`3Qt}j+~-Ry2?ahhl6VMy?k`li-p}8^gJF&2gn&jx`9z?~QNe}5EJN<$ z=SBJFhlGv2Y`f>1FLpc}OujcR@f=p%WY$kZ_CUcUi89JD`@oe7;C|lnA08Om-lO63 zg(0#5AVJj|;@iIwf&d=9xVR_@dLX+1ATIN;P=Fq(^d36w;19$TfmBTpp8${^hgdcV zD4#C?KDQ`=A^@K-h)-q;i2@)844^x1puY={r3UDddLPUKd@>(X-9Z2v3HYcWIk5md z6r&I!zzav_1_05Ere z?g$~F3m_mB@J0Aqh3ks43h9sn=&95?u2v%U@4gyP)V7c+Dm1ucQ)1|pUs&`$>80_} z^tq;fW$xH6iFwpL9cf5a{dgzVA<$+wcJZ+YVl{ z?^Lw)m_D2kK9=u!#OGi?v|)1`AHt365cwJbImat1H#UEK^F24F_1CZcy}f1e0RauY zF%{2ulRljul{bqgFRs^zyREJrB3}kAUlFj!t-gs{$wKVuIOqWVwS#Dp*Jjv{SDbl* z0WtknRf;dWa>%w(LTM2<421-t0&(Pn#B(2pJDXH5pgfz*fEqI%5cgQ>5-kJJdkIn` zRfnFP2LRx@-MaTD85F3`5C83H=Z_2CH<27-fRC|QoGk#LEks14I9AU)3!!VE2Nr^}@dDvIGba4fF{h3BVZoVB6`ESNI8#1x?oAQ0UVB`KEbz6j{7HEqhM~a}1WWGWO!*JQm1rKpVY;3p3`oWS3p$#iet}vxD(HBF@mhikxbh*) z8s!Sm_Ru?n=~`znWZ&;S&@5oi0(g43{GzIos?y7%C3x6GOrKYvS)oA#4PfXq&itN58YT3w(rw@JQQF1Q4R$uW(6(jQGsqOdYAaUSyr`i}?G>LZ7?&+Cb} z(#bO_bK}P%N6AN^x6W|zL8$)2Atq#B(=i}1Oujl}RHsN5eVq^gI;=>?N`IPin2MNc zt)xoPMB#xNI|h>|o=B32MM0}rT2@rHQ3k7YqcpAkiMw;ejNy$m7<)YLqUn#J0|IR@NS#QXr^!pT7LgZmN^(jLPfkqcO)jP~r*qRUF&w5JrZ1&$HtVXps8cnSG_@Fs z)$OSlshu}S7ufcFSb{<7k@5pm5!G#&ssF;ueoX(Z7Oa4TC=|l zv0Bw++2pBbqK|IUJXqC#9^V=7+2$Gf#tjJ{{0pHRM;*t@zQOJbhcd@T+Em6lujk-x z(lM=x>NL{yGUIL&$~gIeX{JK@yod?9Nvpm8O-OjCgx@$#G7n8U*3kM$=bpI3ovqfk z+uU7ddVPA|S;=bkIm@}}dGK2H1XDJ7mKvk|O#g`BmfZdkmyDo{uSw$} zA*}&ztV-olO>?1h*@NB%I?p|iUG^@|E*I+t!-ks91Zz+8Nb|T%zjc;Q;HIEA;fLXe z+s7=R*oPRz1T@r_-&f<)%cGkIes>fv$EwkN-LEtLh@4h_RQ_ncO27TyO8g%qzhf%# z9}ZKdVy8?I0%g697H1&!4)ntNz2Ha#g9BB9c%y7WR554ilbM}o*97f1g`S0ygf`Mm z=w;Zesl}Noc*!(nA&)UXpGe+7F07;#VjPS*=Z=MSgb6%Heb(ff_E}^V0Yco zQ)oxDY+Q4v`fdY@(MoBMsW_7OBtxXx5-$0XC`!;Gh_6wciKAd#`*8Y92xw4 zOT{;toR}OKJB?Qu1=hU}T7@^$;wD0ln%BovfU8l%GzkrP!uXeccoXf>QRo-;l^*r3kRKu9V}K1fEeg8#MB0Kci+ zaCUe9eU&zOl5Dlzze%t)zniP2!>D+4YLb&zu|V-w@mZ1Od~Ur_Z|Tu$_8iN-(2$8 zIc`Py=tas?5rpAyUGJF}&eZTM@Jf*xLpy{vLauwq573(rxbPe+P7&@E+mQ3$oN!EV zXw3xDuG56m71CZb^flUKCU|BSPd40MMOMEdW-xK7xr*N?j+(9<`_0FjTu(=2CT4ni z(LAl`uI4ql9~w+;nju`cc&wc+0KjiG-oYK5*ak#Eq-A7SrQAw-j(6KymIN^Ga zpO+bK&uCApYSlDvJ$LJDbT@uD#>!%yTEFddy+Zp~T*zYQUhlkdvwj$SxZ6Zq_p&2> zn;LKbS0(0}?p_AVMx5Ij0H zdOQd|=roIshn;X_W5)-qX#DDe_CH+C*;L6l>SY{japV%n~l_uZu>j`tOgsn^YyV`G4~+v|55!P=TC zr^BGo%}sAGz$IS2hjpFh+Gmtb?hz{MM`bau++*m|%b(qlAMvKv23b{02b!vz9UmiE zhTRNiFMFn4bv?Jp&4=B&SQz$$YO-7tisi3nm~4^p5_(Q0N3Ppk`UoNpegZ03o^p5F zW!7X)$Z|2m9Ur2;Rp@Th1;A7+I7*;akJ z<`Nec7T|*(TIyvy$w)e3D#OP1Wu4XI$;J`;k%M9Y+07agtC~B5r^+!aLge@W_I7v( zgFN?~&dOomiED`Z%BL`;73UNx>dgE)_Y!$R00!o%1U>8Wv+YI2PfMjLzyqJVhRl~z znvPb;)O~p4hn$#rN&D7b0%I>o}P(d+_co$<=;vt=|jDtY2FEInZHG%L2NRrsRrF*{J1F;rPcyFxZL& z8xU<9f27i#kBWUtfS_s3DPkdo?(N0nw5g5aV8*fu%Cf79PY>Fz9Y`wFHJ&j;QLJp@ zVZ~(Zbn9bgI+AB$WEmT-Dr$jK4k{F5$0b7FgBD!s4COz>I5WdyKC2u@1$*FANZw%~ zon3IgZ|iEqW=;1tDEmbNc!dymC!608&Uf_vVsi0RKlLVZoyR0n)JhLuNj+JwueW}F zyXQ4r0d&H`j;?*Y66WqTLAhkm4PI-Gu}qvbI>||V=Qw{UokOh{OlDbU>LSoGK}`!< z`T|Z>H-^qVoVsu+kE<_73Ul$6?kRXU#+LWo!t`_{et44Vzb2plxF7@cP?ue37s;KF zs~Lcvu8uwCId$L6eD{)k@wdNJ-*Abaw$?pg-Npvx2V4vAw0b9M7K#pc4{&R1tXMf- z)8V`rxu5gaTdU3wZgxd!N=gIA2~3P76QV7psNTkqf)h~eB8NK6{9WCn%Bu%!x4h_< z7Tju4z?mbBWXCw{X&`eR-lUN3%_+WxyDi2^!Q^ z`vGbYm7XISh^*}a(x$UNPvh4X+YtaZ5gLbMcX<(lnv%4kaK{KmSq$dE3qfTkLrgR( zkI&f6Q%dPl7&wPbo@-{~sPWtfXCmUW>#taHHNU8I+otpu4Py^{4gPpQqUIs+d`8Xl z`F=$nC4A0Npdw#-L5i;>3)5hgd&zo+jd?8Xa@FdNH_2N5^>XqB#)YC?{!$1UlZq_w7YO z1pI?#>$7+ylU5G3@25nrOY#g=3G4V#rC(U0xlE_1L@X-6{@)-jwV4S1p1Gj zP1(#M@jN?bdBK>R2b8) zju;Ur`}4fVV}lIsw!|%Dh~`FVAX6Gv1v=H*io5h=Y%sqyuY^emc4M4kbNg2fl?8Q- zL_?{11~EC;++lZm$?0gVr=TpWjbtgktW*&*|6DwLuDZjX(Yt+yzxix!ui<=CB2IfH zo_rHm+EGh!>8tnzX6avA+r^Yq?01XA&k?cm+ucsf00DAs#NS@Is#QIlZF0|9tL2YL z-42=i;?1SCW%!6a8S5-2P?{?NFO1r9!)Z|Xfs)+A`v#%R(ENJOU#rol z!VFYcM22z9`*h{7rsq5pOw3a(%xrSWsB*mdjUk2`WcN{n4V`XQ#w@g2?qm9k>S}W2 z-Q(#(90c&yr+gZ-@YlIh=G(8)^kE!dR2DIjtvy0DYtniIb0oHU)r(M7B($(sOX3UM zZ@(|>w|qSV{gLNYoY3FeE5|QM*_;ctJ!TYtZHIy^v4tf1xRj=T47Ue|bx0nlE9#n?&%4Gdo?6DX5|!Igbu z*b0h}ZR;|`Jpu;QL*v!J+K@4R4tgXkNI$(9{Dhl?Nms@VGlC31QgOQJ6~U#l{tQZA zjGDY3yja$;xUKuh*uhSDqWGk+P)dA4FE0^{y(+t>BZz&XTyvy?)oP2V12*K&85Ds^ z;u$>;;;F}fSzVw;jBcJ5Vrq2cPFT|;OhOcu#ilkaC5p|uvqyKLZ#8CC-nKl)S2_7J z{ut?No{lmd-Gsvcr3LfqRBng8snXoCN9jY|$x(~}R@j<(h~PR5+M5|6tIc+}&lLSC z>lQ~`_OGR5y04#8`5gnbDh7R1SRklse&_5Fn<(*%cCZbMu8^1SZWS)G>PRxGgk4Lp zVM|1QClHSo%m#X_WhPsLD!%Z*p_2!GF+I)Ma{TvTn!5f95?!m^lbGv1;-DM~X*nK| zw&ac>b;3d!m}zauuMDx<@;*s5WjiN6>Q9xAd6BW=iFw5|${qbBIvLFxu*0I1ICVpR z9HUsF8zH(V?oH$Fg4xMQ_C@8e6;hwiqzsT#m-1gS7}Y|5`{F_KR$+y zWMDJ{q#&?P-489u7}YJvJ@otSxOLGdO7_*f$N4bE!g8Ga7C4axhmlytFdGxB*SC%` zeA*WF=u|s{f8<8c&m%@OcVVCRDWW@rV+8DTs2bp3qCBntKkKj`t|CW z0XTEcI8&J~w>u_Pw_3rGDUvU46h5Ik+3i-40I1f57rVHv_upl-nhv6yj>~MU2@TAo z&^DVdw|N84C&_ogxzorBiGAVSGS*Tp7x1m9X)kVMPaFW3$)EflCp|hAckdX*f!}?7T#W2jz-XyL7w=6I5M5L!_!|4$_(`Ese7pa%ReMI( zMA~n@Ybnc0iQpKWr-tn=eXfCLu7Q*qKgs10uwvUj-pP3jbgRhmKxeKbW^s03Nh>n; zG?pv5X4=AbNb5BTYG$Z68uU0j`)(fgH)^HT0 zY>rFxl=@NTC7@^c#CB%7wJ{t%A%T7Nft>1<;laG6B_KY&*VvT|2BZ9D!RZr_q3Q8F z8z?F_q)a}%Y9eIA5#SxNpJqNAe{9IUL_7iiK5m(7hwkNQ)nkK43vE*mJMYX*4VU>c zLQ`qmetoua$F1n<%BY0r!K8)|8*Ug$QClRLaz>Ms1;hN+*KoR;%YzAI)^H#EwCkn5 z{E&v`;Cd{hW(<4SdrY@ZDN%tY|qnmh6R7j-c{>VsAE%e#?&9|XXv-Sgcv zA7t0*7Y|7gL?&R(%2^-{iVYts)au1rOP&^Gb0SoLRyZ3vo`n;@b{227c^}-`&S)u? zhVeYW*{ex&=r`{lAoiq$FY4O7&eJV{^s2|rjonQ#V@7XH!Cvw+a1i&mHu@?m;y-^uq$9O(Szgw%O$+*Ks%Xux_nP?> z5-1Jbk3`sVWDb09ld`vyRSW)P3WMhO{}7duH#@J} za4z0|#O)V#=0OSw=-K9=7Wi~eo^41+G|`%;CWKyA;7?}xsO67djnIk`KY+nT#G*i_ z&Ydc~c*K!@hFIGAuA`ZUGC=IY{{>Tmf>3R|DSF=NJPmla<@Sp>?+gXnf76mpwf^+b zaLDtVY~R$-FM^0uHHAumEsijFNsRjuVARikD2IQZDmvg$_n^}bl3u(`D%+4)2< z?YJEw>{`%Sm5QD~4IOs+X1S`is3AXkG^ruonT&AF0i2ip7w{s%Y3WHTGypO}R@v*16XEdoVc|Es>CEMPG~m8&5H@k6KwSk5nSh&9$Aw-RGlTcT zJSOd~It#UCs$e2t6nA4hNaBq^)<6FA?OqO>u390BgT5MN8t24Np7=uqDx_w}O_=eA ziZf_&xe2n7p#m^=TDz@?NGmXrDoOtYY5xNg@VzdN!m~_&R9OG;D57HzJ1FXmG&)!& z_n)YvGfD}JZD+Ws-b^ng`_WDA#vOlSesXM9Q{bYJXnYzck{4;BTN>T z#9Lrbp+Ci5HPKh0uJG!qDp=nIpn+kdgLYv;eN&DMt6oiGVe9ek#xG(O;o#Y-gQELD zUfw<`q6(=2A`FKlN@`2)sUPXZX$&fnyxh-{3Nuq;OeSGwF#Za&O`338(HrGg{S5hc zLU#O8mC=nOe|Oai3P2)YDWo4qXVToOE9rpP(0s=R67BjCD{o+94~#XjCeHcsNmT%v zg6Pu^oE=#4F=?={oy>&?HCPJpy`FVT+SZxFi9Q>QajfuoKu(w5 z^qTJJFa>NUUAn@Vr&iQ{igNNVTG}29Zw-ZRUaNa!bxx6e3evXcDeWbdoXSLg->UWHQ5|GA+LR+{(U^W(DC6UFFR`8oHsWc25sf247X`BzeR)&qn* z>zv;e!~G|vl&vRF)r|C|509Q&T19|k5sC1@aI)PbYSKEV?`vwEKfChNC^ThB@J?~x z^@Xl-eB#8XErE*iE~%+S5#$ zUhW9Cek&AoHjcEVA9g2>;1EoF*YL4VR}G)u_uXh$z|_W#N#;xR-ghX7ryAQ0oE{*O z=&~ga9%-ZD`tfww-gbGQ0l>-Evdk~)bZqt8!o4gT(`nI_td9OvPPza3tS)k?)9)=w z%JIm8006YlkxjK?`+QiChqwWriJI@KKmpjhi>-E@P;7u6mSs-Zo^1!>wA&u4+lVyj z33bboGAl{gb#td-z836BaMgnh{Zd_Ruo{n97`1+*7! z+_02gt6IkYuE;>npZ{~dGbC(NA!oiVRCd;@Aa+J-8Rm7t3x_#JzU+C^%*roAa0fo% zB>fUN{u<(M^x(nw1qC!p;X`AWI%$+B{#HpU+e+MlJ;Th*Er#l(Grq=iCXwj*f;&RE zzPe~#KXHDZo@JZm;5qBurCN$ANlei9gFaCtn`&s3z>DrK;i04dSp18Cj(;E;!=wYp zA)GPF7JuC+*#HSf${486_}PGq$!S2X^05-Kx6c*j^d_l>Yw#*{=4`AL!!tTUs%(U9 zKnW7q5uKZ}ELqi*Jt9>L*)9x(k&1c5k*&FW)vcKDK0(i7ymePS!N4!~F5rXh_nmIjXN;`N!`&F3c!_Oan4y$xwjaA!I=qYL_HfCdS(~dmPm=>2h8sKv(wF zXO{8Etio(09{00Qt@;TNcHDR9P!^V#ud+1hQvB+=*XsTwRf zOzSP+Kk|R}tr@~cTU3Jf40kaVzR}u0delap`@2@%HoC}|DMFI>?eINQHBayt|7G7) z$RVCS|G~EZ0o_1MezGZEpnY^OD$(!|A@zKG4wHCB@0lA2mB6TY1JtFru;5eGX zy^X@1XUt8~mn^vKHH($y=E=Ukk#YrOj%~nhQZV76=T5k=kz#So+`5ZkNOWG){}kTR zUdk$@KB{}!mLU6poOkgyys@G#v*ohizjzpJBAd{tDf{Cw{!wDH%@r-l(unYs494Ko zdP1p%StLcbyoC-0wl=k(dN3>u#nX#KFrDpo@N^a~=oY`%Q`DvwFRJVOt#Kg=qOp_p zr<$vuMhflLD9$YW9bKl6%Me?+xmU_#bX#I6JQ^0PfSw@4cKeNVM4HxBqoDP=v!fA? z8ndz^lqy!r%-y8v=+tjCKMxz4Nc&gQ@=fbP!xOAcn`Oy}9%WSo18?cNe>b$8d)rw0Y zfN&f{Z9rbJemhT$^KiI@{N}mAdppc(#`7A$FcFtw$2Ib}p;MIQ-r8hpp*Q71Sy@;0UQl%gu@+KN#itsXow)3xb9^5Du@ zr+1SZ%VVr`gu0c{g}^YJDckNA4It|MOy_@`SLgM|qW$)jmrh;}3%X4aXSrVc&s&>Vu@Myk0j(I1q7p zbr>veGYjiba4BK+@f&1t7CW8GkGMZD_v+U#Z6uC+^6On)&aRt0i4{_NxUKkcxx9FG zZxGwV{fe8d#uQnM%Em5!acbR;^;O!22m;`u_Y$TwtPO=^H$a!tS3CU5uHB`3a@Ype z(vNC@JFwug0mZCiB=#SsG^}akHW7Wc)`sJgV=vRhP#2RD&JbVE%&6if1uJrt!jMiU z1|(V`XD(#uQcZP0W3oUZxqnAOilDCy44pj%vzha1d$#NBDQf>7g!Lu>1u^yV?B&XueO?csPq%o<2o8S=Tx9KF9*tebpX)guDHF-f56N67yIxhE(qn z29Jyo2(vR8>}izx5e`W2qjn#A2gBVMy+*-Kdo2t>{sJT7K(R($AENbcuG$+qY9J93PRlibkrq^!iO z+EZWewM7PmXD&she?b90Ip5>dErx zX%|TvKLY)C{YkU#Y_luAgQqEP+6Pp)A^ovbZLA-t{Xru9;HSgi zys~f!LcHysVq^6?cm=8WB<#noHgjcw8!< zZujsDoedu1Bs6HdiJjC7Y7;a24MA9KalSC{;DlC;3m4ovSc3j}rtxq8{%Bs0o~2ZS)OKwihjYnB6tZ}Cb^CN)D*_!8eXxTsq<=}X@>UFV(>s=it9J_2aZ@K=Ea2C)T;{vwn)xM&7k+kAJ+|KQBLrm4rhl*eO$VNX{`g_FjB0i%R(A z^}fABFQ!AoA#OOgf_DYRs?JgYZXhDv{RYwHS>_j%Swp}tIX6JmNtIIYIY(7{OXi!S zZGb?lfp|(X#@KkP^t{k=?0cX0X8_*dLseRu!hMRBC}m5VDIt?;D8eSE>$$P)YXNn+WfZgdbZ(r_srDeJ%fLu4@~JBA;sUuEkrop zu+fV##$1m0+-U}`%^C19cDUGR!Snn=f-3(sK!lUWLoY@P63?`nt*|5YE&p&vG9hn8|+cWO$X+6_Zu!qAFEl%=-p`Aqz-(Q=+8kgj{ShO+|Th1G92_` z_AoGaCUp5Vc6xZjR9n!-q9zpHVn)lh*I=iYKUyxX?m=O*5b4UKB;TTa6FecaJhpob z4jZa3rygm$-%U2zFZUh_m!9Y6yDeaufEM(Pfzyix-$_c&1&FE&xS8hBkN_!zBe9-- z90}POOHzt<8gQOCjD_x!2d5N3|B)(85&R=$_`k5jR2c}+$m;E7i?f{@8zrx4tn}UL zXkil5{(SE@-TUTm6Yuxk+|M^Tc6ojzvSVubcqGS0;J{c*GBm*Qd!fv0^|v?PY>jvF zr|FN2J(Xgf54H7=>kkw;ew0Oq5V5qBf@JXchUDjoC0XURY+*MAnWd(Ys(6ac28@XG z%d`%0Nm6saZJCdy1KJPob)AkEP>&C9kEc76_uIq6?8nNBZ=o=0eB`86oIF75NRFZW zf<)}Z4=Y(22*k1(5~WgsE9<>9dM88S?-;@D=7uB_q_APT@KTi-5+j@ zS!s`RE+gH@s7$`{(%7_;f3J)Xb|-P_xJ`HJ`0vV8;$WxAuQ&sYY;A%5rB$0$W!2## zIVN_lLzDC{^|<+1GyAABg2^uQjFo2k2KEV{A1C}637nIZt2neIrn+98+-*4qFljp0 zH@4E>Bva+iI3jC4hCjSd!pC-KyDz7byYC`thulAQt^Gd|OLG2<5Ojzbha_-@+`!CD z7H7CF&nucH^K5O#JHHhkN0K&yXCc;z<@>W0TdTu4ReV$4AAmp!S(sIS_oW9wH`P;HCdrzZVULF<|U^6Nf;Z&rh0KC6hA&?+ClM)rKA+7 zC=^}s*voQ+maU!sF#6Y_q>KOmsUkfA+&3&NeF?=5#HTy6q+%TYP8{v({if~6OTNc% ztk&;^l3!EXm3x)iw|A5{i_V?j8c%E|dTYk`_LWhCATY`A%q*Q&eTIhe2NPp~>#HCB z$z_pkG=jv3{-pneWh+M8@@|A;3vzD%50#q|Rn=wj2j9b+Tv3n9}8 zFl0ZTIN|O~A#_&-T5HEOM6}Q6md6b$7AXL3Eb~>ERTXWbF4}W@~Wv2>i^tkmR>lH>DbU@{(5 z{GuF?!$}0@hD&YOtfiZtVJB*AIv=*RrB6o_0>vz7G~ui@k7=NQ2-6>yrdg4AQ2&;b zq%rP)Uu3y={ZG2&okCHPkfPxeE=A3QNQaXL`n;O<{8lf~#XgTOzUxverdRoZ<7wPq zIL?arXz%Q1*KLq=%mLZ#@V}%8naBX>6vQ}KvwNbasN6grwW*2A93^zP3ZDIVg%WW) zz4)UOPIoOGt*G?LZu$iabO3t!Oz%BczoR7M0xp5t6n) z&P`B?K<1?*Bysjy?i~x@&cBh34Thc0s&PMT6!+$yu<*$0J(6tM0*$X)#!lmc1JFZn zl}Wi24tVL3{tp%u>*W-)psCHgs(Vq zM#*O}JqOZe$V|{^EGC>n#>@>XvP$bIL$&^}$uyg5hcd;KvjvdGMw-O}ZUMeGuscmS z|5m3AS7fBlV8eBIGAQW>!uzl%gU-CD!{p)8DB}wSWg!%u?tpLT9%0$wj86YPbx4Vj zU1_zOb|&o>KS@&Hnn{Kfl! z^&$P_-F(wuCrEny4ddmY0%-GF`_IsXxB&&}5xtO>`M*@=t**Y=VoR&!<>=56!+}4! zeaOdAl`+I`0&|H%^z#}~u0fp09BcbZHiB?bLQ>-@Pb9Mjx6kME*` z9?|`41qxI0*tQYzpeh7t6q^O8$q-#5$8=`(7o(1m?ASJhh*N6h?^T<0-%70}fR!cA z^}ku94v$*dRaF*dRNLtbq|~n-z}2DqNCuDe{zXl7+?3{=63;CHH#Vzk zRl64F&E_);stYlsou6z<8i3ZJ)O%Vk#bKJA+JhWxbPA4+Zu5_Sg`!xo@)0JRphwZVnkE&1pTqNBSo9urv z6#h&)Sm$^BC$;byrcr!}#b^f=e=Y0qLSa$PL-G(4Ty8A%AR#}pFfzU{MQKE;mP!J* z!Z$N5+dXBJj4C~~Pf;J4%N>}vPS;P}%zn*3PN>g}Cj6B@Df#16fyYAN#gOH&SXEgT zcd;mGO7^%y0Di7fD%IsXRQBQ1OM=!ZTj~@uY+eG&0=WpvXJ&NzN`JKx8O8}A2a84? zrxRPRbG@%|23CoxaFb~`eGE?gstuC8RW_MFDszM+`MNXx>7l*H=@Hfoc0i z=Vaz3twWMub4$Cux2Q)^`!$W3BOn_=?d8+(G4Xra6_emlYHhM%&F-@;CUK9#{7Oe zh@Rp3c6^0yJ175ovV{Bga(H#p@jrUqFQs%~zs*b!Xb^*Ntk4nzM>%8Yw-Y_?0& zKgpbF_wz=;QO!-rPF@8FeTg((a8`L2c%{?zJUFn=@mu}|Kb#3ZadYkp^3h$vbEP$M|f^HR1_@Ta*f zqPux8{ppCIH0Mbz%*e^ZZqn!#Ws0bijA_|Cz&`C*CNuwk zWSt427>^wcIW_7DSPnk|)kB(1Cyw(m(uHz;H3|zhbFDa(-T_Ry& z#vteZKwwB3G|6^3gtAtoPqpvEP(u=!xxoplGH znwi`{#Q!*PXnk=|JfUVwf?ZGPTSbn<;_J{a(R5vWB}<`PAuuI z$dF0>_Eqp0dj6Zzy@S%dN5Y+pWvf;??|z!f{zFGCdkLndwW4}?3b#d*lPQLHA)=;wb~7;<%@b26k+kE*Y1FfjM8oPQ4V{9g?tnwDz7PJm)y;>Qjfxw znY-9SuL4fY`%57Xz-QE+wtI%@fZNdHaxu3drY}r|m(I!g!tLr3ZR7+O*?!@m6Fx}nK z@gk>9v}+4L7ti_2TKFD8!QILPy`FeF&!%N7fDimPr^61`Z<=;MqSbD+IveY#yP!Br zs%fpvF-)EPjgeP#1{+A}gNdh{jQH)0gKm#|cMm1baaZw_u2!;u83;QRI4sY=0$LHEk@jfCAFp+M2*8z+$qPe>TqG|56i_ItccX3A#rTlcAnWt%}EDn>v^P zrkq7vuKygwYD&0+?J99`5S|m43aEGv-4c1J-0YN(i;jBV%AbA-et#6649=EiP~$1a zMr7!ENG?6puCm0`NMYO%H!m&iq$mvd=J}9D+g^b4%%WYz&4yOHi_@aye))wVy8C4+ zG_1V1!#z6Yz=GevB&(7=-t~1|<KMJikGcFrJwM z<`{kG$4JIW_K)bC&R8~F%Nv)SQvg0;J6g-N<&}5V9p2sX2rh_B&hM?E=C9{#M*yGL zDjlf~r4B?KmDEX8Fw?%FDRMvyYoZ0MlQMtIy|W7tw9nQ5YQ>?#3RA{WgDMSUtC^a#jNk1sHs+WPOnUKuM z*R>Q(|6Yd!Xs}LW;)a~rH5Lt|r=RmCZ|N}On$Q|gx?Vl^r(QhceiD0thMBAfB7Z|| zS8yQWLu!#tlPepoJ|r;k>h$a#yx9E>W_|FZ!Gey2D@w)QYw3#B1cAQ!dIOj4rE@}! z3n@7NYl{-wXTyKEc}2+hQNnJwASc{fm;JC#*P%$|g~e4Co0l>p1YdAec83KpU%1%s z>mRbRI>Sk3+IbuI(13f1QSL>&*w1>f5#z#mRx>lGaYP zX2ro-1-`P4XvlT{dpJKM&u?w?g`UdA(4Mwss`1`4ou~ntA4_=36qP2I^DP(;nzj`; z#ALkuvD$+U&l`tG`hlRNUg}<_!?#e5g}PEwV6DTZz%}5Na&`4f12D6o1~1mK+Yb|# zMXcJv!ut@8elmMU#hzV5^)DRG@1C|+uP)7wtN2=QHmJo+i zhu&7oP%J&pqwCn*-xUwTnuP^AHgd8`zP`Wbiw07D0g8nF6f^Cir)AY3$h^7BZfASb z(;dK6Iq8m1_*1_iSfqw#Zc84UgJ8aqFRe8+)5|QG+dr4#1EVsmwj5iyTip$BLm9iD z^cA(O$`^zDZXu^h{;8DuVfvwi4I&8r}F-5=t^*Q}uy!EwNMpQ(Q+RkHF^qW(cx76VWfv+j;HK9R4Lq{QaAb1%AL zA>H`k$j%0Xeo*l53Mb;!KNU_JI0~hof#|8trE7D0l~D1JIOt2-gUWwkry*(UIK1V^ zQV76bq&32Vi2g-UUL!lawRbVv-K5Ye5+c2l(T*o7+`%fC?pes#)&Cba+1?%uY#QM| z+A1L=A`@fLY+&ut&z}cGVoDuN;en3rk)o2w2ftY`B0{g-hRkqlB8a?%9u%{%=hY z0j-R%YPvedABn=*WP_6%Dy-=g+TQ<2nxdlpS*3s_Wb1RNb?f%G9%~T5^~g4E>H^7F z3KD=ZKeIB&MTxd}CM|RBJmD6jDO*oE+D!lDZgk8qMH=B)A^6vOQ<2w){AoS+|5;*% z@Rgt8eQ(1vm^t}=7Z}V7o6q-o8kJnnA>3Bjf5dh`U6t1OMz*zPoTj(|5%f1gW4e)6 z8qJveX6w3KJRRPZix_Dv9Ob*(hOwduc_PkC`$A(B;WubuBrrf8t}kF~b;akD#=n#Zt>G=;-<3-b7c3x`5apfG)|?jgYJag*IRfT-%mIua6aM1d6HZ?l zu*ed~qo@GE^NBy^K=HdW8a;u4H|nU`)zAr{BVD{ulo-?uh;YZ@OeI; z=kxwNPS2&WKe4IjSDR+)x9)7Xhcwh<1xx<*jmQKHY}ePN{hR zD8u&(RY);RFCvxYg1if5zQSyk?B;wg6RT7UV)1#RZc!~9BmD)5fsN6YJ<+Qtx|;4g z{~IHHS}mlHT4@MIpxp=9@8iXuq!HcL1_W1Ggvl?1Od7(_v2hIHmBr;>3NgpJ;7{$R z9)AY!s}I^X(4v<3%F8YSS!^VHkY%7=dLFHODv;z>E3wQbG3~HX2q|U(9u_Y;eHdZ8(Ons%iXy8UzYl;xJ6<>Qrq7YWu1j~*GWa*MjN}*5Ntw{RV$Pr$+ zkBOs0PIk06L)(iil#lA4DFjn9P<5Gh?M_;0Oj10m{+M2`EwF~7D%((vKQNip|0~W% zz)bk=$1g^1g)S-u87YV7mH~4|oo`Nzis(rO!+$aqKr<+F;Qi01Jg6 z!k2g1Qvi^duLBo=vRiO@#3FK9pRfNz;}pu*-?@LY+S(+dEff(R{QXm<}3gfdMg}qqsL`E}7qJ*tjxM#si=P;QXVYKwK1BN3k zbma;=Y`;=dP=CMj#&L#orV=4G!7a43O_=n_Mkh*<5(h*sOcm}mzx^rbrO@oojyfmi zfn@&mz&j^(X)b37GNAC`U=}6~Zp*ca!|#Zgm;<=; z0ngEiH{0O?@t-)9`N)u2vMx^;_Vu~lCC6cNJ^vSasdU0+)qD* zaG>>65+Xw-t=CrDIJ*QK`WRlP4D~(e;$gQmNjWHT&_L}d;|BQ)bW7;868iRq6~=@I zNi_(k_RR%3Z{NiOo!5B&?bDjTMCP)~T0BXDTZ3v<2~2P%M0DB9=QeYan(I!$S{%{A2H?RCVLD=ZUCE%{gVokoEY}M zAvA7zSxps<0J7)*4-XnJ1wfCPR?2t-cXQ{>WW=iZw&Th;J7cGSVlNULiR(mNYzvk_ z@3<1DK_C$wdOy}(r*7UYS=jq+&F_*c%_YTo$T~8?D;}kz>lj#<0|ROjp7o=_T%q&5 zVA@bv*Sq8??Haw3xoT}qmyh%3g;cewbjP9)%15!<)W{7&E|jU?WNfOveQB<|ICc}& zt}RRy5F=pJ(yFAii5KR^TLb?r->xv3$aSYKOoZ8=&?JYTsyUHonOmgwjG{W< z9#R4r2qe!5tAu6DkEHu@=I%D-m-1(MjOwSfy_dUk%xRQZ5k zcV7SMA#wV9nNj8Zo%vV=F$>Dc#===hm@iBk*rt?H{Eiuno;DRgJ`$Yj;R+$WhO&0Q z*tH%M|_47>q^(I}u{KHz^UwF5Ih!mFG36<5eifnt~^!}m3m-*Uj2n043G5J!l zZZ_fO)M$+&#vwWWZ;)^iO|U7>u|em}gN7B5lrPOgz5%Tcc@>jhGS#vw-TD~;0~sQl z9)7wEl$3tOm%ePib3qz&KGSp;*BT}Y%>hh@pSR+zzf+EM5pY9fh0_w!pNYsXflV~` z@jlDN3$A^oPFl{Lb8ZrwvGlz=!c${;DMgIYyL>IoJjq4*5yIwfaRC@KcCVr>h?ta0 zL1^jLDWp2~f`a4MCN&$UKl)u8u^@g^vnaikLS?-(#buS5h}fd0F$=~QfFGv#HiEk5V=?Yz*)8z-s64(CZhxP z{5xaK5rNwF!7nMZqsn3```y2TQLM# z_fF0Ci+KQtpHn^5(q?;l*kArvZc~Clas#Ql{~@21P2jG0R~}cxdy4HcHhS{hL0XSI zSH(9OBir|(yBms*@UTZ=petkGKDA!>YjB_O#-LKAzG#bblPRYPvbYq;xT0O3Wo^(e4%_$cxG$`Xgpe&tv4-A2zdC6VPu1%{PS{KdSSX#? zqsRS8p>nYe_@4Zaqxn8X@#8NH7bE`%KRURaIdlR|D>NGhjf7nQKE41M8JJxyyJ8#q E2f+KbJOBUy diff --git a/wikipiki/overview02.png b/wikipiki/overview02.png deleted file mode 100644 index 28638fbf1573b81b22378f15a93373b8214557ae..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 11179 zcmb8UbyQr>wk^B~A&`(D!QCN2gS$5tER6(r*T!9gLvVM3ySuwfaEIUy!3ox{^E>xD z_ulV}_s6R-x^`9Vs$Hw9_FQxB)gfQxB;LKje**x(J1I$!0sy?AhLziqUcmB*SBluM z%WE4+HG2R+#`yb#15(m(0pN|inW*TOFQyO&h`lMqhEz&al+?x!Vr*t<1OP5e>53*w ziU-*Iw`*4-(!oA)(hvnKBvJ*DFdxilYFe__XrF`0ek@{vyU@kNUJ?vu1;a-~_*tFs{y39z$b8U zz(?SvJD@vALE!@UCj*$`7b<+`bmeG!w6L8@uI6i^8IQ%64fWUMC;((dW5HH?`Q$Q=Qa(P;5mAq#!*JN~3QDf8zxBK`QDP$m z02>Zolh5=_HTXWfuY9bYv#CyBnrb6wIo^gDSECBm0a*u2Dwj5Y_eShTRMX<(&i3}g z=Ux#Fyzxy^_fzoQQetufMVzDe>5V z41FY;ChwKfZ&Ibj+ycM1jR2*5zhucH4-tv^*he)5HQZdMe}ETQX9p_H1>oGH849%w z;BTa9&{Q2dH*W#pq6N}5^8pFo$JB3Q!Wnud_#}}<1^5_C#n=LXHi(i@X}Csk00{s< zS-!ND!UR`cxb&T`2)htgx{x1rIs8Q^d%H!@MBW(s5ZdW}Ed3_(A#kjch*p>5 z6Kon7YlFhrt=x#hZ-aWThm_Ivq1E^GOW{Ez3_Y@?U^x9yRf-5CoaBHzvM$M&@53lb zhk`M|K&aFSvs=#hasf2LYCEkAbZc%yGWeVE&o6b)rp$ocR9Y z*~mW)9hg%hv9nTt+STIof9LqI_p`(lbtzInbl_9xJ}x3_ujMDk{vMGkF8bH81|wDE zrEg36@hiWU!ncH68%$I=zkKg2*7=&_rLzdB900V$^gq40`Yg;rs*>~+bMGTDn9$sVMSD3Z--n2@&@@H8kgCd6ntDGaK4q;y zaX?>`$|i|V5j(VGXi<&G9Y;?}HyE&;zTLCUx=pZ6cA@bmU0=vH_fB#1gTk=+XS^M> z9k!iUMoBEf$~h?ttA#(5(Agu^Maq8ED^!4k3NhFmQ@F?cu%)E)%Ch69@lA0|Z_O(9 z9h%WszkL^o=@TdO zQPN&AYBEGwmA0PN11oy?P5kG0>UaWLCZ(d{{NlA@WaUfc5v9l?ZAH&=ab;G;t)ka6 z2_?$K>0gc%2^39=cngDyO$s4Og1KI5Pa&_=dSrU!MRUPfRXSU({iMhScr`BcWESsA z0v&zXd#S6&7CoG3TauoLTEh5?i+*s6vVLY&sZqF$GZsYLO0vC6bC7$z_n{#1(kpZg z^X%j1M}mAdnI>i@9 zJ;g=E)q*z#*s}aQ*X4}G7I_3eT0qVn)&-|Y8SUCW88VQ9HP^PidqPj9C#5H=`+{qU zx2msd-cr6=emjoK*T-%P;Ui)iSUv}fYV`<-=IO=jC2sgfH%;>8%!-GLqkcE**W9Aq zvg)_$&!K)rO-3y(dnkLFq9EIp|1qCehF4}_Y;-JpY%ZBSm7jT@WiNFvbv|{yL08>H zoxZ-XzR^gkdRskT?X^B2W6q?f^1Obi zzNi7Oa%bVya(TT~y{DduK8{I4UwO}IY+I~nvuF4dKjOQfMU)aEbs{hOT02ahuRLoh z<7uaYo_$vd2TUfa6KE3)tXuUMBOiOs(iKyuB}{Nkn(X~9gTq3kzl|^^3NWS;^sf%K zZGU#Sw$<8jo4QU_sUqIEb`y1* zkTXqkOa?EAYSI$RT}aZ(y2Ttvx3arZ_Oa&C?=<<-6h*blypvf?<;lQKaU!*1;pb^% z_KS&*vK1*NlZ~x6IW*Zdb{Z))3aEbWvkq%uB92EKvZ#qFMNngSQ!kRgucZEAo))p% z#7M=sV=QEtJE0_lZtP^VW_US@Gwm!Bdh)*e{YFfEUZAuJ1Ci=(Td6sBHJ`2P@|!Iz z1iHYluS)qEL+fd+X5~vxR1(X*+Nj-REqt}RhQD>y!C4$3E5F$Z@H|?XKhcs`Wl~$O z)4LB$ClJ622`$H5#!1BTUih%$vO^FA8SY44iK{It>1{HcFrG3#*j;1D&_GEjPTWmI zv3|F>RQqoIYwgMPjo30%;@F4f7QcGYrkoDG##W<(q46&a6B_tqP>d(BY8pId)oppe3y(rMyYgqUqGFtka72r4V z9DN;$DvA)9961vBF7POWOMshuQ_$||;ITk-!f=8*1LryWd88Z%o5|~L_Go^5GHLQh z;zeR?hm}X((_!ZkUd3{McRz9akP9ob_SM&ilP>2KXQH#5byWFn4^r@?3IFJ~f zK5(28-BLew}iDrkj18rFC6|y=?wJY3z^F ziS-#W!l$}cX;TpPw{7KlMMhfMy2A6Z)&d(S&~{lOz?>Q`tS;fs*O@?ctrj)lKH3x8HlGsWK@!rUV~=4?8T}i9=O1! zLYMuURz1#wGUGpg6mP$Fb{2%D?rb?Tsqiny(}`vMdLEmZnbCRvbLOoiAY7ZZr$Y-h z{y-{5@9Ge(UA*>L-y;~(yL4mc7~RowFeXQyP5hDoNU9+#Q1{k)zUVC2AzB;oYY{HN zStoZB2_=Lhzeucj2=bUyBU5+WrbK>wD;khiR8%DNYfdLl{^wmx!uq~({(h4L>UK?TG_s8YlFJ;!xq-CX4%iQ`m{qWO5<*R zPpSTiX~DIE_fextINQN>Y(0c_BgD>%=~Uy!CSE$~ol>F?k;G$@%T31Hd%Hhxk)%K9 z9`TbQ$$DOnDftAS-c+bRgjIXStBj{W?gZ3pb{)6aoBynKq_`ZYNLQdwx(q!(@jg53=8gRbjj?qDy*&eFAagZ1T*pt7TnwKgC7i7QZ%l|#myEraQkMYZ)Z;(31fC^7rWT@Lt!cRu*q_L z+X^hvJ2@^0&E<{z@q=dUD+e-LDuWB{sv;ieRnelc#WBWIvkEoqDCgHHBJs#nxLk`` zVuK4WQ!*XG=tN7K?5gBs7VIk#bF6_+N4+eSyXQC_1rGP2w+G=8D9?IkXWFtIMN=dm^^ zS|7SH$8lNyX@0(3vE@RG?9o(2C>#()+?HkyHCSVobNh4B*Wh(`BF&rG+I%@w0)0Hj z+%*!kZF79$ zBcm`fGBSbogd>1rcj%z}baY35;yJMuPV>SpYiiD%Ebl`5asKq1>Gj#fUJSjk5<|9M zG`Wl~N!b1@ZJ$_LOj+e@R~B2i*N=25|P)4HYA}B6CJvLU;J9XB`qYU^=Y zTH1P|iiyra`Ey*`(b01al*6UMaejw|eElr3Y5*;xE?m?7>^$PP`}(41QFVEFQgdHnui8v#a0g3qX#LnKtX0&VAm z6#@(MxMqH9b0P~?@acY-6ew+{>lEU_ILbH zbZosljJrHx=j?uaxsCDbEi5rAUQ!oC#X42tQQ+<$kBN_%v-Dm`eSCWb$<%PS*}Fix4i%) zC5ClK3KyCnyhIJl@)+R0@$}SSxtw5Q)BRC&9M~dB^#?z?Zg2251TH|If>5q=JYWJz zm~77>6Y_Ag=j_!gPi#f&bZSxRkrX`Wyz<;{mMz<&QJ)xX*Y)ZGthT5!Z~{p~85aUk zbyxH9mp!0dPv@^P5LnlphDm(UsI?tP$U_dMF3;exGY$^^YSmEY`8_zeJky@2L#P&J zFO_$^PV*IWsA%UBxH$b&*R&;+9CC1;Hm48xl0(_dV?e?z-ZhoXc z;A^PonpT-P=S(h}3(m;bn%%aiV-=uYXL|K`r38zm{8Pc0>e^@r zU$=Df1lu#q_3DE!-j9Jt*z{Ub1)AkQV#0ar`P$AeqFF^9HX4t%FrT3M>G48@wmFyp~}p|EjtQ{0J1FVM>rjx)>yO4w@PfziGwQP5M+ z%_6Gu@yh%{b?PzXZ9IK;&*zb`gMiYl_URR& zzzow>HbgFm(9WOBXG(HBpg;y%KB0PQv@EP5)$_PZtnrpKdTj^eKu_$T|X z+6S1cNID{;p`qD3U2WkK1pqt>Pj64%=f^)@9niHlcP=RaNG7APx;=h=ddSPmTU^A2 zIUJ!uDUZP>`#qF#G(f0dhy?bO|8yL>;}{vL1bBGDYA_pEL{QLY=jY|+d z`2x;K5dhH7(phub45z9_>vBYy{yM8RLSThAClTHZ%kJCp{h~WTXaIBoYEyV#rwA^M zGz#T$)jav9IY{u43A#03O=V$Sps%9Km}1Qws?HS_>1Vw3Y%(zUk?~E7*Uefroq7SX zN+jl$T|X1?()E(mQuFORuLX23A+{p@du4rpCgcP0^UwROIVGa;JD2Cc%oFqYGa(4Fy7=IF*sju{nOZ%%E~iw9wurE${yxjUP*wM~w31Eb{|=qh!n4-+ zO3PrT`IXOOXW$1TdZQa4{XBrBX_VX%VCE|%r8XW2QJnP0w{M+yxqigUY7S5d&hd+tPd*m7cw~o^NRJ z^EWq_Pw)B5G*Z2$E6F2+O&7GhU0ojn^|LqAtva;rf9LJS=DIk`(*+FCwemWh--KfI zf!Msxe@Tzgn-@+aFnu|$toZX-eY4c2A;*>(Mx;FbR@rN?CXbHCC za%h&2>d{rcs5KHx?8r{_qGcC&Z`FA{d}YM-=)%T5T=hJ-(6(cNaEbn}Im7sp!_H>j z?z2f>&hY!7v0!Mo*AiLB3rnkeS-;cPMuKhuuO_v*;Hk%_mYW$8wzh}GYTUjV7pWk)5{@9926m+W1KnMw(^7Xs^o2-k?@fQ@& zi1W|G5RY`s1*8t08v@7ZT3bY%o7&sk*Z9*K^zCz0UHcr4OU;dyOjozs+p^`Z<&KE! zQEqLj;yyyeu!xLC%$JV#3+<+(IbY)8Id%`E{#3u6AtC%=WeS0;uMcX!8S_=vG(%kZfN(ir*DKHKubfL&m$uMrwW~@RZ=8J8X9PS@!09&)%A5lh_NBC z9pvwOBr5W1?&2$3Z3AcJr!{&M<&Z8D3t@pBEacb0fzt7MpD$N`yACjU{rn7?adU0V zFV>|)SB~EeapYYw_wyUSxETv~Pymbex+k48p9?V(TM2x$Wc2=ivT&83vxsJx<-G2B z8-Syoq}PgGF~U?e?)l*LCKLmo{nON)yzCex<(0O%T%_>k+(^&K2tkN?k*#a{PlW=4 zN!SunmlG4k7ey3F><)&H-j|d)8Za{P0-(UH#!^4iRVF`pz{+L$&&Pw!z}X>0YLHScdEM2~UE!f&HOu z&zmfk=vo&G2Cx z`FS4sg+b=ot%$OUAANIZFyT)@S2Dr^2vc<%g^{Pde|(#pi^XZF&Lz7uNHs}f_$%{I zdJ_$l6s`|h&%IT&S^MLMvPUIpyxgv`%k%U7+i1ro2s-$MKod&wyM0^xq|;*GIn4!K zluPMhEpKM6)cx_fY~1;nGFLx9b=5+$iM^q}`fRm?)n|Gz_7Dqa^grhLUQT(MYMafn zZVIDnxmwh-rNQo)ij9RHP`q~jRtx(x3l(*3Wbzpa{9qtf|GSgUTj%$<4kw|&N~g$k zgv#c1`IUFUW#80%B+^je3a>UdTH3kK4T>`lwCFIsLt7XV=_QJXP4o^P2|j*e9vC9` z?4A3rOEd53$CWSBWh7F30BlrRI>^CjUsASbqX+voLgkyqFSx}P#I!vI33C*Zax#2; ze0>XO*O7$3Mn2hX#JCVkB-IR7*0k%IU2fn?h0NLbovK&*3?Hf~=L!6QWB$UAG=f46 zFpo{Sq6^ImRkq^R@vnQd68bi6c@T_=CIlYnCoVsr`~2pL;B`ElNnp@m$!Z(DQuVsK zk2X@tEjdEf5maz|IMZ>+=uH0Ra%~6b=JWf>@F$oMDmPC&pQ|V+d}JEO9OZ)vME~y` z<r)Y3soNP3lWo_-8xSvw>J5@#-ChaDwnb?k=6UzV+9!iv3Wl~ z{x^3N9nj3#+5K*U$xq6>#2U**7EBmnP@)Koz()BK!l-EwR`@6TTT8m!wI!4Q@l7yk zx5BidrG4w~RrW}f=OYs9Jj;UbbvMxGMDOyY5Qhb3K*;^&l^w9Vg0;R;narwB_bG8S zqr%%wQx0_;2SAT*>W} zn-HbN>50(M-#KxwhAz{G`39d^@Rro5zxB}37%>g+=TWw>`N1w!?M6_l9(wIoIdX9E za<=~$50g%IVRiK7VIStJupTh_z*6~w1CAP|hAj@QQ)3wY#!`-c#dIEc_$K7c!s0-S zXhS5|b@R&}2D%;Bs%q-A7|f8ND@`kiw1h-hjc93X{+_wJhPax@I5nBDebd3?s8OBB4ehJ-_Y(milu`9cKc?CAPE zxFV7>nJYbGu%z8guV1_kBtFMP%hsP}Y51K6-lUpm81tm!m>XHbLnn2Y`)fICFFv3k zq(!iJ7uU6EqbgEcn{+|#*3hGcPhKlgGfv8g@ip~6xTg6#^4imHoNP+$=QI-4=|jk+ zrZnwAUMpWPnI7GI!MrUy zY~4`jV7OMK2mUmS3}!+0KK<#XA5N!Xg?Wbj>Ota-WA{mT)fXH$Wiiya(JeckmRIq& ziUSeX=e^0Lll&|gt*?A?e>u33PaScME$yFOpM%nh#0&d(m(&ev*}0Y0qL~HAB(g0* z%#Z-18LZDL(QJ*V`>fGXki!Jsy!FFd4K04P7wp?nH1ke$z z&(FO-7h#LVKm?~`FzpS|WP)q~A&(*AZBad-{mmQTwP884ZSQRpI>aZ~cv?jmPWJ|c z{|6UKz#H-Pt2x-`nAE4rSN}tM{#%avMEQ}!6x?6%4So>TL5P>-j-Md{j}|j8>^Qix z?KViRp27+7Xns&|Ov+(zyr87s&h@XFV@$OfwyfFc1wgHs)Q>?UF*R5)RqE8MS3?sX zUYSUoNN1=p+K3|5y{%WY@e+5yzh*cGe!W2TR;Wds3^nX|!rh6~8QgF%u#&?`9eQk9T1$vPnWfxd$f5sX*KIFf zI>e)C74X*=OkbJGAu`RV)tHaURvCK+m>=5t#QBpc^Rq4IW}b1*EtOH1SSh7>iPuz1 z3?JFWjFAz9%Kfx<$J9X2XU4)vvP$^LFe%Nk6Ts~$7vbQOf+g>e-AZgba`^~7!BK={_X3tIDV52nAe%M)EH)$V0Yye z`c`yAMv%!8jNxhaKfwk1FK}_7ORPY@Ae6Ww#Of6FmSo#H;z@Xrkjr_znybBEzL4t1 zh?7ZcjGR6QS)k!1L}wcPeiH6r=SKsPaP-+$ob8zwNEdhRS0!*?%RP2Vb(l{K@i!}E z&j<>4Krmn)_yQIU=BoPntc`NSSuKB!_#jbB^IC;2lsma+W%Q3e--m&R^yTP`wbKw#)6YFnr4nr1qvfN6>@puoH=dELD#i%)pDj~;V z=n4VGSG%`bgpz!bEs(aqU?arN*bCtbciX3$bHzcl{fnz3oBzhuW%R#srAIOr+85)b z1$OLm0y!gK49ua~>VNyV1d#d~qFxxyF{1~b8u*g5!uj+v&nIzhKCC2P1t8pP1NU6a zL&E5Q&GtWQJO!2d3Y z(6*ZpHM)QMq}xM$n0vxNE&MLc)5q3tiW{KkV_*T=XZ<_qHAxO{l?+XNip< z!7d#of;=U;N z{ev3u!-0V)&W|mtb5qQm@|mAV>Y7LS8(VwD?#^~9QSI-lqCc1*Fu7$J4!h1TGR#&P zczRsPk0DgRk)Fc{Hu#E1u7>vB-IEX9q!|6MvZ;O!*NPn_-r4ZG{9yD4jW44bdU%cj z;^+7=#99+sS{GNSp~wY-O*er&I*qNA)rqXDC4|T32fyEo!49K?V$M+bvV8t?gZ9Av za4C#r^m588iS~XaFT=eb+d9>Nu;bCA1O@E5lFQ}Lx)tSxAAgNq$p4Fv65GG{@c)N* zkpF{scC_Tp5;4gVEK$NLzYunxAu-x(YHuPa*1`$B*lx53FZ_6MH7<%Krq#m zspm2R0B-?{XVT-U!h#0>sqlmbVKDkvDAF+QSH-vD{07O*+eS={jEwGYiYMKc84g6G zqFHz%n(o|wT5<)`i|n{h60E+P5FqhF44ji{DGiRZVO}QH+ratH=5xUzUE{`(M( zZ)bKKB4%K;)pM_&Q$TU|zJSrh$ai$RR-`wIRVxZRsO`&TdjNRcRcbKmYJ+@qmKuC8vo?@Kna1k9DK}2%K^_RfgYd3?j)cw^t%-Wumv7e=^!6PwTJS6WH zy)FzWK$b3Iix?@BSsD%nSlI-s6p;UtlB1=!EAzXCPy3bpmxxlkSjO91FcEe$gd)+4 zVQW+pz8&sB?zaaSC<>xfRPKgBtKYMtisPnLYVm~QAOTW-C7aXiB%9gUjhFT{${(s7 zarLA9OKZC}(*u)#c2X>!h1I72?_!$Q!7l6nU~FPsFVs$wQLcc7ye(q7)c;wVM7}rK z+<(cU9IM1_`wb!O*&uFa6a~0GJ*lCap>ki6E}4-OD2=%7OsWa zsSPR~Uejt^nXeLfB>C9)y!!I_v16YZJzsKr!aMyp4|$Z3m%fB;RkrK@R(MJxOjQ{z z|AHCaKQ#0&m@WSg8p<4j(a@=uVwpu^aaueRZ?<3=X&0sy5H)z(bLHpp;cX}C8X)u{ z*+Pc!+|#<3fHYe&5)}Y?-NYLQ!?(PnQTX5Il?(QzZ-5r9vyE_DT2=4BFCg1+M`=32$>$;es zt9oj>tE=9p>bYyezRQZiL1RG!001}%ai9VK@QDln0E3761j=D*lUfA5eYF)=cK`rj zkpKRH0n#!s003w?GhyNH-%V{CZ5&K(YzZWUg$Zo!ZH&z?l7Vr(K&XCaIjTj8@=*`1JP1Ft92>^4Qg@FQe%cOTR;Dmf291Eptf%yi4bvwp# zNJ06c00i8lgo*$HqF}z6DP)R(oG$>qu^$FIfbX;bJ#wG@S%7cmW2y%jKr?|56)Yzf zK!9u%3Iv#P1InjV!bJdT3;+~kseVqt5-os1Le*FtP~8ORp8N(=3xI+JFvy1nQ3Aer z0Q825iCqDKsQ?twYgL{r>dJ2iRG^kht>tMU;S}-Hgrc>BR8^(JqnMOHr$%AZ|D>NL zK-cS*ipk{1g7D{N9016PMFrjM&712aeC6aMTT~;wF70s_#0Qaq!Or{MRGF;+0I=og zJ^fBYUx($(4dH9`o=1BA#Z(6-$LS%$xE4X60g!XFqIzTdw{1jnV_KG%_jY%eB>ROl z^+#2`-c5RSyH(#TpS*cqAMXBiZj<;iY5R$NdHmBmek)ywGZptW&|qypTI{t6=HnH2 zmZ)FCphb-eWk(*#E()0T^M4ha)5N^!*F|(=H)ZrCM%%YoDa++miCwSkI(l~ zuZ$3FxG0049R zsHz3AZ+kFkx*>3Sz}I?UUiH`lg-H5)g}wrs~b3sD45RO3?V(a#CsvUJOv z2FKgN)AcGh!}HoAJnKVc^-#3?ef=Uh427&uxDpCx5UxfX1%;j(^hnqv{sk$5gkU5T zMV?41mQ|clAzX<-SseG8*Zvb{h?Zz;EcY;g$^SLDU5qiouU4LS4z@wKkau0r&nIf!2^9c_zbRS|sGWT0D&<*wp)o{>!jsG!LLsSl1 zHi%WNQvSIu?C!@@jmsA#KauXQY+qc22=ws;#nq(MWS7K$5#W%pAg+96|N1#lzL%UR z{+CoeSu5gGKZXGlV~CnK4ev9Rm`>1k(khDn+^ob2b8VNQr@+@g(IS z6(Q9|S&gcZ$`dtq6gp8dkt`9Lie9Otw5W8W6h`?*c}yv~L`Tu9QdF5)ai`?#TvC~G zY3BD6MQlZr67F9ir6#{@l=ut0)!)J()cd6Seqh$Q(hyp}l?6Nb zvG$YIOe}jkQ?;eM;kHHamX_pl3NuSGtJW#pBpCBU?xff~W;n`zJ)kH~zVQy80u^O}* z%qN2&BP5fOIhHw3Q;=yXqAcQ;=9V6s7@x?SSV(0}=Ve@EI!HfAUrgU@($jF&plSTo z*lZ+GyQ@*8e%{z_9i+jjUZ|$5pP}z4L-x2TC>J|CM3kesp3}1$;f$Qy1Z;!&I!nKh$nQ_kV zHE^4BL~o)t^=)d2d8ZM1jI!S>Q!#y3%mm$}#UbD(G$KsOe~d1fk1id1aDBLASJLs$ zPJ7FJ<}Ne6F1`2c*J{-{+qv0!$XfO|OEzVeI8G*c-S|XHq>>;*}I#Do5tk&Y_fENHidnN zKMX(IKc)f2zNBC#pTqnF{WL$lJi2=lc17`Xts33eE}seh%xMus6^!<;@ZamHAT%95 zjj14fI7pd{oiu|F`tE(W@EcNpUq7PH8#4QrY)nbl=_P1s=*_zX+} zZls$q%5hfFO0rV%mC~8>tgyGTwDJ$q8LN-at7WQ5SW4k=(ot2iSzC5)zMkELY-eu6 z?0BH3&<|_dy5&yx-Ubz;mCzy4a3u*yhsts!Tnc`p`i1tB^cvZPGz!|S7q{1hh<=)F zI&?``iwaNnTAWJ8J?=ENoz;zGfVq%nuO*PYB&J;&PI^6^D+?{nnZSyPm#c#@ATBn> zPNd92(hsP=upI--dlFA;LYqAsQ!T%8uWQK;xpNrPgM3bNM3NY%J& zB5ag1sVs|n;%vNbbTx)O<0AXx45=4sE3UCHSW1-^S8cze+?=zP$IfjPdIuGpI#>mw zoToXwk;-abuIx-Txzf9X%w5L9Pp4c^j5@i)V8P#WrV$F3AJH%$RD|IcQzNDJBWsCZ;@f}3BdKBUOBLe|ReZ0PgM=Ql`V_{PPS zxp~|fUL}R-1?m$q_#ynx_sk0yS~xa1<;aY|ZDL!X+wRfB*Ubk!IIb1vpC08~khA#C zxF)#t=0a)LX`<l&*J1=@3?Wdc^G)O+eBOU zwkLm^9BW&4AwREZmuuI(6*v=I7G4jT=hu8+Te?{DG4FQCxtU%Qdw>WEn0k-Bi$)Lz zk4}vq3x*3m$>QMS-|D7M?PkBFjR5&wC%ML`S3dew;s9oSaUX&P~2fj_l|@qX4JV=c{%HGS#!a?$lpYe+w~;yq4+R;s<~7AUHlS{86W@g z<#Wo->knqyRnUBs;D@+^3;^Ix3IO;9002)Pp!XvHz=;6>IMxFIxKaQBbelNc0Z{;e z+fxE4sN}kG+Tr7z;-uYHXpuIwcwD7X)Ou*)kNJ!hF@!o+@^?t*(D7cQF zu~M=Uji*%5V6|pss3&iB=N+x8t#L*>__eQZuUkgz9^R)8lYA!G9T$m{rBz;M7GFU3 z0RVJMlF`#6WX8ypuXOqFyMuvph++ch{uaf52Hj}cuvgN!TT9o6;<{R*^?1xjO6W76 z$0T>-lPd8lS=Vbgi#iLIjP_)ya#`HEL0Yy`64P_7J$l8rLyai5f6xy6lX9%$F*kx@XWLB1=`kOYuOKfxcgF zL|t1=jU&VoU&Za?0bk|8>s{+;|FX(km4UAzDRi)SVFP3J`cL-9o=f<}+w@=v`(R^e z5?K`Rfpj{YWIr=8aOTsz`Q76q2Lv_%kd&PqpZwxMRBQEt`*B6Bi*=3vf>&vR|H9`J z^)j05Q;K~PWpy8AZM?9J;PWWVf|Z$-WjyG+9H5K@6caPoP(xGsB$X5&A3shV&dgTl z7_9T={bP9t<|6BCA|=-C?j^FVaXP*Yoo>3Uf!;Gsz7`D7otK)ik|$S)|M49CvU1U3 zTeL}`^E6)!9-@P_Q5o(k#*RFF`!~HIbh&7f7eT#E`*^;#`KYoyx&C@>sBFjsm%Ozp zDlYE2s(QbocacV{IC-lw`k=!=rA?Y^4aMKFrp@z8(T%t}esHnEZnN7aPYw-r*S7=! zs26rm739SEv!2ePoHtdG*K=kL@V|9XXhcyUMxMFu@gFdo1pO*FgJy=+C1d8Cot>RN z4Djjr5l*IS`rPuI%&E&n54!1XY1ydmQ`}7Hosk{JLvn!LKspX(7uNCuXD#jdwzD#j zg(t5|2nd`#%|1FZqr&erdtbZo+M6*IA_%aMc_e+hv{OY9svM#@`c4>$4oCO4+aHEZE}PNJ*jRCDi`mxbEQYDgWw+fQ)KtQGXv>gJ(03c7&-sC#x_CASwauJJ#7d=}pH6CW<6`1aRQVE9(k9;SdOX`Qzb;%55!hSti zUM#KLt%ihBkV_{}e2qMhyW7HZo#M;GMH_1LW3up*15^J@EsT&5$D$?4>m zw|1(iXwSaG0szCX^aq1WXu2uL{N86zkee?n>%#PK`0i$pA6{ozFbzRui=kCAH}s(K zT$(XorpjDam!_Ve%*okqHUdg!INn)@VbixSprV6zj%lryv?=j2mA&29gQ-PC-evjM zF4YQ+JNK)D6SK2*ZVP*RyrzpMe=_!GaYv`ieo}* zkC&rEyz|B@vZC)C)hwyC8W+U$cm-a{>Ui0u=Y8~lGVXZG<_ilt3ynifVe7~aSv+65 zD~-V(g#oC2)qzKRd-Or=YIQCuP)>SxkbkupfH|?!U@`r5xxe)K+Wr=FLB1jc>^SiG=%6y1Pn?H;%`gT| z&`WLj8mU_VCg?xFm@livLJr6i8;eyoZ@}sRW$7Vy*WrNP|2b99{_j~S|91Qv9F&0; zvi38PhMfH1{q03An{R*sG%1jt?6v=Rf2;C&J2_db8UkerILEa3H5AKb_ilhbBMtwz zs=qS^0NLLQ{-4LbBcMuRa?AHQWS#Xlr;EBCZ%RRlYUhI6#+wO2`ILL*wgUIvqN{_y z%`#TJpt_nN{<*YZu%=4Sp!>sBr3pkMR7gIip3#xos2PlO1e z+$?ML@(`@65;lw51@$f7PgI zDKX~)3~+O_r-ggDIM?odxJW()H>#B#Tnh&TzQZ3Jl>uL(*yaxDB&t60`rMw) z4IqeSE*J6c*s^)p#X-eqZog^Dj4Q4CZ40VxVGw2DU{-A>Hd;%2oq#}O-Ymq-d;^&2 zBr35jpd5nop=e43fgLxC$I0k)jdwqSex4&a#_(3?>C( zz;JLa@7$>){5kiEl48Tf+Mm}JxfAG?RXjP!#5oQsHP2rKMUuD%h`DiTtsT1cZteyP zg+SF@>fCp4s%bmLepE9Gj5(ANN+zI^f}%3U(N+B&Ol$%D(n@nwgrhr`KaiAbBS-mr z^w4ZJfdr$IJCC4FTogP4>DThaek6gdA#>^Zq{p_jcMHnv!S%=pzx61N zaN)%l#a4xr=13qkuFy;+s56!kg^%+{{~c6l-?@)?On4k?bB`!Ep`eOMb53 zT7*K7T2JOfdRB^c>LMT^V(KzlUi#o%bnqPW`dG(2pj_ss%=q#?SRX|9kpm^vW!yoo+svk!He0(ImA+M1M_bPFR>w z$rez1+XqG9m^Pk+V$)nsDCxy_k|x4bWbJgoSPP=3}^W{G(3Yt%a5wCKSN|Y zvtlE|Bis^)KLP98#1(t(ayQ-yspwXJZPCJ;&DfWQ7NMx@wB#@MPc+a@xvLu3Hg8Qf z=H|6hZGe4+4=O56VW$XHFVI16f#U`PxU%h5A)InM4i94|slsC8@j}h$UBb*e`#%uZ7rNRoeMZ88j&*loM8|?wu%+lf8s#uZ zzyI?FWi?%6q+ZwLI@TW=M~&RNu^^1<=3Lv1RKQO;+DJmkn@9OGv zvyL&nbgbJq4EUyg0WvBs}~^UTe~KCk>0vGAV= z1bVjMABUa%94L80tTsl$LTzPpxf?ko`F-+&r-Uv(qtG}`pfOs~WlmD2dd-h0BhtJM zKg30*_d&D5r0YUDNHVjdkNd6N*`rrpUU6n~TJ8-Ouhg!3k|0elx>;d(Ip0Bv0|%9b zm4`>re4HBKOH?*@4698bl=~YL-Ro+ml8-%vBK(bQv{79=-a9$I0ETtwO=Ls85fM2v zWp9rpiweqZ*XJ(L4?%q5Qz}kMDr)pDj10^4PS1li05D2W4FM9B*lv0WQ0V_B$p423 zbnk*h;9tk_HF10U`+VL%kx9V-1Rld{$pwq$>db6x_qRuiut*?ng>1p3UQX8aE}1>D zxBvDGswyQTh@CSUkGB^Jq%;cv{J-+{kEZ;iR{yOrzNiQvgBlblLb{+6)L`RRz za#=ir(SVq=28+e_>*TK2efF+Y@Eg+fmD(ANrc;^8xw*OBT@v>%zH`9*>GD+i<+-H9 zg;pczti8XLIMS12Mb^rI0rUnt9Gu6KEzQRyEpXfasw6-M927*-NPt&2Fts>Snu}73qo3Q zDQA5AlZUrsfjX5yLiGR`OqWX~-+LYJZO!_IG;n?>8b3@l9ou{D+Wv7ZmSmRfZoSY_ z>IUI-0+V>_wds7rbj&%^wNT%q=dc5xM3bo6eVp5jcdX_5+(z`qkzTd9;V?ujsg{?x zt0n&9`pO)Z#+3~Re(03xP{}RtT-WVk-PlpThzTi+W@$qJDI%a}6qcTxN-Obw)3&rB zL$oC4kG{)W&HgbmKYu%Obf{^4oA<9@PI6%KJ-JEQ9iI0UgVZE#9_6VDyL%VG7d&e% zb-tlw7a3kzbDz7ohr`HnD@&tDEolO+Hr44h`r0>Gp+4w?-wQog2(`gV=yyzBNaHC!lSkQ~&~0MX;BI)6U|AWX znH;LIjINOA5*bG5^d9PYsfp7UKLg!*c86&m^vFRaI3NcoVBFU4q|r2ywBM2Yxc8MLY4YsbjkoKVeYk zd(;bzCp6V%&{bO`Eoih7RJrem3pB1^+XcDrM6%CJE_#-~pN5{>T3DQvK-|Y>!%N%k zVPW{FQeHOt9Q0X-?bFk$V%bEZpSh{RjD5?d4YDu^Z3zta63-)2Sv~VErxS^Wqa3)No>f`ZspLDg_{E^a^+DP_I zPX~8*uE|esJXwy5drc`0o9^LAr-A+ulPDiGYTn)kyA^}uu1PaIEGrsw0&~)EB2TZ< zkurJIkxlnaXh$;{xl%R`<`!dRVQdFdcwffNeM@Wj#zRKJ94hl!+zw7%yj|6&myNUi z*Q@Y7_?>UsZk&=ovfr>TZibAM;?CZp&pmA)hv3#<6OUc^s)22~K5t%Jmy?hUG?7A1 zSIXoSP=DmqZkK z2AaFb_kXMX?vdvnIC>*Sr{XwlFnr-z9`11ItA<#h$(jCutZRtxF5@Qvdh zWS}VIMMsww*(B&9>St@27vhvY7qD=t;b*On$$JO>dR2?n=DE4ww0Uo{!R7OLXJCGE zvYA@czWR_lXLq`2xEk?ace2Tr7A9>I9vU=~E<@Xnc#W+X=bktH*p?2yu^2dV6LmAs9x0DCkU7FESuepp zYU$sUXaH&{VBnS`I2a{rRFLI;r?_3Qs1hMUyoCakY;jc9)zyI(4KVv-maEqt4=atE z$f}DM9g8aOmlvCkx`X0=PuHL|P2C-AZ38W&)?VrA$E6};NeVhKxUmhWfS{z|%Cn8b z=K9{pUQ5&j;K~WmyJ(NGYPnss(UNR_ob7rh6NMg!$I$`BdcEn64AA;Xj~>wdvs}H7 z%wk`Pt-+|U!8#Sm;|DD}`jivsB%1K#Id9&uFc=xd52Fy-GY%Om&D_y815c>+ zGvM4wQUdokk}ALn370npV%wp>4@tgq$1=a|X_wUBE+`my=y-1dZi7q*E@Y zC^{UY!ILtRf3TS+>qPG|(Zq;vU4gGWJgwM3NUKyd&KPf$E+UCQv~~autCh{eK54(I zjGr7awU)0)ruSgmJhbDvgr8{~wgq^dMM+lG-f<$A-Y2g6~jw zzo;_lsFNjwm&6`&rj6!BKY`7d8(GD+E*YFzN3-Wfl4$*bxphU&(>6=Uk0E12Y=xvc zBbzj2MU?+Tc5JCtZErr<$>Fqh?? zsDz%$cD`zp94MkHN%U?0h9##fP4T$S9}(^^vgNPVNXsnkSse_eG>Qm|k_ z*1XG|R&d6%IDEe{4;=+1UX?W|Dq z&c3YezR*x7AEv&mZMt0_qS7B+R!XuzswdbY{d>NGdKmQ?*}EOwjaj`Yvs*`)UDdeY zeW(<}cQlPHv=GlTnRC04vC;IXvUl}gKn*u$fCw+T_PI$aB0-zPNhGUoHvhd2Dq^Y? zTR=5&gw(*%9ThaJyVs6BQH9Fb#gFy?F#W26%N!!>9fzxJ0idhbsGdWs79DvR{c;r3 zlh}5oYWa*IIGM$cP(kc)_l80QtfPn58T)5o#!=3M!0w$RcxZj1rw-qWJ>x)aA6DfG zRijf>0jENFYM$?m#db~=4o9NK5?binpMA%)L{5LsODhRY_>m zG9BU1UQAUc@9a0vonZl(Hcw`~+VE&(&}A~2anjk&N&y4F%2cSW13PGt#`#(Q^ce>i z%xmNPUX=k2&S`Fjd{cYO0(^B2@$2&59huHH$(ccLiN3mt{k3A!t3t3X5&wY3&LZck zA>3Ndv-U&g3kR<=8EvZMc|(^}3Z$@a6Z6LuQ3;%8%<5cZc=(!{@@OG&X@7gyfOT?* zw_VNpL4Lh5(R#a`d6(Kodc6WTuc}I~`gmxN)3|{RjcEm4GAcbS&DWY6dmZ7A(MOdn8YThD)5Gg_3B9^eluj__{!4e z$#s9B;Ogvo=SRoRgF`{M^=6VItpd3K3fYE8P~{+h>VH|k{5uU(o51fy3FG;Ay^$jH zUEX>gjPUz-l0z_dvH&Y^-I=1Hw@J%h+4Udes|lw;iy)P-f=Iuihqsg>6B})dtEC-P zE}-*N884(L@hy4LIIN4jA-_bTzQJ*{M7;Cam?uVNT*~mdiu5t6QG?ZWe((-&@Ch6C z3SL&m)bX!EmpaL$#~g<*bLR7b9sL`7Y4)A7lZW-nl;E^(A6=I#O8wB9T*pgilL$Jh zIz}?vcN1KK90KEAq>g({25=(ca41S0bv8ahx9={Po^v&-Iamd6=#*0O>p~plP_FG+ zUt?LyddxVKbo&Q%V|AfSUdXd-oP#No`fv!Qyved)S|(~ZUy|{6(Zk0)Mx0Z_>b^_> zxRpO~L7)w6Cmgpd^#o|-V`|4S>O?JXmBJzf%8=1Y_>fcHk8S$V{S%+BZ(bIKyh z2L-n*HSF*Wt2t?RWUfEY{197erJ@wjuu|jD^K}73x%V^YYrB1Qs#rIIUV|}hiePHy z-L+K?ZhLhvOIbo+q{tP0_ucDnJp93JdsR7m=1OQ(Z?vqCb1rTu}%Tr94zSO&$&;o{fJwHx8Smznx+##!z%> z$GAc!90@Jv)J4N-2uGIgwBeC{zKueGh(J->kuFWQZVDNPPfi>Fy|!&k5eXTG%%Yjw zy9|&8FPj=2sHR1hLX}9u?cQKY-l3fT7|IH1Ta(ctj6*SS2vZEwT*JeUT^^SEPVLmP zzVStZs$}5o{wl8eW)YRVm@`R@(;T^sQCV~Q0;~P(A9HGRI7B<~Jz^taRqM+1v>Bez zY!TB^mRsI+UtdzxV9U}6~Hj;`*i6^gli0nmQ73sZ+e$5_+DBT!s#b)ZmFpcg) zb#b2K!m3d>VTGEOg>zKcYGHuS)$Zon7TA~hiCZZ>**xDR7DD7H@IKK$4}UKu(zm#< z=)$zcd_q;Zhk1AoaK3J0aZ4o8C)W>;D^S29tSQf1((V)$9&M!9l*v?mT6~^>rw0E- z_Fpztf3-3yrXIxDqBpZ%X@*-$oO4uO;7q4-koqTed1f;45{A)UsmZY&d^0PVJVI!@ z*z_5ZMQ)7HGsmQJv1`;2%7&=eTgYVMEor#VMKhKC5R-ZMNym;bs66RESvkY|-R_Ll zeM8}su*RtpyH;1l644s`nm7_vsS4$KWojvbW_4bLvfLLak08BltENX! zp1zz&WQE+nLO<(R|C|VE75q)P^c9`C3O)WrV!V)jDFZV3?E5Ho%5DAn?f#fQF(+`f zT3KXEa4CzFsACb*b7!mB;e4;@<+Xrct>pUQX?XEK6_b|AfE#nuH6>8Y2|}|liMLy7 zDL~f}G<}Mv-#oSDJaFV{z2xD#FZf>aYtG6osjcRC$-?}M@47)3=es(tvHnf*-p9db zrUV0*b8G~dg8^*I#Ff25l_Qw!q~Oab&mH%T#RKw=fxO~E9%R{?!je0nXSp85yu-Ht za7hY+9%yzr@Hoh73;$N#jP&sIlkmlznw&`F5u$Z8-9E9U4QbL_vps{fmh zw1RZ!|8Hp}PErN*`2Jmj0DM1LER+k9gLWa%E z8z5wNh}4&ze0zDw=JN^{1i5D*Lv0V_`00K;FD_Q;MuW0^PYE18TYvyhPzUHU|8Gry zzyE)*90FnW3A>EbUXb(Zb9JEnHw|vOY`hxcm4ZC|BTeqtMQ;xu=VhW;aeaM#vO8so z$RD~r{k|Vp<<_*mD6BpT#^c%lsgI+e6gOA2toabh@6DHrQ*!YMph9x3i_d_^r7nys zd!S6jgvV7MeQ1tWUsEtBk8@<%hNji)ejpVbmljS7VjfZNZgDkT`CCfKUm^?1$RL|s} zQ^P$Ovj^@T;2j1$Sb?NQL9wgjrKb02HmQe*GSZhTcluN`)PkFz0sFIKEnI)9O5EOl zSIK2zC$#Xv8DWQpzT!^Ks)pU;T9r=6zxLu?$LoBEgxuWD_rn4UwyJoKt@uFRFsOLt zCP!UmLTf#AOI&{ojVKKZt#K=@!$~>lBs7%Forjo9Yyd5fRynFSEDNvncO(P4;I^~r z{X*ip&BMTs5C>=&zLq@$~!;>XI@tZdiI#lhUGl~(0p^DjsJN$5aK9$Y05 z>beb_Lp9je)5;IT;(m^=7n!ghId{G-9!uzodn7<1_#KIYQ{8~Q3S#zl`DKg(| z>3MR&vD)jcIl($n9N{7P~G)sblp`I28fn=@)BdCqTf)(f`^*A#1;ka2z9&(D`_># z_i5tH6znM>%21XMI*5UYkcDQ}U1k3tTM&^D7I9K;|4UqClo@Tlf2$MkptHwz{sg$R z9M;8Oayg8NWv8jaVB>NBR?zbYyZRJ5cODEP#EM0ao#Z>mo zg_x<-)rKJi2?q+%-MIlB3rfMC@1e7acKvK;JuiqWc|XQ#jcu-y!VpPS$s9W>La2@( zucgd!oIF?^V(c?p#ffS5%83f|6q@$b&j(9?RF!DMDEu9{m3c+LOXbGP59Ek+#EW8* z5)0f9XFpI?Xya4>0S%qW`9BUaGBT$=J|Q=21k-_{?*G43J}wwGnw)2jflveEAwzRQCdQMtF>f{{x>4P7o3Tcftea_1U=0(Zz$km z9RNrW)PwuG<$y+oCIow23m>CtR4 z1_@|y47@$FN-cfYt3vVY-Y&r{NS_!uVQlR2c-;dLK}u5&#`gtO`+x5=_&4FB#(R%! z_)Zbn2|A$~gDfQU_~ay;$ITxPjDXc*vGQ$?-sfq;#+w=DKkc{W^o){{l93UKzn);2 zXudkLZfyxIb%oOy3eOlw$*K=^WLdC`(m#QGJCB3Yl>fjxTp+Ixlt37#+9f#oGibI- zV*3xN`SX$eTI>LK;ant-HzhCKk8~6Hv%&eILcFRqP%PC>fV{NnYT;3K<~qMONIgTwl40I($%v3t0;=Av*#l^@ zoGQk$qWv*#+&QN+zX97gL1obGw9j?t053%m9oiPdcP$xO!Y{66)wUw?gg`T1|Mrs8L` zFYok701>GQpRz0Hfz1lp)a0%86h18V~HhQB#AVJW@ugf5&j6V^v+w?}eo5)s)VbKpA4& zbUy9h-a2N0U%T=gRgT#(9(3NJkS=`%hs&UR|55Y$+CQurnR-Q2=w@2q@XPO4DpvUQ zQz}+E5X7L)Y-nc+Ifauq_U9IoRFSPFlX;+0<^jq-yiyS2kq@-Q%&sSwFJ3Qe^Xew} zz}s~B@4Zj=T@Fs@KKNhQHx8o5evz!c;IBXZxs1kceWISf@YD-)?s|WIar~2sV6Ki8 zbi7?AtARMY?W$p5yC2EE@x7jFR4$4B<5K7eGNg%p*zvUcl=bo&q01o^zWqkf;$%zY zJ8+qx}21bEI^1m&5&Jfw_a|;TDL~6x3-rvDizkh3p@V zB0xpLZ+Q5$NN0d9!nD}Pq@1(_Lfp);nvbU~IsX+({;7tj&2|5*YxC7*lgsn{Rp0pf zWFxDpZTlm6&E|N+VkaKF?PP;5KIQ6XZFln8N8#&5XG1&%R%F)GA^aFKCakRFOus7m zn@>@Ax1`8Z?rrMS^{T5;uAWQg3licwOrtt{HowhTr3bhC=PB{?EW6FxM)k?;rf=W@ zf-280n-)7w(mm&`Qqu#LQnjdm;$D&(CWO{)hWb-s4;I5`Z+>3S@x`kX52Vd7E3_%H z&p3p2#hZsU7chVr)cz<{gN6(+_xoYPqD};m=nxU0&}XM*VqyYXG@y+qFE{RaTr^m9 zkylo3dQ?@sZf$lQb^eU~bh8J7@Wv;Yh8CLe&7;aqA6vx+3XJq1DzgFFQXrsUvGe3? zx3PQnvD^G}5^!k`=-zN6T(v){+H6j+y(;#(llh5~g3HkkiuK)j9-N@%Q;!b77ZW5` zG7JA=`Rh!i_k$YNbXg~$lhjb?Og|yN^n5tB;`M$I zYXM=Ek#mUFHM|R=F(c>Za*aGge_n@(fw)9|B>C{s3HW4X?xD6BXbPjx1NMWoCD32S z(&kp;aB0?=KJE97F>-6sCHJ+@-2kcjJR?9RScOJ7Y<)Aj9?|m(Jv=a!BYr>{XdDqn z4DHC;@De%>kDiWY-L$%n`bYXc==gA0AmT60`DRi}f2HO>p5>m(u$e9IeuM`@!%aVA zIY-xlH)5nl5Zk*0Q-5*OunC(|u3=R;(XL!Y8V>T8!$6MV91?izV@1m1tdXO7Ln2!M z`^LE&?>Wk9!<;fIBT-;2NNru3=@Q;jooSr1rnq!jwq6z zq(F-3w4n6RdX?m{rFjvR9?FCGzim?0ugVUC*{@*Khkt1Pbx0!j+p)Ydm$nLBB5Y0c zxnTZSY2=qr1@ogTL{2pWE9-bRLf8_`-ROr`RKT_w3Nb<%OCm=Er4^Zs5p$xvZkdJU zLiZ>NhQr7@sAq-G@+IZJ`n|~|SV>?)DPhY(H3kqxdI=>i;)R6FPDK=S4gZwtcFBc? zR|Wzig+jy)*y8YD3o6*`*X3f_WzP<1MGa*OX`vITM7&WGeoL{GVS=d?B=2+`8pBkM z7+62JO~5k(%&R%i$l89ao!Q0r8O?{^%AlqF{~MLE|; zVVW_tXIIswX^;AEB10q^Ig!JexXXo#myM*nvHC`zvzeE*$=I&aSG)>16vDy8o&wkd z&QRmSD18|Yso4()3~IL3ri4gmMzO2zVSvXiMI=i(@)BQ7xQV-=Sva@s@MHbHjP>xC zSIqC#l0|;Idm<)7E>?)w7+{>V8yush^4AJ_ zWtwp1u~u@k7#eFeVd%Q7L}Y%2fUnmH$DA!Fd7m&O?<{|-o)#Fq+0?e(mRp$QBh?MJ z{q8q|c{0v`8I|NX0X>Ag?Jg!w3?oCN%f>4P6y2B zoD=92Q5tew`IRxKmu`gx9)Jw$VX7-KuRB=#v!;>8*Y3zWI;jDth{<|6H1)l-@J}o0 zYdaw4l^s|0t?qkR{k1V5+?}p0h-uXlLSGCmIehj+83YTT z2m62;6-k>zu8^O5btJX~Mb-unwg>z|FP{^7_8nWaWL0!)agDB{`?0Ik3P+%&7Y2jG ziDUgb3ehkR@1H@;G?ZgjFx_wX#$M}BQF186XO#+-H7E~tk`&O7q(UZOCCb`3a+=aXgEQYnPjq^h zNu0mdHfC2nXeiy&C9xn9CN9_{eWFE9YFp}aZ^Rc!D=(QdooH@DhZVPJlZ}JtmGo96 zy0VdTCV3Jh!nCq^c^pcI8RJ?r-7eFDHI+5 zAMpKjoaW(^G*I_tz;CJQv{pCK7_u;SdCLH8;mjGth(s)361fBCqkQd1kXfJPZIziG#7dxkUz46kf3IFf`j!}x3E3;SoX zG8IiTW}A5niAQCsfC>d_PSUx5@cXMi*YzibY*qeQvwP;7Q_^u&c?pCpO$I+^wek7x*?ehXD`9;ol*NP*uL9>e(^%d!e9E(-?F9`Xd$5 zKwUq*xY55YE93`lHbY5nCPg~U8t2Liz46=l9+gA~k6Jf`Z47aB7=X zO;_Jlp1T1jnAcLYPPitRbQbkR#ZZgjzUPVjy!5owqGYa6#?ja_pNuuAeEQv>Za}uT zQJbTBN!k(toB!?(vLeHlMJ*0$(KSUnqu1>;+=86?U&Ng&WW3lR{H0vZ{UADzjHqH> z|DH;Ye*~{WsfJ?j$AKb(MfiqPBc7CGXrS;o%IJn*3Zo#B{&?x`|JkS0cLlFqs)&{H zd9g9bRz1Ic#iBPot*zGDvrmEwaGwu1R~*s#q-U~ntE;C0c>X;?#pqqkchTIUDc5#O zJ`%`rTD|R7PZU>qX?tkdw)PT{9`w;Z%NQ=+{%(|^qKJuurzP6*c<2C=(rv@1GnUA*3a6Was!1o zQ$^%Lj^x(p#mRJV=&J)K!=|5}`snGT9nKGg&$p!WI~?(vEIQ*H=iARy-ISQCy>*Q) zy!{GnH%$=u^SNpl)1(R!`P`i|l5Pgtl+{U2-1jH*m5?+?rAPmMwN+1R4z9d%Xq&^7 zOUlQl9lI33S;?J#ZuW}j-DYl@Ut$UcYB%TpV|pmd!?C*Y<_h19OpQyw7fqTQCs)p} z8|Xqc-Q%ozRh=0I30Jd@u5G#gSgrkZR{6{yf8^Fb*rFX;Ug(f-p1D@f{r!QSMJH1y z)TJC0J9p%|)Qe9Qli#nqWVx_*-=z;Zn=QX*de&q*R7`xZVD0*qcV8E_184j6f1UXq z1B~bC{F^7l2TniZ$=|z_;Xx3T}u^sH(eqr(#r~Qr3^%h$beed`={Uv`uYnha4f= zO`E Date: Sun, 30 Jan 2022 03:20:59 +0000 Subject: [PATCH 519/657] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 80ceef9..b76dd2e 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ A `user.js` is a configuration file that can control hundreds of Firefox setting The `arkenfox user.js` is a **template** which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage (but it will happen). -Everyone, experts included, should at least read the [implementation](https://github.com/arkenfox/user.js/wiki/1.3-Implementation) wiki page, as it contains important information regarding a few `user.js` settings. +Everyone, experts included, should at least read the [wiki](https://github.com/arkenfox/user.js/wiki), as it contains important information regarding a few `user.js` settings. Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://www.torproject.org/about/torusers.html.en) calls for it, or for accessing hidden services. From 0d9de9174ad011d94645660e2780cf1b1f79d14d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 30 Jan 2022 03:23:06 +0000 Subject: [PATCH 520/657] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b76dd2e..38f7293 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ### 🟪 user.js -A `user.js` is a configuration file that can control hundreds of Firefox settings. For a more technical breakdown and explanation, you can read more on the [overview](https://github.com/arkenfox/user.js/wiki/1.1-Overview) wiki page. +A `user.js` is a configuration file that can control Firefox settings - for a more technical breakdown and explanation, you can read more in the [wiki](https://github.com/arkenfox/user.js/wiki/2.1-User.js) ### 🟩 the arkenfox user.js From 4c74f1bffb4242ec613168307566d593c6fb4401 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 30 Jan 2022 08:53:08 +0000 Subject: [PATCH 521/657] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 38f7293..2f33ad9 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ The `arkenfox user.js` is a **template** which aims to provide as much privacy a Everyone, experts included, should at least read the [wiki](https://github.com/arkenfox/user.js/wiki), as it contains important information regarding a few `user.js` settings. -Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://www.torproject.org/about/torusers.html.en) calls for it, or for accessing hidden services. +Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://2019.www.torproject.org/about/torusers.html) calls for it, or for accessing hidden services. Also be aware that the `arkenfox user.js` is made specifically for desktop Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser. From 89bee0e3612be471d427cd81540bd54db1955c9d Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 31 Jan 2022 03:08:22 +1300 Subject: [PATCH 522/657] Add files via upload --- wikipiki/rfpCanvas.png | Bin 0 -> 5559 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 wikipiki/rfpCanvas.png diff --git a/wikipiki/rfpCanvas.png b/wikipiki/rfpCanvas.png new file mode 100644 index 0000000000000000000000000000000000000000..97488cc218750d38ec88771429a35f1e323370dd GIT binary patch literal 5559 zcma);RZyHwn1w$A!6CQ=hG2oC+TE+&+KWD?>-5{*)o=C16R)YRh==_W8vp=2WhFUn06+N3NVNtD<>k?+z7)lwrlf==k!rEy zCSZTZ*rh8;i7bsvn7G{zEOlDyLH?Y6XkC`ruf2e^%wh~+;$|uFYVn8RR>{y1{)mK+ zjBW37N`+%Hx&s85EjDzX_Y5e&O^BEn8~p%AAAsVwfP)DPsO1g3rH*}kaVP^dK?#dO z8SqLIQo#%(0i*&_WXb_41(YyY4wDX0ga%klT3aCiO%A|P&gvz|0|sva5<8U-S z76@2;VPNnBqM!hY!nwZK8CyNUKI>Dbpv_{PjKcEa#+V!)82b90G;d~<$=OH*ET38C zN^uVPLn(Q}`Ck0Em;!*JG}5QnUflc5;MdR02&A;(n{yoYqd(GHSs@aOi(2PxPG(5VNXuMgtfSqMbQFpdn#5XfNLgi*h@V5yCec@s0;2x7J1`X&Y98_=?k zNq5KR9MbK;7k7X0*AlZ}@J&xR7Mk=IOkzvA)i@NZ1OtW?Omb-S4c(v;8c`x6?RXrC z7QIRuzY@200+?1;33M+0{+V#Bi9%PJ=of$|;x48~kvk*2SxfvIZmVo(rQpjbg%X^v zHeTGhsbocYU*CUzDV`)yy#KYv{>5slge?5+z%L36-Vx`woMXc>O+xHg>DH4?^tHG( zV=o)^YEir6udHXAe9?%)eOr;S6?KwlC4Uu-)NZ-d(C)x^rV}n3a^rryHG}H`)`9?QEk8U`uI;S+sgjW;e9nL?( z)HJ;keUV`&iGj%RxXJfY$J&2Wk$n-8ut{>tvcp1E z&ZpYRZENCGot2$sP@`0%Rik*+D^P!20W0s7?>4**$Crk`V>V${grv?qhwbaE=xkJA zSCFZRi(J)nRy&nZ6?e<|_PbV`! zOms{tYKLkkx!P)-8a_G=_M$Co;de1&wk#1-g4enyM>XT5qn!@TZgT3 z^R7|3;YnMMYqXKDVVQxhk!g!U9jxy4Qg>Z<1z|;}db)Z|!4hP+@vLpUt*V`}aqm0& zT78>KTd*a>iX75DT0eY}-kToW6`Xu8j)51uf?oqN0)=>feorEzC$gD4lYb%^JbIaR zzy&dwC7Auri)bUBWEpXQ>EtaaLdYSVo{<-EiSa5ClbqQSoOx7Z8((^N-+5hmm~IEm zU%~QP@`jEp*BVX)P8?2R*9)ik3Rwyac|E@lf06y6wKpe;Q<(YIX{$CwLslak(z?&U zWzChQU$@-YUglekv^*u3xR!Wdh>$>t32yRi8k$cD4zz!1pVSz3D=?4Vk_}~ew0R78 zoC7MtUZX%z^l>&t$D_bo0ZgYhpVWO(w>;Q_F|i=Y|~EZ8GJ*z(#MDSuvU+w)%Gc)A19+ zSv3W0)5lXS6Kfv?^G^#OkBNqewm-I&#i;0WfDC^2);bC|i+T93VIxSNv&HD4*NSx{ zw6VG@YSbL-XV-`HG6kqPg_{jdL=3i~I33~WV(&!6} zi)+R`$a{(LzBOGGUA0BKMcZ5D+ZLo`eSG!7P1dc8X`Q-@$1xmr9`zoB0l#gz^V=e5 zUL35Qy2N&*h!20&_W(Qf<-ilb(@oAF+hK5*^WQx{Vr?O5@I+R9k^*bDF&19=fFK|) zN15F7T!lQH+*@NS<1URUiMgf2&44?_wO23l`NRzU-(7&m9aaw_7SbW-vq`W_Sa1mE zpLL71lD5Eo>zOUb7jCCr1YXWv~Ak+2hh;fw1^S??r$cauj*BMYa+0p80-e zvU|ms`J}E#qsRPG>R5V3b|ZFC()eNh`{{b9DCL4-5}b~H;?vznyz%dR@|mjrl&umq2^rN zS@UwNJ@F>3wUV|P00g`SfUrma`1APW2LRyx761+{06-)M0La}wnvW_xVd##soHW>P z^*2mQ)p(f_9$L28tgC~THXi1xNm|369BVoM^9RR8l%1L0e7u;P5f--m#fNz%X=krD zJ*0;-L=o9aN!Xq54`e@$YVTZGu47GCTSa`vs?4_qE94%a@%e@Qs%F{9`n_$oMt=L! z**c;nNRmZ+WN-|5JM*XT5eXwc|8}--<`+kc8S&4ECOsVinl!;S`IE@qJeMXwBMf;G z=_vF6Jr<%U@YklfT! zMgQaPAaz7y=xrU^RhaNa-KlkQPs}Xe)IMJSkI^#0&TmU9scvX}CeyyDL1_zq>|a@= zNw+o5TdoV4qk6W^`K+@;h6M}nGc?|wDU73TI);i@cog6K@&;>azuY_a7R+`9S>Lo= zVBaR>3_xJ zZs%t7Eb*U2#DC|6{}uil4gF6s=2JOTYUk#;#~uCCt|yBS3i-GA$)3*oclpU^Q_Q2x z%Q8I&1stt-RSQ6nJ!OwOkiHO{U^yt-zdNSJ%!vJPt36X|44s@t`lMEldC%RCqz0))zhO>BH5U(X&} z5%3_y9rC92Hug~A$8DI#X7?!7edv^b(AIZTFO1%pbjCuYh@i!Diw7&_^ob<~lHjoC z87-w#qu;PjJSsz(GC3T(dh(CHJGHQ?76gJwGcpF&j$He0WF?0O`Dw)Ba5_cz&t#m3 zf(Ix0^mdW!Y?0!stj5(}ow%3e+His6|O#6s-$X-IGwjt`2w!d51{Fvyg zD@8@lgcP8OP>0Tw66^uN4C<{|Eft}M3O>50Z}lSepTe#S;nY_*UF-byEFN=vwY5%Y z6&nWoNf!v_zcy_FMpZ2XJC88Lvd`T!h3e`*Xtq;irs(?UfjKr&*ZL;lKRofW+vg_i zDUzi+TqB;bW0Xg+uD-nLfxznwOPwYt%kK;WsZPS;rkZ?&W@AE+A9bkD5l=%$%vdMr zS{s5clNwl~$mY;COxTzsO=;`gC_>pICtUrU?>8hNASXJDv*l2!!o|@6s@KJou1QQ? z+|wU>rQiG6fL>Ki%9Q4{0r%z2l}paLibCD*g>1yc8^O+^_$k}JtU8EFHcIAi9mLlN z|9GsE;xPJMK+n0}C6Vk*MR+c6AnRQfUo_K=}OC*kyxXUuj_*N^Qy)<*N(s9~QjkYxQ zCx30jKjW#8W@O8I484=%xZDMU1Q4t7*Bh)t1U^Y?8bPtUiRq z5d^X}gp5OS#6%~@kH~3d28G4og|l6%E{mfExT9;i3v!Xuj<$J5tt+Np-M!ylf*WFyk!rR$xrzx_$E?6XXvlTwVE?%yz+ zqE2%B!70n8%I0pm5qWY_zm#F zt*-UO{4uNASllTC`~0lP*-7Re#TvWQ5&Ni311CA-&*y!MEmI0pQ&oP#MEwr) z9?>T#H9oR~pIXVZ@l~2x${M;Wv6Fe1BxRv>{9N$RoA!WbCW%{9-&Nwg%R)8I%%=>M4&O z+^%YIuNjT3S8(pxRsL%Cl@>J1y@qX5(}^V$%~O~1bR`l_P$U1WVDg*(&69Uz^Vom{ zN%?!8j1(Nl#MGRvu?dSj$o4L#A9t<)$sKKkX8EbixR&}HmzoCLjScnk1e52J6LC8= zLcif{6kX*#T;2H{-gt6}t)FglQmkt&c0b~i?>jSBHvPhX;}vT$=N|Pk5$a+aqXr@7 zk4H_pDPAP=ykGdoQM{FmSCJSaX(jYq$-M@wmEz@ww}z;D!mEiDJbV;HC+01*M9nw# z5nUy@p|Z@GU5130pNU`4Ga+69QsqM{G|lasfWW$inz(Epm=P~3I2ME|c5aJ@1lQx9 z{AFIn92cVsPI3M_F$%RlhH{JKv>g6yKilS{td0d?grOtHN{L}X26cTtaB8JVYscu4 z$?R?MdmH@Z(?978bi0TSPQ=-&9uM`2T?gFlv(JwIlwXHaWm7E2-4Ke^sIX=-55-qC zA#ykd9Oofb*vH!qmGcDekjx_%2Vx^up{7p|wNoM|qxs3JN7Z_7Ciw?rO)B`Zsat3< zrLDjG8)ul1y;y(aXA*!wb literal 0 HcmV?d00001 From 917e3fe1aad0be2ae93787e4cbaeb33112a6f8c1 Mon Sep 17 00:00:00 2001 From: xfzv <78810647+xfzv@users.noreply.github.com> Date: Sun, 6 Feb 2022 12:23:20 +0000 Subject: [PATCH 523/657] Update wiki link for updater options (#1364) --- updater.bat | 4 ++-- updater.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/updater.bat b/updater.bat index badd778..eef06f0 100644 --- a/updater.bat +++ b/updater.bat @@ -3,8 +3,8 @@ TITLE arkenfox user.js updater REM ## arkenfox user.js updater for Windows REM ## author: @claustromaniac -REM ## version: 4.15 -REM ## instructions: https://github.com/arkenfox/user.js/wiki/3.3-Updater-Scripts +REM ## version: 4.16 +REM ## instructions: https://github.com/arkenfox/user.js/wiki/5.1-Updater-[Options]#-windows SET v=4.15 diff --git a/updater.sh b/updater.sh index a1f7070..8295720 100755 --- a/updater.sh +++ b/updater.sh @@ -2,7 +2,7 @@ ## arkenfox user.js updater for macOS and Linux -## version: 3.2 +## version: 3.3 ## Author: Pat Johnson (@overdodactyl) ## Additional contributors: @earthlng, @ema-pe, @claustromaniac @@ -62,7 +62,7 @@ show_banner() { #### #### ############################################################################" echo -e "${NC}\n" - echo -e "Documentation for this script is available here: ${CYAN}https://github.com/arkenfox/user.js/wiki/3.3-Updater-Scripts${NC}\n" + echo -e "Documentation for this script is available here: ${CYAN}https://github.com/arkenfox/user.js/wiki/5.1-Updater-[Options]#-maclinux${NC}\n" } ######################### From 562127be87ff1115f1d5c7bebd5890efd801b064 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 6 Feb 2022 15:27:50 +0000 Subject: [PATCH 524/657] Update troubleshooting-help.md --- .../ISSUE_TEMPLATE/troubleshooting-help.md | 35 ++++++++++--------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/troubleshooting-help.md b/.github/ISSUE_TEMPLATE/troubleshooting-help.md index 955c367..5e8c1f6 100644 --- a/.github/ISSUE_TEMPLATE/troubleshooting-help.md +++ b/.github/ISSUE_TEMPLATE/troubleshooting-help.md @@ -7,23 +7,24 @@ assignees: '' --- -Before you proceed... - - Issues will be closed as invalid if you do not [troubleshoot](https://github.com/arkenfox/user.js/wiki/1.4-Troubleshooting), including - - confirming the problem is caused by the `user.js` - - searching the `[Setup` tags in the `user.js` - - Search the GitHub repository. The information you need is most likely here already. - - Note: We do not support forks + + +https://github.com/arkenfox/user.js/wiki/5.2-Troubleshooting +- [ ] _I have read the troubleshooting guide, done the checks and confirmed this is caused by arkenfox:_ + +Information + - Browser version & OS: + - Steps to Reproduce (STR): + - Expected result: + - Actual result: + - Console errors and warnings: + - Anything else you deem worth mentioning: + +--- -Clear all of this when you're ready to type. From d61da93aad93904ba3deaf20ead1f5fcde1369cd Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 6 Feb 2022 15:30:25 +0000 Subject: [PATCH 525/657] Update troubleshooting-help.md --- .github/ISSUE_TEMPLATE/troubleshooting-help.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/troubleshooting-help.md b/.github/ISSUE_TEMPLATE/troubleshooting-help.md index 5e8c1f6..a27d59e 100644 --- a/.github/ISSUE_TEMPLATE/troubleshooting-help.md +++ b/.github/ISSUE_TEMPLATE/troubleshooting-help.md @@ -15,10 +15,10 @@ We do not support forks. --> -https://github.com/arkenfox/user.js/wiki/5.2-Troubleshooting -- [ ] _I have read the troubleshooting guide, done the checks and confirmed this is caused by arkenfox:_ +🟥 https://github.com/arkenfox/user.js/wiki/5.2-Troubleshooting +- [ ] I have read the troubleshooting guide, done the checks and confirmed this is caused by arkenfox -Information +🟪 INFO - Browser version & OS: - Steps to Reproduce (STR): - Expected result: @@ -27,4 +27,3 @@ Information - Anything else you deem worth mentioning: --- - From 58e2618b9ddb436867f1701733a07ab286eb1b3f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 9 Feb 2022 20:00:43 +0000 Subject: [PATCH 526/657] dom.securecontext.whitelist_onions replaced by dom.securecontext.allowlist_onions - https://bugzilla.mozilla.org/1744006 --- scratchpad-scripts/arkenfox-cleanup.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-cleanup.js b/scratchpad-scripts/arkenfox-cleanup.js index 9d2ec12..af6193f 100644 --- a/scratchpad-scripts/arkenfox-cleanup.js +++ b/scratchpad-scripts/arkenfox-cleanup.js @@ -3,7 +3,7 @@ - removed from the arkenfox user.js - deprecated by Mozilla but listed in the arkenfox user.js in the past - Last updated: 16-January-2022 + Last updated: 9-February-2022 Instructions: - [optional] close Firefox and backup your profile @@ -34,6 +34,7 @@ /* DEPRECATED */ /* FF92+ */ 'browser.urlbar.suggest.quicksuggest', // 95 + 'dom.securecontext.whitelist_onions', // 97 'layout.css.font-visibility.level', // 94 'security.ssl3.rsa_des_ede3_sha', // 93 /* FF79-91 */ From a98b73c64e2e0b505efb6b23d34e6c5d90abe2c8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 14 Feb 2022 00:15:00 +1300 Subject: [PATCH 527/657] v97 (#1346) --- user.js | 64 ++++++++++++++++++++++++++++++--------------------------- 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/user.js b/user.js index e80a95c..9098913 100644 --- a/user.js +++ b/user.js @@ -1,25 +1,24 @@ /****** -* name: arkenfox user.js -* date: 21 January 2022 -* version 96 -* url: https://github.com/arkenfox/user.js +* name: arkenfox user.js +* date: 12 February 2022 +* version: 97 +* url: https://github.com/arkenfox/user.js * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt * README: 1. Consider using Tor Browser if it meets your needs or fits your threat model * https://2019.www.torproject.org/about/torusers.html - 2. Required reading: Overview, Backing Up, Implementing, and Maintenance entries + 2. Read the entire wiki * https://github.com/arkenfox/user.js/wiki 3. If you skipped step 2, return to step 2 - 4. Make changes + 4. Make changes in a user-overrides.js * There are often trade-offs and conflicts between security vs privacy vs anti-tracking and these need to be balanced against functionality & convenience & breakage * Some site breakage and unintended consequences will happen. Everyone's experience will differ e.g. some user data is erased on exit (section 2800), change this to suit your needs * While not 100% definitive, search for "[SETUP" tags e.g. third party images/videos not loading on some sites? check 1601 - * Take the wiki link in step 2 and read the Troubleshooting entry 5. Some tag info [SETUP-SECURITY] it's one item, read it [SETUP-WEB] can cause some websites to break @@ -159,7 +158,7 @@ user_pref("datareporting.policy.dataSubmissionEnabled", false); * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical... data ***/ user_pref("datareporting.healthreport.uploadEnabled", false); /* 0332: disable telemetry - * The "unified" pref affects the behaviour of the "enabled" pref + * The "unified" pref affects the behavior of the "enabled" pref * - If "unified" is false then "enabled" controls the telemetry module * - If "unified" is true then "enabled" only controls whether to record extended data * [NOTE] "toolkit.telemetry.enabled" is now LOCKED to reflect prerelease (true) or release builds (false) [2] @@ -235,16 +234,16 @@ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!"); * To verify the safety of certain executable files, Firefox may submit some information about the * file, including the name, origin, size and a cryptographic hash of the contents, to the Google * Safe Browsing service which helps Firefox determine whether or not the file should be blocked - * [SETUP-SECURITY] If you do not understand this, or you want this protection, then override it ***/ + * [SETUP-SECURITY] If you do not understand this, or you want this protection, then override this ***/ user_pref("browser.safebrowsing.downloads.remote.enabled", false); -user_pref("browser.safebrowsing.downloads.remote.url", ""); + // user_pref("browser.safebrowsing.downloads.remote.url", ""); // Defense-in-depth /* 0404: disable SB checks for unwanted software * [SETTING] Privacy & Security>Security>... "Warn you about unwanted and uncommon software" ***/ // user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); // user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false); /* 0405: disable "ignore this warning" on SB warnings [FF45+] * If clicked, it bypasses the block for that session. This is a means for admins to enforce SB - * [TEST] see github wiki APPENDIX A: Test Sites: Section 5 + * [TEST] see https://github.com/arkenfox/user.js/wiki/Appendix-A-Test-Sites#-mozilla * [1] https://bugzilla.mozilla.org/1226490 ***/ // user_pref("browser.safebrowsing.allowOverride", false); @@ -263,7 +262,9 @@ user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: fals /* 0604: disable link-mouseover opening connection to linked server * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/ user_pref("network.http.speculative-parallel-limit", 0); -/* 0605: enforce no "Hyperlink Auditing" (click tracking) +/* 0605: disable mousedown speculative connections on bookmarks and history [FF98+] ***/ +user_pref("browser.places.speculativeConnect.enabled", false); +/* 0610: enforce no "Hyperlink Auditing" (click tracking) * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/ // user_pref("browser.send_pings", false); // [DEFAULT: false] @@ -306,7 +307,7 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] * [WARNING] If false, this will break the fallback for some security features * [SETUP-CHROME] If you use a proxy and you understand the security impact * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 ***/ - // user_pref("network.proxy.allow_bypass", false); // [HIDDEN PREF] + // user_pref("network.proxy.allow_bypass", false); // [HIDDEN PREF FF95-96] /* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+] * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off * see "doh-rollout.home-region": USA Feb 2020, Canada July 2021 [3] @@ -323,8 +324,7 @@ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!"); * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com" * [NOTE] This does not affect explicit user action such as using search buttons in the * dropdown, or using keyword search shortcuts you configure in options (e.g. "d" for DuckDuckGo) - * [SETUP-CHROME] If you don't, or rarely, type URLs, or you use a default search - * engine that respects privacy, then you probably don't need this ***/ + * [SETUP-CHROME] Override this if you trust and use a privacy respecting search engine ***/ user_pref("keyword.enabled", false); /* 0802: disable location bar domain guessing * domain guessing intercepts DNS "hostname not found errors" and resends a @@ -338,7 +338,7 @@ user_pref("browser.fixup.alternate.enabled", false); user_pref("browser.urlbar.trimURLs", false); /* 0804: disable live search suggestions * [NOTE] Both must be true for the location bar to work - * [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine + * [SETUP-CHROME] Override these if you trust and use a privacy respecting search engine * [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/ user_pref("browser.search.suggest.enabled", false); user_pref("browser.urlbar.suggest.searches", false); @@ -452,11 +452,11 @@ user_pref("browser.shell.shortcutFavicons", false); user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/ /* 1201: require safe negotiation - * Blocks connections (SSL_ERROR_UNSAFE_NEGOTIATION) to servers that don't support RFC 5746 [2] - * as they're potentially vulnerable to a MiTM attack [3]. A server without RFC 5746 can be - * safe from the attack if it disables renegotiations but the problem is that the browser can't - * know that. Setting this pref to true is the only way for the browser to ensure there will be - * no unsafe renegotiations on the channel between the browser and the server. + * Blocks connections to servers that don't support RFC 5746 [2] as they're potentially vulnerable to a + * MiTM attack [3]. A server without RFC 5746 can be safe from the attack if it disables renegotiations + * but the problem is that the browser can't know that. Setting this pref to true is the only way for the + * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server + * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site? * [STATS] SSL Labs (July 2021) reports over 99% of top sites have secure renegotiation [4] * [1] https://wiki.mozilla.org/Security:Renegotiation * [2] https://datatracker.ietf.org/doc/html/rfc5746 @@ -580,7 +580,7 @@ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); /* 1601: control when to send a cross-origin referer * 0=always (default), 1=only if base domains match, 2=only if hosts match * [SETUP-WEB] Breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram - * If "2" is too strict, then override to "0" and use Smart Referer (Strict mode + add exceptions) ***/ + * If "2" is too strict, then override to "0" and use Smart Referer extension (Strict mode + add exceptions) ***/ user_pref("network.http.referer.XOriginPolicy", 2); /* 1602: control the amount of cross-origin information to send [FF52+] * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ @@ -598,7 +598,7 @@ user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!"); * [SETTING] General>Tabs>Enable Container Tabs ***/ user_pref("privacy.userContext.enabled", true); user_pref("privacy.userContext.ui.enabled", true); -/* 1702: set behaviour on "+ Tab" button to display container menu on left click [FF74+] +/* 1702: set behavior on "+ Tab" button to display container menu on left click [FF74+] * [NOTE] The menu is always shown on long press and right click * [SETTING] General>Tabs>Enable Container Tabs>Settings>Select a container for each new tab ***/ // user_pref("privacy.userContext.newTabContainerOnLeftClick.enabled", true); @@ -766,8 +766,10 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin user_pref("browser.contentblocking.category", "strict"); /* 2702: disable ETP web compat features [FF93+] * [SETUP-HARDEN] Includes skip lists, heuristics (SmartBlock) and automatic grants + * Opener Heuristics are granted for 30 days and Redirect Heuristics for 15 minutes, see [3] * [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/ - * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12 ***/ + * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12 + * [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/ // user_pref("privacy.antitracking.enableWebcompat", false); /* 2710: enable state partitioning of service workers [FF96+] ***/ user_pref("privacy.partition.serviceWorkers", true); @@ -781,7 +783,6 @@ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!" * sharedWorkers and serviceWorkers. serviceWorkers require an "Allow" permission * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow - * If using FPI the syntax must be https://example.com/^firstPartyDomain=example.com * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/ user_pref("network.cookie.lifetimePolicy", 2); /* 2802: delete cache on exit [FF96+] @@ -952,7 +953,7 @@ user_pref("browser.link.open_newwindow", 3); // [DEFAULT: 3] * [1] https://searchfox.org/mozilla-central/source/dom/tests/browser/browser_test_new_window_from_content.js ***/ user_pref("browser.link.open_newwindow.restriction", 0); /* 4520: disable WebGL (Web Graphics Library) - * [SETUP-WEB] If you need it then enable it. RFP still randomizes canvas for naive scripts ***/ + * [SETUP-WEB] If you need it then override it. RFP still randomizes canvas for naive scripts ***/ user_pref("webgl.disabled", true); /*** [SECTION 5000]: OPTIONAL OPSEC @@ -1029,8 +1030,8 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow // user_pref("browser.download.folderList", 2); /*** [SECTION 5500]: OPTIONAL HARDENING - Not recommended. Keep in mind that these can cause breakage and performance - issues, are mostly fingerpintable, and the threat model is practically zero + Not recommended. Overriding these can cause breakage and performance issues, + they are mostly fingerprintable, and the threat model is practically nonexistent ***/ user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!"); /* 5501: disable MathML (Mathematical Markup Language) [FF51+] @@ -1125,7 +1126,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("geo.enabled", false); // user_pref("full-screen-api.enabled", false); // user_pref("browser.cache.offline.enable", false); - // user_pref("dom.vr.enabled", false); + // user_pref("dom.vr.enabled", false); // [DEFAULT: false FF97+] /* 7002: set default permissions * Location, Camera, Microphone, Notifications [FF58+] Virtual Reality [FF73+] * 0=always ask (default), 1=allow, 2=block @@ -1159,7 +1160,6 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies // user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF] /* 7006: onions * [WHY] Firefox doesn't support hidden services. Use Tor Browser ***/ - // user_pref("dom.securecontext.whitelist_onions", true); // 1382359 // user_pref("dom.securecontext.allowlist_onions", true); // [FF97+] 1382359/1744006 // user_pref("network.http.referer.hideOnionSource", true); // 1305144 /* 7007: referers @@ -1344,6 +1344,10 @@ user_pref("browser.urlbar.suggest.quicksuggest", false); // [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows // [-] https://bugzilla.mozilla.org/1738983 user_pref("app.update.background.scheduling.enabled", false); +// FF97 +// 7006: onions - replaced by new 7006 "allowlist" + // [-] https://bugzilla.mozilla.org/1744006 + // user_pref("dom.securecontext.whitelist_onions", true); // 1382359 // ***/ /* END: internal custom pref to test for syntax errors ***/ From 41468d0d0bf287589e9ab2c012aa0eded1388610 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 13 Feb 2022 13:11:26 +0000 Subject: [PATCH 528/657] Update troubleshooting-help.md --- .github/ISSUE_TEMPLATE/troubleshooting-help.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/troubleshooting-help.md b/.github/ISSUE_TEMPLATE/troubleshooting-help.md index a27d59e..ea7f92f 100644 --- a/.github/ISSUE_TEMPLATE/troubleshooting-help.md +++ b/.github/ISSUE_TEMPLATE/troubleshooting-help.md @@ -11,12 +11,14 @@ assignees: '' Issues will be closed as invalid if you do not troubleshoot first, or if you ignore the steps in the template. -We do not support forks. +We do not support forks or no-longer supported releases. --> + 🟥 https://github.com/arkenfox/user.js/wiki/5.2-Troubleshooting - [ ] I have read the troubleshooting guide, done the checks and confirmed this is caused by arkenfox + - _unchecked issues ~~may~~ will closed as invalid_ 🟪 INFO - Browser version & OS: From 4bd17611df133b8ab3077df495ab7197c1844eea Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 13 Feb 2022 13:11:55 +0000 Subject: [PATCH 529/657] Update troubleshooting-help.md --- .github/ISSUE_TEMPLATE/troubleshooting-help.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/troubleshooting-help.md b/.github/ISSUE_TEMPLATE/troubleshooting-help.md index ea7f92f..ee0a8c7 100644 --- a/.github/ISSUE_TEMPLATE/troubleshooting-help.md +++ b/.github/ISSUE_TEMPLATE/troubleshooting-help.md @@ -18,7 +18,7 @@ We do not support forks or no-longer supported releases. 🟥 https://github.com/arkenfox/user.js/wiki/5.2-Troubleshooting - [ ] I have read the troubleshooting guide, done the checks and confirmed this is caused by arkenfox - - _unchecked issues ~~may~~ will closed as invalid_ + - _unchecked issues ~~may~~ will be closed as invalid_ 🟪 INFO - Browser version & OS: From ba052105de3c4be2e34cf103f08b2f28c6d5b496 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 14 Feb 2022 05:38:13 +1300 Subject: [PATCH 530/657] Add files via upload --- wikipiki/rfpCanvasException.png | Bin 0 -> 7765 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 wikipiki/rfpCanvasException.png diff --git a/wikipiki/rfpCanvasException.png b/wikipiki/rfpCanvasException.png new file mode 100644 index 0000000000000000000000000000000000000000..6889f80924c3cff60b656dd56ec70f266ebd04f1 GIT binary patch literal 7765 zcmXw8WmFwakR1ZSEx1b{xVyW%yA#|Y1a}X?gF6J5Ai-T9!QCEi4<`ioecztlAJbja zr@QA=*VL`5+c9b?vS`Re$N&JK$;(M;002xNR2D#lhqf)BIXIvllB=A)2LPa8|M$QE zSvdp%fUIgKDXFGr>+;3L!`8)>LS9mm!qwfy+Ro7m0K8XoHEpyskMM-=Hm)TUql14a zx@h1cQfNrT2IC~rFi;|4DnwHjuHdToeUO%hBOWP;hK-L8{*J58g!&D68DWpIC_bz> z`rGK!wqLQsV&~n##B0-%2&DQdw{Z%g7ZEj0j#HgG7_~xz?88G47Z1KbA+2{C@`Md$`#yys95fnMe8UN(}bH;iM6Oe2`!aG2gNNqmZk!8m}J zZ@fe)ASMG7oSQ+T2^7EqW@DBXyMP)qU`88sFb4$Z-e>y30ERy(abXIQ019lYXeq!} z5U8Hg`6dnMu>m;Nii7;XGBdy?uWKy_)U^P;lb9$C03s^DrXC$Z55V~WW+PNo-avRJ zfFtuySLl+l78Ak%J*mtFp*CuM=@3IiW;X;~T^2IBNqKxm93Jy`=2>Da{XUt593fm7 zTUX-%P>_TR)%NPedlJ2Na*`*$8QqlmxCj32qlLxp>;6=gs~7-me+isPjl7i-;sA=U&G9IfhJx&C)H(uIj_D=YhZd&>%g5{BlZx&f~?{ieOT zFOCm^LeFXOrm(R%DYKsIwP=@k?SZH@1YmRiwq#`_j8}2LS&% zT>9qe5MhID!?vfq-Y!I6WD7n4!PfH0ZUA5+Ma`l$+9(P_1OTam5QaK&;_E&Fre1iG zzV~Z=D9>g*;S$t?{SufG$e)8r+|B5#LnY`UC+bKU%vk5eNV$5|Z6i}$(OLSnThWDG zF&@nk^ZMvILy+LaM-Z{iDOaOmEWYVc#UtWpM%+{O$-!a8Qd9hi#!>&Mn8Yo|uJKKa zLR*gXpRoHo{wO1v_9Vd(fFtxdvQw7*M@WOZ@H}dhWLr5eQMgPI%Jk{$tT1=-W? zzlnsu^Atj+t86h=6GS9IY`upB2%LkCY%IeA67_scNGXf{bgE%HVs0#_ z>b>BwLZo|t+DM+ZfKCB|~BEg2M_tSn%DOdbW)BfRMkide2 zJxWiGiE0rm0h<-mFIsYtml`WZl7qG_@tu7APpw(3S(#a94XPuiifk@9BC3=>tDhYj z5cq#EQ811~?B(ta>~Zc9?@|6UM9#GkbNhL(xkINhYOg@JkGapa4{w#hA+BAVrLkUK zsP%z6!9b#>uvz1mdQ>?!muD9LL>QjDVo6O=>Ku_RzU`geufs3xAJ$XJRMMw)XUC3Y z57Q4}uf0&wB5}h&(Kd91*#rm#HiTXTzcQ3c3Fl%7L0W9Q>?awJOpHtyZ9Rr&27lb7 zQRGyGRGL&`23D<#%F@b>N)+uY?J=!{3KPwMS{ZFl&D{#5`LrtS%3QS*O=3-(3c>QI zN}F;QEzzHW`Y$o?`U6S>s**p|3+hdGJBKMyED0OEnJ695svNaXz{je5A*v)Xe&-tQ)1feTSzY6@efpbB>Lr+}FrPRi5W#mwq zmY$|pC0C_hC417vQ+rmHTiPYvq5l+uE)G(lHKLWZNtk?}3(;KBTrWc|!&4R(xT$5S zbSNP%?2z*6aV|U0$m=!<&Qo$J+wkdvJdy;kzG%HTJ(k_bqUymnqEf?yQ6~w6hPd5a zgh*LI;7fH$;{h?r67y8^^zHDZwi%(~1(`S*jPG{CM!VFzPQy;a#We6Vlr)OU$I9nf z8p>^@^reDIf=Zx?@rj~|#Z2yOVfG~sNH!#UDSNZU%)r}#skywl)k?l$&!ANQyt&gk z!hm1DL{HnmxKXAix8~DgM@>iBhq5-66qTyHMVo=T%jQ4L6)l8y`^)g)+GeNb0CO7) ze4Cb`+JWj?l=NE0vlPAIp?AQL)U3XtTuX6m{ZG~ zyUo~R^n-S}n%Q%*HuyGe9${C}u`!CFV=U<+EZM}v>myxz3SVyAjJJJfZ*sF6v-{7= z!N1OV&h5^l*7C=>^6B&RIX$KaMkKe?_h&>=@>AIyHmd_wB~?RgnjloHmaIv-HA{6Z zC0>*mqv=LDex{;#suF-l#GwkWyUNdWw9-C5+QfX2f**5H|{J)qLxEVw$ zS?q;YdE2?#MTc3e^~V?Va`ogL6-oG67;1T(9lJN5&#t0&a(7U6{qQqbM~q#43Mc!o zBg*h9Sg@D`(!`XaRrr4V6~|;K$NT>2AGX)0cx0b`(tewdtTQ|_(aVxX3}h<*>cerjE7J!%Q^9!W2!de;$i;O3- z=pgd$*W3#)W;7l&?YNxb9V%BTpS`0yq|G}rG=bHx-~Fn$5$4FhlG>26+Dl~p%aX~~ z%z84kFl<*H7nxZ+-tc{v1(Rdsa0%)AC|qg%v0FU~olCL#H}yR?H8&uT>YeW*wky%O#+7G`-IGdu}HMYlRQ2V ze*PU%_m`vRGRdjWQ#5(_uSKt8wfK0ff%gk1OOrDhGll8@(o=ez{7YVrdrt^|frtBt z$-4h|bF!OU>pY$Hd98VoUKDR)sP6ew1kt_OKGff6PM1BU5T>NO!NF!+JzH`zgQ58* zg{7Q^G648~0)XH!0C;$V_D2BV$p!$&X3*R;0|4+{l1+zX0028!UP@fcd-XIoNDW7~ z8PszhhNcjFM-!Sgf}Amg{9P2uS(tJ=%FO#U+QCAGqM^IfR~$3iR*cIr+0zDr-2pSv zG_{6_TVF~?(HIUPyj*)mk0^Y$4_P8nBZW@S5~idtk?rM`p!6v7$eD=XN61yhF~h+| zHzd#F;*7Iw>dfxc-^5@vm;y00gH5T3653OMR59Vizgw1~mZ@K`iWYY~!I0evy@MUa z`2Zbu0Bt^vO&!|yNTTOcAX*ghy`G;VU=JUSedgd35U`m2IrAs_=*Cyb{~l8yH(uwX zIHu*&rRcd2mw8TiO3GaMExX+;bu)(hE1b9xeI&`K$`9MknHe{uTWRP=Rd1rDc6aMp zLn#pd@xh5>?%g9nMfYc_!Ic%liVC|{pDR4)jn0Vq`QPeiQ|s%b_BWz4)2?V}XiEh; zZ`kMO=UiauGJ*q))<_90EiMg>ul++q@5%k^P*hYVm)khel9JSyTU=Nb6fyMIkMafY zaEXYU?)OrZfZpM_BtEZmM!5IycW%$XROgmQ8lwK!Gx_X(w~q3VxBK0M`>TA>{!~WK z-#dt*-p9*mH=mrmx?PgKY*cDj6>3#(?d*j1_xt1E;T2R>#dg6iH+(`jY#!WQtTDXb z3NvnX-R{&zecXw~;u93KJX>9$+27yCJv=_{FIApN-t+eMMqJDl@N#-19n|0~sN7{b*DLc)lmqIaLI&#g$ilWJ>OK3fwNz0A*Z z{Ycl{nl8kmrg0{9+k}A$k&}yVp%e9Q#i6Gctg+av)^BwE_xU05SyI&H3i$?k-_tQzrdTW7y)zG$o2%cp(iN zb+Hy1R)d)($> z8e&cWhtR|Ejm#VSNB2^qiLZ9&cvfo!)u3!FXGz!(VXJ5D_t8%4@R_EUDMxBuFdR*p zSH{{%nML=1h+S&O)F5e|7SAfo#$%1>lB;g_V}5w1?;Hbm(0kV&JeDSGe}M~)B(Z@i z(S_m#BAuZe{@G#&Q`0tiL&MLvrz_sKD>llbr>CdG>!EH}sjxNR40n_olcv_TJxK1@{DPRr!)<`1*LAwbqbmx?&l&>5xqX7d z#j}CU63gFDc;{RG+*T3qTW-OjR(2Au;swXJkkBf%_%2i}qBPo$5cYRPKd8 zZ-kN^MiR+ZL)3iuHX09?G$Ly_7%K9>EiR4fo%7K_Kigh9JKyDqzTskF4U%KTegEFy z7xtjn=^e6=(>=3I{H7wm5`PBX1li={ZV$&1Q^oXQ=ClGO`s2?R zn3Uk)F&R*5eh7A82WtLy%rZ5F#KG*F522Q$GYzcgfB(Jf(Uc-ZtfzkvJkqCCIX+ysAk5llR z`MHZkAmf=~v$K-_f!(3Hf$vCVcBiy-5U>2Dx1V2eXD61pcpn|pvt#%y*p0`_jNM^s zey6*Ncuj^5h)@5G>VgG(nW(b<;#3+w^PwMX9V4FmbP3USRJpE*c8=D)qsS? zAvvbm0~Nd+qOhJ>seBXb-@p5i*VBm!bND9Ojrv$UDDW0?Ya&mmcBU6IcPS)rJ2ql|(-yvd`JP}^vQ=_gU&62a zEwZSYt@_&syN`We3)@JAhN#x8W&VEU(NIM_7t74lOxxI03U~fdJVTwzwd_lF#63SL zZ)`l2*?87E)mCNaGLL>GKmz#?WM%dK^>GPRN?Ljs3eGbg#YL!73;CjNsmkaD%h}u$ z9x(3~gTgX!;)<0ZB@QBbhhp|4lC>l+*BJ9vh zKN}kx(=m-lX;fgv)vm9vLnED+~kVm+(fZ;YUlb0emM9#jgydoXEmVY zDR-{gjTF;ukWv;wU1PIz#1{yRjIYHG%P`L$V{L%Aa&vPFbi;8e8r4)JLqL{d1ibB<6ISmGexVH|$Gj5ySSY94WbsxNL$F);pCmK)z+V*SR zPv#NSFW(9iGx>u&KiLcKB)Ys>v5`D#e$>y2(-_#z)bcsns9yqSwu>VUg=hok~v<9q}_jeHubm0|Cy)_CXe^C^6MG z8&O!%w8_Wp4R)GbqhpMh7eTrd?Cf~~Mw%??RJ^?8U%!4$HZ5dJ^S=K}sq@POHZtk9 zITjkrx6ao)7Imfk(3WtaP+yFo!R2o?T~zG`^Fv`*&p|zHBS_ry_W-vW`H$fXy4^Fu zyM8xAz|_{QH6W4WW>f8l)NjMySRbr7`pA#{#GYC9hy5s++bt-_gleT#ku1<^ z><806f)bulzjKe%-&xXN6)&?b=c1rS&eH0jD@`<@BXMpONqGfrwCjXNLp(K-}tZFaSC} z2N?}tgq@en8nBG1q^QUXz1&x)H1vkN8aFg$K<3O?cx~i$tIwawlq?u()l)xT79+ld z@Nn;{67SVj=i;IrYIJfuRTAelf|%Z3-8$Q(dreu3i(~!vc?|NPPJ~A5iR7Q)^$xGg zOAz_D?j7^%jRnqsrg)=Nca%Q|u8R&Bvt5NI$nErFXoVA~E~a>b=miTu1_GzCGtG`M zvIeUxJZM@_4_FA?2oywy2IN!g`YrsWT*2jbZfB_g<2H>bZiiRDP^J$9GHZk>vbXo6 zG(_3zX}FQAduUMj1Zf5hYR29>;nqh7aS@Dt5QTBwe6f@=K#nT7QHswedBgU4h9*5C|C@~i!6v`R(*vN{H|okIxX)Pvb$lQS17u|ioh2Dq2_cL+Iy@qLi&rR{gJJ7T zHlO_||M&8;4~4Zem|nAVYsoaIBvldXDIe^(a^B|BYUAWIu7Yh4K)}!%&P|s2n~&F z3xOP2hR)HW1(uFv6U@AhzORwRZ?>ySYJ)D86=avurd10?ZEb{C2bs=BB|kf-nwRE` z2g<-BwqB*`gRRe-B%sGyp_MQV13(RMb>O9@T@qq4 zRZvp$9(AC1ZZ5WF>4fmJ4WzKD1HpJ*nC=w>v9+@^w_3Bcm(caXh$j(_H@2&&_Alg# z#editnb|!&J~w|u`&pkq6zi|PSzxule_(BRNQ(80y!c`+%qYm@xL@~0NnTlU=#RUO zGqm~nvlMBxvT}B-B;B9sai7fpacMr!^2z@y&a=EiII8xX3=j(l!&_PLsm|+p%H?fu z_meu?ZZwr6^D>IFG}$Z|%66$v;fgvq`Q-8ITWUQc^TKD9hl7bVn%eJFvI)Bryo=C+ zV52+k@hYxk+DH#BrwOP(HY`pYIUu@&u!gA;Y~Kn!m~Ri3kA=>!cwzcB?iCzpiD z{S7GwT(HEcS8wqNsKduM%}z_h>wIny)v0DPDtB{>q45OjKG%~>s-Q3bJs@{2K8lQ) zWM*c*Kgb@7j#d0!XHzavt5=UTG?d>6G49zIIUb@N8yG-=zVB}Jk!)Pz%=Mg_g0@cg zf*XQJ8wrBWA%FiOs{0L|LQ+5rW475*QTVU-ATOnyf@zYhF-E%QjtErtjtQroQMOyF zYTgS&$F+!q{#BloU0RT+GieWWJ^_4rZ7qje;99KQ<)ZH)nNa9?AJzTCgQ7c+gcAXL zC^`xNmbu&dATlvZI^Tz;E8CS9qS1!$gW!?q#fI>!r`tp;4Z6)246=|J&U=h>JLq;h z3vsGJyT8iXnq!Z+ar}OcaQ?E)2=T#mpw$U{@hy%)73n}oVV1V(cEis?aRC1ZVm->U zOCUtD;h~Kskl9mw?sBhu<_RvL1O~q1K~QBu-6HUe{U!r3*dW)PLH17KY_{@h z=-9Rc3}2)(TR3s$V^I3tpOPzW48@|IX1oQid^GA@ z?iD2S&u`nG;LXw_{Pamy`Yi3E;c4Tg%l}zryoNSUMDjJi13O8(N;0WaI6&#d`^uUz z?QO|ot!qgcn`bzadkzV|+u4lwl@?1spFv&!@)L7t8R|>0qI-Ohqb%ct4?^ANqp|Ce z9JCtREXGihHv;S9`HDJN*hoS{)?L#^8q}Mc&AR-c`@$3x3VTMj3|9|s9}d{3id(L` zy?dvyjSbVk_intWLAyew*9@ZimfMQa^;37EUsOgO9*@eLpVz>OC}yZ)*&SHkmqVZU z0@~jRiwcXGk~15H5+DZzbR9k%!Nijaej^WTm4)SiFPJcn8QH(O1aJEGZS20p}f`qlU&5FL4Y88v&x>&;S7|w O1LUPuq-rJ1LjMP~Z54L_ literal 0 HcmV?d00001 From 382b9181dfb9d4d6ae010af526e7410383137fd5 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 20 Feb 2022 19:00:32 +1300 Subject: [PATCH 531/657] Add files via upload --- wikipiki/uboCustom.png | Bin 0 -> 12439 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 wikipiki/uboCustom.png diff --git a/wikipiki/uboCustom.png b/wikipiki/uboCustom.png new file mode 100644 index 0000000000000000000000000000000000000000..2b8c443aa48bb8c40ea41cc80e259d4a554a5e62 GIT binary patch literal 12439 zcmbt)cT`hP*KQOAR1g&b=_(dFN>h51-g^fH>Agcj6#)SO=`~d8CDMBrq9CCYAXF&< zVn9j=5E5?qz4u%9UGM$wU3abfN6tApGqca^J+t>b`(om$l$#4?@08lC`z0m;x zu7ZirwdAD4YvdDB6XNZLyOOaN0C0=?@^=N0mGb}qxT)zNC#R)l@8<31W$)(xP+3my zp}VJ>t%I`-0N_6l*0s~q-KLemE*;6LehN)db z)6qLa}p2=KFI`K0hp#dqPdcv2zW?s^XU!1UJOt*Y7iq2FnR&FZ>#!U1Tf13 zc%f`)s|5Jg4CsN~xm5=srvSXr{uIFhxCR2e{lUiO5BQh~xUXft#@5)xKMx6K8wC{PuzsdT1$Y1<8S~iJe z;OWH0``^plI1^A7t4hN4_z0zU7;eW)|$xwvSA9zs=jH-*Q{Ro$Blzd2TOzN7#*P zGC#|@GkkU(?7`=!3O3Vimo>xVp z%oN%Z#eM+zKb%K)D85VytJ9X4qG*(BEqlfAQK9hG*n97nSqZfH*<+p!3=*G(3y@=# z_Ehr;l5)@&JzEdR1im}J;2rFjt$odXBiVYm_Hh+O3kKVe&mU zgs=I@K77X_qhzFJq%o^h_K@j`;NAHfuWpch)b4x!IJr!<;aS_=)9(+g_+LgDDRHyS z+)JS5y94?p_x;tAd(m?I&s)D-Rj&Q2H*s%5VZv31ZJWD1TTqFCE&1pCd#5@wkreKS zTt6b#!R!6&0_%+Hj}A<4f~}-IzMkm*X4e^VRH5Ivvmv-aYLme)qhFMzvshN3cULIE zM7Fx1Ne7}GRYoo7lO-||POGe1TwRzt$zV@sk9B}-dAHqNOl8qXA2Xa7-d5a7-y%8k zqo9nW35R~NW2eu4K=#0n-tPe2(-3i<-NYvnhl(kk^Uz*;C>MqRsdv9hQNyD~RD zsjtDt_-In&ezks0xv$#!wU%oggAZ?6)7SfRKXRh1jPwZ;`u?nTWG>K`vpoaP+#V}Y zQC=V-C!iu=Sg&)KVk-d7e~;rg2V;q#TI)+2GpCBQ^faSN zrAqBeMO3G74Z0Lu(kb6=j0?Lh166r$_FT~}0d^gX)Sc5^EWKGut1cmmso||~DrPKb zf8*EfTDqH&+hq}&tL9d^6wrx0V+!KK>)~C_N->HQMx^x=Pe>6Ium|D;LLP47%zRM9 zzP6lszqDNOyVQ5-s~;0v$Hj}L72*`AK06GWtvy+D8FU#edPe%}(KA)`9rfKT9re}{ zjuJ67F*WGOuaUx$nM|QW&Wy}G^hZfUDVvPNa@j9ve?{idHy<<0cpHfBi?HBBx}LGSFW=t;_X+R@pydW9c;ij7wNFwC1S$(zkMxcH-UUBw&YVZI8Sz<{&sv-{9x2*|GR zuETEBLf$XIJdRvr0k5(CA95?&8{<;9@={+oEms9=%4vq#H6q#gtoafRtKr|8i~TCF z@Al{n1nzKiV-rg$C^6=4`D74QDZh++I?x{%-af}Gd#o3l4*ZTk%Lexyf$FZqwFx zxXLD?jxgXF+swz3O7_#K{!7($W1gE$vL#!3ChTxdvN}5(L)-3==pm7`%3Q7y^so9M z#Ftk&dwCb=dwus-lbVVnRSkKVjW#>097XEHJpvFn*J!SDMH-M+iMPZwak@-vR-z5l zYl1tU0o9$tEP97N^fq2`Lfz88xe*bBT7aX?HI4X;mmA-mMS>Y6X`*9l?jz{ZX+mb% z7yLIEquhqNGZ#`C$}7LOz8|%nu-)EV;>k6=omP>)nSR@qa&EqXa@n8(jX9P_@THHi zBih58K*Bw=?U*nEH=J_pSX_iGJ-me1^-MVOgpf6$)8;a z{VV$F)3(z#IAvTtR;nhtV*4Zw=VD&1;o^aYl1z}`$=Gf;!CR-MnI|OlbP{H`P>Q#q ztX%}~o*xgTFr|K6&fsr0_csCS+t?e+SQbjrdEd{Vs#UT{R$pd2WFz@NYTSQ?K2x$#l zcBFFKYrEsUIw5}%ixle+gP9$)cpuauHmD6-46`7jmM%NqJK}`oNlj>bPJ32OtC>^l zF0iu^WQ*Nq%zXu0Jn9VCr@fe&&J~eZ>^uazVF$37W!lAH&*ym9aQmF!^WEwW%?`^W zX|&9o++x(Ulqq3hc5flXvBxj}aC|`#OBxYAN=U>cP|00S$V?cHq>M!6zLpdb`7Py% z-##yu8+||eESHW@NEoi6qvZ=enMT23;~C=x=?Ce_-7bN}_?;dUJp?h>H^|cU(_i4F z#gPFH-RrmD$GlgxOr^OV_%MY1!v3@tqdQiLOQugwzPLt`ad>Vmz=I&-&4<=XI_dxb z@F@Tg8V&%QUJ&ow0D#X60AS}W03ezH0MNN5Sq>-w08jgr-^l3s&;MBjx$EnH*xR>s zR-(J6wfY61y)JvTgiR#{`lKnfA^-MU(T2tEiMiS-SzlEWKiqBjQQR4?^WtWf8H+)L zDLH@Bl7=(iw$g-!v~u~_!3%NmkK!wj?3o)j(xH;Jg>8ok5D&=Y>){jb?OO~xj#W!R$Q#Cu5K8p5gXmA-XAHit3>{D zAeK(gG9>K-;Oqeefm+)GtFL_2#1eKm;=28s;HYC3jjPBwM`HW4(@`@2PRaK_w5~qy z<99Y{h@_xbkpTorcrOKoJS)Dc+cggjy+Xo~!6@kugzt|P(B33{SA++A)FA4uRNj*U zIUa{thTPmFMOMa>QG6iK#*z6cV)M_4?rYt?j7^!&CXASQ;Pj6*l+J~JBM z8B|-#Ha$OIK|*%Bvh}oLVnWCJ+&{IVLPN(L9@MGmFjr@nn&DpxZ)j-1355`(9M%ST zMBVdq`mTmDN+&E>@Xek;&JvKjQ@s)wb6y~eE-k+5+5A{=+nDB&_9h_cyWRUS*VYYN zi6gBFF88LUrtQ86h3T1GIF;17dD4A)`f}V}UInq!@(KzSAs4%y1`J}ppZNs@%BnO3 z16$-7U)A_the?2r9oGi^js_VS^|Z9U-lAimp`j_JvotFscFS$yLq@Gp1S)Ur8nSz_ zZbEP4zN-O@V*XL+?lf8ge4X(^KWb_2)L; z>E*h~_vsxjb~P(8AFF0mnzzTtY1K3TF>MVtv(_kbr@&R{S zudAr4j(d$t6it?Pdv!uhb2cHCHFIp@HC%^u_S3vW3;EW0INw&A!QJZt|po1?5JS!Wr6ZcBECF1Al;e~R&t$O+s zmxY!&p&Bp3Ih2IA*%j(I0&ediB!{Re&mC=Ek#?IX&)X!!o|ne6vd=8oU8Iw~S!8^Rj+ zLvpmeg$7EX?lxmA77|Nd9pg3lYRt;sS(y6hSXQ;D4(Law+d9Kh#_<<`r(aQhlp8oZXEt?HaGIht3Uq zOaeOVhv7hwhI3UAl&Epmu~l*LBIJh>R;qV)=2$msCOb2;Ae=10{$L$6kEl`H+p01a z5VZe-&D-`mE@^87K|5dpg9)sa`)km7M379P6IerEzf=t*DK6FWa_qMC>B(F(y-0Q{`2KDeFY9H!eTo<1O7{b}iLcRFq8JN! z(`&hMuhZmb>UzW)H*dyxZ>S`bQn^wMg_BWv-hzdbDQ+*cp0P-6zs}Q<3hv-s0WmT# z*fbh&zV!G|SR_Xdj+t~}dkUuVtt=D**(4nxdB-@d-->msd*$(Y-KrSWDmlNN)joWR z^W4b6(DdB4?_Z!=AMz5Qt$YD$+ze?pGYzNA8ANCN{Wx9|qRMQ8tx>aIz11fT+uokM6$HcKK#5_;bB5x! zrqjDmVPCpL|3>rX;uIJ{O1UG^LC(i5EN+2P=YRdoTgJ9td5bPvpKqtcehpVNyO8qP zX~@dT@6-`YVY>I;|!1oX{hl$feOr23=o9x!c zupzKx2}~6yf(kluk0q`jDa1gqwe_y#kdo>3!;{os{(AL_N*lQ04>_wJe5>4#--;ro zO3wA49gZsL=q&Q$=Y-@kkJD9^b#*(JO^w-_!`Rw~^lR+n+9YQ2e`n)|sE*Dn_%DVr zuksF4w5M2%xUkIni=Wz4#d|Nh)LVEIDk|ZAkv28+Dl6BN=3b>uftdc0`9*8rNjDnArtdPtm^myi*}$}lS+qHJSc7L!&~HVvK*ovd z`qr_D4~7Ho=gB}^PdO!ntCq3eA8XUU5zV{@3R<*!CGh^oTS|ue8$PP%=ci*JCNiq{ z38E8~AcBvbtDSH}kW6+ZOm~jhCO-)}o=dlo z$cJIgJLiAX9ZO$|}8FlRL(;#7Xnk8vfXg~|3U=U*T+eOiWo;yd) zd6K~B?7`1)2CaK#JGP_WG%FFsG@~K;Dw2v${GSf5>Ux>zX6 zpj5I`QUq-&h@DfHERCRjz0qcVPK=ute)zz(Ag+ZGWuctJ67_&5-?t-8$D<^tngu4* z#S|ms+Egn<3*21~L_x0Yzpv!JZE~9ZBLVEpm*XIB0rdVZmwMabphX z@aFS}HaSV3LcK1YswkK9YUr}3++3IYX7xgwnHMom#xTK`fcj| z*t{*a=H;OJ?;6Q4z4j*j@A&DO=OZMMLvzDI)sC4%LkN;1x{xL3SzcU*VKce{k)Pn3 zGes1RiFi~gG!wj0?xi`2f)ONghBbl?=O?ul)zv5(jB{h|7y*AAc|OFYYOYz&NXhCt&IRH23TjN+ zU#)&obL?HlYl3|$hI*+lGDjHh_C#6gOIk$+quTnJN>Aw{1AJ2}&8Sns)(`qcR&Q+l zN;ou`@k8<|u_?BGnEQBoQI-!8^9!nC_F+M3S9p5r;Q8RAfnjimE;s5;zL`L|zK$Th z25$mW^X!#t#j0I^arzgr&Ahs2=R%LjG^Sm~T%o!si&gibs}As}iZWAPSsjo>46Qj8!gcUBm0~)2@G#uUMk$Oj~)EnYR=cyqE)JympE-w zUTJ75X!{FY^KhQnE5=t{)P1_Bt|@y|q)ihL zv+L+t549|p3`xTwjzFD=8q;~Y2I~Pb$*X^C(JgMRPM_Z|#+!4(Kd&_7Pp2o&HX<>z zQTI+PYfb}ooI`!G_Dna>6GN%lh}Z(xbOUkAX8>}AH_m@vXYWVIw=SDK&t4+X$aJ|G zl4UK8W3g8^Zeb?!_Wm4`h0pM`4i_0ZzBd}q6tGLX%}P)pYN2iQ`&wQ|xM`h~zvs!{ zS2a?xbK1F?>w3buq?jPV6~xJ9Llgb=8SY05q@U#%{rcxI;h0x@d&c*ph<#}ws8 z*@=$tuUYDnOSAUn0X?q2hCZ0EV0=wnxoBD$x+dmyQT{`cr`Z;M+2Tfs=Jb~9pLcdH zO0|m=*f}fkl^%{xC{Z5gLhM`{hJ+YJ<#kKcCjPFXc}{!6`X!iz*91fGMWVQlL#LEK z&2ZH1Ahnfi09iZ5z`_IrMEA3DKeCn);Pc5B@m_BONE7AS?+@v8(L56g3tFAF(|ku{tQ#PwA!pr>`P@AA&1wzqLj$B{6O*DyW}Il zaS*jjisBz8=pUZq-*9}I=e^EjWsRE~z_edACIfe3&zphPgfyXwkE={CF z?0pr2qq5P=U=1X&q?d_NemYdRT{&dKV`P=VW{w&fLLZ)(81&x50joCZOqSs~hM|q4 zlK}<9eQ1C=t*C$kReBX!!wj^cP@alozgj|u_a_UB;iA{nl670L%%q{n2fOiGD(VZ* zDj6EZo-0RZwnn}-5M=WkB zmW|e=7AKA=Flg&D>pN|0^SD#Sn3zS7wEBR<$71dFWzVCG8gS|N?>?f`d9I?+iDfDF zSf6aC1^e;BsFZrsECR?{b4$B(gS^~Hp!ug`ZCUWJI7rDtOw+VV=hv3E36U|Bru)19 zaC{MX9%0G#?%Pi$B%#Dm7`@Y{UZHJXgg*|D2~6ULtLW6u)Chq>+7zHlGr!HSpFt%u zl_i?vI?B_MNGCn;J6Rv|B5t+C*wJ)jp$w1#)6K^;vNz5K4+rYER%xp0 zL^M5tCGRab?9o>rs-;aMr^^zji0rB~-7&kD^@;}D)|ALI<*j4^yrnj^f~|cnqStGE+qtg)Szcs zG2S@YdF<56<}UeFUOxBHzCILGVt~S37WU1Fvm)9-+VHmN3{Q+~_fqHjdyAan<4j5~>)A`-1iOd2QLf(0gNUO#m}!uZh(#wBae$|uT1 z;HILkKHlPC%}yL-_q7O^79Kv$#hf8_>0A0uyq%i*DvpkIkJ;E3En?%F*hS|HP2D;N z(3ti0pKX|#Y=@u3(+7Kzu!}aJJgZ9%1iW{FW&F04R@T#|i{cmcD_8`h?o~x^qt_arr?SVEK=@5<{axE# zQV@F>3?*={lgeD`xrQESgqm8wESyw+JnITTdif@Jut#JqI`wQ|N(9{eH^Z1S8z>ze ztvr7@gKfn0ZNY{3Xl0cJor3SB5+6zvQdAI3REh;jkzV?a!>KzxK zScO{zamK;~m7;YU8pt@mmY0iEotl^;>_-5AmBCx!q$BHLo1g}dE(S- z2P&H!1tW2}@~=CGj(-ZOeS%r-%6QGs!e%G{0N0K&5%FUUyzi>Pob!YtBN98&!=cJ7(9E>bWhj%!s$ox5N=_2%1al32sGO^jmJDYE9P7~%h_x+P%C|~ZG2Uo# z$?IUNqG`ma*@5-TTr}*+WxMPG=IdKdo4~+Ga+Ru)7lZQLGx% z)y+$V85ygFOLN&c4ds znZ%skfP;>D_1wUO!8pbu0=_d(4FYi^lIu|zJT|11=28{D^;{S+;4u)$?e&RHCEGs;kwX zYvz_b1OR$`c-9f9%dlDYf53ati1Q<$_IMt<5V6)tO5(mh@}q`w+g=xrU7Pr(MZ|mS z%eJ8FWysARzI(Yh^G{5bW~BlP1#rZC`eCq*X@Uy{sQl!m3^IXeRs6X#B)%ZZITEk+ zMkUwrwSp_fps#syY04*Z`3J$G?LVU?cK__f{XHa%%?G+ezj!U{rhviK9a*R{f~XnQ zAU;7W1_8tIqI!I$d~jnzPQ>{Lu-2{j(~ZzqvG8qG{@V3 zGf7tnf@#8VU@*Qu;=qfTyJu@F8>Cf#w=Maema2bmu%SjjDb;zn`gV}Xo~=bL0rf+z zk>?c`+}E5|{&|Y=o{248!)X$?DbCga;h8Mfy%;sW+vilu%oBUhG!1x=K~>Y~z232| zU*qbtOz$&~!Ht>5OYH@1?H<1O%d_k=&hyKBfQU1tH$cuOEvC55@J?EoW=4G`6O{&Q1iwP|(3aUvJvKQ72DuLh4&YEaXg}vIv0D%3?0~WSrgLkcRDehp~-p zq>^bc55d{_2H(JD+%{_NWl_A@HR9JBu!Id{W=DM+7P#h-z^R-1Zb92g$`!wPCj@yT z1hYhwM+F`yl@lSDxp12nM~~tUHv|5cg!`9qR?_C=s za5j?y?x-8Q$|ImfrScjFCtM_P&mr;>d^hXOK^R~9CPbAvZqbi*gGIKJY^VBf?o2N* z-8pFYv(*rdjhbF+U@QoG2CInn#+rImf<9B zLqr8kU04cfX(<6V=KPsA*IP*|HGH%c5e*WQxxOF&o~8Q@wd#S;B>F15rEs?TsX$PI zpRw*s=(@`Eazpe`wXd1}0FOZzN*y6I96&s>lf1g)@wwm`RCS*6-& z{xnil$ZTUKuqx)4OC&J6{QRB+sQg{PuKw;->uDBCKoPxr{-Sau;5H0zRTE*V;1?zc95?58|eB|Dl zKsj3oW-NSdENC};xyfmXlq8t+qmLR+Y&6P)>D1IR9gM_-hx)lt@u{VmK_>5YN`_C`o%X@^(Eh@+}ZR8f|FMe^rMc5bS3*Eav%x#=LA zb4FS(8l$OY;M%z6gB-Qs*>&0Q>~yvxLv-L6xr#rY0MKU&+@qN$XC+PQUyjx|MIN*ONYa=7%W1xK9tQ|fekb%#3}^jj^RERw9i zGW97v7F`1a1Bio%Ijd-bep{T6H>2=dVf5@h2?u+7bmvE*A=Mi%V7=aIcI7kopKNK@ zTWCx=^qNVi6g#DD8R3kz6P_tKHL>c-o~w;0`>R77;&Ib05Oj_R6n)Jk8Ji{SV_=*; zx-ROjTEEt~p5Zb7tkbqEYC`CGG_oQLXir)5%r*Mq=1kjq%|(C{HJQIln*1e z>>j72FK&!uk#{6>E{y*cNG!aJEDv2@dCYg>i=Lr&o3Fv^k27I+!?P0fzd?#HyL)}l z7Cbrho1hP5ns3QYdTA;)4J^Ohgmj*iOVx`W7*a`i=I;IRa=Mdu1stpvRZB&ffwLh` z-G@XM4n9v7-MAk4!ngvRn-@|O-{SbRgZ9^h-vFpfY2Nd;d>)@8@vXf8nq*<^)e+rEReNJ8V zv9x}rKIjchup_t4@}P*uO18L!7^LycwOI5U-Q4rw4<5`FwP@b+tHC}{ZAR}4E&U1- zBbm|mso|Lu(u{Ue%l67itYt}BG~D#+3iWxPF-ovz%Conav6zgzC6t!wAxYduZc5TZ zl+OA3zRwJXGDWq8pivsIYFAde&Dq_mds66mr{#0!?pkxQS--VFoiv`|*9IdEOZY|< zz(ukOh=s$>!Jw-Rn)NRGpsEu$zA%`vEioDa|7z#{?9H+46T@cg$+^40v4rac3i8v8 z+rP#4K=zhtikbeuoZ7lzQlr_U@Wi^?&EgWx&=WO$Y3`=a{l5aRqgjfh z%*pF{RPRCvry&*tNZ%~ySck~%?~t^=uSx_i(>R`#FD80NrMv_LN@!@9V3e>a2EFGy z!SgXig$IFh$|RIvKA5u3=>)qy_!Ndxb904v9xJ%h<$%sS@wHSr$Z0#3nZ{ZY0F!e6iv&%?DG&1 zGx3Sp^Z3tP=-#8tV39zLN6CT9oba<9`Xv`d_s^fBK~5kZRU!Tlh^ Date: Thu, 24 Feb 2022 00:26:15 +0000 Subject: [PATCH 532/657] Update troubleshooting-help.md --- .github/ISSUE_TEMPLATE/troubleshooting-help.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/troubleshooting-help.md b/.github/ISSUE_TEMPLATE/troubleshooting-help.md index ee0a8c7..b5c7564 100644 --- a/.github/ISSUE_TEMPLATE/troubleshooting-help.md +++ b/.github/ISSUE_TEMPLATE/troubleshooting-help.md @@ -9,7 +9,7 @@ assignees: ''