daily pastebin goal
22%
SHARE
TWEET

Space Pants Oddity

a guest Sep 30th, 2016 181 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /******
  2. * name: ghacks user.js
  3. * date: 01 Oct 2016
  4. * version: 0.11 BETA (Ground Control to Major Tom, take your protein pills and put your helmet on)
  5. * FF version: 49 (DESKTOP)
  6. * author: Pants (v10 special thanks to ghacks contributors: Just me, Conker, earthling, & Rockin' Jerry)
  7. * url: http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/
  8. * required reading: http://kb.mozillazine.org/User.js_file
  9.  
  10. * README/IMPORTANT:
  11.   <font color=#ff3333>End users of this list/file are expected to know what they are doing. These are the author's
  12.   settings. The author does NOT expect (or indeed want) end users to just run with it as is.
  13.   Use it as a comprehensive list, or as a template for your own.</font> Extensive links and comments
  14.   have been added to help. Before using this user.js, if necessary, you should change, remove or
  15.   comment out with two forward slashes any preferences you're not happy with or not sure about.
  16.   The settings in this file (user.js) OVERWRITE the ones in your prefs (prefs.js - these are
  17.   accessed via about:config) when FF is started. See the required reading above.
  18.  
  19. * BACKUP FIRST:
  20.   Backup your profile first, or even just the PREFS.JS. Go to your profile directory and copy
  21.   prefs.js, rename it (eg to prefs.js.backup). That way, if you have problems, to restore FF
  22.   to the state it was in beforehand, close FF, delete the prefs.js, rename your backup copy of
  23.   prefs back to prefs.js, RENAME the user.js so it doesn't overwrite everything again, then
  24.   start FF. IF you have any problems, you can also ask in the comments at ghacks.
  25.  
  26. * PURPOSE:
  27.   This is not a "comprehensive" list of ALL things privacy/security (otherwise it would be huge)
  28.   It is more like a list of settings that generally differ from their defaults, and is aimed at
  29.   improving security and privacy, at making a "quieter" FF, and at reducing fingerprinting and
  30.   tracking; while allowing functionality. There will be trade-offs and conflicts between these.
  31.  
  32. * COMMON ISSUES:
  33.   Some prefs will break some sites (it's inevitable). If you are having issues search for
  34.   "WARNING:" in this document, especially the ones listed just below.
  35.  
  36.   <font color=#ff3333>This user.js uses the author's settings, so you need to check these EACH release because
  37.   the author prefers anonymity, security, and privacy over functionality [eg being able to
  38.   paste in Facebook, downloadable fonts, and other minor inconveniences]. You have been warned.</font>
  39.  
  40.    0202 & 0204 & 0207 & 0208: search, language and locale settings
  41.    0807: disable history manipulation
  42.    0903 & 0904: master password (author set his up to last 5 minutes, default is once per session)
  43.    1007 & 1008: disabling/reducing session store saves affects recently closed tabs history
  44.    1204: security.ssl.require_safe_negotiation
  45.    1206: security.OCSP.require
  46.    1208: security.cert_pinning.enforcement_level
  47.    1209: disable TLS 1.0
  48.    1210: disable 1024-DH Encryption
  49.    1211: disable SHA-1
  50.    1212: disable SSL session tracking
  51.    1401 & 1406: browser.display.use_document_fonts <font color=#ff3333>[author blocked fonts]</font>
  52.    1404: default fonts <font color=#ff3333>[author changed default fonts]</font>
  53.    1805: plugin.scan.plid.all <font color=#ff3333>[author blocked all plugins]</font>
  54.    1807: disable auto-play of HTML5 media (may break some sites' playback)
  55.    2201: dom.event.contextmenu.enabled
  56.    2402: dom.event.clipboardevents.enabled
  57.    2404: dom.indexedDB.enabled
  58.    2421: two js preferences - javascript.options.baselinejit seems to cause the rare odd behvaiour
  59.    2430 & 2431: web/push notifications - may affect twitter and in future other social media sites
  60.    2440: dom.workers and dom.serviceWorkers: eg downloads on mega.nz requires workes
  61.    2507: keyboard fingerprinting (android + physical keyboard)
  62.    2508: hardware acceleration (performance vs lots of video, also fonts render differently)
  63.          <font color=#ff3333>[author killed hardware acceleration]</font>
  64.    2509: dom.w3c_touch_events.enabled (you will want to change this if you use touch)
  65.    2619: network.http.redirection-limit
  66.    2661: privacy.firstparty.isolate
  67.    2705: dom.storage.enabled
  68.  
  69. * THANKS:
  70.   Special thanks to Martin Brinkmann and the ghacks community
  71.   Lots of websites, lots of people, too many to list but here are some excellent resources
  72.   - https://github.com/pyllyukko/user.js
  73.   - http://www.wilderssecurity.com/threads/firefox-lockdown.368003/
  74.   - http://12bytes.org/articles/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs
  75.   - https://www.privacy-handbuch.de/handbuch_21.htm (German)
  76.  
  77.  ******/
  78.  
  79. // START: internal custom pref to test for syntax errors
  80. user_pref("ghacks_user.js.parrot", "This parrot is no more! He has ceased to be! This is an ex-parrot!");
  81.  
  82. /*** 0100: STARTUP ***/
  83. // 0101: disable "slow startup" options
  84.    // warnings, disk history, welcomes, intros, EULA, default browser check
  85. user_pref("browser.slowStartup.notificationDisabled", true);
  86. user_pref("browser.slowStartup.maxSamples", 0);
  87. user_pref("browser.slowStartup.samples", 0);
  88. user_pref("browser.rights.3.shown", true);
  89. user_pref("browser.startup.homepage_override.mstone", "ignore");
  90. user_pref("startup.homepage_welcome_url", "");
  91. user_pref("startup.homepage_welcome_url.additional", "");
  92. user_pref("startup.homepage_override_url", "");
  93. user_pref("browser.shell.checkDefaultBrowser", false);
  94. user_pref("browser.usedOnWindows10.introURL", "");
  95. // 0102: set start page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
  96.    // home = browser.startup.homepage preference
  97.    // You can set all of this from Options>General>Startup
  98.    // user_pref("browser.startup.page", 0);
  99.  
  100. /*** 0200: GEOLOCATION ***/
  101. // 0201: disable location-aware browsing
  102. user_pref("geo.enabled", false);
  103. user_pref("geo.wifi.uri", "https://127.0.0.1");
  104. user_pref("geo.wifi.logging.enabled", false); // (hidden pref)
  105. user_pref("browser.search.geoip.url", "");
  106. user_pref("geo.wifi.xhr.timeout", 1);
  107. user_pref("browser.search.geoip.timeout", 1);
  108. // 0202: disable GeoIP-based search results
  109.    // https://trac.torproject.org/projects/tor/ticket/16254
  110. user_pref("browser.search.countryCode", "US");
  111. user_pref("browser.search.region", "US");
  112. // 0203: disable using OS locale, force APP locale
  113. user_pref("intl.locale.matchOS", false);
  114. // 0204: set APP local
  115. user_pref("general.useragent.locale", "en-US");
  116. // 0206: disable geographically specific results/search engines eg: "browser.search.*.US"
  117.    // i.e ignore all of mozilla's multiple deals with multiple engines in multiple locales
  118. user_pref("browser.search.geoSpecificDefaults", false);
  119. user_pref("browser.search.geoSpecificDefaults.url", "");
  120. // 0207: set language to match
  121.    // WARNING: reset this to your default if you don't want English
  122. user_pref("intl.accept_languages", "en-US, en");
  123. // 0208: enforce US English locale regardless of the system locale
  124.    // https://bugzilla.mozilla.org/show_bug.cgi?id=867501
  125. user_pref("javascript.use_us_english_locale", true); // (hidden pref)
  126.  
  127. /*** 0300: QUIET FOX [PART 1]
  128.      No auto-phoning home for anything. You can still do manual updates. It is still important
  129.      to do updates for security reasons. If you don't auto update, make sure you do manually.
  130.      There are many legitimate reasons to turn off AUTO updates, including hijacked monetized
  131.      extensions, time constraints, legacy issues, and fear of breakage/bugs  ***/
  132. // 0301: disable browser auto update
  133. user_pref("app.update.enabled", false);
  134. user_pref("app.update.service.enabled", false);
  135. // 0302: disable browser auto installing update when you do a manual check
  136. user_pref("app.update.auto", false);
  137. // 0303: disable search update
  138. user_pref("browser.search.update", false);
  139. // 0304: disable add-ons auto checking for new versions
  140. user_pref("extensions.update.enabled", false);
  141. // 0305: disable add-ons auto update
  142. user_pref("extensions.update.autoUpdateDefault", false);
  143. // 0306: disable add-on metadata updating
  144.    // sends daily pings to mozilla about extensions and recent startups
  145. user_pref("extensions.getAddons.cache.enabled", false);
  146. // 0307: disable auto updating of personas (themes)
  147. user_pref("lightweightThemes.update.enabled", false);
  148. // 0308: disable update plugin notifications
  149.    // if using flash/java/silverlight, it is best to turn on their own auto-update mechanisms.
  150.    // See 1804 below: mozilla only checks a few plugins and will soon do away with NPAPI
  151. user_pref("plugins.update.notifyUser", false);
  152. // 0309: disable sending flash crash reports
  153.    // https://developer.mozilla.org/en-US/Firefox/Releases/43 (supposedly deprecated)
  154.    // leaving this pref enabled because a reset does not remove it
  155. user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
  156. // 0310: (43+?) disable sending the URL of the website where a plugin crashed
  157.    // https://developer.mozilla.org/en-US/Firefox/Releases/43 (supposedly deprecated)
  158.    // leaving this pref enabled because a reset does not remove it
  159. user_pref("dom.ipc.plugins.reportCrashURL", false);
  160. // 0320: disable extension discovery
  161.    // featured extensions for displaying in Get Add-ons panel
  162. user_pref("extensions.webservice.discoverURL", "http://127.0.0.1");
  163. // 0330a: disable telemetry
  164.    // https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
  165.    // the pref (.unified) affects the behaviour of the pref (.enabled)
  166.    // IF unified=false then .enabled controls the telemetry module
  167.    // IF unified=true then .enabled ONLY controls whether to record extended data
  168.    // so make sure to have both set as false
  169. user_pref("toolkit.telemetry.unified", false);
  170. user_pref("toolkit.telemetry.enabled", false);
  171. // 0330b: set unifiedIsOptIn to make sure telemetry respects OptIn choice and that telemetry
  172.    // is enabled ONLY for people that opted into it, even if unified Telemetry is enabled
  173. user_pref("toolkit.telemetry.unifiedIsOptIn", true); // (hidden pref)
  174. // 0331: remove url of server telemetry pings are sent to
  175. user_pref("toolkit.telemetry.server", "");
  176. // 0332: disable archiving pings locally - irrelevant if toolkit.telemetry.unified is false
  177. user_pref("toolkit.telemetry.archive.enabled", false);
  178. // 0333a: disable health report
  179. user_pref("datareporting.healthreport.uploadEnabled", false);
  180. user_pref("datareporting.healthreport.documentServerURI", "");
  181. user_pref("datareporting.healthreport.service.enabled", false);
  182. // 0333b: disable about:healthreport page (which connects to mozilla for locale/css+js+json)
  183.    // If you have disabled health reports, then this about page is useless - disable it
  184.    // If you want to see what health data is present, then these must be set at default
  185. user_pref("datareporting.healthreport.about.reportUrl", "data:text/plain,");
  186. user_pref("datareporting.healthreport.about.reportUrlUnified", "data:text/plain,");
  187. // 0334a: disable FF41+ new data submission master kill switch
  188.    // If disabled, no policy is shown or upload takes place, ever
  189.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1195552
  190. user_pref("datareporting.policy.dataSubmissionEnabled", false);
  191. // 0334b: disable FHR (Firefox Health Report) v2 data being sent to mozilla servers
  192. user_pref("datareporting.policy.dataSubmissionEnabled.v2", false);
  193. // 0335: remove a telemetry clientID
  194.   // if you haven't got one, be proactive and set it now for future proofing
  195. user_pref("toolkit.telemetry.cachedClientID", "");
  196. // 0340: disable experiments
  197.    // https://wiki.mozilla.org/Telemetry/Experiments
  198. user_pref("experiments.enabled", false);
  199. user_pref("experiments.manifest.uri", "");
  200. user_pref("experiments.supported", false);
  201. user_pref("experiments.activeExperiment", false);
  202. // 0341: disable mozilla permission to silently opt you into tests
  203. user_pref("network.allow-experiments", false);
  204. // 0350: disable crash reports
  205. user_pref("breakpad.reportURL", "");
  206. // 0351: disable sending of crash reports (added in FF44)
  207. user_pref("browser.tabs.crashReporting.sendReport", false);
  208. // 0360: disable new tab tile ads & preload & marketing junk
  209. user_pref("browser.newtab.preload", false);
  210. user_pref("browser.newtabpage.directory.ping", "data:text/plain,");
  211. user_pref("browser.newtabpage.directory.source", "data:text/plain,");
  212. user_pref("browser.newtabpage.enabled", false);
  213. user_pref("browser.newtabpage.enhanced", false);
  214. user_pref("browser.newtabpage.introShown", true);
  215. // 0370: disable "Snippets" (mozilla content shown on about:home screen)
  216.    // https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
  217.    // MUST use HTTPS - arbitrary content injected into this page via http opens up MiTM attacks
  218. user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");
  219. // 0371: disable "Heartbeat" (mozilla user rating telemetry)
  220. user_pref("browser.selfsupport.url", "");
  221. // 0373: disable "Pocket" (third party "save for later" service) & remove urls for good measure
  222.    // NOTE: Important: Remove the pocket icon from your toolbar first
  223.    // https://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-pocket/
  224. user_pref("extensions.pocket.enabled", false);
  225. user_pref("extensions.pocket.api", "");
  226. user_pref("extensions.pocket.site", "");
  227. user_pref("extensions.pocket.oAuthConsumerKey", "");
  228. // 0374: disable "social" integration
  229.    // https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Social_API
  230. user_pref("social.whitelist", "");
  231. user_pref("social.toast-notifications.enabled", false);
  232. user_pref("social.shareDirectory", "");
  233. user_pref("social.remote-install.enabled", false);
  234. user_pref("social.directories", "");
  235. user_pref("social.share.activationPanelEnabled", false);
  236. user_pref("social.enabled", false); // (hidden pref)
  237. // 0375: disable "Reader View"
  238. user_pref("reader.parse-on-load.enabled", false);
  239. // 0376: disable webfly
  240.    // https://wiki.mozilla.org/FlyWeb
  241.    // http://www.ghacks.net/2016/07/26/firefox-flyweb/
  242. user_pref("dom.flyweb.enabled", false);
  243.  
  244. /*** 0400: QUIET FOX [PART 2]
  245.      This section has security & tracking protection implications vs privacy concerns.
  246.      These settings are geared up to make FF "quiet" & private. I am NOT advocating no protection.
  247.      If you turn these off, then by all means please use something superior, such as uBlock Origin.
  248.      <font color=#ff3333>IMPORTANT: This entire section is rather contentious. Safebrowsing is designed to protect
  249.      users from malicious sites. Tracking protection is designed to lessen the impact of third
  250.      parties on websites to reduce tracking and to speed up your browsing experience. These are
  251.      both very good features provided by Mozilla. They do rely on third parties: Google for
  252.      safebrowsing and Disconnect for tracking protection (someone has to provide the information).
  253.      Additionally, SSL Error Reporting helps makes the internet more secure for everyone.
  254.      If you do not understand the ramifications of disabling all of these, then it is advised that
  255.      you enable them by commenting out the preferences and saving the changes, and then in
  256.      about:config find each entry and right-click and reset the preference's value.</font> ***/
  257. // 0401: DON'T disable extension blocklist, but sanitize blocklist url - SECURITY
  258.    // It now includes updates for "revoked certificates" - security trumps privacy here
  259.    // https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl
  260.    // https://trac.torproject.org/projects/tor/ticket/16931
  261. user_pref("extensions.blocklist.enabled", true);
  262. user_pref("extensions.blocklist.url", "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/");
  263. // 0410: disable safe browsing
  264.    // I have redesigned this sub-section to differentiate between "real-time"/"user initiated"
  265.    // data being sent to google from all other settings such as using local blocklists/whitelists
  266.    // and updating those lists. There SHOULD be NO privacy issues here. Even *IF* an URL was sent
  267.    // to google, they swear it is anonymized and only used to flag malicious sites/activity. Firefox
  268.    // also takes measures such as striping out identifying parameters and storing safe browsing
  269.    // cookies in a separate jar. (#Turn on browser.safebrowsing.debug to monitor this activity)
  270.    // To use safebrowsing but not "leak" binary download info to google, only use 0410e and 0410f
  271.    // #Required reading: https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
  272.    // https://wiki.mozilla.org/Security/Safe_Browsing
  273. // 0410a: disable "Block dangerous and deceptive content" This setting is under Options>Security
  274.    // in FF47 and under this is was titled "Block reported web forgeries"
  275.    // this covers deceptive sites such as phishing and social engineering
  276. user_pref("browser.safebrowsing.enabled", false); // FF49 and earlier
  277. user_pref("browser.safebrowsing.malware.enabled", false);
  278.    // user_pref("browser.safebrowsing.phishing.enabled", false); // FF50 and later
  279. // 0410b: disable "Block dangerous downloads" This setting is under Options>Security
  280.    // in FF47 and under this was titled "Block reported attack sites"
  281.    // this covers malware and PUPs (potentially unwanted programs)
  282. user_pref("browser.safebrowsing.downloads.enabled", false);
  283.    // FF48+ disable "Warn me about unwanted and uncommon software" Also under Options>Security
  284. user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
  285. user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
  286. // 0410c: disable google safebrowsing downloads, updates
  287. user_pref("browser.safebrowsing.provider.google.updateURL", ""); // update google lists
  288. user_pref("browser.safebrowsing.provider.google.gethashURL", ""); // list hash check
  289. // 0410d: disable mozilla safebrowsing downloads, updates
  290.    // NOTE: These two prefs are also used for Tracking Protection (see 0420)
  291. user_pref("browser.safebrowsing.provider.mozilla.gethashURL", ""); // resolves hash conflicts
  292. user_pref("browser.safebrowsing.provider.mozilla.updateURL", ""); // update FF lists
  293. // 0410e: disable binaries NOT in local lists being checked by google (real-time checking)
  294. user_pref("browser.safebrowsing.downloads.remote.enabled", false);
  295. user_pref("browser.safebrowsing.downloads.remote.url", "");
  296. user_pref("browser.safebrowsing.appRepURL", ""); // google application reputation check
  297. // 0410f: disable reporting URLs
  298. user_pref("browser.safebrowsing.provider.google.reportURL", "");
  299. user_pref("browser.safebrowsing.reportMalwareMistakeURL", "");
  300. user_pref("browser.safebrowsing.reportPhishMistakeURL", "");
  301. user_pref("browser.safebrowsing.reportPhishURL", "");
  302. // 0420: disable tracking protection
  303.    // There SHOULD be NO privacy concerns here, but you are better off using an extension such as
  304.    // uBlock Origin which is not decided by a third party (disconnect) and is far more effective
  305.    // (when used correctly). NOTE: There are two prefs (see 0410d) shared with Safe Browsing
  306.    // https://wiki.mozilla.org/Security/Tracking_protection
  307.    // https://support.mozilla.org/en-US/kb/tracking-protection-firefox
  308. user_pref("privacy.trackingprotection.enabled", false); // all windows pref (not just private)
  309. user_pref("privacy.trackingprotection.pbmode.enabled", false); // private browsing pref
  310. // 0430: disable SSL Error Reporting - PRIVACY
  311.    // https://gecko.readthedocs.org/en/latest/browser/base/sslerrorreport/preferences.html
  312. user_pref("security.ssl.errorReporting.automatic", false);
  313. user_pref("security.ssl.errorReporting.enabled", false);
  314. user_pref("security.ssl.errorReporting.url", "");
  315. // 0440: disable mozilla's blocklist for known FLASH tracking/fingerprinting (48+)
  316.    // If you don't have flash, then you don't need this enabled
  317.    // NOTE: if enabled, you will need to check what prefs (safebrowsing URLs etc) this uses to update
  318.    // http://www.ghacks.net/2016/07/18/firefox-48-blocklist-against-plugin-fingerprinting/
  319.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1237198
  320. user_pref("browser.safebrowsing.blockedURIs.enabled", false);
  321.  
  322. /*** 0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on] ***/
  323. // 0601: disable link prefetching
  324.    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ
  325. user_pref("network.prefetch-next", false);
  326. // 0602: disable dns prefetching
  327.    // http://www.ghacks.net/2013/04/27/firefox-prefetching-what-you-need-to-know/
  328.    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
  329. user_pref("network.dns.disablePrefetch", true);
  330. user_pref("network.dns.disablePrefetchFromHTTPS", true); // (hidden pref)
  331. // 0603: disable Seer/Necko
  332. user_pref("network.predictor.enabled", false);
  333. // 0603a: disable more Necko stuff (not sure what this will do but so far no ill effects)
  334.    // https://wiki.mozilla.org/Necko/CaptivePortal
  335. user_pref("captivedetect.canonicalURL", "");
  336. // 0604: disable search suggestions
  337. user_pref("browser.search.suggest.enabled", false);
  338. // 0605: disable link-mouseover opening connection to linked server
  339.    // http://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests
  340.    // http://www.ghacks.net/2015/08/16/block-firefox-from-connecting-to-sites-when-you-hover-over-links
  341. user_pref("network.http.speculative-parallel-limit", 0);
  342. // 0606: disable pings (but enforce same host in case)
  343.    // http://kb.mozillazine.org/Browser.send_pings
  344.    // http://kb.mozillazine.org/Browser.send_pings.require_same_host
  345. user_pref("browser.send_pings", false);
  346. user_pref("browser.send_pings.require_same_host", true);
  347. // 0607: stop links launching Windows Store on Windows 8/8.1/10
  348.    // http://www.ghacks.net/2016/03/25/block-firefox-chrome-windows-store/
  349. user_pref("network.protocol-handler.external.ms-windows-store", false);
  350. // 0608: disable predictor / prefetching (FF48+) (is this Seer/Necko?)
  351. user_pref("network.predictor.enable-prefetch", false);
  352.  
  353. /*** 0800: LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc
  354.      Not ALL of these are strictly needed, some are for the truly paranoid, but
  355.      included for a more comprehensive list (see comments on each one) ***/
  356. // 0801: disable location bar using search - PRIVACY
  357.    // don't leak typos to a search engine, give an error message instead
  358. user_pref("keyword.enabled", false);
  359. // 0802: disable location bar domain guessing - PRIVACY/SECURITY
  360.    // domain guessing intercepts DNS "hostname not found errors" and resends a
  361.    // request (eg by adding www or .com). This is inconsistent use (eg FQDNs), does not work
  362.    // via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com
  363.    // as the 411 for DNS errors?), privacy issues (why connect to sites you didn't
  364.    // intend to), can leak sensitive data (eg query strings: eg Princeton attack),
  365.    // and is a security risk (eg common typos & malicious sites set up to exploit this)
  366. user_pref("browser.fixup.alternate.enabled", false);
  367. // 0803: disable locationbar dropdown - PRIVACY (shoulder surfers,forensics/unattended browser)
  368. user_pref("browser.urlbar.maxRichResults", 0);
  369. // 0804: display all parts of the url
  370.    // why rely on just a visual clue - helps SECURITY
  371. user_pref("browser.urlbar.trimURLs", false);
  372. // 0805: disable URLbar autofill -  PRIVACY (shoulder surfers, forensics/unattended browser)
  373.    // http://kb.mozillazine.org/Inline_autocomplete
  374. user_pref("browser.urlbar.autoFill", false);
  375. user_pref("browser.urlbar.autoFill.typed", false);
  376. // 0806: disable autocomplete - PRIVACY (shoulder surfers, forensics/unattended browser)
  377. user_pref("browser.urlbar.autocomplete.enabled", false);
  378. // 0807: disable history manipulation - SECURITY
  379.    // https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Manipulating_the_browser_history
  380.    // WARNING: if set to false it breaks some sites (youtube) ability to correctly show the
  381.    // url in location bar and for the forward/back tab history to work
  382.    // user_pref("browser.history.allowPopState", false);
  383.    // user_pref("browser.history.allowPushState", false);
  384.    // user_pref("browser.history.allowReplaceState", false);
  385. // 0808: disable history suggestions - PRIVACY (shoulder surfers, forensics/unattended browser)
  386. user_pref("browser.urlbar.suggest.history", false);
  387. // 0809: limit history leaks via enumeration (PER TAB: back/forward) - PRIVACY
  388.    // This is a PER TAB session history. You still have a full history stored under all history
  389.    // default=50, minimum=1=currentpage, 2 is the recommended minimum as some pages
  390.    // use it as a means of referral (eg hotlinking), 4 or 6 may be more practical
  391. user_pref("browser.sessionhistory.max_entries", 4);
  392. // 0810: disable css querying page history - css history leak - PRIVACY
  393.    // NOTE: this has NEVER been fully "resolved": in mozilla/docs it is stated it's only in
  394.    // 'certain circumstances', also see latest comments in the bug link
  395.    // http://dbaron.org/mozilla/visited-privacy
  396.    // https://bugzilla.mozilla.org/show_bug.cgi?id=147777
  397.    // https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector
  398. user_pref("layout.css.visited_links_enabled", false);
  399. // 0811: disable displaying Javascript in history URLs - SECURITY
  400. user_pref("browser.urlbar.filter.javascript", true);
  401. // 0812: disable search and form history
  402.    // Under Options>Privacy> if you set Firefox to "use custom settings" there will be a
  403.    // setting called "remember search and form history".
  404.    // You can clear formdata on exiting firefox (see 2803)
  405.    // user_pref("browser.formfill.enable", false);
  406. // 0813: disable saving form data on secure websites - PRIVACY (shoulder surfers etc)
  407.    // For convenience & functionality, this is best left at default true.
  408.    // You can clear formdata on exiting firefox (see 2803)
  409.    // user_pref("browser.formfill.saveHttpsForms", false);
  410. // 0815: disable live search suggestions in the urlbar and toggle off the Opt-In prompt: FF41+
  411.    // Setting: Options>Privacy>Location Bar>Related searches from the default search engine
  412. user_pref("browser.urlbar.suggest.searches", false);
  413. user_pref("browser.urlbar.userMadeSearchSuggestionsChoice", true);
  414. // 0816: disable browsing and download history
  415.    // Under Options>Privacy> if you set Firefox to "use custom settings" there will be a
  416.    // setting called "remember my browsing and download history"
  417.    // You can clear history and downloads on exiting firefox (see 2803)
  418.    // user_pref("places.history.enabled", false);
  419. // 0817: disable Jumplist (Windows7+)
  420. user_pref("browser.taskbar.lists.enabled", false);
  421. user_pref("browser.taskbar.lists.frequent.enabled", false);
  422. user_pref("browser.taskbar.lists.recent.enabled", false);
  423. user_pref("browser.taskbar.lists.tasks.enabled", false);
  424. // 0818: disable taskbar preview
  425.    // user_pref("browser.taskbar.previews.enable", false);
  426.  
  427. /*** 0900: PASSWORDS ***/
  428. // 0901: disable saving passwords
  429.    // Options>Security>Logins>Remember logins for sites
  430.    // NOTE: this does not clear any passwords already saved
  431.    // user_pref("signon.rememberSignons", false);
  432. // 0902: use a master password (recommended if you save passwords)
  433.    // There are no preferences for this. It is all handled internally.
  434.    // https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins
  435. // 0903: set how often mozilla should ask for the master password
  436.    // 0=the first time, 1=every time it's needed, 2=every n minutes (as per the next pref)
  437.    // WARNING: the default is 0, author changed his settings
  438. user_pref("security.ask_for_password", 2);
  439. // 0904: how often in minutes mozilla should ask for the master password (see pref above)
  440.    // in minutes, default is 30
  441. user_pref("security.password_lifetime", 5);
  442. // 0905: disable auto-filling username & password form fields - SECURITY
  443.    // can leak in cross-site forms AND be spoofed
  444.    // http://kb.mozillazine.org/Signon.autofillForms
  445.    // password will still be auto-filled after a user name is manually entered
  446. user_pref("signon.autofillForms", false);
  447. // 0906: ignore websites' autocomplete="off" (FF30+)
  448. user_pref("signon.storeWhenAutocompleteOff", true);
  449. // 0907: force warnings for logins on non-secure (non HTTPS) pages
  450.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
  451.    // user_pref("security.insecure_password.ui.enabled", true);
  452.  
  453. /*** 1000: CACHE ***/
  454. // 1001: disable disk cache
  455. user_pref("browser.cache.disk.enable", false);
  456. user_pref("browser.cache.disk.capacity", 0);
  457. user_pref("browser.cache.disk.smart_size.enabled", false);
  458. user_pref("browser.cache.disk.smart_size.first_run", false);
  459. // 1002: disable disk caching of SSL pages
  460.    // http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
  461. user_pref("browser.cache.disk_cache_ssl", false);
  462. // 1003: disable memory cache as well IF you're REALLY paranoid
  463.    // I haven't tried it, but I'm sure you'll take a performance/traffic hit
  464.    // user_pref("browser.cache.memory.enable", false);
  465. // 1004: disable offline cache
  466. user_pref("browser.cache.offline.enable", false);
  467. // 1005: disable storing extra session data 0=all 1=http-only 2=none
  468.    // extra session data contains contents of forms, scrollbar positions, cookies and POST data
  469. user_pref("browser.sessionstore.privacy_level", 2);
  470. // 1006: disable pages being stored in memory. This is not the same as memory cache.
  471.    // Visited pages are stored in memory in such a way that they don't have to be
  472.    // re-parsed. This improves performance when pressing back/forward.
  473.    // For the sake of completeness, this option is listed for the truly paranoid.
  474.    // 0=none, -1=auto (that's minus 1), or any other positive integer
  475.    // http://kb.mozillazine.org/Browser.sessionhistory.max_total_viewers
  476.    // user_pref("browser.sessionhistory.max_total_viewers", 0);
  477. // 1007: disable the Session Restore service completely
  478.    // WARNING: This also disables the "Recently Closed Tabs" feature
  479.    // It does not affect "Recently Closed Windows" or any history.
  480. user_pref("browser.sessionstore.max_tabs_undo", 0);
  481. user_pref("browser.sessionstore.max_windows_undo", 0);
  482. // 1008: IF you use session restore (see 1007 above), increasing the minimal interval between
  483.    // two session save operations can help on older machines and some websites.
  484.    // Default is 15000 (15 secs). Try 30000 (30sec), 60000 (1min) etc - your choice.
  485.    // WARNING: This can also affect entries in the "Recently Closed Tabs" feature:
  486.    // i.e the longer the interval the more chance a quick tab open/close won't be captured
  487.    // this longer interval *MAY* affect history but I cannot replicate any history not recorded
  488. user_pref("browser.sessionstore.interval", 60000);
  489. // 1009: DNS cache and expiration time (default 400 and 60 - same as TBB)
  490.    // user_pref("network.dnsCacheEntries", 400);
  491.    // user_pref("network.dnsCacheExpiration", 60);
  492. // 1010: disable randomized FF HTTP cache decay experiments
  493.    // https://trac.torproject.org/projects/tor/ticket/13575
  494. user_pref("browser.cache.frecency_experiment", -1);
  495. // 1011: disable permissions manager from writing to disk (requires restart)
  496.   // https://bugzilla.mozilla.org/show_bug.cgi?id=967812
  497.   // user_pref("permissions.memory_only", true); // (hidden pref)
  498. // 1012: disable service workers cache and cache storage
  499. user_pref("dom.caches.enabled", false);
  500.  
  501. /*** 1200: SSL / OCSP / CERTS / ENCRYPTION / HSTS/HPKP ***/
  502. // 1201: block rc4 fallback (default is now false as of at least FF45)
  503. user_pref("security.tls.unrestricted_rc4_fallback", false);
  504. // 1202: disable rc4 ciphers
  505.    // https://trac.torproject.org/projects/tor/ticket/17369
  506. user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
  507. user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
  508. user_pref("security.ssl3.rsa_rc4_128_md5", false);
  509. user_pref("security.ssl3.rsa_rc4_128_sha", false);
  510. // 1203: enable OCSP stapling
  511.    // https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
  512. user_pref("security.ssl.enable_ocsp_stapling", true);
  513. // 1204: reject communication with servers using old SSL/TLS - vulnerable to a MiTM attack
  514.    // https://wiki.mozilla.org/Security:Renegotiation
  515.    // WARNING: leave commented out for now, as when set to true it breaks too many sites
  516.    // user_pref("security.ssl.require_safe_negotiation", true);
  517. // 1205: display warning (red padlock) for "broken security"
  518.    // https://wiki.mozilla.org/Security:Renegotiation
  519. user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
  520. // 1206: require certificate revocation check through OCSP protocol
  521.    // This leaks information about the sites you visit to the CA (cert authority)
  522.    // It's a trade-off between security (checking) and privacy (leaking info to the CA)
  523.    // WARNING: Since FF43 the default is now true. If set to true, this may/will cause some
  524.    // site breakage. Some users have previously mentioned issues with youtube, microsoft etc
  525.    // ...aaaand in FF44 the default reverted back to false. Make up your mind Mozilla!
  526.    // user_pref("security.OCSP.require", true);
  527. // 1207: query OCSP responder servers to confirm current validity of certificates (default=1)
  528.    // 0=disable, 1=validate only certificates that specify an OCSP service URL
  529.    // 2=enable and use values in security.OCSP.URL and security.OCSP.signing
  530. user_pref("security.OCSP.enabled", 1);
  531. // 1208: enforce strict pinning
  532.    // https://trac.torproject.org/projects/tor/ticket/16206
  533.    // PKP (public key pinning) 0-disabled 1=allow user MiTM (such as your antivirus), 2=strict
  534.    // WARNING: If you rely on an AV (antivirus) to protect your web browsing
  535.    // by inspecting ALL your web traffic, then leave at current default =1
  536. user_pref("security.cert_pinning.enforcement_level", 2);
  537. // 1209: disable TLS 1.0
  538.    // 1=min version of TLS 1.0, 2-min version of TLS 1.1, 3=min version of TLS 1.2
  539.    // WARNING: FF/chrome currently allow TLS 1.0 by default, so this is your call.
  540.    // http://kb.mozillazine.org/Security.tls.version.*
  541.    // https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/
  542.    // user_pref("security.tls.version.min", 2);
  543. // 1210: disable 1024-DH Encryption
  544.    // https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
  545.    // WARNING: may break obscure sites, but not major sites, which should support ECDH over DHE
  546. user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
  547. user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
  548. // 1211: disable or limit SHA-1
  549.    // 0 = allow SHA-1, 1 = forbid SHA-1, 2 = allow SHA-1 only if before 2016
  550.    // 3 = allow SHA-1 for certificates issued before 2016 OR by an imported root.
  551.    // WARNING: when disabled, some man-in-the-middle devices (eg  security scanners and antivirus
  552.    // products, are failing to connect to HTTPS sites. SHA-1 will eventually become obsolete.
  553. user_pref("security.pki.sha1_enforcement_level", 1);
  554. // 1212: disable SSL session tracking (36+)
  555.    // SSL session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.
  556.    // Since the ID is unique, web servers can (and do) use it for tracking. If set to true,
  557.    // this disables sending SSL3 Session IDs and TLS Session Tickets to prevent session tracking
  558.    // WARNING: This will slow down TLS connections (personally I don't notice it at all)
  559.    // https://tools.ietf.org/html/rfc5077
  560.    // https://bugzilla.mozilla.org/show_bug.cgi?id=967977
  561. user_pref("security.ssl.disable_session_identifiers", true); // (hidden pref)
  562. // 1213: disable 3DES (effective key size < 128)
  563.    // https://en.wikipedia.org/wiki/3des#Security
  564.    // http://en.citizendium.org/wiki/Meet-in-the-middle_attack
  565.    // http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
  566. user_pref("security.ssl3.rsa_des_ede3_sha", false);
  567. // 1214: disable 128 bits
  568. user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
  569. user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
  570.  
  571. /*** 1400: FONTS ***/
  572. // 1401: disable websites downloading their own fonts (0=block, 1=allow)
  573.    // This setting is under Options>Content>Font & Colors>Advanced>Allow pages to choose...
  574.    // If you disallow fonts, this drastically limits/reduces font enumeration (by JS) which
  575.    // is a high entropy fingerprinting vector.
  576.    // WARNING: Disabling fonts can uglify the web a fair bit.
  577. user_pref("browser.display.use_document_fonts", 0);
  578. // 1402: allow icon fonts (glyphs) through FF41+
  579. user_pref("gfx.downloadable_fonts.enabled", true);
  580. // 1403: disable rendering of SVG OpenType fonts
  581.    // https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this
  582. user_pref("gfx.font_rendering.opentype_svg.enabled", false);
  583. // 1404: use more legible default fonts
  584.    // WARNING: These are the author's settings, comment out if you do not require them
  585.    // Been using this for over half a year, it really grows on you
  586. user_pref("font.name.serif.x-unicode", "Georgia");
  587. user_pref("font.name.serif.x-western", "Georgia"); // default Times New Roman
  588. user_pref("font.name.sans-serif.x-unicode", "Arial");
  589. user_pref("font.name.sans-serif.x-western", "Arial");  // default Arial
  590. user_pref("font.name.monospace.x-unicode", "Lucida Console");
  591. user_pref("font.name.monospace.x-western", "Lucida Console"); // default Courier New
  592. // 1405: disable woff2
  593. user_pref("gfx.downloadable_fonts.woff2.enabled", false);
  594. // 1406: disable CSS Font Loading API
  595.    // WARNING: Disabling fonts can uglify the web a fair bit.
  596. user_pref("layout.css.font-loading-api.enabled", false);
  597. // 1407: remove special underline handling for a few fonts which you will probably never use.
  598.    // Any of these fonts on your system can be enumerated for fingerprinting. Requires restart.
  599.    // http://kb.mozillazine.org/Font.blacklist.underline_offset
  600. user_pref("font.blacklist.underline_offset", "");
  601. // 1408: disable graphite (FF49 turned this back on).
  602.    // In the past it had security issues - need citation
  603. user_pref("gfx.font_rendering.graphite.enabled", false);
  604.  
  605. /*** 1600: HEADERS / REFERERS
  606.      Except for 1601 and 1602, these can all be best handled by an extension to block/spoof
  607.      all and then whitelist if needed, otherwise too much of the internet breaks.
  608.      http://www.ghacks.net/2015/01/22/improve-online-privacy-by-controlling-referrer-information/ ***/
  609. // 1601: disable referer from an SSL Website
  610. user_pref("network.http.sendSecureXSiteReferrer", false);
  611. // 1602: DNT HTTP header - essentially USELESS - default is off. I recommend off.
  612.    // NOTE: "Options>Privacy>Tracking>Request that sites not track you"
  613.    // if you use NoScript MAKE SURE to set your noscript.doNotTrack.enabled to match
  614.    // http://kb.mozillazine.org/Privacy.donottrackheader.value (pref required since FF21+)
  615.    // user_pref("privacy.donottrackheader.enabled", true);
  616.    // user_pref("privacy.donottrackheader.value", 1); // (hidden pref)
  617. // 1603: referer, WHEN to send
  618.    // 0=never, 1=send only when links are clicked, 2=for links and images (default)
  619.    // user_pref("network.http.sendRefererHeader", 2);
  620. // 1604: referer, SPOOF or NOT (default=false)
  621.    // user_pref("network.http.referer.spoofSource", false);
  622. // 1605: referer, HOW to handle cross origins
  623.    // 0=always (default), 1=only if base domains match, 2=only if hosts match
  624.    // user_pref("network.http.referer.XOriginPolicy", 0);
  625. // 1606: referer, WHAT to send
  626.    // 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port
  627.    // user_pref("network.http.referer.trimmingPolicy", 0);
  628.  
  629. /*** 1800: PLUGINS ***/
  630. // 1801: set default plugin state (i.e new plugins on discovery) to never activate
  631.    // 0=disabled, 1=ask to activate, 2=active - you can override individual plugins
  632. user_pref("plugin.default.state", 0);
  633. user_pref("plugin.defaultXpi.state", 0);
  634. // 1802: enable click to play and set to 0 minutes
  635. user_pref("plugins.click_to_play", true);
  636. user_pref("plugin.sessionPermissionNow.intervalInMinutes", 0);
  637. // 1802a: make sure a plugin is in a certain state: 0=deactivated 1=ask 2=enabled (flash example)
  638.    // you can just set all these plugin.state's via Add-ons>Plugins
  639.    // NOTE: you can still over-ride individual sites eg youtube via site permissions
  640.    // user_pref("plugin.state.flash", 1);
  641. // 1804: disable plugins using external/untrusted scripts with XPCOM or XPConnect
  642. user_pref("security.xpconnect.plugin.unrestricted", false);
  643. // 1805: disable scanning for plugins
  644.    // http://kb.mozillazine.org/Plugin_scanning
  645.    // plid.all = whether to scan the directories specified in the Windows registry for PLIDs
  646.    // includes: RealPlayer, Next-Generation Java Plug-In, Adobe Flash, Antivirus etc
  647.    // WARNING: The author turned off plugins, try it one day. You are not missing much.
  648. user_pref("plugin.scan.plid.all", false);
  649. // 1806: Acrobat, Quicktime, WMP are handled separately from 1805 above.
  650.    // The string refers to min version number allowed
  651. user_pref("plugin.scan.Acrobat", "99999");
  652. user_pref("plugin.scan.Quicktime", "99999");
  653. user_pref("plugin.scan.WindowsMediaPlayer", "99999");
  654. // 1807: disable auto-play of HTML5 media (including webms)
  655.    // WARNING: This may break youtube video playback (and probably other sites). If you block
  656.    // autoplay but occasionally would like to toggle it on, try the following addon
  657.    // https://addons.mozilla.org/en-US/firefox/addon/autoplay-toggle
  658. user_pref("media.autoplay.enabled", false);
  659. // 1809: remove mozilla's plugin update URL (plugins are dying and I have NONE]
  660. user_pref("plugins.update.url", "");
  661. // 1820: disable all GMP (Gecko Media Plugins)
  662.    // https://wiki.mozilla.org/GeckoMediaPlugins
  663.    // user_pref("media.gmp-provider.enabled", false);
  664. // 1830: disable all DRM content (EME: Encryption Media Extension)
  665. user_pref("media.eme.enabled", false); // Options>Content>Play DRM Content
  666. user_pref("browser.eme.ui.enabled", false); // hides "Play DRM Content" checkbox, restart required
  667. user_pref("media.eme.apiVisible", false); // block websites detecting DRM is disabled
  668. // 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate"
  669.    // This is the bundled codec used for video chat in WebRTC
  670.    // Disable pings to the external update/download server
  671. user_pref("media.gmp-gmpopenh264.enabled", false);
  672. user_pref("media.gmp-manager.url", "data:text/plain,");
  673. // 1850: disable the Adobe EME "Primetime CDM" (Content Decryption Module)
  674.    // https://trac.torproject.org/projects/tor/ticket/16285
  675. user_pref("media.gmp-eme-adobe.enabled", false);
  676. user_pref("media.gmp-eme-adobe.visible", false);
  677. // 1851: delay play of videos until they're visible
  678.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1180563
  679. user_pref("media.block-play-until-visible", true);
  680.  
  681. /*** 2000: MEDIA / CAMERA / MIKE ***/
  682. // 2001: disable WebRTC
  683.    // https://www.privacytools.io/#webrtc
  684. user_pref("media.peerconnection.enabled", false);
  685. user_pref("media.peerconnection.use_document_iceservers", false);
  686. user_pref("media.peerconnection.video.enabled", false);
  687. user_pref("media.peerconnection.identity.enabled", false);
  688. user_pref("media.peerconnection.identity.timeout", 1);
  689. user_pref("media.peerconnection.turn.disable", true);
  690. // 2001a: FF42+ pref which improves the WebRTC IP Leak issue, as opposed to completely
  691.    // disabling WebRTC. You still need to enable WebRTC for this to be applicable.
  692.    // https://wiki.mozilla.org/Media/WebRTC/Privacy
  693. user_pref("media.peerconnection.ice.default_address_only", true); // FF41-FF50
  694. user_pref("media.peerconnection.ice.no_host", true); // FF51+
  695. // 2010: disable WebGL, force bare minimum feature set if used & disable WebGL extensions
  696.    // http://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
  697.    // https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern
  698. user_pref("webgl.disabled", true);
  699. user_pref("pdfjs.enableWebGL", false);
  700. user_pref("webgl.min_capability_mode", true);
  701. user_pref("webgl.disable-extensions", true);
  702. user_pref("webgl.disable-fail-if-major-performance-caveat", true);
  703. // 2011: don't make WebGL debug info available to websites
  704.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1171228
  705.    // https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info
  706. user_pref("webgl.enable-debug-renderer-info", false);
  707. // 2021: disable speech recognition
  708. user_pref("media.webspeech.recognition.enable", false);
  709. user_pref("media.webspeech.synth.enabled", false);
  710. // 2022: disable screensharing
  711. user_pref("media.getusermedia.screensharing.enabled", false);
  712. user_pref("media.getusermedia.screensharing.allowed_domains", "");
  713. // 2023: disable camera stuff
  714. user_pref("camera.control.face_detection.enabled", false);
  715.  
  716. /*** 2200: UI MEDDLING
  717.    see http://kb.mozillazine.org/Prevent_websites_from_disabling_new_window_features ***/
  718. // 2201: disable website control over right click context menu
  719.    // WARNING: This will break some sites eg Dropbox, Google Docs?
  720.    // user_pref("dom.event.contextmenu.enabled", false);
  721. // 2202: UI SPOOFING: disable scripts hiding or disabling the following on new windows
  722. user_pref("dom.disable_window_open_feature.location", true);
  723. user_pref("dom.disable_window_open_feature.menubar", true);
  724. user_pref("dom.disable_window_open_feature.resizable", true);
  725. user_pref("dom.disable_window_open_feature.scrollbars", true); // deprecated FF49+
  726. user_pref("dom.disable_window_open_feature.status", true);
  727. user_pref("dom.disable_window_open_feature.toolbar", true);
  728. // 2203: POPUP windows - prevent or allow javascript UI meddling
  729. user_pref("dom.disable_window_flip", true); // window z-order
  730. user_pref("dom.disable_window_move_resize", true);
  731. user_pref("dom.disable_window_open_feature.close", true);
  732. user_pref("dom.disable_window_open_feature.minimizable", true);
  733. user_pref("dom.disable_window_open_feature.personalbar", true); //bookmarks toolbar
  734. user_pref("dom.disable_window_open_feature.titlebar", true);
  735. user_pref("dom.disable_window_status_change", true);
  736. user_pref("dom.allow_scripts_to_close_windows", false);
  737. // 2204: disable links opening in a new window
  738.    // https://trac.torproject.org/projects/tor/ticket/9881
  739.    // test url: https://people.torproject.org/~gk/misc/entire_desktop.html
  740.    // You can still right click a link and select open in a new window
  741.    // This is to stop malicious window sizes and screen res leaks etc in conjunction
  742.    // with 2203 dom.disable_window_move_resize=true | 2418 full-screen-api.enabled=false
  743.    // user_pref("browser.link.open_newwindow.restriction", 0);
  744.  
  745. /*** 2400: DOM & JAVASCRIPT ***/
  746. // 2402: disable website access to clipboard events/content
  747.    // http://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/
  748.    // WARNING: This will break some sites functionality such as pasting into Facebook
  749.    // this applies to onCut, onCopy, onPaste events - i.e is you have to interact with
  750.    // the website for it to look at the clipboard
  751. user_pref("dom.event.clipboardevents.enabled", false);
  752. // 2403: disable clipboard commands (cut/copy) from "non-priviledged" content
  753.    // this disables document.execCommand("cut"/"copy") to protect your clipboard
  754.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1170911
  755. user_pref("dom.allow_cut_copy", false); // (hidden pref)
  756. // 2404: disable JS storing data permanently
  757.    // This setting WAS under about:permissions>All Sites>Maintain Offline Storage
  758.    // NOTE: about:permissions is no longer available since FF46 but you can still override
  759.    // individual domains: use info icon in urlbar etc or right click on a web page>view page info
  760.    // WARNING: If set as false (disabled), this WILL break some [old] add-ons and DOES break
  761.    // a lot of sites' functionality. Applies to websites, add-ons and session data.
  762.    // user_pref("dom.indexedDB.enabled", false);
  763. // 2405: https://wiki.mozilla.org/WebAPI/Security/WebTelephony
  764. user_pref("dom.telephony.enabled", false);
  765. // 2410: disable User Timing API
  766.    // https://trac.torproject.org/projects/tor/ticket/16336
  767. user_pref("dom.enable_user_timing", false);
  768. // 2411: disable resource/navigation timing
  769. user_pref("dom.enable_resource_timing", false);
  770. // 2412: disable timing attacks - javascript performance fingerprinting
  771.    // https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
  772. user_pref("dom.enable_performance", false);
  773. // 2414: disable shaking the screen
  774. user_pref("dom.vibrator.enabled", false);
  775. // 2415: max popups from a single non-click event - default is 20!
  776. user_pref("dom.popup_maximum", 3);
  777. // 2415b: limit events that can cause a popup
  778.    // default is "change click dblclick mouseup notificationclick reset submit touchend"
  779.    // NOTE: to block all events, you need a single space, not a null or zero-length value
  780.    // http://kb.mozillazine.org/Dom.popup_allowed_events
  781. user_pref("dom.popup_allowed_events", "click dblclick");
  782. // 2416: disable idle observation
  783. user_pref("dom.idle-observers-api.enabled", false);
  784. // 2418: disable full-screen API
  785.    // This setting WAS under about:permissions>All Sites>Fullscreen
  786.    // NOTE: about:permissions is no longer available since FF46 but you can still override
  787.    // individual domains: use info icon in urlbar etc or right click on a web page>view page info
  788.    // set to false=block, set to true=ask
  789. user_pref("full-screen-api.enabled", false);
  790. // 2420: disable support for asm.js (http://asmjs.org/)
  791.    // https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
  792.    // https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
  793.    // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712
  794. user_pref("javascript.options.asmjs", false);
  795. // 2421: in addition to 2420 above, these settings will help harden JS against exploits
  796.    // such as CVE-2015-0817. They will reduce the performance of Javascript slightly.
  797.    // https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
  798.    // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
  799.    // WARNING: this *may* be causing issues, but am not convinced yet
  800. user_pref("javascript.options.ion", false);
  801. user_pref("javascript.options.baselinejit", false);
  802. // 2425: disable ArchiveAPI i.e reading content of archives, such as zip files, directly
  803.    // in the browser, through DOM file objects. Default is false.
  804. user_pref("dom.archivereader.enabled", false);
  805. // 2430: disable web/push notifications
  806.    // https://developer.mozilla.org/en-US/docs/Web/API/notification
  807.    // NOTE: you can still override individual domains under site permissions (FF44+)
  808.    // WARNING: may affect social media sites like Twitter
  809. user_pref("dom.webnotifications.enabled", false);
  810. user_pref("dom.webnotifications.serviceworker.enabled", false);
  811. // 2431: disable push notifications (FF44+?)
  812.    // web apps can receive messages pushed to them from a server, whether or
  813.    // not the web app is in the foreground, or even currently loaded
  814.    // https://developer.mozilla.org/en/docs/Web/API/Push_API
  815.    // WARNING: may affect social media sites like Twitter
  816. user_pref("dom.push.enabled", false);
  817. user_pref("dom.push.connection.enabled", false);
  818. user_pref("dom.push.serverURL", "");
  819. user_pref("dom.push.udp.wakeupEnabled", false);
  820. user_pref("dom.push.userAgentID", "");
  821. // 2440: disable workers API and service workers API
  822.    // https://developer.mozilla.org/en-US/docs/Web/API/Worker
  823.    // https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
  824.    // http://www.ghacks.net/2016/03/02/manage-service-workers-in-firefox-and-chrome/
  825.    // WARNING: WILL break sites as this gains traction: eg mega.nz requires workers
  826. user_pref("dom.workers.enabled", false);
  827. user_pref("dom.serviceWorkers.enabled", false);
  828. // 2450: force FF to tell you if a website asks to store data for offline use
  829.    // https://support.mozilla.org/en-US/questions/1098540
  830.    // https://bugzilla.mozilla.org/show_bug.cgi?id=959985
  831. user_pref("offline-apps.allow_by_default", false);
  832.    // Options>Advanced>Network>Tell me when a website asks to store data for offline use
  833. user_pref("browser.offline-apps.notify", true);
  834.    // change size of warning quota for offline cache (default 51200)
  835.    // Offline cache is only used in rare cases to store data locally. FF will store small amounts
  836.    // (default <50MB) of data in the offline (application) cache without asking for permission.
  837.    // user_pref("offline-apps.quota.warn", 51200);
  838.  
  839. /*** 2500: HARDWARE FINGERPRINTING ***/
  840. // 2501: disable gamepad API - USB device ID enumeration
  841.    // https://trac.torproject.org/projects/tor/ticket/13023
  842. user_pref("dom.gamepad.enabled", false);
  843. // 2502: disable battery API. Initially a Linux issue (high precision readout) that is now fixed.
  844.    // However, it is still another metric for fingerprinting, used to raise entropy.
  845.    // eg: do you have a battery or not, current charging status, charge level, times remaining etc
  846.    // http://techcrunch.com/2015/08/04/battery-attributes-can-be-used-to-track-web-users/
  847.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1124127
  848.    // https://www.w3.org/TR/battery-status/
  849.    // https://www.theguardian.com/technology/2016/aug/02/battery-status-indicators-tracking-online
  850. user_pref("dom.battery.enabled", false);
  851. // 2503: disable giving away network info
  852.    // eg bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
  853.    // https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
  854.    // https://wicg.github.io/netinfo/
  855.    // https://bugzilla.mozilla.org/show_bug.cgi?id=960426
  856. user_pref("dom.netinfo.enabled", false);
  857. // 2504: disable virtual reality devices
  858. user_pref("dom.vr.enabled", false);
  859. user_pref("dom.vr.oculus.enabled", false);
  860. user_pref("dom.vr.oculus050.enabled", false);
  861. user_pref("dom.vr.osvr.enabled", false);
  862. // 2505: disable media device enumeration (FF29+)
  863.    // NOTE: media.peerconnection.enabled should also be set to false (see 2001)
  864.    // https://wiki.mozilla.org/Media/getUserMedia
  865.    // https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/enumerateDevices
  866. user_pref("media.navigator.enabled", false);
  867. // 2506: disable video statistics - JS performance fingerprinting
  868.   // https://trac.torproject.org/projects/tor/ticket/15757
  869. user_pref("media.video_stats.enabled", false);
  870. // 2507: disable keyboard fingerprinting (FF38+) (physical keyboards)
  871.    // The Keyboard API allows tracking the "read parameter" of pressed keys in forms on
  872.    // web pages. These parameters vary between types of keyboard layouts such as QWERTY,
  873.    // AZERTY, Dvorak, and between various languages, eg German vs English.
  874.    // WARNING: Don't use if Android + physical keyboard
  875.    // UPDATE: This MAY be incorporated better into the Tor Uplift project (see 2699)
  876.    // https://developer.mozilla.org/en-US/docs/Web/API/KeyboardEvent/code
  877.    // https://www.privacy-handbuch.de/handbuch_21v.htm
  878. user_pref("dom.keyboardevent.code.enabled", false);
  879. user_pref("dom.beforeAfterKeyboardEvent.enabled", false);
  880. user_pref("dom.keyboardevent.dispatch_during_composition", false);
  881. // 2508: disable graphics fingerprinting (the loss of hardware acceleration is negligible)
  882.    // These prefs are under Options>Advanced>General>Use hardware acceleration when available
  883.    // NOTE: changing this option changes BOTH these preferences
  884.    // https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration
  885.    // WARNING: This changes text rendering (fonts will look different)
  886.    // WARNING: If you watch a lot of video, this will impact performance
  887. user_pref("gfx.direct2d.disabled", true);
  888. user_pref("layers.acceleration.disabled", true);
  889. // 2509: disable touch events
  890.    // https://developer.mozilla.org/en-US/docs/Web/API/Touch_events
  891.    // https://trac.torproject.org/projects/tor/ticket/10286
  892.    // fingerprinting attack vector - leaks screen res & actual screen coordinates
  893.    // WARNING: If you use touch eg Win8/10 Metro/Smartphone reset this to default
  894. user_pref("dom.w3c_touch_events.enabled", 0);
  895.  
  896. /*** 2600: MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY ***/
  897. // 2601: disable sending additional analytics to web servers
  898.    // https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
  899. user_pref("beacon.enabled", false);
  900. // 2602: CIS 2.3.2 disable downloading on desktop
  901. user_pref("browser.download.folderList", 2);
  902. // 2603: always ask the user where to download - enforce user interaction for security
  903. user_pref("browser.download.useDownloadDir", false);
  904. // 2604: https://bugzil.la/238789#c19
  905. user_pref("browser.helperApps.deleteTempFileOnExit", true);
  906. // 2605: don't integrate activity into windows recent documents
  907. user_pref("browser.download.manager.addToRecentDocs", false);
  908. // 2606: disable hiding mime types (Options>Applications) not associated with a plugin
  909. user_pref("browser.download.hide_plugins_without_extensions", false);
  910. // 2607: disable page thumbnail collection
  911.    // look in profile/thumbnails directory - you may want to clean that out
  912. user_pref("browser.pagethumbnails.capturing_disabled", true); // (hidden pref)
  913. // 2608: disable JAR from opening Unsafe File Types
  914. user_pref("network.jar.open-unsafe-types", false);
  915. // 2609: disable insecure active content on https pages - mixed content
  916. user_pref("security.mixed_content.block_active_content", true);
  917. // 2610: disable insecure passive content (such as images) on https pages - mixed context
  918.    // current default=false, leave it this way as too many sites break visually
  919.    // user_pref("security.mixed_content.block_display_content", true);
  920. // 2611: disable WebIDE to prevent remote debugging and addon downloads
  921.    // https://trac.torproject.org/projects/tor/ticket/16222
  922. user_pref("devtools.webide.autoinstallADBHelper", false);
  923. user_pref("devtools.webide.autoinstallFxdtAdapters", false);
  924. user_pref("devtools.debugger.remote-enabled", false);
  925. user_pref("devtools.webide.enabled", false);
  926. // 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - eg Roku
  927.    // https://trac.torproject.org/projects/tor/ticket/16222
  928. user_pref("browser.casting.enabled", false);
  929. user_pref("gfx.layerscope.enabled", false);
  930. // 2613: disable device sensor API - fingerprinting vector
  931.    // https://trac.torproject.org/projects/tor/ticket/15758
  932. user_pref("device.sensors.enabled", false);
  933. // 2614: disable SPDY as it can contain identifiers
  934.    // SPDY will be deprecated in 2016
  935.    // https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (no. 10)
  936. user_pref("network.http.spdy.enabled", false);
  937. user_pref("network.http.spdy.enabled.v3-1", false);
  938. user_pref("network.http.spdy.enabled.deps", false);
  939. // 2615: disable http2 for now as well
  940. user_pref("network.http.spdy.enabled.http2", false);
  941. // 2617: disable pdf.js as an option to preview PDFs within Firefox
  942.    // see mime-types under Options>Applications) - EXPLOIT risk
  943.    // Enabling this (set to true) will change your option most likely to "Ask" or "Open with
  944.    // some external pdf reader". This does NOT necessarily prevent pdf.js being used via
  945.    // other means, it only removes the option. I think this should be left at default (false).
  946.    // 1. It won't stop JS bypassing it. 2. Depending on external pdf viewers there is just as
  947.    // much risk or more (acrobat). 3. mozilla are very quick to patch these sorts of exploits,
  948.    // they treat them as severe/critical and 4. for convenience
  949. user_pref("pdfjs.disabled", false);
  950. // 2618: when using SOCKS have the proxy server do the DNS lookup - dns leak issue
  951.    // http://kb.mozillazine.org/Network.proxy.socks_remote_dns
  952.    // https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
  953.    // eg in TOR, this stops your local DNS server from knowing your Tor destination
  954.    // as a remote Tor node will handle the DNS request
  955. user_pref("network.proxy.socks_remote_dns", true);
  956. // 2619: limit HTTP redirects (this does not control redirects with HTML meta tags or JS)
  957.    // WARNING: a low setting of 5 or under will probably break some sites (eg gmail logins)
  958.    // To control HTML Meta tag and JS redirects, use an addon (eg NoRedirect). Default is 20
  959. user_pref("network.http.redirection-limit", 10);
  960. // 2620: disable middle mouse click opening links from clipboard
  961.    // https://trac.torproject.org/projects/tor/ticket/10089
  962.    // http://kb.mozillazine.org/Middlemouse.contentLoadURL
  963. user_pref("middlemouse.contentLoadURL", false);
  964. // 2621: disable IPv6 (included for knowledge ONLY - not recommended)
  965.    // This is all about covert channels such as MAC addresses being included/abused in the
  966.    // IPv6 protocol for tracking. If you want to mask your IP address, this is not the way
  967.    // to do it. It's 2016, IPv6 is here. Here are some old links
  968.    // 2010: https://www.christopher-parsons.com/ipv6-and-the-future-of-privacy/
  969.    // 2011: https://iapp.org/news/a/2011-09-09-facing-the-privacy-implications-of-ipv6
  970.    // 2012: http://www.zdnet.com/article/security-versus-privacy-with-ipv6-deployment/
  971.    // NOTE: It is a myth that disabling IPv6 will speed up your internet connection
  972.    // http://www.howtogeek.com/195062/no-disabling-ipv6-probably-wont-speed-up-your-internet-connection
  973.    // user_pref("network.dns.disableIPv6", true);
  974.    // user_pref("network.http.fast-fallback-to-IPv4", true);
  975. // 2622: ensure you have a security delay when installing add-ons (milliseconds)
  976.    // default=1000, This also covers the delay in "Save" on downloading files.
  977.    // http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
  978.    // http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
  979. user_pref("security.dialog_enable_delay", 1000);
  980. // 2623: ensure Strict File Origin Policy on local files
  981.    // The default is true. Included for completeness
  982.    // http://kb.mozillazine.org/Security.fileuri.strict_origin_policy
  983. user_pref("security.fileuri.strict_origin_policy", true);
  984. // 2624: enforce Subresource Integrity (SRI) - FF43+
  985.    // The default is true. Included for completeness
  986.    // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
  987.    // https://wiki.mozilla.org/Security/Subresource_Integrity
  988. user_pref("security.sri.enable", true);
  989. // 2625: Applications [non Tor protocol] SHOULD generate an error
  990.    // upon the use of .onion and SHOULD NOT perform a DNS lookup.
  991.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
  992. user_pref("network.dns.blockDotOnion", true);
  993. // 2626: strip optional user agent token, default is false, included for completeness
  994.    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Gecko_user_agent_string_reference
  995. user_pref("general.useragent.compatMode.firefox", false);
  996. // 2627: don't reveal buildID
  997.    // navigator.buildID (see gecko.buildID in about:config) reveals build time
  998.    // down to the second which defeats user agent spoofing and can compromise OS etc
  999.    // https://bugzilla.mozilla.org/show_bug.cgi?id=583181
  1000.    // test: http://browserspy.dk/showprop.php (see buildID)
  1001. user_pref("general.buildID.override", "20100101"); // (hidden pref)
  1002. // 2628: disable UITour backend so there is no chance that a remote page can use it
  1003. user_pref("browser.uitour.enabled", false);
  1004. user_pref("browser.uitour.url", "");
  1005. // 2629: disable remote JAR files being opened, regardless of content type
  1006.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1215235
  1007. user_pref("network.jar.block-remote-files", true);
  1008. // 2650: start the browser in e10s mode (48+)
  1009.    // After restarting the browser, you can check whether it's enabled by visiting
  1010.    // about:support and checking that "Multiprocess Windows" = 1
  1011.    // use force-enable and extensions.e10sblocksenabling if you have add-ons
  1012.    // user_pref("browser.tabs.remote.autostart", true);
  1013.    // user_pref("browser.tabs.remote.autostart.2", true); // added in FF49
  1014.    // user_pref("browser.tabs.remote.force-enable", true); // (hidden pref)
  1015.    // user_pref("extensions.e10sBlocksEnabling", false);
  1016. // 2651: control e10s number of container processes
  1017.    // http://www.ghacks.net/2016/02/15/change-how-many-processes-multi-process-firefox-uses/
  1018.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1207306
  1019.    // user_pref("dom.ipc.processCount", 4);
  1020. // 2661: enable first party isolation pref and OriginAttribute (FF50?+)
  1021.    // WARNING: this may break lots of stuff - reports it breaks gmail, google calendar etc
  1022.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1260931
  1023. user_pref("privacy.firstparty.isolate", true);
  1024. // 2662: disable "open with" in download dialog (FF49?+)
  1025.    // This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
  1026.    // in such a way that it is forbidden to run external applications.
  1027.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1281959
  1028.    // user_pref("browser.download.forbid_open_with", true);
  1029. // 2663: disable MathML (FF50?+)
  1030.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1173199
  1031.    // test: http://browserspy.dk/mathml.php
  1032. user_pref("mathml.disabled", true);
  1033.  
  1034. /*** 2699: TOR UPLIFT: privacy.resistFingerprinting
  1035.    This preference is getting a LOT of items attached to it ***/
  1036. // 2699a: limit window.screen & CSS media queries providing large amounts of identifiable info.
  1037.    // POC: http://ip-check.info/?lang=en (screen, usable screen, and browser window will match)
  1038.    // https://bugzilla.mozilla.org/show_bug.cgi?id=418986
  1039.    // NOTE: does not cover everything yet - https://bugzilla.mozilla.org/show_bug.cgi?id=1216800
  1040.    // NOTE: this will probably make your values pretty unique until you resize or snap the
  1041.    // inner window width + height into standard/common resolutions (mine is at 1366x768)
  1042.    // To set a size, open a XUL (chrome) page (such as about:config) which is at 100% zoom, hit
  1043.    // Shift+F4 to open the scratchpad, type window.resizeTo(1366,768), hit Ctrl+R to run. Test
  1044.    // your window size, do some math, resize to allow for all the non inner window elements
  1045.    // Test: http://browserspy.dk/screen.php
  1046.    // Common resolutions: http://www.rapidtables.com/web/dev/screen-resolution-statistics.htm
  1047. // 2699b: spoof screen orientation
  1048.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1281949
  1049. // 2699c: hide the contents of navigator.plugins and navigator.mimeTypes (FF50?+)
  1050.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1281963
  1051. user_pref("privacy.resistFingerprinting", true); // (hidden pref)
  1052.  
  1053. /*** 2700: COOKIES & DOM STORAGE ***/
  1054. // 2701: disable cookies on all sites
  1055.    // you can set exceptions under site permissions or use an extension (eg Cookie Controller)
  1056.    // 0=allow all 1=allow same host 2=disallow all 3=allow 3rd party if it already set a cookie
  1057. user_pref("network.cookie.cookieBehavior", 2);
  1058. // 2702: ensure that third-party cookies (if enabled, see above pref) are session-only
  1059.    // https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
  1060.    // http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly
  1061. user_pref("network.cookie.thirdparty.sessionOnly", true);
  1062. // 2703: set cookie lifetime policy
  1063.    // 0=until they expire (default), 2=until you close firefox, 3=for n days (see next pref)
  1064.    // If you use custom settings for History in Options, this is the setting under
  1065.    // Privacy>Accept cookies from sites>Keep until <they expire/I close firefox>
  1066.    // user_pref("network.cookie.lifetimePolicy", 0);
  1067. // 2704: set cookie lifetime in days (see above pref) - default is 90 days
  1068.    // user_pref("network.cookie.lifetime.days", 90);
  1069. // 2705: disable dom storage
  1070.    // WARNING: this will break a LOT of sites' functionality.
  1071.    // You are better off using an extension for more granular control
  1072.    // user_pref("dom.storage.enabled", false);
  1073.  
  1074. /*** 2800: SHUTDOWN ***/
  1075. // 2802: enable FF to clear stuff on close
  1076.    // This setting is under Options>Privacy>Clear history when firefox closes
  1077. user_pref("privacy.sanitize.sanitizeOnShutdown", true);
  1078. // 2803: what to clear on shutdown
  1079.    // These settings are under Options>Privacy>Clear history when firefox closes>Settings
  1080.    // These are the settings of the author of this user.js, chose your own
  1081. user_pref("privacy.clearOnShutdown.cache", true);
  1082. user_pref("privacy.clearOnShutdown.cookies", false);
  1083. user_pref("privacy.clearOnShutdown.downloads", true);
  1084. user_pref("privacy.clearOnShutdown.formdata", true);
  1085. user_pref("privacy.clearOnShutdown.history", true);
  1086. user_pref("privacy.clearOnShutdown.offlineApps", true);
  1087. user_pref("privacy.clearOnShutdown.sessions", false); // active logins
  1088. user_pref("privacy.clearOnShutdown.siteSettings", false);
  1089. // 2804: (to match above) - auto selection of items to delete with Ctrl-Shift-Del
  1090. user_pref("privacy.cpd.cache", true);
  1091. user_pref("privacy.cpd.cookies", false);
  1092. user_pref("privacy.cpd.downloads", true);
  1093. user_pref("privacy.cpd.formdata", true);
  1094. user_pref("privacy.cpd.history", true);
  1095. user_pref("privacy.cpd.offlineApps", true);
  1096. user_pref("privacy.cpd.passwords", false);
  1097. user_pref("privacy.cpd.sessions", false);
  1098. user_pref("privacy.cpd.siteSettings", false);
  1099. // 2805: reset default 'Time range to clear' for 'clear recent history' (see 2804 above)
  1100.    // 0=everything 1=last hour, 2=last 2 hours, 3=last 4 hours, 4=today
  1101. user_pref("privacy.sanitize.timeSpan", 0);
  1102.  
  1103. /*** 3000: PERSONAL SETTINGS
  1104.      Settings that are handy to migrate and/or are not in the Options interface. Users
  1105.      can put their own non-security/privacy/fingerprinting/tracking stuff here ***/
  1106. // 3001: disable annoying warnings
  1107. user_pref("general.warnOnAboutConfig", false);
  1108. user_pref("browser.tabs.warnOnClose", false);
  1109. user_pref("browser.tabs.warnOnCloseOtherTabs", false);
  1110. user_pref("browser.tabs.warnOnOpen", false);
  1111. // 3001a: disable warning when a domain requests full screen
  1112.    // https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Using_full_screen_mode
  1113.    // user_pref("full-screen-api.warning.delay", 0);
  1114.    // user_pref("full-screen-api.warning.timeout", 0);
  1115. // 3002: disable closing browser with last tab
  1116. user_pref("browser.tabs.closeWindowWithLastTab", false);
  1117. // 3004: disable backspace (0 = previous page, 1 = scroll up, 2 = do nothing)
  1118. user_pref("browser.backspace_action", 2);
  1119. // 3005: disable autocopy default (use extensions autocopy 2 & copy plain text 2)
  1120. user_pref("clipboard.autocopy", false);
  1121. // 3007: open new windows in a new tab instead
  1122.    // This setting is under Options>General>Tabs
  1123.    // 1=current window, 2=new window, 3=most recent window
  1124. user_pref("browser.link.open_newwindow", 3);
  1125. // 3008: disable "Do you really want to leave this site?" popups
  1126.    // https://support.mozilla.org/en-US/questions/1043508
  1127. user_pref("dom.disable_beforeunload", true);
  1128. // 3009: turn on APZ (Async Pan/Zoom) - requires e10s
  1129.    // http://www.ghacks.net/2015/07/28/scrolling-in-firefox-to-get-a-lot-better-thanks-to-apz/
  1130.    // user_pref("layers.async-pan-zoom.enabled", true);
  1131. // 3010: enable ctrl-tab previews
  1132. user_pref("browser.ctrlTab.previews", true);
  1133. // 3011: don't open "page/selection source" in a tab. The window used instead is cleaner
  1134.    // and easier to use and move around (eg developers/multi-screen).
  1135. user_pref("view_source.tab", false);
  1136. // 3012: spellchecking: 0=none, 1-multi-line controls, 2=multi-line & single-line controls
  1137. user_pref("layout.spellcheckDefault", 1);
  1138. // 3013: disable automatic "Work Offline" status
  1139.    // https://bugzilla.mozilla.org/show_bug.cgi?id=620472
  1140.    // https://developer.mozilla.org/en-US/docs/Online_and_offline_events
  1141. user_pref("network.manage-offline-status", false);
  1142. // 3014: enable webm
  1143. user_pref("media.mediasource.webm.enabled", true);
  1144. // 3015: disable tab animation, speed things up a little
  1145. user_pref("browser.tabs.animate", false);
  1146. // 3016: disable fullscreeen animation. Test using F11.
  1147.    // Animation is smother but is annoyingly slow, while no animation can be startling
  1148. user_pref("browser.fullscreen.animate", false);
  1149. // 3017: submenu in milliseconds. 0=instant while a small number allows
  1150.    // a mouse pass over menu items without any submenus alarmingly shooting out
  1151. user_pref("ui.submenuDelay", 75); // (hidden pref)
  1152. // 3018: maximum number of daily bookmark backups to keep (default is 15)
  1153. user_pref("browser.bookmarks.max_backups", 2);
  1154. // 3020: FYI: urlbar click behaviour (with defaults)
  1155. user_pref("browser.urlbar.clickSelectsAll", true);
  1156. user_pref("browser.urlbar.doubleClickSelectsAll", false);
  1157. // 3021: FYI: tab behaviours (with defaults)
  1158.    // open links in a new tab immediately to the right of parent tab, not far right
  1159. user_pref("browser.tabs.insertRelatedAfterCurrent", true);
  1160.    // switch to the parent tab (if it has one) on close, rather than to the adjacent right tab if
  1161.    // it exists or to the adjacent left tab if it doesn't. NOTE: requires browser.link.open_newwindow
  1162.    // set to 3 (see pref 3007). NOTE: does not apply to middle-click or Ctrl-clicking links.
  1163. user_pref("browser.tabs.selectOwnerOnClose", true);
  1164.    // Options>General>When I open a link in a new tab, switch to it immediately
  1165.    // default is unchecked = DON'T switch to ti = true
  1166. user_pref("browser.tabs.loadInBackground", true);
  1167.    // set behavior of pages normally meant to open in a new window (such as target="_blank"
  1168.    // or from an external program), but that have instead been loaded in a new tab.
  1169.    // true: load the new tab in the background, leaving focus on the current tab
  1170.    // false: load the new tab in the foreground, taking the focus from the current tab.
  1171. user_pref("browser.tabs.loadDivertedInBackground", false);
  1172. // 3022: hide recently bookmarked items (you still have the original bookmarks where you filed them)
  1173. user_pref("browser.bookmarks.showRecentlyBookmarked", false);
  1174. // 3023: disable automigrate (FF49+, current default is false but may change)
  1175.    // need more info, but lock down for now
  1176. user_pref("browser.migrate.automigrate.enabled", false);
  1177.  
  1178. /*** 9997: PALEMOON SPECIFIC ( https://www.palemoon.org/ )
  1179.      Full list maintained by Moonchild: https://forum.palemoon.org/viewtopic.php?f=24&t=3357
  1180.      If you have issues or questions about any of these, please use the palemoon forums
  1181.      NOTE: This section is no longer maintained [after version 10] ***/
  1182. // 3201: (v25.6+) disable canvas fingerprinting
  1183.    // user_pref("canvas.poisondata", true);
  1184. // 3202: (v25.2+) control HSTS
  1185.    // If editing this in about:config PM needs to be fully closed and then restarted
  1186.    // NOTE: This is a trade-off between privacy vs security. HSTS was designed to increase
  1187.    // security to stop MiTM attacks but can also be misused as a fingerprinting vector, by
  1188.    // scrapping previously visited sites. Recommended: security over privacy. Your choice.
  1189.    // user_pref("network.stricttransportsecurity.enabled", true);
  1190. // 3203: (v25.0+) controls whether to ignore an expired state of stapled OCSP responses
  1191.    // If set to true, breaks with RFC6066 (like Firefox) and ignores the fact that stapled
  1192.    // OCSP responses may be expired. If false (the default) aborts the connection.
  1193.    // user_pref("security.ssl.allow_unsafe_ocsp_response", false);
  1194. // 3204: (v25.6+) Controls whether to completely ignore "autocomplete=off" on login fields
  1195.    // user_pref("signon.ignoreAutocomplete", false);
  1196. // 3205: (v26.0+) read Moonchild's description on the palemoon forum thread linked above
  1197.    // user_pref("dom.disable_beforeunload", true);
  1198.  
  1199. /*** 9998: DEPRECATED
  1200.      Personally confirmed by resetting as well as via documentation and DXR searches.
  1201.      NOTE: numbers may get re-used ***/
  1202. // 2607: (23+) disable page thumbnails, it was around v23, not 100% sure when
  1203.    // this pref was replaced with browser.pagethumbnails.capturing_disabled
  1204.    // user_pref("pageThumbs.enabled", false);
  1205. // 2408: (31+) disable network API - fingerprinting vector
  1206.    // user_pref("dom.network.enabled", false);
  1207. // 2620: (35+) disable WebSockets
  1208.    // https://developer.mozilla.org/en-US/Firefox/Releases/35
  1209.    // user_pref("network.websocket.enabled", false);
  1210. // 2023: (37+) disable camera autofocus callback (was in 36, not in 37)
  1211.    // Not part of any specification, the API will be superceded by the WebRTC Capture
  1212.    // and Stream API ( http://w3c.github.io/mediacapture-main/getusermedia.html )
  1213.    // https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/API/CameraControl/
  1214.    // user_pref("camera.control.autofocus_moving_callback.enabled", false);
  1215. // 1804: (41+) disable plugin enumeration
  1216.    // user_pref("plugins.enumerable_names", "");
  1217. // 0420: (42+) disable tracking protection
  1218.    // this particular pref was never in stable
  1219.    // labelled v42+ because that's when tracking protection landed
  1220.    // user_pref("browser.polaris.enabled", false);
  1221. // 2803: (42+) what to clear on shutdown
  1222.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1102184#c23
  1223.    // user_pref("privacy.clearOnShutdown.passwords", false);
  1224. // 0411: (43+) disable safebrowsing urls & download
  1225.    // user_pref("browser.safebrowsing.gethashURL", "");
  1226.    // user_pref("browser.safebrowsing.malware.reportURL", "");
  1227.    // user_pref("browser.safebrowsing.provider.google.appRepURL", "");
  1228.    // user_pref("browser.safebrowsing.reportErrorURL", "");
  1229.    // user_pref("browser.safebrowsing.reportGenericURL", "");
  1230.    // user_pref("browser.safebrowsing.reportMalwareErrorURL", "");
  1231.    // user_pref("browser.safebrowsing.reportMalwareURL", "");
  1232.    // user_pref("browser.safebrowsing.reportURL", "");
  1233.    // user_pref("browser.safebrowsing.updateURL", "");
  1234. // 0420: (43+) disable tracking protection. FF43+ URLs are now part of safebrowsing
  1235.    // https://wiki.mozilla.org/Security/Tracking_protection (look under Prefs)
  1236.    // NOTE: getupdateURL = WRONG / never existed. updateURL = CORRECT and has been added FYI
  1237.    // user_pref("browser.trackingprotection.gethashURL", "");
  1238.    // user_pref("browser.trackingprotection.getupdateURL", "");
  1239.    // user_pref("browser.trackingprotection.updateURL", "");
  1240. // 1803: (43+) remove plugin finder service
  1241.    // http://kb.mozillazine.org/Pfs.datasource.url
  1242.    // mozilla are dropping NPAPI anyway [except flash/java/silverlight, i think that's all]
  1243.    // user_pref("pfs.datasource.url", "");
  1244. // 2403: (43+) disable scripts changing images - test link below
  1245.    // http://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_img_src2
  1246.    // WARNING: will break some sites such as google maps and a lot of web apps
  1247.    // user_pref("dom.disable_image_src_set", true);
  1248. // 2615: (43+) disable http2 for now as well
  1249.    // user_pref("network.http.spdy.enabled.http2draft", false);
  1250. // 3001a: (43+) disable warning when a domain requests full screen
  1251.    // replaced by setting full-screen-api.warning.timeout to zero
  1252.    // user_pref("full-screen-api.approval-required", false);
  1253. // 3003: (43+) disable new search panel UI [Classic Theme Restorer can restore the old search]
  1254.    // user_pref("browser.search.showOneOffButtons", false);
  1255. // 1201: (44+) block rc4 whitelist
  1256.    // https://developer.mozilla.org/en-US/Firefox/Releases/44#Security
  1257.    // user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);
  1258. // 2417: (44+) disable SharedWorkers, which allow the exchange of data between iFrames that
  1259.    // are open in different tabs, even if the sites do not belong to the same domain.
  1260.    // https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (no. 8)
  1261.    // https://bugs.torproject.org/15562 - SharedWorker violates first party isolation
  1262.    // is used in FF 45and 46 code once, to set it for a test
  1263.    // user_pref("dom.workers.sharedWorkers.enabled", false);
  1264. // 1005: (45+) disable deferred level of storing extra session data 0=all 1=http-only 2=none
  1265.    // user_pref("browser.sessionstore.privacy_level_deferred", 2);
  1266. // 0373: (46+) disable "Pocket"
  1267.    // FF46 replaced these with extensions.pocket.*
  1268.    // user_pref("browser.pocket.enabled", false);
  1269.    // user_pref("browser.pocket.api", "");
  1270.    // user_pref("browser.pocket.site", "");
  1271.    // user_pref("browser.pocket.oAuthConsumerKey", "");
  1272. // 0806: (48+) disable 'unified complete': 'Search with [default search engine]'
  1273.    // this feature has been added back in Classic Theme Restorer
  1274.    // http://techdows.com/2016/05/firefox-unified-complete-aboutconfig-preference-removed.html
  1275.    // user_pref("browser.urlbar.unifiedcomplete", false);
  1276. // 3006: (48+) disable enforced addon signing
  1277.    // NOTE: the preference is still in FF48, but it's legacy code and does not work
  1278.    // user_pref("xpinstall.signatures.required", false);
  1279. // 0372: (49+) disable "Hello" (TokBox/Telefonica WebRTC voice & video call PUP) WebRTC (IP leak)
  1280.    // https://www.mozilla.org/en-US/privacy/firefox-hello/
  1281.    // https://security.stackexchange.com/questions/94284/how-secure-is-firefox-hello
  1282.    // https://support.mozilla.org/en-US/kb/hello-status
  1283.    // user_pref("loop.enabled", false);
  1284.    // user_pref("loop.server", "");
  1285.    // user_pref("loop.feedback.formURL", "");
  1286.    // user_pref("loop.feedback.manualFormURL", "");
  1287.    // additional facebook loop settings
  1288.    // user_pref("loop.facebook.appId", "");
  1289.    // user_pref("loop.facebook.enabled", false);
  1290.    // user_pref("loop.facebook.fallbackUrl", "");
  1291.    // user_pref("loop.facebook.shareUrl", "");
  1292.    // https://groups.google.com/d/topic/mozilla.dev.platform/nyVkCx-_sFw/discussion
  1293.    // user_pref("loop.logDomains", false);
  1294.  
  1295. // END: internal custom pref to test for syntax errors
  1296. user_pref("ghacks_user.js.parrot", "No no he's not dead, he's, he's restin'! Remarkable bird, the Norwegian Blue");
  1297.  
  1298. /*** 9998: TO INVESTIGATE - TOR UPLIFT
  1299.    https://wiki.mozilla.org/Security/Tor_Uplift/Tracking ***/
  1300. // 1200s [Backlog]: compartmentalizing the HSTS cache via containers
  1301.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1253006
  1302. // 1400's [Resolved]: set whitelisted system fonts only (FF50?+)
  1303.    // If whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.
  1304.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1121643
  1305.    // user_pref("font.system.whitelist", "");
  1306. // 1400's [Backlog]: prevent local font enumeration
  1307.    // https://bugzilla.mozilla.org/show_bug.cgi?id=732096
  1308. // 1800's [Active]: disable "This Plugin is Disabled" overlay
  1309.    // https://bugzilla.mozilla.org/show_bug.cgi?id=967979
  1310.    // user_pref("privacy.plugin_disabled_barrier.enabled", true);
  1311. // 2400's [Active]: reduce precision of time exposed by javascript
  1312.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1217238
  1313.    // user_pref("javascript.options.privacy.reduce_time_precision", true);
  1314. // 2500's [Backlog]: disable/mitigate canvas fingerprinting
  1315.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1041818
  1316. // 2500's [Backlog]: enable prompt (site permission) before allowing canvas data
  1317.    // https://bugzilla.mozilla.org/show_bug.cgi?id=967895
  1318. // 2600's [Assigned]: disable SVG
  1319.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
  1320.    // user_pref("svg.disabled", true);
  1321. // 2600's [Backlog]: window.name
  1322.    // https://bugzilla.mozilla.org/show_bug.cgi?id=444222
  1323. // 2699-append [Active]: resource://URIs leak - now part of tor uplift project
  1324.    // https://trac.torproject.org/projects/tor/ticket/8725
  1325.    // https://bugzilla.mozilla.org/show_bug.cgi?id=863246
  1326.    // test: https://www.browserleaks.com/firefox
  1327. // 2699-append [Assigned]: enable fingerprinting resistence to WebGL
  1328.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1217290
  1329. // 2699-append [Backlog]: disable keyboard fingerprinting
  1330.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1222285
  1331.  
  1332. /*** 9999: TO INVESTIGATE - OTHER ***/
  1333. // keep an eye on extensions.systemAddon* prefs
  1334. // FF49 new
  1335.    // browser.safebrowsing.forbiddenURIs
  1336.    // https://bugzilla.mozilla.org/show_bug.cgi?id=1269773
  1337.    // also check these
  1338.    // browser.safebrowsing.downloads.remote.block_dangerous
  1339.    // browser.safebrowsing.downloads.remote.block_dangerous_host
  1340. // ex-kinto now all services.blocklist*
  1341. // disable server side events
  1342.    // https://developer.mozilla.org/en-US/docs/Server-sent_events
  1343.    // SSE (server-sent events) is part of HTML5 (EventSource API) and data
  1344.    // pushed by the server is initiated by the client.
  1345.    // user_pref("dom.server-events.enabled", false);
  1346. // user_pref("media.webaudio.enabled", false);
  1347. // user_pref("media.gmp-manager.buildID", "20000101000000");
  1348.  
  1349. /**- APPENDIX A: TEST SITES
  1350.    Here is an exhaustive list of various websites in which to test your browser. You should enable
  1351.    JS on these sites for the tests to present a worse-case scenario. In reality, you should control
  1352.    JS and XSS (cross site scripting) on sites with add-ons such as NoScript, uMatrix, uBlock Origin,
  1353.    among others, to reduce the possibility of fingerprinting attacks.
  1354.    url: http://www.ghacks.net/2015/12/28/the-ultimate-online-privacy-test-resource-list/
  1355.  
  1356. //* 01: Fingerprinting
  1357.    Panopticlick      https://panopticlick.eff.org/
  1358.    JoDonym           http://ip-check.info/?lang=en
  1359.    Am I Unique?      https://amiunique.org/
  1360.    Browserprint      https://browserprint.info/test
  1361. //* 02: Multiple Tests [single page]
  1362.    Whoer             https://whoer.net/
  1363.    5who              http://5who.net/?type=extend
  1364.    IP/DNS Leak       https://ipleak.net/
  1365.    IP Duh            http://ipduh.com/anonymity-check/
  1366. //* 03: Multiple Tests [multi-page]
  1367.    BrowserSpy.dk     http://browserspy.dk/
  1368.    BrowserLeaks      https://www.browserleaks.com/
  1369.    HTML Security     https://html5sec.org/
  1370.    PC Flank          http://www.pcflank.com/index.htm
  1371. //* 04: Encryption / Ciphers / SSL/TLS
  1372.    BadSSL            https://badssl.com/
  1373.    DCSec             https://cc.dcsec.uni-hannover.de/
  1374.    Qualys SSL Labs   https://www.ssllabs.com/ssltest/viewMyClient.html
  1375.    Fortify           https://www.fortify.net/sslcheck.html
  1376.    How's My SSL      https://www.howsmyssl.com/
  1377.    RC4               https://rc4.io/
  1378.    Heartbleed        https://filippo.io/Heartbleed/
  1379.    Freak Attack      https://freakattack.com/clienttest.html
  1380.    Logjam            https://weakdh.org/
  1381. //* 05: Other
  1382.    AudioContext      https://audiofingerprint.openwpm.com/
  1383.    Battery           https://pstadler.sh/battery.js/
  1384.    DNS Leak          https://www.dnsleaktest.com/
  1385.    DNS Spoofability  https://www.grc.com/dns/dns.htm
  1386.    Evercookie        http://samy.pl/evercookie/
  1387.    Firefox Addons    http://thehackerblog.com/addon_scanner/
  1388.    localStorage      http://www.filldisk.com/
  1389.    HSTS Supercookie  http://www.radicalresearch.co.uk/lab/hstssupercookies
  1390.    HSTS [sniffly]    https://zyan.scripts.mit.edu/sniffly/
  1391.    Popup Killer      http://www.kephyr.com/popupkillertest/index.html
  1392.    Popup Test        http://www.popuptest.com/
  1393.    Redirects         https://jigsaw.w3.org/HTTP/300/Overview.html
  1394.    resource://URI    https://www.browserleaks.com/firefox
  1395.    Referer Headers   https://www.darklaunch.com/tools/test-referer
  1396.    Resouce://URI     https://www.browserleaks.com/firefox
  1397.    WebRTC IP Leak    https://www.privacytools.io/webrtc.html
  1398. ***/
  1399.  
  1400. /**- APPENDIX B: FIREFOX ADDONS
  1401.    Maybe next time :)
  1402. ***/
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand