· 6 years ago · Apr 14, 2020, 04:56 PM
1user_pref("general.smoothScroll.mouseWheel.durationMaxMS", 150);
2user_pref("general.smoothScroll.mouseWheel.durationMinMS", 125);
3user_pref("apz.frame_delay.enabled", false); // Better scrolling
4user_pref("browser.messaging-system.whatsNewPanel.enabled", false);
5user_pref("full-screen-api.warning.delay", -1);
6user_pref("full-screen-api.warning.timeout", -1);
7user_pref("full-screen-api.transition-duration.enter", 100 100);
8user_pref("full-screen-api.transition-duration.leave", 100 100);
9user_pref("extensions.pocket.enabled", false);
10user_pref("browser.cache.disk.enable", false);
11user_pref("browser.cache.memory.enable", true);
12user_pref("browser.cache.offline.enable", false);
13user_pref("browser.urlbar.update1", false);
14user_pref("network.security.esni.enabled", true);
15user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true);
16user_pref("browser.tabs.allowTabDetach", false);
17user_pref("gfx.color_management.enablev4", true);
18user_pref("gfx.color_management.mode", 1);
19user_pref("general.smoothScroll", false);
20user_pref("identity.fxaccounts.enabled", false);
21user_pref("network.predictor.enable-prefetch", true);
22user_pref("browser.uidensity", 1);
23user_pref("browser.shell.checkDefaultBrowser", false);
24user_pref("browser.aboutConfig.showWarning", false);
25//
26/******************************************************************************
27 * user.js *
28 * https://github.com/pyllyukko/user.js *
29 ******************************************************************************/
30
31/******************************************************************************
32 * SECTION: HTML5 / APIs / DOM *
33 ******************************************************************************/
34
35// PREF: Disable Service Workers
36// https://developer.mozilla.org/en-US/docs/Web/API/Worker
37// https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
38// https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
39// NOTICE: Disabling ServiceWorkers breaks functionality on some sites (Google Street View...)
40// Unknown security implications
41// CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)
42user_pref("dom.serviceWorkers.enabled", false);
43
44// PREF: Disable web notifications
45// https://support.mozilla.org/en-US/questions/1140439
46user_pref("dom.webnotifications.enabled", false);
47
48// PREF: Disable DOM timing API
49// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
50// https://www.w3.org/TR/navigation-timing/#privacy
51user_pref("dom.enable_performance", false);
52
53// PREF: Make sure the User Timing API does not provide a new high resolution timestamp
54// https://trac.torproject.org/projects/tor/ticket/16336
55// https://www.w3.org/TR/2013/REC-user-timing-20131212/#privacy-security
56user_pref("dom.enable_user_timing", false);
57
58// PREF: Disable Web Audio API
59// https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
60user_pref("dom.webaudio.enabled", false);
61
62// PREF: Disable Location-Aware Browsing (geolocation)
63// https://www.mozilla.org/en-US/firefox/geolocation/
64user_pref("geo.enabled", false);
65
66// PREF: When geolocation is enabled, use Mozilla geolocation service instead of Google
67// https://bugzilla.mozilla.org/show_bug.cgi?id=689252
68user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
69
70// PREF: When geolocation is enabled, don't log geolocation requests to the console
71user_pref("geo.wifi.logging.enabled", false);
72
73// PREF: Disable raw TCP socket support (mozTCPSocket)
74// https://trac.torproject.org/projects/tor/ticket/18863
75// https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/
76// https://developer.mozilla.org/docs/Mozilla/B2G_OS/API/TCPSocket
77user_pref("dom.mozTCPSocket.enabled", false);
78
79// PREF: Disable DOM storage (disabled)
80// http://kb.mozillazine.org/Dom.storage.enabled
81// https://html.spec.whatwg.org/multipage/webstorage.html
82// NOTICE-DISABLED: Disabling DOM storage is known to cause`TypeError: localStorage is null` errors
83//user_pref("dom.storage.enabled", false);
84
85// PREF: Disable leaking network/browser connection information via Javascript
86// Network Information API provides general information about the system's connection type (WiFi, cellular, etc.)
87// https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
88// https://wicg.github.io/netinfo/#privacy-considerations
89// https://bugzilla.mozilla.org/show_bug.cgi?id=960426
90user_pref("dom.netinfo.enabled", false);
91
92// PREF: Disable network API (Firefox < 32)
93// https://developer.mozilla.org/en-US/docs/Web/API/Connection/onchange
94// https://www.torproject.org/projects/torbrowser/design/#fingerprinting-defenses
95user_pref("dom.network.enabled", false);
96
97// PREF: Disable WebRTC entirely to prevent leaking internal IP addresses (Firefox < 42)
98// NOTICE: Disabling WebRTC breaks peer-to-peer file sharing tools (reep.io ...)
99user_pref("media.peerconnection.enabled", false);
100
101// PREF: Don't reveal your internal IP when WebRTC is enabled (Firefox >= 42)
102// https://wiki.mozilla.org/Media/WebRTC/Privacy
103// https://github.com/beefproject/beef/wiki/Module%3A-Get-Internal-IP-WebRTC
104user_pref("media.peerconnection.ice.default_address_only", true); // Firefox 42-51
105user_pref("media.peerconnection.ice.no_host", true); // Firefox >= 52
106
107// PREF: Disable WebRTC getUserMedia, screen sharing, audio capture, video capture
108// https://wiki.mozilla.org/Media/getUserMedia
109// https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/
110// https://developer.mozilla.org/en-US/docs/Web/API/Navigator
111user_pref("media.navigator.enabled", false);
112user_pref("media.navigator.video.enabled", false);
113user_pref("media.getusermedia.screensharing.enabled", false);
114user_pref("media.getusermedia.audiocapture.enabled", false);
115
116// PREF: Disable battery API (Firefox < 52)
117// https://developer.mozilla.org/en-US/docs/Web/API/BatteryManager
118// https://bugzilla.mozilla.org/show_bug.cgi?id=1313580
119user_pref("dom.battery.enabled", false);
120
121// PREF: Disable telephony API
122// https://wiki.mozilla.org/WebAPI/Security/WebTelephony
123user_pref("dom.telephony.enabled", false);
124
125// PREF: Disable "beacon" asynchronous HTTP transfers (used for analytics)
126// https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
127user_pref("beacon.enabled", false);
128
129// PREF: Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
130// NOTICE: Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...)
131// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
132user_pref("dom.event.clipboardevents.enabled", false);
133
134// PREF: Disable "copy to clipboard" functionality via Javascript (Firefox >= 41)
135// NOTICE: Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality
136// https://hg.mozilla.org/mozilla-central/rev/2f9f8ea4b9c3
137user_pref("dom.allow_cut_copy", false);
138
139// PREF: Disable speech recognition
140// https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html
141// https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
142// https://wiki.mozilla.org/HTML5_Speech_API
143user_pref("media.webspeech.recognition.enable", false);
144
145// PREF: Disable speech synthesis
146// https://developer.mozilla.org/en-US/docs/Web/API/SpeechSynthesis
147user_pref("media.webspeech.synth.enabled", false);
148
149// PREF: Disable sensor API
150// https://wiki.mozilla.org/Sensor_API
151user_pref("device.sensors.enabled", false);
152
153// PREF: Disable pinging URIs specified in HTML <a> ping= attributes
154// http://kb.mozillazine.org/Browser.send_pings
155user_pref("browser.send_pings", false);
156
157// PREF: When browser pings are enabled, only allow pinging the same host as the origin page
158// http://kb.mozillazine.org/Browser.send_pings.require_same_host
159user_pref("browser.send_pings.require_same_host", true);
160
161// PREF: Disable IndexedDB (disabled)
162// https://developer.mozilla.org/en-US/docs/IndexedDB
163// https://en.wikipedia.org/wiki/Indexed_Database_API
164// https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review
165// http://forums.mozillazine.org/viewtopic.php?p=13842047
166// https://github.com/pyllyukko/user.js/issues/8
167// NOTICE-DISABLED: IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled
168//user_pref("dom.indexedDB.enabled", false);
169
170// TODO: "Access Your Location" "Maintain Offline Storage" "Show Notifications"
171
172// PREF: Disable gamepad API to prevent USB device enumeration
173// https://www.w3.org/TR/gamepad/
174// https://trac.torproject.org/projects/tor/ticket/13023
175user_pref("dom.gamepad.enabled", false);
176
177// PREF: Disable virtual reality devices APIs
178// https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
179// https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
180user_pref("dom.vr.enabled", false);
181
182// PREF: Disable vibrator API
183user_pref("dom.vibrator.enabled", false);
184
185// PREF: Disable resource timing API
186// https://www.w3.org/TR/resource-timing/#privacy-security
187user_pref("dom.enable_resource_timing", false);
188
189// PREF: Disable Archive API (Firefox < 54)
190// https://wiki.mozilla.org/WebAPI/ArchiveAPI
191// https://bugzilla.mozilla.org/show_bug.cgi?id=1342361
192user_pref("dom.archivereader.enabled", false);
193
194// PREF: Disable webGL
195// https://en.wikipedia.org/wiki/WebGL
196// https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
197user_pref("webgl.disabled", true);
198// PREF: When webGL is enabled, use the minimum capability mode
199user_pref("webgl.min_capability_mode", true);
200// PREF: When webGL is enabled, disable webGL extensions
201// https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API#WebGL_debugging_and_testing
202user_pref("webgl.disable-extensions", true);
203// PREF: When webGL is enabled, force enabling it even when layer acceleration is not supported
204// https://trac.torproject.org/projects/tor/ticket/18603
205user_pref("webgl.disable-fail-if-major-performance-caveat", true);
206// PREF: When webGL is enabled, do not expose information about the graphics driver
207// https://bugzilla.mozilla.org/show_bug.cgi?id=1171228
208// https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info
209user_pref("webgl.enable-debug-renderer-info", false);
210// somewhat related...
211//user_pref("pdfjs.enableWebGL", false);
212
213// PREF: Spoof dual-core CPU
214// https://trac.torproject.org/projects/tor/ticket/21675
215// https://bugzilla.mozilla.org/show_bug.cgi?id=1360039
216user_pref("dom.maxHardwareConcurrency", 2);
217
218// PREF: Disable WebAssembly
219// https://webassembly.org/
220// https://en.wikipedia.org/wiki/WebAssembly
221// https://trac.torproject.org/projects/tor/ticket/21549
222user_pref("javascript.options.wasm", false);
223
224/******************************************************************************
225 * SECTION: Misc *
226 ******************************************************************************/
227
228// PREF: Disable face detection
229user_pref("camera.control.face_detection.enabled", false);
230
231// PREF: Disable GeoIP lookup on your address to set default search engine region
232// https://trac.torproject.org/projects/tor/ticket/16254
233// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine
234user_pref("browser.search.countryCode", "US");
235user_pref("browser.search.region", "US");
236user_pref("browser.search.geoip.url", "");
237
238// PREF: Set Accept-Language HTTP header to en-US regardless of Firefox localization
239// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language
240user_pref("intl.accept_languages", "en-US, en");
241
242// PREF: Don't use OS values to determine locale, force using Firefox locale setting
243// http://kb.mozillazine.org/Intl.locale.matchOS
244user_pref("intl.locale.matchOS", false);
245
246// PREF: Don't use Mozilla-provided location-specific search engines
247user_pref("browser.search.geoSpecificDefaults", false);
248
249// PREF: Do not automatically send selection to clipboard on some Linux platforms
250// http://kb.mozillazine.org/Clipboard.autocopy
251user_pref("clipboard.autocopy", false);
252
253// PREF: Prevent leaking application locale/date format using JavaScript
254// https://bugzilla.mozilla.org/show_bug.cgi?id=867501
255// https://hg.mozilla.org/mozilla-central/rev/52d635f2b33d
256user_pref("javascript.use_us_english_locale", true);
257
258// PREF: Do not submit invalid URIs entered in the address bar to the default search engine
259// http://kb.mozillazine.org/Keyword.enabled
260user_pref("keyword.enabled", false);
261
262// PREF: Don't trim HTTP off of URLs in the address bar.
263// https://bugzilla.mozilla.org/show_bug.cgi?id=665580
264user_pref("browser.urlbar.trimURLs", false);
265
266// PREF: Don't try to guess domain names when entering an invalid domain name in URL bar
267// http://www-archive.mozilla.org/docs/end-user/domain-guessing.html
268user_pref("browser.fixup.alternate.enabled", false);
269
270// PREF: When browser.fixup.alternate.enabled is enabled, strip password from 'user:password@...' URLs
271// https://github.com/pyllyukko/user.js/issues/290#issuecomment-303560851
272user_pref("browser.fixup.hide_user_pass", true);
273
274// PREF: Send DNS request through SOCKS when SOCKS proxying is in use
275// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
276user_pref("network.proxy.socks_remote_dns", true);
277
278// PREF: Don't monitor OS online/offline connection state
279// https://trac.torproject.org/projects/tor/ticket/18945
280user_pref("network.manage-offline-status", false);
281
282// PREF: Enforce Mixed Active Content Blocking
283// https://support.mozilla.org/t5/Protect-your-privacy/Mixed-content-blocking-in-Firefox/ta-p/10990
284// https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_23#Non-SSL_contents_on_SSL_pages_are_blocked_by_default
285// https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
286user_pref("security.mixed_content.block_active_content", true);
287
288// PREF: Enforce Mixed Passive Content blocking (a.k.a. Mixed Display Content)
289// NOTICE: Enabling Mixed Display Content blocking can prevent images/styles... from loading properly when connection to the website is only partially secured
290user_pref("security.mixed_content.block_display_content", true);
291
292// PREF: Disable JAR from opening Unsafe File Types
293// http://kb.mozillazine.org/Network.jar.open-unsafe-types
294// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.7
295user_pref("network.jar.open-unsafe-types", false);
296
297// CIS 2.7.4 Disable Scripting of Plugins by JavaScript
298// http://forums.mozillazine.org/viewtopic.php?f=7&t=153889
299user_pref("security.xpconnect.plugin.unrestricted", false);
300
301// PREF: Set File URI Origin Policy
302// http://kb.mozillazine.org/Security.fileuri.strict_origin_policy
303// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.8
304user_pref("security.fileuri.strict_origin_policy", true);
305
306// PREF: Disable Displaying Javascript in History URLs
307// http://kb.mozillazine.org/Browser.urlbar.filter.javascript
308// CIS 2.3.6
309user_pref("browser.urlbar.filter.javascript", true);
310
311// PREF: Disable asm.js
312// http://asmjs.org/
313// https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
314// https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
315// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712
316user_pref("javascript.options.asmjs", false);
317
318// PREF: Disable SVG in OpenType fonts
319// https://wiki.mozilla.org/SVGOpenTypeFonts
320// https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle
321user_pref("gfx.font_rendering.opentype_svg.enabled", false);
322
323// PREF: Disable in-content SVG rendering (Firefox >= 53) (disabled)
324// NOTICE-DISABLED: Disabling SVG support breaks many UI elements on many sites
325// https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
326// https://github.com/iSECPartners/publications/raw/master/reports/Tor%20Browser%20Bundle/Tor%20Browser%20Bundle%20-%20iSEC%20Deliverable%201.3.pdf#16
327//user_pref("svg.disabled", true);
328
329
330// PREF: Disable video stats to reduce fingerprinting threat
331// https://bugzilla.mozilla.org/show_bug.cgi?id=654550
332// https://github.com/pyllyukko/user.js/issues/9#issuecomment-100468785
333// https://github.com/pyllyukko/user.js/issues/9#issuecomment-148922065
334user_pref("media.video_stats.enabled", false);
335
336// PREF: Don't reveal build ID
337// Value taken from Tor Browser
338// https://bugzilla.mozilla.org/show_bug.cgi?id=583181
339user_pref("general.buildID.override", "20100101");
340user_pref("browser.startup.homepage_override.buildID", "20100101");
341
342// PREF: Prevent font fingerprinting
343// https://browserleaks.com/fonts
344// https://github.com/pyllyukko/user.js/issues/120
345user_pref("browser.display.use_document_fonts", 0);
346
347// PREF: Enable only whitelisted URL protocol handlers
348// http://kb.mozillazine.org/Network.protocol-handler.external-default
349// http://kb.mozillazine.org/Network.protocol-handler.warn-external-default
350// http://kb.mozillazine.org/Network.protocol-handler.expose.%28protocol%29
351// https://news.ycombinator.com/item?id=13047883
352// https://bugzilla.mozilla.org/show_bug.cgi?id=167475
353// https://github.com/pyllyukko/user.js/pull/285#issuecomment-298124005
354// NOTICE: Disabling nonessential protocols breaks all interaction with custom protocols such as mailto:, irc:, magnet: ... and breaks opening third-party mail/messaging/torrent/... clients when clicking on links with these protocols
355// TODO: Add externally-handled protocols from Windows 8.1 and Windows 10 (currently contains protocols only from Linux and Windows 7) that might pose a similar threat (see e.g. https://news.ycombinator.com/item?id=13044991)
356// TODO: Add externally-handled protocols from Mac OS X that might pose a similar threat (see e.g. https://news.ycombinator.com/item?id=13044991)
357// If you want to enable a protocol, set network.protocol-handler.expose.(protocol) to true and network.protocol-handler.external.(protocol) to:
358// * true, if the protocol should be handled by an external application
359// * false, if the protocol should be handled internally by Firefox
360user_pref("network.protocol-handler.warn-external-default", true);
361user_pref("network.protocol-handler.external.http", false);
362user_pref("network.protocol-handler.external.https", false);
363user_pref("network.protocol-handler.external.javascript", false);
364user_pref("network.protocol-handler.external.moz-extension", false);
365user_pref("network.protocol-handler.external.ftp", false);
366user_pref("network.protocol-handler.external.file", false);
367user_pref("network.protocol-handler.external.about", false);
368user_pref("network.protocol-handler.external.chrome", false);
369user_pref("network.protocol-handler.external.blob", false);
370user_pref("network.protocol-handler.external.data", false);
371user_pref("network.protocol-handler.expose-all", false);
372user_pref("network.protocol-handler.expose.http", true);
373user_pref("network.protocol-handler.expose.https", true);
374user_pref("network.protocol-handler.expose.javascript", true);
375user_pref("network.protocol-handler.expose.moz-extension", true);
376user_pref("network.protocol-handler.expose.ftp", true);
377user_pref("network.protocol-handler.expose.file", true);
378user_pref("network.protocol-handler.expose.about", true);
379user_pref("network.protocol-handler.expose.chrome", true);
380user_pref("network.protocol-handler.expose.blob", true);
381user_pref("network.protocol-handler.expose.data", true);
382
383/******************************************************************************
384 * SECTION: Extensions / plugins *
385 ******************************************************************************/
386
387// PREF: Ensure you have a security delay when installing add-ons (milliseconds)
388// http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
389// http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
390user_pref("security.dialog_enable_delay", 1000);
391
392// PREF: Require signatures
393// https://wiki.mozilla.org/Addons/Extension_Signing
394//user_pref("xpinstall.signatures.required", true);
395
396// PREF: Opt-out of add-on metadata updates
397// https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
398user_pref("extensions.getAddons.cache.enabled", false);
399
400// PREF: Opt-out of themes (Persona) updates
401// https://support.mozilla.org/t5/Firefox/how-do-I-prevent-autoamtic-updates-in-a-50-user-environment/td-p/144287
402user_pref("lightweightThemes.update.enabled", false);
403
404// PREF: Disable Flash Player NPAPI plugin
405// http://kb.mozillazine.org/Flash_plugin
406user_pref("plugin.state.flash", 0);
407
408// PREF: Disable Java NPAPI plugin
409user_pref("plugin.state.java", 0);
410
411// PREF: Disable sending Flash Player crash reports
412user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
413
414// PREF: When Flash crash reports are enabled, don't send the visited URL in the crash report
415user_pref("dom.ipc.plugins.reportCrashURL", false);
416
417// PREF: When Flash is enabled, download and use Mozilla SWF URIs blocklist
418// https://bugzilla.mozilla.org/show_bug.cgi?id=1237198
419// https://github.com/mozilla-services/shavar-plugin-blocklist
420user_pref("browser.safebrowsing.blockedURIs.enabled", true);
421
422// PREF: Disable Shumway (Mozilla Flash renderer)
423// https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Shumway
424user_pref("shumway.disabled", true);
425
426// PREF: Disable Gnome Shell Integration NPAPI plugin
427user_pref("plugin.state.libgnome-shell-browser-plugin", 0);
428
429// PREF: Disable the bundled OpenH264 video codec (disabled)
430// http://forums.mozillazine.org/viewtopic.php?p=13845077&sid=28af2622e8bd8497b9113851676846b1#p13845077
431//user_pref("media.gmp-provider.enabled", false);
432
433// PREF: Enable plugins click-to-play
434// https://wiki.mozilla.org/Firefox/Click_To_Play
435// https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/
436user_pref("plugins.click_to_play", true);
437
438// PREF: Updates addons automatically
439// https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/
440user_pref("extensions.update.enabled", true);
441
442// PREF: Enable add-on and certificate blocklists (OneCRL) from Mozilla
443// https://wiki.mozilla.org/Blocklisting
444// https://blocked.cdn.mozilla.net/
445// http://kb.mozillazine.org/Extensions.blocklist.enabled
446// http://kb.mozillazine.org/Extensions.blocklist.url
447// https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
448// Updated at interval defined in extensions.blocklist.interval (default: 86400)
449user_pref("extensions.blocklist.enabled", true);
450user_pref("services.blocklist.update_enabled", true);
451
452// PREF: Decrease system information leakage to Mozilla blocklist update servers
453// https://trac.torproject.org/projects/tor/ticket/16931
454user_pref("extensions.blocklist.url", "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/");
455
456// PREF: Disable system add-on updates (hidden & always-enabled add-ons from Mozilla)
457// https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html
458// https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/
459// https://github.com/pyllyukko/user.js/issues/419
460// https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#1248-1257
461// NOTICE: Disabling system add-on updates prevents Mozilla from "hotfixing" your browser to patch critical problems (one possible use case from the documentation)
462user_pref("extensions.systemAddon.update.enabled", false);
463
464/******************************************************************************
465 * SECTION: Firefox (anti-)features / components * *
466 ******************************************************************************/
467
468// PREF: Disable Extension recommendations (Firefox >= 65)
469// https://support.mozilla.org/en-US/kb/extension-recommendations
470user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false);
471
472// PREF: Trusted Recursive Resolver (DNS-over-HTTPS) (disabled)
473// https://wiki.mozilla.org/Trusted_Recursive_Resolver
474//user_pref("network.trr.mode", 0);
475
476// PREF: Disable WebIDE
477// https://trac.torproject.org/projects/tor/ticket/16222
478// https://developer.mozilla.org/docs/Tools/WebIDE
479user_pref("devtools.webide.enabled", false);
480user_pref("devtools.webide.autoinstallADBHelper", false);
481user_pref("devtools.webide.autoinstallFxdtAdapters", false);
482
483// PREF: Disable remote debugging
484// https://developer.mozilla.org/en-US/docs/Tools/Remote_Debugging/Debugging_Firefox_Desktop
485// https://developer.mozilla.org/en-US/docs/Tools/Tools_Toolbox#Advanced_settings
486user_pref("devtools.debugger.remote-enabled", false);
487user_pref("devtools.chrome.enabled", false);
488user_pref("devtools.debugger.force-local", true);
489
490// PREF: Disable Mozilla telemetry/experiments
491// https://wiki.mozilla.org/Platform/Features/Telemetry
492// https://wiki.mozilla.org/Privacy/Reviews/Telemetry
493// https://wiki.mozilla.org/Telemetry
494// https://www.mozilla.org/en-US/legal/privacy/firefox.html#telemetry
495// https://support.mozilla.org/t5/Firefox-crashes/Mozilla-Crash-Reporter/ta-p/1715
496// https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/telemetry
497// https://gecko.readthedocs.io/en/latest/browser/experiments/experiments/manifest.html
498// https://wiki.mozilla.org/Telemetry/Experiments
499// https://support.mozilla.org/en-US/questions/1197144
500// https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html#id1
501user_pref("toolkit.telemetry.enabled", false);
502user_pref("toolkit.telemetry.unified", false);
503user_pref("toolkit.telemetry.archive.enabled", false);
504user_pref("experiments.supported", false);
505user_pref("experiments.enabled", false);
506user_pref("experiments.manifest.uri", "");
507
508// PREF: Disallow Necko to do A/B testing
509// https://trac.torproject.org/projects/tor/ticket/13170
510user_pref("network.allow-experiments", false);
511
512// PREF: Disable sending Firefox crash reports to Mozilla servers
513// https://wiki.mozilla.org/Breakpad
514// http://kb.mozillazine.org/Breakpad
515// https://dxr.mozilla.org/mozilla-central/source/toolkit/crashreporter
516// https://bugzilla.mozilla.org/show_bug.cgi?id=411490
517// A list of submitted crash reports can be found at about:crashes
518user_pref("breakpad.reportURL", "");
519
520// PREF: Disable sending reports of tab crashes to Mozilla (about:tabcrashed), don't nag user about unsent crash reports
521// https://hg.mozilla.org/mozilla-central/file/tip/browser/app/profile/firefox.js
522user_pref("browser.tabs.crashReporting.sendReport", false);
523user_pref("browser.crashReports.unsubmittedCheck.enabled", false);
524
525// PREF: Disable FlyWeb (discovery of LAN/proximity IoT devices that expose a Web interface)
526// https://wiki.mozilla.org/FlyWeb
527// https://wiki.mozilla.org/FlyWeb/Security_scenarios
528// https://docs.google.com/document/d/1eqLb6cGjDL9XooSYEEo7mE-zKQ-o-AuDTcEyNhfBMBM/edit
529// http://www.ghacks.net/2016/07/26/firefox-flyweb
530user_pref("dom.flyweb.enabled", false);
531
532// PREF: Disable the UITour backend
533// https://trac.torproject.org/projects/tor/ticket/19047#comment:3
534user_pref("browser.uitour.enabled", false);
535
536// PREF: Enable Firefox Tracking Protection
537// https://wiki.mozilla.org/Security/Tracking_protection
538// https://support.mozilla.org/en-US/kb/tracking-protection-firefox
539// https://support.mozilla.org/en-US/kb/tracking-protection-pbm
540// https://kontaxis.github.io/trackingprotectionfirefox/
541// https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/
542user_pref("privacy.trackingprotection.enabled", true);
543user_pref("privacy.trackingprotection.pbmode.enabled", true);
544
545// PREF: Enable contextual identity Containers feature (Firefox >= 52)
546// NOTICE: Containers are not available in Private Browsing mode
547// https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
548user_pref("privacy.userContext.enabled", true);
549
550// PREF: Enable Firefox's anti-fingerprinting mode ("resist fingerprinting" or RFP) (Tor Uplift project)
551// https://wiki.mozilla.org/Security/Tor_Uplift/Tracking
552// https://bugzilla.mozilla.org/show_bug.cgi?id=1333933
553// https://wiki.mozilla.org/Security/Fingerprinting
554// NOTICE: RFP breaks some keyboard shortcuts used in certain websites (see #443)
555// NOTICE: RFP changes your time zone
556user_pref("privacy.resistFingerprinting", true);
557
558// PREF: Disable the built-in PDF viewer
559// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2743
560// https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
561// https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
562user_pref("pdfjs.disabled", true);
563
564// PREF: Disable collection/sending of the health report (healthreport.sqlite*)
565// https://support.mozilla.org/en-US/kb/firefox-health-report-understand-your-browser-perf
566// https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
567user_pref("datareporting.healthreport.uploadEnabled", false);
568user_pref("datareporting.healthreport.service.enabled", false);
569user_pref("datareporting.policy.dataSubmissionEnabled", false);
570// "Allow Firefox to make personalized extension recommendations"
571user_pref("browser.discovery.enabled", false);
572
573// PREF: Disable Heartbeat (Mozilla user rating telemetry)
574// https://wiki.mozilla.org/Advocacy/heartbeat
575// https://trac.torproject.org/projects/tor/ticket/19047
576user_pref("browser.selfsupport.url", "");
577
578// PREF: Disable Firefox Hello (disabled) (Firefox < 49)
579// https://wiki.mozilla.org/Loop
580// https://support.mozilla.org/t5/Chat-and-share/Support-for-Hello-discontinued-in-Firefox-49/ta-p/37946
581// NOTICE-DISABLED: Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work.
582//user_pref("loop.enabled", false);
583
584// PREF: Disable Firefox Hello metrics collection
585// https://groups.google.com/d/topic/mozilla.dev.platform/nyVkCx-_sFw/discussion
586user_pref("loop.logDomains", false);
587
588// PREF: Enable Auto Update (disabled)
589// NOTICE: Fully automatic updates are disabled and left to package management systems on Linux. Windows users may want to change this setting.
590// CIS 2.1.1
591//user_pref("app.update.auto", true);
592
593// PREF: Enforce checking for Firefox updates
594// http://kb.mozillazine.org/App.update.enabled
595// NOTICE: Update check page might incorrectly report Firefox ESR as out-of-date
596user_pref("app.update.enabled", true);
597
598// PREF: Enable blocking reported web forgeries
599// https://wiki.mozilla.org/Security/Safe_Browsing
600// http://kb.mozillazine.org/Safe_browsing
601// https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work
602// http://forums.mozillazine.org/viewtopic.php?f=39&t=2711237&p=12896849#p12896849
603// CIS 2.3.4
604user_pref("browser.safebrowsing.enabled", true); // Firefox < 50
605user_pref("browser.safebrowsing.phishing.enabled", true); // firefox >= 50
606
607// PREF: Enable blocking reported attack sites
608// http://kb.mozillazine.org/Browser.safebrowsing.malware.enabled
609// CIS 2.3.5
610user_pref("browser.safebrowsing.malware.enabled", true);
611
612// PREF: Disable querying Google Application Reputation database for downloaded binary files
613// https://www.mozilla.org/en-US/firefox/39.0/releasenotes/
614// https://wiki.mozilla.org/Security/Application_Reputation
615user_pref("browser.safebrowsing.downloads.remote.enabled", false);
616
617// PREF: Disable Pocket
618// https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox
619// https://github.com/pyllyukko/user.js/issues/143
620user_pref("browser.pocket.enabled", false);
621user_pref("extensions.pocket.enabled", false);
622
623// PREF: Disable SHIELD
624// https://support.mozilla.org/en-US/kb/shield
625// https://bugzilla.mozilla.org/show_bug.cgi?id=1370801
626user_pref("extensions.shield-recipe-client.enabled", false);
627user_pref("app.shield.optoutstudies.enabled", false);
628
629// PREF: Disable "Recommended by Pocket" in Firefox Quantum
630user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
631
632/******************************************************************************
633 * SECTION: Automatic connections *
634 ******************************************************************************/
635
636// PREF: Limit the connection keep-alive timeout to 15 seconds (disabled)
637// https://github.com/pyllyukko/user.js/issues/387
638// http://kb.mozillazine.org/Network.http.keep-alive.timeout
639// https://httpd.apache.org/docs/current/mod/core.html#keepalivetimeout
640//user_pref("network.http.keep-alive.timeout", 15);
641
642// PREF: Disable prefetching of <link rel="next"> URLs
643// http://kb.mozillazine.org/Network.prefetch-next
644// https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F
645user_pref("network.prefetch-next", false);
646
647// PREF: Disable DNS prefetching
648// http://kb.mozillazine.org/Network.dns.disablePrefetch
649// https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
650user_pref("network.dns.disablePrefetch", true);
651user_pref("network.dns.disablePrefetchFromHTTPS", true);
652
653// PREF: Disable the predictive service (Necko)
654// https://wiki.mozilla.org/Privacy/Reviews/Necko
655user_pref("network.predictor.enabled", false);
656
657// PREF: Reject .onion hostnames before passing the to DNS
658// https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
659// RFC 7686
660user_pref("network.dns.blockDotOnion", true);
661
662// PREF: Disable search suggestions in the search bar
663// http://kb.mozillazine.org/Browser.search.suggest.enabled
664user_pref("browser.search.suggest.enabled", false);
665
666// PREF: Disable "Show search suggestions in location bar results"
667user_pref("browser.urlbar.suggest.searches", false);
668// PREF: When using the location bar, don't suggest URLs from browsing history
669user_pref("browser.urlbar.suggest.history", false);
670
671// PREF: Disable SSDP
672// https://bugzilla.mozilla.org/show_bug.cgi?id=1111967
673user_pref("browser.casting.enabled", false);
674
675// PREF: Disable automatic downloading of OpenH264 codec
676// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities
677// https://andreasgal.com/2014/10/14/openh264-now-in-firefox/
678user_pref("media.gmp-gmpopenh264.enabled", false);
679user_pref("media.gmp-manager.url", "");
680
681// PREF: Disable speculative pre-connections
682// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections
683// https://bugzilla.mozilla.org/show_bug.cgi?id=814169
684user_pref("network.http.speculative-parallel-limit", 0);
685
686// PREF: Disable downloading homepage snippets/messages from Mozilla
687// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_mozilla-content
688// https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
689user_pref("browser.aboutHomeSnippets.updateUrl", "");
690
691// PREF: Never check updates for search engines
692// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking
693user_pref("browser.search.update", false);
694
695// PREF: Disable automatic captive portal detection (Firefox >= 52.0)
696// https://support.mozilla.org/en-US/questions/1157121
697user_pref("network.captive-portal-service.enabled", false);
698
699/******************************************************************************
700 * SECTION: HTTP *
701 ******************************************************************************/
702
703// PREF: Disallow NTLMv1
704// https://bugzilla.mozilla.org/show_bug.cgi?id=828183
705user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
706// it is still allowed through HTTPS. uncomment the following to disable it completely.
707//user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false);
708
709// PREF: Enable CSP 1.1 script-nonce directive support
710// https://bugzilla.mozilla.org/show_bug.cgi?id=855326
711user_pref("security.csp.experimentalEnabled", true);
712
713// PREF: Enable Content Security Policy (CSP)
714// https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
715// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
716user_pref("security.csp.enable", true);
717
718// PREF: Enable Subresource Integrity
719// https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
720// https://wiki.mozilla.org/Security/Subresource_Integrity
721user_pref("security.sri.enable", true);
722
723// PREF: DNT HTTP header (disabled)
724// https://www.mozilla.org/en-US/firefox/dnt/
725// https://en.wikipedia.org/wiki/Do_not_track_header
726// https://dnt-dashboard.mozilla.org
727// https://github.com/pyllyukko/user.js/issues/11
728// NOTICE: Do No Track must be enabled manually
729//user_pref("privacy.donottrackheader.enabled", true);
730
731// PREF: Send a referer header with the target URI as the source
732// https://bugzilla.mozilla.org/show_bug.cgi?id=822869
733// https://github.com/pyllyukko/user.js/issues/227
734// NOTICE: Spoofing referers breaks functionality on websites relying on authentic referer headers
735// NOTICE: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
736// NOTICE: Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
737// TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
738user_pref("network.http.referer.spoofSource", true);
739
740// PREF: Don't send referer headers when following links across different domains (disabled)
741// https://github.com/pyllyukko/user.js/issues/227
742// user_pref("network.http.referer.XOriginPolicy", 2);
743
744// PREF: Accept Only 1st Party Cookies
745// http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
746// NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways
747// CIS 2.5.1
748user_pref("network.cookie.cookieBehavior", 1);
749
750// PREF: Enable first-party isolation
751// https://bugzilla.mozilla.org/show_bug.cgi?id=1299996
752// https://bugzilla.mozilla.org/show_bug.cgi?id=1260931
753// https://wiki.mozilla.org/Security/FirstPartyIsolation
754// NOTICE: First-party isolation breaks Microsoft Teams
755// NOTICE: First-party isolation causes HTTP basic auth to ask for credentials for every new tab (see #425)
756user_pref("privacy.firstparty.isolate", true);
757
758// PREF: Make sure that third-party cookies (if enabled) never persist beyond the session.
759// https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
760// http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly
761// https://developer.mozilla.org/en-US/docs/Cookies_Preferences_in_Mozilla#network.cookie.thirdparty.sessionOnly
762user_pref("network.cookie.thirdparty.sessionOnly", true);
763
764// PREF: Spoof User-agent (disabled)
765//user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0");
766//user_pref("general.appname.override", "Netscape");
767//user_pref("general.appversion.override", "5.0 (Windows)");
768//user_pref("general.platform.override", "Win32");
769//user_pref("general.oscpu.override", "Windows NT 6.1");
770
771/*******************************************************************************
772 * SECTION: Caching *
773 ******************************************************************************/
774
775// PREF: Permanently enable private browsing mode
776// https://support.mozilla.org/en-US/kb/Private-Browsing
777// https://wiki.mozilla.org/PrivateBrowsing
778// NOTICE: You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941
779// NOTICE: When Javascript is enabled, Websites can detect use of Private Browsing mode
780// NOTICE: Private browsing breaks Kerberos authentication
781// NOTICE: Disables "Containers" functionality (see below)
782// NOTICE: "Always use private browsing mode" (browser.privatebrowsing.autostart) disables the possibility to use password manager: https://support.mozilla.org/en-US/kb/usernames-and-passwords-are-not-saved#w_private-browsing
783user_pref("browser.privatebrowsing.autostart", true);
784
785// PREF: Do not download URLs for the offline cache
786// http://kb.mozillazine.org/Browser.cache.offline.enable
787user_pref("browser.cache.offline.enable", false);
788
789// PREF: Clear history when Firefox closes
790// https://support.mozilla.org/en-US/kb/Clear%20Recent%20History#w_how-do-i-make-firefox-clear-my-history-automatically
791// NOTICE: Installing user.js will remove your browsing history, caches and local storage.
792// NOTICE: Installing user.js **will remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27)
793// NOTICE: Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945
794user_pref("privacy.sanitize.sanitizeOnShutdown", true);
795user_pref("privacy.clearOnShutdown.cache", true);
796user_pref("privacy.clearOnShutdown.cookies", true);
797user_pref("privacy.clearOnShutdown.downloads", true);
798user_pref("privacy.clearOnShutdown.formdata", true);
799user_pref("privacy.clearOnShutdown.history", true);
800user_pref("privacy.clearOnShutdown.offlineApps", true);
801user_pref("privacy.clearOnShutdown.sessions", true);
802user_pref("privacy.clearOnShutdown.openWindows", true);
803
804// PREF: Set time range to "Everything" as default in "Clear Recent History"
805user_pref("privacy.sanitize.timeSpan", 0);
806
807// PREF: Clear everything but "Site Preferences" in "Clear Recent History"
808user_pref("privacy.cpd.offlineApps", true);
809user_pref("privacy.cpd.cache", true);
810user_pref("privacy.cpd.cookies", true);
811user_pref("privacy.cpd.downloads", true);
812user_pref("privacy.cpd.formdata", true);
813user_pref("privacy.cpd.history", true);
814user_pref("privacy.cpd.sessions", true);
815
816// PREF: Don't remember browsing history
817user_pref("places.history.enabled", false);
818
819// PREF: Disable disk cache
820// http://kb.mozillazine.org/Browser.cache.disk.enable
821user_pref("browser.cache.disk.enable", false);
822
823// PREF: Disable memory cache (disabled)
824// http://kb.mozillazine.org/Browser.cache.memory.enable
825//user_pref("browser.cache.memory.enable", false);
826
827// PREF: Disable Caching of SSL Pages
828// CIS Version 1.2.0 October 21st, 2011 2.5.8
829// http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
830user_pref("browser.cache.disk_cache_ssl", false);
831
832// PREF: Disable download history
833// CIS Version 1.2.0 October 21st, 2011 2.5.5
834user_pref("browser.download.manager.retention", 0);
835
836// PREF: Disable password manager
837// CIS Version 1.2.0 October 21st, 2011 2.5.2
838user_pref("signon.rememberSignons", false);
839
840// PREF: Disable form autofill, don't save information entered in web page forms and the Search Bar
841user_pref("browser.formfill.enable", false);
842
843// PREF: Cookies expires at the end of the session (when the browser closes)
844// http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2
845user_pref("network.cookie.lifetimePolicy", 2);
846
847// PREF: Require manual intervention to autofill known username/passwords sign-in forms
848// http://kb.mozillazine.org/Signon.autofillForms
849// https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
850user_pref("signon.autofillForms", false);
851
852// PREF: Disable formless login capture
853// https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
854user_pref("signon.formlessCapture.enabled", false);
855
856// PREF: When username/password autofill is enabled, still disable it on non-HTTPS sites
857// https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
858user_pref("signon.autofillForms.http", false);
859
860// PREF: Show in-content login form warning UI for insecure login fields
861// https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
862user_pref("security.insecure_field_warning.contextual.enabled", true);
863
864// PREF: Disable the password manager for pages with autocomplete=off (disabled)
865// https://bugzilla.mozilla.org/show_bug.cgi?id=956906
866// OWASP ASVS V9.1
867// Does not prevent any kind of auto-completion (see browser.formfill.enable, signon.autofillForms)
868//user_pref("signon.storeWhenAutocompleteOff", false);
869
870// PREF: Delete Search and Form History
871// CIS Version 1.2.0 October 21st, 2011 2.5.6
872user_pref("browser.formfill.expire_days", 0);
873
874// PREF: Clear SSL Form Session Data
875// http://kb.mozillazine.org/Browser.sessionstore.privacy_level#2
876// Store extra session data for unencrypted (non-HTTPS) sites only.
877// CIS Version 1.2.0 October 21st, 2011 2.5.7
878// NOTE: CIS says 1, we use 2
879user_pref("browser.sessionstore.privacy_level", 2);
880
881// PREF: Delete temporary files on exit
882// https://bugzilla.mozilla.org/show_bug.cgi?id=238789
883user_pref("browser.helperApps.deleteTempFileOnExit", true);
884
885// PREF: Do not create screenshots of visited pages (relates to the "new tab page" feature)
886// https://support.mozilla.org/en-US/questions/973320
887// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/browser.pagethumbnails.capturing_disabled
888user_pref("browser.pagethumbnails.capturing_disabled", true);
889
890// PREF: Don't fetch and permanently store favicons for Windows .URL shortcuts created by drag and drop
891// NOTICE: .URL shortcut files will be created with a generic icon
892// Favicons are stored as .ico files in $profile_dir\shortcutCache
893user_pref("browser.shell.shortcutFavicons", false);
894
895// PREF: Disable bookmarks backups (default: 15)
896// http://kb.mozillazine.org/Browser.bookmarks.max_backups
897user_pref("browser.bookmarks.max_backups", 0);
898
899/*******************************************************************************
900 * SECTION: UI related *
901 *******************************************************************************/
902
903// PREF: Enable insecure password warnings (login forms in non-HTTPS pages)
904// https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
905// https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
906// https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
907user_pref("security.insecure_password.ui.enabled", true);
908
909// PREF: Disable right-click menu manipulation via JavaScript (disabled)
910//user_pref("dom.event.contextmenu.enabled", false);
911
912// PREF: Disable "Are you sure you want to leave this page?" popups on page close
913// https://support.mozilla.org/en-US/questions/1043508
914// Does not prevent JS leaks of the page close event.
915// https://developer.mozilla.org/en-US/docs/Web/Events/beforeunload
916//user_pref("dom.disable_beforeunload", true);
917
918// PREF: Disable Downloading on Desktop
919// CIS 2.3.2
920user_pref("browser.download.folderList", 2);
921
922// PREF: Always ask the user where to download
923// https://developer.mozilla.org/en/Download_Manager_preferences (obsolete)
924user_pref("browser.download.useDownloadDir", false);
925
926
927// PREF: Disable Snippets
928// https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
929// https://support.mozilla.org/en-US/kb/snippets-firefox-faq
930user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
931
932// PREF: Disable Activity Stream
933// https://wiki.mozilla.org/Firefox/Activity_Stream
934user_pref("browser.newtabpage.activity-stream.enabled", false);
935
936// PREF: Disable new tab tile ads & preload
937// http://www.thewindowsclub.com/disable-remove-ad-tiles-from-firefox
938// http://forums.mozillazine.org/viewtopic.php?p=13876331#p13876331
939// https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping
940// https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-source
941// https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-ping
942// TODO: deprecated? not in DXR, some dead links
943user_pref("browser.newtabpage.enhanced", false);
944user_pref("browser.newtab.preload", false);
945user_pref("browser.newtabpage.directory.ping", "");
946user_pref("browser.newtabpage.directory.source", "data:text/plain,{}");
947
948// PREF: Enable Auto Notification of Outdated Plugins (Firefox < 50)
949// https://wiki.mozilla.org/Firefox3.6/Plugin_Update_Awareness_Security_Review
950// CIS Version 1.2.0 October 21st, 2011 2.1.2
951// https://hg.mozilla.org/mozilla-central/rev/304560
952user_pref("plugins.update.notifyUser", true);
953
954// PREF: Force Punycode for Internationalized Domain Names
955// http://kb.mozillazine.org/Network.IDN_show_punycode
956// https://www.xudongz.com/blog/2017/idn-phishing/
957// https://wiki.mozilla.org/IDN_Display_Algorithm
958// https://en.wikipedia.org/wiki/IDN_homograph_attack
959// https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
960// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6
961user_pref("network.IDN_show_punycode", true);
962
963// PREF: Disable inline autocomplete in URL bar
964// http://kb.mozillazine.org/Inline_autocomplete
965user_pref("browser.urlbar.autoFill", false);
966user_pref("browser.urlbar.autoFill.typed", false);
967
968// PREF: Disable CSS :visited selectors
969// https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/
970// https://dbaron.org/mozilla/visited-privacy
971user_pref("layout.css.visited_links_enabled", false);
972
973// PREF: Disable URL bar autocomplete and history/bookmarks suggestions dropdown
974// http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
975user_pref("browser.urlbar.autocomplete.enabled", false);
976
977// PREF: Do not check if Firefox is the default browser
978user_pref("browser.shell.checkDefaultBrowser", false);
979
980// PREF: When password manager is enabled, lock the password storage periodically
981// CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
982user_pref("security.ask_for_password", 2);
983
984// PREF: Lock the password storage every 1 minutes (default: 30)
985user_pref("security.password_lifetime", 1);
986
987// PREF: Display a notification bar when websites offer data for offline use
988// http://kb.mozillazine.org/Browser.offline-apps.notify
989user_pref("browser.offline-apps.notify", true);
990
991/******************************************************************************
992 * SECTION: Cryptography *
993 ******************************************************************************/
994
995// PREF: Enable HSTS preload list (pre-set HSTS sites list provided by Mozilla)
996// https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
997// https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
998// https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
999user_pref("network.stricttransportsecurity.preloadlist", true);
1000
1001// PREF: Enable Online Certificate Status Protocol
1002// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
1003// https://www.imperialviolet.org/2014/04/19/revchecking.html
1004// https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/
1005// https://wiki.mozilla.org/CA:RevocationPlan
1006// https://wiki.mozilla.org/CA:ImprovingRevocation
1007// https://wiki.mozilla.org/CA:OCSP-HardFail
1008// https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html
1009// https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html
1010// NOTICE: OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
1011// NOTICE: OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
1012// NOTICE: OCSP adds latency (performance)
1013// NOTICE: Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
1014// CIS Version 1.2.0 October 21st, 2011 2.2.4
1015user_pref("security.OCSP.enabled", 1);
1016
1017// PREF: Enable OCSP Stapling support
1018// https://en.wikipedia.org/wiki/OCSP_stapling
1019// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
1020// https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
1021user_pref("security.ssl.enable_ocsp_stapling", true);
1022
1023// PREF: Enable OCSP Must-Staple support (Firefox >= 45)
1024// https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
1025// https://www.entrust.com/ocsp-must-staple/
1026// https://github.com/schomery/privacy-settings/issues/40
1027// NOTICE: Firefox falls back on plain OCSP when must-staple is not configured on the host certificate
1028user_pref("security.ssl.enable_ocsp_must_staple", true);
1029
1030// PREF: Require a valid OCSP response for OCSP enabled certificates
1031// https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA
1032// Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses
1033// NOTICE: `security.OCSP.require` will make the connection fail when the OCSP responder is unavailable
1034// NOTICE: `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal)
1035user_pref("security.OCSP.require", true);
1036
1037// PREF: Disable TLS Session Tickets
1038// https://www.blackhat.com/us-13/briefings.html#NextGen
1039// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
1040// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
1041// https://bugzilla.mozilla.org/show_bug.cgi?id=917049
1042// https://bugzilla.mozilla.org/show_bug.cgi?id=967977
1043user_pref("security.ssl.disable_session_identifiers", true);
1044
1045// PREF: Only allow TLS 1.[0-3]
1046// http://kb.mozillazine.org/Security.tls.version.*
1047// 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
1048// 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
1049// 3 = TLS 1.2 is the minimum required / maximum supported encryption protocol.
1050// 4 = TLS 1.3 is the minimum required / maximum supported encryption protocol.
1051user_pref("security.tls.version.min", 1);
1052user_pref("security.tls.version.max", 4);
1053
1054// PREF: Disable insecure TLS version fallback
1055// https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
1056// https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
1057user_pref("security.tls.version.fallback-limit", 3);
1058
1059// PREF: Enforce Public Key Pinning
1060// https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
1061// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
1062// "2. Strict. Pinning is always enforced."
1063user_pref("security.cert_pinning.enforcement_level", 2);
1064
1065// PREF: Disallow SHA-1
1066// https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
1067// https://shattered.io/
1068user_pref("security.pki.sha1_enforcement_level", 1);
1069
1070// PREF: Warn the user when server doesn't support RFC 5746 ("safe" renegotiation)
1071// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
1072// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
1073user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
1074
1075// PREF: Disallow connection to servers not supporting safe renegotiation (disabled)
1076// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation
1077// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
1078// TODO: `security.ssl.require_safe_negotiation` is more secure but makes browsing next to impossible (2012-2014-... - `ssl_error_unsafe_negotiation` errors), so is left disabled
1079//user_pref("security.ssl.require_safe_negotiation", true);
1080
1081// PREF: Disable automatic reporting of TLS connection errors
1082// https://support.mozilla.org/en-US/kb/certificate-pinning-reports
1083// we could also disable security.ssl.errorReporting.enabled, but I think it's
1084// good to leave the option to report potentially malicious sites if the user
1085// chooses to do so.
1086// you can test this at https://pinningtest.appspot.com/
1087user_pref("security.ssl.errorReporting.automatic", false);
1088
1089// PREF: Pre-populate the current URL but do not pre-fetch the certificate in the "Add Security Exception" dialog
1090// http://kb.mozillazine.org/Browser.ssl_override_behavior
1091// https://github.com/pyllyukko/user.js/issues/210
1092user_pref("browser.ssl_override_behavior", 1);
1093
1094/******************************************************************************
1095 * SECTION: Cipher suites *
1096 ******************************************************************************/
1097
1098// PREF: Disable null ciphers
1099user_pref("security.ssl3.rsa_null_sha", false);
1100user_pref("security.ssl3.rsa_null_md5", false);
1101user_pref("security.ssl3.ecdhe_rsa_null_sha", false);
1102user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
1103user_pref("security.ssl3.ecdh_rsa_null_sha", false);
1104user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);
1105
1106// PREF: Disable SEED cipher
1107// https://en.wikipedia.org/wiki/SEED
1108user_pref("security.ssl3.rsa_seed_sha", false);
1109
1110// PREF: Disable 40/56/128-bit ciphers
1111// 40-bit ciphers
1112user_pref("security.ssl3.rsa_rc4_40_md5", false);
1113user_pref("security.ssl3.rsa_rc2_40_md5", false);
1114// 56-bit ciphers
1115user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);
1116// 128-bit ciphers
1117user_pref("security.ssl3.rsa_camellia_128_sha", false);
1118user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
1119user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
1120user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);
1121user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);
1122user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);
1123user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
1124
1125// PREF: Disable RC4
1126// https://developer.mozilla.org/en-US/Firefox/Releases/38#Security
1127// https://bugzilla.mozilla.org/show_bug.cgi?id=1138882
1128// https://rc4.io/
1129// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
1130user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
1131user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
1132user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
1133user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
1134user_pref("security.ssl3.rsa_rc4_128_md5", false);
1135user_pref("security.ssl3.rsa_rc4_128_sha", false);
1136user_pref("security.tls.unrestricted_rc4_fallback", false);
1137
1138// PREF: Disable 3DES (effective key size is < 128)
1139// https://en.wikipedia.org/wiki/3des#Security
1140// http://en.citizendium.org/wiki/Meet-in-the-middle_attack
1141// http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
1142user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);
1143user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
1144user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
1145user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
1146user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);
1147user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);
1148user_pref("security.ssl3.rsa_des_ede3_sha", false);
1149user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);
1150
1151// PREF: Disable ciphers with ECDH (non-ephemeral)
1152user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);
1153user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);
1154
1155// PREF: Disable 256 bits ciphers without PFS
1156user_pref("security.ssl3.rsa_camellia_256_sha", false);
1157
1158// PREF: Enable ciphers with ECDHE and key size > 128bits
1159user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); // 0xc014
1160user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // 0xc00a
1161
1162// PREF: Enable GCM ciphers (TLSv1.2 only)
1163// https://en.wikipedia.org/wiki/Galois/Counter_Mode
1164user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); // 0xc02b
1165user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // 0xc02f
1166
1167// PREF: Enable ChaCha20 and Poly1305 (Firefox >= 47)
1168// https://www.mozilla.org/en-US/firefox/47.0/releasenotes/
1169// https://tools.ietf.org/html/rfc7905
1170// https://bugzilla.mozilla.org/show_bug.cgi?id=917571
1171// https://bugzilla.mozilla.org/show_bug.cgi?id=1247860
1172// https://cr.yp.to/chacha.html
1173user_pref("security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", true);
1174user_pref("security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256", true);
1175
1176// PREF: Disable ciphers susceptible to the logjam attack
1177// https://weakdh.org/
1178user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);
1179user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
1180
1181// PREF: Disable ciphers with DSA (max 1024 bits)
1182user_pref("security.ssl3.dhe_dss_aes_128_sha", false);
1183user_pref("security.ssl3.dhe_dss_aes_256_sha", false);
1184user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);
1185user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);
1186
1187// PREF: Fallbacks due compatibility reasons
1188user_pref("security.ssl3.rsa_aes_256_sha", true); // 0x35
1189user_pref("security.ssl3.rsa_aes_128_sha", true); // 0x2f