· 6 years ago · Dec 10, 2019, 12:08 PM
1/******
2* name: ghacks user.js
3* date: 06 December 2019
4* version 71-beta: Dancing Pants
5* "Ooh-ooh, see that girl, watch that scene, dig in the dancing pants"
6* authors: v52+ github | v51- www.ghacks.net
7* url: https://github.com/ghacksuserjs/ghacks-user.js
8* license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt
9
10* releases: These are end-of-stable-life-cycle legacy archives.
11 *Always* use the master branch user.js for a current up-to-date version.
12 url: https://github.com/ghacksuserjs/ghacks-user.js/releases
13
14* README:
15
16 0. Consider using Tor Browser if it meets your needs or fits your threat model better
17 * https://www.torproject.org/about/torusers.html.en
18 1. READ the full README
19 * https://github.com/ghacksuserjs/ghacks-user.js/blob/master/README.md
20 2. READ this
21 * https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation
22 3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum
23 * Real time binary checks with Google services are disabled (0412)
24 * You will still get prompts to update Firefox, but auto-installing them is disabled (0302a)
25 * Some user data is erased on close (section 2800). Change this to suit your needs
26 * EACH RELEASE check:
27 - 4600s: reset prefs made redundant due to privacy.resistFingerprinting (RPF)
28 or enable them as an alternative to RFP (or some of them for ESR users)
29 - 9999s: reset deprecated prefs in about:config or enable the relevant section for ESR
30 * Site breakage WILL happen
31 - There are often trade-offs and conflicts between Security vs Privacy vs Anti-Fingerprinting
32 and these need to be balanced against Functionality & Convenience & Breakage
33 * You will need to make changes, and to troubleshoot at times (choose wisely, there is always a trade-off).
34 While not 100% definitive, search for "[SETUP". If required, add each pref to your overrides section at
35 default values (or comment them out and reset them in about:config). Here are the main ones:
36 [SETUP-SECURITY] it's one item, read it
37 [SETUP-WEB] can cause some websites to break
38 [SETUP-CHROME] changes how Firefox itself behaves (i.e. NOT directly website related)
39 [SETUP-PERF] may impact performance
40 [SETUP-HARDEN] maybe you should consider using the Tor Browser
41 * [WARNING] tags are extra special and used sparingly, so heed them
42 4. BACKUP your profile folder before implementing (and/or test in a new/cloned profile)
43 5. KEEP UP TO DATE: https://github.com/ghacksuserjs/ghacks-user.js/wiki#small_orange_diamond-maintenance
44
45* INDEX:
46
47 0100: STARTUP
48 0200: GEOLOCATION / LANGUAGE / LOCALE
49 0300: QUIET FOX
50 0400: BLOCKLISTS / SAFE BROWSING
51 0500: SYSTEM ADD-ONS / EXPERIMENTS
52 0600: BLOCK IMPLICIT OUTBOUND
53 0700: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc
54 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS
55 0900: PASSWORDS
56 1000: CACHE / SESSION (RE)STORE / FAVICONS
57 1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
58 1400: FONTS
59 1600: HEADERS / REFERERS
60 1700: CONTAINERS
61 1800: PLUGINS
62 2000: MEDIA / CAMERA / MIC
63 2200: WINDOW MEDDLING & LEAKS / POPUPS
64 2300: WEB WORKERS
65 2400: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT
66 2500: HARDWARE FINGERPRINTING
67 2600: MISCELLANEOUS
68 2700: PERSISTENT STORAGE
69 2800: SHUTDOWN
70 4000: FPI (FIRST PARTY ISOLATION)
71 4500: RFP (RESIST FINGERPRINTING)
72 4600: RFP ALTERNATIVES
73 4700: RFP ALTERNATIVES (NAVIGATOR / USER AGENT (UA) SPOOFING)
74 5000: PERSONAL
75 9999: DEPRECATED / REMOVED / LEGACY / RENAMED
76
77******/
78
79/* START: internal custom pref to test for syntax errors
80 * [NOTE] In FF60+, not all syntax errors cause parsing to abort i.e. reaching the last debug
81 * pref no longer necessarily means that all prefs have been applied. Check the console right
82 * after startup for any warnings/error messages related to non-applied prefs
83 * [1] https://blog.mozilla.org/nnethercote/2018/03/09/a-new-preferences-parser-for-firefox/ ***/
84user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?");
85
86/* 0000: disable about:config warning
87 * The XUL version can still be accessed in FF71+ @ chrome://global/content/config.xul ***/
88user_pref("general.warnOnAboutConfig", false); // for the XUL version
89user_pref("browser.aboutConfig.showWarning", false); // for the new HTML version [FF71+]
90
91/*** [SECTION 0100]: STARTUP ***/
92user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
93/* 0101: disable default browser check
94 * [SETTING] General>Startup>Always check if Firefox is your default browser ***/
95user_pref("browser.shell.checkDefaultBrowser", false);
96/* 0102: set START page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
97 * [NOTE] Session Restore is not used in PB mode (0110) and is cleared with history (2803, 2804)
98 * [SETTING] General>Startup>Restore previous session ***/
99user_pref("browser.startup.page", 0);
100/* 0103: set HOME+NEWWINDOW page
101 * about:home=Activity Stream (default, see 0105), custom URL, about:blank
102 * [SETTING] Home>New Windows and Tabs>Homepage and new windows ***/
103user_pref("browser.startup.homepage", "about:blank");
104/* 0104: set NEWTAB page
105 * true=Activity Stream (default, see 0105), false=blank page
106 * [SETTING] Home>New Windows and Tabs>New tabs ***/
107user_pref("browser.newtabpage.enabled", false);
108user_pref("browser.newtab.preload", false);
109/* 0105: disable Activity Stream stuff (AS)
110 * AS is the default homepage/newtab in FF57+, based on metadata and browsing behavior.
111 * **NOT LISTING ALL OF THESE: USE THE PREFERENCES UI**
112 * [SETTING] Home>Firefox Home Content>... to show/hide what you want ***/
113/* 0105a: disable Activity Stream telemetry ***/
114user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
115user_pref("browser.newtabpage.activity-stream.telemetry", false);
116user_pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", "");
117/* 0105b: disable Activity Stream Snippets
118 * Runs code received from a server (aka Remote Code Execution) and sends information back to a metrics server
119 * [1] https://abouthome-snippets-service.readthedocs.io/ ***/
120user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
121user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "");
122/* 0105c: disable Activity Stream Top Stories, Pocket-based and/or sponsored content ***/
123user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
124user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
125user_pref("browser.newtabpage.activity-stream.showSponsored", false);
126user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); // [FF66+]
127/* 0105d: disable Activity Stream recent Highlights in the Library [FF57+] ***/
128 // user_pref("browser.library.activity-stream.enabled", false);
129/* 0110: start Firefox in PB (Private Browsing) mode
130 * [NOTE] In this mode *all* windows are "private windows" and the PB mode icon is not displayed
131 * [WARNING] The P in PB mode is misleading: it means no "persistent" disk storage such as history,
132 * caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode).
133 * In fact, PB mode limits or removes the ability to control some of these, and you need to quit
134 * Firefox to clear them. PB is best used as a one off window (File>New Private Window) to provide
135 * a temporary self-contained new session. Close all Private Windows to clear the PB mode session.
136 * [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode
137 * [1] https://wiki.mozilla.org/Private_Browsing
138 * [2] https://spreadprivacy.com/is-private-browsing-really-private/ ***/
139 // user_pref("browser.privatebrowsing.autostart", true);
140
141/*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/
142user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
143/** GEOLOCATION ***/
144/* 0201: disable Location-Aware Browsing
145 * [NOTE] Best left at default "true", fingerprintable, is already behind a prompt (see 0202)
146 * [1] https://www.mozilla.org/firefox/geolocation/ ***/
147 // user_pref("geo.enabled", false);
148/* 0202: set a default permission for Location (see 0201) [FF58+]
149 * 0=always ask (default), 1=allow, 2=block
150 * [NOTE] Best left at default "always ask", fingerprintable via Permissions API
151 * [SETTING] to add site exceptions: Page Info>Permissions>Access Your Location
152 * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings ***/
153 // user_pref("permissions.default.geo", 2);
154/* 0203: use Mozilla geolocation service instead of Google when geolocation is enabled
155 * Optionally enable logging to the console (defaults to false) ***/
156user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
157 // user_pref("geo.wifi.logging.enabled", true); // [HIDDEN PREF]
158/* 0204: disable using the OS's geolocation service ***/
159user_pref("geo.provider.ms-windows-location", false); // [WINDOWS]
160user_pref("geo.provider.use_corelocation", false); // [MAC]
161user_pref("geo.provider.use_gpsd", false); // [LINUX]
162/* 0205: disable GeoIP-based search results
163 * [NOTE] May not be hidden if Firefox has changed your settings due to your locale
164 * [1] https://trac.torproject.org/projects/tor/ticket/16254
165 * [2] https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine ***/
166user_pref("browser.search.region", "US"); // [HIDDEN PREF]
167user_pref("browser.search.geoip.url", "");
168/* 0206: disable geographically specific results/search engines e.g. "browser.search.*.US"
169 * i.e. ignore all of Mozilla's various search engines in multiple locales ***/
170user_pref("browser.search.geoSpecificDefaults", false);
171user_pref("browser.search.geoSpecificDefaults.url", "");
172
173/** LANGUAGE / LOCALE ***/
174/* 0210: set preferred language for displaying web pages
175 * [TEST] https://addons.mozilla.org/about ***/
176user_pref("intl.accept_languages", "en-US, en");
177/* 0211: enforce US English locale regardless of the system locale
178 * [1] https://bugzilla.mozilla.org/867501 ***/
179user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
180/* 0212: enforce fallback text encoding to match en-US
181 * When the content or server doesn't declare a charset the browser will
182 * fallback to the "Current locale" based on your application language
183 * [SETTING] General>Language and Appearance>Fonts and Colors>Advanced>Text Encoding for Legacy Content
184 * [TEST] https://hsivonen.com/test/moz/check-charset.htm
185 * [1] https://trac.torproject.org/projects/tor/ticket/20025 ***/
186user_pref("intl.charset.fallback.override", "windows-1252");
187
188/*** [SECTION 0300]: QUIET FOX
189 Starting in user.js v67, we only disable the auto-INSTALL of Firefox. You still get prompts
190 to update, in one click. We have NEVER disabled auto-CHECKING, and highly discourage that.
191 Previously we also disabled auto-INSTALLING of extensions (302b).
192
193 There are many legitimate reasons to turn off auto-INSTALLS, including hijacked or monetized
194 extensions, time constraints, legacy issues, dev/testing, and fear of breakage/bugs. It is
195 still important to do updates for security reasons, please do so manually if you make changes.
196***/
197user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!");
198/* 0301b: disable auto-CHECKING for extension and theme updates ***/
199 // user_pref("extensions.update.enabled", false);
200/* 0302a: disable auto-INSTALLING Firefox updates [NON-WINDOWS FF65+]
201 * [NOTE] In FF65+ on Windows this SETTING (below) is now stored in a file and the pref was removed
202 * [SETTING] General>Firefox Updates>Check for updates but let you choose... ***/
203user_pref("app.update.auto", false);
204/* 0302b: disable auto-INSTALLING extension and theme updates (after the check in 0301b)
205 * [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/
206 // user_pref("extensions.update.autoUpdateDefault", false);
207/* 0306: disable extension metadata
208 * used when installing/updating an extension, and in daily background update checks: if false, it
209 * hides the expanded text description (if it exists) when you "show more details about an addon" ***/
210 // user_pref("extensions.getAddons.cache.enabled", false);
211/* 0308: disable search update
212 * [SETTING] General>Firefox Updates>Automatically update search engines ***/
213user_pref("browser.search.update", false);
214/* 0309: disable sending Flash crash reports ***/
215user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
216/* 0310: disable sending the URL of the website where a plugin crashed ***/
217user_pref("dom.ipc.plugins.reportCrashURL", false);
218/* 0320: disable about:addons' Recommendations pane (uses Google Analytics) ***/
219user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF]
220/* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/
221user_pref("extensions.htmlaboutaddons.recommendations.enabled", false);
222/* 0330: disable telemetry
223 * the pref (.unified) affects the behaviour of the pref (.enabled)
224 * IF unified=false then .enabled controls the telemetry module
225 * IF unified=true then .enabled ONLY controls whether to record extended data
226 * so make sure to have both set as false
227 * [NOTE] FF58+ 'toolkit.telemetry.enabled' is now LOCKED to reflect prerelease
228 * or release builds (true and false respectively), see [2]
229 * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html
230 * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/
231user_pref("toolkit.telemetry.unified", false);
232user_pref("toolkit.telemetry.enabled", false); // see [NOTE] above FF58+
233user_pref("toolkit.telemetry.server", "data:,");
234user_pref("toolkit.telemetry.archive.enabled", false);
235user_pref("toolkit.telemetry.newProfilePing.enabled", false); // [FF55+]
236user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // [FF55+]
237user_pref("toolkit.telemetry.updatePing.enabled", false); // [FF56+]
238user_pref("toolkit.telemetry.bhrPing.enabled", false); // [FF57+] Background Hang Reporter
239user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+]
240user_pref("toolkit.telemetry.hybridContent.enabled", false); // [FF59+]
241/* 0331: disable Telemetry Coverage
242 * [1] https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ ***/
243user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF]
244user_pref("toolkit.coverage.opt-out", true); // [FF64+] [HIDDEN PREF]
245user_pref("toolkit.coverage.endpoint.base", "");
246/* 0340: disable Health Reports
247 * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical... data ***/
248user_pref("datareporting.healthreport.uploadEnabled", false);
249/* 0341: disable new data submission, master kill switch [FF41+]
250 * If disabled, no policy is shown or upload takes place, ever
251 * [1] https://bugzilla.mozilla.org/1195552 ***/
252user_pref("datareporting.policy.dataSubmissionEnabled", false);
253/* 0342: disable Studies (see 0503)
254 * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to install and run studies ***/
255user_pref("app.shield.optoutstudies.enabled", false);
256/* 0343: disable personalized Extension Recommendations in about:addons and AMO [FF65+]
257 * [NOTE] This pref has no effect when Health Reports (0340) are disabled
258 * [SETTING] Privacy & Security>Firefox Data Collection & Use>...>Allow Firefox to make personalized extension rec.
259 * [1] https://support.mozilla.org/kb/personalized-extension-recommendations ***/
260user_pref("browser.discovery.enabled", false);
261/* 0350: disable Crash Reports ***/
262user_pref("breakpad.reportURL", "");
263user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+]
264user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+]
265/* 0351: disable backlogged Crash Reports
266 * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send backlogged crash reports ***/
267user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [FF58+]
268/* 0390: disable Captive Portal detection
269 * [1] https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy
270 * [2] https://wiki.mozilla.org/Necko/CaptivePortal ***/
271user_pref("captivedetect.canonicalURL", "");
272user_pref("network.captive-portal-service.enabled", false); // [FF52+]
273/* 0391: disable Network Connectivity checks [FF65+]
274 * [1] https://bugzilla.mozilla.org/1460537 ***/
275user_pref("network.connectivity-service.enabled", false);
276
277/*** [SECTION 0400]: BLOCKLISTS / SAFE BROWSING (SB) ***/
278user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!");
279/** BLOCKLISTS ***/
280/* 0401: enforce Firefox blocklist, but sanitize blocklist url
281 * [NOTE] It includes updates for "revoked certificates"
282 * [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
283 * [2] https://trac.torproject.org/projects/tor/ticket/16931 ***/
284user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true]
285user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/");
286
287/** SAFE BROWSING (SB)
288 Safe Browsing has taken many steps to preserve privacy. *IF* required, a full url is never
289 sent to Google, only a PART-hash of the prefix, and this is hidden with noise of other real
290 PART-hashes. Google also swear it is anonymized and only used to flag malicious sites.
291 Firefox also takes measures such as striping out identifying parameters and since SBv4 (FF57+)
292 doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity)
293
294 #Required reading [#] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
295 [1] https://wiki.mozilla.org/Security/Safe_Browsing
296 [2] https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work
297***/
298/* 0410: disable SB (Safe Browsing)
299 * [WARNING] Do this at your own risk! These are the master switches.
300 * [SETTING] Privacy & Security>Security>... "Block dangerous and deceptive content" ***/
301 // user_pref("browser.safebrowsing.malware.enabled", false);
302 // user_pref("browser.safebrowsing.phishing.enabled", false);
303/* 0411: disable SB checks for downloads (both local lookups + remote)
304 * This is the master switch for the safebrowsing.downloads* prefs (0412, 0413)
305 * [SETTING] Privacy & Security>Security>... "Block dangerous downloads" ***/
306 // user_pref("browser.safebrowsing.downloads.enabled", false);
307/* 0412: disable SB checks for downloads (remote)
308 * To verify the safety of certain executable files, Firefox may submit some information about the
309 * file, including the name, origin, size and a cryptographic hash of the contents, to the Google
310 * Safe Browsing service which helps Firefox determine whether or not the file should be blocked
311 * [SETUP-SECURITY] If you do not understand this, or you want this protection, then override it ***/
312user_pref("browser.safebrowsing.downloads.remote.enabled", false);
313user_pref("browser.safebrowsing.downloads.remote.url", "");
314/* 0413: disable SB checks for unwanted software
315 * [SETTING] Privacy & Security>Security>... "Warn you about unwanted and uncommon software" ***/
316 // user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
317 // user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
318/* 0419: disable 'ignore this warning' on SB warnings
319 * If clicked, it bypasses the block for that session. This is a means for admins to enforce SB
320 * [TEST] see github wiki APPENDIX A: Test Sites: Section 5
321 * [1] https://bugzilla.mozilla.org/1226490 ***/
322 // user_pref("browser.safebrowsing.allowOverride", false);
323
324/*** [SECTION 0500]: SYSTEM ADD-ONS / EXPERIMENTS
325 System Add-ons are a method for shipping extensions, considered to be
326 built-in features to Firefox, that are hidden from the about:addons UI.
327 To view your System Add-ons go to about:support, they are listed under "Firefox Features"
328
329 Some System Add-ons have no on-off prefs. Instead you can manually remove them. Note that app
330 updates will restore them. They may also be updated and possibly restored automatically (see 0505)
331 * Portable: "...\App\Firefox64\browser\features\" (or "App\Firefox\etc" for 32bit)
332 * Windows: "...\Program Files\Mozilla\browser\features" (or "Program Files (X86)\etc" for 32bit)
333 * Mac: "...\Applications\Firefox\Contents\Resources\browser\features\"
334 [NOTE] On Mac you can right-click on the application and select "Show Package Contents"
335 * Linux: "/usr/lib/firefox/browser/features" (or similar)
336
337 [1] https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html
338 [2] https://dxr.mozilla.org/mozilla-central/source/browser/extensions
339***/
340user_pref("_user.js.parrot", "0500 syntax error: the parrot's cashed in 'is chips!");
341/* 0503: disable Normandy/Shield [FF60+]
342 * Shield is an telemetry system (including Heartbeat) that can also push and test "recipes"
343 * [1] https://wiki.mozilla.org/Firefox/Shield
344 * [2] https://github.com/mozilla/normandy ***/
345user_pref("app.normandy.enabled", false);
346user_pref("app.normandy.api_url", "");
347/* 0505: disable System Add-on updates ***/
348user_pref("extensions.systemAddon.update.enabled", false); // [FF62+]
349user_pref("extensions.systemAddon.update.url", ""); // [FF44+]
350/* 0506: disable PingCentre telemetry (used in several System Add-ons) [FF57+]
351 * Currently blocked by 'datareporting.healthreport.uploadEnabled' (see 0340) ***/
352user_pref("browser.ping-centre.telemetry", false);
353/* 0515: disable Screenshots
354 * alternatively in FF60+, disable uploading to the Screenshots server
355 * [1] https://github.com/mozilla-services/screenshots
356 * [2] https://www.ghacks.net/2017/05/28/firefox-screenshots-integrated-in-firefox-nightly/ ***/
357 // user_pref("extensions.screenshots.disabled", true); // [FF55+]
358 // user_pref("extensions.screenshots.upload-disabled", true); // [FF60+]
359/* 0517: disable Form Autofill
360 * [NOTE] Stored data is NOT secure (uses a JSON file)
361 * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
362 * [SETTING] Privacy & Security>Forms & Passwords>Autofill addresses
363 * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill
364 * [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ ***/
365user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+]
366user_pref("extensions.formautofill.available", "off"); // [FF56+]
367user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+]
368user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
369/* 0518: disable Web Compatibility Reporter [FF56+]
370 * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/
371user_pref("extensions.webcompat-reporter.enabled", false);
372
373/*** [SECTION 0600]: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - e.g. clicked on] ***/
374user_pref("_user.js.parrot", "0600 syntax error: the parrot's no more!");
375/* 0601: disable link prefetching
376 * [1] https://developer.mozilla.org/docs/Web/HTTP/Link_prefetching_FAQ ***/
377user_pref("network.prefetch-next", false);
378/* 0602: disable DNS prefetching
379 * [1] https://www.ghacks.net/2013/04/27/firefox-prefetching-what-you-need-to-know/
380 * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/
381user_pref("network.dns.disablePrefetch", true);
382user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF ESR] [DEFAULT: true FF70+]
383/* 0603: disable predictor / prefetching ***/
384user_pref("network.predictor.enabled", false);
385user_pref("network.predictor.enable-prefetch", false); // [FF48+]
386/* 0605: disable link-mouseover opening connection to linked server
387 * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests
388 * [2] https://www.ghacks.net/2015/08/16/block-firefox-from-connecting-to-sites-when-you-hover-over-links/ ***/
389user_pref("network.http.speculative-parallel-limit", 0);
390/* 0606: disable "Hyperlink Auditing" (click tracking) and enforce same host in case
391 * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/
392user_pref("browser.send_pings", false); // [DEFAULT: false]
393user_pref("browser.send_pings.require_same_host", true);
394
395/*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/
396user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!");
397/* 0701: disable IPv6
398 * IPv6 can be abused, especially regarding MAC addresses. They also do not play nice
399 * with VPNs. That's even assuming your ISP and/or router and/or website can handle it.
400 * Firefox telemetry (April 2019) shows only 5% of all connections are IPv6.
401 * [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an
402 * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP,
403 * then this won't make much difference. If you are masking your IP, then it can only help.
404 * [TEST] https://ipleak.org/
405 * [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/437#issuecomment-403740626
406 * [2] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/
407user_pref("network.dns.disableIPv6", true);
408/* 0702: disable HTTP2
409 * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
410 * enhance privacy, and opens up a number of server-side fingerprinting opportunities.
411 * [WARNING] Disabling this made sense in the past, and doesn't break anything, but HTTP2 is
412 * at 35% (April 2019) and growing [5]. Don't be that one person using HTTP1.1 on HTTP2 sites
413 * [1] https://http2.github.io/faq/
414 * [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
415 * [3] https://http2.github.io/http2-spec/#rfc.section.10.8
416 * [4] https://queue.acm.org/detail.cfm?id=2716278
417 * [5] https://w3techs.com/technologies/details/ce-http2/all/all ***/
418 // user_pref("network.http.spdy.enabled", false);
419 // user_pref("network.http.spdy.enabled.deps", false);
420 // user_pref("network.http.spdy.enabled.http2", false);
421 // user_pref("network.http.spdy.websockets", false); // [FF65+]
422/* 0703: disable HTTP Alternative Services [FF37+]
423 * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the
424 * consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
425 * and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
426 * [1] https://tools.ietf.org/html/rfc7838#section-9
427 * [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/
428user_pref("network.http.altsvc.enabled", false);
429user_pref("network.http.altsvc.oe", false);
430/* 0704: enforce the proxy server to do any DNS lookups when using SOCKS
431 * e.g. in Tor, this stops your local DNS server from knowing your Tor destination
432 * as a remote Tor node will handle the DNS request
433 * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
434user_pref("network.proxy.socks_remote_dns", true);
435/* 0708: disable FTP [FF60+]
436 * [1] https://www.ghacks.net/2018/02/20/firefox-60-with-new-preference-to-disable-ftp/ ***/
437 // user_pref("network.ftp.enabled", false);
438/* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+]
439 * [SETUP-CHROME] Can break extensions for profiles on network shares
440 * [1] https://trac.torproject.org/projects/tor/ticket/26424 ***/
441user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
442/* 0710: disable GIO as a potential proxy bypass vector
443 * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda,
444 * gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64)
445 * [1] https://bugzilla.mozilla.org/1433507
446 * [2] https://trac.torproject.org/23044
447 * [3] https://en.wikipedia.org/wiki/GVfs
448 * [4] https://en.wikipedia.org/wiki/GIO_(software) ***/
449user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
450
451/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS
452 Change items 0850 and above to suit for privacy vs convenience and functionality. Consider
453 your environment (no unwanted eyeballs), your device (restricted access), your device's
454 unattended state (locked, encrypted, forensic hardened). Likewise, you may want to check
455 the items cleared on shutdown in section 2800.
456 [NOTE] The urlbar is also commonly referred to as the location bar and address bar
457 #Required reading [#] https://xkcd.com/538/
458***/
459user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
460/* 0801: disable location bar using search
461 * Don't leak URL typos to a search engine, give an error message instead.
462 * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com"
463 * [NOTE] Search buttons in the dropdown work, but hitting 'enter' in the location bar will fail
464 * [TIP] You can add keywords to search engines in options (e.g. 'd' for DuckDuckGo) and
465 * the dropdown will now auto-select it and you can then hit 'enter' and it will work
466 * [SETUP-CHROME] If you don't, or rarely, type URLs, or you use a default search
467 * engine that respects privacy, then you probably don't need this ***/
468user_pref("keyword.enabled", false);
469/* 0802: disable location bar domain guessing
470 * domain guessing intercepts DNS "hostname not found errors" and resends a
471 * request (e.g. by adding www or .com). This is inconsistent use (e.g. FQDNs), does not work
472 * via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com
473 * as the 411 for DNS errors?), privacy issues (why connect to sites you didn't
474 * intend to), can leak sensitive data (e.g. query strings: e.g. Princeton attack),
475 * and is a security risk (e.g. common typos & malicious sites set up to exploit this) ***/
476user_pref("browser.fixup.alternate.enabled", false);
477/* 0803: display all parts of the url in the location bar ***/
478user_pref("browser.urlbar.trimURLs", false);
479/* 0805: disable coloring of visited links - CSS history leak
480 * [NOTE] This has NEVER been fully "resolved": in Mozilla/docs it is stated it's
481 * only in 'certain circumstances', also see latest comments in [2]
482 * [TEST] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use)
483 * [1] https://dbaron.org/mozilla/visited-privacy
484 * [2] https://bugzilla.mozilla.org/147777
485 * [3] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector ***/
486user_pref("layout.css.visited_links_enabled", false);
487/* 0807: disable live search suggestions
488/* [NOTE] Both must be true for the location bar to work
489 * [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine
490 * [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/
491user_pref("browser.search.suggest.enabled", false);
492user_pref("browser.urlbar.suggest.searches", false);
493/* 0809: disable location bar suggesting "preloaded" top websites [FF54+]
494 * [1] https://bugzilla.mozilla.org/1211726 ***/
495user_pref("browser.urlbar.usepreloadedtopurls.enabled", false);
496/* 0810: disable location bar making speculative connections [FF56+]
497 * [1] https://bugzilla.mozilla.org/1348275 ***/
498user_pref("browser.urlbar.speculativeConnect.enabled", false);
499/* 0850a: disable location bar suggestion types
500 * If all three suggestion types are false, search engine keywords are disabled
501 * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/
502 // user_pref("browser.urlbar.suggest.history", false);
503 // user_pref("browser.urlbar.suggest.bookmark", false);
504 // user_pref("browser.urlbar.suggest.openpage", false);
505/* 0850c: disable location bar dropdown
506 * This value controls the total number of entries to appear in the location bar dropdown
507 * [NOTE] Items (bookmarks/history/openpages) with a high "frecency"/"bonus" will always
508 * be displayed (no we do not know how these are calculated or what the threshold is),
509 * and this does not affect the search by search engine suggestion (see 0807)
510 * [NOTE] This setting is only useful if you want to enable search engine keywords
511 * (i.e. at least one of 0850a suggestion types must be true) but you want to *limit* suggestions shown ***/
512 // user_pref("browser.urlbar.maxRichResults", 0);
513/* 0850d: disable location bar autofill
514 * [1] https://support.mozilla.org/en-US/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/
515 // user_pref("browser.urlbar.autoFill", false);
516/* 0850e: disable location bar one-off searches [FF51+]
517 * [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ ***/
518 // user_pref("browser.urlbar.oneOffSearches", false);
519/* 0860: disable search and form history [SETUP-WEB]
520 * [WARNING] Autocomplete form data is still (in April 2019) easily read by third parties, see [1]
521 * [NOTE] We also clear formdata on exiting Firefox (see 2803)
522 * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history
523 * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html ***/
524user_pref("browser.formfill.enable", false);
525/* 0862: disable browsing and download history
526 * [NOTE] We also clear history and downloads on exiting Firefox (see 2803)
527 * [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/
528 // user_pref("places.history.enabled", false);
529/* 0870: disable Windows jumplist [WINDOWS] ***/
530user_pref("browser.taskbar.lists.enabled", false);
531user_pref("browser.taskbar.lists.frequent.enabled", false);
532user_pref("browser.taskbar.lists.recent.enabled", false);
533user_pref("browser.taskbar.lists.tasks.enabled", false);
534/* 0871: disable Windows taskbar preview [WINDOWS] ***/
535user_pref("browser.taskbar.previews.enable", false);
536
537/*** [SECTION 0900]: PASSWORDS ***/
538user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!");
539/* 0901: disable saving passwords
540 * [NOTE] This does not clear any passwords already saved
541 * [SETTING] Privacy & Security>Forms & Passwords>Ask to save logins and passwords for websites ***/
542 // user_pref("signon.rememberSignons", false);
543/* 0902: use a master password (recommended if you save passwords)
544 * There are no preferences for this. It is all handled internally.
545 * [SETTING] Privacy & Security>Forms & Passwords>Use a master password
546 * [1] https://support.mozilla.org/kb/use-master-password-protect-stored-logins ***/
547/* 0903: set how often Firefox should ask for the master password
548 * 0=the first time (default), 1=every time it's needed, 2=every n minutes (see 0904) ***/
549user_pref("security.ask_for_password", 2);
550/* 0904: set how often in minutes Firefox should ask for the master password (see 0903)
551 * in minutes, default is 30 ***/
552user_pref("security.password_lifetime", 5);
553/* 0905: disable auto-filling username & password form fields
554 * can leak in cross-site forms *and* be spoofed
555 * [NOTE] Username & password is still available when you enter the field ***/
556user_pref("signon.autofillForms", false);
557/* 0909: disable formless login capture for Password Manager [FF51+] ***/
558user_pref("signon.formlessCapture.enabled", false);
559/* 0912: limit (or disable) HTTP authentication credentials dialogs triggered by sub-resources [FF41+]
560 * hardens against potential credentials phishing
561 * 0=don't allow sub-resources to open HTTP authentication credentials dialogs
562 * 1=don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs
563 * 2=allow sub-resources to open HTTP authentication credentials dialogs (default)
564 * [1] https://www.fxsitecompat.com/en-CA/docs/2015/http-auth-dialog-can-no-longer-be-triggered-by-cross-origin-resources/ ***/
565user_pref("network.auth.subresource-http-auth-allow", 1);
566
567/*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS
568 Cache tracking/fingerprinting techniques [1][2][3] require a cache. Disabling disk (1001)
569 *and* memory (1003) caches is one solution; but that's extreme and fingerprintable. A hardened
570 Temporary Containers configuration can effectively do the same thing, by isolating every tab [4].
571
572 We consider avoiding disk cache (1001) so cache is session/memory only (like Private Browsing
573 mode), and isolating cache to first party (4001) is sufficient and a good balance between
574 risk and performance. ETAGs can also be neutralized by modifying response headers [5], and
575 you can clear the cache manually or on a regular basis with an extension.
576
577 [1] https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
578 [2] https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/
579 [3] https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache
580 [4] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
581 [5] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.4-Header-Editor
582***/
583user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
584/** CACHE ***/
585/* 1001: disable disk cache
586 * [SETUP-PERF] If you think disk cache may help (heavy tab user, high-res video),
587 * or you use a hardened Temporary Containers, then feel free to override this
588 * [NOTE] We also clear cache on exiting Firefox (see 2803) ***/
589user_pref("browser.cache.disk.enable", false);
590/* 1003: disable memory cache
591/* capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kilobytes ***/
592 // user_pref("browser.cache.memory.enable", false);
593 // user_pref("browser.cache.memory.capacity", 0); // [HIDDEN PREF ESR]
594/* 1006: disable permissions manager from writing to disk [RESTART]
595 * [NOTE] This means any permission changes are session only
596 * [1] https://bugzilla.mozilla.org/967812 ***/
597 // user_pref("permissions.memory_only", true); // [HIDDEN PREF]
598
599/** SESSIONS & SESSION RESTORE ***/
600/* 1020: exclude "Undo Closed Tabs" in Session Restore ***/
601 // user_pref("browser.sessionstore.max_tabs_undo", 0);
602/* 1021: disable storing extra session data [SETUP-CHROME]
603 * extra session data contains contents of forms, scrollbar positions, cookies and POST data
604 * define on which sites to save extra session data:
605 * 0=everywhere, 1=unencrypted sites, 2=nowhere ***/
606user_pref("browser.sessionstore.privacy_level", 2);
607/* 1022: disable resuming session from crash ***/
608 // user_pref("browser.sessionstore.resume_from_crash", false);
609/* 1023: set the minimum interval between session save operations
610 * Increasing this can help on older machines and some websites, as well as reducing writes, see [1]
611 * Default is 15000 (15 secs). Try 30000 (30 secs), 60000 (1 min) etc
612 * [SETUP-CHROME] This can also affect entries in the "Recently Closed Tabs" feature:
613 * i.e. the longer the interval the more chance a quick tab open/close won't be captured.
614 * This longer interval *may* affect history but we cannot replicate any history not recorded
615 * [1] https://bugzilla.mozilla.org/1304389 ***/
616user_pref("browser.sessionstore.interval", 30000);
617/* 1024: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS]
618 * [1] https://bugzilla.mozilla.org/603903 ***/
619user_pref("toolkit.winRegisterApplicationRestart", false);
620
621/** FAVICONS ***/
622/* 1030: disable favicons in shortcuts
623 * URL shortcuts use a cached randomly named .ico file which is stored in your
624 * profile/shortcutCache directory. The .ico remains after the shortcut is deleted.
625 * If set to false then the shortcuts use a generic Firefox icon ***/
626user_pref("browser.shell.shortcutFavicons", false);
627/* 1031: disable favicons in history and bookmarks
628 * Stored as data blobs in favicons.sqlite, these don't reveal anything that your
629 * actual history (and bookmarks) already do. Your history is more detailed, so
630 * control that instead; e.g. disable history, clear history on close, use PB mode
631 * [NOTE] favicons.sqlite is sanitized on Firefox close, not in-session ***/
632 // user_pref("browser.chrome.site_icons", false);
633/* 1032: disable favicons in web notifications ***/
634 // user_pref("alerts.showFavicons", false); // [DEFAULT: false]
635
636/*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
637 Your cipher and other settings can be used in server side fingerprinting
638 [TEST] https://www.ssllabs.com/ssltest/viewMyClient.html
639 [1] https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/
640***/
641user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
642/** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
643/* 1201: require safe negotiation
644 * Blocks connections to servers that don't support RFC 5746 [2] as they're potentially
645 * vulnerable to a MiTM attack [3]. A server *without* RFC 5746 can be safe from the attack
646 * if it disables renegotiations but the problem is that the browser can't know that.
647 * Setting this pref to true is the only way for the browser to ensure there will be
648 * no unsafe renegotiations on the channel between the browser and the server.
649 * [1] https://wiki.mozilla.org/Security:Renegotiation
650 * [2] https://tools.ietf.org/html/rfc5746
651 * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 ***/
652user_pref("security.ssl.require_safe_negotiation", true);
653/* 1202: control TLS versions with min and max
654 * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
655 * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint.
656 * Firefox telemetry (April 2019) shows only 0.5% of TLS web traffic uses 1.0 or 1.1
657 * [1] https://www.ssllabs.com/ssl-pulse/ ***/
658 // user_pref("security.tls.version.min", 3);
659 // user_pref("security.tls.version.max", 4);
660/* 1203: disable SSL session tracking [FF36+]
661 * SSL Session IDs are unique, last up to 24hrs in Firefox, and can be used for tracking
662 * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the
663 * consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
664 * and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
665 * [1] https://tools.ietf.org/html/rfc5077
666 * [2] https://bugzilla.mozilla.org/967977
667 * [3] https://arxiv.org/abs/1810.07304 ***/
668user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF]
669/* 1204: disable SSL Error Reporting
670 * [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html ***/
671user_pref("security.ssl.errorReporting.automatic", false);
672user_pref("security.ssl.errorReporting.enabled", false);
673user_pref("security.ssl.errorReporting.url", "");
674/* 1205: disable TLS1.3 0-RTT (round-trip time) [FF51+]
675 * [1] https://github.com/tlswg/tls13-spec/issues/1001
676 * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
677user_pref("security.tls.enable_0rtt_data", false);
678
679/** OCSP (Online Certificate Status Protocol)
680 #Required reading [#] https://scotthelme.co.uk/revocation-is-broken/ ***/
681/* 1210: enable OCSP Stapling
682 * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
683user_pref("security.ssl.enable_ocsp_stapling", true);
684/* 1211: control when to use OCSP fetching (to confirm current validity of certificates)
685 * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
686 * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
687 * It's a trade-off between security (checking) and privacy (leaking info to the CA)
688 * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
689 * [1] https://en.wikipedia.org/wiki/Ocsp ***/
690user_pref("security.OCSP.enabled", 1);
691/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail [SETUP-WEB]
692 * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
693 * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
694 * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
695 * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
696 * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
697 * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
698user_pref("security.OCSP.require", true);
699
700/** CERTS / HPKP (HTTP Public Key Pinning) ***/
701/* 1220: disable or limit SHA-1 certificates
702 * 0=all SHA1 certs are allowed
703 * 1=all SHA1 certs are blocked
704 * 2=deprecated option that now maps to 1
705 * 3=only allowed for locally-added roots (e.g. anti-virus)
706 * 4=only allowed for locally-added roots or for certs in 2015 and earlier
707 * [SETUP-CHROME] When disabled, some man-in-the-middle devices (e.g. security scanners and
708 * antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete.
709 * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/
710user_pref("security.pki.sha1_enforcement_level", 1);
711/* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
712 * 0=disable detecting Family Safety mode and importing the root
713 * 1=only attempt to detect Family Safety mode (don't import the root)
714 * 2=detect Family Safety mode and import the root
715 * [1] https://trac.torproject.org/projects/tor/ticket/21686 ***/
716user_pref("security.family_safety.mode", 0);
717/* 1222: disable intermediate certificate caching (fingerprinting attack vector) [FF41+] [RESTART]
718 * [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only.
719 * Saved logins and passwords are not available. Reset the pref and restart to return them.
720 * [1] https://shiftordie.de/blog/2017/02/21/fingerprinting-firefox-users-with-cached-intermediate-ca-certificates-fiprinca/ ***/
721 // user_pref("security.nocertdb", true); // [HIDDEN PREF]
722/* 1223: enforce strict pinning
723 * PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict
724 * [WARNING] If you rely on an AV (antivirus) to protect your web browsing
725 * by inspecting ALL your web traffic, then leave at current default=1
726 * [1] https://trac.torproject.org/projects/tor/ticket/16206 ***/
727user_pref("security.cert_pinning.enforcement_level", 2);
728
729/** MIXED CONTENT ***/
730/* 1240: disable insecure active content on https pages
731 * [1] https://trac.torproject.org/projects/tor/ticket/21323 ***/
732user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true]
733/* 1241: disable insecure passive content (such as images) on https pages [SETUP-WEB] ***/
734user_pref("security.mixed_content.block_display_content", true);
735/* 1243: block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks [FF59+]
736 * [1] https://bugzilla.mozilla.org/1190623 ***/
737user_pref("security.mixed_content.block_object_subrequest", true);
738
739/** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] ***/
740/* 1261: disable 3DES (effective key size < 128)
741 * [1] https://en.wikipedia.org/wiki/3des#Security
742 * [2] https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
743 * [3] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ***/
744 // user_pref("security.ssl3.rsa_des_ede3_sha", false);
745/* 1262: disable 128 bits ***/
746 // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
747 // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
748/* 1263: disable DHE (Diffie-Hellman Key Exchange)
749 * [1] https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH ***/
750 // user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
751 // user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
752/* 1264: disable the remaining non-modern cipher suites as of FF52 ***/
753 // user_pref("security.ssl3.rsa_aes_128_sha", false);
754 // user_pref("security.ssl3.rsa_aes_256_sha", false);
755
756/** UI (User Interface) ***/
757/* 1270: display warning on the padlock for "broken security" (if 1201 is false)
758 * Bug: warning padlock not indicated for subresources on a secure page! [2]
759 * [1] https://wiki.mozilla.org/Security:Renegotiation
760 * [2] https://bugzilla.mozilla.org/1353705 ***/
761user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
762/* 1271: control "Add Security Exception" dialog on SSL warnings
763 * 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)
764 * [1] https://github.com/pyllyukko/user.js/issues/210 ***/
765user_pref("browser.ssl_override_behavior", 1);
766/* 1272: display advanced information on Insecure Connection warning pages
767 * only works when it's possible to add an exception
768 * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/)
769 * [TEST] https://expired.badssl.com/ ***/
770user_pref("browser.xul.error_pages.expert_bad_cert", true);
771/* 1273: display "insecure" icon and "Not Secure" text on HTTP sites ***/
772user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true FF70+]
773user_pref("security.insecure_connection_text.enabled", true); // [FF60+]
774
775/*** [SECTION 1400]: FONTS ***/
776user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
777/* 1401: disable websites choosing fonts (0=block, 1=allow)
778 * This can limit most (but not all) JS font enumeration which is a high entropy fingerprinting vector
779 * [SETUP-WEB] Disabling fonts can uglify the web a fair bit.
780 * [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Allow pages to choose... ***/
781user_pref("browser.display.use_document_fonts", 0);
782/* 1403: disable icon fonts (glyphs) and local fallback rendering
783 * [1] https://bugzilla.mozilla.org/789788
784 * [2] https://trac.torproject.org/projects/tor/ticket/8455 ***/
785 // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+]
786 // user_pref("gfx.downloadable_fonts.fallback_delay", -1);
787/* 1404: disable rendering of SVG OpenType fonts
788 * [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
789user_pref("gfx.font_rendering.opentype_svg.enabled", false);
790/* 1408: disable graphite which FF49 turned back on by default
791 * In the past it had security issues. Update: This continues to be the case, see [1]
792 * [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 ***/
793user_pref("gfx.font_rendering.graphite.enabled", false);
794/* 1409: limit system font exposure to a whitelist [FF52+] [RESTART]
795 * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.
796 * [WARNING] Creating your own probably highly-unique whitelist will raise your entropy.
797 * Eventually privacy.resistFingerprinting (see 4500) will cover this
798 * [1] https://bugzilla.mozilla.org/1121643 ***/
799 // user_pref("font.system.whitelist", ""); // [HIDDEN PREF]
800
801/*** [SECTION 1600]: HEADERS / REFERERS
802 Only *cross domain* referers need controlling: leave 1601, 1602, 1605 and 1606 alone
803 ---
804 harden it a bit: set XOriginPolicy (1603) to 1 (as per the settings below)
805 harden it a bit more: set XOriginPolicy (1603) to 2 (and optionally 1604 to 1 or 2), expect breakage
806 ---
807 If you want any REAL control over referers and breakage, then use an extension. Either:
808 uMatrix: limited by scope, all requests are spoofed or not-spoofed
809 Smart Referrer: granular with source<->destination, whitelists
810 ---
811 full URI: https://example.com:8888/foo/bar.html?id=1234
812 scheme+host+port+path: https://example.com:8888/foo/bar.html
813 scheme+host+port: https://example.com:8888
814 ---
815 #Required reading [#] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/
816***/
817user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
818/* 1601: ALL: control when images/links send a referer
819 * 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/
820 // user_pref("network.http.sendRefererHeader", 2); // [DEFAULT: 2]
821/* 1602: ALL: control the amount of information to send
822 * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
823 // user_pref("network.http.referer.trimmingPolicy", 0); // [DEFAULT: 0]
824/* 1603: CROSS ORIGIN: control when to send a referer
825 * 0=always (default), 1=only if base domains match, 2=only if hosts match
826 * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud ***/
827user_pref("network.http.referer.XOriginPolicy", 1);
828/* 1604: CROSS ORIGIN: control the amount of information to send [FF52+]
829 * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
830user_pref("network.http.referer.XOriginTrimmingPolicy", 0); // [DEFAULT: 0]
831/* 1605: ALL: disable spoofing a referer
832 * [WARNING] Do not set this to true, as spoofing effectively disables the anti-CSRF
833 * (Cross-Site Request Forgery) protections that some sites may rely on ***/
834 // user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
835/* 1606: ALL: set the default Referrer Policy [FF59+]
836 * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
837 * [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy
838 * [1] https://www.w3.org/TR/referrer-policy/
839 * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
840 * [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ***/
841 // user_pref("network.http.referer.defaultPolicy", 3); // [DEFAULT: 3]
842 // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2]
843/* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain [FF54+]
844 * [NOTE] Firefox cannot access .onion sites by default. We recommend you use
845 * the Tor Browser which is specifically designed for hidden services
846 * [1] https://bugzilla.mozilla.org/1305144 ***/
847user_pref("network.http.referer.hideOnionSource", true);
848/* 1610: ALL: enable the DNT (Do Not Track) HTTP header
849 * [NOTE] DNT is enforced with Tracking Protection regardless of this pref
850 * [SETTING] Privacy & Security>Content Blocking>Send websites a "Do Not Track"... ***/
851user_pref("privacy.donottrackheader.enabled", true);
852
853/*** [SECTION 1700]: CONTAINERS
854 If you want to *really* leverage containers, we highly recommend Temporary Containers [2].
855 Read the article by the extension author [3], and check out the github wiki/repo [4].
856 [1] https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
857 [2] https://addons.mozilla.org/firefox/addon/temporary-containers/
858 [3] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
859 [4] https://github.com/stoically/temporary-containers/wiki
860***/
861user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");
862/* 1701: enable Container Tabs setting in preferences (see 1702) [FF50+]
863 * [1] https://bugzilla.mozilla.org/1279029 ***/
864user_pref("privacy.userContext.ui.enabled", true);
865/* 1702: enable Container Tabs [FF50+]
866 * [SETTING] General>Tabs>Enable Container Tabs ***/
867user_pref("privacy.userContext.enabled", true);
868/* 1704: set behaviour on "+ Tab" button to display container menu [FF53+] [SETUP-CHROME]
869 * 0=no menu (default), 1=show when clicked, 2=show on long press
870 * [1] https://bugzilla.mozilla.org/1328756 ***/
871user_pref("privacy.userContext.longPressBehavior", 2);
872
873/*** [SECTION 1800]: PLUGINS ***/
874user_pref("_user.js.parrot", "1800 syntax error: the parrot's pushing up daisies!");
875/* 1803: disable Flash plugin
876 * 0=deactivated, 1=ask, 2=enabled
877 * ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable only supports Flash
878 * [NOTE] You can still override individual sites via site permissions
879 * [1] https://www.ghacks.net/2013/07/09/how-to-make-sure-that-a-firefox-plugin-never-activates-again/ ***/
880user_pref("plugin.state.flash", 0);
881/* 1820: disable GMP (Gecko Media Plugins)
882 * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/
883 // user_pref("media.gmp-provider.enabled", false);
884/* 1825: disable widevine CDM (Content Decryption Module)
885 * [SETUP-WEB] if you *need* CDM, e.g. Netflix, Amazon Prime, Hulu, whatever ***/
886user_pref("media.gmp-widevinecdm.visible", false);
887user_pref("media.gmp-widevinecdm.enabled", false);
888/* 1830: disable all DRM content (EME: Encryption Media Extension)
889 * [SETUP-WEB] if you *need* EME, e.g. Netflix, Amazon Prime, Hulu, whatever
890 * [SETTING] General>DRM Content>Play DRM-controlled content
891 * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
892user_pref("media.eme.enabled", false);
893
894/*** [SECTION 2000]: MEDIA / CAMERA / MIC ***/
895user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
896/* 2001: disable WebRTC (Web Real-Time Communication)
897 * [SETUP-WEB] WebRTC can leak your IP address from behind your VPN, but if this is not
898 * in your threat model, and you want Real-Time Communication, this is the pref for you
899 * [1] https://www.privacytools.io/#webrtc ***/
900user_pref("media.peerconnection.enabled", false);
901/* 2002: limit WebRTC IP leaks if using WebRTC
902 * In FF70+ these settings match Mode 4 (Mode 3 in older versions) (see [3])
903 * [TEST] https://browserleaks.com/webrtc
904 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713
905 * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy
906 * [3] https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12#section-5.2 ***/
907user_pref("media.peerconnection.ice.default_address_only", true);
908user_pref("media.peerconnection.ice.no_host", true); // [FF51+]
909user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+]
910/* 2010: disable WebGL (Web Graphics Library)
911 * [SETUP-WEB] When disabled, may break some websites. When enabled, provides high entropy,
912 * especially with readPixels(). Some of the other entropy is lessened with RFP (see 4501)
913 * [1] https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
914 * [2] https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/
915user_pref("webgl.disabled", true);
916user_pref("webgl.enable-webgl2", false);
917/* 2012: limit WebGL ***/
918user_pref("webgl.min_capability_mode", true);
919user_pref("webgl.disable-extensions", true);
920user_pref("webgl.disable-fail-if-major-performance-caveat", true);
921/* 2022: disable screensharing ***/
922user_pref("media.getusermedia.screensharing.enabled", false);
923user_pref("media.getusermedia.browser.enabled", false);
924user_pref("media.getusermedia.audiocapture.enabled", false);
925/* 2024: set a default permission for Camera/Microphone [FF58+]
926 * 0=always ask (default), 1=allow, 2=block
927 * [SETTING] to add site exceptions: Page Info>Permissions>Use the Camera/Microphone
928 * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings ***/
929 // user_pref("permissions.default.camera", 2);
930 // user_pref("permissions.default.microphone", 2);
931/* 2030: disable autoplay of HTML5 media [FF63+]
932 * 0=Allow all, 1=Block non-muted media (default in FF67+), 2=Prompt (removed in FF66), 5=Block all (FF69+)
933 * [NOTE] You can set exceptions under site permissions
934 * [SETTING] Privacy & Security>Permissions>Autoplay>Settings>Default for all websites ***/
935 // user_pref("media.autoplay.default", 5);
936/* 2031: disable autoplay of HTML5 media if you interacted with the site [FF66+] ***/
937user_pref("media.autoplay.enabled.user-gestures-needed", false);
938/* 2032: disable autoplay of HTML5 media in non-active tabs [FF51+]
939 * [1] https://www.ghacks.net/2016/11/14/firefox-51-blocks-automatic-audio-playback-in-non-active-tabs/ ***/
940user_pref("media.block-autoplay-until-in-foreground", true); // [DEFAULT: true]
941
942/*** [SECTION 2200]: WINDOW MEDDLING & LEAKS / POPUPS ***/
943user_pref("_user.js.parrot", "2200 syntax error: the parrot's 'istory!");
944/* 2201: prevent websites from disabling new window features ***/
945user_pref("dom.disable_window_open_feature.close", true);
946user_pref("dom.disable_window_open_feature.location", true); // [DEFAULT: true]
947user_pref("dom.disable_window_open_feature.menubar", true);
948user_pref("dom.disable_window_open_feature.minimizable", true);
949user_pref("dom.disable_window_open_feature.personalbar", true); // bookmarks toolbar
950user_pref("dom.disable_window_open_feature.resizable", true); // [DEFAULT: true]
951user_pref("dom.disable_window_open_feature.status", true); // [DEFAULT: true]
952user_pref("dom.disable_window_open_feature.titlebar", true);
953user_pref("dom.disable_window_open_feature.toolbar", true);
954/* 2202: prevent scripts from moving and resizing open windows ***/
955user_pref("dom.disable_window_move_resize", true);
956/* 2203: open links targeting new windows in a new tab instead
957 * This stops malicious window sizes and some screen resolution leaks.
958 * You can still right-click a link and open in a new window.
959 * [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen
960 * [1] https://trac.torproject.org/projects/tor/ticket/9881 ***/
961user_pref("browser.link.open_newwindow", 3);
962user_pref("browser.link.open_newwindow.restriction", 0);
963/* 2204: disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks
964 * [NOTE] You can still manually toggle the browser's fullscreen state (F11),
965 * but this pref will disable embedded video/game fullscreen controls, e.g. youtube
966 * [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen ***/
967 // user_pref("full-screen-api.enabled", false);
968/* 2210: block popup windows
969 * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/
970user_pref("dom.disable_open_during_load", true);
971/* 2212: limit events that can cause a popup [SETUP-WEB]
972 * default is "change click dblclick auxclick mouseup pointerup notificationclick reset submit touchend contextmenu" ***/
973user_pref("dom.popup_allowed_events", "click dblclick");
974
975/*** [SECTION 2300]: WEB WORKERS
976 A worker is a JS "background task" running in a global context, i.e. it is different from
977 the current window. Workers can spawn new workers (must be the same origin & scheme),
978 including service and shared workers. Shared workers can be utilized by multiple scripts and
979 communicate between browsing contexts (windows/tabs/iframes) and can even control your cache.
980
981 [NOTE] uMatrix 1.2.0+ allows a per-scope control for workers (2301-deprecated) and service workers (2302)
982 #Required reading [#] https://github.com/gorhill/uMatrix/releases/tag/1.2.0
983
984 [1] Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API
985 [2] Worker: https://developer.mozilla.org/docs/Web/API/Worker
986 [3] Service Worker: https://developer.mozilla.org/docs/Web/API/Service_Worker_API
987 [4] SharedWorker: https://developer.mozilla.org/docs/Web/API/SharedWorker
988 [5] ChromeWorker: https://developer.mozilla.org/docs/Web/API/ChromeWorker
989 [6] Notifications: https://support.mozilla.org/questions/1165867#answer-981820
990***/
991user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!");
992/* 2302: disable service workers [FF32, FF44-compat]
993 * Service workers essentially act as proxy servers that sit between web apps, and the
994 * browser and network, are event driven, and can control the web page/site it is associated
995 * with, intercepting and modifying navigation and resource requests, and caching resources.
996 * [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode.
997 * [NOTE] Service workers only run over HTTPS. Service workers have no DOM access.
998 * [SETUP-WEB] Disabling service workers will break some sites. This pref is required true for
999 * service worker notifications (2304), push notifications (disabled, 2305) and service worker
1000 * cache (2740). If you enable this pref, then check those settings as well ***/
1001user_pref("dom.serviceWorkers.enabled", false);
1002/* 2304: disable Web Notifications
1003 * [NOTE] Web Notifications can also use service workers (2302) and are behind a prompt (2306)
1004 * [1] https://developer.mozilla.org/docs/Web/API/Notifications_API ***/
1005 // user_pref("dom.webnotifications.enabled", false); // [FF22+]
1006 // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
1007/* 2305: disable Push Notifications [FF44+]
1008 * Push is an API that allows websites to send you (subscribed) messages even when the site
1009 * isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server.
1010 * [NOTE] Push requires service workers (2302) to subscribe to and display, and is behind
1011 * a prompt (2306). Disabling service workers alone doesn't stop Firefox polling the
1012 * Mozilla Push Server. To remove all subscriptions, reset your userAgentID (in about:config
1013 * or on start), and you will get a new one within a few seconds.
1014 * [1] https://support.mozilla.org/en-US/kb/push-notifications-firefox
1015 * [2] https://developer.mozilla.org/en-US/docs/Web/API/Push_API ***/
1016user_pref("dom.push.enabled", false);
1017 // user_pref("dom.push.userAgentID", "");
1018/* 2306: set a default permission for Notifications (both 2304 and 2305) [FF58+]
1019 * 0=always ask (default), 1=allow, 2=block
1020 * [NOTE] Best left at default "always ask", fingerprintable via Permissions API
1021 * [SETTING] to add site exceptions: Page Info>Permissions>Receive Notifications
1022 * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings ***/
1023 // user_pref("permissions.default.desktop-notification", 2);
1024
1025/*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/
1026user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!");
1027/* 2401: disable website control over browser right-click context menu
1028 * [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/
1029 // user_pref("dom.event.contextmenu.enabled", false);
1030/* 2402: disable website access to clipboard events/content
1031 * [SETUP-WEB] This will break some sites functionality such as pasting into facebook, wordpress
1032 * this applies to onCut, onCopy, onPaste events - i.e. you have to interact with
1033 * the website for it to look at the clipboard
1034 * [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/ ***/
1035user_pref("dom.event.clipboardevents.enabled", false);
1036/* 2403: disable middlemouse paste leaking clipboard content on Linux after autoscroll
1037 * Defense in depth if clipboard events are enabled (see 2402)
1038 * [1] https://bugzilla.mozilla.org/1528289 */
1039user_pref("middlemouse.paste", false); // [DEFAULT: false on Windows]
1040/* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
1041 * this disables document.execCommand("cut"/"copy") to protect your clipboard
1042 * [1] https://bugzilla.mozilla.org/1170911 ***/
1043user_pref("dom.allow_cut_copy", false);
1044/* 2405: disable "Confirm you want to leave" dialog on page close
1045 * Does not prevent JS leaks of the page close event.
1046 * [1] https://developer.mozilla.org/docs/Web/Events/beforeunload
1047 * [2] https://support.mozilla.org/questions/1043508 ***/
1048user_pref("dom.disable_beforeunload", true);
1049/* 2414: disable shaking the screen ***/
1050user_pref("dom.vibrator.enabled", false);
1051/* 2420: disable asm.js [FF22+] [SETUP-PERF]
1052 * [1] http://asmjs.org/
1053 * [2] https://www.mozilla.org/security/advisories/mfsa2015-29/
1054 * [3] https://www.mozilla.org/security/advisories/mfsa2015-50/
1055 * [4] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
1056 * [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
1057 * [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
1058user_pref("javascript.options.asmjs", false);
1059/* 2421: disable Ion and baseline JIT to help harden JS against exploits
1060 * [WARNING] If false, causes the odd site issue and there is also a performance loss
1061 * [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
1062 // user_pref("javascript.options.ion", false);
1063 // user_pref("javascript.options.baselinejit", false);
1064/* 2422: disable WebAssembly [FF52+] [SETUP-PERF]
1065 * [NOTE] In FF71+ this no longer affects extensions (1576254)
1066 * [1] https://developer.mozilla.org/docs/WebAssembly ***/
1067user_pref("javascript.options.wasm", false);
1068/* 2426: disable Intersection Observer API [FF55+]
1069 * [1] https://developer.mozilla.org/docs/Web/API/Intersection_Observer_API
1070 * [2] https://w3c.github.io/IntersectionObserver/
1071 * [3] https://bugzilla.mozilla.org/1243846 ***/
1072 // user_pref("dom.IntersectionObserver.enabled", false);
1073/* 2429: enable (limited but sufficient) window.opener protection [FF65+]
1074 * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/
1075user_pref("dom.targetBlankNoOpener.enabled", true);
1076
1077/*** [SECTION 2500]: HARDWARE FINGERPRINTING ***/
1078user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!");
1079/* 2502: disable Battery Status API
1080 * Initially a Linux issue (high precision readout) that was fixed.
1081 * However, it is still another metric for fingerprinting, used to raise entropy.
1082 * e.g. do you have a battery or not, current charging status, charge level, times remaining etc
1083 * [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code. see [1]
1084 * [1] https://bugzilla.mozilla.org/1313580 ***/
1085 // user_pref("dom.battery.enabled", false);
1086/* 2504: disable virtual reality devices
1087 * Optional protection depending on your connected devices
1088 * [1] https://developer.mozilla.org/docs/Web/API/WebVR_API ***/
1089 // user_pref("dom.vr.enabled", false);
1090/* 2505: disable media device enumeration [FF29+]
1091 * [NOTE] media.peerconnection.enabled should also be set to false (see 2001)
1092 * [1] https://wiki.mozilla.org/Media/getUserMedia
1093 * [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices ***/
1094user_pref("media.navigator.enabled", false);
1095/* 2508: disable hardware acceleration to reduce graphics fingerprinting [SETUP-HARDEN]
1096 * [WARNING] Affects text rendering (fonts will look different), impacts video performance,
1097 * and parts of Quantum that utilize the GPU will also be affected as they are rolled out
1098 * [SETTING] General>Performance>Custom>Use hardware acceleration when available
1099 * [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/
1100 // user_pref("gfx.direct2d.disabled", true); // [WINDOWS]
1101 // user_pref("layers.acceleration.disabled", true);
1102/* 2510: disable Web Audio API [FF51+]
1103 * [1] https://bugzilla.mozilla.org/1288359 ***/
1104user_pref("dom.webaudio.enabled", false);
1105/* 2517: disable Media Capabilities API [FF63+]
1106 * [WARNING] This *may* affect media performance if disabled, no one is sure
1107 * [1] https://github.com/WICG/media-capabilities
1108 * [2] https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/
1109 // user_pref("media.media-capabilities.enabled", false);
1110
1111/*** [SECTION 2600]: MISCELLANEOUS ***/
1112user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
1113/* 2601: prevent accessibility services from accessing your browser [RESTART]
1114 * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser
1115 * [1] https://support.mozilla.org/kb/accessibility-services ***/
1116user_pref("accessibility.force_disabled", 1);
1117/* 2602: disable sending additional analytics to web servers
1118 * [1] https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/
1119user_pref("beacon.enabled", false);
1120/* 2603: remove temp files opened with an external application
1121 * [1] https://bugzilla.mozilla.org/302433 ***/
1122user_pref("browser.helperApps.deleteTempFileOnExit", true);
1123/* 2604: disable page thumbnail collection
1124 * look in profile/thumbnails directory - you may want to clean that out ***/
1125user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF]
1126/* 2605: block web content in file processes [FF55+]
1127 * [SETUP-WEB] You may want to disable this for corporate or developer environments
1128 * [1] https://bugzilla.mozilla.org/1343184 ***/
1129user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false);
1130/* 2606: disable UITour backend so there is no chance that a remote page can use it ***/
1131user_pref("browser.uitour.enabled", false);
1132user_pref("browser.uitour.url", "");
1133/* 2607: disable various developer tools in browser context
1134 * [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
1135 * [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/
1136user_pref("devtools.chrome.enabled", false);
1137/* 2608: disable remote debugging
1138 * [1] https://trac.torproject.org/projects/tor/ticket/16222 ***/
1139user_pref("devtools.debugger.remote-enabled", false);
1140/* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
1141 * [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#misc
1142 * [1] https://bugzilla.mozilla.org/1173199 ***/
1143 // user_pref("mathml.disabled", true);
1144/* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]
1145 * [NOTE] In FF70+ and ESR68.1.0+ this no longer affects extensions (1564208)
1146 * [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
1147 * [1] https://bugzilla.mozilla.org/1216893 ***/
1148 // user_pref("svg.disabled", true);
1149/* 2611: disable middle mouse click opening links from clipboard
1150 * [1] https://trac.torproject.org/projects/tor/ticket/10089 ***/
1151user_pref("middlemouse.contentLoadURL", false);
1152/* 2614: limit HTTP redirects (this does not control redirects with HTML meta tags or JS)
1153 * [NOTE] A low setting of 5 or under will probably break some sites (e.g. gmail logins)
1154 * To control HTML Meta tag and JS redirects, use an extension. Default is 20 ***/
1155user_pref("network.http.redirection-limit", 10);
1156/* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+]
1157 * 0 (default) or 1=allow, 2=block
1158 * [SETTING] to add site exceptions: Page Info>Permissions>Override Keyboard Shortcuts ***/
1159 // user_pref("permissions.default.shortcuts", 2);
1160/* 2616: remove special permissions for certain mozilla domains [FF35+]
1161 * [1] resource://app/defaults/permissions ***/
1162user_pref("permissions.manager.defaultsUrl", "");
1163/* 2617: remove webchannel whitelist ***/
1164user_pref("webchannel.allowObject.urlWhitelist", "");
1165/* 2619: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
1166 * Firefox has *some* protections, but it is better to be safe than sorry. The downside: it will also
1167 * display legitimate IDN's punycoded, which might be undesirable for users of non-latin alphabets
1168 * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
1169 * [1] https://wiki.mozilla.org/IDN_Display_Algorithm
1170 * [2] https://en.wikipedia.org/wiki/IDN_homograph_attack
1171 * [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
1172 * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
1173user_pref("network.IDN_show_punycode", true);
1174/* 2620: enforce Firefox's built-in PDF reader [SETUP-CHROME]
1175 * This setting controls if the option "Display in Firefox" is available in the setting below
1176 * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
1177 * PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
1178 * Exploits are rare (1 serious case in 4 yrs), treated seriously and patched quickly.
1179 * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
1180 * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
1181 * CONS: You may prefer a different pdf reader for security reasons
1182 * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare)
1183 * [SETTING] General>Applications>Portable Document Format (PDF) ***/
1184user_pref("pdfjs.disabled", false); // [DEFAULT: false]
1185/* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS]
1186 * [1] https://www.ghacks.net/2016/03/25/block-firefox-chrome-windows-store/ ***/
1187user_pref("network.protocol-handler.external.ms-windows-store", false);
1188
1189/** DOWNLOADS ***/
1190/* 2650: discourage downloading to desktop
1191 * 0=desktop, 1=downloads (default), 2=last used
1192 * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
1193 // user_pref("browser.download.folderList", 2);
1194/* 2651: enforce user interaction for security by always asking where to download
1195 * [SETUP-CHROME] On Android this blocks longtapping and saving images
1196 * [SETTING] General>Downloads>Always ask you where to save files ***/
1197user_pref("browser.download.useDownloadDir", false);
1198/* 2652: disable adding downloads to the system's "recent documents" list ***/
1199user_pref("browser.download.manager.addToRecentDocs", false);
1200/* 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin ***/
1201user_pref("browser.download.hide_plugins_without_extensions", false);
1202/* 2654: disable "open with" in download dialog [FF50+] [SETUP-HARDEN]
1203 * This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
1204 * in such a way that it is forbidden to run external applications.
1205 * [WARNING] This may interfere with some users' workflow or methods
1206 * [1] https://bugzilla.mozilla.org/1281959 ***/
1207 // user_pref("browser.download.forbid_open_with", true);
1208
1209/** EXTENSIONS ***/
1210/* 2660: lock down allowed extension directories
1211 * [SETUP-CHROME] This will break extensions, language packs, themes and any other
1212 * XPI files which are installed outside of profile and application directories
1213 * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
1214 * [1] archived: https://archive.is/DYjAM ***/
1215user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF]
1216user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
1217/* 2662: disable webextension restrictions on certain mozilla domains (also see 4503) [FF60+]
1218 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
1219 // user_pref("extensions.webextensions.restrictedDomains", "");
1220
1221/** SECURITY ***/
1222/* 2680: enforce CSP (Content Security Policy)
1223 * [WARNING] CSP is a very important and widespread security feature. Don't disable it!
1224 * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
1225user_pref("security.csp.enable", true); // [DEFAULT: true]
1226/* 2684: enforce a security delay on some confirmation dialogs such as install, open/save
1227 * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
1228user_pref("security.dialog_enable_delay", 700);
1229
1230/*** [SECTION 2700]: PERSISTENT STORAGE
1231 Data SET by websites including
1232 cookies : profile\cookies.sqlite
1233 localStorage : profile\webappsstore.sqlite
1234 indexedDB : profile\storage\default
1235 appCache : profile\OfflineCache
1236 serviceWorkers :
1237
1238 [NOTE] indexedDB and serviceWorkers are not available in Private Browsing Mode
1239 [NOTE] Blocking cookies also blocks websites access to: localStorage (incl. sessionStorage),
1240 indexedDB, sharedWorker, and serviceWorker (and therefore service worker cache and notifications)
1241 If you set a site exception for cookies (either "Allow" or "Allow for Session") then they become
1242 accessible to websites except shared/service workers where the cookie setting *must* be "Allow"
1243***/
1244user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
1245/* 2701: disable 3rd-party cookies and site-data [SETUP-WEB]
1246 * 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies,
1247 * 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (FF63+) (default FF69+)
1248 * [NOTE] You can set exceptions under site permissions or use an extension
1249 * [SETTING] Privacy & Security>Content Blocking>Custom>Choose what to block>Cookies ***/
1250user_pref("network.cookie.cookieBehavior", 1);
1251/* 2702: set third-party cookies (i.e ALL) (if enabled, see 2701) to session-only
1252 and (FF58+) set third-party non-secure (i.e HTTP) cookies to session-only
1253 [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
1254 .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
1255 * [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/
1256user_pref("network.cookie.thirdparty.sessionOnly", true);
1257user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
1258/* 2703: delete cookies and site data on close
1259 * 0=keep until they expire (default), 2=keep until you close Firefox
1260 * [NOTE] The setting below is disabled (but not changed) if you block all cookies (2701 = 2)
1261 * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed ***/
1262 // user_pref("network.cookie.lifetimePolicy", 2);
1263/* 2710: disable DOM (Document Object Model) Storage
1264 * [WARNING] This will break a LOT of sites' functionality AND extensions!
1265 * You are better off using an extension for more granular control ***/
1266 // user_pref("dom.storage.enabled", false);
1267/* 2720: enforce IndexedDB (IDB) as enabled
1268 * IDB is required for extensions and Firefox internals (even before FF63 in [1])
1269 * To control *website* IDB data, control allowing cookies and service workers, or use
1270 * Temporary Containers. To mitigate *website* IDB, FPI helps (4001), and/or sanitize
1271 * on close (Offline Website Data, see 2800) or on-demand (Ctrl-Shift-Del), or automatically
1272 * via an extension. Note that IDB currently cannot be sanitized by host.
1273 * [1] https://blog.mozilla.org/addons/2018/08/03/new-backend-for-storage-local-api/ ***/
1274user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true]
1275/* 2730: disable offline cache ***/
1276user_pref("browser.cache.offline.enable", false);
1277/* 2740: disable service worker cache and cache storage
1278 * [NOTE] We clear service worker cache on exiting Firefox (see 2803)
1279 * [1] https://w3c.github.io/ServiceWorker/#privacy ***/
1280 // user_pref("dom.caches.enabled", false);
1281/* 2750: disable Storage API [FF51+]
1282 * The API gives sites the ability to find out how much space they can use, how much
1283 * they are already using, and even control whether or not they need to be alerted
1284 * before the user agent disposes of site data in order to make room for other things.
1285 * [1] https://developer.mozilla.org/docs/Web/API/StorageManager
1286 * [2] https://developer.mozilla.org/docs/Web/API/Storage_API
1287 * [3] https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/
1288 // user_pref("dom.storageManager.enabled", false);
1289/* 2755: disable Storage Access API [FF65+]
1290 * [1] https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API ***/
1291 // user_pref("dom.storage_access.enabled", false);
1292
1293/*** [SECTION 2800]: SHUTDOWN
1294 You should set the values to what suits you best.
1295 - "Offline Website Data" includes appCache (2730), localStorage (2710),
1296 service worker cache (2740), and QuotaManager (IndexedDB (2720), asm-cache)
1297 - In both 2803 + 2804, the 'download' and 'history' prefs are combined in the
1298 Firefox interface as "Browsing & Download History" and their values will be synced
1299***/
1300user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
1301/* 2802: enable Firefox to clear items on shutdown (see 2803)
1302 * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/
1303user_pref("privacy.sanitize.sanitizeOnShutdown", true);
1304/* 2803: set what items to clear on shutdown (if 2802 is true) [SETUP-CHROME]
1305 * [NOTE] If 'history' is true, downloads will also be cleared regardless of the value
1306 * but if 'history' is false, downloads can still be cleared independently
1307 * However, this may not always be the case. The interface combines and syncs these
1308 * prefs when set from there, and the sanitize code may change at any time
1309 * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings ***/
1310user_pref("privacy.clearOnShutdown.cache", true);
1311user_pref("privacy.clearOnShutdown.cookies", true);
1312user_pref("privacy.clearOnShutdown.downloads", true); // see note above
1313user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History
1314user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History
1315user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data
1316user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins
1317user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences
1318/* 2804: reset default items to clear with Ctrl-Shift-Del (to match 2803) [SETUP-CHROME]
1319 * This dialog can also be accessed from the menu History>Clear Recent History
1320 * Firefox remembers your last choices. This will reset them when you start Firefox.
1321 * [NOTE] Regardless of what you set privacy.cpd.downloads to, as soon as the dialog
1322 * for "Clear Recent History" is opened, it is synced to the same as 'history' ***/
1323user_pref("privacy.cpd.cache", true);
1324user_pref("privacy.cpd.cookies", true);
1325 // user_pref("privacy.cpd.downloads", true); // not used, see note above
1326user_pref("privacy.cpd.formdata", true); // Form & Search History
1327user_pref("privacy.cpd.history", true); // Browsing & Download History
1328user_pref("privacy.cpd.offlineApps", true); // Offline Website Data
1329user_pref("privacy.cpd.passwords", false); // this is not listed
1330user_pref("privacy.cpd.sessions", true); // Active Logins
1331user_pref("privacy.cpd.siteSettings", false); // Site Preferences
1332/* 2805: clear Session Restore data when sanitizing on shutdown or manually [FF34+]
1333 * [NOTE] Not needed if Session Restore is not used (see 0102) or is already cleared with history (see 2803)
1334 * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (see 1022)
1335 * [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/
1336 // user_pref("privacy.clearOnShutdown.openWindows", true);
1337 // user_pref("privacy.cpd.openWindows", true);
1338/* 2806: reset default 'Time range to clear' for 'Clear Recent History' (see 2804)
1339 * Firefox remembers your last choice. This will reset the value when you start Firefox.
1340 * 0=everything, 1=last hour, 2=last two hours, 3=last four hours,
1341 * 4=today, 5=last five minutes, 6=last twenty-four hours
1342 * [NOTE] The values 5 + 6 are not listed in the dropdown, which will display a
1343 * blank value if they are used, but they do work as advertised ***/
1344user_pref("privacy.sanitize.timeSpan", 0);
1345
1346/*** [SECTION 4000]: FPI (FIRST PARTY ISOLATION)
1347 ** 1278037 - isolate indexedDB (FF51+)
1348 ** 1277803 - isolate favicons (FF52+)
1349 ** 1264562 - isolate OCSP cache (FF52+)
1350 ** 1268726 - isolate Shared Workers (FF52+)
1351 ** 1316283 - isolate SSL session cache (FF52+)
1352 ** 1317927 - isolate media cache (FF53+)
1353 ** 1323644 - isolate HSTS and HPKP (FF54+)
1354 ** 1334690 - isolate HTTP Alternative Services (FF54+)
1355 ** 1334693 - isolate SPDY/HTTP2 (FF55+)
1356 ** 1337893 - isolate DNS cache (FF55+)
1357 ** 1344170 - isolate blob: URI (FF55+)
1358 ** 1300671 - isolate data:, about: URLs (FF55+)
1359 ** 1473247 - isolate IP addresses (FF63+)
1360 ** 1492607 - isolate postMessage with targetOrigin "*" (requires 4002) (FF65+)
1361 ** 1542309 - isolate top-level domain URLs when host is in the public suffix list (FF68+)
1362 ** 1506693 - isolate pdfjs range-based requests (FF68+)
1363 ** 1330467 - isolate site permissions (FF69+)
1364 ** 1534339 - isolate IPv6 (FF73+)
1365***/
1366user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
1367/* 4001: enable First Party Isolation [FF51+]
1368 * [SETUP-WEB] May break cross-domain logins and site functionality until perfected
1369 * [1] https://bugzilla.mozilla.org/1260931 ***/
1370user_pref("privacy.firstparty.isolate", true);
1371/* 4002: enforce FPI restriction for window.opener [FF54+]
1372 * [NOTE] Setting this to false may reduce the breakage in 4001
1373 * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But
1374 * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute. (see [2],[3])
1375 * The 2nd pref removes that limitation and will only allow communication if FPDs also match.
1376 * [1] https://bugzilla.mozilla.org/1319773#c22
1377 * [2] https://bugzilla.mozilla.org/1492607
1378 * [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/
1379user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
1380 // user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF ESR]
1381
1382/*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
1383 This master switch will be used for a wide range of items, many of which will
1384 **override** existing prefs from FF55+, often providing a **better** solution
1385
1386 IMPORTANT: As existing prefs become redundant, and some of them WILL interfere
1387 with how RFP works, they will be moved to section 4600 and made inactive
1388
1389 ** 418986 - limit window.screen & CSS media queries leaking identifiable info (FF41+)
1390 [NOTE] Info only: To set a size, open a XUL (chrome) page (such as about:config) which is at
1391 100% zoom, hit Shift+F4 to open the scratchpad, type window.resizeTo(1366,768), hit Ctrl+R to run.
1392 Test your window size, do some math, resize to allow for all the non inner window elements
1393 [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen
1394 ** 1281949 - spoof screen orientation (FF50+)
1395 ** 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+)
1396 FF53: Fixes GetSupportedNames in nsMimeTypeArray and nsPluginArray (1324044)
1397 ** 1330890 - spoof timezone as UTC 0 (FF55+)
1398 FF58: Date.toLocaleFormat deprecated (818634)
1399 FF60: Date.toLocaleDateString and Intl.DateTimeFormat fixed (1409973)
1400 ** 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) (FF55+)
1401 This spoof *shouldn't* affect core chrome/Firefox performance
1402 ** 1217238 - reduce precision of time exposed by javascript (FF55+)
1403 ** 1369303 - spoof/disable performance API (see 2410-deprecated, 4602, 4603) (FF56+)
1404 ** 1333651 & 1383495 & 1396468 - spoof Navigator API (see section 4700) (FF56+)
1405 FF56: The version number will be rounded down to the nearest multiple of 10
1406 FF57: The version number will match current ESR (1393283, 1418672, 1418162, 1511763)
1407 FF59: The OS will be reported as Windows, OSX, Android, or Linux (to reduce breakage) (1404608)
1408 FF66: The OS in HTTP Headers will be reduced to Windows or Android (1509829)
1409 FF68: Reported OS versions updated to Windows 10, OS 10.14, and Adnroid 8.1 (1511434)
1410 ** 1369319 - disable device sensor API (see 4604) (FF56+)
1411 ** 1369357 - disable site specific zoom (see 4605) (FF56+)
1412 ** 1337161 - hide gamepads from content (see 4606) (FF56+)
1413 ** 1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true (see 4607) (FF56+)
1414 ** 1333641 - reduce fingerprinting in WebSpeech API (see 4608) (FF56+)
1415 ** 1372069 & 1403813 & 1441295 - block geolocation requests (same as denying a site permission) (see 0201, 0202) (FF56-62)
1416 ** 1369309 - spoof media statistics (see 4610) (FF57+)
1417 ** 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) (FF57+)
1418 ** 1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12) (FF57+)
1419 ** 1382545 - reduce fingerprinting in Animation API (FF57+)
1420 ** 1354633 - limit MediaError.message to a whitelist (FF57+)
1421 ** 1382533 - enable fingerprinting resistance for Presentation API (FF57+)
1422 This blocks exposure of local IP Addresses via mDNS (Multicast DNS)
1423 ** 967895 - enable site permission prompt before allowing canvas data extraction (FF58+)
1424 FF59: Added to site permissions panel (1413780) Only prompt when triggered by user input (1376865)
1425 ** 1372073 - spoof/block fingerprinting in MediaDevices API (FF59+)
1426 Spoof: enumerate devices reports one "Internal Camera" and one "Internal Microphone" if
1427 media.navigator.enabled is true (see 2505 which we chose to keep disabled)
1428 Block: suppresses the ondevicechange event (see 4612)
1429 ** 1039069 - warn when language prefs are set to non en-US (see 0210, 0211) (FF59+)
1430 ** 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59+)
1431 Spoofing mimics the content language of the document. Currently it only supports en-US.
1432 Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected.
1433 FF60: Fix keydown/keyup events (1438795)
1434 ** 1337157 - disable WebGL debug renderer info (see 4613) (FF60+)
1435 ** 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+)
1436 ** 1479239 - return "no-preference" with prefers-reduced-motion (FF63+)
1437 ** 1363508 - spoof/suppress Pointer Events (see 4614) (FF64+)
1438 FF65: pointerEvent.pointerid (1492766)
1439 ** 1485266 - disable exposure of system colors to CSS or canvas (see 4615) (FF67+)
1440 ** 1407366 - enable inner window letterboxing (see 4504) (FF67+)
1441 ** 1540726 - return "light" with prefers-color-scheme (FF67+)
1442 [1] https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme
1443 ** 1564422 - spoof audioContext outputLatency (FF70+)
1444 ** 1595823 - spoof audioContext sampleRate (FF72+)
1445***/
1446user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
1447/* 4501: enable privacy.resistFingerprinting [FF41+]
1448 * This pref is the master switch for all other privacy.resist* prefs unless stated
1449 * [SETUP-WEB] RFP can cause the odd website to break in strange ways, and has a few side affects,
1450 * but is largely robust nowadays. Give it a try. Your choice. Also see 4504 (letterboxing).
1451 * [1] https://bugzilla.mozilla.org/418986 ***/
1452user_pref("privacy.resistFingerprinting", true);
1453/* 4502: set new window sizes to round to hundreds [FF55+] [SETUP-CHROME]
1454 * Width will round down to multiples of 200s and height to 100s, to fit your screen.
1455 * The override values are a starting point to round from if you want some control
1456 * [1] https://bugzilla.mozilla.org/1330882
1457 * [2] https://hardware.metrics.mozilla.com/ ***/
1458 // user_pref("privacy.window.maxInnerWidth", 1000);
1459 // user_pref("privacy.window.maxInnerHeight", 1000);
1460/* 4503: disable mozAddonManager Web API [FF57+]
1461 * [NOTE] As a side-effect in FF57-59 this allowed extensions to work on AMO. In FF60+ you also need
1462 * to sanitize or clear extensions.webextensions.restrictedDomains (see 2662) to keep that side-effect
1463 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
1464user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF]
1465/* 4504: enable RFP letterboxing [FF67+]
1466 * Dynamically resizes the inner window (FF67; 200w x100h: FF68+; stepped ranges) by applying letterboxing,
1467 * using dimensions which waste the least content area, If you use the dimension pref, then it will only apply
1468 * those resolutions. The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900")
1469 * [SETUP-WEB] This does NOT require RFP (see 4501) **for now**, so if you're not using 4501, or you are but you're
1470 * not taking anti-fingerprinting seriously and a little visual change upsets you, then feel free to flip this pref
1471 * [WARNING] The dimension pref is only meant for testing, and we recommend you DO NOT USE it
1472 * [1] https://bugzilla.mozilla.org/1407366 ***/
1473user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
1474 // user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF]
1475/* 4510: disable showing about:blank as soon as possible during startup [FF60+]
1476 * When default true (FF62+) this no longer masks the RFP chrome resizing activity
1477 * [1] https://bugzilla.mozilla.org/1448423 ***/
1478user_pref("browser.startup.blankWindow", false);
1479
1480/*** [SECTION 4600]: RFP ALTERNATIVES
1481 * non-RFP users:
1482 Enable the whole section (see the SETUP tag below)
1483 * RFP users:
1484 Make sure these are reset in about:config. They are redundant. In fact, some
1485 even cause RFP to not behave as you would expect and alter your fingerprint
1486 * ESR RFP users:
1487 Reset those *up to and including* your version. Add those *after* your version
1488 as active prefs in your overrides. This is assuming that the patch wasn't also
1489 backported to Firefox ESR. Backporting RFP patches to ESR is rare.
1490***/
1491user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan");
1492/* [SETUP-non-RFP] Non-RFP users replace the * with a slash on this line to enable these
1493// FF55+
1494// 4601: [2514] spoof (or limit?) number of CPU cores [FF48+]
1495 // [NOTE] *may* affect core chrome/Firefox performance, will affect content.
1496 // [1] https://bugzilla.mozilla.org/1008453
1497 // [2] https://trac.torproject.org/projects/tor/ticket/21675
1498 // [3] https://trac.torproject.org/projects/tor/ticket/22127
1499 // [4] https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency
1500 // user_pref("dom.maxHardwareConcurrency", 2);
1501// * * * /
1502// FF56+
1503// 4602: [2411] disable resource/navigation timing
1504user_pref("dom.enable_resource_timing", false);
1505// 4603: [2412] disable timing attacks
1506 // [1] https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
1507user_pref("dom.enable_performance", false);
1508// 4604: [2512] disable device sensor API
1509 // Optional protection depending on your device
1510 // [1] https://trac.torproject.org/projects/tor/ticket/15758
1511 // [2] https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
1512 // [3] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751
1513 // user_pref("device.sensors.enabled", false);
1514// 4605: [2515] disable site specific zoom
1515 // Zoom levels affect screen res and are highly fingerprintable. This does not stop you using
1516 // zoom, it will just not use/remember any site specific settings. Zoom levels on new tabs
1517 // and new windows are reset to default and only the current tab retains the current zoom
1518user_pref("browser.zoom.siteSpecific", false);
1519// 4606: [2501] disable gamepad API - USB device ID enumeration
1520 // Optional protection depending on your connected devices
1521 // [1] https://trac.torproject.org/projects/tor/ticket/13023
1522 // user_pref("dom.gamepad.enabled", false);
1523// 4607: [2503] disable giving away network info [FF31+]
1524 // e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
1525 // [1] https://developer.mozilla.org/docs/Web/API/Network_Information_API
1526 // [2] https://wicg.github.io/netinfo/
1527 // [3] https://bugzilla.mozilla.org/960426
1528user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android]
1529// 4608: [2021] disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API
1530 // [1] https://developer.mozilla.org/docs/Web/API/Web_Speech_API
1531 // [2] https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
1532 // [3] https://wiki.mozilla.org/HTML5_Speech_API
1533user_pref("media.webspeech.synth.enabled", false);
1534// * * * /
1535// FF57+
1536// 4610: [2506] disable video statistics - JS performance fingerprinting [FF25+]
1537 // [1] https://trac.torproject.org/projects/tor/ticket/15757
1538 // [2] https://bugzilla.mozilla.org/654550
1539user_pref("media.video_stats.enabled", false);
1540// 4611: [2509] disable touch events
1541 // fingerprinting attack vector - leaks screen res & actual screen coordinates
1542 // 0=disabled, 1=enabled, 2=autodetect
1543 // Optional protection depending on your device
1544 // [1] https://developer.mozilla.org/docs/Web/API/Touch_events
1545 // [2] https://trac.torproject.org/projects/tor/ticket/10286
1546 // user_pref("dom.w3c_touch_events.enabled", 0);
1547// * * * /
1548// FF59+
1549// 4612: [2511] disable MediaDevices change detection [FF51+]
1550 // [1] https://developer.mozilla.org/docs/Web/Events/devicechange
1551 // [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange
1552user_pref("media.ondevicechange.enabled", false);
1553// * * * /
1554// FF60+
1555// 4613: [2011] disable WebGL debug info being available to websites
1556 // [1] https://bugzilla.mozilla.org/1171228
1557 // [2] https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info
1558user_pref("webgl.enable-debug-renderer-info", false);
1559// * * * /
1560// FF65+
1561// 4614: [2516] disable PointerEvents
1562 // [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent
1563user_pref("dom.w3c_pointer_events.enabled", false);
1564// * * * /
1565// FF67+
1566// 4615: [2618] disable exposure of system colors to CSS or canvas [FF44+]
1567 // [NOTE] See second listed bug: may cause black on black for elements with undefined colors
1568 // [SETUP-CHROME] Might affect CSS in themes and extensions
1569 // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876
1570user_pref("ui.use_standins_for_native_colors", true);
1571// * * * /
1572// ***/
1573
1574/*** [SECTION 4700]: RFP ALTERNATIVES (NAVIGATOR / USER AGENT (UA) SPOOFING)
1575 This is FYI ONLY. These prefs are INSUFFICIENT(a) on their own, you need
1576 to use RFP (4500) or an extension, in which case they become POINTLESS.
1577 (a) Many of the components that make up your UA can be derived by other means.
1578 And when those values differ, you provide more bits and raise entropy.
1579 Examples of leaks include navigator objects, date locale/formats, iframes,
1580 headers, tcp/ip attributes, feature detection, and **many** more.
1581 ALL values below intentionally left blank - use RFP, or get a vetted, tested
1582 extension and mimic RFP values to *lower* entropy, or randomize to *raise* it
1583***/
1584user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow");
1585/* 4701: navigator.userAgent ***/
1586 // user_pref("general.useragent.override", ""); // [HIDDEN PREF]
1587/* 4702: navigator.buildID
1588 * Revealed build time down to the second. In FF64+ it now returns a fixed timestamp
1589 * [1] https://bugzilla.mozilla.org/583181
1590 * [2] https://www.fxsitecompat.com/en-CA/docs/2018/navigator-buildid-now-returns-a-fixed-timestamp/ ***/
1591 // user_pref("general.buildID.override", ""); // [HIDDEN PREF]
1592/* 4703: navigator.appName ***/
1593 // user_pref("general.appname.override", ""); // [HIDDEN PREF]
1594/* 4704: navigator.appVersion ***/
1595 // user_pref("general.appversion.override", ""); // [HIDDEN PREF]
1596/* 4705: navigator.platform ***/
1597 // user_pref("general.platform.override", ""); // [HIDDEN PREF]
1598/* 4706: navigator.oscpu ***/
1599 // user_pref("general.oscpu.override", ""); // [HIDDEN PREF]
1600
1601/*** [SECTION 5000]: PERSONAL
1602 Non-project related but useful. If any of these interest you, add them to your overrides ***/
1603user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
1604/* WELCOME & WHAT's NEW NOTICES ***/
1605 // user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
1606 // user_pref("startup.homepage_welcome_url", "");
1607 // user_pref("startup.homepage_welcome_url.additional", "");
1608 // user_pref("startup.homepage_override_url", ""); // What's New page after updates
1609/* WARNINGS ***/
1610 // user_pref("browser.tabs.warnOnClose", false);
1611 // user_pref("browser.tabs.warnOnCloseOtherTabs", false);
1612 // user_pref("browser.tabs.warnOnOpen", false);
1613 // user_pref("full-screen-api.warning.delay", 0);
1614 // user_pref("full-screen-api.warning.timeout", 0);
1615/* APPEARANCE ***/
1616 // user_pref("browser.download.autohideButton", false); // [FF57+]
1617 // user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+]
1618 // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent
1619/* CONTENT BEHAVIOR ***/
1620 // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type"
1621 // user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX]
1622 // user_pref("layout.spellcheckDefault", 2); // 0=none, 1-multi-line, 2=multi-line & single-line
1623/* UX BEHAVIOR ***/
1624 // user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing
1625 // user_pref("browser.tabs.closeWindowWithLastTab", false);
1626 // user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+]
1627 // user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+]
1628 // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [WINDOWS] [MAC]
1629 // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
1630 // user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under]
1631/* UX FEATURES: disable and hide the icons and menus ***/
1632 // user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New [FF69+]
1633 // user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
1634 // user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART]
1635 // user_pref("reader.parse-on-load.enabled", false); // Reader View
1636/* OTHER ***/
1637 // user_pref("browser.bookmarks.max_backups", 2);
1638 // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+]
1639 // [SETTING] General>Browsing>Recommend extensions as you browse
1640 // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+]
1641 // [SETTING] General>Browsing>Recommend features as you browse
1642 // user_pref("network.manage-offline-status", false); // see bugzilla 620472
1643 // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
1644
1645/*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED
1646 Documentation denoted as [-]. Items deprecated prior to FF61 have been archived at [1], which
1647 also provides a link-clickable, viewer-friendly version of the deprecated bugzilla tickets
1648 [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/123
1649***/
1650user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!");
1651/* FF61
1652// 0501: disable experiments
1653 // [1] https://wiki.mozilla.org/Telemetry/Experiments
1654 // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1420908,1450801
1655user_pref("experiments.enabled", false);
1656user_pref("experiments.manifest.uri", "");
1657user_pref("experiments.supported", false);
1658user_pref("experiments.activeExperiment", false);
1659// 2612: disable remote JAR files being opened, regardless of content type [FF42+]
1660 // [1] https://bugzilla.mozilla.org/1173171
1661 // [2] https://www.fxsitecompat.com/en-CA/docs/2015/jar-protocol-support-has-been-disabled-by-default/
1662 // [-] https://bugzilla.mozilla.org/1427726
1663user_pref("network.jar.block-remote-files", true);
1664// 2613: disable JAR from opening Unsafe File Types
1665 // [-] https://bugzilla.mozilla.org/1427726
1666user_pref("network.jar.open-unsafe-types", false);
1667// ***/
1668/* FF62
1669// 1803: disable Java plugin
1670 // [-] (part5) https://bugzilla.mozilla.org/1461243
1671user_pref("plugin.state.java", 0);
1672// ***/
1673/* FF63
1674// 0205: disable GeoIP-based search results
1675 // [NOTE] May not be hidden if Firefox has changed your settings due to your locale
1676 // [-] https://bugzilla.mozilla.org/1462015
1677user_pref("browser.search.countryCode", "US"); // [HIDDEN PREF]
1678// 0301a: disable auto-update checks for Firefox
1679 // [SETTING] General>Firefox Updates>Never check for updates
1680 // [-] https://bugzilla.mozilla.org/1420514
1681 // user_pref("app.update.enabled", false);
1682// 0503: disable "Savant" Shield study [FF61+]
1683 // [-] https://bugzilla.mozilla.org/1457226
1684user_pref("shield.savant.enabled", false);
1685// 1031: disable favicons in tabs and new bookmarks - merged into browser.chrome.site_icons
1686 // [-] https://bugzilla.mozilla.org/1453751
1687 // user_pref("browser.chrome.favicons", false);
1688// 2030: disable autoplay of HTML5 media - replaced by media.autoplay.default
1689 // This may break video playback on various sites
1690 // [-] https://bugzilla.mozilla.org/1470082
1691user_pref("media.autoplay.enabled", false);
1692// 2704: set cookie lifetime in days (see 2703)
1693 // [-] https://bugzilla.mozilla.org/1457170
1694 // user_pref("network.cookie.lifetime.days", 90); // [DEFAULT: 90]
1695// 5000's: enable "Ctrl+Tab cycles through tabs in recently used order" - replaced by browser.ctrlTab.recentlyUsedOrder
1696 // [-] https://bugzilla.mozilla.org/1473595
1697 // user_pref("browser.ctrlTab.previews", true);
1698// ***/
1699/* FF64
1700// 0516: disable Onboarding [FF55+]
1701 // Onboarding is an interactive tour/setup for new installs/profiles and features. Every time
1702 // about:home or about:newtab is opened, the onboarding overlay is injected into that page
1703 // [NOTE] Onboarding uses Google Analytics [2], and leaks resource://URIs [3]
1704 // [1] https://wiki.mozilla.org/Firefox/Onboarding
1705 // [2] https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf
1706 // [3] https://bugzilla.mozilla.org/863246#c154
1707 // [-] https://bugzilla.mozilla.org/1462415
1708user_pref("browser.onboarding.enabled", false);
1709// 2608: disable WebIDE ADB extension downloads - both renamed
1710 // [1] https://trac.torproject.org/projects/tor/ticket/16222
1711 // [-] https://bugzilla.mozilla.org/1491315
1712user_pref("devtools.webide.autoinstallADBHelper", false);
1713user_pref("devtools.webide.adbAddonURL", "");
1714// 2681: disable CSP violation events [FF59+]
1715 // [1] https://developer.mozilla.org/docs/Web/API/SecurityPolicyViolationEvent
1716 // [-] https://bugzilla.mozilla.org/1488165
1717user_pref("security.csp.enable_violation_events", false);
1718// ***/
1719/* FF65
1720// 0850a: disable location bar autocomplete and suggestion types
1721 // If you enforce any of the suggestion types (see the other 0850a), you MUST enforce 'autocomplete'
1722 // - If *ALL* of the suggestion types are false, 'autocomplete' must also be false
1723 // - If *ANY* of the suggestion types are true, 'autocomplete' must also be true
1724 // [-] https://bugzilla.mozilla.org/1502392
1725user_pref("browser.urlbar.autocomplete.enabled", false);
1726// 0908: remove user & password info when attempting to fix an entered URL (i.e. 0802 is true)
1727 // e.g. //user:password@foo -> //user@(prefix)foo(suffix) NOT //user:password@(prefix)foo(suffix)
1728 // [-] https://bugzilla.mozilla.org/1510580
1729user_pref("browser.fixup.hide_user_pass", true); // [DEFAULT: true]
1730// ***/
1731/* FF66
1732// 0380: disable Browser Error Reporter [FF60+]
1733 // [1] https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection
1734 // [2] https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html
1735 // [-] https://bugzilla.mozilla.org/1509888
1736user_pref("browser.chrome.errorReporter.enabled", false);
1737user_pref("browser.chrome.errorReporter.submitUrl", "");
1738// 0502: disable Mozilla permission to silently opt you into tests
1739 // [-] https://bugzilla.mozilla.org/1415625
1740user_pref("network.allow-experiments", false);
1741// ***/
1742/* FF67
1743// 2428: enforce DOMHighResTimeStamp API
1744 // [WARNING] Required for normalization of timestamps and any timer resolution mitigations
1745 // [-] https://bugzilla.mozilla.org/1485264
1746user_pref("dom.event.highrestimestamp.enabled", true); // [DEFAULT: true]
1747// 5000's: disable CFR [FF64+] - split into two new prefs: *cfr.addons, *cfr.features
1748 // [SETTING] General>Browsing>Recommend extensions as you browse
1749 // [1] https://support.mozilla.org/en-US/kb/extension-recommendations
1750 // [-] https://bugzilla.mozilla.org/1528953
1751 // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false);
1752// ***/
1753/* FF68
1754// 0105b: disable Activity Stream Legacy Snippets
1755 // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1546190,1540939
1756user_pref("browser.newtabpage.activity-stream.disableSnippets", true);
1757user_pref("browser.aboutHomeSnippets.updateUrl", "");
1758// 0307: disable auto updating of lightweight themes (LWT)
1759 // Not to be confused with themes in 0301* + 0302*, which use the FF55+ Theme API
1760 // Mozilla plan to convert existing LWTs and remove LWT support in the future, see [1]
1761 // [1] https://blog.mozilla.org/addons/2018/09/20/future-themes-here/
1762 // [-] (part3b) https://bugzilla.mozilla.org/1525762
1763user_pref("lightweightThemes.update.enabled", false);
1764// 2682: enable CSP 1.1 experimental hash-source directive [FF29+]
1765 // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=855326,883975
1766 // [-] https://bugzilla.mozilla.org/1386214
1767user_pref("security.csp.experimentalEnabled", true);
1768// ***/
1769
1770/* ESR68.x still uses all the following prefs
1771// [NOTE] replace the * with a slash in the line above to re-enable them
1772// FF69
1773// 1405: disable WOFF2 (Web Open Font Format) [FF35+]
1774 // [-] https://bugzilla.mozilla.org/1556991
1775 // user_pref("gfx.downloadable_fonts.woff2.enabled", false);
1776// 1802: enforce click-to-play for plugins
1777 // [-] https://bugzilla.mozilla.org/1519434
1778user_pref("plugins.click_to_play", true); // [DEFAULT: true FF25+]
1779// 2033: disable autoplay for muted videos [FF63+] - replaced by 'media.autoplay.default' options (2030)
1780 // [-] https://bugzilla.mozilla.org/1562331
1781 // user_pref("media.autoplay.allow-muted", false);
1782// * * * /
1783// FF71
1784// 2608: disable WebIDE and ADB extension download
1785 // [1] https://trac.torproject.org/projects/tor/ticket/16222
1786 // [-] https://bugzilla.mozilla.org/1539462
1787user_pref("devtools.webide.enabled", false); // [DEFAULT: false FF70+]
1788user_pref("devtools.webide.autoinstallADBExtension", false); // [FF64+]
1789// 2731: enforce websites to ask to store data for offline use
1790 // [1] https://support.mozilla.org/questions/1098540
1791 // [2] https://bugzilla.mozilla.org/959985
1792 // [-] https://bugzilla.mozilla.org/1574480
1793user_pref("offline-apps.allow_by_default", false);
1794// * * * /
1795// ***/
1796
1797/* END: internal custom pref to test for syntax errors ***/
1798user_pref("_user.js.parrot", "SUCCESS: No no he's not dead, he's, he's restin'!");
1799
1800/*** MY OVERRIDES ***/
1801user_pref("_user.js.parrot", "overrides section syntax error");
1802user_pref("browser.shell.checkDefaultBrowser", true); // 0101
1803user_pref("security.ask_for_password", 0); // 0903
1804user_pref("security.password_lifetime", 60); // 0904
1805user_pref("browser.sessionstore.privacy_level", 0); // 1021
1806user_pref("browser.sessionstore.interval", 15000); // 1023
1807user_pref("browser.display.use_document_fonts", 1); // 1401
1808user_pref("network.http.referer.XOriginPolicy", 0); // 1603
1809user_pref("dom.popup_allowed_events", "change click dblclick auxclick mouseup pointerup notificationclick reset submit touchend contextmenu"); // 2212
1810user_pref("dom.event.clipboardevents.enabled", true); //2402
1811user_pref("privacy.clearOnShutdown.cookies", false); //2803
1812user_pref("privacy.firstparty.isolate", false); //4001
1813user_pref("privacy.resistFingerprinting", false); //4501
1814user_pref("privacy.resistFingerprinting.letterboxing", false); //4504
1815user_pref("_user.js.parrot", "SUCCESS");