user.js 136 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260
  1. /******
  2. * name: ghacks user.js
  3. * date: 17 January 2019
  4. * version 65-alpha: Dancing with My Pants
  5. * "If I had the chance, I'd ask the world to dance, and I'll be dancing with my pants"
  6. * authors: v52+ github | v51- www.ghacks.net
  7. * url: https://github.com/ghacksuserjs/ghacks-user.js
  8. * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt
  9. * releases: These are end-of-stable-life-cycle legacy archives.
  10. *Always* use the master branch user.js for a current up-to-date version.
  11. url: https://github.com/ghacksuserjs/ghacks-user.js/releases
  12. * README:
  13. 0. Consider using Tor Browser if it meets your needs or fits your threat model better
  14. * https://www.torproject.org/about/torusers.html.en
  15. 1. READ the full README
  16. * https://github.com/ghacksuserjs/ghacks-user.js/blob/master/README.md
  17. 2. READ this
  18. * https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation
  19. 3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum
  20. * Auto-installing updates for Firefox and extensions are disabled (section 0302's)
  21. * Some user data is erased on close (section 2800). Change this to suit your needs
  22. * EACH RELEASE check:
  23. - 4600s: reset prefs made redundant due to privacy.resistFingerprinting (RPF)
  24. or enable them as an alternative to RFP or for ESR users
  25. - 9999s: reset deprecated prefs in about:config or enable relevant section(s) for ESR
  26. * Site breakage WILL happen
  27. - There are often trade-offs and conflicts between Security vs Privacy vs Anti-Fingerprinting
  28. and these need to be balanced against Functionality & Convenience & Breakage
  29. * You will need to make changes, and to troubleshoot at times (choose wisely, there is always a trade-off).
  30. While not 100% definitive, search for "[SETUP". If required, add each pref to your overrides section at
  31. default values (or comment them out and reset them in about:config). Here are the main ones:
  32. [SETUP-WEB] can cause some websites to break
  33. [SETUP-CHROME] changes how Firefox itself behaves (i.e. NOT directly website related)
  34. [SETUP-PERF] may impact performance
  35. * [WARNING] tags are extra special and used sparingly, so heed them
  36. 4. BACKUP your profile folder before implementing (and/or test in a new/cloned profile)
  37. 5. KEEP UP TO DATE: https://github.com/ghacksuserjs/ghacks-user.js/wiki#small_orange_diamond-maintenance
  38. * INDEX:
  39. 0100: STARTUP
  40. 0200: GEOLOCATION
  41. 0300: QUIET FOX
  42. 0400: BLOCKLISTS / SAFE BROWSING / TRACKING PROTECTION
  43. 0500: SYSTEM ADD-ONS / EXPERIMENTS
  44. 0600: BLOCK IMPLICIT OUTBOUND
  45. 0700: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc
  46. 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS
  47. 0900: PASSWORDS
  48. 1000: CACHE / SESSION (RE)STORE / FAVICONS
  49. 1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
  50. 1400: FONTS
  51. 1600: HEADERS / REFERERS
  52. 1700: CONTAINERS
  53. 1800: PLUGINS
  54. 2000: MEDIA / CAMERA / MIC
  55. 2200: WINDOW MEDDLING & LEAKS / POPUPS
  56. 2300: WEB WORKERS
  57. 2400: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT
  58. 2500: HARDWARE FINGERPRINTING
  59. 2600: MISCELLANEOUS
  60. 2700: PERSISTENT STORAGE
  61. 2800: SHUTDOWN
  62. 4000: FPI (FIRST PARTY ISOLATION)
  63. 4500: RFP (RESIST FINGERPRINTING)
  64. 4600: RFP ALTERNATIVES
  65. 4700: RFP ALTERNATIVES (NAVIGATOR / USER AGENT (UA) SPOOFING)
  66. 5000: PERSONAL
  67. 9999: DEPRECATED / REMOVED / LEGACY / RENAMED
  68. ******/
  69. /* START: internal custom pref to test for syntax errors
  70. * [NOTE] In FF60+, not all syntax errors cause parsing to abort i.e. reaching the last debug
  71. * pref no longer necessarily means that all prefs have been applied. Check the console right
  72. * after startup for any warnings/error messages related to non-applied prefs
  73. * [1] https://blog.mozilla.org/nnethercote/2018/03/09/a-new-preferences-parser-for-firefox/ ***/
  74. user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?");
  75. /*** [SECTION 0100]: STARTUP ***/
  76. user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
  77. /* 0101: disable default browser check
  78. * [SETTING] General>Startup>Always check if Firefox is your default browser ***/
  79. user_pref("browser.shell.checkDefaultBrowser", false);
  80. /* 0102: set START page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
  81. * [NOTE] Session Restore is not used in PB mode (0110) and is cleared with history (2803, 2804)
  82. * [SETTING] General>Startup>Restore previous session ***/
  83. user_pref("browser.startup.page", 0);
  84. /* 0103: set HOME+NEWWINDOW page
  85. * about:home=Activity Stream (default, see 0105), custom URL, about:blank
  86. * [SETTING] Home>New Windows and Tabs>Homepage and new windows ***/
  87. user_pref("browser.startup.homepage", "about:blank");
  88. /* 0104: set NEWTAB page
  89. * true=Activity Stream (default, see 0105), false=blank page
  90. * [SETTING] Home>New Windows and Tabs>New tabs ***/
  91. user_pref("browser.newtabpage.enabled", false);
  92. user_pref("browser.newtab.preload", false);
  93. /* 0105: disable Activity Stream stuff (AS)
  94. * AS is the default homepage/newtab in FF57+, based on metadata and browsing behavior.
  95. * **NOT LISTING ALL OF THESE: USE THE PREFERENCES UI**
  96. * [SETTING] Home>Firefox Home Content>... to show/hide what you want ***/
  97. /* 0105a: disable Activity Stream telemetry ***/
  98. user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
  99. user_pref("browser.newtabpage.activity-stream.telemetry", false);
  100. user_pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", "");
  101. /* 0105b: disable Activity Stream Snippets
  102. * Runs code received from a server (aka Remote Code Execution) and sends information back to a metrics server
  103. * [1] https://abouthome-snippets-service.readthedocs.io/ ***/
  104. user_pref("browser.aboutHomeSnippets.updateUrl", "");
  105. user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "");
  106. user_pref("browser.newtabpage.activity-stream.disableSnippets", true);
  107. user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
  108. /* 0105c: disable Activity Stream Top Stories, Pocket-based and/or sponsored content ***/
  109. user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
  110. user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
  111. user_pref("browser.newtabpage.activity-stream.showSponsored", false);
  112. /* 0105d: disable Activity Stream recent Highlights in the Library [FF57+] ***/
  113. // user_pref("browser.library.activity-stream.enabled", false);
  114. /* 0110: start Firefox in PB (Private Browsing) mode
  115. * [NOTE] In this mode *all* windows are "private windows" and the PB mode icon is not displayed
  116. * [WARNING] The P in PB mode is misleading: it means no "persistent" local storage of history,
  117. * caches, searches or cookies (which you can achieve in normal mode). In fact, it limits or
  118. * removes the ability to control these, and you need to quit Firefox to clear them. PB is best
  119. * used as a one off window (File>New Private Window) to provide a temporary self-contained
  120. * new instance. Closing all Private Windows clears all traces. Repeat as required. PB also does
  121. * not allow indexedDB which breaks many Extensions that use it including uBlock Origin and uMatrix
  122. * [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode
  123. * [1] https://wiki.mozilla.org/Private_Browsing
  124. * [2] https://spreadprivacy.com/is-private-browsing-really-private/ ***/
  125. // user_pref("browser.privatebrowsing.autostart", true);
  126. /*** [SECTION 0200]: GEOLOCATION ***/
  127. user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
  128. /* 0201: disable Location-Aware Browsing
  129. * [1] https://www.mozilla.org/firefox/geolocation/ ***/
  130. // user_pref("geo.enabled", false);
  131. /* 0201b: set a default permission for Location [FF58+]
  132. * 0=always ask (default), 1=allow, 2=block
  133. * [NOTE] Best left at default "always ask", fingerprintable via Permissions API
  134. * [SETTING] to add site exceptions: Page Info>Permissions>Access Your Location
  135. * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings ***/
  136. // user_pref("permissions.default.geo", 2);
  137. /* 0202: disable GeoIP-based search results
  138. * [NOTE] May not be hidden if Firefox has changed your settings due to your locale
  139. * [1] https://trac.torproject.org/projects/tor/ticket/16254
  140. * [2] https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine ***/
  141. user_pref("browser.search.region", "US"); // [HIDDEN PREF]
  142. user_pref("browser.search.geoip.url", "");
  143. /* 0205: set OS & APP locale [FF59+]
  144. * If set to empty, the OS locales are used. If not set at all, default locale is used ***/
  145. user_pref("intl.locale.requested", "en-US"); // [HIDDEN PREF]
  146. /* 0206: disable geographically specific results/search engines e.g. "browser.search.*.US"
  147. * i.e. ignore all of Mozilla's various search engines in multiple locales ***/
  148. user_pref("browser.search.geoSpecificDefaults", false);
  149. user_pref("browser.search.geoSpecificDefaults.url", "");
  150. /* 0207: set language to match ***/
  151. user_pref("intl.accept_languages", "en-US, en");
  152. /* 0208: enforce US English locale regardless of the system locale
  153. * [1] https://bugzilla.mozilla.org/867501 ***/
  154. user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
  155. /* 0209: use APP locale over OS locale in regional preferences [FF56+]
  156. * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1379420,1364789 ***/
  157. user_pref("intl.regional_prefs.use_os_locales", false);
  158. /* 0210: use Mozilla geolocation service instead of Google when geolocation is enabled
  159. * Optionally enable logging to the console (defaults to false) ***/
  160. user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
  161. // user_pref("geo.wifi.logging.enabled", true); // [HIDDEN PREF]
  162. /*** [SECTION 0300]: QUIET FOX
  163. We choose to not disable auto-CHECKs (0301's) but to disable auto-INSTALLs (0302's).
  164. There are many legitimate reasons to turn off auto-INSTALLS, including hijacked or
  165. monetized extensions, time constraints, legacy issues, and fear of breakage/bugs.
  166. It is still important to do updates for security reasons, please do so manually. ***/
  167. user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!");
  168. /* 0301b: disable auto-update checks for extensions
  169. * [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/
  170. // user_pref("extensions.update.enabled", false);
  171. /* 0302a: disable auto update installing for Firefox [NON-WINDOWS FF65+]
  172. * [NOTE] In FF65+ on Windows this SETTING (below) is now stored in a file and the pref was removed
  173. * [SETTING] General>Firefox Updates>Check for updates but let you choose... ***/
  174. user_pref("app.update.auto", false);
  175. /* 0302b: disable auto update installing for extensions (after the check in 0301b)
  176. * [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/
  177. user_pref("extensions.update.autoUpdateDefault", false);
  178. /* 0303: disable background update service [WINDOWS]
  179. * [SETTING] General>Firefox Updates>Use a background service to install updates ***/
  180. user_pref("app.update.service.enabled", false);
  181. /* 0304: disable background update staging ***/
  182. user_pref("app.update.staging.enabled", false);
  183. /* 0305: enforce update information is displayed
  184. * This is the update available, downloaded, error and success information ***/
  185. user_pref("app.update.silent", false);
  186. /* 0306: disable extension metadata
  187. * used when installing/updating an extension, and in daily background update checks: if false, it
  188. * hides the expanded text description (if it exists) when you "show more details about an addon" ***/
  189. // user_pref("extensions.getAddons.cache.enabled", false);
  190. /* 0307: disable auto updating of personas (themes) ***/
  191. user_pref("lightweightThemes.update.enabled", false);
  192. /* 0308: disable search update
  193. * [SETTING] General>Firefox Updates>Automatically update search engines ***/
  194. user_pref("browser.search.update", false);
  195. /* 0309: disable sending Flash crash reports ***/
  196. user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
  197. /* 0310: disable sending the URL of the website where a plugin crashed ***/
  198. user_pref("dom.ipc.plugins.reportCrashURL", false);
  199. /* 0320: disable about:addons' Get Add-ons panel (uses Google Analytics) ***/
  200. user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF]
  201. user_pref("extensions.webservice.discoverURL", "");
  202. /* 0330: disable telemetry
  203. * the pref (.unified) affects the behaviour of the pref (.enabled)
  204. * IF unified=false then .enabled controls the telemetry module
  205. * IF unified=true then .enabled ONLY controls whether to record extended data
  206. * so make sure to have both set as false
  207. * [NOTE] FF58+ `toolkit.telemetry.enabled` is now LOCKED to reflect prerelease
  208. * or release builds (true and false respectively), see [2]
  209. * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html
  210. * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/
  211. user_pref("toolkit.telemetry.unified", false);
  212. user_pref("toolkit.telemetry.enabled", false); // see [NOTE] above FF58+
  213. user_pref("toolkit.telemetry.server", "data:,");
  214. user_pref("toolkit.telemetry.archive.enabled", false);
  215. user_pref("toolkit.telemetry.cachedClientID", "");
  216. user_pref("toolkit.telemetry.newProfilePing.enabled", false); // [FF55+]
  217. user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // [FF55+]
  218. user_pref("toolkit.telemetry.updatePing.enabled", false); // [FF56+]
  219. user_pref("toolkit.telemetry.bhrPing.enabled", false); // [FF57+] Background Hang Reporter
  220. user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+]
  221. user_pref("toolkit.telemetry.hybridContent.enabled", false); // [FF59+]
  222. /* 0331: disable Telemetry Coverage
  223. * [1] https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ ***/
  224. user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF]
  225. user_pref("toolkit.coverage.opt-out", true); // [FF64+] [HIDDEN PREF]
  226. user_pref("toolkit.coverage.endpoint.base", "");
  227. /* 0340: disable Health Reports
  228. * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical... data ***/
  229. user_pref("datareporting.healthreport.uploadEnabled", false);
  230. /* 0341: disable new data submission, master kill switch [FF41+]
  231. * If disabled, no policy is shown or upload takes place, ever
  232. * [1] https://bugzilla.mozilla.org/1195552 ***/
  233. user_pref("datareporting.policy.dataSubmissionEnabled", false);
  234. /* 0342: disable Studies (see 0503)
  235. * [NOTE] This pref has no effect when Health Reports (0340) are disabled
  236. * [SETTING] Privacy & Security>Firefox Data Collection & Use>...>Allow Firefox to install and run studies ***/
  237. user_pref("app.shield.optoutstudies.enabled", false);
  238. /* 0343: disable Extension Recommendations [FF65+]
  239. * [NOTE] This pref has no effect when Health Reports (0340) are disabled
  240. * [SETTING] Privacy & Security>Firefox Data Collection & Use>...>Allow Firefox to make personalized extension rec.
  241. * [1] https://support.mozilla.org/kb/personalized-extension-recommendations ***/
  242. user_pref("browser.discovery.enabled", false);
  243. /* 0350: disable Crash Reports ***/
  244. user_pref("breakpad.reportURL", "");
  245. user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+]
  246. user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+]
  247. /* 0351: disable backlogged Crash Reports
  248. * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send backlogged crash reports ***/
  249. user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [FF58+]
  250. /* 0370: disable Pocket [FF46+]
  251. * Pocket is a third party (now owned by Mozilla) "save for later" cloud service
  252. * [1] https://en.wikipedia.org/wiki/Pocket_(application)
  253. * [2] https://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-pocket/ ***/
  254. user_pref("extensions.pocket.enabled", false);
  255. /* 0380: disable Browser Error Reporter [FF60+]
  256. * [1] https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection
  257. * [2] https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html ***/
  258. user_pref("browser.chrome.errorReporter.enabled", false);
  259. user_pref("browser.chrome.errorReporter.submitUrl", "");
  260. /*** [SECTION 0400]: BLOCKLISTS / SAFE BROWSING / TRACKING PROTECTION
  261. This section has security & tracking protection implications vs privacy concerns vs effectiveness
  262. vs 3rd party 'censorship'. We DO NOT advocate no protection. If you disable Tracking Protection (TP)
  263. and/or Safe Browsing (SB), then SECTION 0400 REQUIRES YOU HAVE uBLOCK ORIGIN INSTALLED.
  264. Safe Browsing is designed to protect users from malicious sites. Tracking Protection is designed
  265. to lessen the impact of third parties on websites to reduce tracking and to speed up your browsing.
  266. These do rely on 3rd parties (Google for SB and Disconnect for TP), but many steps, which are
  267. continually being improved, have been taken to preserve privacy. Disable at your own risk.
  268. ***/
  269. user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!");
  270. /** BLOCKLISTS ***/
  271. /* 0401: enable Firefox blocklist, but sanitize blocklist url
  272. * [NOTE] It includes updates for "revoked certificates"
  273. * [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
  274. * [2] https://trac.torproject.org/projects/tor/ticket/16931 ***/
  275. user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true]
  276. user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/");
  277. /* 0403: disable individual unwanted/unneeded parts of the Kinto blocklists
  278. * What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
  279. * As Firefox transitions to Kinto, the blocklists have been broken down into entries for certs to be
  280. * revoked, extensions and plugins to be disabled, and gfx environments that cause problems or crashes ***/
  281. // user_pref("services.blocklist.onecrl.collection", ""); // revoked certificates
  282. // user_pref("services.blocklist.addons.collection", "");
  283. // user_pref("services.blocklist.plugins.collection", "");
  284. // user_pref("services.blocklist.gfx.collection", "");
  285. /** SAFE BROWSING (SB)
  286. This sub-section has been redesigned to differentiate between "real-time"/"user initiated" data
  287. being sent to Google from all other settings such as using local blocklists/whitelists and updating
  288. those lists. There are NO privacy issues here. *IF* required, a full url is never sent to Google,
  289. only a PART-hash of the prefix, and this is hidden with noise of other real PART-hashes. Google also
  290. swear it is anonymized and only used to flag malicious sites/activity. Firefox also takes measures
  291. such as striping out identifying parameters and storing safe browsing cookies in a separate jar.
  292. SB v4 (FF57+) doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity)
  293. #Required reading [#] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
  294. [1] https://wiki.mozilla.org/Security/Safe_Browsing ***/
  295. /* 0410: disable "Block dangerous and deceptive content"
  296. * This covers deceptive sites such as phishing and social engineering
  297. * [SETTING] Privacy & Security>Security>Deceptive Content and Software Protection ***/
  298. // user_pref("browser.safebrowsing.malware.enabled", false);
  299. // user_pref("browser.safebrowsing.phishing.enabled", false); // [FF50+]
  300. /* 0411: disable "Block dangerous downloads"
  301. * This covers malware and PUPs (potentially unwanted programs)
  302. * [SETTING] Privacy & Security>Security>Deceptive Content and Software Protection ***/
  303. // user_pref("browser.safebrowsing.downloads.enabled", false);
  304. /* 0412: disable "Warn me about unwanted and uncommon software"
  305. * [SETTING] Privacy & Security>Security>Deceptive Content and Software Protection ***/
  306. // user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); // [FF48+]
  307. // user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false); // [FF48+]
  308. // user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false); // [FF49+]
  309. // user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false); // [FF49+]
  310. /* 0413: disable Google safebrowsing updates ***/
  311. // user_pref("browser.safebrowsing.provider.google.updateURL", "");
  312. // user_pref("browser.safebrowsing.provider.google.gethashURL", "");
  313. // user_pref("browser.safebrowsing.provider.google4.updateURL", ""); // [FF50+]
  314. // user_pref("browser.safebrowsing.provider.google4.gethashURL", ""); // [FF50+]
  315. /* 0414: disable binaries NOT in local lists being checked by Google (real-time checking) ***/
  316. user_pref("browser.safebrowsing.downloads.remote.enabled", false);
  317. user_pref("browser.safebrowsing.downloads.remote.url", "");
  318. /* 0415: disable reporting URLs ***/
  319. user_pref("browser.safebrowsing.provider.google.reportURL", "");
  320. user_pref("browser.safebrowsing.reportPhishURL", "");
  321. user_pref("browser.safebrowsing.provider.google4.reportURL", ""); // [FF50+]
  322. user_pref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", ""); // [FF54+]
  323. user_pref("browser.safebrowsing.provider.google.reportPhishMistakeURL", ""); // [FF54+]
  324. user_pref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", ""); // [FF54+]
  325. user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", ""); // [FF54+]
  326. /* 0416: disable 'ignore this warning' on Safe Browsing warnings
  327. * If clicked, it bypasses the block for that session. This is a means for admins to enforce SB
  328. * [TEST] see github wiki APPENDIX A: Test Sites: Section 5
  329. * [1] https://bugzilla.mozilla.org/1226490 ***/
  330. // user_pref("browser.safebrowsing.allowOverride", false);
  331. /* 0417: disable data sharing [FF58+] ***/
  332. user_pref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
  333. user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
  334. /** TRACKING PROTECTION (TP)
  335. There are NO privacy concerns here, but we strongly recommend to use uBlock Origin as well,
  336. as it offers more comprehensive and specialized lists. It also allows per domain control. ***/
  337. /* 0420: enable Tracking Protection in all windows
  338. * [NOTE] TP sends DNT headers regardless of the DNT pref (see 1610)
  339. * [1] https://wiki.mozilla.org/Security/Tracking_protection
  340. * [2] https://support.mozilla.org/kb/tracking-protection-firefox ***/
  341. // user_pref("privacy.trackingprotection.pbmode.enabled", true); // [DEFAULT: true]
  342. // user_pref("privacy.trackingprotection.enabled", true);
  343. /* 0422: set which Tracking Protection block list to use
  344. * [WARNING] We don't recommend enforcing this from here, as available block lists can change
  345. * [SETTING] Privacy & Security>Content Blocking>All Detected Trackers>Change block list ***/
  346. // user_pref("urlclassifier.trackingTable", "test-track-simple,base-track-digest256"); // basic
  347. /* 0423: disable Mozilla's blocklist for known Flash tracking/fingerprinting [FF48+]
  348. * [1] https://www.ghacks.net/2016/07/18/firefox-48-blocklist-against-plugin-fingerprinting/
  349. * [2] https://bugzilla.mozilla.org/1237198 ***/
  350. // user_pref("browser.safebrowsing.blockedURIs.enabled", false);
  351. /* 0424: disable Mozilla's tracking protection and Flash blocklist updates ***/
  352. // user_pref("browser.safebrowsing.provider.mozilla.gethashURL", "");
  353. // user_pref("browser.safebrowsing.provider.mozilla.updateURL", "");
  354. /* 0425: disable passive Tracking Protection [FF53+]
  355. * Passive TP annotates channels to lower the priority of network loads for resources on the tracking protection list
  356. * [NOTE] It has no effect if TP is enabled, but keep in mind that by default TP is only enabled in Private Windows
  357. * This is included for people who want to completely disable Tracking Protection.
  358. * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1170190,1141814 ***/
  359. // user_pref("privacy.trackingprotection.annotate_channels", false);
  360. // user_pref("privacy.trackingprotection.lower_network_priority", false);
  361. /*** [SECTION 0500]: SYSTEM ADD-ONS / EXPERIMENTS
  362. System Add-ons are a method for shipping extensions, considered to be
  363. built-in features to Firefox, that are hidden from the about:addons UI.
  364. To view your System Add-ons go to about:support, they are listed under "Firefox Features"
  365. Some System Add-ons have no on-off prefs. Instead you can manually remove them. Note that app
  366. updates will restore them. They may also be updated and possibly restored automatically (see 0505)
  367. * Portable: "...\App\Firefox64\browser\features\" (or "App\Firefox\etc" for 32bit)
  368. * Windows: "...\Program Files\Mozilla\browser\features" (or "Program Files (X86)\etc" for 32bit)
  369. * Mac: "...\Applications\Firefox\Contents\Resources\browser\features\"
  370. [NOTE] On Mac you can right-click on the application and select "Show Package Contents"
  371. * Linux: "/usr/lib/firefox/browser/features" (or similar)
  372. [1] https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html
  373. [2] https://dxr.mozilla.org/mozilla-central/source/browser/extensions
  374. ***/
  375. user_pref("_user.js.parrot", "0500 syntax error: the parrot's cashed in 'is chips!");
  376. /* 0502: disable Mozilla permission to silently opt you into tests ***/
  377. user_pref("network.allow-experiments", false);
  378. /* 0503: disable Normandy/Shield [FF60+]
  379. * Shield is an telemetry system (including Heartbeat) that can also push and test "recipes"
  380. * [1] https://wiki.mozilla.org/Firefox/Shield
  381. * [2] https://github.com/mozilla/normandy ***/
  382. user_pref("app.normandy.enabled", false);
  383. user_pref("app.normandy.api_url", "");
  384. /* 0505: disable System Add-on updates ***/
  385. user_pref("extensions.systemAddon.update.enabled", false); // [FF62+]
  386. user_pref("extensions.systemAddon.update.url", ""); // [FF44+]
  387. /* 0506: disable PingCentre telemetry (used in several System Add-ons) [FF57+]
  388. * Currently blocked by 'datareporting.healthreport.uploadEnabled' (see 0340) ***/
  389. user_pref("browser.ping-centre.telemetry", false);
  390. /* 0515: disable Screenshots
  391. * alternatively in FF60+, disable uploading to the Screenshots server
  392. * [1] https://github.com/mozilla-services/screenshots
  393. * [2] https://www.ghacks.net/2017/05/28/firefox-screenshots-integrated-in-firefox-nightly/ ***/
  394. // user_pref("extensions.screenshots.disabled", true); // [FF55+]
  395. // user_pref("extensions.screenshots.upload-disabled", true); // [FF60+]
  396. /* 0517: disable Form Autofill
  397. * [NOTE] Stored data is NOT secure (uses a JSON file)
  398. * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
  399. * [SETTING] Privacy & Security>Forms & Passwords>Autofill addresses
  400. * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill
  401. * [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ ***/
  402. user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+]
  403. user_pref("extensions.formautofill.available", "off"); // [FF56+]
  404. user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+]
  405. user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
  406. /* 0518: disable Web Compatibility Reporter [FF56+]
  407. * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/
  408. user_pref("extensions.webcompat-reporter.enabled", false);
  409. /*** [SECTION 0600]: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - e.g. clicked on] ***/
  410. user_pref("_user.js.parrot", "0600 syntax error: the parrot's no more!");
  411. /* 0601: disable link prefetching
  412. * [1] https://developer.mozilla.org/docs/Web/HTTP/Link_prefetching_FAQ ***/
  413. user_pref("network.prefetch-next", false);
  414. /* 0602: disable DNS prefetching
  415. * [1] https://www.ghacks.net/2013/04/27/firefox-prefetching-what-you-need-to-know/
  416. * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/
  417. user_pref("network.dns.disablePrefetch", true);
  418. user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF]
  419. /* 0603a: disable Seer/Necko
  420. * [1] https://developer.mozilla.org/docs/Mozilla/Projects/Necko ***/
  421. user_pref("network.predictor.enabled", false);
  422. /* 0603b: disable more Necko/Captive Portal
  423. * [1] https://en.wikipedia.org/wiki/Captive_portal
  424. * [2] https://wiki.mozilla.org/Necko/CaptivePortal
  425. * [3] https://trac.torproject.org/projects/tor/ticket/21790 ***/
  426. user_pref("captivedetect.canonicalURL", "");
  427. user_pref("network.captive-portal-service.enabled", false); // [FF52+]
  428. /* 0605: disable link-mouseover opening connection to linked server
  429. * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests
  430. * [2] https://www.ghacks.net/2015/08/16/block-firefox-from-connecting-to-sites-when-you-hover-over-links/ ***/
  431. user_pref("network.http.speculative-parallel-limit", 0);
  432. /* 0606: disable pings (but enforce same host in case)
  433. * [1] http://kb.mozillazine.org/Browser.send_pings
  434. * [2] http://kb.mozillazine.org/Browser.send_pings.require_same_host ***/
  435. user_pref("browser.send_pings", false);
  436. user_pref("browser.send_pings.require_same_host", true);
  437. /* 0607: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS]
  438. * [1] https://www.ghacks.net/2016/03/25/block-firefox-chrome-windows-store/ ***/
  439. user_pref("network.protocol-handler.external.ms-windows-store", false);
  440. /* 0608: disable predictor / prefetching [FF48+] ***/
  441. user_pref("network.predictor.enable-prefetch", false);
  442. /* 0609: disable Network Connectivity Service [FF65+] ***/
  443. user_pref("network.connectivity-service.enabled", false);
  444. /*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/
  445. user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!");
  446. /* 0701: disable IPv6
  447. * IPv6 can be abused, especially regarding MAC addresses. They also do not play nice
  448. * with VPNs. That's even assuming your ISP and/or router and/or website can handle it
  449. * [NOTE] This is just an application level fallback. Disabling IPv6 is best done
  450. * at an OS/network level, and/or configured properly in VPN setups
  451. * [TEST] http://ipv6leak.com/
  452. * [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/437#issuecomment-403740626
  453. * [2] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/
  454. user_pref("network.dns.disableIPv6", true);
  455. /* 0702: disable HTTP2 (which was based on SPDY which is now deprecated)
  456. * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to enhance
  457. * privacy, and in fact opens up a number of server-side fingerprinting opportunities
  458. * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the
  459. * consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
  460. * and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
  461. * [1] https://http2.github.io/faq/
  462. * [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
  463. * [3] https://queue.acm.org/detail.cfm?id=2716278
  464. * [4] https://github.com/ghacksuserjs/ghacks-user.js/issues/107 ***/
  465. user_pref("network.http.spdy.enabled", false);
  466. user_pref("network.http.spdy.enabled.deps", false);
  467. user_pref("network.http.spdy.enabled.http2", false);
  468. user_pref("network.http.spdy.websockets", false); // [FF65+]
  469. /* 0703: disable HTTP Alternative Services [FF37+]
  470. * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the
  471. * consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
  472. * and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
  473. * [1] https://tools.ietf.org/html/rfc7838#section-9
  474. * [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/
  475. user_pref("network.http.altsvc.enabled", false);
  476. user_pref("network.http.altsvc.oe", false);
  477. /* 0704: enforce the proxy server to do any DNS lookups when using SOCKS
  478. * e.g. in Tor, this stops your local DNS server from knowing your Tor destination
  479. * as a remote Tor node will handle the DNS request
  480. * [1] http://kb.mozillazine.org/Network.proxy.socks_remote_dns
  481. * [2] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
  482. user_pref("network.proxy.socks_remote_dns", true);
  483. /* 0706: remove paths when sending URLs to PAC scripts [FF51+]
  484. * CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
  485. * [1] https://bugzilla.mozilla.org/1255474 ***/
  486. user_pref("network.proxy.autoconfig_url.include_path", false); // [DEFAULT: false]
  487. /* 0707: disable (or setup) DNS-over-HTTPS (DoH) [FF60+]
  488. * TRR = Trusted Recursive Resolver
  489. * .mode: 0=off, 1=race, 2=TRR first, 3=TRR only, 4=race for stats but always use native result
  490. * [WARNING] DoH bypasses hosts and gives info to yet another party (e.g. Cloudflare)
  491. * [1] https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/
  492. * [2] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ ***/
  493. // user_pref("network.trr.mode", 0);
  494. // user_pref("network.trr.bootstrapAddress", "");
  495. // user_pref("network.trr.uri", "");
  496. /* 0708: disable FTP [FF60+]
  497. * [1] https://www.ghacks.net/2018/02/20/firefox-60-with-new-preference-to-disable-ftp/ ***/
  498. // user_pref("network.ftp.enabled", false);
  499. /* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+]
  500. * [1] https://trac.torproject.org/projects/tor/ticket/26424 ***/
  501. user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
  502. /* 0710: disable GIO as a potential proxy bypass vector
  503. * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda,
  504. * gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64)
  505. * [1] https://bugzilla.mozilla.org/1433507
  506. * [2] https://trac.torproject.org/23044
  507. * [3] https://en.wikipedia.org/wiki/GVfs
  508. * [4] https://en.wikipedia.org/wiki/GIO_(software) ***/
  509. user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
  510. /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS [SETUP-CHROME]
  511. Change items 0850 and above to suit for privacy vs convenience and functionality. Consider
  512. your environment (no unwanted eyeballs), your device (restricted access), your device's
  513. unattended state (locked, encrypted, forensic hardened). Likewise, you may want to check
  514. the items cleared on shutdown in section 2800.
  515. [NOTE] The urlbar is also commonly referred to as the location bar and address bar
  516. #Required reading [#] https://xkcd.com/538/
  517. ***/
  518. user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
  519. /* 0801: disable location bar using search
  520. * don't leak typos to a search engine, give an error message instead ***/
  521. user_pref("keyword.enabled", false);
  522. /* 0802: disable location bar domain guessing
  523. * domain guessing intercepts DNS "hostname not found errors" and resends a
  524. * request (e.g. by adding www or .com). This is inconsistent use (e.g. FQDNs), does not work
  525. * via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com
  526. * as the 411 for DNS errors?), privacy issues (why connect to sites you didn't
  527. * intend to), can leak sensitive data (e.g. query strings: e.g. Princeton attack),
  528. * and is a security risk (e.g. common typos & malicious sites set up to exploit this) ***/
  529. user_pref("browser.fixup.alternate.enabled", false);
  530. /* 0803: display all parts of the url in the location bar ***/
  531. user_pref("browser.urlbar.trimURLs", false);
  532. /* 0804: limit history leaks via enumeration (PER TAB: back/forward)
  533. * This is a PER TAB session history. You still have a full history stored under all history
  534. * default=50, minimum=1=currentpage, 2 is the recommended minimum as some pages
  535. * use it as a means of referral (e.g. hotlinking), 4 or 6 or 10 may be more practical ***/
  536. user_pref("browser.sessionhistory.max_entries", 10);
  537. /* 0805: disable CSS querying page history - CSS history leak
  538. * [NOTE] This has NEVER been fully "resolved": in Mozilla/docs it is stated it's
  539. * only in 'certain circumstances', also see latest comments in [2]
  540. * [TEST] http://lcamtuf.coredump.cx/yahh/ (see github wiki APPENDIX C on how to use)
  541. * [1] https://dbaron.org/mozilla/visited-privacy
  542. * [2] https://bugzilla.mozilla.org/147777
  543. * [3] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector ***/
  544. user_pref("layout.css.visited_links_enabled", false);
  545. /* 0806: disable displaying javascript in history URLs ***/
  546. user_pref("browser.urlbar.filter.javascript", true); // [DEFAULT: true]
  547. /* 0807: disable search bar LIVE search suggestions
  548. * [SETTING] Search>Provide search suggestions ***/
  549. user_pref("browser.search.suggest.enabled", false);
  550. /* 0808: disable location bar LIVE search suggestions (requires 0807 = true)
  551. * Also disable the location bar prompt to enable/disable or learn more about it.
  552. * [SETTING] Search>Show search suggestions in address bar results ***/
  553. user_pref("browser.urlbar.suggest.searches", false);
  554. user_pref("browser.urlbar.userMadeSearchSuggestionsChoice", true); // [FF41+]
  555. /* 0809: disable location bar suggesting "preloaded" top websites [FF54+]
  556. * [1] https://bugzilla.mozilla.org/1211726 ***/
  557. user_pref("browser.urlbar.usepreloadedtopurls.enabled", false);
  558. /* 0810: disable location bar making speculative connections [FF56+]
  559. * [1] https://bugzilla.mozilla.org/1348275 ***/
  560. user_pref("browser.urlbar.speculativeConnect.enabled", false);
  561. /* 0850a: disable location bar suggestion types
  562. * [SETUP-CHROME] If all three suggestion types are false, search engine keywords are disabled
  563. * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/
  564. // user_pref("browser.urlbar.suggest.history", false);
  565. // user_pref("browser.urlbar.suggest.bookmark", false);
  566. // user_pref("browser.urlbar.suggest.openpage", false);
  567. /* 0850c: disable location bar dropdown
  568. * This value controls the total number of entries to appear in the location bar dropdown
  569. * [NOTE] Items (bookmarks/history/openpages) with a high "frecency"/"bonus" will always
  570. * be displayed (no we do not know how these are calculated or what the threshold is),
  571. * and this does not affect the search by search engine suggestion (see 0808)
  572. * [NOTE] This setting is only useful if you want to enable search engine keywords
  573. * (i.e. at least one of 0850a suggestion types must be true) but you want to *limit* suggestions shown ***/
  574. // user_pref("browser.urlbar.maxRichResults", 0);
  575. /* 0850d: disable location bar autofill
  576. * [1] http://kb.mozillazine.org/Inline_autocomplete ***/
  577. // user_pref("browser.urlbar.autoFill", false);
  578. /* 0850e: disable location bar one-off searches [FF51+]
  579. * [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ ***/
  580. // user_pref("browser.urlbar.oneOffSearches", false);
  581. /* 0860: disable search and form history
  582. * [NOTE] You can clear formdata on exiting Firefox (see 2803)
  583. * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history ***/
  584. user_pref("browser.formfill.enable", false);
  585. /* 0862: disable browsing and download history
  586. * [NOTE] You can clear history and downloads on exiting Firefox (see 2803)
  587. * [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/
  588. // user_pref("places.history.enabled", false);
  589. /* 0864: disable date/time picker
  590. * This can leak your locale if not en-US
  591. * [1] https://trac.torproject.org/projects/tor/ticket/21787 ***/
  592. user_pref("dom.forms.datetime", false);
  593. /* 0870: disable Windows jumplist [WINDOWS] ***/
  594. user_pref("browser.taskbar.lists.enabled", false);
  595. user_pref("browser.taskbar.lists.frequent.enabled", false);
  596. user_pref("browser.taskbar.lists.recent.enabled", false);
  597. user_pref("browser.taskbar.lists.tasks.enabled", false);
  598. /* 0871: disable Windows taskbar preview [WINDOWS] ***/
  599. user_pref("browser.taskbar.previews.enable", false);
  600. /*** [SECTION 0900]: PASSWORDS ***/
  601. user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!");
  602. /* 0901: disable saving passwords
  603. * [NOTE] This does not clear any passwords already saved
  604. * [SETTING] Privacy & Security>Forms & Passwords>Ask to save logins and passwords for websites ***/
  605. // user_pref("signon.rememberSignons", false);
  606. /* 0902: use a master password (recommended if you save passwords)
  607. * There are no preferences for this. It is all handled internally.
  608. * [SETTING] Privacy & Security>Forms & Passwords>Use a master password
  609. * [1] https://support.mozilla.org/kb/use-master-password-protect-stored-logins ***/
  610. /* 0903: set how often Firefox should ask for the master password
  611. * 0=the first time (default), 1=every time it's needed, 2=every n minutes (see 0904) ***/
  612. user_pref("security.ask_for_password", 2);
  613. /* 0904: set how often in minutes Firefox should ask for the master password (see 0903)
  614. * in minutes, default is 30 ***/
  615. user_pref("security.password_lifetime", 5);
  616. /* 0905: disable auto-filling username & password form fields
  617. * can leak in cross-site forms AND be spoofed
  618. * [NOTE] Password will still be auto-filled after a user name is manually entered
  619. * [1] http://kb.mozillazine.org/Signon.autofillForms ***/
  620. user_pref("signon.autofillForms", false);
  621. /* 0906: disable websites' autocomplete="off" [FF30+]
  622. * Don't let sites dictate use of saved logins and passwords. Increase security through
  623. * stronger password use. The trade-off is the convenience. Some sites should never be
  624. * saved (such as banking sites). Set at true, informed users can make their own choice. ***/
  625. user_pref("signon.storeWhenAutocompleteOff", true); // [DEFAULT: true]
  626. /* 0907: display warnings for logins on non-secure (non HTTPS) pages
  627. * [1] https://bugzilla.mozilla.org/1217156 ***/
  628. user_pref("security.insecure_password.ui.enabled", true);
  629. /* 0909: disable formless login capture for Password Manager [FF51+] ***/
  630. user_pref("signon.formlessCapture.enabled", false);
  631. /* 0910: disable autofilling saved passwords on HTTP pages and show warning [FF52+]
  632. * [1] https://www.fxsitecompat.com/en-CA/docs/2017/insecure-login-forms-now-disable-autofill-show-warning-beneath-input-control/
  633. * [2] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1217152,1319119 ***/
  634. user_pref("signon.autofillForms.http", false);
  635. user_pref("security.insecure_field_warning.contextual.enabled", true);
  636. /* 0912: limit (or disable) HTTP authentication credentials dialogs triggered by sub-resources [FF41+]
  637. * hardens against potential credentials phishing
  638. * 0=don't allow sub-resources to open HTTP authentication credentials dialogs
  639. * 1=don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs
  640. * 2=allow sub-resources to open HTTP authentication credentials dialogs (default)
  641. * [1] https://www.fxsitecompat.com/en-CA/docs/2015/http-auth-dialog-can-no-longer-be-triggered-by-cross-origin-resources/ ***/
  642. user_pref("network.auth.subresource-http-auth-allow", 1);
  643. /*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS [SETUP-CHROME]
  644. ETAG [1] and other [2][3] cache tracking/fingerprinting techniques can be averted by
  645. disabling *BOTH* disk (1001) and memory (1003) cache. ETAGs can also be neutralized
  646. by modifying response headers [4]. Another solution is to use a hardened configuration
  647. with Temporary Containers [5]. Alternatively, you can *LIMIT* exposure by clearing
  648. cache on close (2803). or on a regular basis manually or with an extension.
  649. [1] https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
  650. [2] https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/
  651. [3] https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache
  652. [4] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.4-Header-Editor
  653. [5] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
  654. ***/
  655. user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
  656. /** CACHE ***/
  657. /* 1001: disable disk cache ***/
  658. user_pref("browser.cache.disk.enable", false);
  659. user_pref("browser.cache.disk.capacity", 0);
  660. user_pref("browser.cache.disk.smart_size.enabled", false);
  661. user_pref("browser.cache.disk.smart_size.first_run", false);
  662. /* 1002: disable disk cache for SSL pages
  663. * [1] http://kb.mozillazine.org/Browser.cache.disk_cache_ssl ***/
  664. user_pref("browser.cache.disk_cache_ssl", false);
  665. /* 1003: disable memory cache
  666. * [NOTE] Not recommended due to performance issues ***/
  667. // user_pref("browser.cache.memory.enable", false);
  668. // user_pref("browser.cache.memory.capacity", 0); // [HIDDEN PREF]
  669. /* 1005: disable fastback cache
  670. * To improve performance when pressing back/forward Firefox stores visited pages
  671. * so they don't have to be re-parsed. This is not the same as memory cache.
  672. * 0=none, -1=auto (that's minus 1), or for other values see [1]
  673. * [WARNING] Not recommended unless you know what you're doing
  674. * [1] http://kb.mozillazine.org/Browser.sessionhistory.max_total_viewers ***/
  675. // user_pref("browser.sessionhistory.max_total_viewers", 0);
  676. /* 1006: disable permissions manager from writing to disk [RESTART]
  677. * [NOTE] This means any permission changes are session only
  678. * [1] https://bugzilla.mozilla.org/967812 ***/
  679. // user_pref("permissions.memory_only", true); // [HIDDEN PREF]
  680. /* 1008: set DNS cache and expiration time (default 400 and 60, same as Tor Browser) ***/
  681. // user_pref("network.dnsCacheEntries", 400);
  682. // user_pref("network.dnsCacheExpiration", 60);
  683. /** SESSIONS & SESSION RESTORE ***/
  684. /* 1020: exclude "Undo Closed Tabs" in Session Restore ***/
  685. // user_pref("browser.sessionstore.max_tabs_undo", 0);
  686. /* 1021: disable storing extra session data [SETUP-CHROME]
  687. * extra session data contains contents of forms, scrollbar positions, cookies and POST data
  688. * define on which sites to save extra session data:
  689. * 0=everywhere, 1=unencrypted sites, 2=nowhere ***/
  690. user_pref("browser.sessionstore.privacy_level", 2);
  691. /* 1022: disable resuming session from crash ***/
  692. // user_pref("browser.sessionstore.resume_from_crash", false);
  693. /* 1023: set the minimum interval between session save operations
  694. * Increasing this can help on older machines and some websites, as well as reducing writes, see [1]
  695. * Default is 15000 (15 secs). Try 30000 (30 secs), 60000 (1 min) etc
  696. * [SETUP-CHROME] This can also affect entries in the "Recently Closed Tabs" feature:
  697. * i.e. the longer the interval the more chance a quick tab open/close won't be captured.
  698. * This longer interval *may* affect history but we cannot replicate any history not recorded
  699. * [1] https://bugzilla.mozilla.org/1304389 ***/
  700. user_pref("browser.sessionstore.interval", 30000);
  701. /* 1024: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS]
  702. * [1] https://bugzilla.mozilla.org/603903 ***/
  703. user_pref("toolkit.winRegisterApplicationRestart", false);
  704. /** FAVICONS ***/
  705. /* 1030: disable favicons in shortcuts
  706. * URL shortcuts use a cached randomly named .ico file which is stored in your
  707. * profile/shortcutCache directory. The .ico remains after the shortcut is deleted.
  708. * If set to false then the shortcuts use a generic Firefox icon ***/
  709. user_pref("browser.shell.shortcutFavicons", false);
  710. /* 1031: disable favicons in tabs and new bookmarks
  711. * bookmark favicons are stored as data blobs in favicons.sqlite ***/
  712. // user_pref("browser.chrome.site_icons", false);
  713. /* 1032: disable favicons in web notifications ***/
  714. user_pref("alerts.showFavicons", false); // [DEFAULT: false]
  715. /*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
  716. Note that your cipher and other settings can be used server side as a fingerprint attack
  717. vector, see [1] (It's quite technical but the first part is easy to understand
  718. and you can stop reading when you reach the second section titled "Enter Bro")
  719. Option 1: Use defaults for ciphers (1260's). There is nothing *weak* about these, but
  720. due to breakage, browsers can't deprecate them until the web stops using them
  721. Option 2: Disable the ciphers in 1261, 1262 and 1263. These shouldn't break anything.
  722. Optionally, disable the ciphers in 1264.
  723. [1] https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/
  724. ***/
  725. user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
  726. /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
  727. /* 1201: disable old SSL/TLS "insecure" renegotiation (vulnerable to a MiTM attack)
  728. * [SETUP-WEB] <2% of secure sites do NOT support the newer "secure" renegotiation, see [2]
  729. * [1] https://wiki.mozilla.org/Security:Renegotiation
  730. * [2] https://www.ssllabs.com/ssl-pulse/ ***/
  731. user_pref("security.ssl.require_safe_negotiation", true);
  732. /* 1202: control TLS versions with min and max
  733. * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
  734. * [NOTE] Jul-2017: Telemetry indicates approx 2% of TLS web traffic uses 1.0 or 1.1
  735. * [1] http://kb.mozillazine.org/Security.tls.version.*
  736. * [2] https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/
  737. * [2] archived: https://archive.is/hY2Mm ***/
  738. // user_pref("security.tls.version.min", 3);
  739. user_pref("security.tls.version.max", 4);
  740. /* 1203: disable SSL session tracking [FF36+]
  741. * SSL Session IDs are unique, last up to 24hrs in Firefox, and can be used for tracking
  742. * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the
  743. * consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
  744. * and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
  745. * [1] https://tools.ietf.org/html/rfc5077
  746. * [2] https://bugzilla.mozilla.org/967977
  747. * [3] https://arxiv.org/abs/1810.07304 ***/
  748. user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF]
  749. /* 1204: disable SSL Error Reporting
  750. * [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html ***/
  751. user_pref("security.ssl.errorReporting.automatic", false);
  752. user_pref("security.ssl.errorReporting.enabled", false);
  753. user_pref("security.ssl.errorReporting.url", "");
  754. /* 1205: disable TLS1.3 0-RTT (round-trip time) [FF51+]
  755. * [1] https://github.com/tlswg/tls13-spec/issues/1001
  756. * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
  757. user_pref("security.tls.enable_0rtt_data", false);
  758. /** OCSP (Online Certificate Status Protocol)
  759. #Required reading [#] https://scotthelme.co.uk/revocation-is-broken/ ***/
  760. /* 1210: enable OCSP Stapling
  761. * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
  762. user_pref("security.ssl.enable_ocsp_stapling", true);
  763. /* 1211: control when to use OCSP fetching (to confirm current validity of certificates)
  764. * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
  765. * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
  766. * It's a trade-off between security (checking) and privacy (leaking info to the CA)
  767. * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
  768. * [1] https://en.wikipedia.org/wiki/Ocsp ***/
  769. user_pref("security.OCSP.enabled", 1);
  770. /* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail [SETUP-WEB]
  771. * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
  772. * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
  773. * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
  774. * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
  775. * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
  776. * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
  777. user_pref("security.OCSP.require", true);
  778. /** CERTS / HPKP (HTTP Public Key Pinning) ***/
  779. /* 1220: disable or limit SHA-1 certificates
  780. * 0=all SHA1 certs are allowed
  781. * 1=all SHA1 certs are blocked
  782. * 2=deprecated option that now maps to 1
  783. * 3=only allowed for locally-added roots (e.g. anti-virus)
  784. * 4=only allowed for locally-added roots or for certs in 2015 and earlier
  785. * [SETUP-CHROME] When disabled, some man-in-the-middle devices (e.g. security scanners and
  786. * antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete.
  787. * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/
  788. user_pref("security.pki.sha1_enforcement_level", 1);
  789. /* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
  790. * 0=disable detecting Family Safety mode and importing the root
  791. * 1=only attempt to detect Family Safety mode (don't import the root)
  792. * 2=detect Family Safety mode and import the root
  793. * [1] https://trac.torproject.org/projects/tor/ticket/21686 ***/
  794. user_pref("security.family_safety.mode", 0);
  795. /* 1222: disable intermediate certificate caching (fingerprinting attack vector) [RESTART]
  796. * [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only.
  797. * Saved logins and passwords are not available. Reset the pref and restart to return them.
  798. * [TEST] https://fiprinca.0x90.eu/poc/
  799. * [1] https://bugzilla.mozilla.org/1334485 - related bug
  800. * [2] https://bugzilla.mozilla.org/1216882 - related bug (see comment 9) ***/
  801. // user_pref("security.nocertdb", true); // [HIDDEN PREF]
  802. /* 1223: enforce strict pinning
  803. * PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict
  804. * [WARNING] If you rely on an AV (antivirus) to protect your web browsing
  805. * by inspecting ALL your web traffic, then leave at current default=1
  806. * [1] https://trac.torproject.org/projects/tor/ticket/16206 ***/
  807. user_pref("security.cert_pinning.enforcement_level", 2);
  808. /** MIXED CONTENT ***/
  809. /* 1240: disable insecure active content on https pages
  810. * [1] https://trac.torproject.org/projects/tor/ticket/21323 ***/
  811. user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true]
  812. /* 1241: disable insecure passive content (such as images) on https pages ***/
  813. user_pref("security.mixed_content.block_display_content", true);
  814. /* 1243: block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks [FF59+]
  815. * [1] https://bugzilla.mozilla.org/1190623 ***/
  816. user_pref("security.mixed_content.block_object_subrequest", true);
  817. /** CIPHERS [see the section 1200 intro] ***/
  818. /* 1261: disable 3DES (effective key size < 128)
  819. * [1] https://en.wikipedia.org/wiki/3des#Security
  820. * [2] http://en.citizendium.org/wiki/Meet-in-the-middle_attack
  821. * [3] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ***/
  822. // user_pref("security.ssl3.rsa_des_ede3_sha", false);
  823. /* 1262: disable 128 bits ***/
  824. // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
  825. // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
  826. /* 1263: disable DHE (Diffie-Hellman Key Exchange)
  827. * [1] https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH ***/
  828. // user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
  829. // user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
  830. /* 1264: disable the remaining non-modern cipher suites as of FF52 ***/
  831. // user_pref("security.ssl3.rsa_aes_128_sha", false);
  832. // user_pref("security.ssl3.rsa_aes_256_sha", false);
  833. /** UI (User Interface) ***/
  834. /* 1270: display warning (red padlock) for "broken security" (see 1201)
  835. * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
  836. user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
  837. /* 1271: control "Add Security Exception" dialog on SSL warnings
  838. * 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)
  839. * [1] https://github.com/pyllyukko/user.js/issues/210 ***/
  840. user_pref("browser.ssl_override_behavior", 1);
  841. /* 1272: display advanced information on Insecure Connection warning pages
  842. * only works when it's possible to add an exception
  843. * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/)
  844. * [TEST] https://expired.badssl.com/ ***/
  845. user_pref("browser.xul.error_pages.expert_bad_cert", true);
  846. /* 1273: display "insecure" icon and "Not Secure" text on HTTP sites ***/
  847. user_pref("security.insecure_connection_icon.enabled", true); // [FF59+]
  848. user_pref("security.insecure_connection_text.enabled", true); // [FF60+]
  849. // user_pref("security.insecure_connection_icon.pbmode.enabled", true); // [FF59+] private windows only
  850. // user_pref("security.insecure_connection_text.pbmode.enabled", true); // [FF60+] private windows only
  851. /*** [SECTION 1400]: FONTS ***/
  852. user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
  853. /* 1401: disable websites choosing fonts (0=block, 1=allow)
  854. * If you disallow fonts, this drastically limits/reduces font
  855. * enumeration (by JS) which is a high entropy fingerprinting vector.
  856. * [NOTE] Disabling fonts can uglify the web a fair bit.
  857. * [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Allow pages to choose... ***/
  858. user_pref("browser.display.use_document_fonts", 0);
  859. /* 1402: set more legible default fonts
  860. * [NOTE] Example below for Windows/Western only
  861. * [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Serif|Sans-serif|Monospace ***/
  862. // user_pref("font.name.serif.x-unicode", "Georgia");
  863. // user_pref("font.name.serif.x-western", "Georgia"); // default: Times New Roman
  864. // user_pref("font.name.sans-serif.x-unicode", "Arial");
  865. // user_pref("font.name.sans-serif.x-western", "Arial"); // default: Arial
  866. // user_pref("font.name.monospace.x-unicode", "Lucida Console");
  867. // user_pref("font.name.monospace.x-western", "Lucida Console"); // default: Courier New
  868. /* 1403: disable icon fonts (glyphs) and local fallback rendering
  869. * [1] https://bugzilla.mozilla.org/789788
  870. * [2] https://trac.torproject.org/projects/tor/ticket/8455 ***/
  871. // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+]
  872. // user_pref("gfx.downloadable_fonts.fallback_delay", -1);
  873. /* 1404: disable rendering of SVG OpenType fonts
  874. * [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
  875. user_pref("gfx.font_rendering.opentype_svg.enabled", false);
  876. /* 1405: disable WOFF2 (Web Open Font Format) [FF35+] ***/
  877. user_pref("gfx.downloadable_fonts.woff2.enabled", false);
  878. /* 1406: disable CSS Font Loading API
  879. * [NOTE] Disabling fonts can uglify the web a fair bit. ***/
  880. user_pref("layout.css.font-loading-api.enabled", false);
  881. /* 1407: disable special underline handling for a few fonts which you will probably never use [RESTART]
  882. * Any of these fonts on your system can be enumerated for fingerprinting.
  883. * [1] http://kb.mozillazine.org/Font.blacklist.underline_offset ***/
  884. user_pref("font.blacklist.underline_offset", "");
  885. /* 1408: disable graphite which FF49 turned back on by default
  886. * In the past it had security issues. Update: This continues to be the case, see [1]
  887. * [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 ***/
  888. user_pref("gfx.font_rendering.graphite.enabled", false);
  889. /* 1409: limit system font exposure to a whitelist [FF52+] [RESTART]
  890. * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.
  891. * [WARNING] Creating your own probably highly-unique whitelist will raise your entropy.
  892. * Eventually privacy.resistFingerprinting (see 4500) will cover this (and 1401 can be relaxed)
  893. * [1] https://bugzilla.mozilla.org/1121643 ***/
  894. // user_pref("font.system.whitelist", ""); // [HIDDEN PREF]
  895. /*** [SECTION 1600]: HEADERS / REFERERS
  896. Only *cross domain* referers need controlling and XOriginPolicy (1603) is perfect for that. Thus we enforce
  897. the default values for 1601, 1602, 1605 and 1606 to minimize breakage, and only tweak 1603 and 1604.
  898. Our default settings provide the best balance between protection and amount of breakage.
  899. To harden it a bit more you can set XOriginPolicy (1603) to 2 (+ optionally 1604 to 1 or 2).
  900. To fix broken sites (including your modem/router), temporarily set XOriginPolicy=0 and XOriginTrimmingPolicy=2 in about:config,
  901. use the site and then change the values back. If you visit those sites regularly (e.g. vimeo), use an extension.
  902. full URI: https://example.com:8888/foo/bar.html?id=1234
  903. scheme+host+port+path: https://example.com:8888/foo/bar.html
  904. scheme+host+port: https://example.com:8888
  905. #Required reading [#] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/
  906. ***/
  907. user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
  908. /* 1601: ALL: control when images/links send a referer
  909. * 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/
  910. user_pref("network.http.sendRefererHeader", 2);
  911. /* 1602: ALL: control the amount of information to send
  912. * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
  913. user_pref("network.http.referer.trimmingPolicy", 0);
  914. /* 1603: CROSS ORIGIN: control when to send a referer [SETUP-WEB]
  915. * 0=always (default), 1=only if base domains match, 2=only if hosts match ***/
  916. user_pref("network.http.referer.XOriginPolicy", 1);
  917. /* 1604: CROSS ORIGIN: control the amount of information to send [FF52+]
  918. * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
  919. user_pref("network.http.referer.XOriginTrimmingPolicy", 0);
  920. /* 1605: ALL: disable spoofing a referer
  921. * [WARNING] Do not set this to true, as spoofing effectively disables the anti-CSRF
  922. * (Cross-Site Request Forgery) protections that some sites may rely on ***/
  923. user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
  924. /* 1606: ALL: set the default Referrer Policy [FF59+]
  925. * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
  926. * [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy
  927. * [1] https://www.w3.org/TR/referrer-policy/
  928. * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
  929. * [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ***/
  930. user_pref("network.http.referer.defaultPolicy", 3); // [DEFAULT: 3]
  931. user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2]
  932. /* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain [FF54+]
  933. * [NOTE] Firefox cannot access .onion sites by default. We recommend you use
  934. * the Tor Browser which is specifically designed for hidden services
  935. * [1] https://bugzilla.mozilla.org/1305144 ***/
  936. user_pref("network.http.referer.hideOnionSource", true);
  937. /* 1610: ALL: enable the DNT (Do Not Track) HTTP header
  938. * [NOTE] DNT is enforced with TP (see 0420) regardless of this pref
  939. * [SETTING] Privacy & Security>Content Blocking>Send websites a "Do Not Track"... ***/
  940. user_pref("privacy.donottrackheader.enabled", true);
  941. /*** [SECTION 1700]: CONTAINERS
  942. If you want to *really* leverage containers, we highly recommend Temporary Containers [2].
  943. Read the article by the extension author [3], and check out the github wiki/repo [4].
  944. [1] https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
  945. [2] https://addons.mozilla.org/firefox/addon/temporary-containers/
  946. [3] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
  947. [4] https://github.com/stoically/temporary-containers/wiki
  948. ***/
  949. user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");
  950. /* 1701: enable Container Tabs setting in preferences (see 1702) [FF50+]
  951. * [1] https://bugzilla.mozilla.org/1279029 ***/
  952. user_pref("privacy.userContext.ui.enabled", true);
  953. /* 1702: enable Container Tabs [FF50+]
  954. * [SETTING] General>Tabs>Enable Container Tabs ***/
  955. user_pref("privacy.userContext.enabled", true);
  956. /* 1703: enable a private container for thumbnail loads [FF51+] ***/
  957. user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); // [DEFAULT: true in FF61+]
  958. /* 1704: set behaviour on "+ Tab" button to display container menu [FF53+] [SETUP-CHROME]
  959. * 0=no menu (default), 1=show when clicked, 2=show on long press
  960. * [NOTE] The menu does not contain a non-container tab option (use Ctrl+T to open non-container tab)
  961. * [1] https://bugzilla.mozilla.org/1328756 ***/
  962. user_pref("privacy.userContext.longPressBehavior", 2);
  963. /*** [SECTION 1800]: PLUGINS ***/
  964. user_pref("_user.js.parrot", "1800 syntax error: the parrot's pushing up daisies!");
  965. /* 1801: set default plugin state (i.e. new plugins on discovery) to never activate
  966. * 0=disabled, 1=ask to activate, 2=active - you can override individual plugins ***/
  967. user_pref("plugin.default.state", 0);
  968. user_pref("plugin.defaultXpi.state", 0);
  969. /* 1802: enable click to play and set to 0 minutes ***/
  970. user_pref("plugins.click_to_play", true);
  971. user_pref("plugin.sessionPermissionNow.intervalInMinutes", 0);
  972. /* 1803: disable Flash plugin (Add-ons>Plugins)
  973. * 0=deactivated, 1=ask, 2=enabled
  974. * ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable only supports Flash
  975. * [NOTE] You can still override individual sites via site permissions
  976. * [1] https://www.ghacks.net/2013/07/09/how-to-make-sure-that-a-firefox-plugin-never-activates-again/ ***/
  977. user_pref("plugin.state.flash", 0);
  978. /* 1805: disable scanning for plugins [WINDOWS]
  979. * [1] http://kb.mozillazine.org/Plugin_scanning
  980. * plid.all = whether to scan the directories specified in the Windows registry for PLIDs.
  981. * Used to detect RealPlayer, Java, Antivirus etc, but since FF52 only covers Flash ***/
  982. user_pref("plugin.scan.plid.all", false);
  983. /* 1820: disable all GMP (Gecko Media Plugins) [SETUP-WEB]
  984. * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/
  985. user_pref("media.gmp-provider.enabled", false);
  986. user_pref("media.gmp.trial-create.enabled", false);
  987. user_pref("media.gmp-manager.url", "data:text/plain,");
  988. user_pref("media.gmp-manager.url.override", "data:text/plain,"); // [HIDDEN PREF]
  989. user_pref("media.gmp-manager.updateEnabled", false); // disable local fallback [HIDDEN PREF]
  990. /* 1825: disable widevine CDM (Content Decryption Module) [SETUP-WEB] ***/
  991. user_pref("media.gmp-widevinecdm.visible", false);
  992. user_pref("media.gmp-widevinecdm.enabled", false);
  993. user_pref("media.gmp-widevinecdm.autoupdate", false);
  994. /* 1830: disable all DRM content (EME: Encryption Media Extension) [SETUP-WEB]
  995. * [SETTING] General>DRM Content>Play DRM-controlled content
  996. * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
  997. user_pref("media.eme.enabled", false);
  998. /* 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate" [SETUP-WEB]
  999. * This is the bundled codec used for video chat in WebRTC ***/
  1000. user_pref("media.gmp-gmpopenh264.enabled", false); // [HIDDEN PREF]
  1001. user_pref("media.gmp-gmpopenh264.autoupdate", false);
  1002. /*** [SECTION 2000]: MEDIA / CAMERA / MIC ***/
  1003. user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
  1004. /* 2001: disable WebRTC (Web Real-Time Communication)
  1005. * [1] https://www.privacytools.io/#webrtc ***/
  1006. user_pref("media.peerconnection.enabled", false);
  1007. /* 2002: limit WebRTC IP leaks if using WebRTC
  1008. * [TEST] https://browserleaks.com/webrtc
  1009. * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416
  1010. * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
  1011. user_pref("media.peerconnection.ice.default_address_only", true);
  1012. user_pref("media.peerconnection.ice.no_host", true); // [FF51+]
  1013. /* 2010: disable WebGL (Web Graphics Library), force bare minimum feature set if used & disable WebGL extensions
  1014. * [1] https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
  1015. * [2] https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/
  1016. user_pref("webgl.disabled", true);
  1017. user_pref("pdfjs.enableWebGL", false);
  1018. user_pref("webgl.min_capability_mode", true);
  1019. user_pref("webgl.disable-extensions", true);
  1020. user_pref("webgl.disable-fail-if-major-performance-caveat", true);
  1021. /* 2012: disable two more webgl preferences [FF51+] ***/
  1022. user_pref("webgl.dxgl.enabled", false); // [WINDOWS]
  1023. user_pref("webgl.enable-webgl2", false);
  1024. /* 2022: disable screensharing ***/
  1025. user_pref("media.getusermedia.screensharing.enabled", false);
  1026. user_pref("media.getusermedia.browser.enabled", false);
  1027. user_pref("media.getusermedia.audiocapture.enabled", false);
  1028. /* 2024: set a default permission for Camera/Microphone [FF58+]
  1029. * 0=always ask (default), 1=allow, 2=block
  1030. * [SETTING] to add site exceptions: Page Info>Permissions>Use the Camera/Microphone
  1031. * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings ***/
  1032. // user_pref("permissions.default.camera", 2);
  1033. // user_pref("permissions.default.microphone", 2);
  1034. /* 2026: disable canvas capture stream [FF41+]
  1035. * [1] https://developer.mozilla.org/docs/Web/API/HTMLCanvasElement/captureStream ***/
  1036. user_pref("canvas.capturestream.enabled", false);
  1037. /* 2027: disable camera image capture [FF35+]
  1038. * [1] https://trac.torproject.org/projects/tor/ticket/16339 ***/
  1039. user_pref("dom.imagecapture.enabled", false); // [DEFAULT: false]
  1040. /* 2028: disable offscreen canvas [FF44+]
  1041. * [1] https://developer.mozilla.org/docs/Web/API/OffscreenCanvas ***/
  1042. user_pref("gfx.offscreencanvas.enabled", false); // [DEFAULT: false]
  1043. /* 2030: disable auto-play of HTML5 media [FF63+]
  1044. * 0=Allowed (default), 1=Blocked, 2=Prompt
  1045. * [SETUP-WEB] This may break video playback on various sites ***/
  1046. user_pref("media.autoplay.default", 1);
  1047. /* 2031: disable audio auto-play in non-active tabs [FF51+]
  1048. * [1] https://www.ghacks.net/2016/11/14/firefox-51-blocks-automatic-audio-playback-in-non-active-tabs/ ***/
  1049. user_pref("media.block-autoplay-until-in-foreground", true);
  1050. /*** [SECTION 2200]: WINDOW MEDDLING & LEAKS / POPUPS ***/
  1051. user_pref("_user.js.parrot", "2200 syntax error: the parrot's 'istory!");
  1052. /* 2201: prevent websites from disabling new window features
  1053. * [1] http://kb.mozillazine.org/Prevent_websites_from_disabling_new_window_features ***/
  1054. user_pref("dom.disable_window_open_feature.close", true);
  1055. user_pref("dom.disable_window_open_feature.location", true); // [DEFAULT: true]
  1056. user_pref("dom.disable_window_open_feature.menubar", true);
  1057. user_pref("dom.disable_window_open_feature.minimizable", true);
  1058. user_pref("dom.disable_window_open_feature.personalbar", true); // bookmarks toolbar
  1059. user_pref("dom.disable_window_open_feature.resizable", true); // [DEFAULT: true]
  1060. user_pref("dom.disable_window_open_feature.status", true); // [DEFAULT: true]
  1061. user_pref("dom.disable_window_open_feature.titlebar", true);
  1062. user_pref("dom.disable_window_open_feature.toolbar", true);
  1063. /* 2202: prevent scripts from moving and resizing open windows ***/
  1064. user_pref("dom.disable_window_move_resize", true);
  1065. /* 2203: open links targeting new windows in a new tab instead
  1066. * This stops malicious window sizes and some screen resolution leaks.
  1067. * You can still right-click a link and open in a new window.
  1068. * [TEST] https://people.torproject.org/~gk/misc/entire_desktop.html
  1069. * [1] https://trac.torproject.org/projects/tor/ticket/9881 ***/
  1070. user_pref("browser.link.open_newwindow", 3);
  1071. user_pref("browser.link.open_newwindow.restriction", 0);
  1072. /* 2204: disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks
  1073. * [NOTE] You can still manually toggle the browser's fullscreen state (F11),
  1074. * but this pref will disable embedded video/game fullscreen controls, e.g. youtube
  1075. * [TEST] https://developer.mozilla.org/samples/domref/fullscreen.html ***/
  1076. // user_pref("full-screen-api.enabled", false);
  1077. /* 2210: block popup windows
  1078. * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/
  1079. user_pref("dom.disable_open_during_load", true);
  1080. /* 2211: set max popups from a single non-click event - default is 20! ***/
  1081. user_pref("dom.popup_maximum", 3);
  1082. /* 2212: limit events that can cause a popup
  1083. * default is "change click dblclick mouseup pointerup notificationclick reset submit touchend"
  1084. * [1] http://kb.mozillazine.org/Dom.popup_allowed_events ***/
  1085. user_pref("dom.popup_allowed_events", "click dblclick");
  1086. /*** [SECTION 2300]: WEB WORKERS
  1087. A worker is a JS "background task" running in a global context, i.e. it is different from
  1088. the current window. Workers can spawn new workers (must be the same origin & scheme),
  1089. including service and shared workers. Shared workers can be utilized by multiple scripts and
  1090. communicate between browsing contexts (windows/tabs/iframes) and can even control your cache.
  1091. [SETUP-WEB] Disabling "web workers" might break sites
  1092. [UPDATE] uMatrix 1.2.0+ allows a per-scope control for workers (2301-deprecated) and service workers (2302)
  1093. #Required reading [#] https://github.com/gorhill/uMatrix/releases/tag/1.2.0
  1094. [1] Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API
  1095. [2] Worker: https://developer.mozilla.org/docs/Web/API/Worker
  1096. [3] Service Worker: https://developer.mozilla.org/docs/Web/API/Service_Worker_API
  1097. [4] SharedWorker: https://developer.mozilla.org/docs/Web/API/SharedWorker
  1098. [5] ChromeWorker: https://developer.mozilla.org/docs/Web/API/ChromeWorker
  1099. [6] Notifications: https://support.mozilla.org/questions/1165867#answer-981820
  1100. ***/
  1101. user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!");
  1102. /* 2302: disable service workers [FF32, FF44-compat]
  1103. * Service workers essentially act as proxy servers that sit between web apps, and the browser
  1104. * and network, are event driven, and can control the web page/site it is associated with,
  1105. * intercepting and modifying navigation and resource requests, and caching resources.
  1106. * [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode.
  1107. * [NOTE] Service workers only run over HTTPS. Service Workers have no DOM access. ***/
  1108. user_pref("dom.serviceWorkers.enabled", false);
  1109. /* 2304: disable web notifications
  1110. * [1] https://developer.mozilla.org/docs/Web/API/Notifications_API ***/
  1111. user_pref("dom.webnotifications.enabled", false); // [FF22+]
  1112. user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
  1113. /* 2305: set a default permission for Notifications (see 2304) [FF58+]
  1114. * 0=always ask (default), 1=allow, 2=block
  1115. * [NOTE] Best left at default "always ask", fingerprintable via Permissions API
  1116. * [SETTING] to add site exceptions: Page Info>Permissions>Receive Notifications
  1117. * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings ***/
  1118. // user_pref("permissions.default.desktop-notification", 2);
  1119. /* 2306: disable push notifications [FF44+]
  1120. * web apps can receive messages pushed to them from a server, whether or
  1121. * not the web app is in the foreground, or even currently loaded
  1122. * [1] https://developer.mozilla.org/docs/Web/API/Push_API ***/
  1123. user_pref("dom.push.enabled", false);
  1124. user_pref("dom.push.connection.enabled", false);
  1125. user_pref("dom.push.serverURL", "");
  1126. user_pref("dom.push.userAgentID", "");
  1127. /*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/
  1128. user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!");
  1129. /* 2401: disable website control over browser right-click context menu
  1130. * [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/
  1131. // user_pref("dom.event.contextmenu.enabled", false);
  1132. /* 2402: disable website access to clipboard events/content
  1133. * [SETUP-WEB] This will break some sites functionality such as pasting into facebook, wordpress
  1134. * this applies to onCut, onCopy, onPaste events - i.e. you have to interact with
  1135. * the website for it to look at the clipboard
  1136. * [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/ ***/
  1137. user_pref("dom.event.clipboardevents.enabled", false);
  1138. /* 2403: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
  1139. * this disables document.execCommand("cut"/"copy") to protect your clipboard
  1140. * [1] https://bugzilla.mozilla.org/1170911 ***/
  1141. user_pref("dom.allow_cut_copy", false); // [HIDDEN PREF]
  1142. /* 2404: disable "Confirm you want to leave" dialog on page close
  1143. * Does not prevent JS leaks of the page close event.
  1144. * [1] https://developer.mozilla.org/docs/Web/Events/beforeunload
  1145. * [2] https://support.mozilla.org/questions/1043508 ***/
  1146. user_pref("dom.disable_beforeunload", true);
  1147. /* 2414: disable shaking the screen ***/
  1148. user_pref("dom.vibrator.enabled", false);
  1149. /* 2420: disable asm.js [FF22+] [SETUP-PERF]
  1150. * [1] http://asmjs.org/
  1151. * [2] https://www.mozilla.org/security/advisories/mfsa2015-29/
  1152. * [3] https://www.mozilla.org/security/advisories/mfsa2015-50/
  1153. * [4] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
  1154. * [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
  1155. * [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
  1156. user_pref("javascript.options.asmjs", false);
  1157. /* 2421: disable Ion and baseline JIT to help harden JS against exploits
  1158. * [SETUP-PERF] If false, causes the odd site issue and there is also a performance loss
  1159. * [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
  1160. // user_pref("javascript.options.ion", false);
  1161. // user_pref("javascript.options.baselinejit", false);
  1162. /* 2422: disable WebAssembly [FF52+] [SETUP-PERF]
  1163. * [1] https://developer.mozilla.org/docs/WebAssembly ***/
  1164. user_pref("javascript.options.wasm", false);
  1165. /* 2426: disable Intersection Observer API [FF53+]
  1166. * Almost a year to complete, three versions late to stable (as default false),
  1167. * number #1 cause of crashes in nightly numerous times, and is (primarily) an
  1168. * ad network API for "ad viewability checks" down to a pixel level
  1169. * [1] https://developer.mozilla.org/docs/Web/API/Intersection_Observer_API
  1170. * [2] https://w3c.github.io/IntersectionObserver/
  1171. * [3] https://bugzilla.mozilla.org/1243846 ***/
  1172. user_pref("dom.IntersectionObserver.enabled", false);
  1173. /* 2427: disable Shared Memory (Spectre mitigation)
  1174. * [1] https://github.com/tc39/ecmascript_sharedmem/blob/master/TUTORIAL.md
  1175. * [2] https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ ***/
  1176. user_pref("javascript.options.shared_memory", false);
  1177. /* 2428: enforce DOMHighResTimeStamp API
  1178. * [WARNING] Required for normalization of timestamps and any timer resolution mitigations ***/
  1179. user_pref("dom.event.highrestimestamp.enabled", true); // [DEFAULT: true]
  1180. /*** [SECTION 2500]: HARDWARE FINGERPRINTING ***/
  1181. user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!");
  1182. /* 2502: disable Battery Status API
  1183. * Initially a Linux issue (high precision readout) that was fixed.
  1184. * However, it is still another metric for fingerprinting, used to raise entropy.
  1185. * e.g. do you have a battery or not, current charging status, charge level, times remaining etc
  1186. * [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code. see [1]
  1187. * [1] https://bugzilla.mozilla.org/1313580 ***/
  1188. // user_pref("dom.battery.enabled", false);
  1189. /* 2504: disable virtual reality devices
  1190. * Optional protection depending on your connected devices
  1191. * [1] https://developer.mozilla.org/docs/Web/API/WebVR_API ***/
  1192. // user_pref("dom.vr.enabled", false);
  1193. /* 2505: disable media device enumeration [FF29+]
  1194. * [NOTE] media.peerconnection.enabled should also be set to false (see 2001)
  1195. * [1] https://wiki.mozilla.org/Media/getUserMedia
  1196. * [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices ***/
  1197. user_pref("media.navigator.enabled", false);
  1198. /* 2508: disable hardware acceleration to reduce graphics fingerprinting
  1199. * [SETUP-PERF] Affects text rendering (fonts will look different), impacts video performance,
  1200. * and parts of Quantum that utilize the GPU will also be affected as they are rolled out
  1201. * [SETTING] General>Performance>Custom>Use hardware acceleration when available
  1202. * [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/
  1203. // user_pref("gfx.direct2d.disabled", true); // [WINDOWS]
  1204. user_pref("layers.acceleration.disabled", true);
  1205. /* 2510: disable Web Audio API [FF51+]
  1206. * [1] https://bugzilla.mozilla.org/1288359 ***/
  1207. user_pref("dom.webaudio.enabled", false);
  1208. /* 2517: disable Media Capabilities API [FF63+]
  1209. * [SETUP-PERF] This *may* affect media performance if disabled, no one is sure
  1210. * [1] https://github.com/WICG/media-capabilities
  1211. * [2] https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/
  1212. // user_pref("media.media-capabilities.enabled", false);
  1213. /*** [SECTION 2600]: MISCELLANEOUS ***/
  1214. user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
  1215. /* 2601: prevent accessibility services from accessing your browser [RESTART]
  1216. * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser
  1217. * [1] https://support.mozilla.org/kb/accessibility-services ***/
  1218. user_pref("accessibility.force_disabled", 1);
  1219. /* 2602: disable sending additional analytics to web servers
  1220. * [1] https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/
  1221. user_pref("beacon.enabled", false);
  1222. /* 2603: remove temp files opened with an external application
  1223. * [1] https://bugzilla.mozilla.org/302433 ***/
  1224. user_pref("browser.helperApps.deleteTempFileOnExit", true);
  1225. /* 2604: disable page thumbnail collection
  1226. * look in profile/thumbnails directory - you may want to clean that out ***/
  1227. user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF]
  1228. /* 2605: block web content in file processes [FF55+]
  1229. * [SETUP-WEB] You may want to disable this for corporate or developer environments
  1230. * [1] https://bugzilla.mozilla.org/1343184 ***/
  1231. user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false);
  1232. /* 2606: disable UITour backend so there is no chance that a remote page can use it ***/
  1233. user_pref("browser.uitour.enabled", false);
  1234. user_pref("browser.uitour.url", "");
  1235. /* 2607: disable various developer tools in browser context
  1236. * [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
  1237. * [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/
  1238. user_pref("devtools.chrome.enabled", false);
  1239. /* 2608: disable WebIDE to prevent remote debugging and ADB extension download
  1240. * [1] https://trac.torproject.org/projects/tor/ticket/16222 ***/
  1241. user_pref("devtools.debugger.remote-enabled", false);
  1242. user_pref("devtools.webide.enabled", false);
  1243. user_pref("devtools.webide.autoinstallADBExtension", false); // [FF64+]
  1244. /* 2609: disable MathML (Mathematical Markup Language) [FF51+]
  1245. * [TEST] http://browserspy.dk/mathml.php
  1246. * [1] https://bugzilla.mozilla.org/1173199 ***/
  1247. user_pref("mathml.disabled", true);
  1248. /* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]
  1249. * [SETUP-WEB] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
  1250. * [1] https://bugzilla.mozilla.org/1216893 ***/
  1251. // user_pref("svg.disabled", true);
  1252. /* 2611: disable middle mouse click opening links from clipboard
  1253. * [1] https://trac.torproject.org/projects/tor/ticket/10089
  1254. * [2] http://kb.mozillazine.org/Middlemouse.contentLoadURL ***/
  1255. user_pref("middlemouse.contentLoadURL", false);
  1256. /* 2614: limit HTTP redirects (this does not control redirects with HTML meta tags or JS)
  1257. * [NOTE] A low setting of 5 or under will probably break some sites (e.g. gmail logins)
  1258. * To control HTML Meta tag and JS redirects, use an extension. Default is 20 ***/
  1259. user_pref("network.http.redirection-limit", 10);
  1260. /* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+]
  1261. * 0 (default) or 1=allow, 2=block
  1262. * [NOTE] In FF65 and under, causes issues with delete and backspace keys (see 1445942)
  1263. * [SETTING] to add site exceptions: Page Info>Permissions>Override Keyboard Shortcuts ***/
  1264. // user_pref("permissions.default.shortcuts", 2);
  1265. /* 2616: remove special permissions for certain mozilla domains [FF35+]
  1266. * [1] resource://app/defaults/permissions ***/
  1267. user_pref("permissions.manager.defaultsUrl", "");
  1268. /* 2617: remove webchannel whitelist ***/
  1269. user_pref("webchannel.allowObject.urlWhitelist", "");
  1270. /* 2618: disable exposure of system colors to CSS or canvas [FF44+]
  1271. * [NOTE] See second listed bug: may cause black on black for elements with undefined colors
  1272. * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876 ***/
  1273. user_pref("ui.use_standins_for_native_colors", true); // [HIDDEN PREF]
  1274. /* 2619: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
  1275. * Firefox has *some* protections, but it is better to be safe than sorry. The downside: it will also
  1276. * display legitimate IDN's punycoded, which might be undesirable for users of non-latin alphabets
  1277. * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
  1278. * [1] https://wiki.mozilla.org/IDN_Display_Algorithm
  1279. * [2] https://en.wikipedia.org/wiki/IDN_homograph_attack
  1280. * [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
  1281. * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
  1282. user_pref("network.IDN_show_punycode", true);
  1283. /* 2620: enable Firefox's built-in PDF reader
  1284. * This setting controls if the option "Display in Firefox" in the above setting is available
  1285. * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
  1286. * PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
  1287. * Exploits are rare (1 serious case in 4 yrs), treated seriously and patched quickly.
  1288. * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
  1289. * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
  1290. * CONS: You may prefer a different pdf reader for security reasons
  1291. * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare)
  1292. * [SETTING] General>Applications>Portable Document Format (PDF) ***/
  1293. user_pref("pdfjs.disabled", false);
  1294. /** DOWNLOADS ***/
  1295. /* 2650: discourage downloading to desktop (0=desktop 1=downloads 2=last used)
  1296. * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
  1297. user_pref("browser.download.folderList", 2);
  1298. /* 2651: enforce user interaction for security by always asking the user where to download
  1299. * [SETTING] General>Downloads>Always ask you where to save files ***/
  1300. user_pref("browser.download.useDownloadDir", false);
  1301. /* 2652: disable adding downloads to the system's "recent documents" list ***/
  1302. user_pref("browser.download.manager.addToRecentDocs", false);
  1303. /* 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin ***/
  1304. user_pref("browser.download.hide_plugins_without_extensions", false);
  1305. /* 2654: disable "open with" in download dialog [FF50+]
  1306. * This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
  1307. * in such a way that it is forbidden to run external applications.
  1308. * [SETUP-CHROME] This may interfere with some users' workflow or methods
  1309. * [1] https://bugzilla.mozilla.org/1281959 ***/
  1310. user_pref("browser.download.forbid_open_with", true);
  1311. /** EXTENSIONS ***/
  1312. /* 2660: lock down allowed extension directories
  1313. * [SETUP-CHROME] This will break extensions that do not use the default XPI directories
  1314. * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
  1315. * [1] archived: https://archive.is/DYjAM ***/
  1316. user_pref("extensions.enabledScopes", 1); // [HIDDEN PREF]
  1317. user_pref("extensions.autoDisableScopes", 15);
  1318. /* 2662: disable webextension restrictions on certain mozilla domains (also see 4503) [FF60+]
  1319. * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
  1320. // user_pref("extensions.webextensions.restrictedDomains", "");
  1321. /* 2663: enable warning when websites try to install add-ons
  1322. * [SETTING] Privacy & Security>Permissions>Warn you when websites try to install add-ons ***/
  1323. user_pref("xpinstall.whitelist.required", true); // [DEFAULT: true]
  1324. /** SECURITY ***/
  1325. /* 2680: enable CSP (Content Security Policy)
  1326. * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
  1327. user_pref("security.csp.enable", true); // [DEFAULT: true]
  1328. /* 2682: enable CSP 1.1 experimental hash-source directive [FF29+]
  1329. * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=855326,883975 ***/
  1330. user_pref("security.csp.experimentalEnabled", true);
  1331. /* 2683: block top level window data: URIs [FF56+]
  1332. * [1] https://bugzilla.mozilla.org/1331351
  1333. * [2] https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
  1334. * [3] https://www.fxsitecompat.com/en-CA/docs/2017/data-url-navigations-on-top-level-window-will-be-blocked/ ***/
  1335. user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // [DEFAULT: true]
  1336. /* 2684: enforce a security delay on some confirmation dialogs such as install, open/save
  1337. * [1] http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
  1338. * [2] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
  1339. user_pref("security.dialog_enable_delay", 700);
  1340. /*** [SECTION 2700]: PERSISTENT STORAGE
  1341. Data SET by websites including
  1342. cookies : profile\cookies.sqlite
  1343. localStorage : profile\webappsstore.sqlite
  1344. indexedDB : profile\storage\default
  1345. appCache : profile\OfflineCache
  1346. serviceWorkers :
  1347. [NOTE] indexedDB and serviceWorkers are not available in Private Browsing Mode
  1348. [NOTE] Blocking cookies also blocks websites access to: localStorage (incl. sessionStorage),
  1349. indexedDB, sharedWorker, and serviceWorker (and therefore service worker cache and notifications)
  1350. If you set a site exception for cookies (either "Allow" or "Allow for Session") then they become
  1351. accessible to websites except shared/service workers where the cookie setting *must* be "Allow"
  1352. ***/
  1353. user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
  1354. /* 2701: disable 3rd-party cookies and site-data
  1355. * 0=Accept cookies and site data (default), 1=(Block) All third-party cookies, 2=(Block) All cookies,
  1356. * 3=(Block) Cookies from unvisited sites, 4=(Block) Third-party trackers (FF63+)
  1357. * [NOTE] Value 4 is tied to the Tracking Protection lists
  1358. * [NOTE] You can set exceptions under site permissions or use an extension
  1359. * [SETTING] Privacy & Security>Content Blocking>Custom>Choose what to block>Cookies ***/
  1360. user_pref("network.cookie.cookieBehavior", 1);
  1361. /* 2702: set third-party cookies (i.e ALL) (if enabled, see 2701) to session-only
  1362. and (FF58+) set third-party non-secure (i.e HTTP) cookies to session-only
  1363. [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
  1364. .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
  1365. * [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
  1366. * [2] http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly ***/
  1367. user_pref("network.cookie.thirdparty.sessionOnly", true);
  1368. user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
  1369. /* 2703: delete cookies and site data on close
  1370. * 0=keep until they expire (default), 2=keep until you close Firefox
  1371. * [NOTE] The setting below is disabled (but not changed) if you block all cookies (2701 = 2)
  1372. * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed ***/
  1373. // user_pref("network.cookie.lifetimePolicy", 2);
  1374. /* 2705: disable HTTP sites setting cookies with the "secure" directive [FF52+]
  1375. * [1] https://developer.mozilla.org/Firefox/Releases/52#HTTP ***/
  1376. user_pref("network.cookie.leave-secure-alone", true); // [DEFAULT: true]
  1377. /* 2706: enable support for same-site cookies [FF60+]
  1378. * [1] https://bugzilla.mozilla.org/795346
  1379. * [2] https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/
  1380. * [3] https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ ***/
  1381. // user_pref("network.cookie.same-site.enabled", true); // [DEFAULT: true]
  1382. /* 2710: disable DOM (Document Object Model) Storage
  1383. * [WARNING] This will break a LOT of sites' functionality AND extensions!
  1384. * You are better off using an extension for more granular control ***/
  1385. // user_pref("dom.storage.enabled", false);
  1386. /* 2720: enforce IndexedDB (IDB) as enabled
  1387. * IDB is required for extensions and Firefox internals (even before FF63 in [1])
  1388. * To control *website* IDB data, control allowing cookies and service workers, or use
  1389. * Temporary Containers. To mitigate *website* IDB, FPI helps (4001), and/or sanitize
  1390. * on close (Offline Website Data, see 2800) or on-demand (Ctrl-Shift-Del), or automatically
  1391. * via an extension. Note that IDB currently cannot be sanitized by host.
  1392. * [1] https://blog.mozilla.org/addons/2018/08/03/new-backend-for-storage-local-api/ ***/
  1393. user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true]
  1394. /* 2730: disable offline cache ***/
  1395. user_pref("browser.cache.offline.enable", false);
  1396. /* 2730b: disable offline cache on insecure sites [FF60+]
  1397. * [1] https://blog.mozilla.org/security/2018/02/12/restricting-appcache-secure-contexts/ ***/
  1398. user_pref("browser.cache.offline.insecure.enable", false); // [DEFAULT: false in FF62+]
  1399. /* 2731: enforce websites to ask to store data for offline use
  1400. * [1] https://support.mozilla.org/questions/1098540
  1401. * [2] https://bugzilla.mozilla.org/959985 ***/
  1402. user_pref("offline-apps.allow_by_default", false);
  1403. /* 2740: disable service workers cache and cache storage
  1404. * [1] https://w3c.github.io/ServiceWorker/#privacy ***/
  1405. user_pref("dom.caches.enabled", false);
  1406. /* 2750: disable Storage API [FF51+]
  1407. * The API gives sites the ability to find out how much space they can use, how much
  1408. * they are already using, and even control whether or not they need to be alerted
  1409. * before the user agent disposes of site data in order to make room for other things.
  1410. * [1] https://developer.mozilla.org/docs/Web/API/StorageManager
  1411. * [2] https://developer.mozilla.org/docs/Web/API/Storage_API
  1412. * [3] https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/
  1413. // user_pref("dom.storageManager.enabled", false);
  1414. /* 2755: disable Storage Access API [FF65+]
  1415. * [1] https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API ***/
  1416. // user_pref("dom.storage_access.enabled", false);
  1417. /*** [SECTION 2800]: SHUTDOWN [SETUP-CHROME]
  1418. You should set the values to what suits you best.
  1419. - "Offline Website Data" includes appCache (2730), localStorage (2710),
  1420. Service Worker cache (2740), and QuotaManager (IndexedDB (2720), asm-cache)
  1421. - In both 2803 + 2804, the 'download' and 'history' prefs are combined in the
  1422. Firefox interface as "Browsing & Download History" and their values will be synced
  1423. ***/
  1424. user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
  1425. /* 2802: enable Firefox to clear history items on shutdown
  1426. * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/
  1427. user_pref("privacy.sanitize.sanitizeOnShutdown", true);
  1428. /* 2803: set what history items to clear on shutdown
  1429. * [NOTE] If 'history' is true, downloads will also be cleared regardless of the value
  1430. * but if 'history' is false, downloads can still be cleared independently
  1431. * However, this may not always be the case. The interface combines and syncs these
  1432. * prefs when set from there, and the sanitize code may change at any time
  1433. * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings ***/
  1434. user_pref("privacy.clearOnShutdown.cache", true);
  1435. user_pref("privacy.clearOnShutdown.cookies", true);
  1436. user_pref("privacy.clearOnShutdown.downloads", true); // see note above
  1437. user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History
  1438. user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History
  1439. user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data
  1440. user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins
  1441. user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences
  1442. /* 2804: reset default history items to clear with Ctrl-Shift-Del (to match 2803)
  1443. * This dialog can also be accessed from the menu History>Clear Recent History
  1444. * Firefox remembers your last choices. This will reset them when you start Firefox.
  1445. * [NOTE] Regardless of what you set privacy.cpd.downloads to, as soon as the dialog
  1446. * for "Clear Recent History" is opened, it is synced to the same as 'history' ***/
  1447. user_pref("privacy.cpd.cache", true);
  1448. user_pref("privacy.cpd.cookies", true);
  1449. // user_pref("privacy.cpd.downloads", true); // not used, see note above
  1450. user_pref("privacy.cpd.formdata", true); // Form & Search History
  1451. user_pref("privacy.cpd.history", true); // Browsing & Download History
  1452. user_pref("privacy.cpd.offlineApps", true); // Offline Website Data
  1453. user_pref("privacy.cpd.passwords", false); // this is not listed
  1454. user_pref("privacy.cpd.sessions", true); // Active Logins
  1455. user_pref("privacy.cpd.siteSettings", false); // Site Preferences
  1456. /* 2805: privacy.*.openWindows (clear session restore data) [FF34+]
  1457. * [NOTE] There is a years-old bug that these cause two windows when Firefox restarts.
  1458. * You do not need these anyway if session restore is cleared with history (see 2803) ***/
  1459. // user_pref("privacy.clearOnShutdown.openWindows", true);
  1460. // user_pref("privacy.cpd.openWindows", true);
  1461. /* 2806: reset default 'Time range to clear' for 'Clear Recent History' (see 2804)
  1462. * Firefox remembers your last choice. This will reset the value when you start Firefox.
  1463. * 0=everything, 1=last hour, 2=last two hours, 3=last four hours,
  1464. * 4=today, 5=last five minutes, 6=last twenty-four hours
  1465. * [NOTE] The values 5 + 6 are not listed in the dropdown, which will display a
  1466. * blank value if they are used, but they do work as advertised ***/
  1467. user_pref("privacy.sanitize.timeSpan", 0);
  1468. /*** [SECTION 4000]: FPI (FIRST PARTY ISOLATION)
  1469. ** 1278037 - isolate indexedDB (FF51+)
  1470. ** 1277803 - isolate favicons (FF52+)
  1471. ** 1264562 - isolate OCSP cache (FF52+)
  1472. ** 1268726 - isolate Shared Workers (FF52+)
  1473. ** 1316283 - isolate SSL session cache (FF52+)
  1474. ** 1317927 - isolate media cache (FF53+)
  1475. ** 1323644 - isolate HSTS and HPKP (FF54+)
  1476. ** 1334690 - isolate HTTP Alternative Services (FF54+)
  1477. ** 1334693 - isolate SPDY/HTTP2 (FF55+)
  1478. ** 1337893 - isolate DNS cache (FF55+)
  1479. ** 1344170 - isolate blob: URI (FF55+)
  1480. ** 1300671 - isolate data:, about: URLs (FF55+)
  1481. ** 1473247 - isolate IP addresses (FF63+)
  1482. ** 1492607 - isolate postMessage with targetOrigin "*" (requires 4002) (FF65+)
  1483. ***/
  1484. user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
  1485. /* 4001: enable First Party Isolation [FF51+]
  1486. * [SETUP-WEB] May break cross-domain logins and site functionality until perfected
  1487. * [1] https://bugzilla.mozilla.org/1260931 ***/
  1488. user_pref("privacy.firstparty.isolate", true);
  1489. /* 4002: enforce FPI restriction for window.opener [FF54+]
  1490. * [NOTE] Setting this to false may reduce the breakage in 4001
  1491. * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But
  1492. * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute. (see [2],[3])
  1493. * The 2nd pref removes that limitation and will only allow communication if FPDs also match.
  1494. * [1] https://bugzilla.mozilla.org/1319773#c22
  1495. * [2] https://bugzilla.mozilla.org/1492607
  1496. * [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/
  1497. user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
  1498. // user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF]
  1499. /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
  1500. This master switch will be used for a wide range of items, many of which will
  1501. **override** existing prefs from FF55+, often providing a **better** solution
  1502. IMPORTANT: As existing prefs become redundant, and some of them WILL interfere
  1503. with how RFP works, they will be moved to section 4600 and made inactive
  1504. ** 418986 - limit window.screen & CSS media queries leaking identifiable info (FF41+)
  1505. [POC] http://ip-check.info/?lang=en (screen, usable screen, and browser window will match)
  1506. [NOTE] Does not cover everything yet - https://bugzilla.mozilla.org/1216800
  1507. [NOTE] This will probably make your values pretty unique until you resize or snap the
  1508. inner window width + height into standard/common resolutions (such as 1366x768)
  1509. To set a size, open a XUL (chrome) page (such as about:config) which is at 100% zoom, hit
  1510. Shift+F4 to open the scratchpad, type window.resizeTo(1366,768), hit Ctrl+R to run. Test
  1511. your window size, do some math, resize to allow for all the non inner window elements
  1512. [TEST] http://browserspy.dk/screen.php
  1513. ** 1281949 - spoof screen orientation (FF50+)
  1514. ** 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+)
  1515. FF53: Fixes GetSupportedNames in nsMimeTypeArray and nsPluginArray (1324044)
  1516. ** 1330890 - spoof timezone as UTC 0 (FF55+)
  1517. FF58: Date.toLocaleFormat deprecated (818634)
  1518. FF60: Date.toLocaleDateString and Intl.DateTimeFormat fixed (1409973)
  1519. ** 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) (FF55+)
  1520. This spoof *shouldn't* affect core chrome/Firefox performance
  1521. ** 1217238 - reduce precision of time exposed by javascript (FF55+)
  1522. ** 1369303 - spoof/disable performance API (see 2410-deprecated, 4602, 4603) (FF56+)
  1523. ** 1333651 & 1383495 & 1396468 - spoof Navigator API (see section 4700) (FF56+)
  1524. FF56: The version number will be rounded down to the nearest multiple of 10
  1525. FF57: The version number will match current ESR (1393283, 1418672, 1418162)
  1526. FF59: The OS will be reported as Windows, OSX, Android, or Linux (to reduce breakage) (1404608)
  1527. FF66: The OS in HTTP Headers will be reduced to Windows or Android (1509829)
  1528. ** 1369319 - disable device sensor API (see 4604) (FF56+)
  1529. ** 1369357 - disable site specific zoom (see 4605) (FF56+)
  1530. ** 1337161 - hide gamepads from content (see 4606) (FF56+)
  1531. ** 1372072 - spoof network information API as "unknown" (see 4607) (FF56+)
  1532. ** 1333641 - reduce fingerprinting in WebSpeech API (see 4608) (FF56+)
  1533. ** 1372069 & 1403813 & 1441295 - block geolocation requests (same as denying a site permission) (see 0201, 0201b) (FF56-62)
  1534. ** 1369309 - spoof media statistics (see 4610) (FF57+)
  1535. ** 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) (FF57+)
  1536. ** 1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12) (FF57+)
  1537. ** 1382545 - reduce fingerprinting in Animation API (FF57+)
  1538. ** 1354633 - limit MediaError.message to a whitelist (FF57+)
  1539. ** 1382533 - enable fingerprinting resistance for Presentation API (FF57+)
  1540. This blocks exposure of local IP Addresses via mDNS (Multicast DNS)
  1541. ** 967895 - enable site permission prompt before allowing canvas data extraction (FF58+)
  1542. FF59: Added to site permissions panel (1413780) Only prompt when triggered by user input (1376865)
  1543. ** 1372073 - spoof/block fingerprinting in MediaDevices API (see 4612) (FF59+)
  1544. ** 1039069 - warn when language prefs are set to non en-US (see 0207, 0208) (FF59+)
  1545. ** 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59+)
  1546. Spoofing mimics the content language of the document. Currently it only supports en-US.
  1547. Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected.
  1548. FF60: Fix keydown/keyup events (1438795)
  1549. ** 1337157 - disable WebGL debug renderer info (see 4613) (FF60+)
  1550. ** 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+)
  1551. ** 1363508 - spoof/suppress Pointer Events (see 4614) (FF64+)
  1552. FF65: pointerEvent.pointerid (1492766)
  1553. ** 1485266 - disable exposure of system colors to CSS or canvas (see 2618) (FF67+)
  1554. ***/
  1555. user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
  1556. /* 4501: enable privacy.resistFingerprinting [FF41+]
  1557. * [SETUP-WEB] RFP is not ready for the masses, so expect some website breakage
  1558. * [1] https://bugzilla.mozilla.org/418986 ***/
  1559. user_pref("privacy.resistFingerprinting", true);
  1560. /* 4502: set new window sizes to round to hundreds [FF55+] [SETUP-CHROME]
  1561. * Width will round down to multiples of 200s and height to 100s, to fit your screen.
  1562. * The override values are a starting point to round from if you want some control
  1563. * [1] https://bugzilla.mozilla.org/1330882
  1564. * [2] https://hardware.metrics.mozilla.com/ ***/
  1565. // user_pref("privacy.window.maxInnerWidth", 1600); // [HIDDEN PREF]
  1566. // user_pref("privacy.window.maxInnerHeight", 900); // [HIDDEN PREF]
  1567. /* 4503: disable mozAddonManager Web API [FF57+]
  1568. * [NOTE] As a side-effect in FF57-59 this allowed extensions to work on AMO. In FF60+ you also need
  1569. * to sanitize or clear extensions.webextensions.restrictedDomains (see 2662) to keep that side-effect
  1570. * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
  1571. user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF]
  1572. /* 4504: disable showing about:blank as soon as possible during startup [FF60+]
  1573. * When default true (FF62+) this no longer masks the RFP resizing activity
  1574. * [1] https://bugzilla.mozilla.org/1448423 ***/
  1575. user_pref("browser.startup.blankWindow", false);
  1576. /*** [SECTION 4600]: RFP ALTERNATIVES
  1577. * IF you DO use RFP (see 4500) then you DO NOT need these redundant prefs. In fact,
  1578. some even cause RFP to not behave as you would expect and alter your fingerprint.
  1579. Make sure they are RESET in about:config as per your Firefox version
  1580. * IF you DO NOT use RFP or are on ESR... then turn on each ESR section below
  1581. ***/
  1582. user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan");
  1583. /* [SETUP-non-RFP] Non-RFP users replace the * with a slash on this line to enable these
  1584. // FF55+
  1585. // 4601: [2514] spoof (or limit?) number of CPU cores [FF48+]
  1586. // [NOTE] *may* affect core chrome/Firefox performance, will affect content.
  1587. // [1] https://bugzilla.mozilla.org/1008453
  1588. // [2] https://trac.torproject.org/projects/tor/ticket/21675
  1589. // [3] https://trac.torproject.org/projects/tor/ticket/22127
  1590. // [4] https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency
  1591. // user_pref("dom.maxHardwareConcurrency", 2);
  1592. // * * * /
  1593. // FF56+
  1594. // 4602: [2411] disable resource/navigation timing
  1595. user_pref("dom.enable_resource_timing", false);
  1596. // 4603: [2412] disable timing attacks
  1597. // [1] https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
  1598. user_pref("dom.enable_performance", false);
  1599. // 4604: [2512] disable device sensor API
  1600. // Optional protection depending on your device
  1601. // [1] https://trac.torproject.org/projects/tor/ticket/15758
  1602. // [2] https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
  1603. // [3] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751
  1604. // user_pref("device.sensors.enabled", false);
  1605. // 4605: [2515] disable site specific zoom
  1606. // Zoom levels affect screen res and are highly fingerprintable. This does not stop you using
  1607. // zoom, it will just not use/remember any site specific settings. Zoom levels on new tabs
  1608. // and new windows are reset to default and only the current tab retains the current zoom
  1609. user_pref("browser.zoom.siteSpecific", false);
  1610. // 4606: [2501] disable gamepad API - USB device ID enumeration
  1611. // Optional protection depending on your connected devices
  1612. // [1] https://trac.torproject.org/projects/tor/ticket/13023
  1613. // user_pref("dom.gamepad.enabled", false);
  1614. // 4607: [2503] disable giving away network info [FF31+]
  1615. // e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
  1616. // [1] https://developer.mozilla.org/docs/Web/API/Network_Information_API
  1617. // [2] https://wicg.github.io/netinfo/
  1618. // [3] https://bugzilla.mozilla.org/960426
  1619. user_pref("dom.netinfo.enabled", false);
  1620. // 4608: [2021] disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API
  1621. // [1] https://developer.mozilla.org/docs/Web/API/Web_Speech_API
  1622. // [2] https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
  1623. // [3] https://wiki.mozilla.org/HTML5_Speech_API
  1624. user_pref("media.webspeech.synth.enabled", false);
  1625. // * * * /
  1626. // FF57+
  1627. // 4610: [2506] disable video statistics - JS performance fingerprinting [FF25+]
  1628. // [1] https://trac.torproject.org/projects/tor/ticket/15757
  1629. // [2] https://bugzilla.mozilla.org/654550
  1630. user_pref("media.video_stats.enabled", false);
  1631. // 4611: [2509] disable touch events
  1632. // fingerprinting attack vector - leaks screen res & actual screen coordinates
  1633. // 0=disabled, 1=enabled, 2=autodetect
  1634. // Optional protection depending on your device
  1635. // [1] https://developer.mozilla.org/docs/Web/API/Touch_events
  1636. // [2] https://trac.torproject.org/projects/tor/ticket/10286
  1637. // user_pref("dom.w3c_touch_events.enabled", 0);
  1638. // * * * /
  1639. // FF59+
  1640. // 4612: [2511] disable MediaDevices change detection [FF51+]
  1641. // [1] https://developer.mozilla.org/docs/Web/Events/devicechange
  1642. // [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange
  1643. user_pref("media.ondevicechange.enabled", false);
  1644. // * * * /
  1645. // FF60+
  1646. // 4613: [2011] disable WebGL debug info being available to websites
  1647. // [1] https://bugzilla.mozilla.org/1171228
  1648. // [2] https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info
  1649. user_pref("webgl.enable-debug-renderer-info", false);
  1650. // * * * /
  1651. // FF65+
  1652. // 4614: [2516] disable PointerEvents
  1653. // [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent
  1654. user_pref("dom.w3c_pointer_events.enabled", false);
  1655. // * * * /
  1656. // ***/
  1657. /*** [SECTION 4700]: RFP ALTERNATIVES (NAVIGATOR / USER AGENT (UA) SPOOFING)
  1658. This is FYI ONLY. These prefs are INSUFFICIENT(a) on their own, you need
  1659. to use RFP (4500) or an extension, in which case they become POINTLESS.
  1660. (a) Many of the components that make up your UA can be derived by other means.
  1661. And when those values differ, you provide more bits and raise entropy.
  1662. Examples of leaks include navigator objects, date locale/formats, iframes,
  1663. headers, tcp/ip attributes, feature detection, and **many** more.
  1664. ALL values below intentionally left blank - use RFP, or get a vetted, tested
  1665. extension and mimic RFP values to *lower* entropy, or randomize to *raise* it
  1666. ***/
  1667. user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow");
  1668. /* 4701: navigator.userAgent ***/
  1669. // user_pref("general.useragent.override", ""); // [HIDDEN PREF]
  1670. /* 4702: navigator.buildID
  1671. * Revealed build time down to the second. In FF64+ it now returns a fixed timestamp
  1672. * [1] https://bugzilla.mozilla.org/583181
  1673. * [2] https://www.fxsitecompat.com/en-CA/docs/2018/navigator-buildid-now-returns-a-fixed-timestamp/ ***/
  1674. // user_pref("general.buildID.override", ""); // [HIDDEN PREF]
  1675. /* 4703: navigator.appName ***/
  1676. // user_pref("general.appname.override", ""); // [HIDDEN PREF]
  1677. /* 4704: navigator.appVersion ***/
  1678. // user_pref("general.appversion.override", ""); // [HIDDEN PREF]
  1679. /* 4705: navigator.platform ***/
  1680. // user_pref("general.platform.override", ""); // [HIDDEN PREF]
  1681. /* 4706: navigator.oscpu ***/
  1682. // user_pref("general.oscpu.override", ""); // [HIDDEN PREF]
  1683. /*** [SECTION 5000]: PERSONAL
  1684. Non-project related but useful. If any of these interest you, add them to your overrides ***/
  1685. user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
  1686. /* WELCOME & WHAT's NEW NOTICES ***/
  1687. // user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
  1688. // user_pref("startup.homepage_welcome_url", "");
  1689. // user_pref("startup.homepage_welcome_url.additional", "");
  1690. // user_pref("startup.homepage_override_url", ""); // What's New page after updates
  1691. /* WARNINGS ***/
  1692. // user_pref("browser.tabs.warnOnClose", false);
  1693. // user_pref("browser.tabs.warnOnCloseOtherTabs", false);
  1694. // user_pref("browser.tabs.warnOnOpen", false);
  1695. // user_pref("full-screen-api.warning.delay", 0);
  1696. // user_pref("full-screen-api.warning.timeout", 0);
  1697. // user_pref("general.warnOnAboutConfig", false);
  1698. /* APPEARANCE ***/
  1699. // user_pref("browser.download.autohideButton", false); // [FF57+]
  1700. // user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+]
  1701. /* CONTENT BEHAVIOR ***/
  1702. // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type"
  1703. // user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX]
  1704. // user_pref("layout.spellcheckDefault", 2); // 0=none, 1-multi-line, 2=multi-line & single-line
  1705. /* UX BEHAVIOR ***/
  1706. // user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing
  1707. // user_pref("browser.tabs.closeWindowWithLastTab", false);
  1708. // user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+]
  1709. // user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+]
  1710. // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [WINDOWS] [MAC]
  1711. // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
  1712. /* OTHER ***/
  1713. // user_pref("browser.bookmarks.max_backups", 2);
  1714. // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false); // disable CFR [FF64+]
  1715. // [SETTING] General>Browsing>Recommend extensions as you browse
  1716. // [1] https://support.mozilla.org/en-US/kb/extension-recommendations
  1717. // user_pref("identity.fxaccounts.enabled", false); // disable and hide Firefox Accounts and Sync [FF60+] [RESTART]
  1718. // user_pref("network.manage-offline-status", false); // see bugzilla 620472
  1719. // user_pref("reader.parse-on-load.enabled", false); // "Reader View"
  1720. // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
  1721. /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED
  1722. Documentation denoted as [-]. Numbers may be re-used. See [1] for a link-clickable,
  1723. viewer-friendly version of the deprecated bugzilla tickets. The original state of each pref
  1724. has been preserved, or changed to match the current setup, but you are advised to review them.
  1725. [NOTE] Up to FF53, to enable a section change /* FFxx to // FFxx
  1726. For FF53 on, we have bundled releases to cater for ESR. Change /* to // on the first line
  1727. [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/123
  1728. ***/
  1729. user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!");
  1730. /* FF42 and older
  1731. // 2604: (25+) disable page thumbnails - replaced by browser.pagethumbnails.capturing_disabled
  1732. // [-] https://bugzilla.mozilla.org/897811
  1733. user_pref("pageThumbs.enabled", false);
  1734. // 2503: (31+) disable network API - replaced by dom.netinfo.enabled
  1735. // [-] https://bugzilla.mozilla.org/960426
  1736. user_pref("dom.network.enabled", false);
  1737. // 2600's: (35+) disable WebSockets
  1738. // [-] https://bugzilla.mozilla.org/1091016
  1739. user_pref("network.websocket.enabled", false);
  1740. // 1610: (36+) set DNT "value" to "not be tracked" [FF21+]
  1741. // [1] http://kb.mozillazine.org/Privacy.donottrackheader.value
  1742. // [-] https://bugzilla.mozilla.org/1042135#c101
  1743. // user_pref("privacy.donottrackheader.value", 1);
  1744. // 2023: (37+) disable camera autofocus callback
  1745. // The API will be superseded by the WebRTC Capture and Stream API
  1746. // [1] https://developer.mozilla.org/docs/Archive/B2G_OS/API/CameraControl
  1747. // [-] https://bugzilla.mozilla.org/1107683
  1748. user_pref("camera.control.autofocus_moving_callback.enabled", false);
  1749. // 0415: (41+) disable reporting URLs (safe browsing) - removed or replaced by various
  1750. // [-] https://bugzilla.mozilla.org/1109475
  1751. user_pref("browser.safebrowsing.reportErrorURL", ""); // browser.safebrowsing.reportPhishMistakeURL
  1752. user_pref("browser.safebrowsing.reportGenericURL", ""); // removed
  1753. user_pref("browser.safebrowsing.reportMalwareErrorURL", ""); // browser.safebrowsing.reportMalwareMistakeURL
  1754. user_pref("browser.safebrowsing.reportMalwareURL", ""); // removed
  1755. user_pref("browser.safebrowsing.reportURL", ""); // removed
  1756. // 0702: (41+) disable HTTP2 (draft)
  1757. // [-] https://bugzilla.mozilla.org/1132357
  1758. user_pref("network.http.spdy.enabled.http2draft", false);
  1759. // 1804: (41+) disable plugin enumeration
  1760. // [-] https://bugzilla.mozilla.org/1169945
  1761. user_pref("plugins.enumerable_names", "");
  1762. // 2803: (42+) clear passwords on shutdown
  1763. // [-] https://bugzilla.mozilla.org/1102184
  1764. // user_pref("privacy.clearOnShutdown.passwords", false);
  1765. // 5002: (42+) disable warning when a domain requests full screen
  1766. // replaced by setting full-screen-api.warning.timeout to zero
  1767. // [-] https://bugzilla.mozilla.org/1160017
  1768. // user_pref("full-screen-api.approval-required", false);
  1769. // ***/
  1770. /* FF43
  1771. // 0410's: disable safebrowsing urls & updates - replaced by various
  1772. // [-] https://bugzilla.mozilla.org/1107372
  1773. // user_pref("browser.safebrowsing.gethashURL", ""); // browser.safebrowsing.provider.google.gethashURL
  1774. // user_pref("browser.safebrowsing.updateURL", ""); // browser.safebrowsing.provider.google.updateURL
  1775. user_pref("browser.safebrowsing.malware.reportURL", ""); // browser.safebrowsing.provider.google.reportURL
  1776. // 0420's: disable tracking protection - replaced by various
  1777. // [-] https://bugzilla.mozilla.org/1107372
  1778. // user_pref("browser.trackingprotection.gethashURL", ""); // browser.safebrowsing.provider.mozilla.gethashURL
  1779. // user_pref("browser.trackingprotection.updateURL", ""); // browser.safebrowsing.provider.mozilla.updateURL
  1780. // 1803: remove plugin finder service
  1781. // [1] http://kb.mozillazine.org/Pfs.datasource.url
  1782. // [-] https://bugzilla.mozilla.org/1202193
  1783. user_pref("pfs.datasource.url", "");
  1784. // 5003: disable new search panel UI
  1785. // [-] https://bugzilla.mozilla.org/1119250
  1786. // user_pref("browser.search.showOneOffButtons", false);
  1787. // ***/
  1788. /* FF44
  1789. // 0414: disable safebrowsing's real-time binary checking (google) [FF43+]
  1790. // [-] https://bugzilla.mozilla.org/1237103
  1791. user_pref("browser.safebrowsing.provider.google.appRepURL", ""); // browser.safebrowsing.appRepURL
  1792. // 1200's: block rc4 whitelist
  1793. // [-] https://bugzilla.mozilla.org/1215796
  1794. user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);
  1795. // 2300's: disable SharedWorkers
  1796. // [1] https://trac.torproject.org/projects/tor/ticket/15562
  1797. // [-] https://bugzilla.mozilla.org/1207635
  1798. user_pref("dom.workers.sharedWorkers.enabled", false);
  1799. // 2403: disable scripts changing images
  1800. // [TEST] https://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_img_src2
  1801. // [-] https://bugzilla.mozilla.org/773429
  1802. // user_pref("dom.disable_image_src_set", true);
  1803. // ***/
  1804. /* FF45
  1805. // 1021b: disable deferred level of storing extra session data 0=all 1=http-only 2=none
  1806. // extra session data contains contents of forms, scrollbar positions, cookies and POST data
  1807. // [-] https://bugzilla.mozilla.org/1235379
  1808. user_pref("browser.sessionstore.privacy_level_deferred", 2);
  1809. // ***/
  1810. /* FF46
  1811. // 0340: disable health report
  1812. // [-] https://bugzilla.mozilla.org/1234526
  1813. user_pref("datareporting.healthreport.service.enabled", false); // [HIDDEN PREF]
  1814. user_pref("datareporting.healthreport.documentServerURI", ""); // [HIDDEN PREF]
  1815. // 0341: disable FHR (Firefox Health Report) v2 data being sent to Mozilla servers
  1816. // [-] https://bugzilla.mozilla.org/1234522
  1817. user_pref("datareporting.policy.dataSubmissionEnabled.v2", false);
  1818. // 0414: disable safebrowsing pref - replaced by browser.safebrowsing.downloads.remote.url
  1819. // [-] https://bugzilla.mozilla.org/1239587
  1820. user_pref("browser.safebrowsing.appRepURL", ""); // Google application reputation check
  1821. // 0420: disable polaris (part of Tracking Protection, never used in stable)
  1822. // [-] https://bugzilla.mozilla.org/1235565
  1823. // user_pref("browser.polaris.enabled", false);
  1824. // 0510: disable "Pocket" [FF39+] - replaced by extensions.pocket.*
  1825. // [-] https://bugzilla.mozilla.org/1215694
  1826. user_pref("browser.pocket.enabled", false);
  1827. user_pref("browser.pocket.api", "");
  1828. user_pref("browser.pocket.site", "");
  1829. user_pref("browser.pocket.oAuthConsumerKey", "");
  1830. // ***/
  1831. /* FF47
  1832. // 0330b: set unifiedIsOptIn to make sure telemetry respects OptIn choice and that telemetry
  1833. // is enabled ONLY for people that opted into it, even if unified Telemetry is enabled
  1834. // [-] https://bugzilla.mozilla.org/1236580
  1835. user_pref("toolkit.telemetry.unifiedIsOptIn", true); // [HIDDEN PREF]
  1836. // 0340b: disable about:healthreport page UNIFIED
  1837. // [-] https://bugzilla.mozilla.org/1236580
  1838. user_pref("datareporting.healthreport.about.reportUrlUnified", "data:text/plain,");
  1839. // 0807: disable history manipulation
  1840. // [1] https://developer.mozilla.org/docs/Web/API/History_API
  1841. // [-] https://bugzilla.mozilla.org/1249542
  1842. user_pref("browser.history.allowPopState", false);
  1843. user_pref("browser.history.allowPushState", false);
  1844. user_pref("browser.history.allowReplaceState", false);
  1845. // ***/
  1846. /* FF48
  1847. // 0806: disable 'unified complete': 'Search with [default search engine]'
  1848. // [-] http://techdows.com/2016/05/firefox-unified-complete-aboutconfig-preference-removed.html
  1849. // [-] https://bugzilla.mozilla.org/1181078
  1850. user_pref("browser.urlbar.unifiedcomplete", false);
  1851. // ***/
  1852. /* FF49
  1853. // 0372: disable "Hello"
  1854. // [1] https://www.mozilla.org/privacy/archive/hello/2016-03/
  1855. // [2] https://security.stackexchange.com/questions/94284/how-secure-is-firefox-hello
  1856. // [-] https://bugzilla.mozilla.org/1287827
  1857. user_pref("loop.enabled", false);
  1858. user_pref("loop.server", "");
  1859. user_pref("loop.feedback.formURL", "");
  1860. user_pref("loop.feedback.manualFormURL", "");
  1861. user_pref("loop.facebook.appId", "");
  1862. user_pref("loop.facebook.enabled", false);
  1863. user_pref("loop.facebook.fallbackUrl", "");
  1864. user_pref("loop.facebook.shareUrl", "");
  1865. user_pref("loop.logDomains", false);
  1866. // 2201: disable new window scrollbars being hidden
  1867. // [-] https://bugzilla.mozilla.org/1257887
  1868. user_pref("dom.disable_window_open_feature.scrollbars", true);
  1869. // 2303: disable push notification (UDP wake-up)
  1870. // [-] https://bugzilla.mozilla.org/1265914
  1871. user_pref("dom.push.udp.wakeupEnabled", false);
  1872. // ***/
  1873. /* FF50
  1874. // 0101: disable Windows10 intro on startup [WINDOWS]
  1875. // [-] https://bugzilla.mozilla.org/1274633
  1876. user_pref("browser.usedOnWindows10.introURL", "");
  1877. // 0308: disable plugin update notifications
  1878. // [-] https://bugzilla.mozilla.org/1277905
  1879. user_pref("plugins.update.notifyUser", false);
  1880. // 0410: disable "Block dangerous and deceptive content" - replaced by browser.safebrowsing.phishing.enabled
  1881. // [-] https://bugzilla.mozilla.org/1025965
  1882. // user_pref("browser.safebrowsing.enabled", false);
  1883. // 1266: disable rc4 ciphers
  1884. // [1] https://trac.torproject.org/projects/tor/ticket/17369
  1885. // [-] https://bugzilla.mozilla.org/1268728
  1886. // [-] https://www.fxsitecompat.com/en-CA/docs/2016/rc4-support-has-been-completely-removed/
  1887. user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
  1888. user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
  1889. user_pref("security.ssl3.rsa_rc4_128_md5", false);
  1890. user_pref("security.ssl3.rsa_rc4_128_sha", false);
  1891. // 1809: remove Mozilla's plugin update URL
  1892. // [-] https://bugzilla.mozilla.org/1277905
  1893. user_pref("plugins.update.url", "");
  1894. // ***/
  1895. /* FF51
  1896. // 0702: disable SPDY
  1897. // [-] https://bugzilla.mozilla.org/1248197
  1898. user_pref("network.http.spdy.enabled.v3-1", false);
  1899. // 1851: delay play of videos until they're visible
  1900. // [1] https://bugzilla.mozilla.org/1180563
  1901. // [-] https://bugzilla.mozilla.org/1262053
  1902. user_pref("media.block-play-until-visible", true);
  1903. // 2504: disable virtual reality devices
  1904. // [-] https://bugzilla.mozilla.org/1250244
  1905. user_pref("dom.vr.oculus050.enabled", false);
  1906. // ***/
  1907. /* FF52
  1908. // 1601: disable referer from an SSL Website
  1909. // [-] https://bugzilla.mozilla.org/1308725
  1910. user_pref("network.http.sendSecureXSiteReferrer", false);
  1911. // 1850: disable Adobe EME "Primetime CDM" (Content Decryption Module)
  1912. // [1] https://trac.torproject.org/projects/tor/ticket/16285
  1913. // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1329538,1337121 // FF52
  1914. // [-] https://bugzilla.mozilla.org/1329543 // FF53
  1915. user_pref("media.gmp-eme-adobe.enabled", false);
  1916. user_pref("media.gmp-eme-adobe.visible", false);
  1917. user_pref("media.gmp-eme-adobe.autoupdate", false);
  1918. // 2405: disable WebTelephony API
  1919. // [1] https://wiki.mozilla.org/WebAPI/Security/WebTelephony
  1920. // [-] https://bugzilla.mozilla.org/1309719
  1921. user_pref("dom.telephony.enabled", false);
  1922. // ***/
  1923. /* FF53
  1924. // 1265: block rc4 fallback
  1925. // [-] https://bugzilla.mozilla.org/1130670
  1926. user_pref("security.tls.unrestricted_rc4_fallback", false);
  1927. // 1806: disable Acrobat, Quicktime, WMP (the string = min version number allowed)
  1928. // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1317108,1317109,1317110
  1929. user_pref("plugin.scan.Acrobat", "99999");
  1930. user_pref("plugin.scan.Quicktime", "99999");
  1931. user_pref("plugin.scan.WindowsMediaPlayer", "99999");
  1932. // 2022: disable screensharing
  1933. // [-] https://bugzilla.mozilla.org/1329562
  1934. user_pref("media.getusermedia.screensharing.allow_on_old_platforms", false);
  1935. // 2507: disable keyboard fingerprinting
  1936. // [-] https://bugzilla.mozilla.org/1322736
  1937. user_pref("dom.beforeAfterKeyboardEvent.enabled", false);
  1938. // ***/
  1939. /* FF54
  1940. // 0415: disable reporting URLs (safe browsing)
  1941. // [-] https://bugzilla.mozilla.org/1288633
  1942. user_pref("browser.safebrowsing.reportMalwareMistakeURL", "");
  1943. user_pref("browser.safebrowsing.reportPhishMistakeURL", "");
  1944. // 1830: block websites detecting DRM is disabled
  1945. // [-] https://bugzilla.mozilla.org/1242321
  1946. user_pref("media.eme.apiVisible", false);
  1947. // 2425: disable Archive Reader API
  1948. // i.e. reading archive contents directly in the browser, through DOM file objects
  1949. // [-] https://bugzilla.mozilla.org/1342361
  1950. user_pref("dom.archivereader.enabled", false);
  1951. // ***/
  1952. /* FF55
  1953. // 0209: disable geolocation on non-secure origins [FF54+]
  1954. // [1] https://bugzilla.mozilla.org/1269531
  1955. // [-] https://bugzilla.mozilla.org/1072859
  1956. user_pref("geo.security.allowinsecure", false);
  1957. // 0336: disable "Heartbeat" (Mozilla user rating telemetry) [FF37+]
  1958. // [1] https://trac.torproject.org/projects/tor/ticket/18738
  1959. // [-] https://bugzilla.mozilla.org/1361578
  1960. user_pref("browser.selfsupport.enabled", false); // [HIDDEN PREF]
  1961. user_pref("browser.selfsupport.url", "");
  1962. // 0360: disable new tab "pings"
  1963. // [-] https://bugzilla.mozilla.org/1241390
  1964. user_pref("browser.newtabpage.directory.ping", "data:text/plain,");
  1965. // 0861: disable saving form history on secure websites
  1966. // [-] https://bugzilla.mozilla.org/1361220
  1967. user_pref("browser.formfill.saveHttpsForms", false);
  1968. // 0863: disable Form Autofill [FF54+] - replaced by extensions.formautofill.*
  1969. // [-] https://bugzilla.mozilla.org/1364334
  1970. user_pref("browser.formautofill.enabled", false);
  1971. // 2410: disable User Timing API
  1972. // [1] https://trac.torproject.org/projects/tor/ticket/16336
  1973. // [-] https://bugzilla.mozilla.org/1344669
  1974. user_pref("dom.enable_user_timing", false);
  1975. // 2507: disable keyboard fingerprinting (physical keyboards) [FF38+]
  1976. // The Keyboard API allows tracking the "read parameter" of pressed keys in forms on
  1977. // web pages. These parameters vary between types of keyboard layouts such as QWERTY,
  1978. // AZERTY, Dvorak, and between various languages, e.g. German vs English.
  1979. // [WARNING] Don't use if Android + physical keyboard
  1980. // [1] https://developer.mozilla.org/docs/Web/API/KeyboardEvent/code
  1981. // [2] https://www.privacy-handbuch.de/handbuch_21v.htm
  1982. // [-] https://bugzilla.mozilla.org/1352949
  1983. user_pref("dom.keyboardevent.code.enabled", false);
  1984. // 5015: disable tab animation - replaced by toolkit.cosmeticAnimations.enabled
  1985. // [-] https://bugzilla.mozilla.org/1352069
  1986. user_pref("browser.tabs.animate", false);
  1987. // 5016: disable fullscreeen animation - replaced by toolkit.cosmeticAnimations.enabled
  1988. // [-] https://bugzilla.mozilla.org/1352069
  1989. user_pref("browser.fullscreen.animate", false);
  1990. // ***/
  1991. /* FF56
  1992. // 0515: disable Screenshots (rollout pref only) [FF54+]
  1993. // [-] https://bugzilla.mozilla.org/1386333
  1994. // user_pref("extensions.screenshots.system-disabled", true);
  1995. // 0517: disable Form Autofill [FF55+] - replaced by extensions.formautofill.available
  1996. // [-] https://bugzilla.mozilla.org/1385201
  1997. user_pref("extensions.formautofill.experimental", false);
  1998. // ***/
  1999. /* FF57
  2000. // 0374: disable "social" integration
  2001. // [1] https://developer.mozilla.org/docs/Mozilla/Projects/Social_API
  2002. // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1388902,1406193 (some leftovers were removed in FF58)
  2003. user_pref("social.whitelist", "");
  2004. user_pref("social.toast-notifications.enabled", false);
  2005. user_pref("social.shareDirectory", "");
  2006. user_pref("social.remote-install.enabled", false);
  2007. user_pref("social.directories", "");
  2008. user_pref("social.share.activationPanelEnabled", false);
  2009. user_pref("social.enabled", false); // [HIDDEN PREF]
  2010. // 1830: disable DRM's EME WideVineAdapter [FF55+]
  2011. // [-] https://bugzilla.mozilla.org/1395468
  2012. user_pref("media.eme.chromium-api.enabled", false);
  2013. // 2608: disable WebIDE extension downloads (Valence)
  2014. // [1] https://trac.torproject.org/projects/tor/ticket/16222
  2015. // [-] https://bugzilla.mozilla.org/1393497
  2016. user_pref("devtools.webide.autoinstallFxdtAdapters", false);
  2017. user_pref("devtools.webide.adaptersAddonURL", "");
  2018. // 2600's: disable SimpleServiceDiscovery - which can bypass proxy settings - e.g. Roku
  2019. // [1] https://trac.torproject.org/projects/tor/ticket/16222
  2020. // [-] https://bugzilla.mozilla.org/1393582
  2021. user_pref("browser.casting.enabled", false);
  2022. // 5022: hide recently bookmarked items (you still have the original bookmarks) [FF49+]
  2023. // [-] https://bugzilla.mozilla.org/1401238
  2024. user_pref("browser.bookmarks.showRecentlyBookmarked", false);
  2025. // ***/
  2026. /* FF58
  2027. // 0351: disable sending of crash reports [FF51+] - replaced by *.autoSubmit2
  2028. // [-] https://bugzilla.mozilla.org/1424373
  2029. user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false);
  2030. // ***/
  2031. /* FF59
  2032. // 0203: disable using OS locale, force APP locale - replaced by intl.locale.requested
  2033. // [-] https://bugzilla.mozilla.org/1414390
  2034. user_pref("intl.locale.matchOS", false);
  2035. // 0204: set APP locale - replaced by intl.locale.requested
  2036. // [-] https://bugzilla.mozilla.org/1414390
  2037. user_pref("general.useragent.locale", "en-US");
  2038. // 0340b: disable about:healthreport page (which connects to Mozilla for locale/css+js+json)
  2039. // If you have disabled health reports, then this about page is useless - disable it
  2040. // If you want to see what health data is present, then this must be set at default
  2041. // [-] https://bugzilla.mozilla.org/1352497
  2042. user_pref("datareporting.healthreport.about.reportUrl", "data:,");
  2043. // 0511: disable FlyWeb [FF49+]
  2044. // Flyweb is a set of APIs for advertising and discovering local-area web servers
  2045. // [1] https://flyweb.github.io/
  2046. // [2] https://wiki.mozilla.org/FlyWeb/Security_scenarios
  2047. // [3] https://www.ghacks.net/2016/07/26/firefox-flyweb/
  2048. // [-] https://bugzilla.mozilla.org/1374574
  2049. user_pref("dom.flyweb.enabled", false);
  2050. // 1007: disable randomized FF HTTP cache decay experiments
  2051. // [1] https://trac.torproject.org/projects/tor/ticket/13575
  2052. // [-] https://bugzilla.mozilla.org/1430197
  2053. user_pref("browser.cache.frecency_experiment", -1);
  2054. // 1242: enable Mixed-Content-Blocker to use the HSTS cache but disable the HSTS Priming requests [FF51+]
  2055. // Allow resources from domains with an existing HSTS cache record or in the HSTS preload list
  2056. // to be upgraded to HTTPS internally but disable sending out HSTS Priming requests, because
  2057. // those may cause noticeable delays e.g. requests time out or are not handled well by servers
  2058. // [NOTE] If you want to use the priming requests make sure 'use_hsts' is also true
  2059. // [1] https://bugzilla.mozilla.org/1246540#c145
  2060. // [-] https://bugzilla.mozilla.org/1424917
  2061. user_pref("security.mixed_content.use_hsts", true);
  2062. user_pref("security.mixed_content.send_hsts_priming", false);
  2063. // 1606: set the default Referrer Policy [FF53+] - replaced by network.http.referer.defaultPolicy
  2064. // [-] https://bugzilla.mozilla.org/587523
  2065. user_pref("network.http.referer.userControlPolicy", 3);
  2066. // 1804: disable plugins using external/untrusted scripts with XPCOM or XPConnect
  2067. // [-] (part8) https://bugzilla.mozilla.org/1416703#c21
  2068. user_pref("security.xpconnect.plugin.unrestricted", false);
  2069. // 2022: disable screensharing domain whitelist
  2070. // [-] https://bugzilla.mozilla.org/1411742
  2071. user_pref("media.getusermedia.screensharing.allowed_domains", "");
  2072. // 2023: disable camera stuff
  2073. // [-] (part7) https://bugzilla.mozilla.org/1416703#c21
  2074. user_pref("camera.control.face_detection.enabled", false);
  2075. // 2202: prevent scripts from changing the status text
  2076. // [-] https://bugzilla.mozilla.org/1425999
  2077. user_pref("dom.disable_window_status_change", true);
  2078. // 2416: disable idle observation
  2079. // [-] (part7) https://bugzilla.mozilla.org/1416703#c21
  2080. user_pref("dom.idle-observers-api.enabled", false);
  2081. // ***/
  2082. /* FF60
  2083. // 0360: disable new tab tile ads & preload & marketing junk
  2084. // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1370930,1433133
  2085. user_pref("browser.newtabpage.directory.source", "data:text/plain,");
  2086. user_pref("browser.newtabpage.enhanced", false);
  2087. user_pref("browser.newtabpage.introShown", true);
  2088. // 0512: disable Shield [FF53+] - renamed to app.normandy.* (see 0503)
  2089. // Shield is an telemetry system (including Heartbeat) that can also push and test "recipes"
  2090. // [1] https://wiki.mozilla.org/Firefox/Shield
  2091. // [2] https://github.com/mozilla/normandy
  2092. // [-] https://bugzilla.mozilla.org/1436113
  2093. user_pref("extensions.shield-recipe-client.enabled", false);
  2094. user_pref("extensions.shield-recipe-client.api_url", "");
  2095. // 0514: disable Activity Stream [FF54+]
  2096. // [-] https://bugzilla.mozilla.org/1433324
  2097. user_pref("browser.newtabpage.activity-stream.enabled", false);
  2098. // 2301: disable workers
  2099. // [SETUP-WEB] Disabling workers *will* break sites (e.g. Google Street View, Twitter)
  2100. // [NOTE] CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)
  2101. // [-] https://bugzilla.mozilla.org/1434934
  2102. user_pref("dom.workers.enabled", false);
  2103. // 5000's: open "page/selection source" in a new window
  2104. // [-] https://bugzilla.mozilla.org/1418403
  2105. // user_pref("view_source.tab", false);
  2106. // ***/
  2107. /* ESR60.x still uses all the following prefs
  2108. // [NOTE] replace the * with a slash in the line above to re-enable them
  2109. // FF61
  2110. // 0501: disable experiments
  2111. // [1] https://wiki.mozilla.org/Telemetry/Experiments
  2112. // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1420908,1450801
  2113. user_pref("experiments.enabled", false);
  2114. user_pref("experiments.manifest.uri", "");
  2115. user_pref("experiments.supported", false);
  2116. user_pref("experiments.activeExperiment", false);
  2117. // 2612: disable remote JAR files being opened, regardless of content type [FF42+]
  2118. // [1] https://bugzilla.mozilla.org/1173171
  2119. // [2] https://www.fxsitecompat.com/en-CA/docs/2015/jar-protocol-support-has-been-disabled-by-default/
  2120. // [-] https://bugzilla.mozilla.org/1427726
  2121. user_pref("network.jar.block-remote-files", true);
  2122. // 2613: disable JAR from opening Unsafe File Types
  2123. // [-] https://bugzilla.mozilla.org/1427726
  2124. user_pref("network.jar.open-unsafe-types", false);
  2125. // * * * /
  2126. // FF62
  2127. // 1803: disable Java plugin
  2128. // [-] (part5) https://bugzilla.mozilla.org/1461243
  2129. user_pref("plugin.state.java", 0);
  2130. // * * * /
  2131. // FF63
  2132. // 0202: disable GeoIP-based search results
  2133. // [NOTE] May not be hidden if Firefox has changed your settings due to your locale
  2134. // [-] https://bugzilla.mozilla.org/1462015
  2135. user_pref("browser.search.countryCode", "US"); // [HIDDEN PREF]
  2136. // 0301a: disable auto-update checks for Firefox
  2137. // [SETTING] General>Firefox Updates>Never check for updates
  2138. // [-] https://bugzilla.mozilla.org/1420514
  2139. // user_pref("app.update.enabled", false);
  2140. // 0402: enable Kinto blocklist updates [FF50+]
  2141. // What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
  2142. // As Firefox transitions to Kinto, the blocklists have been broken down into entries for certs to be
  2143. // revoked, extensions and plugins to be disabled, and gfx environments that cause problems or crashes
  2144. // [-] https://bugzilla.mozilla.org/1458917
  2145. user_pref("services.blocklist.update_enabled", true); // [DEFAULT: true]
  2146. // 0503: disable "Savant" Shield study [FF61+]
  2147. // [-] https://bugzilla.mozilla.org/1457226
  2148. user_pref("shield.savant.enabled", false);
  2149. // 1031: disable favicons in tabs and new bookmarks - merged into browser.chrome.site_icons
  2150. // [-] https://bugzilla.mozilla.org/1453751
  2151. // user_pref("browser.chrome.favicons", false);
  2152. // 2030: disable auto-play of HTML5 media - replaced by media.autoplay.default
  2153. // [SETUP-WEB] This may break video playback on various sites
  2154. // [-] https://bugzilla.mozilla.org/1470082
  2155. user_pref("media.autoplay.enabled", false);
  2156. // 2704: set cookie lifetime in days (see 2703)
  2157. // [-] https://bugzilla.mozilla.org/1457170
  2158. // user_pref("network.cookie.lifetime.days", 90); // [DEFAULT: 90]
  2159. // 5000's: enable "Ctrl+Tab cycles through tabs in recently used order" - replaced by browser.ctrlTab.recentlyUsedOrder
  2160. // [-] https://bugzilla.mozilla.org/1473595
  2161. // user_pref("browser.ctrlTab.previews", true);
  2162. // * * * /
  2163. // FF64
  2164. // 0516: disable Onboarding [FF55+]
  2165. // Onboarding is an interactive tour/setup for new installs/profiles and features. Every time
  2166. // about:home or about:newtab is opened, the onboarding overlay is injected into that page
  2167. // [NOTE] Onboarding uses Google Analytics [2], and leaks resource://URIs [3]
  2168. // [1] https://wiki.mozilla.org/Firefox/Onboarding
  2169. // [2] https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf
  2170. // [3] https://bugzilla.mozilla.org/863246#c154
  2171. // [-] https://bugzilla.mozilla.org/1462415
  2172. user_pref("browser.onboarding.enabled", false);
  2173. // 2608: disable WebIDE ADB extension downloads - both renamed
  2174. // [1] https://trac.torproject.org/projects/tor/ticket/16222
  2175. // [-] https://bugzilla.mozilla.org/1491315
  2176. user_pref("devtools.webide.autoinstallADBHelper", false);
  2177. user_pref("devtools.webide.adbAddonURL", "");
  2178. // 2681: disable CSP violation events [FF59+]
  2179. // [1] https://developer.mozilla.org/docs/Web/API/SecurityPolicyViolationEvent
  2180. // [-] https://bugzilla.mozilla.org/1488165
  2181. user_pref("security.csp.enable_violation_events", false);
  2182. // * * * /
  2183. // FF65
  2184. // 0850a: disable location bar autocomplete and suggestion types
  2185. // If you enforce any of the suggestion types (see the other 0850a), you MUST enforce 'autocomplete'
  2186. // - If *ALL* of the suggestion types are false, 'autocomplete' must also be false
  2187. // - If *ANY* of the suggestion types are true, 'autocomplete' must also be true
  2188. // [-] https://bugzilla.mozilla.org/1502392
  2189. user_pref("browser.urlbar.autocomplete.enabled", false);
  2190. // 0908: remove user & password info when attempting to fix an entered URL (i.e. 0802 is true)
  2191. // e.g. //user:password@foo -> //user@(prefix)foo(suffix) NOT //user:password@(prefix)foo(suffix)
  2192. // [-] https://bugzilla.mozilla.org/1510580
  2193. user_pref("browser.fixup.hide_user_pass", true); // [DEFAULT: true]
  2194. // * * * /
  2195. // ***/
  2196. /* END: internal custom pref to test for syntax errors ***/
  2197. user_pref("_user.js.parrot", "SUCCESS: No no he's not dead, he's, he's restin'!");