- geo -> warning
- merge container prefs
- remove redundant "see"s
- remove corresponding 4600's item number in RFP mitigations
   - it's pretty clear by the preference names in 4600
   - could be misconstrued as meaning the 4600 pref has the same result
- RFP's language prompt only checks for en*, not en-US (so en-GB, en-CA etc do not get prompted)
   - https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPHelper.jsm#196
This commit is contained in:
Thorin-Oakenpants 2021-08-18 08:24:44 +00:00 committed by GitHub
parent e7e6cfffe8
commit 783786290d
Signed by: GitHub
GPG Key ID: 4AEE18F83AFDEB23

102
user.js

@ -132,10 +132,10 @@ user_pref("browser.newtabpage.activity-stream.default.sites", "");
user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
/** GEOLOCATION ***/
/* 0201: disable Location-Aware Browsing
* [NOTE] Best left at default "true", fingerprintable, already behind a prompt (see 0202)
* [WARNING] The API state is fingerprintable. Permission is already behind a prompt (0202)
* [1] https://www.mozilla.org/firefox/geolocation/ ***/
// user_pref("geo.enabled", false);
/* 0202: set a default permission for Location (see 0201) [FF58+]
/* 0202: set a default permission for Location (0201) [FF58+]
* 0=always ask (default), 1=allow, 2=block
* [NOTE] Best left at default "always ask", fingerprintable via Permissions API
* [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Your Location
@ -154,7 +154,7 @@ user_pref("geo.provider.use_gpsd", false); // [LINUX]
user_pref("browser.region.network.url", ""); // [FF78+]
user_pref("browser.region.update.enabled", false); // [[FF79+]
/* 0208: set search region
* [NOTE] May not be hidden if Firefox has changed your settings due to your region (see 0207) ***/
* [NOTE] May not be hidden if Firefox has changed your settings due to your region (0207) ***/
// user_pref("browser.search.region", "US"); // [HIDDEN PREF]
/** LANGUAGE / LOCALE ***/
@ -224,7 +224,7 @@ user_pref("datareporting.healthreport.uploadEnabled", false);
* If disabled, no policy is shown or upload takes place, ever
* [1] https://bugzilla.mozilla.org/1195552 ***/
user_pref("datareporting.policy.dataSubmissionEnabled", false);
/* 0342: disable Studies (see 0503)
/* 0342: disable Studies
* [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to install and run studies ***/
user_pref("app.shield.optoutstudies.enabled", false);
/* 0343: disable personalized Extension Recommendations in about:addons and AMO [FF65+]
@ -364,7 +364,7 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost
* then this won't make much difference. If you are masking your IP, then it can only help.
* [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
* [TEST] https://ipleak.org/
* [1] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/
* [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/
user_pref("network.dns.disableIPv6", true);
/* 0702: disable HTTP2
* HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
@ -381,7 +381,7 @@ user_pref("network.dns.disableIPv6", true);
// user_pref("network.http.spdy.enabled.http2", false);
// user_pref("network.http.spdy.websockets", false); // [FF65+]
/* 0703: disable HTTP Alternative Services [FF37+]
* [SETUP-PERF] Relax this if you have FPI enabled (see 4000) and you understand the
* [SETUP-PERF] Relax this if you have FPI enabled (4001) and you understand the
* consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
* and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
* [1] https://tools.ietf.org/html/rfc7838#section-9
@ -475,13 +475,13 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
// user_pref("browser.urlbar.autoFill", false);
/* 0860: disable search and form history
* [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
* [NOTE] We also clear formdata on exit (see 2803)
* [NOTE] We also clear formdata on exit (2803)
* [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history
* [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
* [2] https://bugzilla.mozilla.org/381681 ***/
user_pref("browser.formfill.enable", false);
/* 0862: disable browsing and download history
* [NOTE] We also clear history and downloads on exiting Firefox (see 2803)
* [NOTE] We also clear history and downloads on exit (2803)
* [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/
// user_pref("places.history.enabled", false);
/* 0870: disable Windows jumplist [WINDOWS] ***/
@ -503,11 +503,10 @@ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!");
* [SETTING] Privacy & Security>Logins and Passwords>Use a Primary Password
* [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/
/* 0903: set how often Firefox should ask for the primary password
* 0=the first time (default), 1=every time it's needed, 2=every n minutes (see 0904) ***/
* 0=the first time (default), 1=every time it's needed, 2=every n minutes (0904) ***/
user_pref("security.ask_for_password", 2);
/* 0904: set how often in minutes Firefox should ask for the primary password (see 0903)
* in minutes, default is 30 ***/
user_pref("security.password_lifetime", 5);
/* 0904: set how often in minutes Firefox should ask for the primary password (0903) ***/
user_pref("security.password_lifetime", 5); // [DEFAULT: 30]
/* 0905: disable auto-filling username & password form fields
* can leak in cross-site forms *and* be spoofed
* [NOTE] Username & password is still available when you enter the field
@ -548,7 +547,7 @@ user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is m
/* 1001: disable disk cache
* [SETUP-PERF] If you think disk cache may help (heavy tab user, high-res video),
* or you use a hardened Temporary Containers, then feel free to override this
* [NOTE] We also clear cache on exiting Firefox (see 2803) ***/
* [NOTE] We also clear cache on exit (2803) ***/
user_pref("browser.cache.disk.enable", false);
/* 1003: disable memory cache
* capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kibibytes ***/
@ -786,7 +785,7 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false);
user_pref("gfx.font_rendering.graphite.enabled", false);
/* 1409: limit system font exposure to a whitelist [FF52+] [RESTART]
* If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed
* [NOTE] In FF81+ the whitelist overrides RFP's font visibility (see 4620)
* [NOTE] In FF81+ the whitelist overrides RFP's font visibility (4620)
* [WARNING] DO NOT USE: in FF80+ RFP covers this, and non-RFP users should use font vis (4620)
* [1] https://bugzilla.mozilla.org/1121643 ***/
// user_pref("font.system.whitelist", ""); // [HIDDEN PREF]
@ -846,12 +845,10 @@ user_pref("privacy.donottrackheader.enabled", true);
[4] https://github.com/stoically/temporary-containers/wiki
***/
user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");
/* 1701: enable Container Tabs setting in preferences (see 1702) [FF50+]
* [1] https://bugzilla.mozilla.org/1279029 ***/
user_pref("privacy.userContext.ui.enabled", true);
/* 1702: enable Container Tabs [FF50+]
/* 1702: enable Container Tabs and it's UI setting [FF50+]
* [SETTING] General>Tabs>Enable Container Tabs ***/
user_pref("privacy.userContext.enabled", true);
user_pref("privacy.userContext.ui.enabled", true);
/* 1703: set behaviour on "+ Tab" button to display container menu on left click [FF74+]
* [NOTE] The menu is always shown on long press and right click
* [SETTING] General>Tabs>Enable Container Tabs>Settings>Select a container for each new tab ***/
@ -903,7 +900,7 @@ user_pref("media.eme.enabled", false);
/* 2031: disable autoplay of HTML5 media if you interacted with the site [FF78+]
* 0=sticky (default), 1=transient, 2=user
* Firefox's Autoplay Policy Documentation [PDF] is linked below via SUMO
* [NOTE] If you have trouble with some video sites, then add an exception (see 2030)
* [NOTE] If you have trouble with some video sites, then add an exception (2030)
* [1] https://support.mozilla.org/questions/1293231 ***/
user_pref("media.autoplay.blocking_policy", 2);
@ -1024,22 +1021,22 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m
// user_pref("gfx.direct2d.disabled", true); // [WINDOWS]
// user_pref("layers.acceleration.disabled", true);
/* 2517: disable Media Capabilities API [FF63+]
* [WARNING] The API state is fingerprintable and disabling may affect performance
* [WARNING] The API state is fingerprintable. Disabling may affect performance
* [1] https://github.com/WICG/media-capabilities
* [2] https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/
// user_pref("media.media-capabilities.enabled", false);
/* 2520: disable virtual reality devices
* [WARNING] The API state is fingerprintable
* [WARNING] The API state is fingerprintable. Permission is already behind a prompt (2521)
* [1] https://developer.mozilla.org/docs/Web/API/WebVR_API ***/
// user_pref("dom.vr.enabled", false);
/* 2521: set a default permission for Virtual Reality (see 2520) [FF73+]
/* 2521: set a default permission for Virtual Reality (2520) [FF73+]
* 0=always ask (default), 1=allow, 2=block
* [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Virtual Reality Devices
* [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings ***/
// user_pref("permissions.default.xr", 2);
/* 2522: disable/limit WebGL (Web Graphics Library)
* [SETUP-WEB] When disabled, will break some websites. When enabled, provides high entropy,
* especially with readPixels(). Some of the other entropy is lessened with RFP (see 4501)
* especially with readPixels(). Some of the other entropy is lessened with RFP (4501)
* [1] https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
* [2] https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/
user_pref("webgl.disabled", true);
@ -1237,11 +1234,10 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true);
// user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
// user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true]
/* 2730: disable offline cache (appCache)
* [NOTE] In FF90+ the storage capability has been removed (1694662)
* [WARNING] The API is easily fingerprinted, do not disable ***/
* [WARNING] The API state is fingerprintable. Storage capability was removed in FF90+ (1694662) ***/
// user_pref("browser.cache.offline.enable", false);
/* 2740: disable service worker cache and cache storage
* [NOTE] We clear service worker cache on exiting Firefox (see 2803)
* [NOTE] We clear service worker cache on exit (2803)
* [1] https://w3c.github.io/ServiceWorker/#privacy ***/
// user_pref("dom.caches.enabled", false);
/* 2750: disable Storage API [FF51+]
@ -1266,7 +1262,7 @@ user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+]
"offlineApps" prefs below to false, and to set the cookie lifetime pref to 2 (2703)
***/
user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
/* 2802: enable Firefox to clear items on shutdown (see 2803)
/* 2802: enable Firefox to clear items on shutdown (2803)
* [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
/* 2803: set what items to clear on shutdown (if 2802 is true) [SETUP-CHROME]
@ -1298,12 +1294,12 @@ user_pref("privacy.cpd.passwords", false); // this is not listed
user_pref("privacy.cpd.sessions", true); // Active Logins
user_pref("privacy.cpd.siteSettings", false); // Site Preferences
/* 2805: clear Session Restore data when sanitizing on shutdown or manually [FF34+]
* [NOTE] Not needed if Session Restore is not used (see 0102) or is already cleared with history (see 2803)
* [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (see 1022)
* [NOTE] Not needed if Session Restore is not used (0102) or is already cleared with history (2803)
* [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (1022)
* [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/
// user_pref("privacy.clearOnShutdown.openWindows", true);
// user_pref("privacy.cpd.openWindows", true);
/* 2806: reset default "Time range to clear" for "Clear Recent History" (see 2804)
/* 2806: reset default "Time range to clear" for "Clear Recent History" (2804)
* Firefox remembers your last choice. This will reset the value when you start Firefox
* 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today
* [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown,
@ -1348,7 +1344,7 @@ user_pref("privacy.firstparty.isolate", true);
// user_pref("privacy.firstparty.isolate.block_post_message", true);
/* 4003: enable scheme with FPI [FF78+]
* [NOTE] Experimental: existing data and site permissions are incompatible
* and some site exceptions may not work e.g. HTTPS-only mode (see 1244) ***/
* and some site exceptions may not work e.g. HTTPS-only mode (1244) ***/
// user_pref("privacy.firstparty.isolate.use_site", true);
/*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
@ -1366,21 +1362,21 @@ user_pref("privacy.firstparty.isolate", true);
1281963 - hide contents of navigator.plugins and navigator.mimeTypes
FF55+
1330890 - spoof timezone as UTC0
1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601)
1360039 - spoof navigator.hardwareConcurrency as 2
1217238 - reduce precision of time exposed by javascript
FF56+
1369303 - spoof/disable performance API (see 4602, 4603)
1333651 - spoof User Agent & Navigator API (see 4650)
1369303 - spoof/disable performance API
1333651 - spoof User Agent & Navigator API
JS: FF91+ the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 10, or Linux
HTTP Headers: spoofed as Windows or Android
1369319 - disable device sensor API (see 4604)
1369357 - disable site specific zoom (see 4605)
1337161 - hide gamepads from content (see 4606)
1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true (see 4607)
1333641 - reduce fingerprinting in WebSpeech API (see 4608)
1369319 - disable device sensor API
1369357 - disable site specific zoom
1337161 - hide gamepads from content
1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true
1333641 - reduce fingerprinting in WebSpeech API
FF57+
1369309 - spoof media statistics (see 4610)
1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611)
1369309 - spoof media statistics
1382499 - reduce screen co-ordinate fingerprinting in Touch API
1217290 & 1409677 - enable some fingerprinting resistance for WebGL
1382545 - reduce fingerprinting in Animation API
1354633 - limit MediaError.message to a whitelist
@ -1390,28 +1386,28 @@ user_pref("privacy.firstparty.isolate", true);
967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction
FF59+
1372073 - spoof/block fingerprinting in MediaDevices API
Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone" (see 4612)
Block: suppresses the ondevicechange event (see 4613)
1039069 - warn when language prefs are set to non en-US (see 0210, 0211)
Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone"
Block: suppresses the ondevicechange event
1039069 - warn when language prefs are not set to "en*" (also see 0210, 0211)
1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events
Spoofing mimics the content language of the document. Currently it only supports en-US.
Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected.
FF60-67
1337157 - disable WebGL debug renderer info (see 4614) (FF60+)
1337157 - disable WebGL debug renderer info (FF60+)
1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+)
1479239 - return "no-preference" with prefers-reduced-motion (see 4615) (FF63+)
1363508 - spoof/suppress Pointer Events (see 4616) (FF64+)
1479239 - return "no-preference" with prefers-reduced-motion (FF63+)
1363508 - spoof/suppress Pointer Events (FF64+)
FF65: pointerEvent.pointerid (1492766)
1485266 - disable exposure of system colors to CSS or canvas (see 4617) (FF67+)
1407366 - enable inner window letterboxing (see 4504) (FF67+)
1494034 - return "light" with prefers-color-scheme (see 4618) (FF67+)
1485266 - disable exposure of system colors to CSS or canvas (FF67+)
1407366 - enable inner window letterboxing (4504) (FF67+)
1494034 - return "light" with prefers-color-scheme (FF67+)
FF68-77
1564422 - spoof audioContext outputLatency (see 4619) (FF70+)
1595823 - return audioContext sampleRate as 44100 (see 4619) (FF72+)
1564422 - spoof audioContext outputLatency (FF70+)
1595823 - return audioContext sampleRate as 44100 (FF72+)
1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+)
FF78-90
1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+)
1653987 - limit font visibility to bundled and "Base Fonts" (see 4620) (Windows, Mac, some Linux) (FF80+)
1653987 - limit font visibility to bundled and "Base Fonts" (Windows, Mac, some Linux) (FF80+)
1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82+)
FF91+
531915 - use fdlibm's sin, cos and tan in jsmath (FF93+, ESR91.1+)