Merge pull request #544 from nodiscc/fix-syntax
[user-js.git] / user.js
blobf53f9bd641c105b4f994c2e2792f066ca9698f38
1 //
2 /******************************************************************************
3  * user.js                                                                    *
4  * https://github.com/pyllyukko/user.js                                       *
5  ******************************************************************************/
7 /******************************************************************************
8  * SECTION: HTML5 / APIs / DOM                                                *
9  ******************************************************************************/
11 // PREF: Disable Service Workers
12 // https://developer.mozilla.org/en-US/docs/Web/API/Worker
13 // https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
14 // https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
15 // NOTICE: Disabling ServiceWorkers breaks functionality on some sites (Google Street View...)
16 // NOTICE: Disabling ServiceWorkers breaks Firefox Sync
17 // Unknown security implications
18 // CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)
19 user_pref("dom.serviceWorkers.enabled",                         false);
21 // PREF: Disable web notifications
22 // https://support.mozilla.org/en-US/questions/1140439
23 user_pref("dom.webnotifications.enabled",                       false);
25 // PREF: Disable DOM timing API
26 // https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
27 // https://www.w3.org/TR/navigation-timing/#privacy
28 user_pref("dom.enable_performance",                             false);
30 // PREF: Disable resource timing API
31 // https://www.w3.org/TR/resource-timing/#privacy-security
32 // NOTICE: Disabling resource timing API breaks some DDoS protection pages (Cloudflare)
33 user_pref("dom.enable_resource_timing",                         false);
35 // PREF: Make sure the User Timing API does not provide a new high resolution timestamp
36 // https://trac.torproject.org/projects/tor/ticket/16336
37 // https://www.w3.org/TR/2013/REC-user-timing-20131212/#privacy-security
38 user_pref("dom.enable_user_timing",                             false);
40 // PREF: Disable Web Audio API
41 // https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
42 // NOTICE: Web Audio API is required for Unity web player/games
43 user_pref("dom.webaudio.enabled",                               false);
45 // PREF: Disable Location-Aware Browsing (geolocation)
46 // https://www.mozilla.org/en-US/firefox/geolocation/
47 user_pref("geo.enabled",                                        false);
49 // PREF: When geolocation is enabled, use Mozilla geolocation service instead of Google
50 // https://bugzilla.mozilla.org/show_bug.cgi?id=689252
51 user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
53 // PREF: When geolocation is enabled, don't log geolocation requests to the console
54 user_pref("geo.wifi.logging.enabled", false);
56 // PREF: Disable raw TCP socket support (mozTCPSocket)
57 // https://trac.torproject.org/projects/tor/ticket/18863
58 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/
59 // https://developer.mozilla.org/docs/Mozilla/B2G_OS/API/TCPSocket
60 user_pref("dom.mozTCPSocket.enabled",                           false);
62 // PREF: Disable DOM storage (disabled)
63 // http://kb.mozillazine.org/Dom.storage.enabled
64 // https://html.spec.whatwg.org/multipage/webstorage.html
65 // NOTICE-DISABLED: Disabling DOM storage is known to cause`TypeError: localStorage is null` errors
66 //user_pref("dom.storage.enabled",              false);
68 // PREF: Disable leaking network/browser connection information via Javascript
69 // Network Information API provides general information about the system's connection type (WiFi, cellular, etc.)
70 // https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
71 // https://wicg.github.io/netinfo/#privacy-considerations
72 // https://bugzilla.mozilla.org/show_bug.cgi?id=960426
73 user_pref("dom.netinfo.enabled",                                false);
75 // PREF: Disable network API (Firefox < 32)
76 // https://developer.mozilla.org/en-US/docs/Web/API/Connection/onchange
77 // https://www.torproject.org/projects/torbrowser/design/#fingerprinting-defenses
78 user_pref("dom.network.enabled",                                false);
80 // PREF: Disable WebRTC entirely to prevent leaking internal IP addresses (Firefox < 42)
81 // NOTICE: Disabling WebRTC breaks peer-to-peer file sharing tools (reep.io ...)
82 user_pref("media.peerconnection.enabled",                       false);
84 // PREF: Don't reveal your internal IP when WebRTC is enabled (Firefox >= 42)
85 // https://wiki.mozilla.org/Media/WebRTC/Privacy
86 // https://github.com/beefproject/beef/wiki/Module%3A-Get-Internal-IP-WebRTC
87 user_pref("media.peerconnection.ice.default_address_only",      true); // Firefox 42-51
88 user_pref("media.peerconnection.ice.no_host",                   true); // Firefox >= 52
90 // PREF: Disable WebRTC getUserMedia, screen sharing, audio capture, video capture
91 // https://wiki.mozilla.org/Media/getUserMedia
92 // https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/
93 // https://developer.mozilla.org/en-US/docs/Web/API/Navigator
94 user_pref("media.navigator.enabled",                            false);
95 user_pref("media.navigator.video.enabled",                      false);
96 user_pref("media.getusermedia.screensharing.enabled",           false);
97 user_pref("media.getusermedia.audiocapture.enabled",            false);
99 // PREF: Disable battery API (Firefox < 52)
100 // https://developer.mozilla.org/en-US/docs/Web/API/BatteryManager
101 // https://bugzilla.mozilla.org/show_bug.cgi?id=1313580
102 user_pref("dom.battery.enabled",                                false);
104 // PREF: Disable telephony API
105 // https://wiki.mozilla.org/WebAPI/Security/WebTelephony
106 user_pref("dom.telephony.enabled",                              false);
108 // PREF: Disable "beacon" asynchronous HTTP transfers (used for analytics)
109 // https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
110 user_pref("beacon.enabled",                                     false);
112 // PREF: Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
113 // NOTICE: Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...)
114 // https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
115 user_pref("dom.event.clipboardevents.enabled",                  false);
117 // PREF: Disable "copy to clipboard" functionality via Javascript (Firefox >= 41)
118 // NOTICE: Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality
119 // https://hg.mozilla.org/mozilla-central/rev/2f9f8ea4b9c3
120 user_pref("dom.allow_cut_copy", false);
122 // PREF: Disable speech recognition
123 // https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html
124 // https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
125 // https://wiki.mozilla.org/HTML5_Speech_API
126 user_pref("media.webspeech.recognition.enable",                 false);
128 // PREF: Disable speech synthesis
129 // https://developer.mozilla.org/en-US/docs/Web/API/SpeechSynthesis
130 user_pref("media.webspeech.synth.enabled",                      false);
132 // PREF: Disable sensor API
133 // https://wiki.mozilla.org/Sensor_API
134 user_pref("device.sensors.enabled",                             false);
136 // PREF: Disable pinging URIs specified in HTML <a> ping= attributes
137 // http://kb.mozillazine.org/Browser.send_pings
138 user_pref("browser.send_pings",                                 false);
140 // PREF: When browser pings are enabled, only allow pinging the same host as the origin page
141 // http://kb.mozillazine.org/Browser.send_pings.require_same_host
142 user_pref("browser.send_pings.require_same_host",               true);
144 // PREF: Disable IndexedDB (disabled)
145 // https://developer.mozilla.org/en-US/docs/IndexedDB
146 // https://en.wikipedia.org/wiki/Indexed_Database_API
147 // https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review
148 // http://forums.mozillazine.org/viewtopic.php?p=13842047
149 // https://github.com/pyllyukko/user.js/issues/8
150 // NOTICE-DISABLED: IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled
151 //user_pref("dom.indexedDB.enabled",            false);
153 // TODO: "Access Your Location" "Maintain Offline Storage" "Show Notifications"
155 // PREF: Disable gamepad API to prevent USB device enumeration
156 // https://www.w3.org/TR/gamepad/
157 // https://trac.torproject.org/projects/tor/ticket/13023
158 user_pref("dom.gamepad.enabled",                                false);
160 // PREF: Disable virtual reality devices APIs
161 // https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
162 // https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
163 user_pref("dom.vr.enabled",                                     false);
165 // PREF: Disable vibrator API
166 user_pref("dom.vibrator.enabled",           false);
168 // PREF: Disable Archive API (Firefox < 54)
169 // https://wiki.mozilla.org/WebAPI/ArchiveAPI
170 // https://bugzilla.mozilla.org/show_bug.cgi?id=1342361
171 user_pref("dom.archivereader.enabled",                          false);
173 // PREF: Disable webGL
174 // https://en.wikipedia.org/wiki/WebGL
175 // https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
176 // NOTICE: Disabling WebGL breaks WebGL-based websites/applications (windy, meteoblue...)
177 user_pref("webgl.disabled",                                     true);
178 // PREF: When webGL is enabled, use the minimum capability mode
179 user_pref("webgl.min_capability_mode",                          true);
180 // PREF: When webGL is enabled, disable webGL extensions
181 // https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API#WebGL_debugging_and_testing
182 user_pref("webgl.disable-extensions",                           true);
183 // PREF: When webGL is enabled, force enabling it even when layer acceleration is not supported
184 // https://trac.torproject.org/projects/tor/ticket/18603
185 user_pref("webgl.disable-fail-if-major-performance-caveat",     true);
186 // PREF: When webGL is enabled, do not expose information about the graphics driver
187 // https://bugzilla.mozilla.org/show_bug.cgi?id=1171228
188 // https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info
189 user_pref("webgl.enable-debug-renderer-info",                   false);
190 // somewhat related...
191 //user_pref("pdfjs.enableWebGL",                                        false);
193 // PREF: Spoof dual-core CPU
194 // https://trac.torproject.org/projects/tor/ticket/21675
195 // https://bugzilla.mozilla.org/show_bug.cgi?id=1360039
196 user_pref("dom.maxHardwareConcurrency",                         2);
198 // PREF: Disable WebAssembly
199 // https://webassembly.org/
200 // https://en.wikipedia.org/wiki/WebAssembly
201 // https://trac.torproject.org/projects/tor/ticket/21549
202 // NOTICE: WebAssembly is required for Unity web player/games
203 user_pref("javascript.options.wasm",                            false);
205 /******************************************************************************
206  * SECTION: Misc                                                              *
207  ******************************************************************************/
209 // PREF: Disable face detection
210 user_pref("camera.control.face_detection.enabled",              false);
212 // PREF: Disable GeoIP lookup on your address to set default search engine region
213 // https://trac.torproject.org/projects/tor/ticket/16254
214 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine
215 user_pref("browser.search.countryCode",                         "US");
216 user_pref("browser.search.region",                              "US");
217 user_pref("browser.search.geoip.url",                           "");
219 // PREF: Set Accept-Language HTTP header to en-US regardless of Firefox localization
220 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language
221 user_pref("intl.accept_languages",                              "en-US, en");
223 // PREF: Don't use OS values to determine locale, force using Firefox locale setting
224 // http://kb.mozillazine.org/Intl.locale.matchOS
225 user_pref("intl.locale.matchOS",                                false);
227 // Use LANG environment variable to choose locale (disabled)
228 //pref("intl.locale.requested", "");
230 // PREF: Don't use Mozilla-provided location-specific search engines
231 user_pref("browser.search.geoSpecificDefaults",                 false);
233 // PREF: Do not automatically send selection to clipboard on some Linux platforms
234 // http://kb.mozillazine.org/Clipboard.autocopy
235 user_pref("clipboard.autocopy",                                 false);
237 // PREF: Prevent leaking application locale/date format using JavaScript
238 // https://bugzilla.mozilla.org/show_bug.cgi?id=867501
239 // https://hg.mozilla.org/mozilla-central/rev/52d635f2b33d
240 user_pref("javascript.use_us_english_locale",                   true);
242 // PREF: Do not submit invalid URIs entered in the address bar to the default search engine
243 // http://kb.mozillazine.org/Keyword.enabled
244 user_pref("keyword.enabled",                                    false);
246 // PREF: Don't trim HTTP off of URLs in the address bar.
247 // https://bugzilla.mozilla.org/show_bug.cgi?id=665580
248 user_pref("browser.urlbar.trimURLs",                            false);
250 // PREF: Don't try to guess domain names when entering an invalid domain name in URL bar
251 // http://www-archive.mozilla.org/docs/end-user/domain-guessing.html
252 user_pref("browser.fixup.alternate.enabled",                    false);
254 // PREF: When browser.fixup.alternate.enabled is enabled, strip password from 'user:password@...' URLs
255 // https://github.com/pyllyukko/user.js/issues/290#issuecomment-303560851
256 user_pref("browser.fixup.hide_user_pass", true);
258 // PREF: Send DNS request through SOCKS when SOCKS proxying is in use
259 // https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
260 user_pref("network.proxy.socks_remote_dns",                     true);
262 // PREF: Don't monitor OS online/offline connection state
263 // https://trac.torproject.org/projects/tor/ticket/18945
264 user_pref("network.manage-offline-status",                      false);
266 // PREF: Enforce Mixed Active Content Blocking
267 // https://support.mozilla.org/t5/Protect-your-privacy/Mixed-content-blocking-in-Firefox/ta-p/10990
268 // https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_23#Non-SSL_contents_on_SSL_pages_are_blocked_by_default
269 // https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
270 user_pref("security.mixed_content.block_active_content",        true);
272 // PREF: Enforce Mixed Passive Content blocking (a.k.a. Mixed Display Content)
273 // NOTICE: Enabling Mixed Display Content blocking can prevent images/styles... from loading properly when connection to the website is only partially secured
274 user_pref("security.mixed_content.block_display_content",       true);
276 // PREF: Disable JAR from opening Unsafe File Types
277 // http://kb.mozillazine.org/Network.jar.open-unsafe-types
278 // CIS Mozilla Firefox 24 ESR v1.0.0 - 3.7 
279 user_pref("network.jar.open-unsafe-types",                      false);
281 // CIS 2.7.4 Disable Scripting of Plugins by JavaScript
282 // http://forums.mozillazine.org/viewtopic.php?f=7&t=153889
283 user_pref("security.xpconnect.plugin.unrestricted",             false);
285 // PREF: Set File URI Origin Policy
286 // http://kb.mozillazine.org/Security.fileuri.strict_origin_policy
287 // CIS Mozilla Firefox 24 ESR v1.0.0 - 3.8
288 user_pref("security.fileuri.strict_origin_policy",              true);
290 // PREF: Disable Displaying Javascript in History URLs
291 // http://kb.mozillazine.org/Browser.urlbar.filter.javascript
292 // CIS 2.3.6 
293 user_pref("browser.urlbar.filter.javascript",                   true);
295 // PREF: Disable asm.js
296 // http://asmjs.org/
297 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
298 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
299 // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712
300 user_pref("javascript.options.asmjs",                           false);
302 // PREF: Disable SVG in OpenType fonts
303 // https://wiki.mozilla.org/SVGOpenTypeFonts
304 // https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle
305 user_pref("gfx.font_rendering.opentype_svg.enabled",            false);
307 // PREF: Disable in-content SVG rendering (Firefox >= 53) (disabled)
308 // NOTICE-DISABLED: Disabling SVG support breaks many UI elements on many sites
309 // https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
310 // https://github.com/iSECPartners/publications/raw/master/reports/Tor%20Browser%20Bundle/Tor%20Browser%20Bundle%20-%20iSEC%20Deliverable%201.3.pdf#16
311 //user_pref("svg.disabled", true);
313 // PREF: Disable video stats to reduce fingerprinting threat
314 // https://bugzilla.mozilla.org/show_bug.cgi?id=654550
315 // https://github.com/pyllyukko/user.js/issues/9#issuecomment-100468785
316 // https://github.com/pyllyukko/user.js/issues/9#issuecomment-148922065
317 user_pref("media.video_stats.enabled",                          false);
319 // PREF: Don't reveal build ID
320 // Value taken from Tor Browser
321 // https://bugzilla.mozilla.org/show_bug.cgi?id=583181
322 user_pref("general.buildID.override",                           "20100101");
323 user_pref("browser.startup.homepage_override.buildID",          "20100101");
325 // PREF: Don't use document specified fonts to prevent installed font enumeration (fingerprinting)
326 // https://github.com/pyllyukko/user.js/issues/395
327 // https://browserleaks.com/fonts
328 // https://github.com/pyllyukko/user.js/issues/120
329 user_pref("browser.display.use_document_fonts",                 0);
331 // PREF: Enable only whitelisted URL protocol handlers
332 // http://kb.mozillazine.org/Network.protocol-handler.external-default
333 // http://kb.mozillazine.org/Network.protocol-handler.warn-external-default
334 // http://kb.mozillazine.org/Network.protocol-handler.expose.%28protocol%29
335 // https://news.ycombinator.com/item?id=13047883
336 // https://bugzilla.mozilla.org/show_bug.cgi?id=167475
337 // https://github.com/pyllyukko/user.js/pull/285#issuecomment-298124005
338 // NOTICE: Disabling nonessential protocols breaks all interaction with custom protocols such as mailto:, irc:, magnet: ... and breaks opening third-party mail/messaging/torrent/... clients when clicking on links with these protocols
339 // TODO: Add externally-handled protocols from Windows 8.1 and Windows 10 (currently contains protocols only from Linux and Windows 7) that might pose a similar threat (see e.g. https://news.ycombinator.com/item?id=13044991)
340 // TODO: Add externally-handled protocols from Mac OS X that might pose a similar threat (see e.g. https://news.ycombinator.com/item?id=13044991)
341 // If you want to enable a protocol, set network.protocol-handler.expose.(protocol) to true and network.protocol-handler.external.(protocol) to:
342 //   * true, if the protocol should be handled by an external application
343 //   * false, if the protocol should be handled internally by Firefox
344 user_pref("network.protocol-handler.warn-external-default",     true);
345 user_pref("network.protocol-handler.external.http",             false);
346 user_pref("network.protocol-handler.external.https",            false);
347 user_pref("network.protocol-handler.external.javascript",       false);
348 user_pref("network.protocol-handler.external.moz-extension",    false);
349 user_pref("network.protocol-handler.external.ftp",              false);
350 user_pref("network.protocol-handler.external.file",             false);
351 user_pref("network.protocol-handler.external.about",            false);
352 user_pref("network.protocol-handler.external.chrome",           false);
353 user_pref("network.protocol-handler.external.blob",             false);
354 user_pref("network.protocol-handler.external.data",             false);
355 user_pref("network.protocol-handler.expose-all",                false);
356 user_pref("network.protocol-handler.expose.http",               true);
357 user_pref("network.protocol-handler.expose.https",              true);
358 user_pref("network.protocol-handler.expose.javascript",         true);
359 user_pref("network.protocol-handler.expose.moz-extension",      true);
360 user_pref("network.protocol-handler.expose.ftp",                true);
361 user_pref("network.protocol-handler.expose.file",               true);
362 user_pref("network.protocol-handler.expose.about",              true);
363 user_pref("network.protocol-handler.expose.chrome",             true);
364 user_pref("network.protocol-handler.expose.blob",               true);
365 user_pref("network.protocol-handler.expose.data",               true);
367 /******************************************************************************
368  * SECTION: Extensions / plugins                                                       *
369  ******************************************************************************/
371 // PREF: Ensure you have a security delay when installing add-ons (milliseconds)
372 // http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
373 // http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
374 user_pref("security.dialog_enable_delay",                       1000);
376 // PREF: Require signatures
377 // https://wiki.mozilla.org/Addons/Extension_Signing
378 //user_pref("xpinstall.signatures.required",            true);
380 // PREF: Opt-out of add-on metadata updates
381 // https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
382 user_pref("extensions.getAddons.cache.enabled",                 false);
384 // PREF: Opt-out of themes (Persona) updates
385 // https://support.mozilla.org/t5/Firefox/how-do-I-prevent-autoamtic-updates-in-a-50-user-environment/td-p/144287
386 user_pref("lightweightThemes.update.enabled",                   false);
388 // PREF: Disable Flash Player NPAPI plugin
389 // http://kb.mozillazine.org/Flash_plugin
390 user_pref("plugin.state.flash",                                 0);
392 // PREF: Disable Java NPAPI plugin
393 user_pref("plugin.state.java",                                  0);
395 // PREF: Disable sending Flash Player crash reports
396 user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled",     false);
398 // PREF: When Flash crash reports are enabled, don't send the visited URL in the crash report
399 user_pref("dom.ipc.plugins.reportCrashURL",                     false);
401 // PREF: When Flash is enabled, download and use Mozilla SWF URIs blocklist
402 // https://bugzilla.mozilla.org/show_bug.cgi?id=1237198
403 // https://github.com/mozilla-services/shavar-plugin-blocklist
404 user_pref("browser.safebrowsing.blockedURIs.enabled", true);
406 // PREF: Disable Gnome Shell Integration NPAPI plugin
407 user_pref("plugin.state.libgnome-shell-browser-plugin",         0);
409 // PREF: Disable the bundled OpenH264 video codec (disabled)
410 // http://forums.mozillazine.org/viewtopic.php?p=13845077&sid=28af2622e8bd8497b9113851676846b1#p13845077
411 //user_pref("media.gmp-provider.enabled",               false);
413 // PREF: Enable plugins click-to-play
414 // https://wiki.mozilla.org/Firefox/Click_To_Play
415 // https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/
416 user_pref("plugins.click_to_play",                              true);
418 // PREF: Updates addons automatically
419 // https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/
420 user_pref("extensions.update.enabled",                          true);
422 // PREF: Enable add-on and certificate blocklists (OneCRL) from Mozilla
423 // https://wiki.mozilla.org/Blocklisting
424 // https://blocked.cdn.mozilla.net/
425 // http://kb.mozillazine.org/Extensions.blocklist.enabled
426 // http://kb.mozillazine.org/Extensions.blocklist.url
427 // https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
428 // Updated at interval defined in extensions.blocklist.interval (default: 86400)
429 user_pref("extensions.blocklist.enabled",                       true);
430 user_pref("services.blocklist.update_enabled",                  true);
432 // PREF: Decrease system information leakage to Mozilla blocklist update servers
433 // https://trac.torproject.org/projects/tor/ticket/16931
434 user_pref("extensions.blocklist.url",                           "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/");
436 // PREF: Disable system add-on updates (hidden & always-enabled add-ons from Mozilla)
437 // https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html
438 // https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/
439 // https://github.com/pyllyukko/user.js/issues/419
440 // https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#1248-1257
441 // NOTICE: Disabling system add-on updates prevents Mozilla from "hotfixing" your browser to patch critical problems (one possible use case from the documentation)
442 user_pref("extensions.systemAddon.update.enabled",              false);
444 /******************************************************************************
445  * SECTION: Firefox (anti-)features / components                              *                            *
446  ******************************************************************************/
448 // PREF: Disable Extension recommendations (Firefox >= 65)
449 // https://support.mozilla.org/en-US/kb/extension-recommendations
450 user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr",  false);
452 // PREF: Trusted Recursive Resolver (DNS-over-HTTPS) (disabled)
453 // https://wiki.mozilla.org/Trusted_Recursive_Resolver
454 //user_pref("network.trr.mode",                                 0);
456 // PREF: Disable WebIDE
457 // https://trac.torproject.org/projects/tor/ticket/16222
458 // https://developer.mozilla.org/docs/Tools/WebIDE
459 user_pref("devtools.webide.enabled",                            false);
460 user_pref("devtools.webide.autoinstallADBHelper",               false);
461 user_pref("devtools.webide.autoinstallFxdtAdapters",            false);
463 // PREF: Disable remote debugging
464 // https://developer.mozilla.org/en-US/docs/Tools/Remote_Debugging/Debugging_Firefox_Desktop
465 // https://developer.mozilla.org/en-US/docs/Tools/Tools_Toolbox#Advanced_settings
466 user_pref("devtools.debugger.remote-enabled",                   false);
467 user_pref("devtools.chrome.enabled",                            false);
468 user_pref("devtools.debugger.force-local",                      true);
470 // PREF: Disable Mozilla telemetry/experiments
471 // https://wiki.mozilla.org/Platform/Features/Telemetry
472 // https://wiki.mozilla.org/Privacy/Reviews/Telemetry
473 // https://wiki.mozilla.org/Telemetry
474 // https://www.mozilla.org/en-US/legal/privacy/firefox.html#telemetry
475 // https://support.mozilla.org/t5/Firefox-crashes/Mozilla-Crash-Reporter/ta-p/1715
476 // https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/telemetry
477 // https://gecko.readthedocs.io/en/latest/browser/experiments/experiments/manifest.html
478 // https://wiki.mozilla.org/Telemetry/Experiments
479 // https://support.mozilla.org/en-US/questions/1197144
480 // https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html#id1
481 user_pref("toolkit.telemetry.enabled",                          false);
482 user_pref("toolkit.telemetry.unified",                          false);
483 user_pref("toolkit.telemetry.archive.enabled",                  false);
484 user_pref("experiments.supported",                              false);
485 user_pref("experiments.enabled",                                false);
486 user_pref("experiments.manifest.uri",                           "");
488 // PREF: Disallow Necko to do A/B testing
489 // https://trac.torproject.org/projects/tor/ticket/13170
490 user_pref("network.allow-experiments",                          false);
492 // PREF: Disable sending Firefox crash reports to Mozilla servers
493 // https://wiki.mozilla.org/Breakpad
494 // http://kb.mozillazine.org/Breakpad
495 // https://dxr.mozilla.org/mozilla-central/source/toolkit/crashreporter
496 // https://bugzilla.mozilla.org/show_bug.cgi?id=411490
497 // A list of submitted crash reports can be found at about:crashes
498 user_pref("breakpad.reportURL",                                 "");
500 // PREF: Disable sending reports of tab crashes to Mozilla (about:tabcrashed), don't nag user about unsent crash reports
501 // https://hg.mozilla.org/mozilla-central/file/tip/browser/app/profile/firefox.js
502 user_pref("browser.tabs.crashReporting.sendReport",             false);
503 user_pref("browser.crashReports.unsubmittedCheck.enabled",      false);
505 // PREF: Disable FlyWeb (discovery of LAN/proximity IoT devices that expose a Web interface)
506 // https://wiki.mozilla.org/FlyWeb
507 // https://wiki.mozilla.org/FlyWeb/Security_scenarios
508 // https://docs.google.com/document/d/1eqLb6cGjDL9XooSYEEo7mE-zKQ-o-AuDTcEyNhfBMBM/edit
509 // http://www.ghacks.net/2016/07/26/firefox-flyweb
510 user_pref("dom.flyweb.enabled",                                 false);
512 // PREF: Disable the UITour backend
513 // https://trac.torproject.org/projects/tor/ticket/19047#comment:3
514 user_pref("browser.uitour.enabled",                             false);
516 // PREF: Enable Firefox Tracking Protection
517 // https://wiki.mozilla.org/Security/Tracking_protection
518 // https://support.mozilla.org/en-US/kb/tracking-protection-firefox
519 // https://support.mozilla.org/en-US/kb/tracking-protection-pbm
520 // https://kontaxis.github.io/trackingprotectionfirefox/
521 // https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/
522 user_pref("privacy.trackingprotection.enabled",                 true);
523 user_pref("privacy.trackingprotection.pbmode.enabled",          true);
525 // PREF: Enable contextual identity Containers feature (Firefox >= 52)
526 // NOTICE: Containers are not available in Private Browsing mode
527 // https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
528 user_pref("privacy.userContext.enabled",                        true);
530 // PREF: Enable Firefox's anti-fingerprinting mode ("resist fingerprinting" or RFP) (Tor Uplift project)
531 // https://wiki.mozilla.org/Security/Tor_Uplift/Tracking
532 // https://bugzilla.mozilla.org/show_bug.cgi?id=1333933
533 // https://wiki.mozilla.org/Security/Fingerprinting
534 // NOTICE: RFP breaks some keyboard shortcuts used in certain websites (see #443)
535 // NOTICE: RFP changes your time zone
536 // NOTICE: RFP breaks some DDoS protection pages (Cloudflare)
537 user_pref("privacy.resistFingerprinting",                       true);
539 // PREF: disable mozAddonManager Web API [FF57+]
540 // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330
541 // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1406795
542 // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1415644
543 // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1453988
544 // https://trac.torproject.org/projects/tor/ticket/26114
545 user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
546 user_pref("extensions.webextensions.restrictedDomains", "");
548 // PREF: enable RFP letterboxing / resizing of inner window [FF67+] (disabled)
549 // https://bugzilla.mozilla.org/1407366
550 //user_pref("privacy.resistFingerprinting.letterboxing", true);
551 //user_pref("privacy.resistFingerprinting.letterboxing.dimensions", "800x600, 1000x1000, 1600x900");
553 // PREF: disable showing about:blank/maximized window as soon as possible during startup [FF60+]
554 // https://bugzilla.mozilla.org/1448423
555 user_pref("browser.startup.blankWindow", false);
557 // PREF: Disable the built-in PDF viewer
558 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2743
559 // https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
560 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
561 user_pref("pdfjs.disabled",                                     true);
563 // PREF: Disable collection/sending of the health report (healthreport.sqlite*)
564 // https://support.mozilla.org/en-US/kb/firefox-health-report-understand-your-browser-perf
565 // https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
566 user_pref("datareporting.healthreport.uploadEnabled",           false);
567 user_pref("datareporting.healthreport.service.enabled",         false);
568 user_pref("datareporting.policy.dataSubmissionEnabled",         false);
569 // "Allow Firefox to make personalized extension recommendations"
570 user_pref("browser.discovery.enabled",                          false);
572 // PREF: Disable Shield/Heartbeat/Normandy (Mozilla user rating telemetry)
573 // https://wiki.mozilla.org/Advocacy/heartbeat
574 // https://trac.torproject.org/projects/tor/ticket/19047
575 // https://trac.torproject.org/projects/tor/ticket/18738
576 // https://wiki.mozilla.org/Firefox/Shield
577 // https://github.com/mozilla/normandy
578 // https://support.mozilla.org/en-US/kb/shield
579 // https://bugzilla.mozilla.org/show_bug.cgi?id=1370801
580 // https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout
581 user_pref("app.normandy.enabled", false);
582 user_pref("app.normandy.api_url", "");
583 user_pref("extensions.shield-recipe-client.enabled",            false);
584 user_pref("app.shield.optoutstudies.enabled",                   false);
587 // PREF: Disable Firefox Hello (disabled) (Firefox < 49)
588 // https://wiki.mozilla.org/Loop
589 // https://support.mozilla.org/t5/Chat-and-share/Support-for-Hello-discontinued-in-Firefox-49/ta-p/37946
590 // NOTICE-DISABLED: Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work.
591 //user_pref("loop.enabled",             false);
593 // PREF: Disable Firefox Hello metrics collection
594 // https://groups.google.com/d/topic/mozilla.dev.platform/nyVkCx-_sFw/discussion
595 user_pref("loop.logDomains",                                    false);
597 // PREF: Enable Auto Update (disabled)
598 // NOTICE: Fully automatic updates are disabled and left to package management systems on Linux. Windows users may want to change this setting.
599 // CIS 2.1.1
600 //user_pref("app.update.auto",                                  true);
602 // PREF: Enforce checking for Firefox updates
603 // http://kb.mozillazine.org/App.update.enabled
604 // NOTICE: Update check page might incorrectly report Firefox ESR as out-of-date
605 user_pref("app.update.enabled",                 true);
607 // PREF: Enable blocking reported web forgeries
608 // https://wiki.mozilla.org/Security/Safe_Browsing
609 // http://kb.mozillazine.org/Safe_browsing
610 // https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work
611 // http://forums.mozillazine.org/viewtopic.php?f=39&t=2711237&p=12896849#p12896849
612 // CIS 2.3.4
613 user_pref("browser.safebrowsing.enabled",                       true); // Firefox < 50
614 user_pref("browser.safebrowsing.phishing.enabled",              true); // firefox >= 50
616 // PREF: Enable blocking reported attack sites
617 // http://kb.mozillazine.org/Browser.safebrowsing.malware.enabled
618 // CIS 2.3.5
619 user_pref("browser.safebrowsing.malware.enabled",               true);
621 // PREF: Disable querying Google Application Reputation database for downloaded binary files
622 // https://www.mozilla.org/en-US/firefox/39.0/releasenotes/
623 // https://wiki.mozilla.org/Security/Application_Reputation
624 user_pref("browser.safebrowsing.downloads.remote.enabled",      false);
626 // PREF: Disable Pocket
627 // https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox
628 // https://github.com/pyllyukko/user.js/issues/143
629 user_pref("browser.pocket.enabled",                             false);
630 user_pref("extensions.pocket.enabled",                          false);
632 // PREF: Disable "Recommended by Pocket" in Firefox Quantum
633 user_pref("browser.newtabpage.activity-stream.feeds.section.topstories",        false);
635 /******************************************************************************
636  * SECTION: Automatic connections                                             *
637  ******************************************************************************/
639 // PREF: Limit the connection keep-alive timeout to 15 seconds (disabled)
640 // https://github.com/pyllyukko/user.js/issues/387
641 // http://kb.mozillazine.org/Network.http.keep-alive.timeout
642 // https://httpd.apache.org/docs/current/mod/core.html#keepalivetimeout
643 //user_pref("network.http.keep-alive.timeout",                  15);
645 // PREF: Disable prefetching of <link rel="next"> URLs
646 // http://kb.mozillazine.org/Network.prefetch-next
647 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F
648 user_pref("network.prefetch-next",                              false);
650 // PREF: Disable DNS prefetching
651 // http://kb.mozillazine.org/Network.dns.disablePrefetch
652 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
653 user_pref("network.dns.disablePrefetch",                        true);
654 user_pref("network.dns.disablePrefetchFromHTTPS",               true);
656 // PREF: Disable the predictive service (Necko)
657 // https://wiki.mozilla.org/Privacy/Reviews/Necko
658 user_pref("network.predictor.enabled",                          false);
660 // PREF: Reject .onion hostnames before passing the to DNS
661 // https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
662 // RFC 7686
663 user_pref("network.dns.blockDotOnion",                          true);
665 // PREF: Disable search suggestions in the search bar
666 // http://kb.mozillazine.org/Browser.search.suggest.enabled
667 user_pref("browser.search.suggest.enabled",                     false);
669 // PREF: Disable "Show search suggestions in location bar results"
670 user_pref("browser.urlbar.suggest.searches",                    false);
671 // PREF: When using the location bar, don't suggest URLs from browsing history
672 user_pref("browser.urlbar.suggest.history",                     false);
673 // PREF: Disable Firefox Suggest
674 // https://www.ghacks.net/2021/09/09/how-to-disable-firefox-suggest/
675 // https://support.mozilla.org/en-US/kb/navigate-web-faster-firefox-suggest
676 user_pref("browser.urlbar.groupLabels.enabled", false); // Firefox >= 93
678 // PREF: Disable SSDP
679 // https://bugzilla.mozilla.org/show_bug.cgi?id=1111967
680 user_pref("browser.casting.enabled",                            false);
682 // PREF: Disable automatic downloading of OpenH264 codec
683 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities
684 // https://andreasgal.com/2014/10/14/openh264-now-in-firefox/
685 user_pref("media.gmp-gmpopenh264.enabled",                      false);
686 user_pref("media.gmp-manager.url",                              "");
688 // PREF: Disable speculative pre-connections
689 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections
690 // https://bugzilla.mozilla.org/show_bug.cgi?id=814169
691 user_pref("network.http.speculative-parallel-limit",            0);
693 // PREF: Disable downloading homepage snippets/messages from Mozilla
694 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_mozilla-content
695 // https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
696 user_pref("browser.aboutHomeSnippets.updateUrl",                "");
698 // PREF: Never check updates for search engines
699 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking
700 user_pref("browser.search.update",                              false);
702 // PREF: Disable automatic captive portal detection (Firefox >= 52.0)
703 // https://support.mozilla.org/en-US/questions/1157121
704 user_pref("network.captive-portal-service.enabled",             false);
706 // PREF: Disable (parts of?) "TopSites"
707 user_pref("browser.topsites.contile.enabled",                           false);
708 user_pref("browser.newtabpage.activity-stream.feeds.topsites",          false);
709 user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites",   false);
711 /******************************************************************************
712  * SECTION: HTTP                                                              *
713  ******************************************************************************/
715 // PREF: Disallow NTLMv1
716 // https://bugzilla.mozilla.org/show_bug.cgi?id=828183
717 user_pref("network.negotiate-auth.allow-insecure-ntlm-v1",      false);
718 // it is still allowed through HTTPS. uncomment the following to disable it completely.
719 //user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https",              false);
721 // PREF: Enable CSP 1.1 script-nonce directive support
722 // https://bugzilla.mozilla.org/show_bug.cgi?id=855326
723 user_pref("security.csp.experimentalEnabled",                   true);
725 // PREF: Enable Content Security Policy (CSP)
726 // https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
727 // https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
728 user_pref("security.csp.enable",                                true);
730 // PREF: Enable Subresource Integrity
731 // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
732 // https://wiki.mozilla.org/Security/Subresource_Integrity
733 user_pref("security.sri.enable",                                true);
735 // PREF: DNT HTTP header (disabled)
736 // https://www.mozilla.org/en-US/firefox/dnt/
737 // https://en.wikipedia.org/wiki/Do_not_track_header
738 // https://dnt-dashboard.mozilla.org
739 // https://github.com/pyllyukko/user.js/issues/11
740 // NOTICE: Do No Track must be enabled manually
741 //user_pref("privacy.donottrackheader.enabled",         true);
743 // PREF: Send a referer header with the target URI as the source (disabled)
744 // https://bugzilla.mozilla.org/show_bug.cgi?id=822869
745 // https://github.com/pyllyukko/user.js/issues/227
746 // NOTICE-DISABLED: Spoofing referers breaks functionality on websites relying on authentic referer headers
747 // NOTICE-DISABLED: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
748 // NOTICE-DISABLED: Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
749 // TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
750 //user_pref("network.http.referer.spoofSource",                 true);
752 // PREF: Don't send referer headers when following links across different domains
753 // https://github.com/pyllyukko/user.js/issues/227
754 // https://github.com/pyllyukko/user.js/issues/328
755 // https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/
756 user_pref("network.http.referer.XOriginPolicy",         2);
758 // PREF: Accept Only 1st Party Cookies
759 // http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
760 // NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways
761 // CIS 2.5.1
762 user_pref("network.cookie.cookieBehavior",                      1);
764 // PREF: Enable first-party isolation
765 // https://bugzilla.mozilla.org/show_bug.cgi?id=1299996
766 // https://bugzilla.mozilla.org/show_bug.cgi?id=1260931
767 // https://wiki.mozilla.org/Security/FirstPartyIsolation
768 // NOTICE: First-party isolation breaks Microsoft Teams
769 // NOTICE: First-party isolation causes HTTP basic auth to ask for credentials for every new tab (see #425)
770 user_pref("privacy.firstparty.isolate",                         true);
772 // PREF: Make sure that third-party cookies (if enabled) never persist beyond the session.
773 // https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
774 // http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly
775 // https://developer.mozilla.org/en-US/docs/Cookies_Preferences_in_Mozilla#network.cookie.thirdparty.sessionOnly
776 user_pref("network.cookie.thirdparty.sessionOnly",              true);
778 // PREF: Spoof User-agent (disabled)
779 //user_pref("general.useragent.override",                               "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0");
780 //user_pref("general.appname.override",                         "Netscape");
781 //user_pref("general.appversion.override",                      "5.0 (Windows)");
782 //user_pref("general.platform.override",                                "Win32");
783 //user_pref("general.oscpu.override",                           "Windows NT 6.1");
785 /*******************************************************************************
786  * SECTION: Caching                                                            *
787  ******************************************************************************/
789 // PREF: Permanently enable private browsing mode
790 // https://support.mozilla.org/en-US/kb/Private-Browsing
791 // https://wiki.mozilla.org/PrivateBrowsing
792 // NOTICE: You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941
793 // NOTICE: When Javascript is enabled, Websites can detect use of Private Browsing mode
794 // NOTICE: Private browsing breaks Kerberos authentication
795 // NOTICE: Disables "Containers" functionality (see below)
796 // NOTICE: "Always use private browsing mode" (browser.privatebrowsing.autostart) disables the possibility to use password manager: https://support.mozilla.org/en-US/kb/usernames-and-passwords-are-not-saved#w_private-browsing
797 user_pref("browser.privatebrowsing.autostart",                  true);
799 // PREF: Do not download URLs for the offline cache
800 // http://kb.mozillazine.org/Browser.cache.offline.enable
801 user_pref("browser.cache.offline.enable",                       false);
803 // PREF: Clear history when Firefox closes
804 // https://support.mozilla.org/en-US/kb/Clear%20Recent%20History#w_how-do-i-make-firefox-clear-my-history-automatically
805 // NOTICE: Installing user.js will remove your browsing history, caches and local storage.
806 // NOTICE: Installing user.js **will remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27)
807 // NOTICE: Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945
808 user_pref("privacy.sanitize.sanitizeOnShutdown",                true);
809 user_pref("privacy.clearOnShutdown.cache",                      true);
810 user_pref("privacy.clearOnShutdown.cookies",                    true);
811 user_pref("privacy.clearOnShutdown.downloads",                  true);
812 user_pref("privacy.clearOnShutdown.formdata",                   true);
813 user_pref("privacy.clearOnShutdown.history",                    true);
814 user_pref("privacy.clearOnShutdown.offlineApps",                true);
815 user_pref("privacy.clearOnShutdown.sessions",                   true);
816 user_pref("privacy.clearOnShutdown.openWindows",                true);
818 // PREF: Set time range to "Everything" as default in "Clear Recent History"
819 user_pref("privacy.sanitize.timeSpan",                          0);
821 // PREF: Clear everything but "Site Preferences" in "Clear Recent History"
822 user_pref("privacy.cpd.offlineApps",                            true);
823 user_pref("privacy.cpd.cache",                                  true);
824 user_pref("privacy.cpd.cookies",                                true);
825 user_pref("privacy.cpd.downloads",                              true);
826 user_pref("privacy.cpd.formdata",                               true);
827 user_pref("privacy.cpd.history",                                true);
828 user_pref("privacy.cpd.sessions",                               true);
830 // PREF: Don't remember browsing history
831 user_pref("places.history.enabled",                             false);
833 // PREF: Disable disk cache
834 // http://kb.mozillazine.org/Browser.cache.disk.enable
835 user_pref("browser.cache.disk.enable",                          false);
837 // PREF: Disable memory cache (disabled)
838 // http://kb.mozillazine.org/Browser.cache.memory.enable
839 //user_pref("browser.cache.memory.enable",              false);
841 // PREF: Disable Caching of SSL Pages
842 // CIS Version 1.2.0 October 21st, 2011 2.5.8
843 // http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
844 user_pref("browser.cache.disk_cache_ssl",                       false);
846 // PREF: Disable download history
847 // CIS Version 1.2.0 October 21st, 2011 2.5.5
848 user_pref("browser.download.manager.retention",                 0);
850 // PREF: Disable password manager (use an external password manager!)
851 // CIS Version 1.2.0 October 21st, 2011 2.5.2
852 user_pref("signon.rememberSignons",                             false);
854 // PREF: Disable form autofill, don't save information entered in web page forms and the Search Bar
855 user_pref("browser.formfill.enable",                            false);
857 // PREF: Cookies expires at the end of the session (when the browser closes)
858 // http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2
859 user_pref("network.cookie.lifetimePolicy",                      2);
861 // PREF: Require manual intervention to autofill known username/passwords sign-in forms
862 // http://kb.mozillazine.org/Signon.autofillForms
863 // https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
864 user_pref("signon.autofillForms",                               false);
866 // PREF: Disable formless login capture
867 // https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
868 user_pref("signon.formlessCapture.enabled",                     false);
870 // PREF: When username/password autofill is enabled, still disable it on non-HTTPS sites
871 // https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
872 user_pref("signon.autofillForms.http",                          false);
874 // PREF: Show in-content login form warning UI for insecure login fields
875 // https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
876 user_pref("security.insecure_field_warning.contextual.enabled", true);
878 // PREF: Disable the password manager for pages with autocomplete=off (disabled)
879 // https://bugzilla.mozilla.org/show_bug.cgi?id=956906
880 // OWASP ASVS V9.1
881 // Does not prevent any kind of auto-completion (see browser.formfill.enable, signon.autofillForms)
882 //user_pref("signon.storeWhenAutocompleteOff",                  false);
884 // PREF: Delete Search and Form History
885 // CIS Version 1.2.0 October 21st, 2011 2.5.6
886 user_pref("browser.formfill.expire_days",                       0);
888 // PREF: Clear SSL Form Session Data
889 // http://kb.mozillazine.org/Browser.sessionstore.privacy_level#2
890 // Store extra session data for unencrypted (non-HTTPS) sites only.
891 // CIS Version 1.2.0 October 21st, 2011 2.5.7
892 // NOTE: CIS says 1, we use 2
893 user_pref("browser.sessionstore.privacy_level",                 2);
895 // PREF: Delete temporary files on exit
896 // https://bugzilla.mozilla.org/show_bug.cgi?id=238789
897 user_pref("browser.helperApps.deleteTempFileOnExit",            true);
899 // PREF: Do not create screenshots of visited pages (relates to the "new tab page" feature)
900 // https://support.mozilla.org/en-US/questions/973320
901 // https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/browser.pagethumbnails.capturing_disabled
902 user_pref("browser.pagethumbnails.capturing_disabled",          true);
904 // PREF: Don't fetch and permanently store favicons for Windows .URL shortcuts created by drag and drop
905 // NOTICE: .URL shortcut files will be created with a generic icon
906 // Favicons are stored as .ico files in $profile_dir\shortcutCache
907 user_pref("browser.shell.shortcutFavicons",                                     false);
909 // PREF: Disable bookmarks backups (default: 15)
910 // http://kb.mozillazine.org/Browser.bookmarks.max_backups
911 user_pref("browser.bookmarks.max_backups", 0);
913 // PREF: Export bookmarks to HTML automatically when closing Firefox (disabled)
914 // https://support.mozilla.org/en-US/questions/1176242
915 //user_pref("browser.bookmarks.autoExportHTML",                                 true);
916 //user_pref("browser.bookmarks.file",   '/path/to/bookmarks-export.html');
918 // PREF: Disable downloading of favicons in response to favicon fingerprinting techniques
919 // https://github.com/jonasstrehle/supercookie
920 // http://kb.mozillazine.org/Browser.chrome.site_icons
921 // https://blog.mozilla.org/security/2021/01/26/supercookie-protections/
922 user_pref("browser.chrome.site_icons",                          false);
924 /*******************************************************************************
925  * SECTION: UI related                                                         *
926  *******************************************************************************/
928 // PREF: Enable insecure password warnings (login forms in non-HTTPS pages)
929 // https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
930 // https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
931 // https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
932 user_pref("security.insecure_password.ui.enabled",              true);
934 // PREF: Disable right-click menu manipulation via JavaScript (disabled)
935 //user_pref("dom.event.contextmenu.enabled",            false);
937 // PREF: Disable "Are you sure you want to leave this page?" popups on page close
938 // https://support.mozilla.org/en-US/questions/1043508
939 // NOTICE: disabling "beforeunload" events may lead to losing data entered in web forms
940 // Does not prevent JS leaks of the page close event.
941 // https://developer.mozilla.org/en-US/docs/Web/Events/beforeunload
942 //user_pref("dom.disable_beforeunload",    true);
944 // PREF: Disable Downloading on Desktop
945 // CIS 2.3.2
946 user_pref("browser.download.folderList",                        2);
948 // PREF: Always ask the user where to download
949 // https://developer.mozilla.org/en/Download_Manager_preferences (obsolete)
950 user_pref("browser.download.useDownloadDir",                    false);
952 // PREF: Disable the "new tab page" feature and show a blank tab instead
953 // https://wiki.mozilla.org/Privacy/Reviews/New_Tab
954 // https://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites#w_how-do-i-turn-the-new-tab-page-off
955 user_pref("browser.newtabpage.enabled",                         false);
956 user_pref("browser.newtab.url",                                 "about:blank");
958 // PREF: Disable Snippets
959 // https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
960 // https://support.mozilla.org/en-US/kb/snippets-firefox-faq
961 user_pref("browser.newtabpage.activity-stream.feeds.snippets",  false);
963 // PREF: Disable Activity Stream
964 // https://wiki.mozilla.org/Firefox/Activity_Stream
965 user_pref("browser.newtabpage.activity-stream.enabled",         false);
967 // PREF: Disable new tab tile ads & preload
968 // http://www.thewindowsclub.com/disable-remove-ad-tiles-from-firefox
969 // http://forums.mozillazine.org/viewtopic.php?p=13876331#p13876331
970 // https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping
971 // https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-source
972 // https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-ping
973 // TODO: deprecated? not in DXR, some dead links
974 user_pref("browser.newtabpage.enhanced",                        false);
975 user_pref("browser.newtab.preload",                             false);
976 user_pref("browser.newtabpage.directory.ping",                  "");
977 user_pref("browser.newtabpage.directory.source",                "data:text/plain,{}");
979 // PREF: Disable Mozilla VPN ads on the about:protections page
980 // https://support.mozilla.org/en-US/kb/what-mozilla-vpn-and-how-does-it-work
981 // https://en.wikipedia.org/wiki/Mozilla_VPN
982 // https://blog.mozilla.org/security/2021/08/31/mozilla-vpn-security-audit/
983 // https://www.mozilla.org/en-US/security/advisories/mfsa2021-31/
984 user_pref("browser.vpn_promo.enabled",                  false);
986 // PREF: Enable Auto Notification of Outdated Plugins (Firefox < 50)
987 // https://wiki.mozilla.org/Firefox3.6/Plugin_Update_Awareness_Security_Review
988 // CIS Version 1.2.0 October 21st, 2011 2.1.2
989 // https://hg.mozilla.org/mozilla-central/rev/304560
990 user_pref("plugins.update.notifyUser",                          true);
992 // PREF: Force Punycode for Internationalized Domain Names
993 // http://kb.mozillazine.org/Network.IDN_show_punycode
994 // https://www.xudongz.com/blog/2017/idn-phishing/
995 // https://wiki.mozilla.org/IDN_Display_Algorithm
996 // https://en.wikipedia.org/wiki/IDN_homograph_attack
997 // https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
998 // CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6
999 user_pref("network.IDN_show_punycode",                          true);
1001 // PREF: Disable inline autocomplete in URL bar
1002 // http://kb.mozillazine.org/Inline_autocomplete
1003 user_pref("browser.urlbar.autoFill",                            false);
1004 user_pref("browser.urlbar.autoFill.typed",                      false);
1006 // PREF: Disable CSS :visited selectors
1007 // https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/
1008 // https://dbaron.org/mozilla/visited-privacy
1009 user_pref("layout.css.visited_links_enabled",                   false);
1011 // PREF: Disable URL bar autocomplete and history/bookmarks suggestions dropdown
1012 // http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
1013 user_pref("browser.urlbar.autocomplete.enabled",                false);
1015 // PREF: Do not check if Firefox is the default browser
1016 user_pref("browser.shell.checkDefaultBrowser",                  false);
1018 // PREF: When password manager is enabled, lock the password storage periodically
1019 // CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
1020 user_pref("security.ask_for_password",                          2);
1022 // PREF: Lock the password storage every 1 minutes (default: 30)
1023 user_pref("security.password_lifetime",                         1);
1025 // PREF: Display a notification bar when websites offer data for offline use
1026 // http://kb.mozillazine.org/Browser.offline-apps.notify
1027 user_pref("browser.offline-apps.notify",                        true);
1029 /******************************************************************************
1030  * SECTION: Cryptography                                                      *
1031  ******************************************************************************/
1033 // PREF: Enable HTTPS-Only Mode
1034 // https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/
1035 // https://www.feistyduck.com/bulletproof-tls-newsletter/issue_71_firefox_introduces_https_only_mode
1036 user_pref("dom.security.https_only_mode",                       true);
1038 // PREF: Enable HSTS preload list (pre-set HSTS sites list provided by Mozilla)
1039 // https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
1040 // https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
1041 // https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
1042 user_pref("network.stricttransportsecurity.preloadlist",        true);
1044 // PREF: Enable Online Certificate Status Protocol
1045 // https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
1046 // https://www.imperialviolet.org/2014/04/19/revchecking.html
1047 // https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/
1048 // https://wiki.mozilla.org/CA:RevocationPlan
1049 // https://wiki.mozilla.org/CA:ImprovingRevocation
1050 // https://wiki.mozilla.org/CA:OCSP-HardFail
1051 // https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html
1052 // https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html
1053 // NOTICE: OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
1054 // NOTICE: OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
1055 // NOTICE: OCSP adds latency (performance)
1056 // NOTICE: Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
1057 // CIS Version 1.2.0 October 21st, 2011 2.2.4
1058 user_pref("security.OCSP.enabled",                              1);
1060 // PREF: Enable OCSP Stapling support
1061 // https://en.wikipedia.org/wiki/OCSP_stapling
1062 // https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
1063 // https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
1064 user_pref("security.ssl.enable_ocsp_stapling",                  true);
1066 // PREF: Enable OCSP Must-Staple support (Firefox >= 45)
1067 // https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
1068 // https://www.entrust.com/ocsp-must-staple/
1069 // https://github.com/schomery/privacy-settings/issues/40
1070 // NOTICE: Firefox falls back on plain OCSP when must-staple is not configured on the host certificate
1071 user_pref("security.ssl.enable_ocsp_must_staple",               true);
1073 // PREF: Require a valid OCSP response for OCSP enabled certificates
1074 // https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA
1075 // Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses
1076 // NOTICE: `security.OCSP.require` will make the connection fail when the OCSP responder is unavailable
1077 // NOTICE: `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal)
1078 user_pref("security.OCSP.require",                              true);
1080 // PREF: Disable TLS Session Tickets
1081 // https://www.blackhat.com/us-13/briefings.html#NextGen
1082 // https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
1083 // https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
1084 // https://bugzilla.mozilla.org/show_bug.cgi?id=917049
1085 // https://bugzilla.mozilla.org/show_bug.cgi?id=967977
1086 user_pref("security.ssl.disable_session_identifiers",           true);
1088 // PREF: Only allow TLS 1.[2-3]
1089 // http://kb.mozillazine.org/Security.tls.version.*
1090 // 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
1091 // 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
1092 // 3 = TLS 1.2 is the minimum required / maximum supported encryption protocol.
1093 // 4 = TLS 1.3 is the minimum required / maximum supported encryption protocol.
1094 user_pref("security.tls.version.min",                           3);
1095 user_pref("security.tls.version.max",                           4);
1097 // PREF: Disable insecure TLS version fallback
1098 // https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
1099 // https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
1100 user_pref("security.tls.version.fallback-limit",                4);
1102 // PREF: Enforce Public Key Pinning
1103 // https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
1104 // https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
1105 // "2. Strict. Pinning is always enforced."
1106 user_pref("security.cert_pinning.enforcement_level",            2);
1108 // PREF: Disallow SHA-1
1109 // https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
1110 // https://shattered.io/
1111 user_pref("security.pki.sha1_enforcement_level",                1);
1113 // PREF: Warn the user when server doesn't support RFC 5746 ("safe" renegotiation)
1114 // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
1115 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
1116 user_pref("security.ssl.treat_unsafe_negotiation_as_broken",    true);
1118 // PREF: Disallow connection to servers not supporting safe renegotiation (disabled)
1119 // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation
1120 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
1121 // TODO: `security.ssl.require_safe_negotiation` is more secure but makes browsing next to impossible (2012-2014-... - `ssl_error_unsafe_negotiation` errors), so is left disabled
1122 //user_pref("security.ssl.require_safe_negotiation",            true);
1124 // PREF: Disable automatic reporting of TLS connection errors
1125 // https://support.mozilla.org/en-US/kb/certificate-pinning-reports
1126 // we could also disable security.ssl.errorReporting.enabled, but I think it's
1127 // good to leave the option to report potentially malicious sites if the user
1128 // chooses to do so.
1129 // you can test this at https://pinningtest.appspot.com/
1130 user_pref("security.ssl.errorReporting.automatic",              false);
1132 // PREF: Pre-populate the current URL but do not pre-fetch the certificate in the "Add Security Exception" dialog
1133 // http://kb.mozillazine.org/Browser.ssl_override_behavior
1134 // https://github.com/pyllyukko/user.js/issues/210
1135 user_pref("browser.ssl_override_behavior",                      1);
1137 // PREF: Encrypted SNI (when TRR is enabled)
1138 // https://www.cloudflare.com/ssl/encrypted-sni/
1139 // https://wiki.mozilla.org/Trusted_Recursive_Resolver#ESNI
1140 // https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications_(ESNI)
1141 user_pref("network.security.esni.enabled",                      true);
1143 /******************************************************************************
1144  * SECTION: Cipher suites                                                     *
1145  ******************************************************************************/
1147 // PREF: Disable null ciphers
1148 user_pref("security.ssl3.rsa_null_sha",                         false);
1149 user_pref("security.ssl3.rsa_null_md5",                         false);
1150 user_pref("security.ssl3.ecdhe_rsa_null_sha",                   false);
1151 user_pref("security.ssl3.ecdhe_ecdsa_null_sha",                 false);
1152 user_pref("security.ssl3.ecdh_rsa_null_sha",                    false);
1153 user_pref("security.ssl3.ecdh_ecdsa_null_sha",                  false);
1155 // PREF: Disable SEED cipher
1156 // https://en.wikipedia.org/wiki/SEED
1157 user_pref("security.ssl3.rsa_seed_sha",                         false);
1159 // PREF: Disable 40/56/128-bit ciphers
1160 // 40-bit ciphers
1161 user_pref("security.ssl3.rsa_rc4_40_md5",                       false);
1162 user_pref("security.ssl3.rsa_rc2_40_md5",                       false);
1163 // 56-bit ciphers
1164 user_pref("security.ssl3.rsa_1024_rc4_56_sha",                  false);
1165 // 128-bit ciphers
1166 user_pref("security.ssl3.rsa_camellia_128_sha",                 false);
1167 user_pref("security.ssl3.ecdhe_rsa_aes_128_sha",                false);
1168 user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha",              false);
1169 user_pref("security.ssl3.ecdh_rsa_aes_128_sha",                 false);
1170 user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha",               false);
1171 user_pref("security.ssl3.dhe_rsa_camellia_128_sha",             false);
1172 user_pref("security.ssl3.dhe_rsa_aes_128_sha",                  false);
1174 // PREF: Disable RC4
1175 // https://developer.mozilla.org/en-US/Firefox/Releases/38#Security
1176 // https://bugzilla.mozilla.org/show_bug.cgi?id=1138882
1177 // https://rc4.io/
1178 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
1179 user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha",               false);
1180 user_pref("security.ssl3.ecdh_rsa_rc4_128_sha",                 false);
1181 user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha",              false);
1182 user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha",                false);
1183 user_pref("security.ssl3.rsa_rc4_128_md5",                      false);
1184 user_pref("security.ssl3.rsa_rc4_128_sha",                      false);
1185 user_pref("security.tls.unrestricted_rc4_fallback",             false);
1187 // PREF: Disable 3DES (effective key size is < 128)
1188 // https://en.wikipedia.org/wiki/3des#Security
1189 // http://en.citizendium.org/wiki/Meet-in-the-middle_attack
1190 // http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
1191 user_pref("security.ssl3.dhe_dss_des_ede3_sha",                 false);
1192 user_pref("security.ssl3.dhe_rsa_des_ede3_sha",                 false);
1193 user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha",              false);
1194 user_pref("security.ssl3.ecdh_rsa_des_ede3_sha",                false);
1195 user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha",             false);
1196 user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha",               false);
1197 user_pref("security.ssl3.rsa_des_ede3_sha",                     false);
1198 user_pref("security.ssl3.rsa_fips_des_ede3_sha",                false);
1200 // PREF: Disable ciphers with ECDH (non-ephemeral)
1201 user_pref("security.ssl3.ecdh_rsa_aes_256_sha",                 false);
1202 user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha",               false);
1204 // PREF: Disable 256 bits ciphers without PFS
1205 user_pref("security.ssl3.rsa_camellia_256_sha",                 false);
1207 // PREF: Enable GCM ciphers (TLSv1.2 only)
1208 // https://en.wikipedia.org/wiki/Galois/Counter_Mode
1209 user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256",       true); // 0xc02b
1210 user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",         true); // 0xc02f
1212 // PREF: Enable ChaCha20 and Poly1305 (Firefox >= 47)
1213 // https://www.mozilla.org/en-US/firefox/47.0/releasenotes/
1214 // https://tools.ietf.org/html/rfc7905
1215 // https://bugzilla.mozilla.org/show_bug.cgi?id=917571
1216 // https://bugzilla.mozilla.org/show_bug.cgi?id=1247860
1217 // https://cr.yp.to/chacha.html
1218 user_pref("security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", true);
1219 user_pref("security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256",   true);
1221 // PREF: Disable ciphers susceptible to the logjam attack
1222 // https://weakdh.org/
1223 user_pref("security.ssl3.dhe_rsa_camellia_256_sha",             false);
1224 user_pref("security.ssl3.dhe_rsa_aes_256_sha",                  false);
1226 // PREF: Disable ciphers with DSA (max 1024 bits)
1227 user_pref("security.ssl3.dhe_dss_aes_128_sha",                  false);
1228 user_pref("security.ssl3.dhe_dss_aes_256_sha",                  false);
1229 user_pref("security.ssl3.dhe_dss_camellia_128_sha",             false);
1230 user_pref("security.ssl3.dhe_dss_camellia_256_sha",             false);
1232 // PREF: Ciphers with CBC & SHA-1 (disabled)
1233 //user_pref("security.ssl3.rsa_aes_256_sha",                    false); // 0x35
1234 //user_pref("security.ssl3.rsa_aes_128_sha",                    false); // 0x2f
1235 //user_pref("security.ssl3.ecdhe_rsa_aes_256_sha",              false); // 0xc014
1236 //user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha",            false); // 0xc00a