| blob | e0661a66ddd217cb0aa74f05ce7854d2b8dc884f |
1 //
2 /******************************************************************************
3 * user.js *
4 * https://github.com/pyllyukko/user.js *
5 ******************************************************************************/
7 /******************************************************************************
8 * SECTION: HTML5 / APIs / DOM *
9 ******************************************************************************/
11 // PREF: Disable Service Workers
12 // https://developer.mozilla.org/en-US/docs/Web/API/Worker
13 // https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
14 // https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
15 // NOTICE: Disabling ServiceWorkers breaks functionality on some sites (Google Street View...)
16 // Unknown security implications
17 // CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)
18 user_pref("dom.serviceWorkers.enabled", false);
20 // PREF: Disable Web Workers
21 // https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers
22 // https://www.w3schools.com/html/html5_webworkers.asp
23 // NOTICE: Disabling Web Workers breaks "Download as ZIP" functionality on https://mega.nz/, WhatsApp Web, upload on https://www.virustotal.com/, and probably others
24 user_pref("dom.workers.enabled", false);
26 // PREF: Disable web notifications
27 // https://support.mozilla.org/en-US/questions/1140439
28 user_pref("dom.webnotifications.enabled", false);
30 // PREF: Disable DOM timing API
31 // https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
32 // https://www.w3.org/TR/navigation-timing/#privacy
33 user_pref("dom.enable_performance", false);
35 // PREF: Make sure the User Timing API does not provide a new high resolution timestamp
36 // https://trac.torproject.org/projects/tor/ticket/16336
37 // https://www.w3.org/TR/2013/REC-user-timing-20131212/#privacy-security
38 user_pref("dom.enable_user_timing", false);
40 // PREF: Disable Web Audio API
41 // https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
42 user_pref("dom.webaudio.enabled", false);
44 // PREF: Disable Location-Aware Browsing (geolocation)
45 // https://www.mozilla.org/en-US/firefox/geolocation/
46 user_pref("geo.enabled", false);
48 // PREF: When geolocation is enabled, use Mozilla geolocation service instead of Google
49 // https://bugzilla.mozilla.org/show_bug.cgi?id=689252
50 user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
52 // PREF: When geolocation is enabled, don't log geolocation requests to the console
53 user_pref("geo.wifi.logging.enabled", false);
55 // PREF: Disable raw TCP socket support (mozTCPSocket)
56 // https://trac.torproject.org/projects/tor/ticket/18863
57 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/
58 // https://developer.mozilla.org/docs/Mozilla/B2G_OS/API/TCPSocket
59 user_pref("dom.mozTCPSocket.enabled", false);
61 // PREF: Disable DOM storage (disabled)
62 // http://kb.mozillazine.org/Dom.storage.enabled
63 // https://html.spec.whatwg.org/multipage/webstorage.html
64 // NOTICE-DISABLED: Disabling DOM storage is known to cause`TypeError: localStorage is null` errors
65 //user_pref("dom.storage.enabled", false);
67 // PREF: Disable leaking network/browser connection information via Javascript
68 // Network Information API provides general information about the system's connection type (WiFi, cellular, etc.)
69 // https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
70 // https://wicg.github.io/netinfo/#privacy-considerations
71 // https://bugzilla.mozilla.org/show_bug.cgi?id=960426
72 user_pref("dom.netinfo.enabled", false);
74 // PREF: Disable network API (Firefox < 32)
75 // https://developer.mozilla.org/en-US/docs/Web/API/Connection/onchange
76 // https://www.torproject.org/projects/torbrowser/design/#fingerprinting-defenses
77 user_pref("dom.network.enabled", false);
79 // PREF: Disable WebRTC entirely to prevent leaking internal IP addresses (Firefox < 42)
80 // NOTICE: Disabling WebRTC breaks peer-to-peer file sharing tools (reep.io ...)
81 user_pref("media.peerconnection.enabled", false);
83 // PREF: Don't reveal your internal IP when WebRTC is enabled (Firefox >= 42)
84 // https://wiki.mozilla.org/Media/WebRTC/Privacy
85 // https://github.com/beefproject/beef/wiki/Module%3A-Get-Internal-IP-WebRTC
86 user_pref("media.peerconnection.ice.default_address_only", true); // Firefox 42-51
87 user_pref("media.peerconnection.ice.no_host", true); // Firefox >= 52
89 // PREF: Disable WebRTC getUserMedia, screen sharing, audio capture, video capture
90 // https://wiki.mozilla.org/Media/getUserMedia
91 // https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/
92 // https://developer.mozilla.org/en-US/docs/Web/API/Navigator
93 user_pref("media.navigator.enabled", false);
94 user_pref("media.navigator.video.enabled", false);
95 user_pref("media.getusermedia.screensharing.enabled", false);
96 user_pref("media.getusermedia.audiocapture.enabled", false);
98 // PREF: Disable battery API (Firefox < 52)
99 // https://developer.mozilla.org/en-US/docs/Web/API/BatteryManager
100 // https://bugzilla.mozilla.org/show_bug.cgi?id=1313580
101 user_pref("dom.battery.enabled", false);
103 // PREF: Disable telephony API
104 // https://wiki.mozilla.org/WebAPI/Security/WebTelephony
105 user_pref("dom.telephony.enabled", false);
107 // PREF: Disable "beacon" asynchronous HTTP transfers (used for analytics)
108 // https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
109 user_pref("beacon.enabled", false);
111 // PREF: Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
112 // NOTICE: Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...)
113 // https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
114 user_pref("dom.event.clipboardevents.enabled", false);
116 // PREF: Disable "copy to clipboard" functionality via Javascript (Firefox >= 41)
117 // NOTICE: Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality
118 // https://hg.mozilla.org/mozilla-central/rev/2f9f8ea4b9c3
119 user_pref("dom.allow_cut_copy", false);
121 // PREF: Disable speech recognition
122 // https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html
123 // https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
124 // https://wiki.mozilla.org/HTML5_Speech_API
125 user_pref("media.webspeech.recognition.enable", false);
127 // PREF: Disable speech synthesis
128 // https://developer.mozilla.org/en-US/docs/Web/API/SpeechSynthesis
129 user_pref("media.webspeech.synth.enabled", false);
131 // PREF: Disable sensor API
132 // https://wiki.mozilla.org/Sensor_API
133 user_pref("device.sensors.enabled", false);
135 // PREF: Disable pinging URIs specified in HTML <a> ping= attributes
136 // http://kb.mozillazine.org/Browser.send_pings
137 user_pref("browser.send_pings", false);
139 // PREF: When browser pings are enabled, only allow pinging the same host as the origin page
140 // http://kb.mozillazine.org/Browser.send_pings.require_same_host
141 user_pref("browser.send_pings.require_same_host", true);
143 // PREF: Disable IndexedDB (disabled)
144 // https://developer.mozilla.org/en-US/docs/IndexedDB
145 // https://en.wikipedia.org/wiki/Indexed_Database_API
146 // https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review
147 // http://forums.mozillazine.org/viewtopic.php?p=13842047
148 // https://github.com/pyllyukko/user.js/issues/8
149 // NOTICE-DISABLED: IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled
150 //user_pref("dom.indexedDB.enabled", false);
152 // TODO: "Access Your Location" "Maintain Offline Storage" "Show Notifications"
154 // PREF: Disable gamepad API to prevent USB device enumeration
155 // https://www.w3.org/TR/gamepad/
156 // https://trac.torproject.org/projects/tor/ticket/13023
157 user_pref("dom.gamepad.enabled", false);
159 // PREF: Disable virtual reality devices APIs
160 // https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
161 // https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
162 user_pref("dom.vr.enabled", false);
164 // PREF: Disable vibrator API
165 user_pref("dom.vibrator.enabled", false);
167 // PREF: Disable resource timing API
168 // https://www.w3.org/TR/resource-timing/#privacy-security
169 user_pref("dom.enable_resource_timing", false);
171 // PREF: Disable Archive API (Firefox < 54)
172 // https://wiki.mozilla.org/WebAPI/ArchiveAPI
173 // https://bugzilla.mozilla.org/show_bug.cgi?id=1342361
174 user_pref("dom.archivereader.enabled", false);
176 // PREF: Disable webGL
177 // https://en.wikipedia.org/wiki/WebGL
178 // https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
179 user_pref("webgl.disabled", true);
180 // PREF: When webGL is enabled, use the minimum capability mode
181 user_pref("webgl.min_capability_mode", true);
182 // PREF: When webGL is enabled, disable webGL extensions
183 // https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API#WebGL_debugging_and_testing
184 user_pref("webgl.disable-extensions", true);
185 // PREF: When webGL is enabled, force enabling it even when layer acceleration is not supported
186 // https://trac.torproject.org/projects/tor/ticket/18603
187 user_pref("webgl.disable-fail-if-major-performance-caveat", true);
188 // PREF: When webGL is enabled, do not expose information about the graphics driver
189 // https://bugzilla.mozilla.org/show_bug.cgi?id=1171228
190 // https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info
191 user_pref("webgl.enable-debug-renderer-info", false);
192 // somewhat related...
193 //user_pref("pdfjs.enableWebGL", false);
195 // PREF: Spoof dual-core CPU
196 // https://trac.torproject.org/projects/tor/ticket/21675
197 // https://bugzilla.mozilla.org/show_bug.cgi?id=1360039
198 user_pref("dom.maxHardwareConcurrency", 2);
200 // PREF: Disable WebAssembly
201 // https://webassembly.org/
202 // https://en.wikipedia.org/wiki/WebAssembly
203 // https://trac.torproject.org/projects/tor/ticket/21549
204 user_pref("javascript.options.wasm", false);
206 /******************************************************************************
207 * SECTION: Misc *
208 ******************************************************************************/
210 // PREF: Disable face detection
211 user_pref("camera.control.face_detection.enabled", false);
213 // PREF: Disable GeoIP lookup on your address to set default search engine region
214 // https://trac.torproject.org/projects/tor/ticket/16254
215 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine
216 user_pref("browser.search.countryCode", "US");
217 user_pref("browser.search.region", "US");
218 user_pref("browser.search.geoip.url", "");
220 // PREF: Set Accept-Language HTTP header to en-US regardless of Firefox localization
221 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language
222 user_pref("intl.accept_languages", "en-US, en");
224 // PREF: Don't use OS values to determine locale, force using Firefox locale setting
225 // http://kb.mozillazine.org/Intl.locale.matchOS
226 user_pref("intl.locale.matchOS", false);
228 // PREF: Don't use Mozilla-provided location-specific search engines
229 user_pref("browser.search.geoSpecificDefaults", false);
231 // PREF: Do not automatically send selection to clipboard on some Linux platforms
232 // http://kb.mozillazine.org/Clipboard.autocopy
233 user_pref("clipboard.autocopy", false);
235 // PREF: Prevent leaking application locale/date format using JavaScript
236 // https://bugzilla.mozilla.org/show_bug.cgi?id=867501
237 // https://hg.mozilla.org/mozilla-central/rev/52d635f2b33d
238 user_pref("javascript.use_us_english_locale", true);
240 // PREF: Do not submit invalid URIs entered in the address bar to the default search engine
241 // http://kb.mozillazine.org/Keyword.enabled
242 user_pref("keyword.enabled", false);
244 // PREF: Don't trim HTTP off of URLs in the address bar.
245 // https://bugzilla.mozilla.org/show_bug.cgi?id=665580
246 user_pref("browser.urlbar.trimURLs", false);
248 // PREF: Don't try to guess domain names when entering an invalid domain name in URL bar
249 // http://www-archive.mozilla.org/docs/end-user/domain-guessing.html
250 user_pref("browser.fixup.alternate.enabled", false);
252 // PREF: When browser.fixup.alternate.enabled is enabled, strip password from 'user:password@...' URLs
253 // https://github.com/pyllyukko/user.js/issues/290#issuecomment-303560851
254 user_pref("browser.fixup.hide_user_pass", true);
256 // PREF: Send DNS request through SOCKS when SOCKS proxying is in use
257 // https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
258 user_pref("network.proxy.socks_remote_dns", true);
260 // PREF: Don't monitor OS online/offline connection state
261 // https://trac.torproject.org/projects/tor/ticket/18945
262 user_pref("network.manage-offline-status", false);
264 // PREF: Enforce Mixed Active Content Blocking
265 // https://support.mozilla.org/t5/Protect-your-privacy/Mixed-content-blocking-in-Firefox/ta-p/10990
266 // https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_23#Non-SSL_contents_on_SSL_pages_are_blocked_by_default
267 // https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
268 user_pref("security.mixed_content.block_active_content", true);
270 // PREF: Enforce Mixed Passive Content blocking (a.k.a. Mixed Display Content)
271 // NOTICE: Enabling Mixed Display Content blocking can prevent images/styles... from loading properly when connection to the website is only partially secured
272 user_pref("security.mixed_content.block_display_content", true);
274 // PREF: Disable JAR from opening Unsafe File Types
275 // http://kb.mozillazine.org/Network.jar.open-unsafe-types
276 // CIS Mozilla Firefox 24 ESR v1.0.0 - 3.7
277 user_pref("network.jar.open-unsafe-types", false);
279 // CIS 2.7.4 Disable Scripting of Plugins by JavaScript
280 // http://forums.mozillazine.org/viewtopic.php?f=7&t=153889
281 user_pref("security.xpconnect.plugin.unrestricted", false);
283 // PREF: Set File URI Origin Policy
284 // http://kb.mozillazine.org/Security.fileuri.strict_origin_policy
285 // CIS Mozilla Firefox 24 ESR v1.0.0 - 3.8
286 user_pref("security.fileuri.strict_origin_policy", true);
288 // PREF: Disable Displaying Javascript in History URLs
289 // http://kb.mozillazine.org/Browser.urlbar.filter.javascript
290 // CIS 2.3.6
291 user_pref("browser.urlbar.filter.javascript", true);
293 // PREF: Disable asm.js
294 // http://asmjs.org/
295 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
296 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
297 // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712
298 user_pref("javascript.options.asmjs", false);
300 // PREF: Disable SVG in OpenType fonts
301 // https://wiki.mozilla.org/SVGOpenTypeFonts
302 // https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle
303 user_pref("gfx.font_rendering.opentype_svg.enabled", false);
305 // PREF: Disable in-content SVG rendering (Firefox >= 53) (disabled)
306 // NOTICE-DISABLED: Disabling SVG support breaks many UI elements on many sites
307 // https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
308 // https://github.com/iSECPartners/publications/raw/master/reports/Tor%20Browser%20Bundle/Tor%20Browser%20Bundle%20-%20iSEC%20Deliverable%201.3.pdf#16
309 //user_pref("svg.disabled", true);
312 // PREF: Disable video stats to reduce fingerprinting threat
313 // https://bugzilla.mozilla.org/show_bug.cgi?id=654550
314 // https://github.com/pyllyukko/user.js/issues/9#issuecomment-100468785
315 // https://github.com/pyllyukko/user.js/issues/9#issuecomment-148922065
316 user_pref("media.video_stats.enabled", false);
318 // PREF: Don't reveal build ID
319 // Value taken from Tor Browser
320 // https://bugzilla.mozilla.org/show_bug.cgi?id=583181
321 user_pref("general.buildID.override", "20100101");
322 user_pref("browser.startup.homepage_override.buildID", "20100101");
324 // PREF: Prevent font fingerprinting
325 // https://browserleaks.com/fonts
326 // https://github.com/pyllyukko/user.js/issues/120
327 user_pref("browser.display.use_document_fonts", 0);
329 // PREF: Enable only whitelisted URL protocol handlers
330 // http://kb.mozillazine.org/Network.protocol-handler.external-default
331 // http://kb.mozillazine.org/Network.protocol-handler.warn-external-default
332 // http://kb.mozillazine.org/Network.protocol-handler.expose.%28protocol%29
333 // https://news.ycombinator.com/item?id=13047883
334 // https://bugzilla.mozilla.org/show_bug.cgi?id=167475
335 // https://github.com/pyllyukko/user.js/pull/285#issuecomment-298124005
336 // NOTICE: Disabling nonessential protocols breaks all interaction with custom protocols such as mailto:, irc:, magnet: ... and breaks opening third-party mail/messaging/torrent/... clients when clicking on links with these protocols
337 // TODO: Add externally-handled protocols from Windows 8.1 and Windows 10 (currently contains protocols only from Linux and Windows 7) that might pose a similar threat (see e.g. https://news.ycombinator.com/item?id=13044991)
338 // TODO: Add externally-handled protocols from Mac OS X that might pose a similar threat (see e.g. https://news.ycombinator.com/item?id=13044991)
339 // If you want to enable a protocol, set network.protocol-handler.expose.(protocol) to true and network.protocol-handler.external.(protocol) to:
340 // * true, if the protocol should be handled by an external application
341 // * false, if the protocol should be handled internally by Firefox
342 user_pref("network.protocol-handler.warn-external-default", true);
343 user_pref("network.protocol-handler.external.http", false);
344 user_pref("network.protocol-handler.external.https", false);
345 user_pref("network.protocol-handler.external.javascript", false);
346 user_pref("network.protocol-handler.external.moz-extension", false);
347 user_pref("network.protocol-handler.external.ftp", false);
348 user_pref("network.protocol-handler.external.file", false);
349 user_pref("network.protocol-handler.external.about", false);
350 user_pref("network.protocol-handler.external.chrome", false);
351 user_pref("network.protocol-handler.external.blob", false);
352 user_pref("network.protocol-handler.external.data", false);
353 user_pref("network.protocol-handler.expose-all", false);
354 user_pref("network.protocol-handler.expose.http", true);
355 user_pref("network.protocol-handler.expose.https", true);
356 user_pref("network.protocol-handler.expose.javascript", true);
357 user_pref("network.protocol-handler.expose.moz-extension", true);
358 user_pref("network.protocol-handler.expose.ftp", true);
359 user_pref("network.protocol-handler.expose.file", true);
360 user_pref("network.protocol-handler.expose.about", true);
361 user_pref("network.protocol-handler.expose.chrome", true);
362 user_pref("network.protocol-handler.expose.blob", true);
363 user_pref("network.protocol-handler.expose.data", true);
365 /******************************************************************************
366 * SECTION: Extensions / plugins *
367 ******************************************************************************/
369 // PREF: Ensure you have a security delay when installing add-ons (milliseconds)
370 // http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
371 // http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
372 user_pref("security.dialog_enable_delay", 1000);
374 // PREF: Require signatures
375 // https://wiki.mozilla.org/Addons/Extension_Signing
376 //user_pref("xpinstall.signatures.required", true);
378 // PREF: Opt-out of add-on metadata updates
379 // https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
380 user_pref("extensions.getAddons.cache.enabled", false);
382 // PREF: Opt-out of themes (Persona) updates
383 // https://support.mozilla.org/t5/Firefox/how-do-I-prevent-autoamtic-updates-in-a-50-user-environment/td-p/144287
384 user_pref("lightweightThemes.update.enabled", false);
386 // PREF: Disable Flash Player NPAPI plugin
387 // http://kb.mozillazine.org/Flash_plugin
388 user_pref("plugin.state.flash", 0);
390 // PREF: Disable Java NPAPI plugin
391 user_pref("plugin.state.java", 0);
393 // PREF: Disable sending Flash Player crash reports
394 user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
396 // PREF: When Flash crash reports are enabled, don't send the visited URL in the crash report
397 user_pref("dom.ipc.plugins.reportCrashURL", false);
399 // PREF: When Flash is enabled, download and use Mozilla SWF URIs blocklist
400 // https://bugzilla.mozilla.org/show_bug.cgi?id=1237198
401 // https://github.com/mozilla-services/shavar-plugin-blocklist
402 user_pref("browser.safebrowsing.blockedURIs.enabled", true);
404 // PREF: Disable Shumway (Mozilla Flash renderer)
405 // https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Shumway
406 user_pref("shumway.disabled", true);
408 // PREF: Disable Gnome Shell Integration NPAPI plugin
409 user_pref("plugin.state.libgnome-shell-browser-plugin", 0);
411 // PREF: Disable the bundled OpenH264 video codec (disabled)
412 // http://forums.mozillazine.org/viewtopic.php?p=13845077&sid=28af2622e8bd8497b9113851676846b1#p13845077
413 //user_pref("media.gmp-provider.enabled", false);
415 // PREF: Enable plugins click-to-play
416 // https://wiki.mozilla.org/Firefox/Click_To_Play
417 // https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/
418 user_pref("plugins.click_to_play", true);
420 // PREF: Updates addons automatically
421 // https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/
422 user_pref("extensions.update.enabled", true);
424 // PREF: Enable add-on and certificate blocklists (OneCRL) from Mozilla
425 // https://wiki.mozilla.org/Blocklisting
426 // https://blocked.cdn.mozilla.net/
427 // http://kb.mozillazine.org/Extensions.blocklist.enabled
428 // http://kb.mozillazine.org/Extensions.blocklist.url
429 // https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
430 // Updated at interval defined in extensions.blocklist.interval (default: 86400)
431 user_pref("extensions.blocklist.enabled", true);
432 user_pref("services.blocklist.update_enabled", true);
434 // PREF: Decrease system information leakage to Mozilla blocklist update servers
435 // https://trac.torproject.org/projects/tor/ticket/16931
436 user_pref("extensions.blocklist.url", "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/");
438 // PREF: Disable system add-on updates (hidden & always-enabled add-ons from Mozilla)
439 // https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html
440 // https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/
441 // https://github.com/pyllyukko/user.js/issues/419
442 // https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#1248-1257
443 // NOTICE: Disabling system add-on updates prevents Mozilla from "hotfixing" your browser to patch critical problems (one possible use case from the documentation)
444 user_pref("extensions.systemAddon.update.enabled", false);
446 /******************************************************************************
447 * SECTION: Firefox (anti-)features / components * *
448 ******************************************************************************/
450 // PREF: Disable WebIDE
451 // https://trac.torproject.org/projects/tor/ticket/16222
452 // https://developer.mozilla.org/docs/Tools/WebIDE
453 user_pref("devtools.webide.enabled", false);
454 user_pref("devtools.webide.autoinstallADBHelper", false);
455 user_pref("devtools.webide.autoinstallFxdtAdapters", false);
457 // PREF: Disable remote debugging
458 // https://developer.mozilla.org/en-US/docs/Tools/Remote_Debugging/Debugging_Firefox_Desktop
459 // https://developer.mozilla.org/en-US/docs/Tools/Tools_Toolbox#Advanced_settings
460 user_pref("devtools.debugger.remote-enabled", false);
461 user_pref("devtools.chrome.enabled", false);
462 user_pref("devtools.debugger.force-local", true);
464 // PREF: Disable Mozilla telemetry/experiments
465 // https://wiki.mozilla.org/Platform/Features/Telemetry
466 // https://wiki.mozilla.org/Privacy/Reviews/Telemetry
467 // https://wiki.mozilla.org/Telemetry
468 // https://www.mozilla.org/en-US/legal/privacy/firefox.html#telemetry
469 // https://support.mozilla.org/t5/Firefox-crashes/Mozilla-Crash-Reporter/ta-p/1715
470 // https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/telemetry
471 // https://gecko.readthedocs.io/en/latest/browser/experiments/experiments/manifest.html
472 // https://wiki.mozilla.org/Telemetry/Experiments
473 // https://support.mozilla.org/en-US/questions/1197144
474 user_pref("toolkit.telemetry.enabled", false);
475 user_pref("toolkit.telemetry.unified", false);
476 user_pref("toolkit.telemetry.archive.enabled", false);
477 user_pref("experiments.supported", false);
478 user_pref("experiments.enabled", false);
479 user_pref("experiments.manifest.uri", "");
481 // PREF: Disallow Necko to do A/B testing
482 // https://trac.torproject.org/projects/tor/ticket/13170
483 user_pref("network.allow-experiments", false);
485 // PREF: Disable sending Firefox crash reports to Mozilla servers
486 // https://wiki.mozilla.org/Breakpad
487 // http://kb.mozillazine.org/Breakpad
488 // https://dxr.mozilla.org/mozilla-central/source/toolkit/crashreporter
489 // https://bugzilla.mozilla.org/show_bug.cgi?id=411490
490 // A list of submitted crash reports can be found at about:crashes
491 user_pref("breakpad.reportURL", "");
493 // PREF: Disable sending reports of tab crashes to Mozilla (about:tabcrashed), don't nag user about unsent crash reports
494 // https://hg.mozilla.org/mozilla-central/file/tip/browser/app/profile/firefox.js
495 user_pref("browser.tabs.crashReporting.sendReport", false);
496 user_pref("browser.crashReports.unsubmittedCheck.enabled", false);
498 // PREF: Disable FlyWeb (discovery of LAN/proximity IoT devices that expose a Web interface)
499 // https://wiki.mozilla.org/FlyWeb
500 // https://wiki.mozilla.org/FlyWeb/Security_scenarios
501 // https://docs.google.com/document/d/1eqLb6cGjDL9XooSYEEo7mE-zKQ-o-AuDTcEyNhfBMBM/edit
502 // http://www.ghacks.net/2016/07/26/firefox-flyweb
503 user_pref("dom.flyweb.enabled", false);
505 // PREF: Disable the UITour backend
506 // https://trac.torproject.org/projects/tor/ticket/19047#comment:3
507 user_pref("browser.uitour.enabled", false);
509 // PREF: Enable Firefox Tracking Protection
510 // https://wiki.mozilla.org/Security/Tracking_protection
511 // https://support.mozilla.org/en-US/kb/tracking-protection-firefox
512 // https://support.mozilla.org/en-US/kb/tracking-protection-pbm
513 // https://kontaxis.github.io/trackingprotectionfirefox/
514 // https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/
515 user_pref("privacy.trackingprotection.enabled", true);
516 user_pref("privacy.trackingprotection.pbmode.enabled", true);
518 // PREF: Enable contextual identity Containers feature (Firefox >= 52)
519 // NOTICE: Containers are not available in Private Browsing mode
520 // https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
521 user_pref("privacy.userContext.enabled", true);
523 // PREF: Enable hardening against various fingerprinting vectors (Tor Uplift project)
524 // https://wiki.mozilla.org/Security/Tor_Uplift/Tracking
525 // https://bugzilla.mozilla.org/show_bug.cgi?id=1333933
526 user_pref("privacy.resistFingerprinting", true);
528 // PREF: Disable the built-in PDF viewer
529 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2743
530 // https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
531 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
532 user_pref("pdfjs.disabled", true);
534 // PREF: Disable collection/sending of the health report (healthreport.sqlite*)
535 // https://support.mozilla.org/en-US/kb/firefox-health-report-understand-your-browser-perf
536 // https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
537 user_pref("datareporting.healthreport.uploadEnabled", false);
538 user_pref("datareporting.healthreport.service.enabled", false);
539 user_pref("datareporting.policy.dataSubmissionEnabled", false);
541 // PREF: Disable Heartbeat (Mozilla user rating telemetry)
542 // https://wiki.mozilla.org/Advocacy/heartbeat
543 // https://trac.torproject.org/projects/tor/ticket/19047
544 user_pref("browser.selfsupport.url", "");
546 // PREF: Disable Firefox Hello (disabled) (Firefox < 49)
547 // https://wiki.mozilla.org/Loop
548 // https://support.mozilla.org/t5/Chat-and-share/Support-for-Hello-discontinued-in-Firefox-49/ta-p/37946
549 // NOTICE-DISABLED: Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work.
550 //user_pref("loop.enabled", false);
552 // PREF: Disable Firefox Hello metrics collection
553 // https://groups.google.com/d/topic/mozilla.dev.platform/nyVkCx-_sFw/discussion
554 user_pref("loop.logDomains", false);
556 // PREF: Enable Auto Update (disabled)
557 // NOTICE: Fully automatic updates are disabled and left to package management systems on Linux. Windows users may want to change this setting.
558 // CIS 2.1.1
559 //user_pref("app.update.auto", true);
561 // PREF: Enforce checking for Firefox updates
562 // http://kb.mozillazine.org/App.update.enabled
563 // NOTICE: Update check page might incorrectly report Firefox ESR as out-of-date
564 user_pref("app.update.enabled", true);
566 // PREF: Enable blocking reported web forgeries
567 // https://wiki.mozilla.org/Security/Safe_Browsing
568 // http://kb.mozillazine.org/Safe_browsing
569 // https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work
570 // http://forums.mozillazine.org/viewtopic.php?f=39&t=2711237&p=12896849#p12896849
571 // CIS 2.3.4
572 user_pref("browser.safebrowsing.enabled", true); // Firefox < 50
573 user_pref("browser.safebrowsing.phishing.enabled", true); // firefox >= 50
575 // PREF: Enable blocking reported attack sites
576 // http://kb.mozillazine.org/Browser.safebrowsing.malware.enabled
577 // CIS 2.3.5
578 user_pref("browser.safebrowsing.malware.enabled", true);
580 // PREF: Disable querying Google Application Reputation database for downloaded binary files
581 // https://www.mozilla.org/en-US/firefox/39.0/releasenotes/
582 // https://wiki.mozilla.org/Security/Application_Reputation
583 user_pref("browser.safebrowsing.downloads.remote.enabled", false);
585 // PREF: Disable Pocket
586 // https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox
587 // https://github.com/pyllyukko/user.js/issues/143
588 user_pref("browser.pocket.enabled", false);
589 user_pref("extensions.pocket.enabled", false);
591 // PREF: Disable SHIELD
592 // https://support.mozilla.org/en-US/kb/shield
593 // https://bugzilla.mozilla.org/show_bug.cgi?id=1370801
594 user_pref("extensions.shield-recipe-client.enabled", false);
595 user_pref("app.shield.optoutstudies.enabled", false);
597 // PREF: Disable "Recommended by Pocket" in Firefox Quantum
598 user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
600 /******************************************************************************
601 * SECTION: Automatic connections *
602 ******************************************************************************/
604 // PREF: Limit the connection keep-alive timeout to 15 seconds (disabled)
605 // https://github.com/pyllyukko/user.js/issues/387
606 // http://kb.mozillazine.org/Network.http.keep-alive.timeout
607 // https://httpd.apache.org/docs/current/mod/core.html#keepalivetimeout
608 //user_pref("network.http.keep-alive.timeout", 15);
610 // PREF: Disable prefetching of <link rel="next"> URLs
611 // http://kb.mozillazine.org/Network.prefetch-next
612 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F
613 user_pref("network.prefetch-next", false);
615 // PREF: Disable DNS prefetching
616 // http://kb.mozillazine.org/Network.dns.disablePrefetch
617 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
618 user_pref("network.dns.disablePrefetch", true);
619 user_pref("network.dns.disablePrefetchFromHTTPS", true);
621 // PREF: Disable the predictive service (Necko)
622 // https://wiki.mozilla.org/Privacy/Reviews/Necko
623 user_pref("network.predictor.enabled", false);
625 // PREF: Reject .onion hostnames before passing the to DNS
626 // https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
627 // RFC 7686
628 user_pref("network.dns.blockDotOnion", true);
630 // PREF: Disable search suggestions in the search bar
631 // http://kb.mozillazine.org/Browser.search.suggest.enabled
632 user_pref("browser.search.suggest.enabled", false);
634 // PREF: Disable "Show search suggestions in location bar results"
635 user_pref("browser.urlbar.suggest.searches", false);
636 // PREF: When using the location bar, don't suggest URLs from browsing history
637 user_pref("browser.urlbar.suggest.history", false);
639 // PREF: Disable SSDP
640 // https://bugzilla.mozilla.org/show_bug.cgi?id=1111967
641 user_pref("browser.casting.enabled", false);
643 // PREF: Disable automatic downloading of OpenH264 codec
644 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities
645 // https://andreasgal.com/2014/10/14/openh264-now-in-firefox/
646 user_pref("media.gmp-gmpopenh264.enabled", false);
647 user_pref("media.gmp-manager.url", "");
649 // PREF: Disable speculative pre-connections
650 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections
651 // https://bugzilla.mozilla.org/show_bug.cgi?id=814169
652 user_pref("network.http.speculative-parallel-limit", 0);
654 // PREF: Disable downloading homepage snippets/messages from Mozilla
655 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_mozilla-content
656 // https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
657 user_pref("browser.aboutHomeSnippets.updateUrl", "");
659 // PREF: Never check updates for search engines
660 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking
661 user_pref("browser.search.update", false);
663 // PREF: Disable automatic captive portal detection (Firefox >= 52.0)
664 // https://support.mozilla.org/en-US/questions/1157121
665 user_pref("network.captive-portal-service.enabled", false);
667 /******************************************************************************
668 * SECTION: HTTP *
669 ******************************************************************************/
671 // PREF: Disallow NTLMv1
672 // https://bugzilla.mozilla.org/show_bug.cgi?id=828183
673 user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
674 // it is still allowed through HTTPS. uncomment the following to disable it completely.
675 //user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false);
677 // PREF: Enable CSP 1.1 script-nonce directive support
678 // https://bugzilla.mozilla.org/show_bug.cgi?id=855326
679 user_pref("security.csp.experimentalEnabled", true);
681 // PREF: Enable Content Security Policy (CSP)
682 // https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
683 // https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
684 user_pref("security.csp.enable", true);
686 // PREF: Enable Subresource Integrity
687 // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
688 // https://wiki.mozilla.org/Security/Subresource_Integrity
689 user_pref("security.sri.enable", true);
691 // PREF: DNT HTTP header (disabled)
692 // https://www.mozilla.org/en-US/firefox/dnt/
693 // https://en.wikipedia.org/wiki/Do_not_track_header
694 // https://dnt-dashboard.mozilla.org
695 // https://github.com/pyllyukko/user.js/issues/11
696 // NOTICE: Do No Track must be enabled manually
697 //user_pref("privacy.donottrackheader.enabled", true);
699 // PREF: Send a referer header with the target URI as the source
700 // https://bugzilla.mozilla.org/show_bug.cgi?id=822869
701 // https://github.com/pyllyukko/user.js/issues/227
702 // NOTICE: Spoofing referers breaks functionality on websites relying on authentic referer headers
703 // NOTICE: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
704 // NOTICE: Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
705 // TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
706 user_pref("network.http.referer.spoofSource", true);
708 // PREF: Don't send referer headers when following links across different domains (disabled)
709 // https://github.com/pyllyukko/user.js/issues/227
710 // user_pref("network.http.referer.XOriginPolicy", 2);
712 // PREF: Accept Only 1st Party Cookies
713 // http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
714 // NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways
715 // CIS 2.5.1
716 user_pref("network.cookie.cookieBehavior", 1);
718 // PREF: Enable first-party isolation
719 // https://bugzilla.mozilla.org/show_bug.cgi?id=1299996
720 // https://bugzilla.mozilla.org/show_bug.cgi?id=1260931
721 // https://wiki.mozilla.org/Security/FirstPartyIsolation
722 user_pref("privacy.firstparty.isolate", true);
724 // PREF: Make sure that third-party cookies (if enabled) never persist beyond the session.
725 // https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
726 // http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly
727 // https://developer.mozilla.org/en-US/docs/Cookies_Preferences_in_Mozilla#network.cookie.thirdparty.sessionOnly
728 user_pref("network.cookie.thirdparty.sessionOnly", true);
730 // PREF: Spoof User-agent (disabled)
731 //user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0");
732 //user_pref("general.appname.override", "Netscape");
733 //user_pref("general.appversion.override", "5.0 (Windows)");
734 //user_pref("general.platform.override", "Win32");
735 //user_pref("general.oscpu.override", "Windows NT 6.1");
737 /*******************************************************************************
738 * SECTION: Caching *
739 ******************************************************************************/
741 // PREF: Permanently enable private browsing mode
742 // https://support.mozilla.org/en-US/kb/Private-Browsing
743 // https://wiki.mozilla.org/PrivateBrowsing
744 // NOTICE: You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941
745 // NOTICE: When Javascript is enabled, Websites can detect use of Private Browsing mode
746 // NOTICE: Private browsing breaks Kerberos authentication
747 // NOTICE: Disables "Containers" functionality (see below)
748 // NOTICE: "Always use private browsing mode" (browser.privatebrowsing.autostart) disables the possibility to use password manager: https://support.mozilla.org/en-US/kb/usernames-and-passwords-are-not-saved#w_private-browsing
749 user_pref("browser.privatebrowsing.autostart", true);
751 // PREF: Do not download URLs for the offline cache
752 // http://kb.mozillazine.org/Browser.cache.offline.enable
753 user_pref("browser.cache.offline.enable", false);
755 // PREF: Clear history when Firefox closes
756 // https://support.mozilla.org/en-US/kb/Clear%20Recent%20History#w_how-do-i-make-firefox-clear-my-history-automatically
757 // NOTICE: Installing user.js will remove your browsing history, caches and local storage.
758 // NOTICE: Installing user.js **will remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27)
759 // NOTICE: Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945
760 user_pref("privacy.sanitize.sanitizeOnShutdown", true);
761 user_pref("privacy.clearOnShutdown.cache", true);
762 user_pref("privacy.clearOnShutdown.cookies", true);
763 user_pref("privacy.clearOnShutdown.downloads", true);
764 user_pref("privacy.clearOnShutdown.formdata", true);
765 user_pref("privacy.clearOnShutdown.history", true);
766 user_pref("privacy.clearOnShutdown.offlineApps", true);
767 user_pref("privacy.clearOnShutdown.sessions", true);
768 user_pref("privacy.clearOnShutdown.openWindows", true);
770 // PREF: Set time range to "Everything" as default in "Clear Recent History"
771 user_pref("privacy.sanitize.timeSpan", 0);
773 // PREF: Clear everything but "Site Preferences" in "Clear Recent History"
774 user_pref("privacy.cpd.offlineApps", true);
775 user_pref("privacy.cpd.cache", true);
776 user_pref("privacy.cpd.cookies", true);
777 user_pref("privacy.cpd.downloads", true);
778 user_pref("privacy.cpd.formdata", true);
779 user_pref("privacy.cpd.history", true);
780 user_pref("privacy.cpd.sessions", true);
782 // PREF: Don't remember browsing history
783 user_pref("places.history.enabled", false);
785 // PREF: Disable disk cache
786 // http://kb.mozillazine.org/Browser.cache.disk.enable
787 user_pref("browser.cache.disk.enable", false);
789 // PREF: Disable memory cache (disabled)
790 // http://kb.mozillazine.org/Browser.cache.memory.enable
791 //user_pref("browser.cache.memory.enable", false);
793 // PREF: Disable Caching of SSL Pages
794 // CIS Version 1.2.0 October 21st, 2011 2.5.8
795 // http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
796 user_pref("browser.cache.disk_cache_ssl", false);
798 // PREF: Disable download history
799 // CIS Version 1.2.0 October 21st, 2011 2.5.5
800 user_pref("browser.download.manager.retention", 0);
802 // PREF: Disable password manager
803 // CIS Version 1.2.0 October 21st, 2011 2.5.2
804 user_pref("signon.rememberSignons", false);
806 // PREF: Disable form autofill, don't save information entered in web page forms and the Search Bar
807 user_pref("browser.formfill.enable", false);
809 // PREF: Cookies expires at the end of the session (when the browser closes)
810 // http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2
811 user_pref("network.cookie.lifetimePolicy", 2);
813 // PREF: Require manual intervention to autofill known username/passwords sign-in forms
814 // http://kb.mozillazine.org/Signon.autofillForms
815 // https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
816 user_pref("signon.autofillForms", false);
818 // PREF: Disable formless login capture
819 // https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
820 user_pref("signon.formlessCapture.enabled", false);
822 // PREF: When username/password autofill is enabled, still disable it on non-HTTPS sites
823 // https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
824 user_pref("signon.autofillForms.http", false);
826 // PREF: Show in-content login form warning UI for insecure login fields
827 // https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
828 user_pref("security.insecure_field_warning.contextual.enabled", true);
830 // PREF: Disable the password manager for pages with autocomplete=off (disabled)
831 // https://bugzilla.mozilla.org/show_bug.cgi?id=956906
832 // OWASP ASVS V9.1
833 // Does not prevent any kind of auto-completion (see browser.formfill.enable, signon.autofillForms)
834 //user_pref("signon.storeWhenAutocompleteOff", false);
836 // PREF: Delete Search and Form History
837 // CIS Version 1.2.0 October 21st, 2011 2.5.6
838 user_pref("browser.formfill.expire_days", 0);
840 // PREF: Clear SSL Form Session Data
841 // http://kb.mozillazine.org/Browser.sessionstore.privacy_level#2
842 // Store extra session data for unencrypted (non-HTTPS) sites only.
843 // CIS Version 1.2.0 October 21st, 2011 2.5.7
844 // NOTE: CIS says 1, we use 2
845 user_pref("browser.sessionstore.privacy_level", 2);
847 // PREF: Delete temporary files on exit
848 // https://bugzilla.mozilla.org/show_bug.cgi?id=238789
849 user_pref("browser.helperApps.deleteTempFileOnExit", true);
851 // PREF: Do not create screenshots of visited pages (relates to the "new tab page" feature)
852 // https://support.mozilla.org/en-US/questions/973320
853 // https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/browser.pagethumbnails.capturing_disabled
854 user_pref("browser.pagethumbnails.capturing_disabled", true);
856 // PREF: Don't fetch and permanently store favicons for Windows .URL shortcuts created by drag and drop
857 // NOTICE: .URL shortcut files will be created with a generic icon
858 // Favicons are stored as .ico files in $profile_dir\shortcutCache
859 user_pref("browser.shell.shortcutFavicons", false);
861 // PREF: Disable bookmarks backups (default: 15)
862 // http://kb.mozillazine.org/Browser.bookmarks.max_backups
863 user_pref("browser.bookmarks.max_backups", 0);
865 /*******************************************************************************
866 * SECTION: UI related *
867 *******************************************************************************/
869 // PREF: Enable insecure password warnings (login forms in non-HTTPS pages)
870 // https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
871 // https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
872 // https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
873 user_pref("security.insecure_password.ui.enabled", true);
875 // PREF: Disable right-click menu manipulation via JavaScript (disabled)
876 //user_pref("dom.event.contextmenu.enabled", false);
878 // PREF: Disable "Are you sure you want to leave this page?" popups on page close
879 // https://support.mozilla.org/en-US/questions/1043508
880 // Does not prevent JS leaks of the page close event.
881 // https://developer.mozilla.org/en-US/docs/Web/Events/beforeunload
882 //user_pref("dom.disable_beforeunload", true);
884 // PREF: Disable Downloading on Desktop
885 // CIS 2.3.2
886 user_pref("browser.download.folderList", 2);
888 // PREF: Always ask the user where to download
889 // https://developer.mozilla.org/en/Download_Manager_preferences (obsolete)
890 user_pref("browser.download.useDownloadDir", false);
892 // PREF: Disable the "new tab page" feature and show a blank tab instead
893 // https://wiki.mozilla.org/Privacy/Reviews/New_Tab
894 // https://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites#w_how-do-i-turn-the-new-tab-page-off
895 user_pref("browser.newtabpage.enabled", false);
896 user_pref("browser.newtab.url", "about:blank");
898 // PREF: Disable Activity Stream
899 // https://wiki.mozilla.org/Firefox/Activity_Stream
900 user_pref("browser.newtabpage.activity-stream.enabled", false);
902 // PREF: Disable new tab tile ads & preload
903 // http://www.thewindowsclub.com/disable-remove-ad-tiles-from-firefox
904 // http://forums.mozillazine.org/viewtopic.php?p=13876331#p13876331
905 // https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping
906 // https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-source
907 // https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-ping
908 // TODO: deprecated? not in DXR, some dead links
909 user_pref("browser.newtabpage.enhanced", false);
910 user_pref("browser.newtab.preload", false);
911 user_pref("browser.newtabpage.directory.ping", "");
912 user_pref("browser.newtabpage.directory.source", "data:text/plain,{}");
914 // PREF: Enable Auto Notification of Outdated Plugins (Firefox < 50)
915 // https://wiki.mozilla.org/Firefox3.6/Plugin_Update_Awareness_Security_Review
916 // CIS Version 1.2.0 October 21st, 2011 2.1.2
917 // https://hg.mozilla.org/mozilla-central/rev/304560
918 user_pref("plugins.update.notifyUser", true);
920 // PREF: Force Punycode for Internationalized Domain Names
921 // http://kb.mozillazine.org/Network.IDN_show_punycode
922 // https://www.xudongz.com/blog/2017/idn-phishing/
923 // https://wiki.mozilla.org/IDN_Display_Algorithm
924 // https://en.wikipedia.org/wiki/IDN_homograph_attack
925 // https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
926 // CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6
927 user_pref("network.IDN_show_punycode", true);
929 // PREF: Disable inline autocomplete in URL bar
930 // http://kb.mozillazine.org/Inline_autocomplete
931 user_pref("browser.urlbar.autoFill", false);
932 user_pref("browser.urlbar.autoFill.typed", false);
934 // PREF: Disable CSS :visited selectors
935 // https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/
936 // https://dbaron.org/mozilla/visited-privacy
937 user_pref("layout.css.visited_links_enabled", false);
939 // PREF: Disable URL bar autocomplete and history/bookmarks suggestions dropdown
940 // http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
941 user_pref("browser.urlbar.autocomplete.enabled", false);
943 // PREF: Do not check if Firefox is the default browser
944 user_pref("browser.shell.checkDefaultBrowser", false);
946 // PREF: When password manager is enabled, lock the password storage periodically
947 // CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
948 user_pref("security.ask_for_password", 2);
950 // PREF: Lock the password storage every 1 minutes (default: 30)
951 user_pref("security.password_lifetime", 1);
953 // PREF: Display a notification bar when websites offer data for offline use
954 // http://kb.mozillazine.org/Browser.offline-apps.notify
955 user_pref("browser.offline-apps.notify", true);
957 /******************************************************************************
958 * SECTION: Cryptography *
959 ******************************************************************************/
961 // PREF: Enable HSTS preload list (pre-set HSTS sites list provided by Mozilla)
962 // https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
963 // https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
964 // https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
965 user_pref("network.stricttransportsecurity.preloadlist", true);
967 // PREF: Enable Online Certificate Status Protocol
968 // https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
969 // https://www.imperialviolet.org/2014/04/19/revchecking.html
970 // https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/
971 // https://wiki.mozilla.org/CA:RevocationPlan
972 // https://wiki.mozilla.org/CA:ImprovingRevocation
973 // https://wiki.mozilla.org/CA:OCSP-HardFail
974 // https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html
975 // https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html
976 // NOTICE: OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
977 // NOTICE: OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
978 // NOTICE: OCSP adds latency (performance)
979 // NOTICE: Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
980 // CIS Version 1.2.0 October 21st, 2011 2.2.4
981 user_pref("security.OCSP.enabled", 1);
983 // PREF: Enable OCSP Stapling support
984 // https://en.wikipedia.org/wiki/OCSP_stapling
985 // https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
986 // https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
987 user_pref("security.ssl.enable_ocsp_stapling", true);
989 // PREF: Enable OCSP Must-Staple support (Firefox >= 45)
990 // https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
991 // https://www.entrust.com/ocsp-must-staple/
992 // https://github.com/schomery/privacy-settings/issues/40
993 // NOTICE: Firefox falls back on plain OCSP when must-staple is not configured on the host certificate
994 user_pref("security.ssl.enable_ocsp_must_staple", true);
996 // PREF: Require a valid OCSP response for OCSP enabled certificates
997 // https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA
998 // Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses
999 // NOTICE: `security.OCSP.require` will make the connection fail when the OCSP responder is unavailable
1000 // NOTICE: `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal)
1001 user_pref("security.OCSP.require", true);
1003 // PREF: Disable TLS Session Tickets
1004 // https://www.blackhat.com/us-13/briefings.html#NextGen
1005 // https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
1006 // https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
1007 // https://bugzilla.mozilla.org/show_bug.cgi?id=917049
1008 // https://bugzilla.mozilla.org/show_bug.cgi?id=967977
1009 user_pref("security.ssl.disable_session_identifiers", true);
1011 // PREF: Only allow TLS 1.[0-3]
1012 // http://kb.mozillazine.org/Security.tls.version.*
1013 // 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
1014 // 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
1015 // 3 = TLS 1.2 is the minimum required / maximum supported encryption protocol.
1016 // 4 = TLS 1.3 is the minimum required / maximum supported encryption protocol.
1017 user_pref("security.tls.version.min", 1);
1018 user_pref("security.tls.version.max", 4);
1020 // PREF: Disable insecure TLS version fallback
1021 // https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
1022 // https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
1023 user_pref("security.tls.version.fallback-limit", 3);
1025 // PREF: Enfore Public Key Pinning
1026 // https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
1027 // https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
1028 // "2. Strict. Pinning is always enforced."
1029 user_pref("security.cert_pinning.enforcement_level", 2);
1031 // PREF: Disallow SHA-1
1032 // https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
1033 // https://shattered.io/
1034 user_pref("security.pki.sha1_enforcement_level", 1);
1036 // PREF: Warn the user when server doesn't support RFC 5746 ("safe" renegotiation)
1037 // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
1038 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
1039 user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
1041 // PREF: Disallow connection to servers not supporting safe renegotiation (disabled)
1042 // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation
1043 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
1044 // TODO: `security.ssl.require_safe_negotiation` is more secure but makes browsing next to impossible (2012-2014-... - `ssl_error_unsafe_negotiation` errors), so is left disabled
1045 //user_pref("security.ssl.require_safe_negotiation", true);
1047 // PREF: Disable automatic reporting of TLS connection errors
1048 // https://support.mozilla.org/en-US/kb/certificate-pinning-reports
1049 // we could also disable security.ssl.errorReporting.enabled, but I think it's
1050 // good to leave the option to report potentially malicious sites if the user
1051 // chooses to do so.
1052 // you can test this at https://pinningtest.appspot.com/
1053 user_pref("security.ssl.errorReporting.automatic", false);
1055 // PREF: Pre-populate the current URL but do not pre-fetch the certificate in the "Add Security Exception" dialog
1056 // http://kb.mozillazine.org/Browser.ssl_override_behavior
1057 // https://github.com/pyllyukko/user.js/issues/210
1058 user_pref("browser.ssl_override_behavior", 1);
1060 /******************************************************************************
1061 * SECTION: Cipher suites *
1062 ******************************************************************************/
1064 // PREF: Disable null ciphers
1065 user_pref("security.ssl3.rsa_null_sha", false);
1066 user_pref("security.ssl3.rsa_null_md5", false);
1067 user_pref("security.ssl3.ecdhe_rsa_null_sha", false);
1068 user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
1069 user_pref("security.ssl3.ecdh_rsa_null_sha", false);
1070 user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);
1072 // PREF: Disable SEED cipher
1073 // https://en.wikipedia.org/wiki/SEED
1074 user_pref("security.ssl3.rsa_seed_sha", false);
1076 // PREF: Disable 40/56/128-bit ciphers
1077 // 40-bit ciphers
1078 user_pref("security.ssl3.rsa_rc4_40_md5", false);
1079 user_pref("security.ssl3.rsa_rc2_40_md5", false);
1080 // 56-bit ciphers
1081 user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);
1082 // 128-bit ciphers
1083 user_pref("security.ssl3.rsa_camellia_128_sha", false);
1084 user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
1085 user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
1086 user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);
1087 user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);
1088 user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);
1089 user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
1091 // PREF: Disable RC4
1092 // https://developer.mozilla.org/en-US/Firefox/Releases/38#Security
1093 // https://bugzilla.mozilla.org/show_bug.cgi?id=1138882
1094 // https://rc4.io/
1095 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
1096 user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
1097 user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
1098 user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
1099 user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
1100 user_pref("security.ssl3.rsa_rc4_128_md5", false);
1101 user_pref("security.ssl3.rsa_rc4_128_sha", false);
1102 user_pref("security.tls.unrestricted_rc4_fallback", false);
1104 // PREF: Disable 3DES (effective key size is < 128)
1105 // https://en.wikipedia.org/wiki/3des#Security
1106 // http://en.citizendium.org/wiki/Meet-in-the-middle_attack
1107 // http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
1108 user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);
1109 user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
1110 user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
1111 user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
1112 user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);
1113 user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);
1114 user_pref("security.ssl3.rsa_des_ede3_sha", false);
1115 user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);
1117 // PREF: Disable ciphers with ECDH (non-ephemeral)
1118 user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);
1119 user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);
1121 // PREF: Disable 256 bits ciphers without PFS
1122 user_pref("security.ssl3.rsa_camellia_256_sha", false);
1124 // PREF: Enable ciphers with ECDHE and key size > 128bits
1125 user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); // 0xc014
1126 user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // 0xc00a
1128 // PREF: Enable GCM ciphers (TLSv1.2 only)
1129 // https://en.wikipedia.org/wiki/Galois/Counter_Mode
1130 user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); // 0xc02b
1131 user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // 0xc02f
1133 // PREF: Enable ChaCha20 and Poly1305 (Firefox >= 47)
1134 // https://www.mozilla.org/en-US/firefox/47.0/releasenotes/
1135 // https://tools.ietf.org/html/rfc7905
1136 // https://bugzilla.mozilla.org/show_bug.cgi?id=917571
1137 // https://bugzilla.mozilla.org/show_bug.cgi?id=1247860
1138 // https://cr.yp.to/chacha.html
1139 user_pref("security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256", true);
1140 user_pref("security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256", true);
1142 // PREF: Disable ciphers susceptible to the logjam attack
1143 // https://weakdh.org/
1144 user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);
1145 user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
1147 // PREF: Disable ciphers with DSA (max 1024 bits)
1148 user_pref("security.ssl3.dhe_dss_aes_128_sha", false);
1149 user_pref("security.ssl3.dhe_dss_aes_256_sha", false);
1150 user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);
1151 user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);
1153 // PREF: Fallbacks due compatibility reasons
1154 user_pref("security.ssl3.rsa_aes_256_sha", true); // 0x35
1155 user_pref("security.ssl3.rsa_aes_128_sha", true); // 0x2f