From 7c87abbe78577de6607701b5a53b45491d035ef3 Mon Sep 17 00:00:00 2001
From: Thorin-Oakenpants
Date: Thu, 25 May 2017 07:40:40 +1200
Subject: [PATCH] Standardize Part3 #115

---
 user.js | 40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)

diff --git a/user.js b/user.js
index b8630a70..8859893d 100644
--- a/user.js
+++ b/user.js
@@ -444,6 +444,7 @@ user_pref("ghacks_user.js.parrot", "0900 syntax error: the parrot's expired!");
 // user_pref("signon.rememberSignons", false);
 /* 0902: use a master password (recommended if you save passwords)
  * There are no preferences for this. It is all handled internally.
+ * [SETTING] Options>Security>Logins>Use a master password
  * [1] https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins ***/
 /* 0903: set how often Firefox should ask for the master password
  * 0=the first time (default), 1=every time it's needed, 2=every n minutes (as per the next pref) ***/
@@ -464,9 +465,8 @@ user_pref("signon.storeWhenAutocompleteOff", true);
 /* 0907: display warnings for logins on non-secure (non HTTPS) pages
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1217156 ***/
 user_pref("security.insecure_password.ui.enabled", true);
-/* 0908: When attempting to fix an entered URL (see 0802: browser.fixup.alternate.enabled),
- * do not fix an entered password along with it: i.e do not turn ~http://user:password@foo into
- * ~http://user:password@(prefix)foo(suffix) but instead ~http://user@(prefix)foo(suffix) ***/
+/* 0908: remove user & password info when attempting to fix an entered URL (i.e 0802 is true)
+ * e.g //user:password@foo -> //user@(prefix)foo(suffix) NOT //user:password@(prefix)foo(suffix) ***/
 user_pref("browser.fixup.hide_user_pass", true);
 /* 0909: disable formless login capture for Password Manager (FF51+) ***/
 user_pref("signon.formlessCapture.enabled", false);
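Review bot: The rewritten 0908 header says "remove user & password info", but its own example on the next line keeps the user and drops only the password (`//user@(prefix)foo(suffix)`), so the title and the example disagree about what `browser.fixup.hide_user_pass` strips. The removed lines described the same `//user@` outcome, so the example is probably the intended reading; either way the first line should match it, e.g. `/* 0908: strip the password when attempting to fix an entered URL (i.e 0802 is true)`. Which of the two Firefox actually does cannot be confirmed from this hunk, so it is worth checking against the pref before settling the wording.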
@@ -518,8 +518,8 @@ user_pref("browser.sessionstore.max_windows_undo", 0);
 user_pref("browser.sessionstore.privacy_level", 2);
 /* 1022: disable resuming session from crash [SETUP] ***/
 user_pref("browser.sessionstore.resume_from_crash", false);
-/* 1023: If you use session restore, increasing the minimal interval between two session save
- * operations can help on older machines and some websites, as well as reducing writes, see [1]
+/* 1023: set the minimum interval between session save operations - increasing it
+ * can help on older machines and some websites, as well as reducing writes, see [1]
  * Default is 15000 (15 secs). Try 30000 (30sec), 60000 (1min) etc
  * [WARNING] This can also affect entries in the "Recently Closed Tabs" feature:
  * i.e the longer the interval the more chance a quick tab open/close won't be captured.
@@ -625,9 +625,11 @@ user_pref("security.ssl.enable_ocsp_stapling", true);
  * It's a trade-off between security (checking) and privacy (leaking info to the CA)
  * [1] https://en.wikipedia.org/wiki/Ocsp ***/
 user_pref("security.OCSP.enabled", 1);
-/* 1212: require certificate revocation check through OCSP protocol
+/* 1212: enable OCSP revocation. When a CA cannot be reached to validate a cert, Firefox currently
+ * continues the connection. With OCSP revocation, Firefox terminates the connection instead.
  * [WARNING] Since FF44 the default is false. If set to true, this may/will cause some
- * site breakage. Some users have previously mentioned issues with youtube, microsoft etc ***/
+ * site breakage. Some users have previously mentioned issues with youtube, microsoft etc
+ * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
 // user_pref("security.OCSP.require", true);
 /** CERTS / HSTS (HTTP Strict Transport Security) / HPKP (HTTP Public Key Pinning) ***/
 /* 1220: disable Windows 8.1's Microsoft Family Safety cert [WINDOWS] (FF50+)
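Review bot: The new 1212 header calls `security.OCSP.require` "enable OCSP revocation", which reads as the same thing 1211 (`security.OCSP.enabled`, three lines above in the same hunk) already does; what this pref changes is the failure mode, and the first line should say so, e.g. `/* 1212: require OCSP (hard-fail): if the OCSP responder cannot be reached, Firefox terminates the connection` followed by ` * instead of continuing as it does by default (soft-fail)`. "When a CA cannot be reached" is also imprecise — it is the OCSP responder that is unreachable, and the removed line's "require" wording captured the distinction better than "enable" does. The added [1] link is, judging by its URL, about OCSP stapling rather than about the require pref, so a few words saying why it is cited (or pointing it at 1211's stapling pref) would help the reader.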
@@ -718,7 +720,8 @@ user_pref("ghacks_user.js.parrot", "1400 syntax error: the parrot's bereft of li
  * [SETTING] Options>Content>Font & Colors>Advanced>Allow pages to choose...
  * [SETUP] Disabling fonts can uglify the web a fair bit. ***/
 user_pref("browser.display.use_document_fonts", 0);
-/* 1402: enable icon fonts (glyphs) (FF41+) ***/
+/* 1402: enable icon fonts (glyphs) (FF41+)
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=789788 ***/
 user_pref("gfx.downloadable_fonts.enabled", true);
 /* 1403: disable rendering of SVG OpenType fonts
  * [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
@@ -868,7 +871,7 @@ user_pref("media.gmp-gmpopenh264.enabled", false); // (hidden pref)
 user_pref("media.gmp-gmpopenh264.autoupdate", false);
 user_pref("media.gmp-manager.url", "data:text/plain,");
 
-/*** 2000: MEDIA / CAMERA / MIKE ***/
+/*** 2000: MEDIA / CAMERA / MIC ***/
 user_pref("ghacks_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
 /* 2001: disable WebRTC (Web Real-Time Communication)
  * [1] https://www.privacytools.io/#webrtc ***/
@@ -879,10 +882,11 @@ user_pref("media.peerconnection.identity.enabled", false);
 user_pref("media.peerconnection.identity.timeout", 1);
 user_pref("media.peerconnection.turn.disable", true);
 user_pref("media.navigator.video.enabled", false); // video capability for WebRTC
-/* 2002: pref which improves the WebRTC IP Leak issue, as opposed to completely
- * disabling WebRTC. You still need to enable WebRTC for this to be applicable (FF42+)
- * [1] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
-user_pref("media.peerconnection.ice.default_address_only", true); // (FF41-FF50)
+/* 2002: limit WebRTC IP leaks if using WebRTC
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1189041
+ * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1297416
+ * [3] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
+user_pref("media.peerconnection.ice.default_address_only", true); // (FF42-FF50)
 user_pref("media.peerconnection.ice.no_host", true); // (FF51+)
 /* 2010: disable WebGL (Web Graphics Library), force bare minimum feature set if used & disable WebGL extensions
  * [1] http://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
@@ -896,8 +900,8 @@ user_pref("webgl.disable-fail-if-major-performance-caveat", true);
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1171228
  * [2] https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info ***/
 user_pref("webgl.enable-debug-renderer-info", false);
-/* 2012: two more webgl preferences (FF51+) ***/
-user_pref("webgl.dxgl.enabled", false);
+/* 2012: disable two more webgl preferences (FF51+) ***/
+user_pref("webgl.dxgl.enabled", false); // [WINDOWS]
 user_pref("webgl.enable-webgl2", false);
 /* 2021: disable speech recognition
  * [1] https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
@@ -1045,7 +1049,7 @@ user_pref("full-screen-api.enabled", false);
  * [2] https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
  * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712 ***/
 user_pref("javascript.options.asmjs", false);
-/* 2421: in addition to 2420, these settings will help harden JS against exploits such as CVE-2015-0817
+/* 2421: disable Ion and baseline JIT to help harden JS against exploits such as CVE-2015-0817
  * [WARNING] Causes the odd site issue and there is also a performance loss
  * [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
 // user_pref("javascript.options.ion", false);
@@ -1116,7 +1120,7 @@ user_pref("dom.keyboardevent.dispatch_during_composition", false);
  * [NOTE] Changing this option changes BOTH these preferences
  * [WARNING] [SETUP] Affects text rendering (fonts will look different) and impacts video performance
  * [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/
-user_pref("gfx.direct2d.disabled", true);
+user_pref("gfx.direct2d.disabled", true); // [WINDOWS]
 user_pref("layers.acceleration.disabled", true);
 /* 2509: disable touch events [SETUP]
  * fingerprinting attack vector - leaks screen res & actual screen coordinates
@@ -1292,7 +1296,7 @@ user_pref("extensions.autoDisableScopes", 15);
  * CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1255474 ***/
 user_pref("network.proxy.autoconfig_url.include_path", false);
-/* 2670: close bypassing of CSP via image mime types (FF51+)
+/* 2670: disable "image/" mime types bypassing CSP (FF51+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1288361 ***/
 user_pref("security.block_script_with_wrong_mime", true);
 /* 2671: disable in-content SVG (Scalable Vector Graphics) (FF53+)