Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v100 #1423

Merged
merged 4 commits into from
May 9, 2022
Merged

v100 #1423

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9fe19aa
v100
Thorin-Oakenpants Apr 16, 2022
c278dd2
v100 deprecated
Thorin-Oakenpants May 5, 2022
6a3b8a0
strict mode + rpTop
Thorin-Oakenpants May 6, 2022
b13a8dd
update date
Thorin-Oakenpants May 9, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 15 additions & 9 deletions user.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
/******
* name: arkenfox user.js
* date: 9 April 2022
* version: 99
* date: 9 May 2022
* version: 100
* url: https://github.com/arkenfox/user.js
* license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt

Expand Down Expand Up @@ -741,6 +741,9 @@ user_pref("browser.download.useDownloadDir", false);
user_pref("browser.download.alwaysOpenPanel", false);
/* 2653: disable adding downloads to the system's "recent documents" list ***/
user_pref("browser.download.manager.addToRecentDocs", false);
/* 2654: enable user interaction for security by always asking how to handle new mimetypes [FF101+]
* [SETTING] General>Files and Applications>What should Firefox do with other files ***/
user_pref("browser.download.always_ask_before_handling_new_types", true);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it really giving extra security in this case? I think that's mostly provided by browser.download.useDownloadDir, which is always going to kick in and prompt users in regardless of the mimetype.

this new pref mostly seems like an usability thing to give users the option to handle downloads with granularity, but I don't think picking a certain app to handle a file is necessarily security related. it's also somewhat annoying for users who want to just save a file and will be prompted twice like in past releases.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

probably (I didn't test and am only assuming 2651 kicks in correctly, I don't really care TBH) not in our default arkenfox

But as a standalone pref, the description is correct - it adds security, because 2651's default in FF is true - e.g. if users override 2651

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so you plan to leave both flipped for redundancy? (speaking exclusively of the user.js)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it though? asking where to save is not the same as asking how to handle a mime type

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

asking how to handle a mime type

but is this really security related? it seems like a convenience thing more than anything (except if 2651 is set to false, but at that point the user knows he's taking the choice).

Copy link
Collaborator

@fxbrit fxbrit Apr 19, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

k, I think we can safely collapse it now :-) (edit: reverted the collapse since I figured you may want it for visibility)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'd rather leave patch discussions expanded

Copy link
Collaborator

@fxbrit fxbrit May 3, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like v101 then.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what looks like v101?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my mac screen is so small I had never noticed the [FF101+] in the damn comment because I had to scroll horizontally, don't mind me :-}


/** EXTENSIONS ***/
/* 2660: lock down allowed extension directories
Expand Down Expand Up @@ -1174,13 +1177,6 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
* [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy ***/
// user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2]
// user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2]
/* 7009: disable HTTP2
* [WHY] Passive fingerprinting. ~50% of sites use HTTP2 [1]
* [1] https://w3techs.com/technologies/details/ce-http2/all/all ***/
// user_pref("network.http.spdy.enabled", false);
// user_pref("network.http.spdy.enabled.deps", false);
// user_pref("network.http.spdy.enabled.http2", false);
// user_pref("network.http.spdy.websockets", false); // [FF65+]
/* 7010: disable HTTP Alternative Services [FF37+]
* [WHY] Already isolated with network partitioning (FF85+) ***/
// user_pref("network.http.altsvc.enabled", false);
Expand Down Expand Up @@ -1209,6 +1205,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
* [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/
// user_pref("network.cookie.cookieBehavior", 5);
// user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true);
// user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", true); // [FF100+]
// user_pref("privacy.partition.network_state.ocsp_cache", true);
// user_pref("privacy.trackingprotection.enabled", true);
// user_pref("privacy.trackingprotection.socialtracking.enabled", true);
Expand Down Expand Up @@ -1356,6 +1353,15 @@ user_pref("app.update.background.scheduling.enabled", false);
// [1] https://developer.mozilla.org/docs/Web/HTTP/CSP
// [-] https://bugzilla.mozilla.org/1754301
user_pref("security.csp.enable", true); // [DEFAULT: true]
// FF100
// 7009: disable HTTP2 - replaced by network.http.http2* prefs
// [WHY] Passive fingerprinting. ~50% of sites use HTTP2 [1]
// [1] https://w3techs.com/technologies/details/ce-http2/all/all
// [-] https://bugzilla.mozilla.org/1752621
// user_pref("network.http.spdy.enabled", false);
// user_pref("network.http.spdy.enabled.deps", false);
// user_pref("network.http.spdy.enabled.http2", false);
// user_pref("network.http.spdy.websockets", false); // [FF65+]
// ***/

/* END: internal custom pref to test for syntax errors ***/
Expand Down