aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/firefox/user-overrides.js
diff options
context:
space:
mode:
Diffstat (limited to 'firefox/user-overrides.js')
-rw-r--r--firefox/user-overrides.js78
1 files changed, 78 insertions, 0 deletions
diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js
new file mode 100644
index 0000000..dfebba9
--- /dev/null
+++ b/firefox/user-overrides.js
@@ -0,0 +1,78 @@
+/* override recipe: enable session restore ***/
+user_pref("browser.startup.page", 3); // 0102
+user_pref("browser.sessionstore.privacy_level", 0); // 1003 optional to restore cookies/formdata
+user_pref("privacy.clearOnShutdown.history", false); // 2811
+user_pref("privacy.cpd.history", false); // 2820 optional to match when you use Ctrl-Shift-Del
+
+/* 1601: control when to send a cross-origin referer
+ * 0=always (default), 1=only if base domains match, 2=only if hosts match
+ * [SETUP-WEB] Breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram
+ * If "2" is too strict, then override to "0" and use Smart Referer extension (Strict mode + add exceptions) ***/
+user_pref("network.http.referer.XOriginPolicy", 0);
+
+/** SANITIZE ON SHUTDOWN: IGNORES "ALLOW" SITE EXCEPTIONS ***/
+/* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME]
+ * [NOTE] If "history" is true, downloads will also be cleared
+ * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies
+ * [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/
+user_pref("privacy.clearOnShutdown.downloads", false); // [DEFAULT: true]
+user_pref("privacy.clearOnShutdown.history", false); // [DEFAULT: true]
+user_pref("privacy.clearOnShutdown.sessions", false); // [DEFAULT: true]
+
+/* 0801: disable location bar using search
+ * Don't leak URL typos to a search engine, give an error message instead
+ * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com"
+ * [NOTE] This does not affect explicit user action such as using search buttons in the
+ * dropdown, or using keyword search shortcuts you configure in options (e.g. "d" for DuckDuckGo)
+ * [SETUP-CHROME] Override this if you trust and use a privacy respecting search engine ***/
+user_pref("keyword.enabled", true);
+
+/* 2620: enforce PDFJS, disable PDFJS scripting
+ * This setting controls if the option "Display in Firefox" is available in the setting below
+ * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
+ * [WHY] pdfjs is lightweight, open source, and secure: the last exploit was June 2015 [1]
+ * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
+ * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
+ * [NOTE] JS can still force a pdf to open in-browser by bundling its own code
+ * [SETUP-CHROME] You may prefer a different pdf reader for security/workflow reasons
+ * [SETTING] General>Applications>Portable Document Format (PDF)
+ * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/
+user_pref("pdfjs.disabled", true); // [DEFAULT: false]
+
+/* 5003: disable saving passwords
+ * [NOTE] This does not clear any passwords already saved
+ * [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/
+user_pref("signon.rememberSignons", false);
+
+/* 5017: disable Form Autofill
+ * If .supportedCountries includes your region (browser.search.region) and .supported
+ * is "detect" (default), then the UI will show. Stored data is not secure, uses JSON
+ * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
+ * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses
+ * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/
+user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+]
+user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+]
+user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
+
+/* 2022: disable all DRM content (EME: Encryption Media Extension)
+ * Optionally hide the setting which also disables the DRM prompt
+ * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV
+ * [SETTING] General>DRM Content>Play DRM-controlled content
+ * [TEST] https://bitmovin.com/demos/drm
+ * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
+// user_pref("media.eme.enabled", false); // already disabled
+user_pref("browser.eme.ui.enabled", false);
+
+/* 0701: disable IPv6
+ * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming
+ * your ISP and/or router and/or website is IPv6 capable. Most sites will fall back to IPv4
+ * [SETUP-WEB] PR_CONNECT_RESET_ERROR: this pref *might* be the cause
+ * [STATS] Firefox telemetry (Sept 2022) shows ~8% of successful connections are IPv6
+ * [NOTE] This is an application level fallback. Disabling IPv6 is best done at an
+ * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP,
+ * then this won't make much difference. If you are masking your IP, then it can only help.
+ * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
+ * [TEST] https://ipleak.org/
+ * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/
+// user_pref("network.dns.disableIPv6", true);
+user_pref("network.dns.disableIPv6", false);