diff options
Diffstat (limited to 'firefox/user-overrides.js')
-rw-r--r-- | firefox/user-overrides.js | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js new file mode 100644 index 0000000..dfebba9 --- /dev/null +++ b/firefox/user-overrides.js @@ -0,0 +1,78 @@ +/* override recipe: enable session restore ***/ +user_pref("browser.startup.page", 3); // 0102 +user_pref("browser.sessionstore.privacy_level", 0); // 1003 optional to restore cookies/formdata +user_pref("privacy.clearOnShutdown.history", false); // 2811 +user_pref("privacy.cpd.history", false); // 2820 optional to match when you use Ctrl-Shift-Del + +/* 1601: control when to send a cross-origin referer + * 0=always (default), 1=only if base domains match, 2=only if hosts match + * [SETUP-WEB] Breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram + * If "2" is too strict, then override to "0" and use Smart Referer extension (Strict mode + add exceptions) ***/ +user_pref("network.http.referer.XOriginPolicy", 0); + +/** SANITIZE ON SHUTDOWN: IGNORES "ALLOW" SITE EXCEPTIONS ***/ +/* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME] + * [NOTE] If "history" is true, downloads will also be cleared + * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies + * [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/ +user_pref("privacy.clearOnShutdown.downloads", false); // [DEFAULT: true] +user_pref("privacy.clearOnShutdown.history", false); // [DEFAULT: true] +user_pref("privacy.clearOnShutdown.sessions", false); // [DEFAULT: true] + +/* 0801: disable location bar using search + * Don't leak URL typos to a search engine, give an error message instead + * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com" + * [NOTE] This does not affect explicit user action such as using search buttons in the + * dropdown, or using keyword search shortcuts you configure in options (e.g. "d" for DuckDuckGo) + * [SETUP-CHROME] Override this if you trust and use a privacy respecting search engine ***/ +user_pref("keyword.enabled", true); + +/* 2620: enforce PDFJS, disable PDFJS scripting + * This setting controls if the option "Display in Firefox" is available in the setting below + * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With") + * [WHY] pdfjs is lightweight, open source, and secure: the last exploit was June 2015 [1] + * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps). + * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk. + * [NOTE] JS can still force a pdf to open in-browser by bundling its own code + * [SETUP-CHROME] You may prefer a different pdf reader for security/workflow reasons + * [SETTING] General>Applications>Portable Document Format (PDF) + * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/ +user_pref("pdfjs.disabled", true); // [DEFAULT: false] + +/* 5003: disable saving passwords + * [NOTE] This does not clear any passwords already saved + * [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/ +user_pref("signon.rememberSignons", false); + +/* 5017: disable Form Autofill + * If .supportedCountries includes your region (browser.search.region) and .supported + * is "detect" (default), then the UI will show. Stored data is not secure, uses JSON + * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes + * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses + * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ +user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] +user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] +user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] + +/* 2022: disable all DRM content (EME: Encryption Media Extension) + * Optionally hide the setting which also disables the DRM prompt + * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV + * [SETTING] General>DRM Content>Play DRM-controlled content + * [TEST] https://bitmovin.com/demos/drm + * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/ +// user_pref("media.eme.enabled", false); // already disabled +user_pref("browser.eme.ui.enabled", false); + +/* 0701: disable IPv6 + * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming + * your ISP and/or router and/or website is IPv6 capable. Most sites will fall back to IPv4 + * [SETUP-WEB] PR_CONNECT_RESET_ERROR: this pref *might* be the cause + * [STATS] Firefox telemetry (Sept 2022) shows ~8% of successful connections are IPv6 + * [NOTE] This is an application level fallback. Disabling IPv6 is best done at an + * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, + * then this won't make much difference. If you are masking your IP, then it can only help. + * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" + * [TEST] https://ipleak.org/ + * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/ +// user_pref("network.dns.disableIPv6", true); +user_pref("network.dns.disableIPv6", false); |