/******

* name: ghacks user.js

* date: 4 April 2018

* version 60-alpha: Call Me Pants, Maybe

* "Your stare was holding, ripped JEANS, skin was showin'"

* authors: v52+ github | v51- www.ghacks.net

* url: https://github.com/ghacksuserjs/ghacks-user.js

* license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt

* releases: These are end-of-stable-life-cycle legacy archives.

*Always* use the master branch user.js for a current up-to-date version.

url: https://github.com/ghacksuserjs/ghacks-user.js/releases

* README:

1. READ the full README

* https://github.com/ghacksuserjs/ghacks-user.js/blob/master/README.md

2. READ this

* https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation

3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum

* Auto-installing updates for Firefox and extensions are disabled (section 0302's)

* Some user data is erased on close (section 2800), namely history (browsing, form, download)

* Cookies are denied by default (2701), we use site exceptions. In Firefox 58 and lower, this breaks

extensions that use IndexedDB, so you need to allow exceptions for those as well: see [1] below

[1] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1.1-Setting-Extension-Permission-Exceptions

* EACH RELEASE check:

- 4600s: reset prefs made redundant due to privacy.resistFingerprinting (RPF)

or enable them as an alternative to RFP or for ESR users

- 9999s: reset deprecated prefs in about:config or enable relevant section(s) for ESR

* Site breakage WILL happen

- There are often trade-offs and conflicts between Security vs Privacy vs Anti-Fingerprinting

and these need to be balanced against Functionality & Convenience & Breakage

* You will need to make a few changes to suit your own needs

- Search this file for the "[SETUP]" tag to find SOME common items you could check

before using to avoid unexpected surprises

- Search this file for the "[WARNING]" tag to troubleshoot or prevent SOME common issues

4. BACKUP your profile folder before implementing (and/or test in a new/cloned profile)

5. KEEP UP TO DATE: https://github.com/ghacksuserjs/ghacks-user.js/wiki#small_orange_diamond-maintenance

******/

/* START: internal custom pref to test for syntax errors (thanks earthling)

* Yes, this next pref setting is redundant, but we like it!

* [1] https://en.wikipedia.org/wiki/Dead_parrot

* [2] https://en.wikipedia.org/wiki/Warrant_canary ***/

user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?");

/* 0000: disable about:config warning ***/

user_pref("general.warnOnAboutConfig", false);

/* 0001: start Firefox in PB (Private Browsing) mode

* [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode

* [SETTING-ESR52] Privacy>History>Custom Settings>Always use private browsing mode

* [NOTE] In this mode *all* windows are "private windows" and the PB mode icon is not displayed

* [NOTE] The P in PB mode is misleading: it means no "persistent" local storage of history,

* caches, searches or cookies (which you can achieve in normal mode). In fact, it limits or

* removes the ability to control these, and you need to quit Firefox to clear them. PB is best

* used as a one off window (File>New Private Window) to provide a temporary self-contained

* new instance. Closing all Private Windows clears all traces. Repeat as required.

* [WARNING] PB does not allow indexedDB which breaks many Extensions that use it

* including uBlock Origin, uMatrix, Violentmonkey and Stylus

* [1] https://wiki.mozilla.org/Private_Browsing ***/

// user_pref("browser.privatebrowsing.autostart", true);

/*** 0100: STARTUP ***/

user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");

/* 0101: disable "slow startup" options

* warnings, disk history, welcomes, intros, EULA, default browser check ***/

user_pref("browser.slowStartup.notificationDisabled", true);

user_pref("browser.slowStartup.maxSamples", 0);

user_pref("browser.slowStartup.samples", 0);

user_pref("browser.rights.3.shown", true);

user_pref("browser.startup.homepage_override.mstone", "ignore");

user_pref("startup.homepage_welcome_url", "");

user_pref("startup.homepage_welcome_url.additional", "");

user_pref("startup.homepage_override_url", ""); // what's new page after updates

user_pref("browser.laterrun.enabled", false);

user_pref("browser.shell.checkDefaultBrowser", false);

/* 0102: set start page (0=blank, 1=home, 2=last visited page, 3=resume previous session)

* [SETTING] General>Startup>When Firefox starts ***/

// user_pref("browser.startup.page", 0);

/* 0103: set your "home" page (see 0102) ***/

// user_pref("browser.startup.homepage", "https://www.example.com/");

/*** 0200: GEOLOCATION ***/

user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");

/* 0201: disable Location-Aware Browsing

* [1] https://www.mozilla.org/firefox/geolocation/ ***/

user_pref("geo.enabled", false);

/* 0202: disable GeoIP-based search results

* [NOTE] May not be hidden if Firefox has changed your settings due to your locale

* [1] https://trac.torproject.org/projects/tor/ticket/16254

* [2] https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine ***/

user_pref("browser.search.countryCode", "US"); // (hidden pref)

user_pref("browser.search.region", "US"); // (hidden pref)

user_pref("browser.search.geoip.url", "");

/* 0205: set OS & APP locale (FF59+)

* If set to empty, the OS locales are used. If not set at all, default locale is used ***/

user_pref("intl.locale.requested", "en-US"); // (hidden pref)

/* 0206: disable geographically specific results/search engines e.g. "browser.search.*.US"

* i.e. ignore all of Mozilla's various search engines in multiple locales ***/

user_pref("browser.search.geoSpecificDefaults", false);

user_pref("browser.search.geoSpecificDefaults.url", "");

/* 0207: set language to match ***/

user_pref("intl.accept_languages", "en-US, en");

/* 0208: enforce US English locale regardless of the system locale

* [1] https://bugzilla.mozilla.org/867501 ***/

user_pref("javascript.use_us_english_locale", true); // (hidden pref)

/* 0209: use APP locale over OS locale in regional preferences (FF56+)

* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1379420,1364789 ***/

user_pref("intl.regional_prefs.use_os_locales", false);

/* 0210: use Mozilla geolocation service instead of Google when geolocation is enabled

* Optionally enable logging to the console (defaults to false) ***/

user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");

// user_pref("geo.wifi.logging.enabled", true); // (hidden pref)

/* 0211: set a default permission for Location (FF58+)

* [SETTING] to add site exceptions: Page Info>Permissions>Access Your Location

* [SETTING] to manage site exceptions: Privacy & Security>Permissions>Location>Settings ***/

// user_pref("permissions.default.geo", 2); // 0=always ask (default), 1=allow, 2=block

/*** 0300: QUIET FOX

We choose to not disable auto-CHECKs (0301's) but to disable auto-INSTALLs (0302's).

There are many legitimate reasons to turn off auto-INSTALLS, including hijacked or

monetized extensions, time constraints, legacy issues, and fear of breakage/bugs.

It is still important to do updates for security reasons, please do so manually. ***/

user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!");

/* 0301a: disable auto-update checks for Firefox

* [NOTE] Firefox currently checks every 12 hrs and allows 8 day notification dismissal

* [SETTING] General>Firefox Updates>Never check for updates

* [SETTING-ESR52] Advanced>Update>Never check for updates ***/

// user_pref("app.update.enabled", false);

/* 0301b: disable auto-update checks for extensions

* [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/

// user_pref("extensions.update.enabled", false);

/* 0302a: disable auto update installing for Firefox (after the check in 0301a)

* [SETTING] General>Firefox Updates>Check for updates but let you choose...

* [SETTING-ESR52] Advanced>Update>Check for updates but let you choose...

* [NOTE] The UI checkbox also controls the behavior for checking, the pref only controls auto installing ***/

user_pref("app.update.auto", false);

/* 0302b: disable auto update installing for extensions (after the check in 0301b)

* [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/

user_pref("extensions.update.autoUpdateDefault", false);

/* 0303: disable background update service [WINDOWS]

* [SETTING] General>Firefox Updates>Use a background service to install updates

* [SETTING-ESR52] Advanced>Update>Use a background service to install updates ***/

user_pref("app.update.service.enabled", false);

/* 0304: disable background update staging ***/

user_pref("app.update.staging.enabled", false);

/* 0305: enforce update information is displayed

* This is the update available, downloaded, error and success information ***/

user_pref("app.update.silent", false);

/* 0306: disable extension metadata updating

* sends daily pings to Mozilla about extensions and recent startups ***/

user_pref("extensions.getAddons.cache.enabled", false);

/* 0307: disable auto updating of personas (themes) ***/

user_pref("lightweightThemes.update.enabled", false);

/* 0308: disable search update

* [SETTING] General>Firefox Update>Automatically update search engines

* [SETTING-ESR52] Advanced>Update>Automatically update: Search Engines ***/

user_pref("browser.search.update", false);

/* 0309: disable sending Flash crash reports ***/

user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);

/* 0310: disable sending the URL of the website where a plugin crashed ***/

user_pref("dom.ipc.plugins.reportCrashURL", false);

/* 0320: disable about:addons' Get Add-ons panel (uses Google-Analytics) ***/

user_pref("extensions.getAddons.showPane", false); // hidden pref

user_pref("extensions.webservice.discoverURL", "");

/* 0330: disable telemetry

* the pref (.unified) affects the behaviour of the pref (.enabled)

* IF unified=false then .enabled controls the telemetry module

* IF unified=true then .enabled ONLY controls whether to record extended data

* so make sure to have both set as false

* [NOTE] FF58+ `toolkit.telemetry.enabled` is now LOCKED to reflect prerelease

* or release builds (true and false respectively), see [2]

* [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html

* [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/

user_pref("toolkit.telemetry.unified", false);

user_pref("toolkit.telemetry.enabled", false); // see [NOTE] above FF58+

user_pref("toolkit.telemetry.server", "data:,");

user_pref("toolkit.telemetry.archive.enabled", false);

user_pref("toolkit.telemetry.cachedClientID", "");

user_pref("toolkit.telemetry.newProfilePing.enabled", false); // (FF55+)

user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // (FF55+)

user_pref("toolkit.telemetry.updatePing.enabled", false); // (FF56+)

user_pref("toolkit.telemetry.bhrPing.enabled", false); // (FF57+) Background Hang Reporter

user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // (FF57+)

user_pref("toolkit.telemetry.hybridContent.enabled", false); // (FF59+)

/* 0333: disable health report

* [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical... data ***/

user_pref("datareporting.healthreport.uploadEnabled", false);

/* 0334: disable new data submission, master kill switch (FF41+)

* If disabled, no policy is shown or upload takes place, ever

* [1] https://bugzilla.mozilla.org/1195552 ***/

user_pref("datareporting.policy.dataSubmissionEnabled", false);

/* 0350: disable crash reports ***/

user_pref("breakpad.reportURL", "");

/* 0351: disable sending of crash reports (FF44+)

* [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send crash reports ***/

user_pref("browser.tabs.crashReporting.sendReport", false);

user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // (FF51+)

user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false); // (FF51-57)

user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // (FF58+)

/* 0360: disable new tab tile ads & preload & marketing junk ***/

user_pref("browser.newtab.preload", false);

user_pref("browser.newtabpage.directory.source", "data:text/plain,");

user_pref("browser.newtabpage.enabled", false);

user_pref("browser.newtabpage.enhanced", false);

user_pref("browser.newtabpage.introShown", true);

/* 0370: disable "Snippets" (Mozilla content shown on about:home screen)

* [1] https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service ***/

user_pref("browser.aboutHomeSnippets.updateUrl", "data:,");

/* 0380: disable Browser Error Reporter (FF60+)

* [1] https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection

* [2] https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html ***/

user_pref("browser.chrome.errorReporter.enabled", false);

user_pref("browser.chrome.errorReporter.submitUrl", "");

/*** 0400: BLOCKLISTS / SAFE BROWSING / TRACKING PROTECTION

This section has security & tracking protection implications vs privacy concerns vs effectiveness

vs 3rd party 'censorship'. We DO NOT advocate no protection. If you disable Tracking Protection (TP)

and/or Safe Browsing (SB), then SECTION 0400 REQUIRES YOU HAVE uBLOCK ORIGIN INSTALLED.

Safe Browsing is designed to protect users from malicious sites. Tracking Protection is designed

to lessen the impact of third parties on websites to reduce tracking and to speed up your browsing.

These do rely on 3rd parties (Google for SB and Disconnect for TP), but many steps, which are

continually being improved, have been taken to preserve privacy. Disable at your own risk.

***/

user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!");

/** BLOCKLISTS ***/

/* 0401: enable Firefox blocklist, but sanitize blocklist url

* [NOTE] It includes updates for "revoked certificates"

* [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/

* [2] https://trac.torproject.org/projects/tor/ticket/16931 ***/

user_pref("extensions.blocklist.enabled", true);

user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/");

/* 0402: enable Kinto blocklist updates (FF50+)

* What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications

* As Firefox transitions to Kinto, the blocklists have been broken down into entries for certs to be

* revoked, extensions and plugins to be disabled, and gfx environments that cause problems or crashes ***/

user_pref("services.blocklist.update_enabled", true);

user_pref("services.blocklist.signing.enforced", true);

/* 0403: disable individual unwanted/unneeded parts of the Kinto blocklists ***/

// user_pref("services.blocklist.onecrl.collection", ""); // revoked certificates

// user_pref("services.blocklist.addons.collection", "");

// user_pref("services.blocklist.plugins.collection", "");

// user_pref("services.blocklist.gfx.collection", "");

/** SAFE BROWSING (SB)

This sub-section has been redesigned to differentiate between "real-time"/"user initiated"

data being sent to Google from all other settings such as using local blocklists/whitelists and

updating those lists. There are NO privacy issues here. *IF* required, a full url is never sent

to Google, only a PART-hash of the prefix, and this is hidden with noise of other real PART-hashes.

Google also swear it is anonymized and only used to flag malicious sites/activity. Firefox

also takes measures such as striping out identifying parameters and storing safe browsing

cookies in a separate jar. (#Turn on browser.safebrowsing.debug to monitor this activity)

#Required reading [#] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/

[1] https://wiki.mozilla.org/Security/Safe_Browsing ***/

/* 0410: disable "Block dangerous and deceptive content" (under Options>Privacy & Security)

* This covers deceptive sites such as phishing and social engineering ***/

// user_pref("browser.safebrowsing.malware.enabled", false);

// user_pref("browser.safebrowsing.phishing.enabled", false); // (FF50+)

/* 0411: disable "Block dangerous downloads" (under Options>Privacy & Security)

* This covers malware and PUPs (potentially unwanted programs) ***/

// user_pref("browser.safebrowsing.downloads.enabled", false);

/* 0412: disable "Warn me about unwanted and uncommon software" (under Options>Privacy & Security) (FF48+) ***/

// user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);

// user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);

// user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false); // (FF49+)

// user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false); // (FF49+)

/* 0413: disable Google safebrowsing updates ***/

// user_pref("browser.safebrowsing.provider.google.updateURL", "");

// user_pref("browser.safebrowsing.provider.google.gethashURL", "");

// user_pref("browser.safebrowsing.provider.google4.updateURL", ""); // (FF50+)

// user_pref("browser.safebrowsing.provider.google4.gethashURL", ""); // (FF50+)

/* 0414: disable binaries NOT in local lists being checked by Google (real-time checking) ***/

user_pref("browser.safebrowsing.downloads.remote.enabled", false);

user_pref("browser.safebrowsing.downloads.remote.url", "");

/* 0415: disable reporting URLs ***/

user_pref("browser.safebrowsing.provider.google.reportURL", "");

user_pref("browser.safebrowsing.reportPhishURL", "");

user_pref("browser.safebrowsing.provider.google4.reportURL", ""); // (FF50+)

user_pref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", ""); // (FF54+)

user_pref("browser.safebrowsing.provider.google.reportPhishMistakeURL", ""); // (FF54+)

user_pref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", ""); // (FF54+)

user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", ""); // (FF54+)

/* 0416: disable 'ignore this warning' on Safe Browsing warnings which when clicked

* bypasses the block for that session. This is a means for admins to enforce SB

* [TEST] see github wiki APPENDIX C: Test Sites: Section 5

* [1] https://bugzilla.mozilla.org/1226490 ***/

// user_pref("browser.safebrowsing.allowOverride", false);

/* 0417: disable data sharing (FF58+) ***/

user_pref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);

user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");

/** TRACKING PROTECTION (TP)

There are NO privacy concerns here, but we strongly recommend to use uBlock Origin as well,

as it offers more comprehensive and specialized lists. It also allows per domain control. ***/

/* 0420: enable Tracking Protection in all windows

* [NOTE] TP sends DNT headers regardless of the DNT pref (see 1610)

* [1] https://wiki.mozilla.org/Security/Tracking_protection

* [2] https://support.mozilla.org/kb/tracking-protection-firefox ***/

// user_pref("privacy.trackingprotection.pbmode.enabled", true); // default: true

// user_pref("privacy.trackingprotection.enabled", true);

/* 0421: enable more Tracking Protection choices under Options>Privacy & Security>Use Tracking Protection

* Displays three choices: "Always", "Only in private windows", "Never" ***/

user_pref("privacy.trackingprotection.ui.enabled", true);

/* 0422: enable "basic" or "strict" tracking protecting list - ONLY USE ONE!

* [SETTING] Privacy & Security>Tracking Protection>Change Block List

* [SETTING-ESR52] Privacy>Use Tracking Protection>Change Block List ***/

// user_pref("urlclassifier.trackingTable", "test-track-simple,base-track-digest256"); // basic

// user_pref("urlclassifier.trackingTable", "test-track-simple,base-track-digest256,content-track-digest256"); // strict

/* 0423: disable Mozilla's blocklist for known Flash tracking/fingerprinting (FF48+)

* [1] https://www.ghacks.net/2016/07/18/firefox-48-blocklist-against-plugin-fingerprinting/

* [2] https://bugzilla.mozilla.org/1237198 ***/

// user_pref("browser.safebrowsing.blockedURIs.enabled", false);

/* 0424: disable Mozilla's tracking protection and Flash blocklist updates ***/

// user_pref("browser.safebrowsing.provider.mozilla.gethashURL", "");

// user_pref("browser.safebrowsing.provider.mozilla.updateURL", "");

/* 0425: disable passive Tracking Protection (FF53+)

* Passive TP annotates channels to lower the priority of network loads for resources on the tracking protection list

* [NOTE] It has no effect if TP is enabled, but keep in mind that by default TP is only enabled in Private Windows

* This is included for people who want to completely disable Tracking Protection.

* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1170190,1141814 ***/

// user_pref("privacy.trackingprotection.annotate_channels", false);

// user_pref("privacy.trackingprotection.lower_network_priority", false);

/*** 0500: SYSTEM ADD-ONS / EXPERIMENTS

System Add-ons are a method for shipping extensions, considered to be

built-in features to Firefox, that are hidden from the about:addons UI.

To view your System Add-ons go to about:support, they are listed under "Firefox Features"

Some System Add-ons have no on-off prefs. Instead you can manually remove them. Note that app

updates will restore them. They may also be updated and possibly restored automatically (see 0505)

* Portable: "...\App\Firefox64\browser\features\" (or "App\Firefox\etc" for 32bit)

* Windows: "...\Program Files\Mozilla\browser\features" (or "Program Files (X86)\etc" for 32bit)

* Mac: "...\Applications\Firefox\Contents\Resources\browser\features\"

[NOTE] On Mac you can right-click on the application and select "Show Package Contents"

* Linux: "/usr/lib/firefox/browser/features" (or similar)

[1] https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html

[2] https://dxr.mozilla.org/mozilla-central/source/browser/extensions

***/

user_pref("_user.js.parrot", "0500 syntax error: the parrot's cashed in 'is chips!");

/* 0501: disable experiments

* [1] https://wiki.mozilla.org/Telemetry/Experiments ***/

user_pref("experiments.enabled", false);

user_pref("experiments.manifest.uri", "");

user_pref("experiments.supported", false);

user_pref("experiments.activeExperiment", false);

/* 0502: disable Mozilla permission to silently opt you into tests ***/

user_pref("network.allow-experiments", false);

/* 0503: disable Normandy/Shield (FF60+)

* Shield is an telemetry system (including Heartbeat) that can also push and test "recipes"

* [1] https://wiki.mozilla.org/Firefox/Shield

* [2] https://github.com/mozilla/normandy ***/

user_pref("app.normandy.enabled", false);

user_pref("app.normandy.api_url", "");

user_pref("app.shield.optoutstudies.enabled", false);

/* 0505: block URL used for System Add-on updates (FF44+)

* [NOTE] You will not get any System Add-on updates except when you update Firefox ***/

// user_pref("extensions.systemAddon.update.url", "");

/* 0506: disable PingCentre telemetry (used in several System Add-ons) (FF57+)

* Currently blocked by 'datareporting.healthreport.uploadEnabled' (see 0333) ***/

user_pref("browser.ping-centre.telemetry", false);

/* 0510: disable Pocket (FF39+)

* Pocket is a third party (now owned by Mozilla) "save for later" cloud service

* [1] https://en.wikipedia.org/wiki/Pocket_(application)

* [2] https://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-pocket/ ***/

user_pref("extensions.pocket.enabled", false);

/* 0512: disable Shield (FF53-FF59) - replaced internally by Normandy (see 0503)

* Shield is an telemetry system (including Heartbeat) that can also push and test "recipes"

* [1] https://wiki.mozilla.org/Firefox/Shield

* [2] https://github.com/mozilla/normandy ***/

user_pref("extensions.shield-recipe-client.enabled", false);

user_pref("extensions.shield-recipe-client.api_url", "");

/* 0513: disable Follow On Search (FF53+)

* Just DELETE the XPI file in your System Add-ons directory

* [1] https://blog.mozilla.org/data/2017/06/05/measuring-search-in-firefox/ ***/

/* 0514: disable Activity Stream (FF54+)

* Activity Stream replaces "New Tab" with one based on metadata and browsing behavior,

* and includes telemetry as well as web content such as snippets and "spotlight"

* [1] https://wiki.mozilla.org/Firefox/Activity_Stream

* [2] https://www.ghacks.net/2016/02/15/firefox-mockups-show-activity-stream-new-tab-page-and-share-updates/ ***/

user_pref("browser.newtabpage.activity-stream.enabled", false);

user_pref("browser.library.activity-stream.enabled", false); // (FF57+)

/* 0515: disable Screenshots (FF55+)

* [1] https://github.com/mozilla-services/screenshots

* [2] https://www.ghacks.net/2017/05/28/firefox-screenshots-integrated-in-firefox-nightly/ ***/

// user_pref("extensions.screenshots.disabled", true);

/* 0516: disable Onboarding (FF55+)

* Onboarding is an interactive tour/setup for new installs/profiles and features. Every time

* about:home or about:newtab is opened, the onboarding overlay is injected into that page

* [NOTE] Onboarding uses Google Analytics [2], and leaks resource://URIs [3]

* [1] https://wiki.mozilla.org/Firefox/Onboarding

* [2] https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf

* [3] https://bugzilla.mozilla.org/863246#c154 ***/

user_pref("browser.onboarding.enabled", false);

/* 0517: disable Form Autofill (FF55+)

* [SETTING] Privacy & Security>Forms & Passwords>Enable Profile Autofill

* [SETTING-ESR52] Privacy>Forms & Passwords>Enable Profile Autofill

* [NOTE] Stored data is NOT secure (uses a JSON file)

* [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes

* [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill

* [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ ***/

user_pref("extensions.formautofill.addresses.enabled", false);

user_pref("extensions.formautofill.available", "off"); // (FF56+)

user_pref("extensions.formautofill.creditCards.enabled", false); // (FF56+)

user_pref("extensions.formautofill.heuristics.enabled", false);

/* 0518: disable Web Compatibility Reporter (FF56+)

* Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/

user_pref("extensions.webcompat-reporter.enabled", false);

/*** 0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - e.g. clicked on] ***/

user_pref("_user.js.parrot", "0600 syntax error: the parrot's no more!");

/* 0601: disable link prefetching

* [1] https://developer.mozilla.org/docs/Web/HTTP/Link_prefetching_FAQ ***/

user_pref("network.prefetch-next", false);

/* 0602: disable DNS prefetching

* [1] https://www.ghacks.net/2013/04/27/firefox-prefetching-what-you-need-to-know/

* [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/

user_pref("network.dns.disablePrefetch", true);

user_pref("network.dns.disablePrefetchFromHTTPS", true); // (hidden pref)

/* 0603a: disable Seer/Necko

* [1] https://developer.mozilla.org/docs/Mozilla/Projects/Necko ***/

user_pref("network.predictor.enabled", false);

/* 0603b: disable more Necko/Captive Portal

* [1] https://en.wikipedia.org/wiki/Captive_portal

* [2] https://wiki.mozilla.org/Necko/CaptivePortal

* [3] https://trac.torproject.org/projects/tor/ticket/21790 ***/

user_pref("captivedetect.canonicalURL", "");

user_pref("network.captive-portal-service.enabled", false); // (FF52+)

/* 0605: disable link-mouseover opening connection to linked server

* [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests

* [2] https://www.ghacks.net/2015/08/16/block-firefox-from-connecting-to-sites-when-you-hover-over-links/ ***/

user_pref("network.http.speculative-parallel-limit", 0);

/* 0606: disable pings (but enforce same host in case)

* [1] http://kb.mozillazine.org/Browser.send_pings

* [2] http://kb.mozillazine.org/Browser.send_pings.require_same_host ***/

user_pref("browser.send_pings", false);

user_pref("browser.send_pings.require_same_host", true);

/* 0607: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS]

* [1] https://www.ghacks.net/2016/03/25/block-firefox-chrome-windows-store/ ***/

user_pref("network.protocol-handler.external.ms-windows-store", false);

/* 0608: disable predictor / prefetching (FF48+) ***/

user_pref("network.predictor.enable-prefetch", false);

/*** 0700: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/

user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!");

/* 0701: disable IPv6 (included for knowledge ONLY [WARNING] do not do this)

* This is all about covert channels such as MAC addresses being included/abused in the

* IPv6 protocol for tracking. If you want to mask your IP address, this is not the way

* to do it. It's 2016, IPv6 is here. Here are some old links

* 2010: https://christopher-parsons.com/ipv6-and-the-future-of-privacy/

* 2011: https://iapp.org/news/a/2011-09-09-facing-the-privacy-implications-of-ipv6/

* 2012: http://www.zdnet.com/article/security-versus-privacy-with-ipv6-deployment/

* [NOTE] It is a myth that disabling IPv6 will speed up your internet connection

* [1] https://www.howtogeek.com/195062/no-disabling-ipv6-probably-wont-speed-up-your-internet-connection/ ***/

// user_pref("network.dns.disableIPv6", true);

// user_pref("network.http.fast-fallback-to-IPv4", true); // default: true

/* 0702: disable HTTP2 (which was based on SPDY which is now deprecated)

* HTTP2 raises concerns with "multiplexing" and "server push", does nothing to enhance

* privacy, and in fact opens up a number of server-side fingerprinting opportunities

* [1] https://http2.github.io/faq/

* [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html

* [3] https://queue.acm.org/detail.cfm?id=2716278

* [4] https://github.com/ghacksuserjs/ghacks-user.js/issues/107 ***/

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled.deps", false);

user_pref("network.http.spdy.enabled.http2", false);

/* 0703: disable HTTP Alternative Services (FF37+)

* [1] https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3970881

* [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/

user_pref("network.http.altsvc.enabled", false);

user_pref("network.http.altsvc.oe", false);

/* 0704: enforce the proxy server to do any DNS lookups when using SOCKS

* e.g. in TOR, this stops your local DNS server from knowing your Tor destination

* as a remote Tor node will handle the DNS request

* [1] http://kb.mozillazine.org/Network.proxy.socks_remote_dns

* [2] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/

user_pref("network.proxy.socks_remote_dns", true);

/* 0705: disable DNS requests for hostnames with a .onion TLD (FF45+)

* [1] https://bugzilla.mozilla.org/1228457 ***/

user_pref("network.dns.blockDotOnion", true);

/* 0706: remove paths when sending URLs to PAC scripts (FF51+)

* CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)

* [1] https://bugzilla.mozilla.org/1255474 ***/

user_pref("network.proxy.autoconfig_url.include_path", false);

/*** 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS [SETUP]

If you are in a private environment (no unwanted eyeballs) and your device is private

(restricted access), and the device is secure when unattended (locked, encrypted, forensic

hardened), then items 0850 and above can be relaxed in return for more convenience and

functionality. Likewise, you may want to check the items cleared on shutdown in section 2800.

[NOTE] The urlbar is also commonly referred to as the location bar and address bar

#Required reading [#] https://xkcd.com/538/

***/

user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");

/* 0801: disable location bar using search - PRIVACY

* don't leak typos to a search engine, give an error message instead ***/

user_pref("keyword.enabled", false);

/* 0802: disable location bar domain guessing - PRIVACY/SECURITY

* domain guessing intercepts DNS "hostname not found errors" and resends a

* request (e.g. by adding www or .com). This is inconsistent use (e.g. FQDNs), does not work

* via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com

* as the 411 for DNS errors?), privacy issues (why connect to sites you didn't

* intend to), can leak sensitive data (e.g. query strings: e.g. Princeton attack),

* and is a security risk (e.g. common typos & malicious sites set up to exploit this) ***/

user_pref("browser.fixup.alternate.enabled", false);

/* 0803: display all parts of the url in the location bar - helps SECURITY ***/

user_pref("browser.urlbar.trimURLs", false);

/* 0804: limit history leaks via enumeration (PER TAB: back/forward) - PRIVACY

* This is a PER TAB session history. You still have a full history stored under all history

* default=50, minimum=1=currentpage, 2 is the recommended minimum as some pages

* use it as a means of referral (e.g. hotlinking), 4 or 6 or 10 may be more practical ***/

user_pref("browser.sessionhistory.max_entries", 10);

/* 0805: disable CSS querying page history - CSS history leak - PRIVACY

* [NOTE] This has NEVER been fully "resolved": in Mozilla/docs it is stated it's

* only in 'certain circumstances', also see latest comments in [2]

* [TEST] http://lcamtuf.coredump.cx/yahh/ (see github wiki APPENDIX C on how to use)

* [1] https://dbaron.org/mozilla/visited-privacy

* [2] https://bugzilla.mozilla.org/147777

* [3] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector ***/

user_pref("layout.css.visited_links_enabled", false);

/* 0806: disable displaying javascript in history URLs - SECURITY ***/

user_pref("browser.urlbar.filter.javascript", true);

/* 0807: disable search bar LIVE search suggestions - PRIVACY

* [SETTING] Search>Provide search suggestions ***/

user_pref("browser.search.suggest.enabled", false);

/* 0808: disable location bar LIVE search suggestions (requires 0807 = true) - PRIVACY

* Also disable the location bar prompt to enable/disable or learn more about it.

* [SETTING] Search>Show search suggestions in address bar results ***/

user_pref("browser.urlbar.suggest.searches", false);

user_pref("browser.urlbar.userMadeSearchSuggestionsChoice", true); // (FF41+)

/* 0809: disable location bar suggesting "preloaded" top websites (FF54+)

* [1] https://bugzilla.mozilla.org/1211726 ***/

user_pref("browser.urlbar.usepreloadedtopurls.enabled", false);

/* 0810: disable location bar making speculative connections (FF56+)

* [1] https://bugzilla.mozilla.org/1348275 ***/

user_pref("browser.urlbar.speculativeConnect.enabled", false);

/* 0850a: disable location bar autocomplete and suggestion types

* If you enforce any of the suggestion types, you MUST enforce 'autocomplete'

* - If *ALL* of the suggestion types are false, 'autocomplete' must also be false

* - If *ANY* of the suggestion types are true, 'autocomplete' must also be true

* [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest

* [SETTING-ESR52] Privacy>Location Bar>When using the location bar, suggest

* [WARNING] If all three suggestion types are false, search engine keywords are disabled ***/

user_pref("browser.urlbar.autocomplete.enabled", false);

user_pref("browser.urlbar.suggest.history", false);

user_pref("browser.urlbar.suggest.bookmark", false);

user_pref("browser.urlbar.suggest.openpage", false);

/* 0850c: disable location bar dropdown

* This value controls the total number of entries to appear in the location bar dropdown

* [NOTE] Items (bookmarks/history/openpages) with a high "frecency"/"bonus" will always

* be displayed (no we do not know how these are calculated or what the threshold is),

* and this does not affect the search by search engine suggestion (see 0808)

* [USAGE] This setting is only useful if you want to enable search engine keywords

* (i.e. at least one of 0850a suggestion types must be true) but you want to *limit* suggestions shown ***/

// user_pref("browser.urlbar.maxRichResults", 0);

/* 0850d: disable location bar autofill

* [1] http://kb.mozillazine.org/Inline_autocomplete ***/

user_pref("browser.urlbar.autoFill", false);

user_pref("browser.urlbar.autoFill.typed", false);

/* 0850e: disable location bar one-off searches (FF51+)

* [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ ***/

user_pref("browser.urlbar.oneOffSearches", false);

/* 0850f: disable location bar suggesting local search history (FF57+)

* [1] https://bugzilla.mozilla.org/1181644 ***/

user_pref("browser.urlbar.maxHistoricalSearchSuggestions", 0); // max. number of search suggestions

/* 0860: disable search and form history

* [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history

* [SETTING-ESR52] Privacy>History>Custom Settings>Remember search and form history

* [NOTE] You can clear formdata on exiting Firefox (see 2803) ***/

user_pref("browser.formfill.enable", false);

/* 0862: disable browsing and download history

* [SETTING] Privacy & Security>History>Custom Settings>Remember my browsing and download history

* [SETTING-ESR52] Privacy>History>Custom Settings>Remember my browsing and download history

* [NOTE] You can clear history and downloads on exiting Firefox (see 2803) ***/

// user_pref("places.history.enabled", false);

/* 0870: disable Windows jumplist [WINDOWS] ***/

user_pref("browser.taskbar.lists.enabled", false);

user_pref("browser.taskbar.lists.frequent.enabled", false);

user_pref("browser.taskbar.lists.recent.enabled", false);

user_pref("browser.taskbar.lists.tasks.enabled", false);

/* 0871: disable Windows taskbar preview [WINDOWS] ***/

user_pref("browser.taskbar.previews.enable", false);

/*** 0900: PASSWORDS ***/

user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!");

/* 0901: disable saving passwords

* [SETTING] Privacy & Security>Forms & Passwords>Remember logins and passwords for sites

* [SETTING-ESR52] Security>Logins>Remember logins for sites

* [NOTE] This does not clear any passwords already saved ***/

// user_pref("signon.rememberSignons", false);

/* 0902: use a master password (recommended if you save passwords)

* There are no preferences for this. It is all handled internally.

* [SETTING] Privacy & Security>Forms & Passwords>Use a master password

* [SETTING-ESR52] Security>Logins>Use a master password

* [1] https://support.mozilla.org/kb/use-master-password-protect-stored-logins ***/

/* 0903: set how often Firefox should ask for the master password

* 0=the first time (default), 1=every time it's needed, 2=every n minutes (as per the next pref) ***/

user_pref("security.ask_for_password", 2);

/* 0904: set how often in minutes Firefox should ask for the master password (see pref above)

* in minutes, default is 30 ***/

user_pref("security.password_lifetime", 5);

/* 0905: disable auto-filling username & password form fields - SECURITY

* can leak in cross-site forms AND be spoofed

* [NOTE] Password will still be auto-filled after a user name is manually entered

* [1] http://kb.mozillazine.org/Signon.autofillForms ***/

user_pref("signon.autofillForms", false);

/* 0906: disable websites' autocomplete="off" (FF30+)

* Don't let sites dictate use of saved logins and passwords. Increase security through

* stronger password use. The trade-off is the convenience. Some sites should never be

* saved (such as banking sites). Set at true, informed users can make their own choice. ***/

user_pref("signon.storeWhenAutocompleteOff", true);

/* 0907: display warnings for logins on non-secure (non HTTPS) pages

* [1] https://bugzilla.mozilla.org/1217156 ***/

user_pref("security.insecure_password.ui.enabled", true);

/* 0908: remove user & password info when attempting to fix an entered URL (i.e. 0802 is true)

* e.g. //user:password@foo -> //user@(prefix)foo(suffix) NOT //user:password@(prefix)foo(suffix) ***/

user_pref("browser.fixup.hide_user_pass", true);

/* 0909: disable formless login capture for Password Manager (FF51+) ***/

user_pref("signon.formlessCapture.enabled", false);

/* 0910: disable autofilling saved passwords on HTTP pages and show warning (FF52+)

* [1] https://www.fxsitecompat.com/en-CA/docs/2017/insecure-login-forms-now-disable-autofill-show-warning-beneath-input-control/

* [2] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1217152,1319119 ***/

user_pref("signon.autofillForms.http", false);

user_pref("security.insecure_field_warning.contextual.enabled", true);

/* 0911: prevent cross-origin images from triggering an HTTP-Authentication prompt (FF55+)

* [1] https://bugzilla.mozilla.org/1357835 ***/

user_pref("network.auth.subresource-img-cross-origin-http-auth-allow", false);

/*** 1000: CACHE [SETUP] ***/

user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");

/** CACHE ***/

/* 1001: disable disk cache ***/

user_pref("browser.cache.disk.enable", false);

user_pref("browser.cache.disk.capacity", 0);

user_pref("browser.cache.disk.smart_size.enabled", false);

user_pref("browser.cache.disk.smart_size.first_run", false);

/* 1002: disable disk cache for SSL pages

* [1] http://kb.mozillazine.org/Browser.cache.disk_cache_ssl ***/

user_pref("browser.cache.disk_cache_ssl", false);

/* 1003: disable memory cache

* [NOTE] Not recommended due to performance issues ***/

// user_pref("browser.cache.memory.enable", false);

// user_pref("browser.cache.memory.capacity", 0); // (hidden pref)

/* 1005: disable fastback cache

* To improve performance when pressing back/forward Firefox stores visited pages

* so they don't have to be re-parsed. This is not the same as memory cache.

* 0=none, -1=auto (that's minus 1), or for other values see [1]

* [NOTE] Not recommended unless you know what you're doing

* [1] http://kb.mozillazine.org/Browser.sessionhistory.max_total_viewers ***/

// user_pref("browser.sessionhistory.max_total_viewers", 0);

/* 1006: disable permissions manager from writing to disk [RESTART]

* [NOTE] This means any permission changes are session only

* [1] https://bugzilla.mozilla.org/967812 ***/

// user_pref("permissions.memory_only", true); // (hidden pref)

/* 1007: disable randomized FF HTTP cache decay experiments

* [1] https://trac.torproject.org/projects/tor/ticket/13575 ***/

user_pref("browser.cache.frecency_experiment", -1);

/* 1008: set DNS cache and expiration time (default 400 and 60, same as TBB) ***/

// user_pref("network.dnsCacheEntries", 400);

// user_pref("network.dnsCacheExpiration", 60);

/** SESSIONS & SESSION RESTORE ***/

/* 1020: disable the Session Restore service completely

* [WARNING] [SETUP] This also disables the "Recently Closed Tabs" feature

* It does not affect "Recently Closed Windows" or any history. ***/

user_pref("browser.sessionstore.max_tabs_undo", 0);

user_pref("browser.sessionstore.max_windows_undo", 0);

/* 1021: disable storing extra session data

* extra session data contains contents of forms, scrollbar positions, cookies and POST data

* define on which sites to save extra session data:

* 0=everywhere, 1=unencrypted sites, 2=nowhere ***/

user_pref("browser.sessionstore.privacy_level", 2);

/* 1022: disable resuming session from crash [SETUP] ***/

user_pref("browser.sessionstore.resume_from_crash", false);

/* 1023: set the minimum interval between session save operations - increasing it

* can help on older machines and some websites, as well as reducing writes, see [1]

* Default is 15000 (15 secs). Try 30000 (30sec), 60000 (1min) etc

* [WARNING] This can also affect entries in the "Recently Closed Tabs" feature:

* i.e. the longer the interval the more chance a quick tab open/close won't be captured.

* This longer interval *may* affect history but we cannot replicate any history not recorded

* [1] https://bugzilla.mozilla.org/1304389 ***/

user_pref("browser.sessionstore.interval", 30000);

/** FAVICONS ***/

/* 1030: disable favicons in shortcuts

* URL shortcuts use a cached randomly named .ico file which is stored in your

* profile/shortcutCache directory. The .ico remains after the shortcut is deleted.

* If set to false then the shortcuts use a generic Firefox icon ***/

user_pref("browser.shell.shortcutFavicons", false);

/* 1031: disable favicons in tabs and new bookmarks

* bookmark favicons are stored as data blobs in places.sqlite>moz_favicons ***/

// user_pref("browser.chrome.site_icons", false);

// user_pref("browser.chrome.favicons", false);

/* 1032: disable favicons in web notifications ***/

user_pref("alerts.showFavicons", false); // default: false

/*** 1200: HTTPS ( SSL/TLS / OCSP / CERTS / HSTS / HPKP / CIPHERS )

Note that your cipher and other settings can be used server side as a fingerprint attack

vector, see [1] (It's quite technical but the first part is easy to understand

and you can stop reading when you reach the second section titled "Enter Bro")

Option 1: Use Firefox defaults for the 1260's items (item 1260 default for SHA-1, is local

only anyway). There is nothing *weak* about Firefox's defaults, but Mozilla (and

other browsers) will always lag for fear of breakage and upset end-users

Option 2: Disable the ciphers in 1261, 1262 and 1263. These shouldn't break anything.

Optionally, disable the ciphers in 1264.

[1] https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/

***/

user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");

/** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/

/* 1201: disable old SSL/TLS - vulnerable to a MiTM attack

* [WARNING] Tested Feb 2017 - still breaks too many sites

* [1] https://wiki.mozilla.org/Security:Renegotiation ***/

// user_pref("security.ssl.require_safe_negotiation", true);

/* 1202: control TLS versions with min and max

* 1=min version of TLS 1.0, 2=min version of TLS 1.1, 3=min version of TLS 1.2 etc

* [NOTE] Jul-2017: Telemetry indicates approx 2% of TLS web traffic uses 1.0 or 1.1

* [WARNING] If you get an "SSL_ERROR_NO_CYPHER_OVERLAP" error, temporarily

* set a lower value for 'security.tls.version.min' in about:config

* [1] http://kb.mozillazine.org/Security.tls.version.*

* [2] https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/

* [2] archived: https://archive.is/hY2Mm ***/

user_pref("security.tls.version.min", 3);

user_pref("security.tls.version.fallback-limit", 3);

user_pref("security.tls.version.max", 4); // 4 = allow up to and including TLS 1.3

/* 1203: disable SSL session tracking (FF36+)

* SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.

* Since the ID is unique, web servers can (and do) use it for tracking. If set to true,

* this disables sending SSL Session IDs and TLS Session Tickets to prevent session tracking

* [1] https://tools.ietf.org/html/rfc5077

* [2] https://bugzilla.mozilla.org/967977 ***/

user_pref("security.ssl.disable_session_identifiers", true); // (hidden pref)

/* 1204: disable SSL Error Reporting

* [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html ***/

user_pref("security.ssl.errorReporting.automatic", false);

user_pref("security.ssl.errorReporting.enabled", false);

user_pref("security.ssl.errorReporting.url", "");

/* 1205: disable TLS1.3 0-RTT (round-trip time) (FF51+)

* [1] https://github.com/tlswg/tls13-spec/issues/1001

* [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/

user_pref("security.tls.enable_0rtt_data", false); // (FF55+ default true)

/** OCSP (Online Certificate Status Protocol)

#Required reading [#] https://scotthelme.co.uk/revocation-is-broken/ ***/

/* 1210: enable OCSP Stapling

* [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/

user_pref("security.ssl.enable_ocsp_stapling", true);

/* 1211: control when to use OCSP fetching (to confirm current validity of certificates)

* 0=disabled, 1=enabled (default), 2=enabled for EV certificates only

* OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)

* It's a trade-off between security (checking) and privacy (leaking info to the CA)

* [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling

* [1] https://en.wikipedia.org/wiki/Ocsp ***/

user_pref("security.OCSP.enabled", 1);

/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail

* When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)

* Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)

* It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it

* could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)

* [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/

* [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/

user_pref("security.OCSP.require", true);

/** CERTS / HSTS (HTTP Strict Transport Security) / HPKP (HTTP Public Key Pinning) ***/

/* 1220: disable Windows 8.1's Microsoft Family Safety cert [WINDOWS] (FF50+)

* 0=disable detecting Family Safety mode and importing the root

* 1=only attempt to detect Family Safety mode (don't import the root)

* 2=detect Family Safety mode and import the root

* [1] https://trac.torproject.org/projects/tor/ticket/21686 ***/

user_pref("security.family_safety.mode", 0);

/* 1221: disable intermediate certificate caching (fingerprinting attack vector) [RESTART]

* [NOTE] This may be better handled under FPI (ticket 1323644, part of Tor Uplift)

* [WARNING] This affects login/cert/key dbs. The effect is all credentials are session-only.

* Saved logins and passwords are not available. Reset the pref and restart to return them.

* [TEST] https://fiprinca.0x90.eu/poc/

* [1] https://bugzilla.mozilla.org/1334485 - related bug

* [2] https://bugzilla.mozilla.org/1216882 - related bug (see comment 9) ***/

// user_pref("security.nocertdb", true); // (hidden pref)

/* 1222: enforce strict pinning

* PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict

* [WARNING] If you rely on an AV (antivirus) to protect your web browsing

* by inspecting ALL your web traffic, then leave at current default=1

* [1] https://trac.torproject.org/projects/tor/ticket/16206 ***/

user_pref("security.cert_pinning.enforcement_level", 2);

/* 1223: enforce HSTS preload list (default is true)

* The list is compiled into Firefox and used to always load those domains over HTTPS

* [1] https://blog.mozilla.org/security/2012/11/01/preloading-hsts/

* [2] https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List ***/

user_pref("network.stricttransportsecurity.preloadlist", true);

/** MIXED CONTENT ***/

/* 1240: disable insecure active content on https pages - mixed content

* [1] https://trac.torproject.org/projects/tor/ticket/21323 ***/

user_pref("security.mixed_content.block_active_content", true);

/* 1241: disable insecure passive content (such as images) on https pages - mixed context ***/

user_pref("security.mixed_content.block_display_content", true);

/** CIPHERS [see the section 1200 intro] ***/

/* 1260: disable or limit SHA-1

* 0=all SHA1 certs are allowed

* 1=all SHA1 certs are blocked (including perfectly valid ones from 2015 and earlier)

* 2=deprecated option that now maps to 1

* 3=only allowed for locally-added roots (e.g. anti-virus)

* 4=only allowed for locally-added roots or for certs in 2015 and earlier

* [WARNING] When disabled, some man-in-the-middle devices (e.g. security scanners and

* antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete.

* [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/

user_pref("security.pki.sha1_enforcement_level", 1);

/* 1261: disable 3DES (effective key size < 128)

* [1] https://en.wikipedia.org/wiki/3des#Security

* [2] http://en.citizendium.org/wiki/Meet-in-the-middle_attack

* [3] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ***/

// user_pref("security.ssl3.rsa_des_ede3_sha", false);

/* 1262: disable 128 bits ***/

// user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);

// user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);

/* 1263: disable DHE (Diffie-Hellman Key Exchange)

* [WARNING] May break obscure sites, but not major sites, which should support ECDH over DHE

* [1] https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH ***/

// user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);

// user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);

/* 1264: disable the remaining non-modern cipher suites as of FF52

* [NOTE] Commented out because it still breaks too many sites ***/

// user_pref("security.ssl3.rsa_aes_128_sha", false);

// user_pref("security.ssl3.rsa_aes_256_sha", false);

/** UI (User Interface) ***/

/* 1270: display warning (red padlock) for "broken security"

* [1] https://wiki.mozilla.org/Security:Renegotiation ***/

user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);

/* 1271: control "Add Security Exception" dialog on SSL warnings

* 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)

* [1] https://github.com/pyllyukko/user.js/issues/210 ***/

user_pref("browser.ssl_override_behavior", 1);

/* 1272: display advanced information on Insecure Connection warning pages

* only works when it's possible to add an exception

* i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/)

* [TEST] https://expired.badssl.com/ ***/

user_pref("browser.xul.error_pages.expert_bad_cert", true);

/* 1273: display "insecure" icon (FF59+) and "Not Secure" text (FF60+) on HTTP sites ***/

user_pref("security.insecure_connection_icon.enabled", true); // all windows

user_pref("security.insecure_connection_text.enabled", true);

// user_pref("security.insecure_connection_icon.pbmode.enabled", true); // private windows only

// user_pref("security.insecure_connection_text.pbmode.enabled", true);

/*** 1400: FONTS ***/

user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");

/* 1401: disable websites choosing fonts (0=block, 1=allow)

* If you disallow fonts, this drastically limits/reduces font

* enumeration (by JS) which is a high entropy fingerprinting vector.

* [SETTING] General>Language and Appearance>Advanced>Allow pages to choose...

* [SETTING-ESR52] Content>Font & Colors>Advanced>Allow pages to choose...

* [SETUP] Disabling fonts can uglify the web a fair bit. ***/

user_pref("browser.display.use_document_fonts", 0);

/* 1402: set more legible default fonts [SETUP]

* [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Serif|Sans-serif|Monospace

* [SETTING-ESR52] Content>Fonts & Colors>Advanced>Serif|Sans-serif|Monospace

* [NOTE] Example below for Windows/Western only ***/

// user_pref("font.name.serif.x-unicode", "Georgia");

// user_pref("font.name.serif.x-western", "Georgia"); // default: Times New Roman

// user_pref("font.name.sans-serif.x-unicode", "Arial");

// user_pref("font.name.sans-serif.x-western", "Arial"); // default: Arial

// user_pref("font.name.monospace.x-unicode", "Lucida Console");

// user_pref("font.name.monospace.x-western", "Lucida Console"); // default: Courier New

/* 1403: enable icon fonts (glyphs) (FF41+)

* [1] https://bugzilla.mozilla.org/789788 ***/

user_pref("gfx.downloadable_fonts.enabled", true); // default: true

/* 1404: disable rendering of SVG OpenType fonts

* [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/

user_pref("gfx.font_rendering.opentype_svg.enabled", false);

/* 1405: disable WOFF2 (Web Open Font Format) (FF35+) ***/

user_pref("gfx.downloadable_fonts.woff2.enabled", false);

/* 1406: disable CSS Font Loading API

* [SETUP] Disabling fonts can uglify the web a fair bit. ***/

user_pref("layout.css.font-loading-api.enabled", false);

/* 1407: disable special underline handling for a few fonts which you will probably never use [RESTART]

* Any of these fonts on your system can be enumerated for fingerprinting.

* [1] http://kb.mozillazine.org/Font.blacklist.underline_offset ***/

user_pref("font.blacklist.underline_offset", "");

/* 1408: disable graphite which FF49 turned back on by default

* In the past it had security issues. Update: This continues to be the case, see [1]

* [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 ***/

user_pref("gfx.font_rendering.graphite.enabled", false);

/* 1409: limit system font exposure to a whitelist (FF52+) [SETUP] [RESTART]

* If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.

* [NOTE] Creating your own probably highly-unique whitelist will raise your entropy. If

* you block sites choosing fonts in 1401, this preference is irrelevant. In future,

* privacy.resistFingerprinting (see 4500) may cover this, and 1401 can be relaxed.

* [1] https://bugzilla.mozilla.org/1121643 ***/

// user_pref("font.system.whitelist", ""); // (hidden pref)

/*** 1600: HEADERS / REFERERS

Only *cross domain* referers need controlling and XOriginPolicy (1603) is perfect for that. Thus we enforce

the default values for 1601, 1602, 1605 and 1606 to minimize breakage, and only tweak 1603 and 1604.

Our default settings provide the best balance between protection and amount of breakage.

To harden it a bit more you can set XOriginPolicy (1603) to 2 (+ optionally 1604 to 1 or 2).

To fix broken sites, temporarily set XOriginPolicy=0 and XOriginTrimmingPolicy=2 in about:config,

use the site and then change the values back. If you visit those sites regularly (e.g. Vimeo), use an extension.

full URI: https://example.com:8888/foo/bar.html?id=1234

scheme+host+path+port: https://example.com:8888/foo/bar.html

scheme+host+port: https://example.com:8888

#Required reading [#] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/

***/

user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");

/* 1601: ALL: control when images/links send a referer

* 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/

user_pref("network.http.sendRefererHeader", 2);

/* 1602: ALL: control the amount of information to send

* 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port ***/

user_pref("network.http.referer.trimmingPolicy", 0);

/* 1603: CROSS ORIGIN: control when to send a referer [SETUP]

* 0=always (default), 1=only if base domains match, 2=only if hosts match ***/

user_pref("network.http.referer.XOriginPolicy", 1);

/* 1604: CROSS ORIGIN: control the amount of information to send (FF52+)

* 0=send full URI (default), 1=scheme+host+path+port, 2=scheme+host+port ***/

user_pref("network.http.referer.XOriginTrimmingPolicy", 0);

/* 1605: ALL: disable spoofing a referer

* [WARNING] Spoofing effectively disables the anti-CSRF (Cross-Site Request Forgery) protections that some sites may rely on ***/

user_pref("network.http.referer.spoofSource", false);

/* 1606: ALL: set the default Referrer Policy

* 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade

* [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy

* [1] https://www.w3.org/TR/referrer-policy/

* [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy

* [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ***/

user_pref("network.http.referer.defaultPolicy", 3); // (FF59+) default: 3

user_pref("network.http.referer.defaultPolicy.pbmode", 2); // (FF59+) default: 2

/* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain (FF54+)

* [NOTE] Firefox cannot access .onion sites by default. We recommend you use

* TBB (Tor Browser Bundle) which is specifically designed for the dark web

* [1] https://bugzilla.mozilla.org/1305144 ***/

user_pref("network.http.referer.hideOnionSource", true);

/* 1610: ALL: disable the DNT HTTP header, which is essentially USELESS

* It is voluntary and most ad networks do not honor it. DNT is *NOT* how you stop being data mined.

* Don't encourage a setting that gives any legitimacy to 3rd parties being in control of your privacy.

* Sending a DNT header *highly likely* raises entropy, especially in standard windows.

* [SETTING] Privacy & Security>Tracking Protecting>Send websites a "Do Not Track"...

* [SETTING-ESR52] Privacy>Use Tracking Protecting>manage your Do Not Track settings

* [NOTE] DNT is enforced with TP (see 0420) regardless of this pref (e.g. in default PB Mode)

* [NOTE] If you use NoScript MAKE SURE to set the pref noscript.doNotTrack.enabled to match ***/

user_pref("privacy.donottrackheader.enabled", false);

/*** 1700: CONTAINERS [SETUP]

[1] https://support.mozilla.org/kb/containers-experiment

[2] https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers

[3] https://github.com/mozilla/testpilot-containers

***/

user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");

/* 1701: enable Container Tabs setting in preferences (see 1702) (FF50+)

* [1] https://bugzilla.mozilla.org/1279029 ***/

// user_pref("privacy.userContext.ui.enabled", true);

/* 1702: enable Container Tabs (FF50+)

* [SETTING] Privacy & Security>Tabs>Enable Container Tabs

* [SETTING-ESR52] Privacy>Container Tabs>Enable Container Tabs ***/

// user_pref("privacy.userContext.enabled", true);

/* 1703: enable a private container for thumbnail loads (FF51+) ***/

// user_pref("privacy.usercontext.about_newtab_segregation.enabled", true);

/* 1704: set long press behaviour on "+ Tab" button to display container menu (FF53+)

* 0=disables long press, 1=when clicked, the menu is shown

* 2=the menu is shown after X milliseconds

* [NOTE] The menu does not contain a non-container tab option

* [1] https://bugzilla.mozilla.org/1328756 ***/

// user_pref("privacy.userContext.longPressBehavior", 2);

/*** 1800: PLUGINS ***/

user_pref("_user.js.parrot", "1800 syntax error: the parrot's pushing up daisies!");

/* 1801: set default plugin state (i.e. new plugins on discovery) to never activate

* 0=disabled, 1=ask to activate, 2=active - you can override individual plugins ***/

user_pref("plugin.default.state", 0);

user_pref("plugin.defaultXpi.state", 0);

/* 1802: enable click to play and set to 0 minutes ***/

user_pref("plugins.click_to_play", true);

user_pref("plugin.sessionPermissionNow.intervalInMinutes", 0);

/* 1803: set a plugin state: 0=deactivated 1=ask 2=enabled (Flash example)

* you can set all these plugin.state's via Add-ons>Plugins or search for plugin.state in about:config

* [NOTE] You can still over-ride individual sites e.g. youtube via site permissions

* [1] https://www.ghacks.net/2013/07/09/how-to-make-sure-that-a-firefox-plugin-never-activates-again/ ***/

// user_pref("plugin.state.flash", 0);

/* 1805: disable scanning for plugins [WINDOWS]

* [1] http://kb.mozillazine.org/Plugin_scanning

* plid.all = whether to scan the directories specified in the Windows registry for PLIDs.

* Used to detect RealPlayer, Java, Antivirus etc, but since FF52 only covers Flash ***/

user_pref("plugin.scan.plid.all", false);

/* 1820: disable all GMP (Gecko Media Plugins) [SETUP]

* [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/

user_pref("media.gmp-provider.enabled", false);

user_pref("media.gmp.trial-create.enabled", false);

user_pref("media.gmp-manager.url", "data:text/plain,");

user_pref("media.gmp-manager.url.override", "data:text/plain,"); // (hidden pref)

user_pref("media.gmp-manager.updateEnabled", false); // disable local fallback (hidden pref)

/* 1825: disable widevine CDM (Content Decryption Module) [SETUP] ***/

user_pref("media.gmp-widevinecdm.visible", false);

user_pref("media.gmp-widevinecdm.enabled", false);

user_pref("media.gmp-widevinecdm.autoupdate", false);

/* 1830: disable all DRM content (EME: Encryption Media Extension) [SETUP]

* [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/

user_pref("media.eme.enabled", false); // [SETTING] General>DRM Content>Play DRM-controlled content

user_pref("browser.eme.ui.enabled", false); // hides "Play DRM-controlled content" checkbox [RESTART]

/* 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate"

* This is the bundled codec used for video chat in WebRTC ***/

user_pref("media.gmp-gmpopenh264.enabled", false); // (hidden pref)

user_pref("media.gmp-gmpopenh264.autoupdate", false);