emdee/base_role
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ddb600ead2
base_role/templates/etc/ansible/ansible.cfg
embed@git.macaw.me b50fd16591 first
2024-01-06 01:38:28 +00:00

1742 lines
88 KiB
INI
Raw Blame History

# -*- mode: ini; tab-width: 0; coding: utf-8-unix -*-
# https://raw.githubusercontent.com/ansible/ansible/devel/examples/ansible.cfg
[default]
# its a pretty broken debugger - fix it
# debug = true
# yaml dense unixy yaml oneline selective skippy stderr myyaml actionable
stdout_callback = yaml
# skippy
display_skipped_hosts = no
# stderr
display_failed_stderr = yes
# (as of 1.8), Ansible can optionally warn when usage of the shell and
# command module appear to be simplified by using a default Ansible module
# instead. These warnings can be silenced by adjusting the following
# setting or adding warn=yes or warn=no to the end of the command line
# parameter string. This will for example suggest using the git module
# instead of shelling out to the git command.
command_warnings = False
deprecation_warnings = False
error_on_undefined_vars = True
# by default (as of 1.4), Ansible may display deprecation warnings for language
# features that should no longer be used and will be removed in future versions.
# to disable these warnings, set the following value to False:
deprecation_warnings = False
display_args_to_stdout = False
force_color = False
forks = 5
# by default (as of 1.6), Ansible may display warnings based on the configuration of the
# system running ansible itself. This may include warnings about 3rd party packages or
# other conditions that should be resolved if possible.
# to disable these warnings, set the following value to False:
system_warnings = False
gather_timeout = 120
handler_includes_static = True
# Ansible by default will override variables in specific precedence orders, as described in Variables.
# When a variable of higher precedence wins, it will replace the other value.
#?! hash_behaviour = merged
host_key_checking = False
# http://chrisbergeron.com/2018/06/08/ansible_performance_tuning/
gathering = smart
fact_caching = jsonfile
fact_caching_connection = var/tmp/.ansible_fact_cache
# /usr/local/lib/python2.7/site-packages/ansible/plugins/callback/default.py
display_failed_stderr = True
# This sets the interval (in seconds) of Ansible internal processes polling each other. Lower values
# improve performance with large playbooks at the expense of extra CPU load. Higher values are more
# suitable for Ansible usage in automation scenarios, when UI responsiveness is not required but CPU usage
# might be a concern. Default corresponds to the value hardcoded in 2.1:
# Fixme: should be per user
internal_poll_interval=1
# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
nocows = 1
# When a playbook fails by default a .retry file will be created in ~/
# You can disable this feature by setting retry_files_enabled to False
# and you can change the location of the files by setting retry_files_save_path
retry_files_enabled = False
handler_includes_static = True
timeout = 60
gather_timeout = 90
#! fatal: [localhost]: FAILED! => {"changed": false, "cmd": "/bin/lsblk --list --noheadings --paths --output NAME,UUID --exclude 2", "msg": "Timer expired after 30 seconds", "rc": 257}
// BEGIN ANSIBLE MANAGED BLOCK privacy ghacks-user.js
// etc/testforge/firefox/ghacks-user.js
/******
* name: ghacks user.js
* date: 11 March 2020
* version 74-alpha
* authors: v52+ github | v51- www.ghacks.net
* url: https://github.com/ghacksuserjs/ghacks-user.js
* license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt
* releases: These are end-of-stable-life-cycle legacy archives.
*Always* use the master branch user.js for a current up-to-date version.
url: https://github.com/ghacksuserjs/ghacks-user.js/releases
* README:
0. Consider using Tor Browser if it meets your needs or fits your threat model better
* https://www.torproject.org/about/torusers.html.en
1. READ the full README
* https://github.com/ghacksuserjs/ghacks-user.js/blob/master/README.md
2. READ this
* https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation
3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum
* Real time binary checks with Google services are disabled (0412)
* You will still get prompts to update Firefox, but auto-installing them is disabled (0302a)
* Some user data is erased on close (section 2800). Change this to suit your needs
* EACH RELEASE check:
- 4600s: reset prefs made redundant due to privacy.resistFingerprinting (RPF)
or enable them as an alternative to RFP (or some of them for ESR users)
- 9999s: reset deprecated prefs in about:config or enable the relevant section for ESR
* Site breakage WILL happen
- There are often trade-offs and conflicts between Security vs Privacy vs Anti-Fingerprinting
and these need to be balanced against Functionality & Convenience & Breakage
* You will need to make changes, and to troubleshoot at times (choose wisely, there is always a trade-off).
While not 100% definitive, search for "[SETUP". If required, add each pref to your overrides section at
default values (or comment them out and reset them in about:config). Here are the main ones:
[SETUP-SECURITY] it's one item, read it
[SETUP-WEB] can cause some websites to break
[SETUP-CHROME] changes how Firefox itself behaves (i.e. NOT directly website related)
[SETUP-PERF] may impact performance
[SETUP-HARDEN] maybe you should consider using the Tor Browser
* [WARNING] tags are extra special and used sparingly, so heed them
4. BACKUP your profile folder before implementing (and/or test in a new/cloned profile)
5. KEEP UP TO DATE: https://github.com/ghacksuserjs/ghacks-user.js/wiki#small_orange_diamond-maintenance
* INDEX:
0100: STARTUP
0200: GEOLOCATION / LANGUAGE / LOCALE
0300: QUIET FOX
0400: BLOCKLISTS / SAFE BROWSING
0500: SYSTEM ADD-ONS / EXPERIMENTS
0600: BLOCK IMPLICIT OUTBOUND
0700: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc
0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS
0900: PASSWORDS
1000: CACHE / SESSION (RE)STORE / FAVICONS
1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
1400: FONTS
1600: HEADERS / REFERERS
1700: CONTAINERS
1800: PLUGINS
2000: MEDIA / CAMERA / MIC
2200: WINDOW MEDDLING & LEAKS / POPUPS
2300: WEB WORKERS
2400: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT
2500: HARDWARE FINGERPRINTING
2600: MISCELLANEOUS
2700: PERSISTENT STORAGE
2800: SHUTDOWN
4000: FPI (FIRST PARTY ISOLATION)
4500: RFP (RESIST FINGERPRINTING)
4600: RFP ALTERNATIVES
4700: RFP ALTERNATIVES (NAVIGATOR / USER AGENT (UA) SPOOFING)
5000: PERSONAL
9999: DEPRECATED / REMOVED / LEGACY / RENAMED
******/
user_pref('general.warnOnAboutConfig', false); // XUL/XHTML version
user_pref('browser.aboutConfig.showWarning', false); // HTML version [FF71+]
user_pref('browser.shell.checkDefaultBrowser', false);
user_pref('browser.startup.page', 0);
//me user_pref('browser.startup.homepage', 'about:blank');
user_pref('browser.newtabpage.enabled', false);
user_pref('browser.newtab.preload', false);
user_pref('browser.newtabpage.activity-stream.feeds.telemetry', false);
user_pref('browser.newtabpage.activity-stream.telemetry', false);
user_pref('browser.newtabpage.activity-stream.feeds.snippets', false);
user_pref('browser.newtabpage.activity-stream.asrouter.providers.snippets', '');
user_pref('browser.newtabpage.activity-stream.feeds.section.topstories', false);
user_pref('browser.newtabpage.activity-stream.section.highlights.includePocket', false);
user_pref('browser.newtabpage.activity-stream.showSponsored', false);
user_pref('browser.newtabpage.activity-stream.feeds.discoverystreamfeed', false); // [FF66+]
// user_pref('browser.library.activity-stream.enabled', false);
//me user_pref('browser.privatebrowsing.autostart', true);
user_pref('geo.enabled', false); //me
// user_pref('permissions.default.geo', 2);
user_pref('geo.provider.network.url', '');
// user_pref('geo.provider.network.logging.enabled', true); // [HIDDEN PREF]
user_pref('geo.provider.ms-windows-location', false); // [WINDOWS]
user_pref('geo.provider.use_corelocation', false); // [MAC]
user_pref('geo.provider.use_gpsd', false); // [LINUX]
user_pref('browser.search.region', 'US'); // [HIDDEN PREF]
user_pref('browser.search.geoip.url', '');
user_pref('browser.search.geoSpecificDefaults', false);
user_pref('browser.search.geoSpecificDefaults.url', '');
user_pref('intl.accept_languages', 'en-US, en');
user_pref('javascript.use_us_english_locale', true); // [HIDDEN PREF]
user_pref('intl.charset.fallback.override', 'latin-1'); //me
user_pref('extensions.update.enabled', false); //me
user_pref('app.update.auto', false);
user_pref('extensions.update.autoUpdateDefault', false); //me
// user_pref('extensions.getAddons.cache.enabled', false);
user_pref('browser.search.update', false);
user_pref('dom.ipc.plugins.flash.subprocess.crashreporter.enabled', false);
user_pref('dom.ipc.plugins.reportCrashURL', false);
user_pref('extensions.getAddons.showPane', false); // [HIDDEN PREF]
user_pref('extensions.htmlaboutaddons.recommendations.enabled', false);
user_pref('toolkit.telemetry.unified', false);
user_pref('toolkit.telemetry.enabled', false); // see [NOTE] above FF58+
user_pref('toolkit.telemetry.server', 'data:,');
user_pref('toolkit.telemetry.archive.enabled', false);
user_pref('toolkit.telemetry.newProfilePing.enabled', false); // [FF55+]
user_pref('toolkit.telemetry.shutdownPingSender.enabled', false); // [FF55+]
user_pref('toolkit.telemetry.updatePing.enabled', false); // [FF56+]
user_pref('toolkit.telemetry.bhrPing.enabled', false); // [FF57+] Background Hang Reporter
user_pref('toolkit.telemetry.firstShutdownPing.enabled', false); // [FF57+]
user_pref('toolkit.telemetry.coverage.opt-out', true); // [HIDDEN PREF]
user_pref('toolkit.coverage.opt-out', true); // [FF64+] [HIDDEN PREF]
user_pref('toolkit.coverage.endpoint.base', '');
user_pref('datareporting.healthreport.uploadEnabled', false);
user_pref('datareporting.policy.dataSubmissionEnabled', false);
user_pref('app.shield.optoutstudies.enabled', false);
user_pref('browser.discovery.enabled', false);
user_pref('breakpad.reportURL', '');
user_pref('browser.tabs.crashReporting.sendReport', false); // [FF44+]
user_pref('browser.crashReports.unsubmittedCheck.enabled', false); // [FF51+]
user_pref('browser.crashReports.unsubmittedCheck.autoSubmit2', false); // [FF58+]
user_pref('captivedetect.canonicalURL', '');
user_pref('network.captive-portal-service.enabled', false); // [FF52+]
user_pref('network.connectivity-service.enabled', false);
user_pref('extensions.blocklist.enabled', true); // [DEFAULT: true]
// user_pref('extensions.blocklist.url', 'https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/');
// user_pref('browser.safebrowsing.malware.enabled', false);
// user_pref('browser.safebrowsing.phishing.enabled', false);
// user_pref('browser.safebrowsing.downloads.enabled', false);
user_pref('browser.safebrowsing.downloads.remote.enabled', false);
user_pref('browser.safebrowsing.downloads.remote.url', '');
user_pref('browser.safebrowsing.downloads.remote.block_potentially_unwanted', false); //me
user_pref('browser.safebrowsing.downloads.remote.block_uncommon', false); //me
// user_pref('browser.safebrowsing.allowOverride', false);
user_pref('app.normandy.enabled', false);
user_pref('app.normandy.api_url', '');
user_pref('extensions.systemAddon.update.enabled', false); // [FF62+]
user_pref('extensions.systemAddon.update.url', ''); // [FF44+]
user_pref('browser.ping-centre.telemetry', false);
user_pref('extensions.screenshots.disabled', true); // [FF55+] me
user_pref('extensions.screenshots.upload-disabled', true); // [FF60+] me
user_pref('extensions.formautofill.addresses.enabled', false); // [FF55+]
user_pref('extensions.formautofill.available', 'off'); // [FF56+]
user_pref('extensions.formautofill.creditCards.enabled', false); // [FF56+]
user_pref('extensions.formautofill.heuristics.enabled', false); // [FF55+]
user_pref('extensions.webcompat-reporter.enabled', false);
user_pref('network.prefetch-next', false);
user_pref('network.dns.disablePrefetch', true);
user_pref('network.dns.disablePrefetchFromHTTPS', true); // [HIDDEN PREF ESR] [DEFAULT: true FF70+]
user_pref('network.predictor.enabled', false);
user_pref('network.predictor.enable-prefetch', false); // [FF48+]
user_pref('network.http.speculative-parallel-limit', 0);
user_pref('browser.send_pings', false); // [DEFAULT: false]
user_pref('browser.send_pings.require_same_host', true);
user_pref('network.dns.disableIPv6', true);
// we leave these all default - we need http2 for alt-svc
// https://trac.torproject.org/projects/tor/ticket/26365
user_pref('network.http.spdy.enabled', true);
// user_pref('network.http.spdy.enabled.deps', false);
user_pref('network.http.spdy.enabled.http2', true);
// user_pref('network.http.spdy.websockets', false); // [FF65+]
user_pref('network.http.altsvc.enabled', true); //me
// https://bitsup.blogspot.com/2015/03/opportunistic-encryption-for-firefox.html
user_pref('network.http.altsvc.oe', true); //me
user_pref('network.http.spdy.allow-push', false); //me?
user_pref('network.proxy.socks_remote_dns', true);
// user_pref('network.ftp.enabled', false);
user_pref('network.file.disable_unc_paths', true); // [HIDDEN PREF]
user_pref('network.gio.supported-protocols', ''); // [HIDDEN PREF]
user_pref('keyword.enabled', false);
user_pref('browser.fixup.alternate.enabled', false);
user_pref('browser.urlbar.trimURLs', false);
user_pref('layout.css.visited_links_enabled', false);
user_pref('browser.search.suggest.enabled', false);
user_pref('browser.urlbar.suggest.searches', false);
user_pref('browser.urlbar.usepreloadedtopurls.enabled', false);
user_pref('browser.urlbar.speculativeConnect.enabled', false);
user_pref('browser.urlbar.suggest.history', true); //me
// user_pref('browser.urlbar.suggest.bookmark', false);
user_pref('browser.urlbar.suggest.openpage', true); //me
// user_pref('browser.urlbar.maxRichResults', 0);
user_pref('browser.urlbar.autoFill', false);
// user_pref('browser.urlbar.oneOffSearches', false);
user_pref('browser.formfill.enable', false);
// user_pref('places.history.enabled', false);
user_pref('browser.taskbar.lists.enabled', false);
user_pref('browser.taskbar.lists.frequent.enabled', false);
user_pref('browser.taskbar.lists.recent.enabled', false);
user_pref('browser.taskbar.lists.tasks.enabled', false);
user_pref('browser.taskbar.previews.enable', false);
// user_pref('signon.rememberSignons', false);
user_pref('security.ask_for_password', 2);
user_pref('security.password_lifetime', 5);
user_pref('signon.autofillForms', false);
user_pref('signon.formlessCapture.enabled', false);
user_pref('network.auth.subresource-http-auth-allow', 1);
user_pref('browser.cache.disk.enable', false);
user_pref('browser.cache.memory.enable', true);
user_pref('browser.cache.memory.capacity', 16384); // [HIDDEN PREF ESR] ?size
// user_pref('permissions.memory_only', true); // [HIDDEN PREF]
// user_pref('browser.sessionstore.max_tabs_undo', 0);
user_pref('browser.sessionstore.privacy_level', 2);
// user_pref('browser.sessionstore.resume_from_crash', false);
user_pref('browser.sessionstore.interval', 30000);
user_pref('toolkit.winRegisterApplicationRestart', false);
user_pref('browser.shell.shortcutFavicons', false);
// user_pref('browser.chrome.site_icons', false);
// user_pref('alerts.showFavicons', false); // [DEFAULT: false]
user_pref('security.ssl.require_safe_negotiation', true);
user_pref('security.tls.version.min', 3);
// user_pref('security.tls.version.max', 4);
user_pref('security.tls.version.enable-deprecated', false);
user_pref('security.ssl.disable_session_identifiers', true); // [HIDDEN PREF]
user_pref('security.ssl.errorReporting.automatic', false);
user_pref('security.ssl.errorReporting.enabled', false);
user_pref('security.ssl.errorReporting.url', '');
user_pref('security.tls.enable_0rtt_data', false);
user_pref('security.ssl.enable_ocsp_stapling', true);
user_pref('security.OCSP.enabled', 1);
user_pref('security.OCSP.require', true);
user_pref('security.pki.sha1_enforcement_level', 1);
user_pref('security.family_safety.mode', 0);
// user_pref('security.nocertdb', true); // [HIDDEN PREF]
user_pref('security.cert_pinning.enforcement_level', 2);
user_pref('security.mixed_content.block_active_content', true); // [DEFAULT: true]
user_pref('security.mixed_content.block_display_content', true);
user_pref('security.mixed_content.block_object_subrequest', true);
// user_pref('security.ssl3.rsa_des_ede3_sha', false);
// user_pref('security.ssl3.ecdhe_ecdsa_aes_128_sha', false);
// user_pref('security.ssl3.ecdhe_rsa_aes_128_sha', false);
// user_pref('security.ssl3.dhe_rsa_aes_128_sha', false);
// user_pref('security.ssl3.dhe_rsa_aes_256_sha', false);
// user_pref('security.ssl3.rsa_aes_128_sha', false);
// user_pref('security.ssl3.rsa_aes_256_sha', false);
user_pref('security.ssl.treat_unsafe_negotiation_as_broken', true);
user_pref('browser.ssl_override_behavior', 1);
user_pref('browser.xul.error_pages.expert_bad_cert', true);
user_pref('security.insecure_connection_icon.enabled', true); // [FF59+] [DEFAULT: true FF70+]
user_pref('security.insecure_connection_text.enabled', false); // [FF60+] me
//me leave this enabled for bootstrap
user_pref('browser.display.use_document_fonts', 1);
user_pref('gfx.downloadable_fonts.enabled', true); // [FF41+]
// user_pref('gfx.downloadable_fonts.fallback_delay', -1);
user_pref('gfx.font_rendering.opentype_svg.enabled', true); //me
user_pref('gfx.font_rendering.graphite.enabled', false);
// user_pref('font.system.whitelist', ''); // [HIDDEN PREF]
// user_pref('network.http.sendRefererHeader', 2); // [DEFAULT: 2]
// user_pref('network.http.referer.trimmingPolicy', 0); // [DEFAULT: 0]
user_pref('network.http.referer.XOriginPolicy', 1);
user_pref('network.http.referer.XOriginTrimmingPolicy', 0); // [DEFAULT: 0]
// user_pref('network.http.referer.spoofSource', false); // [DEFAULT: false]
// user_pref('network.http.referer.defaultPolicy', 3); // [DEFAULT: 3]
// user_pref('network.http.referer.defaultPolicy.pbmode', 2); // [DEFAULT: 2]
user_pref('network.http.referer.hideOnionSource', true);
user_pref('privacy.donottrackheader.enabled', true);
user_pref('privacy.userContext.ui.enabled', true);
user_pref('privacy.userContext.enabled', true);
// user_pref('privacy.userContext.newTabContainerOnLeftClick.enabled', true);
user_pref('plugin.state.flash', 0);
// user_pref('media.gmp-provider.enabled', false);
user_pref('media.gmp-widevinecdm.visible', false);
user_pref('media.gmp-widevinecdm.enabled', false);
user_pref('media.eme.enabled', false);
user_pref('media.peerconnection.enabled', false);
user_pref('media.peerconnection.ice.default_address_only', true);
user_pref('media.peerconnection.ice.no_host', true); // [FF51+]
user_pref('media.peerconnection.ice.proxy_only_if_behind_proxy', true); // [FF70+]
user_pref('webgl.disabled', true);
user_pref('webgl.enable-webgl2', false);
user_pref('webgl.min_capability_mode', true);
user_pref('webgl.disable-fail-if-major-performance-caveat', true);
user_pref('media.getusermedia.screensharing.enabled', false);
user_pref('media.getusermedia.browser.enabled', false);
user_pref('media.getusermedia.audiocapture.enabled', false);
// user_pref('permissions.default.camera', 2);
// user_pref('permissions.default.microphone', 2);
// user_pref('media.autoplay.default', 5);
user_pref('media.autoplay.enabled.user-gestures-needed', false);
user_pref('dom.disable_window_open_feature.close', true);
user_pref('dom.disable_window_open_feature.location', true); // [DEFAULT: true]
user_pref('dom.disable_window_open_feature.menubar', true);
user_pref('dom.disable_window_open_feature.minimizable', true);
user_pref('dom.disable_window_open_feature.personalbar', true); // bookmarks toolbar
user_pref('dom.disable_window_open_feature.resizable', true); // [DEFAULT: true]
user_pref('dom.disable_window_open_feature.status', true); // [DEFAULT: true]
user_pref('dom.disable_window_open_feature.titlebar', true);
user_pref('dom.disable_window_open_feature.toolbar', true);
user_pref('dom.disable_window_move_resize', true);
user_pref('browser.link.open_newwindow', 3);
user_pref('browser.link.open_newwindow.restriction', 0);
// user_pref('full-screen-api.enabled', false);
user_pref('dom.disable_open_during_load', true);
user_pref('dom.popup_allowed_events', 'click dblclick');
user_pref('dom.serviceWorkers.enabled', false);
// user_pref('dom.webnotifications.enabled', false); // [FF22+]
// user_pref('dom.webnotifications.serviceworker.enabled', false); // [FF44+]
user_pref('dom.push.enabled', false);
// user_pref('dom.push.userAgentID', '');
// user_pref('permissions.default.desktop-notification', 2);
// user_pref('dom.event.contextmenu.enabled', false);
user_pref('dom.event.clipboardevents.enabled', false);
user_pref('dom.allow_cut_copy', false);
user_pref('dom.disable_beforeunload', true);
user_pref('dom.vibrator.enabled', false);
user_pref('javascript.options.asmjs', false);
// user_pref('javascript.options.ion', false);
// user_pref('javascript.options.baselinejit', false);
user_pref('javascript.options.wasm', false);
// user_pref('dom.IntersectionObserver.enabled', false);
user_pref('dom.targetBlankNoOpener.enabled', true);
// user_pref('dom.battery.enabled', false);
user_pref('media.navigator.enabled', false);
// user_pref('gfx.direct2d.disabled', true); // [WINDOWS]
// user_pref('layers.acceleration.disabled', true);
user_pref('dom.webaudio.enabled', false);
// user_pref('media.media-capabilities.enabled', false);
// user_pref('dom.vr.enabled', false);
// user_pref('permissions.default.xr', 0);
user_pref('accessibility.force_disabled', 1);
user_pref('beacon.enabled', false);
user_pref('browser.helperApps.deleteTempFileOnExit', true);
user_pref('browser.pagethumbnails.capturing_disabled', true); // [HIDDEN PREF]
user_pref('browser.tabs.remote.allowLinkedWebInFileUriProcess', false);
user_pref('browser.uitour.enabled', false);
user_pref('browser.uitour.url', '');
user_pref('devtools.chrome.enabled', false);
user_pref('devtools.debugger.remote-enabled', false);
// user_pref('mathml.disabled', true);
// user_pref('svg.disabled', true);
user_pref('middlemouse.contentLoadURL', false);
user_pref('network.http.redirection-limit', 10);
// user_pref('permissions.default.shortcuts', 2);
user_pref('permissions.manager.defaultsUrl', '');
user_pref('webchannel.allowObject.urlWhitelist', '');
user_pref('network.IDN_show_punycode', true);
user_pref('pdfjs.disabled', true); // [DEFAULT: false]
user_pref('network.protocol-handler.external.ms-windows-store', false);
user_pref('browser.display.use_system_colors', false); // [DEFAULT: false]
// user_pref('browser.download.folderList', 2);
user_pref('browser.download.useDownloadDir', false);
user_pref('browser.download.manager.addToRecentDocs', false);
user_pref('browser.download.hide_plugins_without_extensions', false);
// user_pref('browser.download.forbid_open_with', true);
user_pref('extensions.enabledScopes', 5); // [HIDDEN PREF]
user_pref('extensions.autoDisableScopes', 15); // [DEFAULT: 15]
// user_pref('extensions.webextensions.restrictedDomains', '');
user_pref('security.csp.enable', true); // [DEFAULT: true]
user_pref('security.dialog_enable_delay', 700);
user_pref('network.cookie.cookieBehavior', 1);
user_pref('browser.contentblocking.category', 'custom');
user_pref('network.cookie.thirdparty.sessionOnly', true);
user_pref('network.cookie.thirdparty.nonsecureSessionOnly', true); // [FF58+]
// user_pref('network.cookie.lifetimePolicy', 2);
// user_pref('dom.storage.enabled', false);
user_pref('browser.cache.offline.enable', false);
// user_pref('dom.caches.enabled', false);
// user_pref('dom.storageManager.enabled', false);
// user_pref('dom.storage_access.enabled', false);
user_pref('privacy.sanitize.sanitizeOnShutdown', true);
user_pref('privacy.clearOnShutdown.cache', true);
user_pref('privacy.clearOnShutdown.cookies', true);
user_pref('privacy.clearOnShutdown.downloads', false); // see note above
user_pref('privacy.clearOnShutdown.formdata', true); // Form & Search History
user_pref('privacy.clearOnShutdown.history', false); // Browsing & Download History
user_pref('privacy.clearOnShutdown.offlineApps', true); // Offline Website Data
user_pref('privacy.clearOnShutdown.sessions', true); // Active Logins
user_pref('privacy.clearOnShutdown.siteSettings', false); // Site Preferences
user_pref('privacy.cpd.cache', true);
user_pref('privacy.cpd.cookies', true);
// user_pref('privacy.cpd.downloads', true); // not used, see note above
user_pref('privacy.cpd.formdata', true); // Form & Search History
user_pref('privacy.cpd.history', false); // Browsing & Download History
user_pref('privacy.cpd.offlineApps', true); // Offline Website Data
user_pref('privacy.cpd.passwords', false); // this is not listed
user_pref('privacy.cpd.sessions', true); // Active Logins
user_pref('privacy.cpd.siteSettings', false); // Site Preferences
// user_pref('privacy.clearOnShutdown.openWindows', true);
// user_pref('privacy.cpd.openWindows', true);
user_pref('privacy.sanitize.timeSpan', 0);
user_pref('privacy.firstparty.isolate', true);
// user_pref('privacy.firstparty.isolate.restrict_opener_access', true); // [DEFAULT: true]
// user_pref('privacy.firstparty.isolate.block_post_message', true); // [HIDDEN PREF ESR]
// https://github.com/kkapsner/CanvasBlocker/issues/158
user_pref('privacy.resistFingerprinting', false);
// user_pref('privacy.window.maxInnerWidth', 1000);
// user_pref('privacy.window.maxInnerHeight', 1000);
user_pref('privacy.resistFingerprinting.block_mozAddonManager', true); // [HIDDEN PREF]
user_pref('privacy.resistFingerprinting.letterboxing', true); // [HIDDEN PREF]
// user_pref('privacy.resistFingerprinting.letterboxing.dimensions', ''); // [HIDDEN PREF]
user_pref('browser.startup.blankWindow', false);
// user_pref('dom.maxHardwareConcurrency', 2);
user_pref('dom.enable_resource_timing', false);
user_pref('dom.enable_performance', false);
// user_pref('device.sensors.enabled', false);
user_pref('browser.zoom.siteSpecific', false);
// user_pref('dom.gamepad.enabled', false);
user_pref('dom.netinfo.enabled', false); // [DEFAULT: true on Android]
user_pref('media.webspeech.synth.enabled', false);
user_pref('media.video_stats.enabled', false);
// user_pref('dom.w3c_touch_events.enabled', 0);
user_pref('media.ondevicechange.enabled', false);
user_pref('webgl.enable-debug-renderer-info', false);
user_pref('dom.w3c_pointer_events.enabled', false);
user_pref('ui.use_standins_for_native_colors', true);
user_pref('ui.systemUsesDarkTheme', 0); // [HIDDEN PREF]
// user_pref('general.useragent.override', ''); // [HIDDEN PREF]
// user_pref('general.buildID.override', ''); // [HIDDEN PREF]
// user_pref('general.appname.override', ''); // [HIDDEN PREF]
// user_pref('general.appversion.override', ''); // [HIDDEN PREF]
// user_pref('general.platform.override', ''); // [HIDDEN PREF]
// user_pref('general.oscpu.override', ''); // [HIDDEN PREF]
// user_pref('browser.startup.homepage_override.mstone', 'ignore'); // master switch
// user_pref('startup.homepage_welcome_url', '');
// user_pref('startup.homepage_welcome_url.additional', '');
// user_pref('startup.homepage_override_url', ''); // Whats New page after updates
// user_pref('browser.tabs.warnOnClose', false);
// user_pref('browser.tabs.warnOnCloseOtherTabs', false);
// user_pref('browser.tabs.warnOnOpen', false);
// user_pref('full-screen-api.warning.delay', 0);
// user_pref('full-screen-api.warning.timeout', 0);
// user_pref('browser.download.autohideButton', false); // [FF57+]
// user_pref('toolkit.cosmeticAnimations.enabled', false); // [FF55+]
// user_pref('toolkit.legacyUserProfileCustomizations.stylesheets', true); // [FF68+] allow userChrome/userContent
// user_pref('accessibility.typeaheadfind', true); // enable 'Find As You Type'
// user_pref('clipboard.autocopy', false); // disable autocopy default [LINUX]
// user_pref('layout.spellcheckDefault', 2); // 0=none, 1-multi-line, 2=multi-line & single-line
// user_pref('browser.backspace_action', 2); // 0=previous page, 1=scroll up, 2=do nothing
// user_pref('browser.tabs.closeWindowWithLastTab', false);
// user_pref('browser.tabs.loadBookmarksInTabs', true); // open bookmarks in a new tab [FF57+]
// user_pref('browser.urlbar.decodeURLsOnCopy', true); // see bugzilla 1320061 [FF53+]
// user_pref('general.autoScroll', false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux]
// user_pref('ui.key.menuAccessKey', 0); // disable alt key toggling the menu bar [RESTART]
// user_pref('view_source.tab', false); // view 'page/selection source' in a new window [FF68+, FF59 and under]
// user_pref('browser.messaging-system.whatsNewPanel.enabled', false); // Whats New [FF69+]
// user_pref('extensions.pocket.enabled', false); // Pocket Account [FF46+]
// user_pref('identity.fxaccounts.enabled', false); // Firefox Accounts & Sync [FF60+] [RESTART]
// user_pref('reader.parse-on-load.enabled', false); // Reader View
// user_pref('browser.bookmarks.max_backups', 2);
// user_pref('browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons', false); // disable CFR [FF67+]
// user_pref('browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features', false); // disable CFR [FF67+]
// user_pref('network.manage-offline-status', false); // see bugzilla 620472
// user_pref('xpinstall.signatures.required', false); // enforced extension signing (Nightly/ESR)
// user_pref('gfx.downloadable_fonts.woff2.enabled', false);
//? user_pref('plugins.click_to_play', true); // [DEFAULT: true FF25+]
// user_pref('media.autoplay.allow-muted', false);
user_pref('devtools.webide.enabled', false); // [DEFAULT: false FF70+]
user_pref('devtools.webide.autoinstallADBExtension', false); // [FF64+]
user_pref('offline-apps.allow_by_default', false);
user_pref('browser.newtabpage.activity-stream.telemetry.ping.endpoint', '');
user_pref('toolkit.telemetry.hybridContent.enabled', false); // [FF59+]
user_pref('dom.indexedDB.enabled', true); // [DEFAULT: true]
user_pref('privacy.userContext.longPressBehavior', 2);
user_pref('webgl.disable-extensions', true);
// END ANSIBLE MANAGED BLOCK privacy ghacks-user.js
// BEGIN ANSIBLE MANAGED BLOCK privacy pyllyukko-user.js
// etc/testforge/firefox/pyllyukko-user.js
// grep ^user ../../github.com/pyllyukko/user.js/user.js| sed -e 's/.*("//' -e 's/).*//' -e 's/",//' /var/local/net/Git/github.com/pyllyukko/user.js/user.js
// sed -e 's@//@#@' -e 's@^/\\**@@' -e 's@^ \\**/@@' -e 's/^ \\*/# */' -e 's/.*(\"/{ name: \"/' -e 's/).*/ }/' -e 's/\",[ \\t]*/\", val: /' /var/local/net/Git/github.com/pyllyukko/user.js/user.js >pyllyukko_user.js.yml
// * SECTION: HTML5 / APIs / DOM *
// PREF: Disable Service Workers
// https://developer.mozilla.org/en-US/docs/Web/API/Worker
// https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
// https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
// NOTICE: Disabling ServiceWorkers breaks functionality on some sites (Google Street View... )
// Unknown security implications
// CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed )
//g user_pref(.dom.serviceWorkers.enabled., false);
// PREF: Disable web notifications
// https://support.mozilla.org/en-US/questions/1140439
user_pref('dom.webnotifications.enabled', false);
// PREF: Disable DOM timing API
// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
// https://www.w3.org/TR/navigation-timing/#privacy
//g user_pref(.dom.enable_performance., false);
// PREF: Make sure the User Timing API does not provide a new high resolution timestamp
// https://trac.torproject.org/projects/tor/ticket/16336
// https://www.w3.org/TR/2013/REC-user-timing-20131212/#privacy-security
user_pref('dom.enable_user_timing', false);
// PREF: Disable Web Audio API
// https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
//g user_pref(.dom.webaudio.enabled., false);
// PREF: Disable Location-Aware Browsing (geolocation )
// https://www.mozilla.org/en-US/firefox/geolocation/
user_pref('geo.enabled', false);
// PREF: When geolocation is enabled, use Mozilla geolocation service instead of Google
// https://bugzilla.mozilla.org/show_bug.cgi?id=689252
//g user_pref(.geo.wifi.uri., 'https:#location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%');
// PREF: When geolocation is enabled, don't log geolocation requests to the console
user_pref('geo.wifi.logging.enabled', false);
// PREF: Disable raw TCP socket support (mozTCPSocket )
// https://trac.torproject.org/projects/tor/ticket/18863
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/
// https://developer.mozilla.org/docs/Mozilla/B2G_OS/API/TCPSocket
user_pref('dom.mozTCPSocket.enabled', false);
// PREF: Disable DOM storage (disabled )
// http://kb.mozillazine.org/Dom.storage.enabled
// https://html.spec.whatwg.org/multipage/webstorage.html
// NOTICE-DISABLED: Disabling DOM storage is known to cause`TypeError: localStorage is null` errors
user_pref('dom.storage.enabled', false);
// PREF: Disable leaking network/browser connection information via Javascript
// Network Information API provides general information about the system's connection type (WiFi, cellular, etc. )
// https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
// https://wicg.github.io/netinfo/#privacy-considerations
// https://bugzilla.mozilla.org/show_bug.cgi?id=960426
//g user_pref(.dom.netinfo.enabled., false);
// PREF: Disable network API (Firefox < 32 )
// https://developer.mozilla.org/en-US/docs/Web/API/Connection/onchange
// https://www.torproject.org/projects/torbrowser/design/#fingerprinting-defenses
user_pref('dom.network.enabled', false);
// https://bugs.chromium.org/p/chromium/issues/detail?id=497040
// https://ipleak.net/
//
// PREF: Disable WebRTC entirely to prevent leaking internal IP addresses (Firefox < 42 )
// NOTICE: Disabling WebRTC breaks peer-to-peer file sharing tools (reep.io ... )
//g user_pref(.media.peerconnection.enabled., false);
// PREF: Don't reveal your internal IP when WebRTC is enabled (Firefox >= 42 )
// https://wiki.mozilla.org/Media/WebRTC/Privacy
// https://github.com/beefproject/beef/wiki/Module%3A-Get-Internal-IP-WebRTC
//g user_pref(.media.peerconnection.ice.default_address_only., true);
//g user_pref(.media.peerconnection.ice.no_host., true);
// PREF: Disable WebRTC getUserMedia, screen sharing, audio capture, video capture
// https://wiki.mozilla.org/Media/getUserMedia
// https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/
// https://developer.mozilla.org/en-US/docs/Web/API/Navigator
//g user_pref(.media.navigator.enabled., false);
user_pref('media.navigator.video.enabled', false);
//g user_pref(.media.getusermedia.screensharing.enabled., false);
//g user_pref(.media.getusermedia.audiocapture.enabled., false);
// PREF: Disable battery API (Firefox < 52 )
// https://developer.mozilla.org/en-US/docs/Web/API/BatteryManager
// https://bugzilla.mozilla.org/show_bug.cgi?id=1313580
user_pref('dom.battery.enabled', false);
// PREF: Disable telephony API
// https://wiki.mozilla.org/WebAPI/Security/WebTelephony
user_pref('dom.telephony.enabled', false);
// PREF: Disable 'beacon' asynchronous HTTP transfers (used for analytics )
// https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
//g user_pref(.beacon.enabled., false);
// PREF: Disable clipboard event detection (onCut/onCopy/onPaste )
// NOTICE: Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs... )
// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
//g user_pref(.dom.event.clipboardevents.enabled., false);
// PREF: Disable 'copy to clipboard' functionality via Javascript (Firefox >= 41 )
// NOTICE: Disabling clipboard operations will break legitimate JS-based 'copy to clipboard' functionality
// https://hg.mozilla.org/mozilla-central/rev/2f9f8ea4b9c3
//g user_pref(.dom.allow_cut_copy., false);
// PREF: Disable speech recognition
// https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html
// https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
// https://wiki.mozilla.org/HTML5_Speech_API
user_pref('media.webspeech.recognition.enable', false);
// PREF: Disable speech synthesis
// https://developer.mozilla.org/en-US/docs/Web/API/SpeechSynthesis
//g user_pref(.media.webspeech.synth.enabled., false);
// PREF: Disable sensor API
// https://wiki.mozilla.org/Sensor_API
user_pref('device.sensors.enabled', false);
// PREF: Disable pinging URIs specified in HTML <a> ping= attributes
// http://kb.mozillazine.org/Browser.send_pings
//g user_pref(.browser.send_pings., false);
// PREF: When browser pings are enabled, only allow pinging the same host as the origin page
// http://kb.mozillazine.org/Browser.send_pings.require_same_host
// PREF: Disable IndexedDB (disabled )
// https://developer.mozilla.org/en-US/docs/IndexedDB
// https://en.wikipedia.org/wiki/Indexed_Database_API
// https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review
// http://forums.mozillazine.org/viewtopic.php?p=13842047
// https://github.com/pyllyukko/user.js/issues/8
// NOTICE-DISABLED: IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock )
//g user_pref(.dom.indexedDB.enabled., false);
// TODO: 'Access Your Location' 'Maintain Offline Storage' 'Show Notifications'
// PREF: Disable gamepad API to prevent USB device enumeration
// https://www.w3.org/TR/gamepad/
// https://trac.torproject.org/projects/tor/ticket/13023
user_pref('dom.gamepad.enabled', false);
// PREF: Disable virtual reality devices APIs
// https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
// https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
user_pref('dom.vr.enabled', false);
// PREF: Disable vibrator API
//g user_pref(.dom.vibrator.enabled., false);
// PREF: Disable resource timing API
// https://www.w3.org/TR/resource-timing/#privacy-security
//g user_pref(.dom.enable_resource_timing., false);
// PREF: Disable Archive API (Firefox < 54 )
// https://wiki.mozilla.org/WebAPI/ArchiveAPI
// https://bugzilla.mozilla.org/show_bug.cgi?id=1342361
user_pref('dom.archivereader.enabled', false);
// PREF: Disable webGL
// https://en.wikipedia.org/wiki/WebGL
// https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
//g user_pref(.webgl.disabled., true);
// PREF: When webGL is enabled, use the minimum capability mode
//g user_pref(.webgl.min_capability_mode., true);
// PREF: When webGL is enabled, disable webGL extensions
// https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API#WebGL_debugging_and_testing
//g user_pref(.webgl.disable-extensions., true);
// PREF: When webGL is enabled, force enabling it even when layer acceleration is not supported
// https://trac.torproject.org/projects/tor/ticket/18603
//g user_pref(.webgl.disable-fail-if-major-performance-caveat., true);
// PREF: When webGL is enabled, do not expose information about the graphics driver
// https://bugzilla.mozilla.org/show_bug.cgi?id=1171228
// https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info
//g user_pref(.webgl.enable-debug-renderer-info., false);
// somewhat related...
user_pref('pdfjs.enableWebGL', false);
// PREF: Spoof dual-core CPU
// https://trac.torproject.org/projects/tor/ticket/21675
// https://bugzilla.mozilla.org/show_bug.cgi?id=1360039
user_pref('dom.maxHardwareConcurrency', 2);
// https://github.com/stevespringett/disable-webassembly
//
// PREF: Disable WebAssembly
// https://webassembly.org/
// https://en.wikipedia.org/wiki/WebAssembly
// https://trac.torproject.org/projects/tor/ticket/21549
//g user_pref(.javascript.options.wasm., false);
// * SECTION: Misc *
// PREF: Disable face detection
user_pref('camera.control.face_detection.enabled', false);
// PREF: Disable GeoIP lookup on your address to set default search engine region
// https://trac.torproject.org/projects/tor/ticket/16254
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine
user_pref('browser.search.countryCode', 'US');
//g user_pref(.browser.search.region., 'US');
// PREF: Set Accept-Language HTTP header to en-US regardless of Firefox localizationnguage HTTP header to en-US regardless of Firefox localization
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language
// PREF: Don't use OS values to determine locale, force using Firefox locale setting
// http://kb.mozillazine.org/Intl.locale.matchOS
user_pref('intl.locale.matchOS', false);
// PREF: Don't use Mozilla-provided location-specific search engines
// PREF: Do not automatically send selection to clipboard on some Linux platforms
// http://kb.mozillazine.org/Clipboard.autocopy
user_pref('clipboard.autocopy', false);
// PREF: Prevent leaking application locale/date format using JavaScript
// https://bugzilla.mozilla.org/show_bug.cgi?id=867501
// https://hg.mozilla.org/mozilla-central/rev/52d635f2b33d
//g user_pref(.javascript.use_us_english_locale., true);
// PREF: Do not submit invalid URIs entered in the address bar to the default search engine
// http://kb.mozillazine.org/Keyword.enabled
// PREF: Don't trim HTTP off of URLs in the address bar.
// https://bugzilla.mozilla.org/show_bug.cgi?id=665580
// See http://archives.seul.org/or/talk/Feb-2010/msg00048.html
// This is a bit of a guess (so make sure you remember how to
// revert!), but in about:config try setting
// browser.fixup.alternate.enabled to false. I believe that is how
// you turn off the browser attempting a prefix of www. and/or a
// suffix of .com if it doesn't think the URL you entered is correct.
//
// PREF: Don't try to guess domain names when entering an invalid domain name in URL bar
// http://www-archive.mozilla.org/docs/end-user/domain-guessing.html
// PREF: When browser.fixup.alternate.enabled is enabled, strip password from 'user:password@...' URLs
// https://github.com/pyllyukko/user.js/issues/290#issuecomment-303560851
user_pref('browser.fixup.hide_user_pass', true);
// PREF: Send DNS request through SOCKS when SOCKS proxying is in use
// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
// PREF: Don't monitor OS online/offline connection state
// https://trac.torproject.org/projects/tor/ticket/18945
user_pref('network.manage-offline-status', false);
// PREF: Enforce Mixed Active Content Blocking
// https://support.mozilla.org/t5/Protect-your-privacy/Mixed-content-blocking-in-Firefox/ta-p/10990
// https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_23#Non-SSL_contents_on_SSL_pages_are_blocked_by_default
// https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
//g user_pref(.security.mixed_content.block_active_content., true);
// PREF: Enforce Mixed Passive Content blocking (a.k.a. Mixed Display Content )
// NOTICE: Enabling Mixed Display Content blocking can prevent images/styles... from loading properly when connection to the website is only partially secured
// PREF: Disable JAR from opening Unsafe File Types
// http://kb.mozillazine.org/Network.jar.open-unsafe-types
// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.7
user_pref('network.jar.open-unsafe-types', false);
// CIS 2.7.4 Disable Scripting of Plugins by JavaScript
// http://forums.mozillazine.org/viewtopic.php?f=7&t=153889
user_pref('security.xpconnect.plugin.unrestricted', false);
// PREF: Set File URI Origin Policy
// http://kb.mozillazine.org/Security.fileuri.strict_origin_policy
// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.8
user_pref('security.fileuri.strict_origin_policy', true);
// PREF: Disable Displaying Javascript in History URLs
// http://kb.mozillazine.org/Browser.urlbar.filter.javascript
// CIS 2.3.6
user_pref('browser.urlbar.filter.javascript', true);
// PREF: Disable asm.js - override
// http://asmjs.org/
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712
//g user_pref(.javascript.options.asmjs., false);
// PREF: Disable SVG in OpenType fonts
// https://wiki.mozilla.org/SVGOpenTypeFonts
// https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle
// PREF: Disable in-content SVG rendering (Firefox >= 53 )
// NOTICE-DISABLED: Disabling SVG support breaks many UI elements on many sites
// https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
// https://github.com/iSECPartners/publications/raw/master/reports/Tor%20Browser%20Bundle/Tor%20Browser%20Bundle%20-%20iSEC%20Deliverable%201.3.pdf#16
user_pref('svg.disabled', true);
// PREF: Disable video stats to reduce fingerprinting threat
// https://bugzilla.mozilla.org/show_bug.cgi?id=654550
// https://github.com/pyllyukko/user.js/issues/9#issuecomment-100468785
// https://github.com/pyllyukko/user.js/issues/9#issuecomment-148922065
//g user_pref(.media.video_stats.enabled., false);
// PREF: Don't reveal build ID
// Value taken from Tor Browser
// https://bugzilla.mozilla.org/show_bug.cgi?id=583181
user_pref('general.buildID.override', '20100101');
//g user_pref(.browser.startup.homepage.override.buildID', '20100101');
// PREF: Prevent font fingerprinting
// https://browserleaks.com/fonts
// https://github.com/pyllyukko/user.js/issues/120
// PREF: Enable only whitelisted URL protocol handlers
// http://kb.mozillazine.org/Network.protocol-handler.external-default
// http://kb.mozillazine.org/Network.protocol-handler.warn-external-default
// http://kb.mozillazine.org/Network.protocol-handler.expose.%28protocol%29
// https://news.ycombinator.com/item?id=13047883
// https://bugzilla.mozilla.org/show_bug.cgi?id=167475
// https://github.com/pyllyukko/user.js/pull/285#issuecomment-298124005
// NOTICE: Disabling nonessential protocols breaks all interaction with custom protocols such as mailto:, irc:, magnet: ... and breaks opening third-party mail/messaging/torrent/... clients when clicking on links with these protocols
// TODO: Add externally-handled protocols from Windows 8.1 and Windows 10 (currently contains protocols only from Linux and Windows 7 )
// TODO: Add externally-handled protocols from Mac OS X that might pose a similar threat (see e.g. https://news.ycombinator.com/item?id=13044991 )
// If you want to enable a protocol, set network.protocol-handler.expose.(protocol )
// * true, if the protocol should be handled by an external application
// * false, if the protocol should be handled internally by Firefox
user_pref('network.protocol-handler.warn-external-default', true);
user_pref('network.protocol-handler.external.http', false);
user_pref('network.protocol-handler.external.https', false);
user_pref('network.protocol-handler.external.javascript', false);
user_pref('network.protocol-handler.external.moz-extension', false);
user_pref('network.protocol-handler.external.ftp', false);
user_pref('network.protocol-handler.external.file', false);
user_pref('network.protocol-handler.external.about', false);
user_pref('network.protocol-handler.external.chrome', false);
user_pref('network.protocol-handler.external.blob', false);
user_pref('network.protocol-handler.external.data', false);
user_pref('network.protocol-handler.expose-all', false);
user_pref('network.protocol-handler.expose.http', true);
user_pref('network.protocol-handler.expose.https', true);
user_pref('network.protocol-handler.expose.javascript', true);
user_pref('network.protocol-handler.expose.moz-extension', true);
user_pref('network.protocol-handler.expose.ftp', true);
user_pref('network.protocol-handler.expose.file', true);
user_pref('network.protocol-handler.expose.about', true);
user_pref('network.protocol-handler.expose.chrome', true);
user_pref('network.protocol-handler.expose.blob', true);
user_pref('network.protocol-handler.expose.data', true);
// * SECTION: Extensions / plugins *
// PREF: Ensure you have a security delay when installing add-ons (milliseconds )
// http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
// http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
//g user_pref(.security.dialog_enable_delay., 1000);
// PREF: Require signatures
// https://wiki.mozilla.org/Addons/Extension_Signing
// { name: 'xpinstall.signatures.required', true }
// PREF: Opt-out of add-on metadata updates
// https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
user_pref('extensions.getAddons.cache.enabled', false);
// PREF: Opt-out of themes (Persona )
// https://support.mozilla.org/t5/Firefox/how-do-I-prevent-autoamtic-updates-in-a-50-user-environment/td-p/144287
user_pref('lightweightThemes.update.enabled', false);
// PREF: Disable Flash Player NPAPI plugin
// http://kb.mozillazine.org/Flash_plugin
// PREF: Disable Java NPAPI plugin
user_pref('plugin.state.java', 0);
// PREF: Disable sending Flash Player crash reports
// PREF: When Flash crash reports are enabled, don't send the visited URL in the crash report
// PREF: When Flash is enabled, download and use Mozilla SWF URIs blocklist
// https://bugzilla.mozilla.org/show_bug.cgi?id=1237198
// https://github.com/mozilla-services/shavar-plugin-blocklist
user_pref('browser.safebrowsing.blockedURIs.enabled', true);
// PREF: Disable Shumway (Mozilla Flash renderer, invalid: [] )
// https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Shumway
user_pref('shumway.disabled', true);
// PREF: Disable Gnome Shell Integration NPAPI plugin
user_pref('plugin.state.libgnome-shell-browser-plugin', 0);
// PREF: Disable the bundled OpenH264 video codec (disabled)
// http://forums.mozillazine.org/viewtopic.php?p=13845077&sid=28af2622e8bd8497b9113851676846b1#p13845077
user_pref('media.gmp-provider.enabled', false);
// PREF: Enable plugins click-to-play
// https://wiki.mozilla.org/Firefox/Click_To_Play
// https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/
//g user_pref(.plugins.click_to_play., true);
// PREF: Updates addons automatically
// https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/
// PREF: Enable add-on and certificate blocklists (OneCRL)
// https://wiki.mozilla.org/Blocklisting
// https://blocked.cdn.mozilla.net/
// http://kb.mozillazine.org/Extensions.blocklist.enabled
// http://kb.mozillazine.org/Extensions.blocklist.url
// https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
// Updated at interval defined in extensions.blocklist.interval (default: 86400)
//g user_pref(.extensions.blocklist.enabled., true);
user_pref('services.blocklist.update_enabled', true);
// PREF: Decrease system information leakage to Mozilla blocklist update servers
// https://trac.torproject.org/projects/tor/ticket/16931
//g user_pref(.extensions.blocklist.url., 'https:#blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/');
// PREF: Disable system add-on updates (hidden & always-enabled add-ons from Mozilla)
// https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html
// https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/
// https://github.com/pyllyukko/user.js/issues/419
// https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#1248-1257
// NOTICE: Disabling system add-on updates prevents Mozilla from 'hotfixing' your browser to patch critical problems (one possible use case from the documentation)
//g user_pref(.extensions.systemAddon.update.enabled., false);
// * SECTION: Firefox (anti- )
// PREF: Disable Extension recommendations (Firefox >= 65 )
// https://support.mozilla.org/en-US/kb/extension-recommendations
user_pref('browser.newtabpage.activity-stream.asrouter.userprefs.cfr', false);
// ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/index.html
//?- { name: 'network.trr.mode', 5);
// PREF: Trusted Recursive Resolver (DNS-over-HTTPS )
// https://wiki.mozilla.org/Trusted_Recursive_Resolver
user_pref('network.trr.mode', 0);
// PREF: Disable WebIDE
// https://trac.torproject.org/projects/tor/ticket/16222
// https://developer.mozilla.org/docs/Tools/WebIDE
//g user_pref(.devtools.webide.enabled., false);
user_pref('devtools.webide.autoinstallADBHelper', false);
user_pref('devtools.webide.autoinstallFxdtAdapters', false);
// PREF: Disable remote debugging
// https://developer.mozilla.org/en-US/docs/Tools/Remote_Debugging/Debugging_Firefox_Desktop
// https://developer.mozilla.org/en-US/docs/Tools/Tools_Toolbox#Advanced_settings
//g user_pref(.devtools.debugger.remote-enabled., false);
//g user_pref(.devtools.chrome.enabled., false);
user_pref('devtools.debugger.force-local', true);
// PREF: Disable Mozilla telemetry/experiments
// https://wiki.mozilla.org/Platform/Features/Telemetry
// https://wiki.mozilla.org/Privacy/Reviews/Telemetry
// https://wiki.mozilla.org/Telemetry
// https://www.mozilla.org/en-US/legal/privacy/firefox.html#telemetry
// https://support.mozilla.org/t5/Firefox-crashes/Mozilla-Crash-Reporter/ta-p/1715
// https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/telemetry
// https://gecko.readthedocs.io/en/latest/browser/experiments/experiments/manifest.html
// https://wiki.mozilla.org/Telemetry/Experiments
// https://support.mozilla.org/en-US/questions/1197144
// https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html#id1
//g user_pref(.toolkit.telemetry.enabled., false);
user_pref('experiments.supported', false);
user_pref('experiments.enabled', false);
user_pref('experiments.manifest.uri', '');
// PREF: Disallow Necko to do A/B testing
// https://trac.torproject.org/projects/tor/ticket/13170
user_pref('network.allow-experiments', false);
// PREF: Disable sending Firefox crash reports to Mozilla servers
// https://wiki.mozilla.org/Breakpad
// http://kb.mozillazine.org/Breakpad
// https://dxr.mozilla.org/mozilla-central/source/toolkit/crashreporter
// https://bugzilla.mozilla.org/show_bug.cgi?id=411490
// A list of submitted crash reports can be found at about:crashes
// PREF: Disable sending reports of tab crashes to Mozilla (about:tabcrashed )
// https://hg.mozilla.org/mozilla-central/file/tip/browser/app/profile/firefox.js
//g user_pref(.browser.tabs.crashReporting.sendReport., false);
//g user_pref(.browser.crashReports.unsubmittedCheck.enabled., false);
// PREF: Disable FlyWeb (discovery of LAN/proximity IoT devices that expose a Web interface )
// https://wiki.mozilla.org/FlyWeb
// https://wiki.mozilla.org/FlyWeb/Security_scenarios
// https://docs.google.com/document/d/1eqLb6cGjDL9XooSYEEo7mE-zKQ-o-AuDTcEyNhfBMBM/edit
// http://www.ghacks.net/2016/07/26/firefox-flyweb
user_pref('dom.flyweb.enabled', false);
// PREF: Disable the UITour backend
// https://trac.torproject.org/projects/tor/ticket/19047#comment:3
//g user_pref(.browser.uitour.enabled., false);
// PREF: Enable Firefox Tracking Protection
// https://wiki.mozilla.org/Security/Tracking_protection
// https://support.mozilla.org/en-US/kb/tracking-protection-firefox
// https://support.mozilla.org/en-US/kb/tracking-protection-pbm
// https://kontaxis.github.io/trackingprotectionfirefox/
// https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/
user_pref('privacy.trackingprotection.enabled', true);
user_pref('privacy.trackingprotection.pbmode.enabled', true);
// PREF: Enable contextual identity Containers feature (Firefox >= 52 )
// NOTICE: Containers are not available in Private Browsing mode
// https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
// resist fingerprinting or RFP
// https://wiki.mozilla.org/Security/Tor_Uplift/Tracking
// https://bugzilla.mozilla.org/show_bug.cgi?id=1333933
// https://wiki.mozilla.org/Security/Fingerprinting
// NOTICE: RFP breaks some keyboard shortcuts used in certain websites (see #443 )
// NOTICE: RFP changes your time zone
// https://github.com/kkapsner/CanvasBlocker/issues/158
//g user_pref(.privacy.resistFingerprinting., false);
// PREF: Disable the built-in PDF viewer
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2743
// https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
//g user_pref(.pdfjs.disabled., true);
// PREF: Disable collection/sending of the health report (healthreport.sqlite* )
// https://support.mozilla.org/en-US/kb/firefox-health-report-understand-your-browser-perf
// https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
user_pref('datareporting.healthreport.service.enabled', false);
// 'Allow Firefox to make personalized extension recommendations'
// PREF: Disable Heartbeat (Mozilla user rating telemetry )
// https://wiki.mozilla.org/Advocacy/heartbeat
// https://trac.torproject.org/projects/tor/ticket/19047
user_pref('browser.selfsupport.url', '');
// PREF: Disable Firefox Hello (disabled )
// https://wiki.mozilla.org/Loop
// https://support.mozilla.org/t5/Chat-and-share/Support-for-Hello-discontinued-in-Firefox-49/ta-p/37946
// NOTICE-DISABLED: Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work.
user_pref('loop.enabled', false);
// PREF: Disable Firefox Hello metrics collection
// https://groups.google.com/d/topic/mozilla.dev.platform/nyVkCx-_sFw/discussion
user_pref('loop.logDomains', false);
// PREF: Enable Auto Update (disabled )
// NOTICE: Fully automatic updates are disabled and left to package management systems on Linux. Windows users may want to change this setting.
// CIS 2.1.1
// PREF: Enforce checking for Firefox updates
// http://kb.mozillazine.org/App.update.enabled
// NOTICE: Update check page might incorrectly report Firefox ESR as out-of-date
user_pref('app.update.enabled', false);
// PREF: Enable blocking reported web forgeries
// https://wiki.mozilla.org/Security/Safe_Browsing
// http://kb.mozillazine.org/Safe_browsing
// https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work
// http://forums.mozillazine.org/viewtopic.php?f=39&t=2711237&p=12896849#p12896849
// CIS 2.3.4
user_pref('browser.safebrowsing.enabled', false);
user_pref('browser.safebrowsing.phishing.enabled', false);
// PREF: Enable blocking reported attack sites
// http://kb.mozillazine.org/Browser.safebrowsing.malware.enabled
// CIS 2.3.5
user_pref('browser.safebrowsing.malware.enabled', true);
// PREF: Disable querying Google Application Reputation database for downloaded binary files
// https://www.mozilla.org/en-US/firefox/39.0/releasenotes/
// https://wiki.mozilla.org/Security/Application_Reputation
// PREF: Disable Pocket
// https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox
// https://github.com/pyllyukko/user.js/issues/143
user_pref('browser.pocket.enabled', false);
user_pref('extensions.pocket.enabled', false);
// PREF: Disable SHIELD
// https://support.mozilla.org/en-US/kb/shield
// https://bugzilla.mozilla.org/show_bug.cgi?id=1370801
user_pref('extensions.shield-recipe-client.enabled', false);
// PREF: Disable 'Recommended by Pocket' in Firefox Quantum
// * SECTION: Automatic connections *
// PREF: Limit the connection keep-alive timeout to 15 seconds (disabled } - was 600
// https://github.com/pyllyukko/user.js/issues/387
// http://kb.mozillazine.org/Network.http.keep-alive.timeout
// https://httpd.apache.org/docs/current/mod/core.html#keepalivetimeout
user_pref('network.http.keep-alive', true);
user_pref('network.http.keep-alive.timeout', 15);
// PREF: Disable prefetching of <link rel='next'> URLs
// http://kb.mozillazine.org/Network.prefetch-next
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F
// PREF: Disable DNS prefetching
// http://kb.mozillazine.org/Network.dns.disablePrefetch
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
//g user_pref(.network.dns.disablePrefetch.romHTTPS', true);
// PREF: Disable the predictive service (Necko )
// https://wiki.mozilla.org/Privacy/Reviews/Necko
// PREF: Reject .onion hostnames before passing the to DNS
// https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
// RFC 7686
user_pref('network.dns.blockDotOnion', true);
// PREF: Disable search suggestions in the search bar
// http://kb.mozillazine.org/Browser.search.suggest.enabled
// PREF: Disable 'Show search suggestions in location bar results'
// PREF: When using the location bar, don't suggest URLs from browsing history
//g user_pref(.browser.urlbar.suggest.history., false);
// PREF: Disable SSDP
// https://bugzilla.mozilla.org/show_bug.cgi?id=1111967
user_pref('browser.casting.enabled', false);
// PREF: Disable automatic downloading of OpenH264 codec
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities
// https://andreasgal.com/2014/10/14/openh264-now-in-firefox/
user_pref('media.gmp-gmpopenh264.enabled', false);
user_pref('media.gmp-manager.url', '');
// PREF: Disable speculative pre-connections
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections
// https://bugzilla.mozilla.org/show_bug.cgi?id=814169
// PREF: Disable downloading homepage snippets/messages from Mozilla
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_mozilla-content
// https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
user_pref('browser.aboutHomeSnippets.updateUrl', '');
// PREF: Never check updates for search engines
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking
// PREF: Disable automatic captive portal detection (Firefox >= 52.0 )
// https://support.mozilla.org/en-US/questions/1157121
//g user_pref(.network.captive-portal-service.enabled., false);
// * SECTION: HTTP *
// PREF: Disallow NTLMv1
// https://bugzilla.mozilla.org/show_bug.cgi?id=828183
user_pref('network.negotiate-auth.allow-insecure-ntlm-v1', false);
// it is still allowed through HTTPS. uncomment the following to disable it completely.
user_pref('network.negotiate-auth.allow-insecure-ntlm-v1-https', false);
// PREF: Enable CSP 1.1 script-nonce directive support
// https://bugzilla.mozilla.org/show_bug.cgi?id=855326
user_pref('security.csp.experimentalEnabled', true);
// PREF: Enable Content Security Policy (CSP )
// https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
//g user_pref(.security.csp.enable., true);
// PREF: Enable Subresource Integrity
// https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
// https://wiki.mozilla.org/Security/Subresource_Integrity
user_pref('security.sri.enable', true);
// PREF: DNT HTTP header (disabled )
// https://www.mozilla.org/en-US/firefox/dnt/
// https://en.wikipedia.org/wiki/Do_not_track_header
// https://dnt-dashboard.mozilla.org
// https://github.com/pyllyukko/user.js/issues/11
// NOTICE: Do No Track must be enabled manually
// PREF: Send a referer header with the target URI as the source
// https://bugzilla.mozilla.org/show_bug.cgi?id=822869
// https://github.com/pyllyukko/user.js/issues/227
// NOTICE: Spoofing referers breaks functionality on websites relying on authentic referer headers
// NOTICE: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
// NOTICE: Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
// TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
user_pref('network.http.referer.spoofSource', true);
// PREF: Don't send referer headers when following links across different domains (disabled )
// https://github.com/pyllyukko/user.js/issues/227
//g user_pref(.network.http.referer.XOriginPolicy., 2);
// PREF: Accept Only 1st Party Cookies
// http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
// NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways
// CIS 2.5.1
//g user_pref(.network.cookie.cookieBehavior., 1);
// PREF: Enable first-party isolation
// https://bugzilla.mozilla.org/show_bug.cgi?id=1299996
// https://bugzilla.mozilla.org/show_bug.cgi?id=1260931
// https://wiki.mozilla.org/Security/FirstPartyIsolation
// NOTICE: First-party isolation breaks Microsoft Teams
// NOTICE: First-party isolation causes HTTP basic auth to ask for credentials for every new tab (see #425 )
//g user_pref(.privacy.firstparty.isolate., true);
// PREF: Make sure that third-party cookies (if enabled )
// https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
// http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly
// https://developer.mozilla.org/en-US/docs/Cookies_Preferences_in_Mozilla#network.cookie.thirdparty.sessionOnly
//g user_pref(.network.cookie.thirdparty.sessionOnly., true);
// https://www.howtogeek.com/113439/how-to-change-your-browsers-user-agent-without-installing-any-extensions/
user_pref('general.useragent.override', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36');
// PREF: Spoof User-agent (disabled )
user_pref('general.appname.override', 'Netscape');
user_pref('general.appversion.override', '5.0 (Windows)');
user_pref('general.platform.override', 'Win32');
user_pref('general.oscpu.override', 'Windows NT 6.1');
// * SECTION: Caching *
// PREF: Permanently enable private browsing mode
// https://support.mozilla.org/en-US/kb/Private-Browsing
// https://wiki.mozilla.org/PrivateBrowsing
// NOTICE: You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941
// NOTICE: When Javascript is enabled, Websites can detect use of Private Browsing mode
// NOTICE: Private browsing breaks Kerberos authentication
// NOTICE: Disables 'Containers' functionality (see below )
// NOTICE: 'Always use private browsing mode' (browser.privatebrowsing.autostart )
user_pref('browser.privatebrowsing.autostart', true);
// PREF: Do not download URLs for the offline cache
// http://kb.mozillazine.org/Browser.cache.offline.enable
//g user_pref(.browser.cache.offline.enable., false);
// PREF: Clear history when Firefox closes
// https://support.mozilla.org/en-US/kb/Clear%20Recent%20History#w_how-do-i-make-firefox-clear-my-history-automatically
// NOTICE: Installing user.js will remove your browsing history, caches and local storage.
// NOTICE: Installing user.js **will remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27 )
// NOTICE: Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945
//g user_pref(.privacy.sanitize.sanitizeOnShutdown., true);
//g user_pref(.privacy.clearOnShutdown.cache., true);
//g user_pref(.privacy.clearOnShutdown.cookies., true);
//g user_pref(.privacy.clearOnShutdown.downloads., true);
//g user_pref(.privacy.clearOnShutdown.formdata., true);
//g user_pref(.privacy.clearOnShutdown.history., true);
//g user_pref(.privacy.clearOnShutdown.offlineApps., true);
//g user_pref(.privacy.clearOnShutdown.sessions., true);
user_pref('privacy.clearOnShutdown.openWindows', true);
// PREF: Set time range to 'Everything' as default in 'Clear Recent History'
//g user_pref(.privacy.sanitize.timeSpan., 0);
// PREF: Clear everything but 'Site Preferences' in 'Clear Recent History'
//g user_pref(.privacy.cpd.offlineApps., true);
//g user_pref(.privacy.cpd.cache., true);
//g user_pref(.privacy.cpd.cookies., true);
user_pref('privacy.cpd.downloads', true);
//g user_pref(.privacy.cpd.formdata., true);
//g user_pref(.privacy.cpd.history., true);
//g user_pref(.privacy.cpd.sessions., true);
// PREF: Don't remember browsing history
//- { name: 'places.history.enabled', false);
user_pref('privacy.history.custom', true);
// PREF: Disable disk cache
// http://kb.mozillazine.org/Browser.cache.disk.enable
//- { name: 'browser.cache.disk.enable', false);
// PREF: Disable memory cache (disabled )
// http://kb.mozillazine.org/Browser.cache.memory.enable
//- { name: 'browser.cache.memory.enable', false);
// PREF: Disable Caching of SSL Pages
// CIS Version 1.2.0 October 21st, 2011 2.5.8
// http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
//- { name: 'browser.cache.disk_cache_ssl', false);
// PREF: Disable download history
// CIS Version 1.2.0 October 21st, 2011 2.5.5
// - { name: 'browser.download.manager.retention', 0);
// PREF: Disable password manager
// CIS Version 1.2.0 October 21st, 2011 2.5.2
user_pref('signon.rememberSignons', false);
// PREF: Disable form autofill, don't save information entered in web page forms and the Search Bar
// PREF: Cookies expires at the end of the session (when the browser closes )
// http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2
user_pref('network.cookie.lifetimePolicy', 2);
// PREF: Require manual intervention to autofill known username/passwords sign-in forms
// http://kb.mozillazine.org/Signon.autofillForms
// https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
// PREF: Disable formless login capture
// https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
// PREF: When username/password autofill is enabled, still disable it on non-HTTPS sites
// https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
//g user_pref(.signon.autofillForms.http', false);
// PREF: Show in-content login form warning UI for insecure login fields
// https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
user_pref('security.insecure_field_warning.contextual.enabled', true);
// PREF: Disable the password manager for pages with autocomplete=off (disabled )
// https://bugzilla.mozilla.org/show_bug.cgi?id=956906
// OWASP ASVS V9.1
// Does not prevent any kind of auto-completion (see browser.formfill.enable, signon.autofillForms )
user_pref('signon.storeWhenAutocompleteOff', false);
// PREF: Delete Search and Form History
// CIS Version 1.2.0 October 21st, 2011 2.5.6
user_pref('browser.formfill.expire_days', 0);
// PREF: Clear SSL Form Session Data
// http://kb.mozillazine.org/Browser.sessionstore.privacy_level#2
// Store extra session data for unencrypted (non-HTTPS )
// CIS Version 1.2.0 October 21st, 2011 2.5.7
// NOTE: CIS says 1, we use 2
// PREF: Delete temporary files on exit
// https://bugzilla.mozilla.org/show_bug.cgi?id=238789
//g user_pref(.browser.helperApps.deleteTempFileOnExit., true);
// PREF: Do not create screenshots of visited pages (relates to the 'new tab page' feature )
// https://support.mozilla.org/en-US/questions/973320
// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/browser.pagethumbnails.capturing_disabled
//g user_pref(.browser.pagethumbnails.capturing_disabled., true);
// PREF: Don't fetch and permanently store favicons for Windows .URL shortcuts created by drag and drop
// NOTICE: .URL shortcut files will be created with a generic icon
// Favicons are stored as .ico files in $profile_dir\shortcutCache
// PREF: Disable bookmarks backups (default: 15 )
// http://kb.mozillazine.org/Browser.bookmarks.max_backups
user_pref('browser.bookmarks.max_backups', 0);
// * SECTION: UI related *
// PREF: Enable insecure password warnings (login forms in non-HTTPS pages )
// https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
// https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
// https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
user_pref('security.insecure_password.ui.enabled', true);
// PREF: Disable right-click menu manipulation via JavaScript (disabled )
user_pref('dom.event.contextmenu.enabled', false);
// PREF: Disable 'Are you sure you want to leave this page?' popups on page close
// https://support.mozilla.org/en-US/questions/1043508
// Does not prevent JS leaks of the page close event.
// https://developer.mozilla.org/en-US/docs/Web/Events/beforeunload
//g user_pref(.dom.disable_beforeunload., true);
// PREF: Disable Downloading on Desktop
// CIS 2.3.2
user_pref('browser.download.folderList', 2);
// { name: 'browser.download.lastDir', '~/Downloads');
// PREF: Always ask the user where to download
// https://developer.mozilla.org/en/Download_Manager_preferences (obsolete )
//g user_pref(.browser.download.useDownloadDir., false);
// PREF: Disable the 'new tab page' feature and show a blank tab instead
// https://wiki.mozilla.org/Privacy/Reviews/New_Tab
// https://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites#w_how-do-i-turn-the-new-tab-page-off
user_pref('browser.newtab.url', 'about:blank');
// PREF: Disable Snippets
// https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
// https://support.mozilla.org/en-US/kb/snippets-firefox-faq
// PREF: Disable Activity Stream
// https://wiki.mozilla.org/Firefox/Activity_Stream
user_pref('browser.newtabpage.activity-stream.enabled', false);
// PREF: Disable new tab tile ads & preload
// http://www.thewindowsclub.com/disable-remove-ad-tiles-from-firefox
// http://forums.mozillazine.org/viewtopic.php?p=13876331#p13876331
// https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping
// https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-source
// https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-ping
// TODO: deprecated? not in DXR, some dead links
user_pref('browser.newtabpage.enhanced', false);
user_pref('browser.newtabpage.directory.ping', '');
user_pref('browser.newtabpage.directory.source', 'data:text/plain,{}');
// PREF: Enable Auto Notification of Outdated Plugins (Firefox < 50 )
// https://wiki.mozilla.org/Firefox3.6/Plugin_Update_Awareness_Security_Review
// CIS Version 1.2.0 October 21st, 2011 2.1.2
// https://hg.mozilla.org/mozilla-central/rev/304560
user_pref('plugins.update.notifyUser', true);
// https://forums.whonix.org/t/very-hard-to-notice-phishing-scam-firefox-tor-browser-url-not-showing-real-domain-name-homograph-attack-punycode/8373
// https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
//
// PREF: Force Punycode for Internationalized Domain Names
// http://kb.mozillazine.org/Network.IDN_show_punycode
// https://www.xudongz.com/blog/2017/idn-phishing/
// https://wiki.mozilla.org/IDN_Display_Algorithm
// https://en.wikipedia.org/wiki/IDN_homograph_attack
// https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6
//g user_pref(.network.IDN_show_punycode., true);
// PREF: Disable inline autocomplete in URL bar
// http://kb.mozillazine.org/Inline_autocomplete
user_pref('browser.urlbar.autoFill', false);
user_pref('browser.urlbar.autoFill.typed', false);
// PREF: Disable CSS :visited selectors
// https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/
// https://dbaron.org/mozilla/visited-privacy
// PREF: Disable URL bar autocomplete and history/bookmarks suggestions dropdown
// http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
user_pref('browser.urlbar.autocomplete.enabled', false);
// PREF: Do not check if Firefox is the default browser
// PREF: When password manager is enabled, lock the password storage periodically
// CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
// PREF: Lock the password storage every 1 minutes (default: 30 )
//g user_pref(.security.password_lifetime., 1);
// PREF: Display a notification bar when websites offer data for offline use
// http://kb.mozillazine.org/Browser.offline-apps.notify
user_pref('browser.offline-apps.notify', true);
// * SECTION: Cryptography *
// PREF: Enable HSTS preload list (pre-set HSTS sites list provided by Mozilla )
// https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
// https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
// https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
user_pref('network.stricttransportsecurity.preloadlist', true);
// PREF: Enable Online Certificate Status Protocol
// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
// https://www.imperialviolet.org/2014/04/19/revchecking.html
// https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/
// https://wiki.mozilla.org/CA:RevocationPlan
// https://wiki.mozilla.org/CA:ImprovingRevocation
// https://wiki.mozilla.org/CA:OCSP-HardFail
// https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html
// https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html
// NOTICE: OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
// NOTICE: OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
// NOTICE: OCSP adds latency (performance )
// NOTICE: Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10 )
// CIS Version 1.2.0 October 21st, 2011 2.2.4
// PREF: Enable OCSP Stapling support
// https://en.wikipedia.org/wiki/OCSP_stapling
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
// https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
// PREF: Enable OCSP Must-Staple support (Firefox >= 45 )
// https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
// https://www.entrust.com/ocsp-must-staple/
// https://github.com/schomery/privacy-settings/issues/40
// NOTICE: Firefox falls back on plain OCSP when must-staple is not configured on the host certificate
user_pref('security.ssl.enable_ocsp_must_staple', true);
// PREF: Require a valid OCSP response for OCSP enabled certificates
// https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA
// Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses
// NOTICE: `security.OCSP.require` will make the connection fail when the OCSP ill make the connection fail when the OCSP responder is unavailable
// NOTICE: `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal )
// PREF: Disable TLS Session Tickets
// https://www.blackhat.com/us-13/briefings.html#NextGen
// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
// https://bugzilla.mozilla.org/show_bug.cgi?id=917049
// https://bugzilla.mozilla.org/show_bug.cgi?id=967977
//g user_pref(.security.ssl.disable_session_identifiers., true);
// PREF: Only allow TLS 1.[0-3]
// http://kb.mozillazine.org/Security.tls.version.*
// 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version. )
// 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
// 3 = TLS 1.2 is the minimum required / maximum supported encryption protocol.
// 4 = TLS 1.3 is the minimum required / maximum supported encryption protocol.
user_pref('security.tls.version.min', 1);
user_pref('security.tls.version.max', 4);
// PREF: Disable insecure TLS version fallback
// https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
// https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
user_pref('security.tls.version.fallback-limit', 3);
// PREF: Enforce Public Key Pinning
// https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
// '2. Strict. Pinning is always enforced.'
// PREF: Disallow SHA-1
// https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
// https://shattered.io/
// 'safe' renegotiation
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
// PREF: Disallow connection to servers not supporting safe renegotiation (disabled )
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
// TODO: `security.ssl.require_safe_negotiation` is more secure but makes browsing next to impossible (2012-2014-... - `ssl_error_unsafe_negotiation` errors )
// PREF: Disable automatic reporting of TLS connection errors
// https://support.mozilla.org/en-US/kb/certificate-pinning-reports
// we could also disable security.ssl.errorReporting.enabled, but I think it's
// good to leave the option to report potentially malicious sites if the user
// chooses to do so.
// you can test this at https://pinningtest.appspot.com/
// PREF: Pre-populate the current URL but do not pre-fetch the certificate in the 'Add Security Exception' dialog
// http://kb.mozillazine.org/Browser.ssl_override_behavior
// https://github.com/pyllyukko/user.js/issues/210
// * SECTION: Cipher suites *
// PREF: Disable null ciphers
user_pref('security.ssl3.rsa_null_sha', false);
user_pref('security.ssl3.rsa_null_md5', false);
user_pref('security.ssl3.ecdhe_rsa_null_sha', false);
user_pref('security.ssl3.ecdhe_ecdsa_null_sha', false);
user_pref('security.ssl3.ecdh_rsa_null_sha', false);
user_pref('security.ssl3.ecdh_ecdsa_null_sha', false);
// PREF: Disable SEED cipher
// https://en.wikipedia.org/wiki/SEED
user_pref('security.ssl3.rsa_seed_sha', false);
// PREF: Disable 40/56/128-bit ciphers
// 40-bit ciphers
user_pref('security.ssl3.rsa_rc4_40_md5', false);
user_pref('security.ssl3.rsa_rc2_40_md5', false);
// 56-bit ciphers
user_pref('security.ssl3.rsa_1024_rc4_56_sha', false);
// 128-bit ciphers
user_pref('security.ssl3.rsa_camellia_128_sha', false);
user_pref('security.ssl3.ecdhe_rsa_aes_128_sha', false);
user_pref('security.ssl3.ecdhe_ecdsa_aes_128_sha', false);
user_pref('security.ssl3.ecdh_rsa_aes_128_sha', false);
user_pref('security.ssl3.ecdh_ecdsa_aes_128_sha', false);
user_pref('security.ssl3.dhe_rsa_camellia_128_sha', false);
user_pref('security.ssl3.dhe_rsa_aes_128_sha', false);
// PREF: Disable RC4
// https://developer.mozilla.org/en-US/Firefox/Releases/38#Security
// https://bugzilla.mozilla.org/show_bug.cgi?id=1138882
// https://rc4.io/
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
user_pref('security.ssl3.ecdh_ecdsa_rc4_128_sha', false);
user_pref('security.ssl3.ecdh_rsa_rc4_128_sha', false);
user_pref('security.ssl3.ecdhe_ecdsa_rc4_128_sha', false);
user_pref('security.ssl3.ecdhe_rsa_rc4_128_sha', false);
user_pref('security.ssl3.rsa_rc4_128_md5', false);
user_pref('security.ssl3.rsa_rc4_128_sha', false);
user_pref('security.tls.unrestricted_rc4_fallback', false);
// PREF: Disable 3DES (effective key size is < 128 )
// https://en.wikipedia.org/wiki/3des#Security
// http://en.citizendium.org/wiki/Meet-in-the-middle_attack
// http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
user_pref('security.ssl3.dhe_dss_des_ede3_sha', false);
user_pref('security.ssl3.dhe_rsa_des_ede3_sha', false);
user_pref('security.ssl3.ecdh_ecdsa_des_ede3_sha', false);
user_pref('security.ssl3.ecdh_rsa_des_ede3_sha', false);
user_pref('security.ssl3.ecdhe_ecdsa_des_ede3_sha', false);
user_pref('security.ssl3.ecdhe_rsa_des_ede3_sha', false);
user_pref('security.ssl3.rsa_des_ede3_sha', false);
user_pref('security.ssl3.rsa_fips_des_ede3_sha', false);
// PREF: Disable ciphers with ECDH (non-ephemeral )
user_pref('security.ssl3.ecdh_rsa_aes_256_sha', false);
user_pref('security.ssl3.ecdh_ecdsa_aes_256_sha', false);
// PREF: Disable 256 bits ciphers without PFS
user_pref('security.ssl3.rsa_camellia_256_sha', false);
// PREF: Enable ciphers with ECDHE and key size > 128bits
user_pref('security.ssl3.ecdhe_rsa_aes_256_sha', true);
user_pref('security.ssl3.ecdhe_ecdsa_aes_256_sha', true);
// PREF: Enable GCM ciphers (TLSv1.2 only )
// https://en.wikipedia.org/wiki/Galois/Counter_Mode
user_pref('security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256', true);
user_pref('security.ssl3.ecdhe_rsa_aes_128_gcm_sha256', true);
// PREF: Enable ChaCha20 and Poly1305 (Firefox >= 47 )
// https://www.mozilla.org/en-US/firefox/47.0/releasenotes/
// https://tools.ietf.org/html/rfc7905
// https://bugzilla.mozilla.org/show_bug.cgi?id=917571
// https://bugzilla.mozilla.org/show_bug.cgi?id=1247860
// https://cr.yp.to/chacha.html
user_pref('security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256', true);
user_pref('security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256', true);
// PREF: Disable ciphers susceptible to the logjam attack
// https://weakdh.org/
user_pref('security.ssl3.dhe_rsa_camellia_256_sha', false);
user_pref('security.ssl3.dhe_rsa_aes_256_sha', false);
// PREF: Disable ciphers with DSA (max 1024 bits )
user_pref('security.ssl3.dhe_dss_aes_128_sha', false);
user_pref('security.ssl3.dhe_dss_aes_256_sha', false);
user_pref('security.ssl3.dhe_dss_camellia_128_sha', false);
user_pref('security.ssl3.dhe_dss_camellia_256_sha', false);
// PREF: Fallbacks due compatibility reasons
user_pref('security.ssl3.rsa_aes_256_sha', true);
user_pref('security.ssl3.rsa_aes_128_sha', true);
//?user_pref('network.proxy.socks_version', 4);
// END ANSIBLE MANAGED BLOCK privacy pyllyukko-user.js
// BEGIN ANSIBLE MANAGED BLOCK privacy text-user.js
// etc/testforge/firefox/text-user.js
// Set http and proxy pipelining to true
// See http://bodhizazen.net/Tutorials/Privacy
// https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/FireFoxTorPerf
// See also http://www.tweakfactor.com/articles/tweaks/firefoxtweak/4.html
user_pref('network.http.max-connections', 30);
user_pref('network.http.max-connections-per-server', 15);
user_pref('network.http.max-persistent-connections-per-proxy', 16);
user_pref('network.http.max-persistent-connections-per-server', 6);
user_pref('network.http.pipelining', true);
user_pref('network.http.pipelining.maxrequests', 8);
user_pref('network.http.pipelining.ssl', true);
user_pref('network.http.proxy.keep-alive', true);
user_pref('network.http.proxy.pipelining', true);
// NOTE2: Do not use page prefetching. Disable this if it is
// enabled. Prefetching is a speculative feature, which assumes that
// you will read the pages referenced by the links in the current page
// you are viewing. This places undue load on the Tor network and clog
// your circuits with unnecessary traffic. Its unlikely you will read
// all the pages referenced by the current page, especially in the case
// of search engines results.
// http://kpvz7ki2v5agwt35.onion/wiki/index.php/Browser_security You
// should also disable prefetching. This is when the browser tries to
// predict what the user will click next. It is a waste of Tor
// bandwidth, and should be disabled by setting:
// Ask before updating
user_pref('extensions.update.enabled', false);
user_pref('extensions.update.notifyUser', true);
// http://www.imperialviolet.org/2011/03/18/revocation.html security.OCSP.require ?
// https://github.com/joao-carloto/FireRobot
//? >=47? - xpinstall.signatures.required false
// FixMe: dangerous but needed for torbutton in firefox-esr
// https://wiki.mozilla.org/Add-ons/Extension_Signing
// The ESR release supports signing starting with version 45-based releases. Signing enforcement is enabled
// by default in these releases, and enforcement can be disabled using xpinstall.signatures.required.
// no longer supported
// { name: 'xpinstall.signatures.required', false);
// https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
//g user_pref(.privacy.resistFingerprinting., false);
// https://support.mozilla.org/en-US/questions/1202828
user_pref('browser.tabs.remote.autostart', false);
//py user_pref('media.gmp-manager.url', '');
user_pref('media.gmp-manager.url.override', '');
//py user_pref('media.gmp-provider.enabled', false);
user_pref("layout.css.devPixelsPerPx", "1.25");
//me required for chrome/userChrome.css userContent.css
user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true);
// END ANSIBLE MANAGED BLOCK privacy text-user.js
Reference in New Issue View Git Blame Copy Permalink