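{
  /*** [SECTION 2600]: MISCELLANEOUS ***/
  /* Firefox preferences (arkenfox user.js numbering 2601-2684) expressed as a Nix attribute
   * set: "pref.name" = value;. Entries that arkenfox ships commented out are kept here as
   * commented-out *Nix* lines, so that removing the leading "#" yields a valid attribute
   * instead of a JavaScript user_pref() call. ***/

  /* 2601: prevent accessibility services from accessing your browser [RESTART]
   * Accessibility services are other processes that are allowed to read and drive the
   * browser's content; leave this at 0 only if you depend on assistive technology.
   * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower)
   * [1] https://support.mozilla.org/kb/accessibility-services ***/
  "accessibility.force_disabled" = 1;

  /* 2602: disable sending additional analytics to web servers
   * navigator.sendBeacon() is a fire-and-forget POST that is delivered even after the page
   * unloads; it exists almost entirely for analytics.
   * [NOTE] Sites can feature-detect the missing API, so this is a (minor) fingerprint.
   * [1] https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/
  "beacon.enabled" = false;

  /* 2603: remove temp files opened with an external application
   * Without this, documents handed to an external viewer stay in the OS temp directory after
   * Firefox exits.
   * [1] https://bugzilla.mozilla.org/302433 ***/
  "browser.helperApps.deleteTempFileOnExit" = true;

  /* 2604: disable page thumbnail collection
   * Thumbnails are screenshots of visited pages cached in the profile (disk avoidance). ***/
  "browser.pagethumbnails.capturing_disabled" = true; # [HIDDEN PREF]

  /* 2606: disable UITour backend so there is no chance that a remote page can use it
   * UITour is the remotely-driven onboarding/tour API. The URL is cleared as well, as
   * defence in depth should the backend ever be re-enabled. ***/
  "browser.uitour.enabled" = false;
  "browser.uitour.url" = "";

  /* 2607: disable various developer tools in browser context
   * This only removes the browser-chrome and add-on debugging toolboxes (the privileged
   * context); ordinary web-content devtools keep working.
   * [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
   * [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/
  "devtools.chrome.enabled" = false;

  /* 2608: reset remote debugging to disabled
   * A connected remote debugger can evaluate code inside the browser, so the default is
   * enforced rather than trusted.
   * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/
  "devtools.debugger.remote-enabled" = false; # [DEFAULT: false]

  /* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
   * Removes a rarely-needed parser/renderer from the attack surface at the cost of pages
   * that render maths natively. Inactive by default; uncomment to enable.
   * [TEST] https://arkenfox.github.io/TZP/tzp.html#misc
   * [1] https://bugzilla.mozilla.org/1173199 ***/
  # "mathml.disabled" = true;

  /* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]
   * [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
   * Inactive by default; uncomment to enable.
   * [1] https://bugzilla.mozilla.org/1216893 ***/
  # "svg.disabled" = true;

  /* 2611: disable middle mouse click opening links from clipboard
   * With this on, a middle click on the page loads whatever text is in the clipboard /
   * primary selection as a URL, so a stray click can send pasted secrets to a remote host.
   * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/
  "middlemouse.contentLoadURL" = false;

  /* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+]
   * 0 (default) or 1=allow, 2=block
   * Inactive by default; uncomment to block site-wide with per-site exceptions.
   * [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/
  # "permissions.default.shortcuts" = 2;

  /* 2616: remove special permissions for certain mozilla domains [FF35+]
   * Firefox ships a permissions file that pre-grants some Mozilla-owned domains permissions
   * (e.g. add-on install); an empty URL means no such defaults are loaded.
   * [1] resource://app/defaults/permissions ***/
  "permissions.manager.defaultsUrl" = "";

  /* 2617: remove webchannel whitelist
   * WebChannel is the page-to-chrome messaging bridge used by Mozilla services; this list
   * names the origins allowed to send objects over it. Empty it so no origin is trusted. ***/
  "webchannel.allowObject.urlWhitelist" = "";

  /* 2619: use Punycode in Internationalized Domain Names to eliminate possible spoofing
   * Firefox's display algorithm [1] already rejects mixed-script labels, but whole-script
   * confusables (e.g. an all-Cyrillic "apple") still display as Unicode ([3], [4]); showing
   * the raw xn-- form makes every homograph visible.
   * [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded
   * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
   * [1] https://wiki.mozilla.org/IDN_Display_Algorithm
   * [2] https://en.wikipedia.org/wiki/IDN_homograph_attack
   * [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
   * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
  "network.IDN_show_punycode" = true;

  /* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME]
   * This setting controls if the option "Display in Firefox" is available in the setting below
   * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
   * PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
   * Exploits are rare (one serious case in seven years), treated seriously and patched quickly.
   * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
   * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
   * CONS: You may prefer a different pdf reader for security reasons
   * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare)
   * pdfjs.enableScripting=false additionally stops JavaScript embedded in the PDF itself
   * (form/calculation scripts) from running - a classic attack surface in PDF readers.
   * [SETTING] General>Applications>Portable Document Format (PDF) ***/
  "pdfjs.disabled" = false; # [DEFAULT: false]
  "pdfjs.enableScripting" = false; # [FF86+]

  /* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS]
   * Harmless on other platforms (the handler is never consulted). ***/
  "network.protocol-handler.external.ms-windows-store" = false;

  /* 2622: enforce no system colors; they can be fingerprinted
   * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/
  "browser.display.use_system_colors" = false; # [DEFAULT: false]

  /* 2623: disable permissions delegation [FF73+]
   * Currently applies to cross-origin geolocation, camera, mic and screen-sharing
   * permissions, and fullscreen requests. Disabling delegation means any prompts
   * for these will show/use their correct 3rd party origin, instead of the embedding
   * top-level site inheriting (and silently granting) them to its frames.
   * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/
  "permissions.delegation.enabled" = false;

  /* 2624: enable "window.name" protection [FF82+]
   * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original
   * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks
   * (window.name otherwise survives cross-origin navigation and can be used as a side channel).
   * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/
  "privacy.window.name.update.enabled" = true; # [DEFAULT: true FF86+]

  /* 2625: disable bypassing 3rd party extension install prompts [FF82+]
   * Extensions installed from sites other than AMO get a dedicated confirmation prompt;
   * keep the bypass off so that prompt cannot be skipped (details in the bugs in [1]).
   * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/
  "extensions.postDownloadThirdPartyPrompt" = false;

  /* 2626: enforce non-native widget theme
   * Security: removes/reduces system API calls, e.g. win32k API [1]
   * Fingerprinting: provides a uniform look and feel across platforms [2]
   * [1] https://bugzilla.mozilla.org/1381938
   * [2] https://bugzilla.mozilla.org/1411425 ***/
  "widget.non-native-theme.enabled" = true; # [DEFAULT: true FF89+]

  /** DOWNLOADS ***/

  /* 2650: discourage downloading to desktop
   * 0=desktop, 1=downloads (default), 2=last used
   * Inactive by default; uncomment to remember the last-used folder.
   * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
  # "browser.download.folderList" = 2;

  /* 2651: enable user interaction for security by always asking where to download
   * Every download then surfaces a dialog, so nothing is saved silently and you choose
   * the location each time.
   * [SETUP-CHROME] On Android this blocks longtapping and saving images
   * [SETTING] General>Downloads>Always ask you where to save files ***/
  "browser.download.useDownloadDir" = false;

  /* 2652: disable adding downloads to the system's "recent documents" list
   * Stops downloaded filenames leaking into OS-level recent-file lists (jump lists etc.). ***/
  "browser.download.manager.addToRecentDocs" = false;

  /* 2654: disable "open with" in download dialog [FF50+] [SETUP-HARDEN]
   * This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
   * in such a way that it is forbidden to run external applications.
   * Inactive by default; uncomment to enable.
   * [WARNING] This may interfere with some users' workflow or methods
   * [1] https://bugzilla.mozilla.org/1281959 ***/
  # "browser.download.forbid_open_with" = true;

  /** EXTENSIONS ***/

  /* 2660: lock down allowed extension directories
   * Add-ons dropped into system or per-user locations (a common sideloading vector) are
   * then ignored; autoDisableScopes stays at 15 (all scopes) so anything newly discovered
   * starts disabled until explicitly enabled.
   * [SETUP-CHROME] This will break extensions, language packs, themes and any other
   * XPI files which are installed outside of profile and application directories
   * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
   * [1] archived: https://archive.is/DYjAM ***/
  "extensions.enabledScopes" = 5; # [HIDDEN PREF]
  "extensions.autoDisableScopes" = 15; # [DEFAULT: 15]

  /* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+]
   * The restriction keeps extension content scripts off Mozilla's own pages (AMO, accounts);
   * lifting it is a convenience that trusts every installed extension on those pages.
   * Inactive by default; uncomment to lift the restriction.
   * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
  # "extensions.webextensions.restrictedDomains" = "";

  /** SECURITY ***/

  /* 2680: enforce CSP (Content Security Policy)
   * [NOTE] CSP is a very important and widespread security feature. Don't disable it!
   * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
  "security.csp.enable" = true; # [DEFAULT: true]

  /* 2684: enforce a security delay on some confirmation dialogs such as install, open/save
   * The delay (in ms) keeps a page from timing its own click-bait so that a user's click
   * lands on the "Install"/"Open" button the instant the dialog appears [1].
   * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
  "security.dialog_enable_delay" = 1000; # [DEFAULT: 1000]
}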