nix-config/home/browsers/firefox/arkenfox/2400.nix

53 lines
3.4 KiB
Nix
Raw Normal View History

2022-01-18 09:32:55 +01:00
{
/*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/
/* 2401: disable website control over browser right-click context menu
* [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/
# // user_pref("dom.event.contextmenu.enabled", false);
/* 2402: disable website access to clipboard events/content [SETUP-HARDEN]
* [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress
* This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website
* [WARNING] In FF88 or lower, with clipboardevents enabled, if both 'middlemouse.paste' and
* 'general.autoScroll' are true (at least one is default false) then the clipboard can leak [1]
* [1] https://bugzilla.mozilla.org/1528289 ***/
# // user_pref("dom.event.clipboardevents.enabled", false);
/* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
* this disables document.execCommand("cut"/"copy") to protect your clipboard
* [1] https://bugzilla.mozilla.org/1170911 ***/
"dom.allow_cut_copy" = false;
/* 2405: disable "Confirm you want to leave" dialog on page close
* Does not prevent JS leaks of the page close event.
* [1] https://developer.mozilla.org/docs/Web/Events/beforeunload
* [2] https://support.mozilla.org/questions/1043508 ***/
"dom.disable_beforeunload" = true;
/* 2414: disable shaking the screen ***/
"dom.vibrator.enabled" = false;
/* 2420: disable asm.js [FF22+] [SETUP-PERF]
* [1] http://asmjs.org/
* [2] https://www.mozilla.org/security/advisories/mfsa2015-29/
* [3] https://www.mozilla.org/security/advisories/mfsa2015-50/
* [4] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
* [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
* [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
"javascript.options.asmjs" = false;
/* 2421: disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN]
* [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
* hidden pref is enabled, then Ion can still be used by extensions (1599226)
* [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
* [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
# // user_pref("javascript.options.ion", false);
# // user_pref("javascript.options.baselinejit", false);
# // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]
/* 2422: disable WebAssembly [FF52+]
* Vulnerabilities have increasingly been found, including those known and fixed
* in native programs years ago [2]. WASM has powerful low-level access, making
* certain attacks (brute-force) and vulnerabilities more possible
* [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising [2][3]
* [1] https://developer.mozilla.org/docs/WebAssembly
* [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
* [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
"javascript.options.wasm" = false;
/* 2429: enable (limited but sufficient) window.opener protection [FF65+]
* Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/
"dom.targetBlankNoOpener.enabled" = true; # [DEFAULT: true FF79+]
}