nix-config/home/browsers/firefox/arkenfox/2400.nix

{
  /*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/
  /* 2401: disable website control over browser right-click context menu
   * [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/
  #  // user_pref("dom.event.contextmenu.enabled", false);
  /* 2402: disable website access to clipboard events/content [SETUP-HARDEN]
   * [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress
   * This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website
   * [WARNING] In FF88 or lower, with clipboardevents enabled, if both 'middlemouse.paste' and
   * 'general.autoScroll' are true (at least one is default false) then the clipboard can leak [1]
   * [1] https://bugzilla.mozilla.org/1528289 ***/
  #  // user_pref("dom.event.clipboardevents.enabled", false);
  /* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
   * this disables document.execCommand("cut"/"copy") to protect your clipboard
   * [1] https://bugzilla.mozilla.org/1170911 ***/
  "dom.allow_cut_copy" = false;
  /* 2405: disable "Confirm you want to leave" dialog on page close
   * Does not prevent JS leaks of the page close event.
   * [1] https://developer.mozilla.org/docs/Web/Events/beforeunload
   * [2] https://support.mozilla.org/questions/1043508 ***/
  "dom.disable_beforeunload" = true;
  /* 2414: disable shaking the screen ***/
  "dom.vibrator.enabled" = false;
  /* 2420: disable asm.js [FF22+] [SETUP-PERF]
   * [1] http://asmjs.org/
   * [2] https://www.mozilla.org/security/advisories/mfsa2015-29/
   * [3] https://www.mozilla.org/security/advisories/mfsa2015-50/
   * [4] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
   * [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
   * [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
  "javascript.options.asmjs" = false;
  /* 2421: disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN]
   * [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
   * hidden pref is enabled, then Ion can still be used by extensions (1599226)
   * [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
   * [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
  #   // user_pref("javascript.options.ion", false);
  #   // user_pref("javascript.options.baselinejit", false);
  #   // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]
  /* 2422: disable WebAssembly [FF52+]
   * Vulnerabilities have increasingly been found, including those known and fixed
   * in native programs years ago [2]. WASM has powerful low-level access, making
   * certain attacks (brute-force) and vulnerabilities more possible
   * [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising [2][3]
   * [1] https://developer.mozilla.org/docs/WebAssembly
   * [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
   * [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
  "javascript.options.wasm" = false;
  /* 2429: enable (limited but sufficient) window.opener protection [FF65+]
   * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/
  "dom.targetBlankNoOpener.enabled" = true;  # [DEFAULT: true FF79+]
}
initial commit 2022-01-18 09:32:55 +01:00			`{`
			`/* [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT */`
			`/* 2401: disable website control over browser right-click context menu`
			`* [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/`
			`# // user_pref("dom.event.contextmenu.enabled", false);`
			`/* 2402: disable website access to clipboard events/content [SETUP-HARDEN]`
			`* [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress`
			`* This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website`
			`* [WARNING] In FF88 or lower, with clipboardevents enabled, if both 'middlemouse.paste' and`
			`* 'general.autoScroll' are true (at least one is default false) then the clipboard can leak [1]`
			`* [1] https://bugzilla.mozilla.org/1528289 ***/`
			`# // user_pref("dom.event.clipboardevents.enabled", false);`
			`/* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]`
			`* this disables document.execCommand("cut"/"copy") to protect your clipboard`
			`* [1] https://bugzilla.mozilla.org/1170911 ***/`
			`"dom.allow_cut_copy" = false;`
			`/* 2405: disable "Confirm you want to leave" dialog on page close`
			`* Does not prevent JS leaks of the page close event.`
			`* [1] https://developer.mozilla.org/docs/Web/Events/beforeunload`
			`* [2] https://support.mozilla.org/questions/1043508 ***/`
			`"dom.disable_beforeunload" = true;`
			`/* 2414: disable shaking the screen ***/`
			`"dom.vibrator.enabled" = false;`
			`/* 2420: disable asm.js [FF22+] [SETUP-PERF]`
			`* [1] http://asmjs.org/`
			`* [2] https://www.mozilla.org/security/advisories/mfsa2015-29/`
			`* [3] https://www.mozilla.org/security/advisories/mfsa2015-50/`
			`* [4] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375`
			`* [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400`
			`* [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/`
			`"javascript.options.asmjs" = false;`
			`/* 2421: disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN]`
			`* [NOTE] In FF75+, when both Ion and JIT are disabled, and the new`
			`* hidden pref is enabled, then Ion can still be used by extensions (1599226)`
			`* [WARNING] Disabling Ion/JIT can cause some site issues and performance loss`
			`* [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/`
			`# // user_pref("javascript.options.ion", false);`
			`# // user_pref("javascript.options.baselinejit", false);`
			`# // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]`
			`/* 2422: disable WebAssembly [FF52+]`
			`* Vulnerabilities have increasingly been found, including those known and fixed`
			`* in native programs years ago [2]. WASM has powerful low-level access, making`
			`* certain attacks (brute-force) and vulnerabilities more possible`
			`* [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising [2][3]`
			`* [1] https://developer.mozilla.org/docs/WebAssembly`
			`* [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly`
			`* [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/`
			`"javascript.options.wasm" = false;`
			`/* 2429: enable (limited but sufficient) window.opener protection [FF65+]`
			`* Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/`
			`"dom.targetBlankNoOpener.enabled" = true; # [DEFAULT: true FF79+]`
			`}`