{ /*** [SECTION 2600]: MISCELLANEOUS ***/ /* 2601: prevent accessibility services from accessing your browser [RESTART] * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower) * [1] https://support.mozilla.org/kb/accessibility-services ***/ "accessibility.force_disabled" = 1; /* 2602: disable sending additional analytics to web servers * [1] https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/ "beacon.enabled" = false; /* 2603: remove temp files opened with an external application * [1] https://bugzilla.mozilla.org/302433 ***/ "browser.helperApps.deleteTempFileOnExit" = true; /* 2604: disable page thumbnail collection ***/ "browser.pagethumbnails.capturing_disabled" = true; # [HIDDEN PREF] /* 2606: disable UITour backend so there is no chance that a remote page can use it ***/ "browser.uitour.enabled" = false; "browser.uitour.url" = ""; /* 2607: disable various developer tools in browser context * [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes * [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/ "devtools.chrome.enabled" = false; /* 2608: reset remote debugging to disabled * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/ "devtools.debugger.remote-enabled" = false; # [DEFAULT: false] /* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN] * [TEST] https://arkenfox.github.io/TZP/tzp.html#misc * [1] https://bugzilla.mozilla.org/1173199 ***/ # // user_pref("mathml.disabled", true); /* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+] * [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile. * [1] https://bugzilla.mozilla.org/1216893 ***/ # // user_pref("svg.disabled", true); /* 2611: disable middle mouse click opening links from clipboard * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/ "middlemouse.contentLoadURL" = false; /* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+] * 0 (default) or 1=allow, 2=block * [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/ # // user_pref("permissions.default.shortcuts", 2); /* 2616: remove special permissions for certain mozilla domains [FF35+] * [1] resource://app/defaults/permissions ***/ "permissions.manager.defaultsUrl" = ""; /* 2617: remove webchannel whitelist ***/ "webchannel.allowObject.urlWhitelist" = ""; /* 2619: use Punycode in Internationalized Domain Names to eliminate possible spoofing * Firefox has *some* protections, but it is better to be safe than sorry * [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com) * [1] https://wiki.mozilla.org/IDN_Display_Algorithm * [2] https://en.wikipedia.org/wiki/IDN_homograph_attack * [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/ * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/ "network.IDN_show_punycode" = true; /* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME] * This setting controls if the option "Display in Firefox" is available in the setting below * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With") * PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most) * Exploits are rare (one serious case in seven years), treated seriously and patched quickly. * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps). * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk. * CONS: You may prefer a different pdf reader for security reasons * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare) * [SETTING] General>Applications>Portable Document Format (PDF) ***/ "pdfjs.disabled" = false; # [DEFAULT: false] "pdfjs.enableScripting" = false; # [FF86+] /* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/ "network.protocol-handler.external.ms-windows-store" = false; /* 2622: enforce no system colors; they can be fingerprinted * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ "browser.display.use_system_colors" = false; # [DEFAULT: false] /* 2623: disable permissions delegation [FF73+] * Currently applies to cross-origin geolocation, camera, mic and screen-sharing * permissions, and fullscreen requests. Disabling delegation means any prompts * for these will show/use their correct 3rd party origin * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/ "permissions.delegation.enabled" = false; /* 2624: enable "window.name" protection [FF82+] * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/ "privacy.window.name.update.enabled" = true; # [DEFAULT: true FF86+] /* 2625: disable bypassing 3rd party extension install prompts [FF82+] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/ "extensions.postDownloadThirdPartyPrompt" = false; /* 2626: enforce non-native widget theme * Security: removes/reduces system API calls, e.g. win32k API [1] * Fingerprinting: provides a uniform look and feel across platforms [2] * [1] https://bugzilla.mozilla.org/1381938 * [2] https://bugzilla.mozilla.org/1411425 ***/ "widget.non-native-theme.enabled" = true; # [DEFAULT: true FF89+] /** DOWNLOADS ***/ /* 2650: discourage downloading to desktop * 0=desktop, 1=downloads (default), 2=last used * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/ # // user_pref("browser.download.folderList", 2); /* 2651: enable user interaction for security by always asking where to download * [SETUP-CHROME] On Android this blocks longtapping and saving images * [SETTING] General>Downloads>Always ask you where to save files ***/ "browser.download.useDownloadDir" = false; /* 2652: disable adding downloads to the system's "recent documents" list ***/ "browser.download.manager.addToRecentDocs" = false; /* 2654: disable "open with" in download dialog [FF50+] [SETUP-HARDEN] * This is very useful to enable when the browser is sandboxed (e.g. via AppArmor) * in such a way that it is forbidden to run external applications. * [WARNING] This may interfere with some users' workflow or methods * [1] https://bugzilla.mozilla.org/1281959 ***/ # // user_pref("browser.download.forbid_open_with", true); /** EXTENSIONS ***/ /* 2660: lock down allowed extension directories * [SETUP-CHROME] This will break extensions, language packs, themes and any other * XPI files which are installed outside of profile and application directories * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/ * [1] archived: https://archive.is/DYjAM ***/ "extensions.enabledScopes" = 5; # [HIDDEN PREF] "extensions.autoDisableScopes" = 15; # [DEFAULT: 15] /* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+] * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ # // user_pref("extensions.webextensions.restrictedDomains", ""); /** SECURITY ***/ /* 2680: enforce CSP (Content Security Policy) * [NOTE] CSP is a very important and widespread security feature. Don't disable it! * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/ "security.csp.enable" = true; # [DEFAULT: true] /* 2684: enforce a security delay on some confirmation dialogs such as install, open/save * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/ "security.dialog_enable_delay" = 1000; # [DEFAULT: 1000] }