{ /*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/ /* 0701: disable IPv6 * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs. That's even * assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4 * [STATS] Firefox telemetry (July 2021) shows ~10% of all connections are IPv6 * [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, * then this won't make much difference. If you are masking your IP, then it can only help. * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" * [TEST] https://ipleak.org/ * [1] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/ "network.dns.disableIPv6" = true; /* 0702: disable HTTP2 * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to * enhance privacy, and opens up a number of server-side fingerprinting opportunities. * [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites * [STATS] ~46% of sites (July 2021) [5] * [1] https://http2.github.io/faq/ * [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html * [3] https://http2.github.io/http2-spec/#rfc.section.10.8 * [4] https://queue.acm.org/detail.cfm?id=2716278 * [5] https://w3techs.com/technologies/details/ce-http2/all/all ***/ # // user_pref("network.http.spdy.enabled", false); # // user_pref("network.http.spdy.enabled.deps", false); # // user_pref("network.http.spdy.enabled.http2", false); # // user_pref("network.http.spdy.websockets", false); // [FF65+] /* 0703: disable HTTP Alternative Services [FF37+] * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the * consequences. FPI isolates these, but it was designed with the Tor protocol in mind, * and the Tor Browser has extra protection, including enhanced sanitizing per Identity. * [1] https://tools.ietf.org/html/rfc7838#section-9 * [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/ "network.http.altsvc.enabled" = false; "network.http.altsvc.oe" = false; /* 0704: set the proxy server to do any DNS lookups when using SOCKS * e.g. in Tor, this stops your local DNS server from knowing your Tor destination * as a remote Tor node will handle the DNS request * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/ "network.proxy.socks_remote_dns" = true; /* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+] * [SETUP-CHROME] Can break extensions for profiles on network shares * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/ "network.file.disable_unc_paths" = true; # [HIDDEN PREF] /* 0710: disable GIO as a potential proxy bypass vector * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda, * gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64) * [1] https://bugzilla.mozilla.org/1433507 * [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23044 * [3] https://en.wikipedia.org/wiki/GVfs * [4] https://en.wikipedia.org/wiki/GIO_(software) ***/ "network.gio.supported-protocols" = ""; # [HIDDEN PREF] }