87 lines
5.7 KiB
Nix
87 lines
5.7 KiB
Nix
{
|
|
/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS
|
|
Change items 0850 and above to suit for privacy vs convenience and functionality. Consider
|
|
your environment (no unwanted eyeballs), your device (restricted access), your device's
|
|
unattended state (locked, encrypted, forensic hardened). Likewise, you may want to check
|
|
the items cleared on shutdown in section 2800.
|
|
[1] https://xkcd.com/538/
|
|
***/
|
|
/* 0801: disable location bar using search
|
|
* Don't leak URL typos to a search engine, give an error message instead.
|
|
* Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com"
|
|
* [NOTE] This does **not** affect explicit user action such as using search buttons in the
|
|
* dropdown, or using keyword search shortcuts you configure in options (e.g. 'd' for DuckDuckGo)
|
|
* [SETUP-CHROME] If you don't, or rarely, type URLs, or you use a default search
|
|
* engine that respects privacy, then you probably don't need this ***/
|
|
"keyword.enabled" = false;
|
|
/* 0802: disable location bar domain guessing
|
|
* domain guessing intercepts DNS "hostname not found errors" and resends a
|
|
* request (e.g. by adding www or .com). This is inconsistent use (e.g. FQDNs), does not work
|
|
* via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com
|
|
* as the 411 for DNS errors?), privacy issues (why connect to sites you didn't
|
|
* intend to), can leak sensitive data (e.g. query strings: e.g. Princeton attack),
|
|
* and is a security risk (e.g. common typos & malicious sites set up to exploit this) ***/
|
|
"browser.fixup.alternate.enabled" = false;
|
|
/* 0803: display all parts of the url in the location bar ***/
|
|
"browser.urlbar.trimURLs" = false;
|
|
/* 0805: disable coloring of visited links - CSS history leak
|
|
* [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive
|
|
* redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing
|
|
* attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5]
|
|
* and advanced targeted timing attacks could still produce usable results
|
|
* [1] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector
|
|
* [2] https://dbaron.org/mozilla/visited-privacy
|
|
* [3] https://bugzilla.mozilla.org/1632765
|
|
* [4] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use)
|
|
* [5] https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html ***/
|
|
# // user_pref("layout.css.visited_links_enabled", false);
|
|
/* 0807: disable live search suggestions
|
|
/* [NOTE] Both must be true for the location bar to work
|
|
* [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine
|
|
* [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/
|
|
"browser.search.suggest.enabled" = false;
|
|
"browser.urlbar.suggest.searches" = false;
|
|
/* 0810: disable location bar making speculative connections [FF56+]
|
|
* [1] https://bugzilla.mozilla.org/1348275 ***/
|
|
"browser.urlbar.speculativeConnect.enabled" = false;
|
|
/* 0811: disable location bar leaking single words to a DNS provider **after searching** [FF78+]
|
|
* 0=never resolve single words, 1=heuristic (default), 2=always resolve
|
|
* [NOTE] For FF78 value 1 and 2 are the same and always resolve but that will change in future versions
|
|
* [1] https://bugzilla.mozilla.org/1642623 ***/
|
|
"browser.urlbar.dnsResolveSingleWordsAfterSearch" = 0;
|
|
/* 0850a: disable location bar suggestion types
|
|
* [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/
|
|
# // user_pref("browser.urlbar.suggest.history", false);
|
|
# // user_pref("browser.urlbar.suggest.bookmark", false);
|
|
# // user_pref("browser.urlbar.suggest.openpage", false);
|
|
# // user_pref("browser.urlbar.suggest.topsites", false); // [FF78+]
|
|
/* 0850b: disable tab-to-search [FF85+]
|
|
* Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search
|
|
* [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/
|
|
# // user_pref("browser.urlbar.suggest.engines", false);
|
|
/* 0850c: disable location bar dropdown
|
|
* This value controls the total number of entries to appear in the location bar dropdown ***/
|
|
# // user_pref("browser.urlbar.maxRichResults", 0);
|
|
/* 0850d: disable location bar autofill
|
|
* [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/
|
|
# // user_pref("browser.urlbar.autoFill", false);
|
|
/* 0860: disable search and form history
|
|
* [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
|
|
* [NOTE] We also clear formdata on exit (see 2803)
|
|
* [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history
|
|
* [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
|
|
* [2] https://bugzilla.mozilla.org/381681 ***/
|
|
"browser.formfill.enable" = false;
|
|
/* 0862: disable browsing and download history
|
|
* [NOTE] We also clear history and downloads on exiting Firefox (see 2803)
|
|
* [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/
|
|
# // user_pref("places.history.enabled", false);
|
|
/* 0870: disable Windows jumplist [WINDOWS] ***/
|
|
"browser.taskbar.lists.enabled" = false;
|
|
"browser.taskbar.lists.frequent.enabled" = false;
|
|
"browser.taskbar.lists.recent.enabled" = false;
|
|
"browser.taskbar.lists.tasks.enabled" = false;
|
|
/* 0871: disable Windows taskbar preview [WINDOWS] ***/
|
|
# // user_pref("browser.taskbar.previews.enable", false); // [DEFAULT: false]
|
|
}
|