53 lines
3.4 KiB
Nix
53 lines
3.4 KiB
Nix
{
|
|
/*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/
|
|
/* 2401: disable website control over browser right-click context menu
|
|
* [NOTE] Shift-Right-Click will always bring up the browser right-click context menu ***/
|
|
# // user_pref("dom.event.contextmenu.enabled", false);
|
|
/* 2402: disable website access to clipboard events/content [SETUP-HARDEN]
|
|
* [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress
|
|
* This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website
|
|
* [WARNING] In FF88 or lower, with clipboardevents enabled, if both 'middlemouse.paste' and
|
|
* 'general.autoScroll' are true (at least one is default false) then the clipboard can leak [1]
|
|
* [1] https://bugzilla.mozilla.org/1528289 ***/
|
|
# // user_pref("dom.event.clipboardevents.enabled", false);
|
|
/* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
|
|
* this disables document.execCommand("cut"/"copy") to protect your clipboard
|
|
* [1] https://bugzilla.mozilla.org/1170911 ***/
|
|
"dom.allow_cut_copy" = false;
|
|
/* 2405: disable "Confirm you want to leave" dialog on page close
|
|
* Does not prevent JS leaks of the page close event.
|
|
* [1] https://developer.mozilla.org/docs/Web/Events/beforeunload
|
|
* [2] https://support.mozilla.org/questions/1043508 ***/
|
|
"dom.disable_beforeunload" = true;
|
|
/* 2414: disable shaking the screen ***/
|
|
"dom.vibrator.enabled" = false;
|
|
/* 2420: disable asm.js [FF22+] [SETUP-PERF]
|
|
* [1] http://asmjs.org/
|
|
* [2] https://www.mozilla.org/security/advisories/mfsa2015-29/
|
|
* [3] https://www.mozilla.org/security/advisories/mfsa2015-50/
|
|
* [4] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
|
|
* [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
|
|
* [6] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
|
|
"javascript.options.asmjs" = false;
|
|
/* 2421: disable Ion and baseline JIT to harden against JS exploits [SETUP-HARDEN]
|
|
* [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
|
|
* hidden pref is enabled, then Ion can still be used by extensions (1599226)
|
|
* [WARNING] Disabling Ion/JIT can cause some site issues and performance loss
|
|
* [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
|
|
# // user_pref("javascript.options.ion", false);
|
|
# // user_pref("javascript.options.baselinejit", false);
|
|
# // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]
|
|
/* 2422: disable WebAssembly [FF52+]
|
|
* Vulnerabilities have increasingly been found, including those known and fixed
|
|
* in native programs years ago [2]. WASM has powerful low-level access, making
|
|
* certain attacks (brute-force) and vulnerabilities more possible
|
|
* [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising [2][3]
|
|
* [1] https://developer.mozilla.org/docs/WebAssembly
|
|
* [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
|
|
* [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
|
|
"javascript.options.wasm" = false;
|
|
/* 2429: enable (limited but sufficient) window.opener protection [FF65+]
|
|
* Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/
|
|
"dom.targetBlankNoOpener.enabled" = true; # [DEFAULT: true FF79+]
|
|
}
|