wowana.me

website source; use git clone git://wowana.me/wowana.me.git to clone this repository.


mozilla.cfg (59176B)


      1 //
      2 /******************************************************************************
      3  * user.js                                                                    *
      4  * https://github.com/pyllyukko/user.js                                       *
      5  ******************************************************************************/
      6 
      7 //I don't want this pref
      8 ///This pref doesn't exist
      9 
     10 /******************************************************************************
     11  * SECTION: HTML5 / APIs / DOM                                                *
     12  ******************************************************************************/
     13 
     14 // PREF: Disable Service Workers
     15 // https://developer.mozilla.org/en-US/docs/Web/API/Worker
     16 // https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
     17 // https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
     18 // NOTICE: Disabling ServiceWorkers breaks functionality on some sites (Google Street View...)
     19 // Unknown security implications
     20 // CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)
     21 defaultPref("dom.serviceWorkers.enabled",				false);
     22 
     23 // PREF: Disable Web Workers
     24 // https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers
     25 // https://www.w3schools.com/html/html5_webworkers.asp
     26 // NOTICE: Disabling Web Workers breaks "Download as ZIP" functionality on https://mega.nz/, WhatsApp Web and probably others
     27 ///defaultPref("dom.workers.enabled",					false);
     28 
     29 // PREF: Disable web notifications
     30 // https://support.mozilla.org/en-US/questions/1140439
     31 //defaultPref("dom.webnotifications.enabled",			false);
     32 
     33 // PREF: Disable DOM timing API
     34 // https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
     35 // https://www.w3.org/TR/navigation-timing/#privacy
     36 lockPref("dom.enable_performance",				false);
     37 
     38 // PREF: Make sure the User Timing API does not provide a new high resolution timestamp
     39 // https://trac.torproject.org/projects/tor/ticket/16336
     40 // https://www.w3.org/TR/2013/REC-user-timing-20131212/#privacy-security
     41 ///defaultPref("dom.enable_user_timing",				false);
     42 
     43 // PREF: Disable Web Audio API
     44 // https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
     45 defaultPref("dom.webaudio.enabled",				false);
     46 
     47 // PREF: Disable Location-Aware Browsing (geolocation)
     48 // https://www.mozilla.org/en-US/firefox/geolocation/
     49 defaultPref("geo.enabled",					false);
     50 
     51 // PREF: When geolocation is enabled, use Mozilla geolocation service instead of Google
     52 // https://bugzilla.mozilla.org/show_bug.cgi?id=689252
     53 lockPref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
     54 
     55 // PREF: When geolocation is enabled, don't log geolocation requests to the console
     56 ///defaultPref("geo.wifi.logging.enabled", false);
     57 
     58 // PREF: Disable raw TCP socket support (mozTCPSocket)
     59 // https://trac.torproject.org/projects/tor/ticket/18863
     60 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/
     61 // https://developer.mozilla.org/docs/Mozilla/B2G_OS/API/TCPSocket
     62 ///defaultPref("dom.mozTCPSocket.enabled",				false);
     63 
     64 // PREF: Disable DOM storage (disabled)
     65 // http://kb.mozillazine.org/Dom.storage.enabled
     66 // https://html.spec.whatwg.org/multipage/webstorage.html
     67 // NOTICE-DISABLED: Disabling DOM storage is known to cause`TypeError: localStorage is null` errors
     68 //defaultPref("dom.storage.enabled",		false);
     69 
     70 // PREF: Disable leaking network/browser connection information via Javascript
     71 // Network Information API provides general information about the system's connection type (WiFi, cellular, etc.)
     72 // https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
     73 // https://wicg.github.io/netinfo/#privacy-considerations
     74 // https://bugzilla.mozilla.org/show_bug.cgi?id=960426
     75 defaultPref("dom.netinfo.enabled",				false);
     76 
     77 // PREF: Disable network API (Firefox < 32)
     78 // https://developer.mozilla.org/en-US/docs/Web/API/Connection/onchange
     79 // https://www.torproject.org/projects/torbrowser/design/#fingerprinting-defenses
     80 ///defaultPref("dom.network.enabled",				false);
     81 
     82 // PREF: Disable WebRTC entirely to prevent leaking internal IP addresses (Firefox < 42)
     83 // NOTICE: Disabling WebRTC breaks peer-to-peer file sharing tools (reep.io ...)
     84 defaultPref("media.peerconnection.enabled",			false);
     85 
     86 // PREF: Don't reveal your internal IP when WebRTC is enabled (Firefox >= 42)
     87 // https://wiki.mozilla.org/Media/WebRTC/Privacy
     88 // https://github.com/beefproject/beef/wiki/Module%3A-Get-Internal-IP-WebRTC
     89 lockPref("media.peerconnection.ice.default_address_only",	true); // Firefox 42-51
     90 lockPref("media.peerconnection.ice.no_host",			true); // Firefox >= 52
     91 
     92 // PREF: Disable WebRTC getUserMedia, screen sharing, audio capture, video capture
     93 // https://wiki.mozilla.org/Media/getUserMedia
     94 // https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/
     95 // https://developer.mozilla.org/en-US/docs/Web/API/Navigator
     96 defaultPref("media.navigator.enabled",				false);
     97 defaultPref("media.navigator.video.enabled",			false);
     98 defaultPref("media.getusermedia.screensharing.enabled",		false);
     99 defaultPref("media.getusermedia.audiocapture.enabled",		false);
    100 
    101 // PREF: Disable battery API (Firefox < 52)
    102 // https://developer.mozilla.org/en-US/docs/Web/API/BatteryManager
    103 // https://bugzilla.mozilla.org/show_bug.cgi?id=1313580
    104 defaultPref("dom.battery.enabled",				false);
    105 
    106 // PREF: Disable telephony API
    107 // https://wiki.mozilla.org/WebAPI/Security/WebTelephony
    108 ///defaultPref("dom.telephony.enabled",				false);
    109 
    110 // PREF: Disable "beacon" asynchronous HTTP transfers (used for analytics)
    111 // https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
    112 lockPref("beacon.enabled",					false);
    113 
    114 // PREF: Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
    115 // NOTICE: Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...)
    116 // https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
    117 //defaultPref("dom.event.clipboardevents.enabled",			false);
    118 
    119 // PREF: Disable "copy to clipboard" functionality via Javascript (Firefox >= 41)
    120 // NOTICE: Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality
    121 // https://hg.mozilla.org/mozilla-central/rev/2f9f8ea4b9c3
    122 ///defaultPref("dom.allow_cut_copy", false);
    123 
    124 // PREF: Disable speech recognition
    125 // https://dvcs.w3.org/hg/speech-api/raw-file/tip/speechapi.html
    126 // https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
    127 // https://wiki.mozilla.org/HTML5_Speech_API
    128 defaultPref("media.webspeech.recognition.enable",			false);
    129 
    130 // PREF: Disable speech synthesis
    131 // https://developer.mozilla.org/en-US/docs/Web/API/SpeechSynthesis
    132 defaultPref("media.webspeech.synth.enabled",			false);
    133 
    134 // PREF: Disable sensor API
    135 // https://wiki.mozilla.org/Sensor_API
    136 defaultPref("device.sensors.enabled",				false);
    137 
    138 // PREF: Disable pinging URIs specified in HTML <a> ping= attributes
    139 // http://kb.mozillazine.org/Browser.send_pings
    140 lockPref("browser.send_pings",					false);
    141 
    142 // PREF: When browser pings are enabled, only allow pinging the same host as the origin page
    143 // http://kb.mozillazine.org/Browser.send_pings.require_same_host
    144 lockPref("browser.send_pings.require_same_host",		true);
    145 
    146 // PREF: Disable IndexedDB (disabled)
    147 // https://developer.mozilla.org/en-US/docs/IndexedDB
    148 // https://en.wikipedia.org/wiki/Indexed_Database_API
    149 // https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review
    150 // http://forums.mozillazine.org/viewtopic.php?p=13842047
    151 // https://github.com/pyllyukko/user.js/issues/8
    152 // NOTICE-DISABLED: IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled
    153 //defaultPref("dom.indexedDB.enabled",		false);
    154 
    155 // TODO: "Access Your Location" "Maintain Offline Storage" "Show Notifications"
    156 
    157 // PREF: Disable gamepad API to prevent USB device enumeration
    158 // https://www.w3.org/TR/gamepad/
    159 // https://trac.torproject.org/projects/tor/ticket/13023
    160 //defaultPref("dom.gamepad.enabled",				false);
    161 
    162 // PREF: Disable virtual reality devices APIs
    163 // https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
    164 // https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
    165 defaultPref("dom.vr.enabled",					false);
    166 
    167 // PREF: Disable vibrator API
    168 //defaultPref("dom.vibrator.enabled",           false);
    169 
    170 // PREF: Disable resource timing API
    171 // https://www.w3.org/TR/resource-timing/#privacy-security
    172 lockPref("dom.enable_resource_timing",				false);
    173 
    174 // PREF: Disable Archive API (Firefox < 54)
    175 // https://wiki.mozilla.org/WebAPI/ArchiveAPI
    176 // https://bugzilla.mozilla.org/show_bug.cgi?id=1342361
    177 ///defaultPref("dom.archivereader.enabled",				false);
    178 
    179 // PREF: Disable webGL
    180 // https://en.wikipedia.org/wiki/WebGL
    181 // https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
    182 //defaultPref("webgl.disabled",					true);
    183 // PREF: When webGL is enabled, use the minimum capability mode
    184 defaultPref("webgl.min_capability_mode",				true);
    185 // PREF: When webGL is enabled, disable webGL extensions
    186 // https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API#WebGL_debugging_and_testing
    187 defaultPref("webgl.disable-extensions",				true);
    188 // PREF: When webGL is enabled, force enabling it even when layer acceleration is not supported
    189 // https://trac.torproject.org/projects/tor/ticket/18603
    190 defaultPref("webgl.disable-fail-if-major-performance-caveat",	true);
    191 // PREF: When webGL is enabled, do not expose information about the graphics driver
    192 // https://bugzilla.mozilla.org/show_bug.cgi?id=1171228
    193 // https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info
    194 defaultPref("webgl.enable-debug-renderer-info",			false);
    195 // somewhat related...
    196 //defaultPref("pdfjs.enableWebGL",					false);
    197 
    198 // PREF: Spoof dual-core CPU
    199 // https://trac.torproject.org/projects/tor/ticket/21675
    200 // https://bugzilla.mozilla.org/show_bug.cgi?id=1360039
    201 defaultPref("dom.maxHardwareConcurrency",				2);
    202 
    203 /******************************************************************************
    204  * SECTION: Misc                                                              *
    205  ******************************************************************************/
    206 
    207 // PREF: Disable face detection
    208 ///defaultPref("camera.control.face_detection.enabled",		false);
    209 
    210 // PREF: Set the default search engine to DuckDuckGo (disabled)
    211 // https://support.mozilla.org/en-US/questions/948134
    212 //defaultPref("browser.search.defaultenginename",		"DuckDuckGo");
    213 //defaultPref("browser.search.order.1",				"DuckDuckGo");
    214 //defaultPref("keyword.URL", 							"https://duckduckgo.com/html/?q=!+");  
    215 
    216 // PREF: Disable GeoIP lookup on your address to set default search engine region
    217 // https://trac.torproject.org/projects/tor/ticket/16254
    218 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine
    219 //defaultPref("browser.search.countryCode",				"US");
    220 //defaultPref("browser.search.region",				"US");
    221 defaultPref("browser.search.geoip.url",				"");
    222 
    223 // PREF: Set Accept-Language HTTP header to en-US regardless of Firefox localization
    224 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language
    225 //defaultPref("intl.accept_languages",				"en-US, en");
    226 
    227 // PREF: Don't use OS values to determine locale, force using Firefox locale setting
    228 // http://kb.mozillazine.org/Intl.locale.matchOS
    229 defaultPref("intl.locale.matchOS",				false);
    230 
    231 // PREF: Don't use Mozilla-provided location-specific search engines
    232 defaultPref("browser.search.geoSpecificDefaults",			false);
    233 
    234 // PREF: Do not automatically send selection to clipboard on some Linux platforms
    235 // http://kb.mozillazine.org/Clipboard.autocopy
    236 //defaultPref("clipboard.autocopy",					false);
    237 
    238 // PREF: Prevent leaking application locale/date format using JavaScript
    239 // https://bugzilla.mozilla.org/show_bug.cgi?id=867501
    240 // https://hg.mozilla.org/mozilla-central/rev/52d635f2b33d
    241 //defaultPref("javascript.use_us_english_locale",			true);
    242 
    243 // PREF: Do not submit invalid URIs entered in the address bar to the default search engine
    244 // http://kb.mozillazine.org/Keyword.enabled
    245 defaultPref("keyword.enabled",					false);
    246 
    247 // PREF: Don't trim HTTP off of URLs in the address bar.
    248 // https://bugzilla.mozilla.org/show_bug.cgi?id=665580
    249 lockPref("browser.urlbar.trimURLs",				false);
    250 
    251 // PREF: Don't try to guess domain names when entering an invalid domain name in URL bar
    252 // http://www-archive.mozilla.org/docs/end-user/domain-guessing.html
    253 lockPref("browser.fixup.alternate.enabled",			false);
    254 
    255 // PREF: When browser.fixup.alternate.enabled is enabled, strip password from 'user:password@...' URLs
    256 // https://github.com/pyllyukko/user.js/issues/290#issuecomment-303560851
    257 defaultPref("browser.fixup.hide_user_pass", false);
    258 
    259 // PREF: Send DNS request through SOCKS when SOCKS proxying is in use
    260 // https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
    261 defaultPref("network.proxy.socks_remote_dns",			true);
    262 
    263 // PREF: Don't monitor OS online/offline connection state
    264 // https://trac.torproject.org/projects/tor/ticket/18945
    265 defaultPref("network.manage-offline-status",			false);
    266 
    267 // PREF: Enforce Mixed Active Content Blocking
    268 // https://support.mozilla.org/t5/Protect-your-privacy/Mixed-content-blocking-in-Firefox/ta-p/10990
    269 // https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_23#Non-SSL_contents_on_SSL_pages_are_blocked_by_default
    270 // https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
    271 defaultPref("security.mixed_content.block_active_content",	true);
    272 
    273 // PREF: Enforce Mixed Passive Content blocking (a.k.a. Mixed Display Content)
    274 // NOTICE: Enabling Mixed Display Content blocking can prevent images/styles... from loading properly when connection to the website is only partially secured
    275 defaultPref("security.mixed_content.block_display_content",	true);
    276 
    277 // PREF: Disable JAR from opening Unsafe File Types
    278 // http://kb.mozillazine.org/Network.jar.open-unsafe-types
    279 // CIS Mozilla Firefox 24 ESR v1.0.0 - 3.7 
    280 defaultPref("network.jar.open-unsafe-types",			false);
    281 
    282 // CIS 2.7.4 Disable Scripting of Plugins by JavaScript
    283 // http://forums.mozillazine.org/viewtopic.php?f=7&t=153889
    284 ///defaultPref("security.xpconnect.plugin.unrestricted",		false);
    285 
    286 // PREF: Set File URI Origin Policy
    287 // http://kb.mozillazine.org/Security.fileuri.strict_origin_policy
    288 // CIS Mozilla Firefox 24 ESR v1.0.0 - 3.8
    289 defaultPref("security.fileuri.strict_origin_policy",		true);
    290 
    291 // PREF: Disable Displaying Javascript in History URLs
    292 // http://kb.mozillazine.org/Browser.urlbar.filter.javascript
    293 // CIS 2.3.6 
    294 defaultPref("browser.urlbar.filter.javascript",			true);
    295 
    296 // PREF: Disable asm.js
    297 // http://asmjs.org/
    298 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
    299 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
    300 // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712
    301 defaultPref("javascript.options.asmjs",				false);
    302 
    303 // PREF: Disable SVG in OpenType fonts
    304 // https://wiki.mozilla.org/SVGOpenTypeFonts
    305 // https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle
    306 defaultPref("gfx.font_rendering.opentype_svg.enabled",		false);
    307 
    308 // PREF: Disable in-content SVG rendering (Firefox >= 53)
    309 // NOTICE: Disabling SVG support breaks many UI elements on many sites
    310 // https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
    311 // https://github.com/iSECPartners/publications/raw/master/reports/Tor%20Browser%20Bundle/Tor%20Browser%20Bundle%20-%20iSEC%20Deliverable%201.3.pdf#16
    312 //defaultPref("svg.disabled", true);
    313 
    314 
    315 // PREF: Disable video stats to reduce fingerprinting threat
    316 // https://bugzilla.mozilla.org/show_bug.cgi?id=654550
    317 // https://github.com/pyllyukko/user.js/issues/9#issuecomment-100468785
    318 // https://github.com/pyllyukko/user.js/issues/9#issuecomment-148922065
    319 //defaultPref("media.video_stats.enabled",				false);
    320 
    321 // PREF: Don't reveal build ID
    322 // Value taken from Tor Browser
    323 // https://bugzilla.mozilla.org/show_bug.cgi?id=583181
    324 ///defaultPref("general.buildID.override",				"20100101");
    325 ///defaultPref("browser.startup.homepage_override.buildID",		"20100101");
    326 
    327 // PREF: Prevent font fingerprinting
    328 // https://browserleaks.com/fonts
    329 // https://github.com/pyllyukko/user.js/issues/120
    330 //defaultPref("browser.display.use_document_fonts",			0);
    331 
    332 // PREF: Enable only whitelisted URL protocol handlers
    333 // http://kb.mozillazine.org/Network.protocol-handler.external-default
    334 // http://kb.mozillazine.org/Network.protocol-handler.warn-external-default
    335 // http://kb.mozillazine.org/Network.protocol-handler.expose.%28protocol%29
    336 // https://news.ycombinator.com/item?id=13047883
    337 // https://bugzilla.mozilla.org/show_bug.cgi?id=167475
    338 // https://github.com/pyllyukko/user.js/pull/285#issuecomment-298124005
    339 // NOTICE: Disabling nonessential protocols breaks all interaction with custom protocols such as mailto:, irc:, magnet: ... and breaks opening third-party mail/messaging/torrent/... clients when clicking on links with these protocols
    340 // TODO: Add externally-handled protocols from Windows 8.1 and Windows 10 (currently contains protocols only from Linux and Windows 7) that might pose a similar threat (see e.g. https://news.ycombinator.com/item?id=13044991)
    341 // TODO: Add externally-handled protocols from Mac OS X that might pose a similar threat (see e.g. https://news.ycombinator.com/item?id=13044991)
    342 // If you want to enable a protocol, set network.protocol-handler.expose.(protocol) to true and network.protocol-handler.external.(protocol) to:
    343 //   * true, if the protocol should be handled by an external application
    344 //   * false, if the protocol should be handled internally by Firefox
    345 //defaultPref("network.protocol-handler.warn-external-default",	true);
    346 ///defaultPref("network.protocol-handler.external.http",		false);
    347 ///defaultPref("network.protocol-handler.external.https",		false);
    348 //defaultPref("network.protocol-handler.external.javascript",	false);
    349 ///defaultPref("network.protocol-handler.external.moz-extension",	false);
    350 ///defaultPref("network.protocol-handler.external.ftp",		false);
    351 ///defaultPref("network.protocol-handler.external.file",		false);
    352 ///defaultPref("network.protocol-handler.external.about",		false);
    353 ///defaultPref("network.protocol-handler.external.chrome",		false);
    354 ///defaultPref("network.protocol-handler.external.blob",		false);
    355 //defaultPref("network.protocol-handler.external.data",		false);
    356 //defaultPref("network.protocol-handler.expose-all",		false);
    357 ///defaultPref("network.protocol-handler.expose.http",		true);
    358 ///defaultPref("network.protocol-handler.expose.https",		true);
    359 ///defaultPref("network.protocol-handler.expose.javascript",		true);
    360 ///defaultPref("network.protocol-handler.expose.moz-extension",	true);
    361 ///defaultPref("network.protocol-handler.expose.ftp",		true);
    362 ///defaultPref("network.protocol-handler.expose.file",		true);
    363 ///defaultPref("network.protocol-handler.expose.about",		true);
    364 ///defaultPref("network.protocol-handler.expose.chrome",		true);
    365 ///defaultPref("network.protocol-handler.expose.blob",		true);
    366 ///defaultPref("network.protocol-handler.expose.data",		true);
    367 
    368 /******************************************************************************
    369  * SECTION: Extensions / plugins                                                       *
    370  ******************************************************************************/
    371 
    372 // PREF: Ensure you have a security delay when installing add-ons (milliseconds)
    373 // http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
    374 // http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
    375 lockPref("security.dialog_enable_delay",			3000);
    376 
    377 // PREF: Require signatures
    378 // https://wiki.mozilla.org/Addons/Extension_Signing
    379 //defaultPref("xpinstall.signatures.required",		true);
    380 
    381 // PREF: Opt-out of add-on metadata updates
    382 // https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
    383 defaultPref("extensions.getAddons.cache.enabled",			false);
    384 
    385 // PREF: Opt-out of themes (Persona) updates
    386 // https://support.mozilla.org/t5/Firefox/how-do-I-prevent-autoamtic-updates-in-a-50-user-environment/td-p/144287
    387 defaultPref("lightweightThemes.update.enabled",			false);
    388 
    389 // PREF: Disable Flash Player NPAPI plugin
    390 // http://kb.mozillazine.org/Flash_plugin
    391 defaultPref("plugin.state.flash",					0);
    392 
    393 // PREF: Disable Java NPAPI plugin
    394 defaultPref("plugin.state.java",					0);
    395 
    396 // PREF: Disable sending Flash Player crash reports
    397 defaultPref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled",	false);
    398 
    399 // PREF: When Flash crash reports are enabled, don't send the visited URL in the crash report
    400 defaultPref("dom.ipc.plugins.reportCrashURL",			false);
    401 
    402 // PREF: When Flash is enabled, download and use Mozilla SWF URIs blocklist
    403 // https://bugzilla.mozilla.org/show_bug.cgi?id=1237198
    404 // https://github.com/mozilla-services/shavar-plugin-blocklist
    405 defaultPref("browser.safebrowsing.blockedURIs.enabled", true);
    406 
    407 // PREF: Disable Shumway (Mozilla Flash renderer)
    408 // https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Shumway
    409 ///defaultPref("shumway.disabled", true);
    410 
    411 // PREF: Disable Gnome Shell Integration NPAPI plugin
    412 defaultPref("plugin.state.libgnome-shell-browser-plugin",		0);
    413 
    414 // PREF: Disable the bundled OpenH264 video codec (disabled)
    415 // http://forums.mozillazine.org/viewtopic.php?p=13845077&sid=28af2622e8bd8497b9113851676846b1#p13845077
    416 //defaultPref("media.gmp-provider.enabled",		false);
    417 
    418 // PREF: Enable plugins click-to-play
    419 // https://wiki.mozilla.org/Firefox/Click_To_Play
    420 // https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/
    421 defaultPref("plugins.click_to_play",				true);
    422 
    423 // PREF: Updates addons automatically
    424 // https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/
    425 defaultPref("extensions.update.enabled",				false);
    426 
    427 // PREF: Enable add-on and certificate blocklists (OneCRL) from Mozilla
    428 // https://wiki.mozilla.org/Blocklisting
    429 // https://blocked.cdn.mozilla.net/
    430 // http://kb.mozillazine.org/Extensions.blocklist.enabled
    431 // http://kb.mozillazine.org/Extensions.blocklist.url
    432 // https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
    433 // Updated at interval defined in extensions.blocklist.interval (default: 86400)
    434 //defaultPref("extensions.blocklist.enabled",			true);
    435 defaultPref("services.blocklist.update_enabled",			false);
    436 
    437 // PREF: Decrease system information leakage to Mozilla blocklist update servers
    438 // https://trac.torproject.org/projects/tor/ticket/16931
    439 defaultPref("extensions.blocklist.url",				"https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/");
    440 
    441 /******************************************************************************
    442  * SECTION: Firefox (anti-)features / components                              *                            *
    443  ******************************************************************************/
    444 
    445 // PREF: Disable WebIDE
    446 // https://trac.torproject.org/projects/tor/ticket/16222
    447 // https://developer.mozilla.org/docs/Tools/WebIDE
    448 defaultPref("devtools.webide.enabled",				false);
    449 defaultPref("devtools.webide.autoinstallADBHelper",		false);
    450 ///defaultPref("devtools.webide.autoinstallFxdtAdapters",		false);
    451 
    452 // PREF: Disable remote debugging
    453 // https://developer.mozilla.org/en-US/docs/Tools/Remote_Debugging/Debugging_Firefox_Desktop
    454 // https://developer.mozilla.org/en-US/docs/Tools/Tools_Toolbox#Advanced_settings
    455 defaultPref("devtools.debugger.remote-enabled",			false);
    456 defaultPref("devtools.chrome.enabled",				false);
    457 defaultPref("devtools.debugger.force-local",			true);
    458 
    459 // PREF: Disable Mozilla telemetry/experiments
    460 // https://wiki.mozilla.org/Platform/Features/Telemetry
    461 // https://wiki.mozilla.org/Privacy/Reviews/Telemetry
    462 // https://wiki.mozilla.org/Telemetry
    463 // https://www.mozilla.org/en-US/legal/privacy/firefox.html#telemetry
    464 // https://support.mozilla.org/t5/Firefox-crashes/Mozilla-Crash-Reporter/ta-p/1715
    465 // https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/telemetry
    466 // https://gecko.readthedocs.io/en/latest/browser/experiments/experiments/manifest.html
    467 // https://wiki.mozilla.org/Telemetry/Experiments
    468 lockPref("toolkit.telemetry.enabled",				false);
    469 defaultPref("toolkit.telemetry.unified",				false);
    470 defaultPref("experiments.supported",				false);
    471 defaultPref("experiments.enabled",				false);
    472 defaultPref("experiments.manifest.uri",				"");
    473 
    474 // PREF: Disallow Necko to do A/B testing
    475 // https://trac.torproject.org/projects/tor/ticket/13170
    476 defaultPref("network.allow-experiments",				false);
    477 
    478 // PREF: Disable sending Firefox crash reports to Mozilla servers
    479 // https://wiki.mozilla.org/Breakpad
    480 // http://kb.mozillazine.org/Breakpad
    481 // https://dxr.mozilla.org/mozilla-central/source/toolkit/crashreporter
    482 // https://bugzilla.mozilla.org/show_bug.cgi?id=411490
    483 // A list of submitted crash reports can be found at about:crashes
    484 defaultPref("breakpad.reportURL",					"");
    485 
    486 // PREF: Disable sending reports of tab crashes to Mozilla (about:tabcrashed), don't nag user about unsent crash reports
    487 // https://hg.mozilla.org/mozilla-central/file/tip/browser/app/profile/firefox.js
    488 defaultPref("browser.tabs.crashReporting.sendReport",		false);
    489 defaultPref("browser.crashReports.unsubmittedCheck.enabled",	false);
    490 
    491 // PREF: Disable FlyWeb (discovery of LAN/proximity IoT devices that expose a Web interface)
    492 // https://wiki.mozilla.org/FlyWeb
    493 // https://wiki.mozilla.org/FlyWeb/Security_scenarios
    494 // https://docs.google.com/document/d/1eqLb6cGjDL9XooSYEEo7mE-zKQ-o-AuDTcEyNhfBMBM/edit
    495 // http://www.ghacks.net/2016/07/26/firefox-flyweb
    496 ///defaultPref("dom.flyweb.enabled",					false);
    497 
    498 // PREF: Disable the UITour backend
    499 // https://trac.torproject.org/projects/tor/ticket/19047#comment:3
    500 defaultPref("browser.uitour.enabled",				false);
    501 
    502 // PREF: Enable Firefox Tracking Protection
    503 // https://wiki.mozilla.org/Security/Tracking_protection
    504 // https://support.mozilla.org/en-US/kb/tracking-protection-firefox
    505 // https://support.mozilla.org/en-US/kb/tracking-protection-pbm
    506 // https://kontaxis.github.io/trackingprotectionfirefox/
    507 // https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/
    508 //defaultPref("privacy.trackingprotection.enabled",			true);
    509 //defaultPref("privacy.trackingprotection.pbmode.enabled",		true);
    510 
    511 // PREF: Enable contextual identity Containers feature (Firefox >= 52)
    512 // NOTICE: Containers are not available in Private Browsing mode
    513 // https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
    514 lockPref("privacy.userContext.enabled",			true);
    515 
    516 // PREF: Enable hardening against various fingerprinting vectors (Tor Uplift project)
    517 // https://wiki.mozilla.org/Security/Tor_Uplift/Tracking
    518 // https://bugzilla.mozilla.org/show_bug.cgi?id=1333933
    519 //defaultPref("privacy.resistFingerprinting",			true);
    520 
    521 // PREF: Disable the built-in PDF viewer
    522 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2743
    523 // https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
    524 // https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
    525 lockPref("pdfjs.disabled",					true);
    526 
    527 // PREF: Disable collection/sending of the health report (healthreport.sqlite*)
    528 // https://support.mozilla.org/en-US/kb/firefox-health-report-understand-your-browser-perf
    529 // https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
    530 lockPref("datareporting.healthreport.uploadEnabled",		false);
    531 ///defaultPref("datareporting.healthreport.service.enabled",		false);
    532 lockPref("datareporting.policy.dataSubmissionEnabled",		false);
    533 
    534 // PREF: Disable Heartbeat  (Mozilla user rating telemetry)
    535 // https://wiki.mozilla.org/Advocacy/heartbeat
    536 // https://trac.torproject.org/projects/tor/ticket/19047
    537 ///defaultPref("browser.selfsupport.url",				"");
    538 
    539 // PREF: Disable Firefox Hello (disabled) (Firefox < 49)
    540 // https://wiki.mozilla.org/Loop
    541 // https://support.mozilla.org/t5/Chat-and-share/Support-for-Hello-discontinued-in-Firefox-49/ta-p/37946
    542 // NOTICE-DISABLED: Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work.
    543 ///defaultPref("loop.enabled",		false);
    544 
    545 // PREF: Disable Firefox Hello metrics collection
    546 // https://groups.google.com/d/topic/mozilla.dev.platform/nyVkCx-_sFw/discussion
    547 ///defaultPref("loop.logDomains",					false);
    548 
    549 // PREF: Enable Auto Update (disabled)
    550 // NOTICE: Fully automatic updates are disabled and left to package management systems on Linux. Windows users may want to change this setting.
    551 // CIS 2.1.1
    552 defaultPref("app.update.auto",					false);
    553 
    554 // PREF: Enforce checking for Firefox updates
    555 // http://kb.mozillazine.org/App.update.enabled
    556 // NOTICE: Update check page might incorrectly report Firefox ESR as out-of-date
    557 defaultPref("app.update.enabled",                 false);
    558 
    559 // PREF: Enable blocking reported web forgeries
    560 // https://wiki.mozilla.org/Security/Safe_Browsing
    561 // http://kb.mozillazine.org/Safe_browsing
    562 // https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work
    563 // http://forums.mozillazine.org/viewtopic.php?f=39&t=2711237&p=12896849#p12896849
    564 // CIS 2.3.4
    565 ///defaultPref("browser.safebrowsing.enabled",			true); // Firefox < 50
    566 defaultPref("browser.safebrowsing.phishing.enabled",		false); // firefox >= 50
    567 
    568 // PREF: Enable blocking reported attack sites
    569 // http://kb.mozillazine.org/Browser.safebrowsing.malware.enabled
    570 // CIS 2.3.5
    571 defaultPref("browser.safebrowsing.malware.enabled",		false);
    572 
    573 // PREF: Disable querying Google Application Reputation database for downloaded binary files
    574 // https://www.mozilla.org/en-US/firefox/39.0/releasenotes/
    575 // https://wiki.mozilla.org/Security/Application_Reputation
    576 defaultPref("browser.safebrowsing.downloads.remote.enabled",	false);
    577 
    578 // PREF: Disable Pocket
    579 // https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox
    580 // https://github.com/pyllyukko/user.js/issues/143
    581 ///defaultPref("browser.pocket.enabled",				false);
    582 lockPref("extensions.pocket.enabled",				false);
    583 
    584 // PREF: Disable SHIELD
    585 // https://support.mozilla.org/en-US/kb/shield
    586 // https://bugzilla.mozilla.org/show_bug.cgi?id=1370801
    587 ///defaultPref("extensions.shield-recipe-client.enabled",		false);
    588 lockPref("app.shield.optoutstudies.enabled",			false);
    589 
    590 // PREF: Disable "Recommended by Pocket" in Firefox Quantum
    591 lockPref("browser.newtabpage.activity-stream.feeds.section.topstories",	false);
    592 
    593 /******************************************************************************
    594  * SECTION: Automatic connections                                             *
    595  ******************************************************************************/
    596 
    597 // PREF: Disable prefetching of <link rel="next"> URLs
    598 // http://kb.mozillazine.org/Network.prefetch-next
    599 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F
    600 lockPref("network.prefetch-next",				false);
    601 
    602 // PREF: Disable DNS prefetching
    603 // http://kb.mozillazine.org/Network.dns.disablePrefetch
    604 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
    605 lockPref("network.dns.disablePrefetch",			true);
    606 ///defaultPref("network.dns.disablePrefetchFromHTTPS",		true);
    607 
    608 // PREF: Disable the predictive service (Necko)
    609 // https://wiki.mozilla.org/Privacy/Reviews/Necko
    610 lockPref("network.predictor.enabled",				false);
    611 
    612 // PREF: Reject .onion hostnames before passing the to DNS
    613 // https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
    614 // RFC 7686
    615 defaultPref("network.dns.blockDotOnion",				true);
    616 
    617 // PREF: Disable search suggestions in the search bar
    618 // http://kb.mozillazine.org/Browser.search.suggest.enabled
    619 defaultPref("browser.search.suggest.enabled",			false);
    620 
    621 // PREF: Disable "Show search suggestions in location bar results"
    622 //defaultPref("browser.urlbar.suggest.searches",			false);
    623 // PREF: When using the location bar, don't suggest URLs from browsing history
    624 //defaultPref("browser.urlbar.suggest.history",			false);
    625 
    626 // PREF: Disable SSDP
    627 // https://bugzilla.mozilla.org/show_bug.cgi?id=1111967
    628 ///defaultPref("browser.casting.enabled",				false);
    629 
    630 // PREF: Disable automatic downloading of OpenH264 codec
    631 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities
    632 // https://andreasgal.com/2014/10/14/openh264-now-in-firefox/
    633 ///defaultPref("media.gmp-gmpopenh264.enabled",			false);
    634 defaultPref("media.gmp-manager.url",				"");
    635 
    636 // PREF: Disable speculative pre-connections
    637 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections
    638 // https://bugzilla.mozilla.org/show_bug.cgi?id=814169
    639 lockPref("network.http.speculative-parallel-limit",		0);
    640 
    641 // PREF: Disable downloading homepage snippets/messages from Mozilla
    642 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_mozilla-content
    643 // https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
    644 lockPref("browser.aboutHomeSnippets.updateUrl",		"");
    645 
    646 // PREF: Never check updates for search engines
    647 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking
    648 defaultPref("browser.search.update",				false);
    649 
    650 // PREF: Disable automatic captive portal detection (Firefox >= 52.0)
    651 // https://support.mozilla.org/en-US/questions/1157121
    652 lockPref("network.captive-portal-service.enabled",		false);
    653 
    654 /******************************************************************************
    655  * SECTION: HTTP                                                              *
    656  ******************************************************************************/
    657 
    658 // PREF: Disallow NTLMv1
    659 // https://bugzilla.mozilla.org/show_bug.cgi?id=828183
    660 ///defaultPref("network.negotiate-auth.allow-insecure-ntlm-v1",	false);
    661 // it is still allowed through HTTPS. uncomment the following to disable it completely.
    662 ///defaultPref("network.negotiate-auth.allow-insecure-ntlm-v1-https",		false);
    663 
    664 // PREF: Enable CSP 1.1 script-nonce directive support
    665 // https://bugzilla.mozilla.org/show_bug.cgi?id=855326
    666 defaultPref("security.csp.experimentalEnabled",			true);
    667 
    668 // PREF: Enable Content Security Policy (CSP)
    669 // https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
    670 // https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    671 defaultPref("security.csp.enable",				true);
    672 
    673 // PREF: Enable Subresource Integrity
    674 // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
    675 // https://wiki.mozilla.org/Security/Subresource_Integrity
    676 defaultPref("security.sri.enable",				true);
    677 
    678 // PREF: DNT HTTP header (disabled)
    679 // https://www.mozilla.org/en-US/firefox/dnt/
    680 // https://en.wikipedia.org/wiki/Do_not_track_header
    681 // https://dnt-dashboard.mozilla.org
    682 // https://github.com/pyllyukko/user.js/issues/11
    683 // NOTICE: Do No Track must be enabled manually
    684 defaultPref("privacy.donottrackheader.enabled",		true);
    685 
    686 // PREF: Send a referer header with the target URI as the source
    687 // https://bugzilla.mozilla.org/show_bug.cgi?id=822869
    688 // https://github.com/pyllyukko/user.js/issues/227
    689 // NOTICE: Spoofing referers breaks functionality on websites relying on authentic referer headers
    690 // NOTICE: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
    691 // NOTICE: Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
    692 // TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
    693 //defaultPref("network.http.referer.spoofSource",			true);
    694 
    695 // PREF: Don't send referer headers when following links across different domains (disabled)
    696 // https://github.com/pyllyukko/user.js/issues/227
    697 defaultPref("network.http.referer.XOriginPolicy",		2);
    698 
    699 // PREF: Accept Only 1st Party Cookies
    700 // http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
    701 // NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways
    702 // CIS 2.5.1
    703 //defaultPref("network.cookie.cookieBehavior",			1);
    704 
    705 // PREF: Enable first-party isolation
    706 // https://bugzilla.mozilla.org/show_bug.cgi?id=1299996
    707 // https://bugzilla.mozilla.org/show_bug.cgi?id=1260931
    708 // https://wiki.mozilla.org/Security/FirstPartyIsolation
    709 //defaultPref("privacy.firstparty.isolate",				true);
    710 
    711 // PREF: Make sure that third-party cookies (if enabled) never persist beyond the session.
    712 // https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
    713 // http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly
    714 // https://developer.mozilla.org/en-US/docs/Cookies_Preferences_in_Mozilla#network.cookie.thirdparty.sessionOnly
    715 //defaultPref("network.cookie.thirdparty.sessionOnly",		true);
    716 
    717 // PREF: Spoof User-agent (disabled)
    718 //defaultPref("general.useragent.override",				"Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0");
    719 //defaultPref("general.appname.override",				"Netscape");
    720 //defaultPref("general.appversion.override",			"5.0 (Windows)");
    721 //defaultPref("general.platform.override",				"Win32");
    722 //defaultPref("general.oscpu.override",				"Windows NT 6.1");
    723 
    724 /*******************************************************************************
    725  * SECTION: Caching                                                            *
    726  ******************************************************************************/
    727 
    728 // PREF: Permanently enable private browsing mode
    729 // https://support.mozilla.org/en-US/kb/Private-Browsing
    730 // https://wiki.mozilla.org/PrivateBrowsing
    731 // NOTICE: You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941
    732 // NOTICE: When Javascript is enabled, Websites can detect use of Private Browsing mode
    733 // NOTICE: Private browsing breaks Kerberos authentication
    734 // NOTICE: Disables "Containers" functionality (see below)
    735 // NOTICE: "Always use private browsing mode" (browser.privatebrowsing.autostart) disables the possibility to use password manager: https://support.mozilla.org/en-US/kb/usernames-and-passwords-are-not-saved#w_private-browsing
    736 //defaultPref("browser.privatebrowsing.autostart",			true);
    737 
    738 // PREF: Do not download URLs for the offline cache
    739 // http://kb.mozillazine.org/Browser.cache.offline.enable
    740 //defaultPref("browser.cache.offline.enable",			false);
    741 
    742 // PREF: Clear history when Firefox closes
    743 // https://support.mozilla.org/en-US/kb/Clear%20Recent%20History#w_how-do-i-make-firefox-clear-my-history-automatically
    744 // NOTICE: Installing user.js will remove your browsing history, caches and local storage.
    745 // NOTICE: Installing user.js **will remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27)
    746 // NOTICE: Clearing open windows on Firefox exit causes 2 windows to open when Firefox starts https://bugzilla.mozilla.org/show_bug.cgi?id=1334945
    747 //defaultPref("privacy.sanitize.sanitizeOnShutdown",		true);
    748 //defaultPref("privacy.clearOnShutdown.cache",			true);
    749 //defaultPref("privacy.clearOnShutdown.cookies",			true);
    750 //defaultPref("privacy.clearOnShutdown.downloads",			true);
    751 //defaultPref("privacy.clearOnShutdown.formdata",			true);
    752 //defaultPref("privacy.clearOnShutdown.history",			true);
    753 //defaultPref("privacy.clearOnShutdown.offlineApps",		true);
    754 //defaultPref("privacy.clearOnShutdown.sessions",			true);
    755 //defaultPref("privacy.clearOnShutdown.openWindows",		true);
    756 
    757 // PREF: Set time range to "Everything" as default in "Clear Recent History"
    758 defaultPref("privacy.sanitize.timeSpan",				0);
    759 
    760 // PREF: Clear everything but "Site Preferences" in "Clear Recent History"
    761 //defaultPref("privacy.cpd.offlineApps",				true);
    762 //defaultPref("privacy.cpd.cache",					true);
    763 //defaultPref("privacy.cpd.cookies",				true);
    764 //defaultPref("privacy.cpd.downloads",				true);
    765 //defaultPref("privacy.cpd.formdata",				true);
    766 //defaultPref("privacy.cpd.history",				true);
    767 //defaultPref("privacy.cpd.sessions",				true);
    768 
    769 // PREF: Don't remember browsing history
    770 //defaultPref("places.history.enabled",				false);
    771 
    772 // PREF: Disable disk cache
    773 // http://kb.mozillazine.org/Browser.cache.disk.enable
    774 //defaultPref("browser.cache.disk.enable",				false);
    775 
    776 // PREF: Disable memory cache (disabled)
    777 // http://kb.mozillazine.org/Browser.cache.memory.enable
    778 //defaultPref("browser.cache.memory.enable",		false);
    779 
    780 // PREF: Disable Caching of SSL Pages
    781 // CIS Version 1.2.0 October 21st, 2011 2.5.8
    782 // http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
    783 //defaultPref("browser.cache.disk_cache_ssl",			false);
    784 
    785 // PREF: Disable download history
    786 // CIS Version 1.2.0 October 21st, 2011 2.5.5
    787 ///defaultPref("browser.download.manager.retention",			0);
    788 
    789 // PREF: Disable password manager
    790 // CIS Version 1.2.0 October 21st, 2011 2.5.2
    791 defaultPref("signon.rememberSignons",				false);
    792 
    793 // PREF: Disable form autofill, don't save information entered in web page forms and the Search Bar
    794 //defaultPref("browser.formfill.enable",				false);
    795 
    796 // PREF: Cookies expires at the end of the session (when the browser closes)
    797 // http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2
    798 //defaultPref("network.cookie.lifetimePolicy",			2);
    799 
    800 // PREF: Require manual intervention to autofill known username/passwords sign-in forms
    801 // http://kb.mozillazine.org/Signon.autofillForms
    802 // https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
    803 //defaultPref("signon.autofillForms",				false);
    804 
    805 // PREF: Disable formless login capture
    806 // https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
    807 //defaultPref("signon.formlessCapture.enabled",			false);
    808 
    809 // PREF: When username/password autofill is enabled, still disable it on non-HTTPS sites
    810 // https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
    811 //defaultPref("signon.autofillForms.http",				false);
    812 
    813 // PREF: Show in-content login form warning UI for insecure login fields
    814 // https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
    815 defaultPref("security.insecure_field_warning.contextual.enabled", true);
    816 
    817 // PREF: Disable the password manager for pages with autocomplete=off (disabled)
    818 // https://bugzilla.mozilla.org/show_bug.cgi?id=956906
    819 // OWASP ASVS V9.1
    820 // Does not prevent any kind of auto-completion (see browser.formfill.enable, signon.autofillForms)
    821 //defaultPref("signon.storeWhenAutocompleteOff",			false);
    822 
    823 // PREF: Delete Search and Form History
    824 // CIS Version 1.2.0 October 21st, 2011 2.5.6
    825 //defaultPref("browser.formfill.expire_days",			0);
    826 
    827 // PREF: Clear SSL Form Session Data
    828 // http://kb.mozillazine.org/Browser.sessionstore.privacy_level#2
    829 // Store extra session data for unencrypted (non-HTTPS) sites only.
    830 // CIS Version 1.2.0 October 21st, 2011 2.5.7
    831 // NOTE: CIS says 1, we use 2
    832 //defaultPref("browser.sessionstore.privacy_level",			2);
    833 
    834 // PREF: Delete temporary files on exit
    835 // https://bugzilla.mozilla.org/show_bug.cgi?id=238789
    836 //defaultPref("browser.helperApps.deleteTempFileOnExit",		true);
    837 
    838 // PREF: Do not create screenshots of visited pages (relates to the "new tab page" feature)
    839 // https://support.mozilla.org/en-US/questions/973320
    840 // https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/browser.pagethumbnails.capturing_disabled
    841 ///defaultPref("browser.pagethumbnails.capturing_disabled",		true);
    842 
    843 // PREF: Don't fetch and permanently store favicons for Windows .URL shortcuts created by drag and drop
    844 // NOTICE: .URL shortcut files will be created with a generic icon
    845 // Favicons are stored as .ico files in $profile_dir\shortcutCache
    846 //defaultPref("browser.shell.shortcutFavicons",					false);
    847 
    848 // PREF: Disable bookmarks backups (default: 15)
    849 // http://kb.mozillazine.org/Browser.bookmarks.max_backups
    850 //defaultPref("browser.bookmarks.max_backups", 0);
    851 
    852 /*******************************************************************************
    853  * SECTION: UI related                                                         *
    854  *******************************************************************************/
    855 
    856 // PREF: Enable insecure password warnings (login forms in non-HTTPS pages)
    857 // https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
    858 // https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
    859 // https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
    860 //defaultPref("security.insecure_password.ui.enabled",		true);
    861 
    862 // PREF: Disable right-click menu manipulation via JavaScript (disabled)
    863 //defaultPref("dom.event.contextmenu.enabled",		false);
    864 
    865 // PREF: Disable "Are you sure you want to leave this page?" popups on page close
    866 // https://support.mozilla.org/en-US/questions/1043508
    867 // Does not prevent JS leaks of the page close event.
    868 // https://developer.mozilla.org/en-US/docs/Web/Events/beforeunload
    869 //defaultPref("dom.disable_beforeunload",    true);
    870 
    871 // PREF: Disable Downloading on Desktop
    872 // CIS 2.3.2
    873 //defaultPref("browser.download.folderList",			2);
    874 
    875 // PREF: Always ask the user where to download
    876 // https://developer.mozilla.org/en/Download_Manager_preferences (obsolete)
    877 //defaultPref("browser.download.useDownloadDir",			false);
    878 
    879 // PREF: Disable the "new tab page" feature and show a blank tab instead
    880 // https://wiki.mozilla.org/Privacy/Reviews/New_Tab
    881 // https://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites#w_how-do-i-turn-the-new-tab-page-off
    882 defaultPref("browser.newtabpage.enabled",				false);
    883 //defaultPref("browser.newtab.url",					"about:blank");
    884 
    885 // PREF: Disable Activity Stream
    886 // https://wiki.mozilla.org/Firefox/Activity_Stream
    887 ///defaultPref("browser.newtabpage.activity-stream.enabled",		false);
    888 
    889 // PREF: Disable new tab tile ads & preload
    890 // http://www.thewindowsclub.com/disable-remove-ad-tiles-from-firefox
    891 // http://forums.mozillazine.org/viewtopic.php?p=13876331#p13876331
    892 // https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping
    893 // https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-source
    894 // https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-ping
    895 // TODO: deprecated? not in DXR, some dead links
    896 //defaultPref("browser.newtabpage.enhanced",			false);
    897 defaultPref("browser.newtab.preload",				false);
    898 //defaultPref("browser.newtabpage.directory.ping",			"");
    899 //defaultPref("browser.newtabpage.directory.source",		"data:text/plain,{}");
    900 
    901 // PREF: Enable Auto Notification of Outdated Plugins (Firefox < 50)
    902 // https://wiki.mozilla.org/Firefox3.6/Plugin_Update_Awareness_Security_Review
    903 // CIS Version 1.2.0 October 21st, 2011 2.1.2
    904 // https://hg.mozilla.org/mozilla-central/rev/304560
    905 ///defaultPref("plugins.update.notifyUser",				true);
    906 
    907 
    908 // PREF: Force Punycode for Internationalized Domain Names
    909 // http://kb.mozillazine.org/Network.IDN_show_punycode
    910 // https://www.xudongz.com/blog/2017/idn-phishing/
    911 // https://wiki.mozilla.org/IDN_Display_Algorithm
    912 // https://en.wikipedia.org/wiki/IDN_homograph_attack
    913 // https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
    914 // CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6
    915 defaultPref("network.IDN_show_punycode",				true);
    916 
    917 // PREF: Disable inline autocomplete in URL bar
    918 // http://kb.mozillazine.org/Inline_autocomplete
    919 //defaultPref("browser.urlbar.autoFill",				false);
    920 //defaultPref("browser.urlbar.autoFill.typed",			false);
    921 
    922 // PREF: Disable CSS :visited selectors
    923 // https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/
    924 // https://dbaron.org/mozilla/visited-privacy
    925 defaultPref("layout.css.visited_links_enabled",			false);
    926 
    927 // PREF: Disable URL bar autocomplete and history/bookmarks suggestions dropdown
    928 // http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
    929 //defaultPref("browser.urlbar.autocomplete.enabled",		false);
    930 
    931 // PREF: Do not check if Firefox is the default browser
    932 lockPref("browser.shell.checkDefaultBrowser",			false);
    933 
    934 // PREF: When password manager is enabled, lock the password storage periodically
    935 // CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
    936 //defaultPref("security.ask_for_password",				2);
    937 
    938 // PREF: Lock the password storage every 1 minutes (default: 30)
    939 //defaultPref("security.password_lifetime",				1);
    940 
    941 // PREF: Display a notification bar when websites offer data for offline use
    942 // http://kb.mozillazine.org/Browser.offline-apps.notify
    943 //defaultPref("browser.offline-apps.notify",			true);
    944 
    945 /******************************************************************************
    946  * SECTION: Cryptography                                                      *
    947  ******************************************************************************/
    948 
    949 // PREF: Enable HSTS preload list (pre-set HSTS sites list provided by Mozilla)
    950 // https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
    951 // https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
    952 // https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
    953 //defaultPref("network.stricttransportsecurity.preloadlist",	true);
    954 
    955 // PREF: Enable Online Certificate Status Protocol
    956 // https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
    957 // https://www.imperialviolet.org/2014/04/19/revchecking.html
    958 // https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/
    959 // https://wiki.mozilla.org/CA:RevocationPlan
    960 // https://wiki.mozilla.org/CA:ImprovingRevocation
    961 // https://wiki.mozilla.org/CA:OCSP-HardFail
    962 // https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html
    963 // https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html
    964 // NOTICE: OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
    965 // NOTICE: OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
    966 // NOTICE: OCSP adds latency (performance)
    967 // NOTICE: Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
    968 // CIS Version 1.2.0 October 21st, 2011 2.2.4
    969 defaultPref("security.OCSP.enabled",				0);
    970 
    971 // PREF: Enable OCSP Stapling support
    972 // https://en.wikipedia.org/wiki/OCSP_stapling
    973 // https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
    974 // https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
    975 //defaultPref("security.ssl.enable_ocsp_stapling",			true);
    976 
    977 // PREF: Enable OCSP Must-Staple support (Firefox >= 45)
    978 // https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
    979 // https://www.entrust.com/ocsp-must-staple/
    980 // https://github.com/schomery/privacy-settings/issues/40
    981 // NOTICE: Firefox falls back on plain OCSP when must-staple is not configured on the host certificate
    982 //defaultPref("security.ssl.enable_ocsp_must_staple",		true);
    983 
    984 // PREF: Require a valid OCSP response for OCSP enabled certificates
    985 // https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA
    986 // Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses
    987 // NOTICE: `security.OCSP.require` will make the connection fail when the OCSP responder is unavailable
    988 // NOTICE: `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal)
    989 defaultPref("security.OCSP.require",				true);
    990 
    991 // PREF: Disable TLS Session Tickets
    992 // https://www.blackhat.com/us-13/briefings.html#NextGen
    993 // https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
    994 // https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
    995 // https://bugzilla.mozilla.org/show_bug.cgi?id=917049
    996 // https://bugzilla.mozilla.org/show_bug.cgi?id=967977
    997 ///defaultPref("security.ssl.disable_session_identifiers",		true);
    998 
    999 // PREF: Only allow TLS 1.[0-3]
   1000 // http://kb.mozillazine.org/Security.tls.version.*
   1001 // 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
   1002 // 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
   1003 defaultPref("security.tls.version.min",				2);
   1004 //defaultPref("security.tls.version.max",				4);
   1005 
   1006 // PREF: Disable insecure TLS version fallback
   1007 // https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
   1008 // https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
   1009 //defaultPref("security.tls.version.fallback-limit",		3);
   1010 
   1011 // PREF: Enfore Public Key Pinning
   1012 // https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
   1013 // https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
   1014 // "2. Strict. Pinning is always enforced."
   1015 defaultPref("security.cert_pinning.enforcement_level",		2);
   1016 
   1017 // PREF: Disallow SHA-1
   1018 // https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
   1019 // https://shattered.io/
   1020 defaultPref("security.pki.sha1_enforcement_level",		1);
   1021 
   1022 // PREF: Warn the user when server doesn't support RFC 5746 ("safe" renegotiation)
   1023 // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
   1024 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
   1025 defaultPref("security.ssl.treat_unsafe_negotiation_as_broken",	true);
   1026 
   1027 // PREF: Disallow connection to servers not supporting safe renegotiation (disabled)
   1028 // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation
   1029 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
   1030 // TODO: `security.ssl.require_safe_negotiation` is more secure but makes browsing next to impossible (2012-2014-... - `ssl_error_unsafe_negotiation` errors), so is left disabled
   1031 //defaultPref("security.ssl.require_safe_negotiation",		true);
   1032 
   1033 // PREF: Disable automatic reporting of TLS connection errors
   1034 // https://support.mozilla.org/en-US/kb/certificate-pinning-reports
   1035 // we could also disable security.ssl.errorReporting.enabled, but I think it's
   1036 // good to leave the option to report potentially malicious sites if the user
   1037 // chooses to do so.
   1038 // you can test this at https://pinningtest.appspot.com/
   1039 defaultPref("security.ssl.errorReporting.automatic",		false);
   1040 
   1041 // PREF: Pre-populate the current URL but do not pre-fetch the certificate in the "Add Security Exception" dialog
   1042 // http://kb.mozillazine.org/Browser.ssl_override_behavior
   1043 // https://github.com/pyllyukko/user.js/issues/210
   1044 defaultPref("browser.ssl_override_behavior",			1);
   1045 
   1046 /******************************************************************************
   1047  * SECTION: Cipher suites                                                     *
   1048  ******************************************************************************/
   1049 
   1050 // PREF: Disable null ciphers
   1051 ///defaultPref("security.ssl3.rsa_null_sha",				false);
   1052 ///defaultPref("security.ssl3.rsa_null_md5",				false);
   1053 ///defaultPref("security.ssl3.ecdhe_rsa_null_sha",			false);
   1054 ///defaultPref("security.ssl3.ecdhe_ecdsa_null_sha",			false);
   1055 ///defaultPref("security.ssl3.ecdh_rsa_null_sha",			false);
   1056 ///defaultPref("security.ssl3.ecdh_ecdsa_null_sha",			false);
   1057 
   1058 // PREF: Disable SEED cipher
   1059 // https://en.wikipedia.org/wiki/SEED
   1060 ///defaultPref("security.ssl3.rsa_seed_sha",				false);
   1061 
   1062 // PREF: Disable 40/56/128-bit ciphers
   1063 // 40-bit ciphers
   1064 ///defaultPref("security.ssl3.rsa_rc4_40_md5",			false);
   1065 ///defaultPref("security.ssl3.rsa_rc2_40_md5",			false);
   1066 // 56-bit ciphers
   1067 ///defaultPref("security.ssl3.rsa_1024_rc4_56_sha",			false);
   1068 // 128-bit ciphers
   1069 ///defaultPref("security.ssl3.rsa_camellia_128_sha",			false);
   1070 ///defaultPref("security.ssl3.ecdhe_rsa_aes_128_sha",		false);
   1071 ///defaultPref("security.ssl3.ecdhe_ecdsa_aes_128_sha",		false);
   1072 ///defaultPref("security.ssl3.ecdh_rsa_aes_128_sha",			false);
   1073 ///defaultPref("security.ssl3.ecdh_ecdsa_aes_128_sha",		false);
   1074 ///defaultPref("security.ssl3.dhe_rsa_camellia_128_sha",		false);
   1075 ///defaultPref("security.ssl3.dhe_rsa_aes_128_sha",			false);
   1076 
   1077 // PREF: Disable RC4
   1078 // https://developer.mozilla.org/en-US/Firefox/Releases/38#Security
   1079 // https://bugzilla.mozilla.org/show_bug.cgi?id=1138882
   1080 // https://rc4.io/
   1081 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
   1082 ///defaultPref("security.ssl3.ecdh_ecdsa_rc4_128_sha",		false);
   1083 ///defaultPref("security.ssl3.ecdh_rsa_rc4_128_sha",			false);
   1084 ///defaultPref("security.ssl3.ecdhe_ecdsa_rc4_128_sha",		false);
   1085 ///defaultPref("security.ssl3.ecdhe_rsa_rc4_128_sha",		false);
   1086 ///defaultPref("security.ssl3.rsa_rc4_128_md5",			false);
   1087 ///defaultPref("security.ssl3.rsa_rc4_128_sha",			false);
   1088 ///defaultPref("security.tls.unrestricted_rc4_fallback",		false);
   1089 
   1090 // PREF: Disable 3DES (effective key size is < 128)
   1091 // https://en.wikipedia.org/wiki/3des#Security
   1092 // http://en.citizendium.org/wiki/Meet-in-the-middle_attack
   1093 // http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
   1094 ///defaultPref("security.ssl3.dhe_dss_des_ede3_sha",			false);
   1095 ///defaultPref("security.ssl3.dhe_rsa_des_ede3_sha",			false);
   1096 ///defaultPref("security.ssl3.ecdh_ecdsa_des_ede3_sha",		false);
   1097 ///defaultPref("security.ssl3.ecdh_rsa_des_ede3_sha",		false);
   1098 ///defaultPref("security.ssl3.ecdhe_ecdsa_des_ede3_sha",		false);
   1099 ///defaultPref("security.ssl3.ecdhe_rsa_des_ede3_sha",		false);
   1100 defaultPref("security.ssl3.rsa_des_ede3_sha",			false);
   1101 ///defaultPref("security.ssl3.rsa_fips_des_ede3_sha",		false);
   1102 
   1103 // PREF: Disable ciphers with ECDH (non-ephemeral)
   1104 ///defaultPref("security.ssl3.ecdh_rsa_aes_256_sha",			false);
   1105 ///defaultPref("security.ssl3.ecdh_ecdsa_aes_256_sha",		false);
   1106 
   1107 // PREF: Disable 256 bits ciphers without PFS
   1108 ///defaultPref("security.ssl3.rsa_camellia_256_sha",			false);
   1109 
   1110 // PREF: Enable ciphers with ECDHE and key size > 128bits
   1111 //defaultPref("security.ssl3.ecdhe_rsa_aes_256_sha",		true); // 0xc014
   1112 //defaultPref("security.ssl3.ecdhe_ecdsa_aes_256_sha",		true); // 0xc00a
   1113 
   1114 // PREF: Enable GCM ciphers (TLSv1.2 only)
   1115 // https://en.wikipedia.org/wiki/Galois/Counter_Mode
   1116 //defaultPref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256",	true); // 0xc02b
   1117 //defaultPref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",		true); // 0xc02f
   1118 
   1119 // PREF: Enable ChaCha20 and Poly1305 (Firefox >= 47)
   1120 // https://www.mozilla.org/en-US/firefox/47.0/releasenotes/
   1121 // https://tools.ietf.org/html/rfc7905
   1122 // https://bugzilla.mozilla.org/show_bug.cgi?id=917571
   1123 // https://bugzilla.mozilla.org/show_bug.cgi?id=1247860
   1124 // https://cr.yp.to/chacha.html
   1125 //defaultPref("security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256",	true);
   1126 //defaultPref("security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256",	true);
   1127 
   1128 // PREF: Disable ciphers susceptible to the logjam attack
   1129 // https://weakdh.org/
   1130 ///defaultPref("security.ssl3.dhe_rsa_camellia_256_sha",		false);
   1131 defaultPref("security.ssl3.dhe_rsa_aes_256_sha",			false);
   1132 
   1133 // PREF: Disable ciphers with DSA (max 1024 bits)
   1134 ///defaultPref("security.ssl3.dhe_dss_aes_128_sha",			false);
   1135 ///defaultPref("security.ssl3.dhe_dss_aes_256_sha",			false);
   1136 ///defaultPref("security.ssl3.dhe_dss_camellia_128_sha",		false);
   1137 ///defaultPref("security.ssl3.dhe_dss_camellia_256_sha",		false);
   1138 
   1139 // PREF: Fallbacks due compatibility reasons
   1140 //defaultPref("security.ssl3.rsa_aes_256_sha",			true); // 0x35
   1141 //defaultPref("security.ssl3.rsa_aes_128_sha",			true); // 0x2f
   1142