authorGaming4JC <g4jc@openmailbox.org>2017-02-26 17:57:00 -0500
committerGaming4JC <g4jc@openmailbox.org>2017-02-26 17:57:00 -0500
commit35f9060f6902bc41dceb52785a9c984e705c272e (patch)
tree024bda0b89856df6e46758d4b9f70b06044c053f /nonprism
parent9ab3dff5d35025f8ccdb6d3ee8f2398b4d7b92ac (diff)
iceweasel-hardening fixes
Diffstat (limited to 'nonprism')
-rw-r--r--nonprism/iceweasel-hardened-preferences/PKGBUILD14
-rw-r--r--nonprism/iceweasel-hardened-preferences/iceweasel-branding.js43
2 files changed, 47 insertions, 10 deletions
diff --git a/nonprism/iceweasel-hardened-preferences/PKGBUILD b/nonprism/iceweasel-hardened-preferences/PKGBUILD
index 97296d4db..30f4e1da1 100644
--- a/nonprism/iceweasel-hardened-preferences/PKGBUILD
+++ b/nonprism/iceweasel-hardened-preferences/PKGBUILD
@@ -2,7 +2,7 @@
# Contributor: André Silva <emulatorman@parabola.nu>
pkgname=iceweasel-hardened-preferences
-pkgver=0.3
+pkgver=0.4
pkgrel=1
pkgdesc="Hardened preferences script which runs Iceweasel to protect from a variety of privacy, security, and fingerprinting attacks."
arch=(any)
@@ -19,13 +19,13 @@ source=('firefox-branding.js'
'iceweasel-branding.js'
'iceweasel-hardened.install')
sha512sums=('cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e'
-'d542452fa1d619d22e9c9b6e4af58d7310abdc5c81d871a1abbddb0087c53913c8a244af2b7be416a2c439383afc2480c439078ebde0ccac518300d9027b4800'
-'b5e36db1b8934358c5477b32c7d4c5e990bdf22066cc2382f6a9b9992b21704518a60a5e1710cf3722290a9a1d7af87d0930d5ceab2624503a7545cebd8a6085'
-'e9baa13d50195ff5be507093c45c00bb06a77c9e633ac183ec2fd74eebb11bfc07bde334fe4455b763e8700cde146ae223578ebd8d13066739220502b6eebff6')
+ 'd542452fa1d619d22e9c9b6e4af58d7310abdc5c81d871a1abbddb0087c53913c8a244af2b7be416a2c439383afc2480c439078ebde0ccac518300d9027b4800'
+ '1f78311f279ed4bac4b7b411ab116fa0eded389b64bdb689249f79445195ff4af41c00586c90d361bee07341db435e7707c360f0e9681a7ac04b50b70f4fb748'
+ 'e9baa13d50195ff5be507093c45c00bb06a77c9e633ac183ec2fd74eebb11bfc07bde334fe4455b763e8700cde146ae223578ebd8d13066739220502b6eebff6')
whirlpoolsums=('19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3'
-'f7cb38e58f644ddeae9f931c290ae1d96e54d0a8937171f2ebad498b65b87f2115cbd0a0f2a55e12dceba7a387e70fd2432678010a87975f8322c9c27b41efd2'
-'fb08d3dc1c264714c8f20389fb0201b7e9917e0499890821baa3cc38c3b698bc83f63bb8d6522362032e86366dd92fd89e66f8742777892b8d4de150bc8158dc'
-'44b57bbbf8f00ffee11afc84f5ea3daedc39e59da3ee91e337c1eaad24c014caf5680eb250e25a3e046db9caaf6829c3b667693de9f040d8864be34b96300bb9')
+ 'f7cb38e58f644ddeae9f931c290ae1d96e54d0a8937171f2ebad498b65b87f2115cbd0a0f2a55e12dceba7a387e70fd2432678010a87975f8322c9c27b41efd2'
+ '55cffabc1a093a9179213d4f47d618c20f6b03dc33d4d199663d79dc7610e0103ecc19f7e25fdbbcb228048fcd64b0677930e2bbe3243fe223ba3c919e9ae6fc'
+ '44b57bbbf8f00ffee11afc84f5ea3daedc39e59da3ee91e337c1eaad24c014caf5680eb250e25a3e046db9caaf6829c3b667693de9f040d8864be34b96300bb9')
package() {
install -Dm644 iceweasel-branding.js "$pkgdir"/usr/lib/iceweasel/browser/defaults/preferences/iceweasel-branding.js
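Review bot: The unchanged first entry of both arrays, `cf83e1357eefb8bd…` and `19fa61d75522a466…`, is the SHA-512 and Whirlpool digest of empty input, i.e. `firefox-branding.js` is shipped as an empty file; if that is deliberate, a comment such as `# firefox-branding.js is intentionally empty; its checksums are those of the empty file` next to `source=` would keep the next maintainer from reading it as a truncated download. The replaced third digest lines up with `iceweasel-branding.js` in source order, which matches the file this commit edits (the `source=` array itself starts above the hunk, so the second entry is not visible here).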
diff --git a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
index a8cbabf0c..6d903d7dd 100644
--- a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
+++ b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
@@ -17,8 +17,14 @@ pref("layers.acceleration.disabled", true);
pref("gfx.downloadable_fonts.fallback_delay", -1);
pref("intl.charset.default", "windows-1252");
pref("intl.locale.matchOS", false);
+// Set locale to en-US (if you are using localized version of FF)
+pref("intl.accept_languages", "en-US, en");
pref("javascript.use_us_english_locale", true);
pref("noscript.forbidFonts", true);
+// Favicons cause fingerprinting by downloading your entire bookmarks toolbar on start-up.
+pref("browser.chrome.favicons", false);
+pref("browser.chrome.site_icons", false);
+pref("browser.shell.shortcutFavicons", false);
/******************************************************************************
* HTML5 / APIs / DOM *
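Review bot: The rationale on the new `browser.chrome.favicons` line overstates what the prefs do — as far as I know Firefox fetches a favicon when a site is visited, not by bulk-downloading the bookmarks toolbar's icons at start-up — so the comment should name the real concern: `// Favicons are extra automatic requests to the site (or a third-party icon host); disable them.` `browser.shell.shortcutFavicons` only affects desktop shortcuts on Windows, so a short note that it is harmless elsewhere would avoid confusion. The `intl.accept_languages` value `"en-US, en"` is consistent with the `javascript.use_us_english_locale` line below it.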
@@ -38,6 +44,10 @@ pref("dom.mozTCPSocket.enabled", false);
// Disable DOM Shared Workers
// See https://bugs.torproject.org/15562
pref("dom.workers.sharedWorkers.enabled", false);
+// https://developer.mozilla.org/en-US/docs/Web/API/Worker
+// https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
+// https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
+pref("dom.serviceWorkers.enabled", false);
// Disable WebSockets
// https://www.infoq.com/news/2012/03/websockets-security
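Review bot: `dom.serviceWorkers.enabled` is added with three bare links but, unlike the sharedWorkers entry just above, no one-line reason; suggest `// Disable Service Workers: page scripts that persist after the tab closes and back Push notifications`. If the file does not also set `dom.push.enabled` to false elsewhere (not visible in this hunk), it is worth adding, since Push is the main reason a site registers one.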
@@ -134,6 +144,7 @@ pref("media.ondevicechange.fakeDeviceChangeEvent.enabled", false);
// https://wiki.mozilla.org/Media/WebRTC/Privacy
pref("media.peerconnection.ice.default_address_only", true); // Firefox < 51
pref("media.peerconnection.ice.no_host", true); // Firefox >= 51
+pref("media.peerconnection.ice.relay_only", true);
// Disable WebRTC entirely
pref("media.peerconnection.enabled", false);
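Review bot: `media.peerconnection.ice.relay_only` is added without a comment; with no TURN server configured in a browser profile it leaves ICE with no usable candidates, which is defence in depth here only because `media.peerconnection.enabled` is false two lines below. A reader should be told it is inert unless WebRTC is re-enabled, e.g. `// Relay (TURN) candidates only: no host/srflx address leakage; effectively no connection without a TURN server. Belt-and-braces, WebRTC is disabled below.`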
@@ -232,6 +243,8 @@ pref("webgl.disable-extensions", false);
pref("webgl.min_capability_mode", true);
pref("webgl.disable-wgl", true);
pref("webgl.enable-webgl2", false);
+// https://trac.torproject.org/projects/tor/ticket/18603
+pref("webgl.disable-fail-if-major-performance-caveat", true);
// somewhat related...
pref("pdfjs.enableWebGL", false);
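Review bot: The new `webgl.disable-fail-if-major-performance-caveat` line carries only a ticket URL; state what `true` does so the reader need not open the tracker: as I understand the ticket, it lets context creation succeed even when only software rendering is available, so a page cannot single out machines by whether `failIfMajorPerformanceCaveat` rejected them. Suggest `// Don't refuse WebGL contexts under software rendering: the refusal itself is a fingerprinting signal`. Note this keeps WebGL reachable under software rendering and relies on the `webgl.*` restrictions above rather than disabling WebGL.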
@@ -724,11 +737,14 @@ pref("services.sync.log.appender.file.logOnError", false);
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F
pref("network.prefetch-next", false);
-// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine
+// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine+
+// GeoIP-based search
+// https://trac.torproject.org/projects/tor/ticket/16254
+pref("browser.search.countryCode", "US");
+pref("browser.search.region", "US");
pref("browser.search.geoip.url", "");
pref("browser.search.geoSpecificDefaults.url", "about:blank");
pref("browser.search.geoSpecificDefaults", false);
-pref("browser.search.geoip.url", "about:blank");
// http://kb.mozillazine.org/Network.dns.disablePrefetch
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
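Review bot: The edited comment line now ends in a stray `+` (`…#w_geolocation-for-default-search-engine+`), which breaks the link; it should read `// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine`. Pinning `browser.search.countryCode` and `browser.search.region` to `"US"` hands a fixed value to the code that would otherwise derive it from the GeoIP lookup disabled on the next lines, but say so explicitly: `// Fixed to US so no GeoIP lookup is needed and the value does not reflect the real location`.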
@@ -955,6 +971,11 @@ pref("browser.pagethumbnails.capturing_disabled", true);
// Webpages will not be able to affect the right-click menu
//pref("dom.event.contextmenu.enabled", false);
+// Disable Recently Bookmarked Folder
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1248268
+// https://hg.mozilla.org/releases/mozilla-release/rev/f98e3add979e
+//pref("browser.bookmarks.showRecentlyBookmarked", false);
+
// Don't promote sync
pref("browser.syncPromoViewsLeftMap", "{\"addons\":0,\"bookmarks\":0,\"passwords\":0}");
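Review bot: `browser.bookmarks.showRecentlyBookmarked` is added commented out with no note on why it is disabled; either set it (`pref("browser.bookmarks.showRecentlyBookmarked", false);`) or say why it is left off, e.g. `// left commented: UI-only, no network effect`. A commented-out pref in a hardening file otherwise reads as a forgotten TODO.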
@@ -1010,6 +1031,8 @@ pref("browser.shell.checkDefaultBrowser", false);
// CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
pref("security.ask_for_password", 0);
+// When security.ask_for_password is 2 (every n minutes), lock password storage every 5 minutes (default is 30)
+ pref("security.password_lifetime", 5);
// https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
pref("signon.formlessCapture.enabled", false);
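Review bot: The new `pref("security.password_lifetime", 5);` line is indented by one space unlike every other `pref(` in the file, and as its own comment says it only applies when `security.ask_for_password` is 2, while the line above sets that to 0 — so it is inert as shipped. Either drop the leading space and add `// no effect unless the user changes security.ask_for_password to 2`, or set `security.ask_for_password` to 2 if the intent is to re-prompt for the master password periodically.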
@@ -1020,6 +1043,12 @@ pref("browser.link.open_newwindow.restriction", 0);
// https://bugzilla.mozilla.org/show_bug.cgi?id=1217162
pref("security.insecure_field_warning.contextual.enabled", true);
+// Enable insecure password warnings (login forms in non-HTTPS pages)
+// https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
+pref("security.insecure_password.ui.enabled", true);
+
/******************************************************************************
* TLS / HTTPS / OCSP related stuff *
* *
@@ -1036,6 +1065,10 @@ pref("network.stricttransportsecurity.preloadlist", false);
pref("security.mixed_content.send_hsts_priming", false);
pref("security.mixed_content.use_hsts", false);
+// OWASP ASVS V9.1
+// https://bugzilla.mozilla.org/show_bug.cgi?id=956906
+pref("signon.storeWhenAutocompleteOff", false);
+
// CIS Version 1.2.0 October 21st, 2011 2.2.4 Enable Online Certificate Status Protocol
// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns
pref("security.OCSP.enabled", 0);
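Review bot: `signon.storeWhenAutocompleteOff` is a password-manager pref but lands under the "TLS / HTTPS / OCSP" heading between the HSTS-priming and OCSP prefs; it belongs with `signon.formlessCapture.enabled` in the previous section. A plain-language line beside the ASVS reference would also help: `// Honour autocomplete=off on login fields: don't offer to save credentials the site marked as not to be cached`.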
@@ -1063,7 +1096,10 @@ pref("security.enable_tls_session_tickets", false);
// 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
// 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
pref("security.tls.version.min", 1);
-pref("security.tls.version.max", 3);
+pref("security.tls.version.max", 4);
+
+// TLS version fallback
+pref("security.tls.version.fallback-limit", 3);
// pinning
// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning
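Review bot: The mapping comment above `security.tls.version.min` still stops at `2 = TLS 1.1` and calls TLS 1.0 "the current default for the maximum", which is now wrong next to `max = 4`; add `// 3 = TLS 1.2, 4 = TLS 1.3 (draft at the time of writing)`. `security.tls.version.min` stays at 1, so a TLS 1.0-only server is still negotiated directly; `fallback-limit = 3` only stops insecure downgrade retries below 1.2, it does not raise the floor. For a hardening profile consider `pref("security.tls.version.min", 3);` with a compatibility note. The comment block that starts this hunk begins above it.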
@@ -1075,6 +1111,7 @@ pref("security.cert_pinning.enforcement_level", 2);
// https://hg.mozilla.org/releases/mozilla-release/rev/43c724bde81c#l3.34
// http://www.scmagazine.com/mozilla-pulls-back-on-rejecting-sha-1-certs-outright/article/463913/
// 0 = allow SHA-1; 1 = forbid SHA-1; 2 = allow SHA-1 only if notBefore < 2016-01-01
+// https://shattered.io/
pref("security.pki.sha1_enforcement_level", 1);
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken