iceweasel-hardened-configs updates for FF 51

2 files changed, 99 insertions, 52 deletions

diff --git a/nonprism/iceweasel-hardened-preferences/PKGBUILD b/nonprism/iceweasel-hardened-preferences/PKGBUILD
index 13d59d58b..97296d4db 100644
--- a/nonprism/iceweasel-hardened-preferences/PKGBUILD
+++ b/nonprism/iceweasel-hardened-preferences/PKGBUILD
@@ -2,8 +2,8 @@
 # Contributor: André Silva <emulatorman@parabola.nu>
 
 pkgname=iceweasel-hardened-preferences
-pkgver=0.2
-pkgrel=2
+pkgver=0.3
+pkgrel=1
 pkgdesc="Hardened preferences script which runs Iceweasel to protect from a variety of privacy, security, and fingerprinting attacks."
 arch=(any)
 license=(MPL)
@@ -20,11 +20,11 @@ source=('firefox-branding.js'
 'iceweasel-hardened.install')
 sha512sums=('cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e'
 'd542452fa1d619d22e9c9b6e4af58d7310abdc5c81d871a1abbddb0087c53913c8a244af2b7be416a2c439383afc2480c439078ebde0ccac518300d9027b4800'
-'ba20f29fa176795a664168dbc05e2a28fa34c82d5a7606cee6f12d30dbc49fe0280d95da0eaf1fa3f7f52fcd341da1bd546de4cd055acd79056c8eeee97317b5'
+'b5e36db1b8934358c5477b32c7d4c5e990bdf22066cc2382f6a9b9992b21704518a60a5e1710cf3722290a9a1d7af87d0930d5ceab2624503a7545cebd8a6085'
 'e9baa13d50195ff5be507093c45c00bb06a77c9e633ac183ec2fd74eebb11bfc07bde334fe4455b763e8700cde146ae223578ebd8d13066739220502b6eebff6')
 whirlpoolsums=('19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3'
 'f7cb38e58f644ddeae9f931c290ae1d96e54d0a8937171f2ebad498b65b87f2115cbd0a0f2a55e12dceba7a387e70fd2432678010a87975f8322c9c27b41efd2'
-'e4316359d1350a0f32753923d6e20c8e998d7c7379b7dd10e62f1962d96f1bd4711755e5dc6631aa9616215da61331193b1bc66b38aa0c5a24e87bc1d214a63a'
+'fb08d3dc1c264714c8f20389fb0201b7e9917e0499890821baa3cc38c3b698bc83f63bb8d6522362032e86366dd92fd89e66f8742777892b8d4de150bc8158dc'
 '44b57bbbf8f00ffee11afc84f5ea3daedc39e59da3ee91e337c1eaad24c014caf5680eb250e25a3e046db9caaf6829c3b667693de9f040d8864be34b96300bb9')
 
 package() {
diff --git a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
index a264a0e08..a8cbabf0c 100644
--- a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
+++ b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
@@ -64,14 +64,25 @@ pref("dom.push.maxQuotaPerSubscription", 0);
 pref("services.push.enabled", false);
 pref("services.push.serverURL", "");
 
+// Make sure DOM "beforeunload" is off, caches user pages in bfcache and tries to stop user from closing page.
+// https://developer.mozilla.org/en-US/docs/Web/Events/beforeunload
+pref("dom.disable_beforeunload", true);
+pref("dom.require_user_interaction_for_beforeunload", false);
+
 // Disable Kinto Cloud
 // Note: Pref may change name in future release
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1266235#c2
-pref("services.kinto.base", "");
+// https://hg.mozilla.org/releases/mozilla-release/file/c1de04f39fa956cfce83f6065b0e709369215ed5/services/common/kinto-updater.js
+pref("services.kinto.base", "data:application/json,{}");
+pref("services.kinto.changes.path", "");
 
 // Disable MDNS (Supposedly only for Android but is in Desktop version also)
 // https://hg.mozilla.org/releases/mozilla-beta/file/00bcc10b3bdc/dom/presentation/provider/MulticastDNSDeviceProvider.cpp#l18
 pref("dom.presentation.discovery.enabled", false);
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1278205
+pref("dom.presentation.controller.enabled", false);
+pref("dom.presentation.receiver.enabled", false);
+pref("dom.presentation.tcp_server.debug", false);
 pref("dom.presentation.discoverable", false);
 pref("dom.presentation.discovery.legacy.enabled", false);
 
@@ -79,6 +90,9 @@ pref("dom.presentation.discovery.legacy.enabled", false);
 // http://dev.w3.org/html5/webstorage/#dom-localstorage
 // you can also see this with Panopticlick's "DOM localStorage"
 pref("dom.storage.enabled",		false);
+// https://developer.mozilla.org/en-US/docs/Web/API/Storage_API
+// https://storage.spec.whatwg.org/
+pref("dom.storageManager.enabled", false);
 
 // Whether JS can get information about the network/browser connection
 // Network Information API provides general information about the system's connection type (WiFi, cellular, etc.)
@@ -91,7 +105,12 @@ pref("dom.network.enabled",				false);
 
 // Disable Web Audio API
 // https://bugzil.la/1288359
-pref("dom.webaudio.enabled",				false);
+pref("dom.webaudio.enabled",					false);
+
+// Audio Recording API (Currently only used by WebRTC)
+// https://hg.mozilla.org/releases/mozilla-beta/file/00bcc10b3bdc/dom/media/MediaManager.cpp#l1942
+pref("media.getusermedia.noise_enabled",		false);
+pref("media.getusermedia.audiocapture.enabled",	false);
 
 // Audio_data is deprecated in future releases, but still present
 // in FF24. This is a dangerous combination (spotted by iSec)
@@ -102,6 +121,14 @@ pref("media.audio_data.enabled", false);
 pref("media.autoplay.enabled", false);
 pref("noscript.forbidMedia", true);
 
+// Disable Device Change API (FF 52+)
+// https://developer.mozilla.org/en-US/docs/Web/Events/devicechange
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1152383
+// https://hg.mozilla.org/releases/mozilla-release/file/a67a1682be8f0327435aaa2f417154330eff0017/dom/webidl/MediaDevices.webidl#l15
+pref("media.ondevicechange.enabled", false);
+// https://hg.mozilla.org/releases/mozilla-release/rev/5022a33fd3e9
+pref("media.ondevicechange.fakeDeviceChangeEvent.enabled", false);
+
 // Don't reveal your internal IP
 // Check the settings with: http://net.ipcalf.com/
 // https://wiki.mozilla.org/Media/WebRTC/Privacy
@@ -168,12 +195,15 @@ pref("dom.gamepad.test.enabled", false);
 
 // Disable virtual reality devices
 // https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
-pref("dom.vr.enabled",					false);
+pref("dom.vr.enabled",						false);
 pref("dom.vr.cardboard.enabled", 				false);
-pref("dom.vr.oculus.enabled", 				false);
-pref("dom.vr.oculus050.enabled",				 false);
-pref("dom.vr.poseprediction.enabled", 				false);
+pref("dom.vr.oculus.enabled",					false);
+pref("dom.vr.oculus050.enabled",				false);
+pref("dom.vr.poseprediction.enabled",			false);
+pref("dom.vr.openvr.enabled",					false);
+// https://hg.mozilla.org/releases/mozilla-release/file/970d0cf1c5d9/modules/libpref/init/all.js#l4778
 pref("dom.vr.add-test-devices", 				0);
+pref("dom.vr.osvr.enabled", false);
 
 // disable notifications
 pref("dom.webnotifications.enabled",			false);
@@ -245,7 +275,7 @@ pref("pointer-lock-api.prefixed.enabled", false);
  // Disable website autorefresh, user can still proceed with warning
 pref("accessibility.blockautorefresh", 			true);
 pref("browser.meta_refresh_when_inactive.disabled",  			true);
-pref("noscript.forbidMetaRefresh",				true);
+pref("noscript.forbidMetaRefresh",				true); // NoScript ignores this preference?
 
 
 // Disable face detection by default
@@ -279,6 +309,11 @@ pref("network.proxy.type", 0);
 // Protect TOR ports
 pref("network.security.ports.banned", "9050,9051,9150,9151");
 
+// Make sure proxy-autoconfig is off to prevent MiTM.
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1255474
+// https://hg.mozilla.org/releases/mozilla-release/rev/5139b0dd7acc
+pref("network.proxy.autoconfig_url.include_path", false);
+
 // https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
 pref("network.proxy.socks_remote_dns",			true);
 
@@ -417,8 +452,14 @@ pref("extensions.getAddons.get.url", "about:blank");
 pref("extensions.getAddons.getWithPerformance.url", "about:blank");
 pref("extensions.getAddons.recommended.url", "about:blank");
 pref("services.settings.server", "");
-// If blocklist downloads, we want it to be signed.
+// If blocklist still downloads, we want it to be signed.
 pref("services.blocklist.signing.enforced", true);
+// Firefox 49: https://hg.mozilla.org/releases/mozilla-release/rev/c6c57d394549
+// https://hg.mozilla.org/releases/mozilla-release/file/c6c57d394549/toolkit/mozapps/extensions/nsBlocklistService.js#l633
+pref("services.blocklist.update_enabled", false);
+// https://hg.mozilla.org/releases/mozilla-release/file/c6c57d394549/services/common/blocklist-updater.js
+pref("services.settings.server", "data:application/json,{\"data\":[]}");
+pref("services.blocklist.changes.path", "");
 
 // Disable Freedom Violating DRM Feature
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1144903#c8
@@ -427,7 +468,15 @@ pref("media.eme.enabled",				false);
 pref("browser.eme.ui.enabled",			false);
 pref("media.gmp-eme-adobe.enabled",		false);
 
-// Fingerprints the user, not HTTPS. Remove it.
+// Google Widevine DRM
+// https://blog.mozilla.org/futurereleases/2016/04/08/mozilla-to-test-widevine-cdm-in-firefox-nightly/
+// https://wiki.mozilla.org/QA/Widevine_CDM
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1288580
+pref("media.gmp-widevinecdm.visible",		false);
+pref("media.gmp-widevinecdm.enabled",		false);
+pref("media.gmp-widevinecdm.autoupdate",	false);
+
+// Fingerprints the user, does not use HTTPS. Remove it.
 pref("pfs.datasource.url", "about:blank");
 pref("pfs.filehint.url", "about:blank");
 
@@ -515,6 +564,7 @@ pref("datareporting.policy.dataSubmissionEnabled",		false);
 pref("datareporting.healthreport.about.reportUrl", "about:blank");
 pref("datareporting.healthreport.documentServerURI", "about:blank");
 pref("datareporting.policy.firstRunTime", 0);
+pref("datareporting.policy.firstRunURL", "");
 
 // Disable new tab tile ads & preload
 // http://www.thewindowsclub.com/disable-remove-ad-tiles-from-firefox
@@ -542,6 +592,13 @@ pref("loop.logDomains",					false);
 pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled",	false);
 pref("browser.tabs.crashReporting.sendReport", 				false);
 pref("breakpad.reportURL",						"about:blank");
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1287178
+// https://hg.mozilla.org/releases/mozilla-release/file/a67a1682be8f0327435aaa2f417154330eff0017/browser/modules/ContentCrashHandlers.jsm#l383
+pref("browser.crashReports.unsubmittedCheck.enabled", 		false);
+// https://hg.mozilla.org/releases/mozilla-release/rev/c94848691f8a
+pref("browser.crashReports.unsubmittedCheck.autoSubmit", 		false);
+// https://hg.mozilla.org/releases/mozilla-release/file/a67a1682be8f0327435aaa2f417154330eff0017/browser/modules/ContentCrashHandlers.jsm#l511
+pref("browser.crashReports.unsubmittedCheck.chancesUntilSuppress", 0);
 
 // Disable Slow Startup Notifications
 pref("browser.slowStartup.maxSamples", 0);
@@ -588,11 +645,11 @@ pref("browser.safebrowsing.provider.google.lists",				"");
 
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1025965
 pref("browser.safebrowsing.phishing.enabled", false);
-pref("browser.safebrowsing.provider.google4.lists", "");
-pref("browser.safebrowsing.provider.google4.updateURL", "");
-pref("browser.safebrowsing.provider.google4.gethashURL", "");
-pref("browser.safebrowsing.provider.google4.reportURL", "");
-pref("browser.safebrowsing.provider.mozilla.lists", "");
+pref("browser.safebrowsing.provider.google4.lists", "about:blank");
+pref("browser.safebrowsing.provider.google4.updateURL", "about:blank");
+pref("browser.safebrowsing.provider.google4.gethashURL", "about:blank");
+pref("browser.safebrowsing.provider.google4.reportURL", "about:blank");
+pref("browser.safebrowsing.provider.mozilla.lists", "about:blank");
 
 // Disable Microsoft Family Safety MiTM support
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1239166
@@ -614,29 +671,6 @@ pref("browser.pocket.site",			"about:blank");
 pref("browser.pocket.useLocaleList",			false);
 pref("browser.toolbarbuttons.introduced.pocket-button", true);
 
-// Disable Hello (Soon to be removed upstream finally!)
-pref("loop.copy.throttler", "about:blank");
-pref("loop.enabled",false);
-pref("loop.facebook.appId", "about:blank");
-pref("loop.facebook.enabled", false);
-pref("loop.facebook.fallbackUrl", "about:blank");
-pref("loop.facebook.shareUrl", "about:blank");
-pref("loop.feedback.baseUrl", "about:blank");
-pref("loop.feedback.formURL", "about:blank");
-pref("loop.feedback.manualFormURL", "about:blank");
-pref("loop.gettingStarted.url", "about:blank");
-pref("loop.learnMoreUrl", "about:blank");
-pref("loop.legal.ToS_url", "about:blank");
-pref("loop.legal.privacy_url", "about:blank");
-pref("loop.linkClicker.url", "about:blank");
-pref("loop.oauth.google.redirect_uri", "about:blank");
-pref("loop.oauth.google.scope", "about:blank");
-pref("loop.remote.autostart", false);
-pref("loop.server", "about:blank");
-pref("loop.soft_start_hostname", "about:blank");
-pref("loop.support_url", "about:blank");
-pref("loop.throttled2", false);
-
 // Disable Social
 pref("social.directories", "");
 pref("social.enabled", false);
@@ -655,7 +689,7 @@ pref("browser.snippets.updateUrl",			"about:blank");
 
 // Disable WAN IP leaks
 pref("captivedetect.canonicalURL", "about:blank");
-pref("noscript.ABE.wanIpAsLocal", false);
+pref("noscript.ABE.wanIpAsLocal", false); // NoScript ignores this preference?
 
 // Disable Default Protocol Handlers, always warn user instead
 pref("network.protocol-handler.external-default", false);
@@ -721,6 +755,7 @@ pref("browser.casting.enabled",				false);
 // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities
 // http://andreasgal.com/2014/10/14/openh264-now-in-firefox/
 pref("media.gmp-gmpopenh264.enabled",			false);
+pref("media.peerconnection.video.h264_enabled", false);
 // Disable Gecko media plugins: https://wiki.mozilla.org/GeckoMediaPlugins
 pref("media.gmp-manager.url",				"");
 pref("media.gmp-manager.url.override", "data:text/plain");
@@ -921,7 +956,7 @@ pref("browser.pagethumbnails.capturing_disabled",		true);
 //pref("dom.event.contextmenu.enabled",		false);
 
 // Don't promote sync
-pref("browser.syncPromoViewsLeftMap", "{\"addons\":0, \"passwords\":0, \"bookmarks\":0}");
+pref("browser.syncPromoViewsLeftMap", "{\"addons\":0,\"bookmarks\":0,\"passwords\":0}");
 
 // CIS 2.3.2 Disable Downloading on Desktop
 pref("browser.download.folderList",			2);
@@ -975,6 +1010,8 @@ pref("browser.shell.checkDefaultBrowser",			false);
 
 // CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
 pref("security.ask_for_password",				0);
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
+pref("signon.formlessCapture.enabled",			false);
 
 // Bug 9881: Open popups in new tabs (to avoid fullscreen popups)
 pref("browser.link.open_newwindow.restriction",	0);
@@ -992,10 +1029,17 @@ pref("security.insecure_field_warning.contextual.enabled", true);
 // https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
 pref("network.stricttransportsecurity.preloadlist",	false);
 
+// Disable HSTS Priming, a beta feature rarely used that allows mixed content on HTTPS pages.
+// https://wicg.github.io/hsts-priming/
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1246540#c145
+// https://hg.mozilla.org/releases/mozilla-release/rev/d7d42cef7968
+pref("security.mixed_content.send_hsts_priming",	false);
+pref("security.mixed_content.use_hsts",			false);
+
 // CIS Version 1.2.0 October 21st, 2011 2.2.4 Enable Online Certificate Status Protocol
 // https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns
-pref("security.OCSP.enabled",				0);
-pref("security.OCSP.require", false);
+pref("security.OCSP.enabled",					0);
+pref("security.OCSP.require",					false);
 
 // https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
 pref("security.ssl.enable_ocsp_stapling",			true);
@@ -1024,11 +1068,14 @@ pref("security.tls.version.max",				3);
 // pinning
 // https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning
 // "2. Strict. Pinning is always enforced."
-pref("security.cert_pinning.enforcement_level",		2);
+pref("security.cert_pinning.enforcement_level",	2);
 
 // disallow SHA-1
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
-//pref("security.pki.sha1_enforcement_level",		1);
+// https://hg.mozilla.org/releases/mozilla-release/rev/43c724bde81c#l3.34
+// http://www.scmagazine.com/mozilla-pulls-back-on-rejecting-sha-1-certs-outright/article/463913/
+// 0 = allow SHA-1; 1 = forbid SHA-1; 2 = allow SHA-1 only if notBefore < 2016-01-01 
+pref("security.pki.sha1_enforcement_level", 1);
 
 // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
 // see also CVE-2009-3555
@@ -1105,17 +1152,17 @@ pref("security.tls.unrestricted_rc4_fallback",		false);
 // https://en.wikipedia.org/wiki/3des#Security
 // http://en.citizendium.org/wiki/Meet-in-the-middle_attack
 // http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
-pref("security.ssl3.dhe_dss_des_ede3_sha",			false);
-pref("security.ssl3.dhe_rsa_des_ede3_sha",			false);
+pref("security.ssl3.dhe_dss_des_ede3_sha",		false);
+pref("security.ssl3.dhe_rsa_des_ede3_sha",		false);
 pref("security.ssl3.ecdh_ecdsa_des_ede3_sha",		false);
 pref("security.ssl3.ecdh_rsa_des_ede3_sha",		false);
-pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha",		false);
+pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha",	false);
 pref("security.ssl3.ecdhe_rsa_des_ede3_sha",		false);
 pref("security.ssl3.rsa_des_ede3_sha",			false);
 pref("security.ssl3.rsa_fips_des_ede3_sha",		false);
 
 // Ciphers with ECDH (without /e$/)
-pref("security.ssl3.ecdh_rsa_aes_256_sha",			false);
+pref("security.ssl3.ecdh_rsa_aes_256_sha",		false);
 pref("security.ssl3.ecdh_ecdsa_aes_256_sha",		false);
 
 // 256 bits without PFS
@@ -1126,7 +1173,7 @@ pref("security.ssl3.ecdhe_rsa_aes_256_sha",		true);
 pref("security.ssl3.ecdhe_ecdsa_aes_256_sha",		true);
 
 // GCM, yes please!
-pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256",	true);
+pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256",		true);
 pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",		true);
 
 // ChaCha20 and Poly1305. Supported since Firefox 47.