update iceweasel-hardened-preferences for FF52

author: Gaming4JC <g4jc@openmailbox.org> 2017-03-07 21:01:11 -0500
committer: Gaming4JC <g4jc@openmailbox.org> 2017-03-07 21:01:11 -0500
commit: e8cc4e986f6d7c48935b842506d5868361c6619e (patch)
tree: 8a57156b04afd55beff6837239943e269075ce4f /nonprism
parent: 6b88978044968ed299d759bda64197302b564eac (diff)
2 files changed, 28 insertions, 15 deletions
diff --git a/nonprism/iceweasel-hardened-preferences/PKGBUILD b/nonprism/iceweasel-hardened-preferences/PKGBUILD
index e9b16e086..521611d1c 100644
--- a/nonprism/iceweasel-hardened-preferences/PKGBUILD
+++ b/nonprism/iceweasel-hardened-preferences/PKGBUILD
@@ -2,8 +2,8 @@
 # Contributor: André Silva <emulatorman@parabola.nu>
 
 pkgname=iceweasel-hardened-preferences
-pkgver=0.4
-pkgrel=2
+pkgver=0.5
+pkgrel=1
 pkgdesc="Hardened preferences script which runs Iceweasel to protect from a variety of privacy, security, and fingerprinting attacks."
 arch=(any)
 license=(MPL)
@@ -20,11 +20,11 @@ source=('firefox-branding.js'
 'iceweasel-hardened.install')
 sha512sums=('cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e'
             'd542452fa1d619d22e9c9b6e4af58d7310abdc5c81d871a1abbddb0087c53913c8a244af2b7be416a2c439383afc2480c439078ebde0ccac518300d9027b4800'
-            '78db378524df6278b6a3ff946305d444e5bd46032cbdc4337c22ea372322b6957925c5b9bff483d95d9bc8662885b922a7414e1c15ea358fe3f12ef738934c00'
+            '6c62ae49435322b6dc15ea1beede998dd479ea7bdbe0136115b0f6be7145d1cc74091915d199ee631d24bcc741975049c421baadf5a13ab456f7b71bf87b1645'
             'e9baa13d50195ff5be507093c45c00bb06a77c9e633ac183ec2fd74eebb11bfc07bde334fe4455b763e8700cde146ae223578ebd8d13066739220502b6eebff6')
 whirlpoolsums=('19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3'
                'f7cb38e58f644ddeae9f931c290ae1d96e54d0a8937171f2ebad498b65b87f2115cbd0a0f2a55e12dceba7a387e70fd2432678010a87975f8322c9c27b41efd2'
-               '7a432dd6db6ab9834d92703864c8b4a8ff234bfc3834a1ae4cacca6aebd60f8e88aad4959f55aa075f1ed9efa6c0cffbeaad9e4092b7980bfecfcc606a5a8fc6'
+               '840b2d239aeb09b15367c54facecfe9aeb7e2fc10f73e391241fe70a3963da0c69c7eeecefebf96bcd65ade1fec43de6b4113a146e08774901aceb70579716f1'
                '44b57bbbf8f00ffee11afc84f5ea3daedc39e59da3ee91e337c1eaad24c014caf5680eb250e25a3e046db9caaf6829c3b667693de9f040d8864be34b96300bb9')
 
 package() {
diff --git a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
index 78739ebd7..687feaeed 100644
--- a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
+++ b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
@@ -202,7 +202,9 @@ pref("dom.indexedDB.enabled",		false);
 // Disable gamepad input
 // http://www.w3.org/TR/gamepad/
 pref("dom.gamepad.enabled",				false);
+pref("dom.gamepad.non_standard_events.enabled", false);
 pref("dom.gamepad.test.enabled", false);
+pref("dom.gamepad.extensions.enabled", false);
 
 // Disable virtual reality devices
 // https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
@@ -218,6 +220,9 @@ pref("dom.vr.osvr.enabled", false);
 
 // disable notifications
 pref("dom.webnotifications.enabled",			false);
+// https://developer.mozilla.org/en-US/docs/Web/API/Notification/requireInteraction
+// https://bugzilla.mozilla.org/show_bug.cgi?id=862395
+pref("dom.webnotifications.requireinteraction.enabled", false);
 
 // HTML5 privacy https://bugzilla.mozilla.org/show_bug.cgi?id=500328
 pref("browser.history.allowPopState",		false);
@@ -669,6 +674,10 @@ pref("browser.safebrowsing.provider.mozilla.lists", "about:blank");
 // https://wiki.mozilla.org/SecurityEngineering/Untrusted_Certificates_in_Windows_Child_Mode
 // https://hg.mozilla.org/releases/mozilla-release/file/ddb37c386bb2ffa180117b4d30ca3b41a8af233c/security/manager/ssl/nsNSSComponent.cpp#l782
 pref("security.family_safety.mode", 0);
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1265113
+// https://hg.mozilla.org/releases/mozilla-release/rev/d9659c22b3c5
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1298883
+pref("security.enterprise_roots.enabled", false);
 
 // Disable pocket
 // https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox
@@ -909,9 +918,9 @@ pref("privacy.clearOnShutdown.downloads",			true);
 pref("privacy.clearOnShutdown.formdata",			true);
 pref("privacy.clearOnShutdown.history",			true);
 pref("privacy.clearOnShutdown.offlineApps",		true);
-pref("privacy.clearOnShutdown.passwords",			true);
+//pref("privacy.clearOnShutdown.passwords",			true); // Wipes all saved passwords, best to let the user decide.
 pref("privacy.clearOnShutdown.sessions",			true);
-pref("privacy.clearOnShutdown.siteSettings",		true);
+pref("privacy.clearOnShutdown.siteSettings",		true); //  http://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/
 
 // Firefox will store small amounts (less than 50 MB) of data without asking for permission, unless this is set to false
 // https://support.mozilla.org/en-US/questions/1014708
@@ -1021,10 +1030,16 @@ pref("layout.css.visited_links_enabled",			false);
 // http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
 pref("browser.urlbar.autocomplete.enabled",		false);
 
+// Require manual intervention to autofill known username/passwords sign-in forms
 // http://kb.mozillazine.org/Signon.autofillForms
 // https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
 pref("signon.autofillForms",				false);
 
+// Disable the password manager for pages with autocomplete=off
+// Does not prevent any kind of auto-completion (see browser.formfill.enable, signon.autofillForms)
+// OWASP ASVS V9.1, https://bugzilla.mozilla.org/show_bug.cgi?id=956906
+pref("signon.storeWhenAutocompleteOff",			false);
+
 // do not check if firefox is the default browser
 pref("browser.shell.checkDefaultBrowser",			false);
 
@@ -1064,9 +1079,6 @@ pref("network.stricttransportsecurity.preloadlist",	false);
 pref("security.mixed_content.send_hsts_priming",	false);
 pref("security.mixed_content.use_hsts",			false);
 
-// OWASP ASVS V9.1
-// https://bugzilla.mozilla.org/show_bug.cgi?id=956906
-pref("signon.storeWhenAutocompleteOff",			false);
 
 // CIS Version 1.2.0 October 21st, 2011 2.2.4 Enable Online Certificate Status Protocol
 // https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns
@@ -1080,6 +1092,7 @@ pref("security.ssl.enable_ocsp_stapling",			true);
 // NOTICE: this leaks information about the sites you visit to the CA.
 pref("security.OCSP.require",				true);
 
+// Disable TLS Session Tickets
 // https://www.blackhat.com/us-13/briefings.html#NextGen
 // https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
 // https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
@@ -1090,7 +1103,7 @@ pref("security.ssl.disable_session_identifiers",		true);
 pref("security.ssl.enable_false_start",			true);
 pref("security.enable_tls_session_tickets", false);
 
-// TLS 1.[012]
+// TLS 1.[0-3]
 // http://kb.mozillazine.org/Security.tls.version.max
 // 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
 // 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
@@ -1205,12 +1218,12 @@ pref("security.ssl3.ecdh_ecdsa_aes_256_sha",		false);
 pref("security.ssl3.rsa_camellia_256_sha",			false);
 
 // Ciphers with ECDHE and > 128bits
-pref("security.ssl3.ecdhe_rsa_aes_256_sha",		true);
-pref("security.ssl3.ecdhe_ecdsa_aes_256_sha",		true);
+pref("security.ssl3.ecdhe_rsa_aes_256_sha",		true); // 0xc014
+pref("security.ssl3.ecdhe_ecdsa_aes_256_sha",		true); // 0xc00a
 
-// GCM, yes please!
-pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256",		true);
-pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",		true);
+// GCM, yes please! (TLSv1.2 only)
+pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256",	true); // 0xc02b
+pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",		true); // 0xc02f
 
 // ChaCha20 and Poly1305. Supported since Firefox 47.
 // https://www.mozilla.org/en-US/firefox/47.0/releasenotes/
author	Gaming4JC <g4jc@openmailbox.org>	2017-03-07 21:01:11 -0500
committer	Gaming4JC <g4jc@openmailbox.org>	2017-03-07 21:01:11 -0500
commit	e8cc4e986f6d7c48935b842506d5868361c6619e (patch)
tree	8a57156b04afd55beff6837239943e269075ce4f /nonprism
parent	6b88978044968ed299d759bda64197302b564eac (diff)