summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--nonprism/iceweasel-hardened-preferences/PKGBUILD14
-rw-r--r--nonprism/iceweasel-hardened-preferences/iceweasel-branding.js43
2 files changed, 47 insertions, 10 deletions
diff --git a/nonprism/iceweasel-hardened-preferences/PKGBUILD b/nonprism/iceweasel-hardened-preferences/PKGBUILD
index 97296d4db..30f4e1da1 100644
--- a/nonprism/iceweasel-hardened-preferences/PKGBUILD
+++ b/nonprism/iceweasel-hardened-preferences/PKGBUILD
@@ -2,7 +2,7 @@
# Contributor: André Silva <emulatorman@parabola.nu>
pkgname=iceweasel-hardened-preferences
-pkgver=0.3
+pkgver=0.4
pkgrel=1
pkgdesc="Hardened preferences script which runs Iceweasel to protect from a variety of privacy, security, and fingerprinting attacks."
arch=(any)
@@ -19,13 +19,13 @@ source=('firefox-branding.js'
'iceweasel-branding.js'
'iceweasel-hardened.install')
sha512sums=('cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e'
-'d542452fa1d619d22e9c9b6e4af58d7310abdc5c81d871a1abbddb0087c53913c8a244af2b7be416a2c439383afc2480c439078ebde0ccac518300d9027b4800'
-'b5e36db1b8934358c5477b32c7d4c5e990bdf22066cc2382f6a9b9992b21704518a60a5e1710cf3722290a9a1d7af87d0930d5ceab2624503a7545cebd8a6085'
-'e9baa13d50195ff5be507093c45c00bb06a77c9e633ac183ec2fd74eebb11bfc07bde334fe4455b763e8700cde146ae223578ebd8d13066739220502b6eebff6')
+ 'd542452fa1d619d22e9c9b6e4af58d7310abdc5c81d871a1abbddb0087c53913c8a244af2b7be416a2c439383afc2480c439078ebde0ccac518300d9027b4800'
+ '1f78311f279ed4bac4b7b411ab116fa0eded389b64bdb689249f79445195ff4af41c00586c90d361bee07341db435e7707c360f0e9681a7ac04b50b70f4fb748'
+ 'e9baa13d50195ff5be507093c45c00bb06a77c9e633ac183ec2fd74eebb11bfc07bde334fe4455b763e8700cde146ae223578ebd8d13066739220502b6eebff6')
whirlpoolsums=('19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3'
-'f7cb38e58f644ddeae9f931c290ae1d96e54d0a8937171f2ebad498b65b87f2115cbd0a0f2a55e12dceba7a387e70fd2432678010a87975f8322c9c27b41efd2'
-'fb08d3dc1c264714c8f20389fb0201b7e9917e0499890821baa3cc38c3b698bc83f63bb8d6522362032e86366dd92fd89e66f8742777892b8d4de150bc8158dc'
-'44b57bbbf8f00ffee11afc84f5ea3daedc39e59da3ee91e337c1eaad24c014caf5680eb250e25a3e046db9caaf6829c3b667693de9f040d8864be34b96300bb9')
+ 'f7cb38e58f644ddeae9f931c290ae1d96e54d0a8937171f2ebad498b65b87f2115cbd0a0f2a55e12dceba7a387e70fd2432678010a87975f8322c9c27b41efd2'
+ '55cffabc1a093a9179213d4f47d618c20f6b03dc33d4d199663d79dc7610e0103ecc19f7e25fdbbcb228048fcd64b0677930e2bbe3243fe223ba3c919e9ae6fc'
+ '44b57bbbf8f00ffee11afc84f5ea3daedc39e59da3ee91e337c1eaad24c014caf5680eb250e25a3e046db9caaf6829c3b667693de9f040d8864be34b96300bb9')
package() {
install -Dm644 iceweasel-branding.js "$pkgdir"/usr/lib/iceweasel/browser/defaults/preferences/iceweasel-branding.js
diff --git a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
index a8cbabf0c..6d903d7dd 100644
--- a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
+++ b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
@@ -17,8 +17,14 @@ pref("layers.acceleration.disabled", true);
pref("gfx.downloadable_fonts.fallback_delay", -1);
pref("intl.charset.default", "windows-1252");
pref("intl.locale.matchOS", false);
+// Set locale to en-US (if you are using localized version of FF)
+pref("intl.accept_languages", "en-US, en");
pref("javascript.use_us_english_locale", true);
pref("noscript.forbidFonts", true);
+// Favicons cause fingerprinting by downloading your entire bookmarks toolbar on start-up.
+pref("browser.chrome.favicons", false);
+pref("browser.chrome.site_icons", false);
+pref("browser.shell.shortcutFavicons", false);
/******************************************************************************
* HTML5 / APIs / DOM *
@@ -38,6 +44,10 @@ pref("dom.mozTCPSocket.enabled", false);
// Disable DOM Shared Workers
// See https://bugs.torproject.org/15562
pref("dom.workers.sharedWorkers.enabled", false);
+// https://developer.mozilla.org/en-US/docs/Web/API/Worker
+// https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
+// https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
+pref("dom.serviceWorkers.enabled", false);
// Disable WebSockets
// https://www.infoq.com/news/2012/03/websockets-security
@@ -134,6 +144,7 @@ pref("media.ondevicechange.fakeDeviceChangeEvent.enabled", false);
// https://wiki.mozilla.org/Media/WebRTC/Privacy
pref("media.peerconnection.ice.default_address_only", true); // Firefox < 51
pref("media.peerconnection.ice.no_host", true); // Firefox >= 51
+pref("media.peerconnection.ice.relay_only", true);
// Disable WebRTC entirely
pref("media.peerconnection.enabled", false);
@@ -232,6 +243,8 @@ pref("webgl.disable-extensions", false);
pref("webgl.min_capability_mode", true);
pref("webgl.disable-wgl", true);
pref("webgl.enable-webgl2", false);
+// https://trac.torproject.org/projects/tor/ticket/18603
+pref("webgl.disable-fail-if-major-performance-caveat", true);
// somewhat related...
pref("pdfjs.enableWebGL", false);
@@ -724,11 +737,14 @@ pref("services.sync.log.appender.file.logOnError", false);
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F
pref("network.prefetch-next", false);
-// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine
+// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine+
+// GeoIP-based search
+// https://trac.torproject.org/projects/tor/ticket/16254
+pref("browser.search.countryCode", "US");
+pref("browser.search.region", "US");
pref("browser.search.geoip.url", "");
pref("browser.search.geoSpecificDefaults.url", "about:blank");
pref("browser.search.geoSpecificDefaults", false);
-pref("browser.search.geoip.url", "about:blank");
// http://kb.mozillazine.org/Network.dns.disablePrefetch
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
@@ -955,6 +971,11 @@ pref("browser.pagethumbnails.capturing_disabled", true);
// Webpages will not be able to affect the right-click menu
//pref("dom.event.contextmenu.enabled", false);
+// Disable Recently Bookmarked Folder
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1248268
+// https://hg.mozilla.org/releases/mozilla-release/rev/f98e3add979e
+//pref("browser.bookmarks.showRecentlyBookmarked", false);
+
// Don't promote sync
pref("browser.syncPromoViewsLeftMap", "{\"addons\":0,\"bookmarks\":0,\"passwords\":0}");
@@ -1010,6 +1031,8 @@ pref("browser.shell.checkDefaultBrowser", false);
// CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
pref("security.ask_for_password", 0);
+// When security.ask_for_password is 2 (every n minutes), lock password storage every 5 minutes (default is 30)
+ pref("security.password_lifetime", 5);
// https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
pref("signon.formlessCapture.enabled", false);
@@ -1020,6 +1043,12 @@ pref("browser.link.open_newwindow.restriction", 0);
// https://bugzilla.mozilla.org/show_bug.cgi?id=1217162
pref("security.insecure_field_warning.contextual.enabled", true);
+// Enable insecure password warnings (login forms in non-HTTPS pages)
+// https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
+pref("security.insecure_password.ui.enabled", true);
+
/******************************************************************************
* TLS / HTTPS / OCSP related stuff *
* *
@@ -1036,6 +1065,10 @@ pref("network.stricttransportsecurity.preloadlist", false);
pref("security.mixed_content.send_hsts_priming", false);
pref("security.mixed_content.use_hsts", false);
+// OWASP ASVS V9.1
+// https://bugzilla.mozilla.org/show_bug.cgi?id=956906
+pref("signon.storeWhenAutocompleteOff", false);
+
// CIS Version 1.2.0 October 21st, 2011 2.2.4 Enable Online Certificate Status Protocol
// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns
pref("security.OCSP.enabled", 0);
@@ -1063,7 +1096,10 @@ pref("security.enable_tls_session_tickets", false);
// 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
// 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
pref("security.tls.version.min", 1);
-pref("security.tls.version.max", 3);
+pref("security.tls.version.max", 4);
+
+// TLS version fallback
+pref("security.tls.version.fallback-limit", 3);
// pinning
// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning
@@ -1075,6 +1111,7 @@ pref("security.cert_pinning.enforcement_level", 2);
// https://hg.mozilla.org/releases/mozilla-release/rev/43c724bde81c#l3.34
// http://www.scmagazine.com/mozilla-pulls-back-on-rejecting-sha-1-certs-outright/article/463913/
// 0 = allow SHA-1; 1 = forbid SHA-1; 2 = allow SHA-1 only if notBefore < 2016-01-01
+// https://shattered.io/
pref("security.pki.sha1_enforcement_level", 1);
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken