Diffstat (limited to 'nonprism/iceweasel-hardened-preferences/iceweasel-branding.js')
-rw-r--r--nonprism/iceweasel-hardened-preferences/iceweasel-branding.js43
1 files changed, 40 insertions, 3 deletions
diff --git a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
index a8cbabf0c..6d903d7dd 100644
--- a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
+++ b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
@@ -17,8 +17,14 @@ pref("layers.acceleration.disabled", true);
pref("gfx.downloadable_fonts.fallback_delay", -1);
pref("intl.charset.default", "windows-1252");
pref("intl.locale.matchOS", false);
+// Set locale to en-US (if you are using localized version of FF)
+pref("intl.accept_languages", "en-US, en");
pref("javascript.use_us_english_locale", true);
pref("noscript.forbidFonts", true);
+// Favicons cause fingerprinting by downloading your entire bookmarks toolbar on start-up.
+pref("browser.chrome.favicons", false);
+pref("browser.chrome.site_icons", false);
+pref("browser.shell.shortcutFavicons", false);
/******************************************************************************
* HTML5 / APIs / DOM *
@@ -38,6 +44,10 @@ pref("dom.mozTCPSocket.enabled", false);
// Disable DOM Shared Workers
// See https://bugs.torproject.org/15562
pref("dom.workers.sharedWorkers.enabled", false);
+// https://developer.mozilla.org/en-US/docs/Web/API/Worker
+// https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
+// https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
+pref("dom.serviceWorkers.enabled", false);
// Disable WebSockets
// https://www.infoq.com/news/2012/03/websockets-security
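Review bot: The added `dom.serviceWorkers.enabled` line has three reference links but no statement of intent, unlike the `// Disable DOM Shared Workers` comment on the pref just above it. I would put `// Disable Service Workers (origin-scoped background scripts, also used for push notifications)` above the links so the reader does not have to open them. The first link points at the generic Worker API, which this pref does not appear to control, so it could be dropped.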
@@ -134,6 +144,7 @@ pref("media.ondevicechange.fakeDeviceChangeEvent.enabled", false);
// https://wiki.mozilla.org/Media/WebRTC/Privacy
pref("media.peerconnection.ice.default_address_only", true); // Firefox < 51
pref("media.peerconnection.ice.no_host", true); // Firefox >= 51
+pref("media.peerconnection.ice.relay_only", true);
// Disable WebRTC entirely
pref("media.peerconnection.enabled", false);
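Review bot: `media.peerconnection.ice.relay_only` is added without any comment, while the two prefs above it are annotated with the Firefox versions they apply to. Suggest `// Only gather TURN relay candidates, so no local or public address is offered through ICE`. Since `media.peerconnection.enabled` is set to false two lines below, this line only matters if a user re-enables WebRTC; saying so in the comment would make the layering explicit.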
@@ -232,6 +243,8 @@ pref("webgl.disable-extensions", false);
pref("webgl.min_capability_mode", true);
pref("webgl.disable-wgl", true);
pref("webgl.enable-webgl2", false);
+// https://trac.torproject.org/projects/tor/ticket/18603
+pref("webgl.disable-fail-if-major-performance-caveat", true);
// somewhat related...
pref("pdfjs.enableWebGL", false);
@@ -724,11 +737,14 @@ pref("services.sync.log.appender.file.logOnError", false);
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F
pref("network.prefetch-next", false);
-// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine
+// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine+
+// GeoIP-based search
+// https://trac.torproject.org/projects/tor/ticket/16254
+pref("browser.search.countryCode", "US");
+pref("browser.search.region", "US");
pref("browser.search.geoip.url", "");
pref("browser.search.geoSpecificDefaults.url", "about:blank");
pref("browser.search.geoSpecificDefaults", false);
-pref("browser.search.geoip.url", "about:blank");
// http://kb.mozillazine.org/Network.dns.disablePrefetch
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
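Review bot: The rewritten reference URL now ends in `default-search-engine+`; the trailing `+` is the only change to that line and looks like a stray diff marker, and it breaks the page anchor. Restore the comment to end in `#w_geolocation-for-default-search-engine`. Separately, `browser.search.geoip.url` is blanked with `""` while `browser.search.geoSpecificDefaults.url` uses `"about:blank"`; using one convention for both would make the intent easier to audit.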
@@ -955,6 +971,11 @@ pref("browser.pagethumbnails.capturing_disabled", true);
// Webpages will not be able to affect the right-click menu
//pref("dom.event.contextmenu.enabled", false);
+// Disable Recently Bookmarked Folder
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1248268
+// https://hg.mozilla.org/releases/mozilla-release/rev/f98e3add979e
+//pref("browser.bookmarks.showRecentlyBookmarked", false);
+
// Don't promote sync
pref("browser.syncPromoViewsLeftMap", "{\"addons\":0,\"bookmarks\":0,\"passwords\":0}");
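Review bot: The new comment reads `Disable Recently Bookmarked Folder`, but the pref beneath it is commented out, so nothing is disabled at runtime. Either activate it as `pref("browser.bookmarks.showRecentlyBookmarked", false);` or reword the heading to say why it is left inactive, for example `// Not applied by default: <reason>`. As written, someone auditing the file against its comments would assume the setting is in force.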
@@ -1010,6 +1031,8 @@ pref("browser.shell.checkDefaultBrowser", false);
// CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
pref("security.ask_for_password", 0);
+// When security.ask_for_password is 2 (every n minutes), lock password storage every 5 minutes (default is 30)
+ pref("security.password_lifetime", 5);
// https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
pref("signon.formlessCapture.enabled", false);
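Review bot: `security.password_lifetime` only takes effect when `security.ask_for_password` is 2, as the added comment itself says, but the context line directly above sets that pref to 0, so the 5-minute timeout is inert in this configuration. If the goal is to re-lock stored credentials after a period, the mode would need to be `pref("security.ask_for_password", 2);`; otherwise the comment should say the value is only a pre-set for users who switch the mode themselves. The added pref line also starts with a stray leading space.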
@@ -1020,6 +1043,12 @@ pref("browser.link.open_newwindow.restriction", 0);
// https://bugzilla.mozilla.org/show_bug.cgi?id=1217162
pref("security.insecure_field_warning.contextual.enabled", true);
+// Enable insecure password warnings (login forms in non-HTTPS pages)
+// https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
+pref("security.insecure_password.ui.enabled", true);
+
/******************************************************************************
* TLS / HTTPS / OCSP related stuff *
* *
@@ -1036,6 +1065,10 @@ pref("network.stricttransportsecurity.preloadlist", false);
pref("security.mixed_content.send_hsts_priming", false);
pref("security.mixed_content.use_hsts", false);
+// OWASP ASVS V9.1
+// https://bugzilla.mozilla.org/show_bug.cgi?id=956906
+pref("signon.storeWhenAutocompleteOff", false);
+
// CIS Version 1.2.0 October 21st, 2011 2.2.4 Enable Online Certificate Status Protocol
// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns
pref("security.OCSP.enabled", 0);
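Review bot: `signon.storeWhenAutocompleteOff` is a password-manager pref, yet it is added inside the TLS / HTTPS / OCSP section, between the HSTS prefs and the OCSP block. Placing it next to `signon.formlessCapture.enabled` (visible in an earlier hunk) would keep the credential-storage settings together and easier to review. The comment names only `OWASP ASVS V9.1` and a bug link; add a line such as `// Do not save logins from forms that set autocomplete="off"`.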
@@ -1063,7 +1096,10 @@ pref("security.enable_tls_session_tickets", false);
// 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
// 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
pref("security.tls.version.min", 1);
-pref("security.tls.version.max", 3);
+pref("security.tls.version.max", 4);
+
+// TLS version fallback
+pref("security.tls.version.fallback-limit", 3);
// pinning
// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning
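Review bot: The new maximum `4` has no entry in the value legend above it (only the `1 =` and `2 =` lines are visible here; the legend starts outside the hunk), and `// TLS version fallback` does not say what `3` means. Suggest adding `// 4 = TLS 1.3` to the legend and changing the fallback comment to `// 3 = insecure version fallback never goes below TLS 1.2`. The context line still sets `security.tls.version.min` to 1, so TLS 1.0 remains negotiable after this change; it is worth confirming that is intended for a hardened profile.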
@@ -1075,6 +1111,7 @@ pref("security.cert_pinning.enforcement_level", 2);
// https://hg.mozilla.org/releases/mozilla-release/rev/43c724bde81c#l3.34
// http://www.scmagazine.com/mozilla-pulls-back-on-rejecting-sha-1-certs-outright/article/463913/
// 0 = allow SHA-1; 1 = forbid SHA-1; 2 = allow SHA-1 only if notBefore < 2016-01-01
+// https://shattered.io/
pref("security.pki.sha1_enforcement_level", 1);
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken