Diffstat (limited to 'nonprism/iceweasel-hardened-preferences/iceweasel-branding.js')
-rw-r--r-- | nonprism/iceweasel-hardened-preferences/iceweasel-branding.js | 43 |
1 files changed, 40 insertions, 3 deletions
diff --git a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
index a8cbabf0c..6d903d7dd 100644
--- a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
+++ b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
@@ -17,8 +17,14 @@ pref("layers.acceleration.disabled", true);
 pref("gfx.downloadable_fonts.fallback_delay", -1);
 pref("intl.charset.default", "windows-1252");
 pref("intl.locale.matchOS", false);
+// Set locale to en-US (if you are using localized version of FF)
+pref("intl.accept_languages", "en-US, en");
 pref("javascript.use_us_english_locale", true);
 pref("noscript.forbidFonts", true);
+// Favicons cause fingerprinting by downloading your entire bookmarks toolbar on start-up.
+pref("browser.chrome.favicons", false);
+pref("browser.chrome.site_icons", false);
+pref("browser.shell.shortcutFavicons", false);
 /******************************************************************************
 * HTML5 / APIs / DOM *
@@ -38,6 +44,10 @@ pref("dom.mozTCPSocket.enabled", false);
 // Disable DOM Shared Workers
 // See https://bugs.torproject.org/15562
 pref("dom.workers.sharedWorkers.enabled", false);
+// https://developer.mozilla.org/en-US/docs/Web/API/Worker
+// https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
+// https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
+pref("dom.serviceWorkers.enabled", false);
 // Disable WebSockets
 // https://www.infoq.com/news/2012/03/websockets-security
@@ -134,6 +144,7 @@ pref("media.ondevicechange.fakeDeviceChangeEvent.enabled", false);
 // https://wiki.mozilla.org/Media/WebRTC/Privacy
 pref("media.peerconnection.ice.default_address_only", true); // Firefox < 51
 pref("media.peerconnection.ice.no_host", true); // Firefox >= 51
+pref("media.peerconnection.ice.relay_only", true);
 // Disable WebRTC entirely
 pref("media.peerconnection.enabled", false); 
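Review bot: In the `@@ -134,6 +144,7 @@` hunk, `media.peerconnection.ice.relay_only` is added with no comment, while the two ICE prefs above it each say which Firefox versions they apply to. A one-line comment would help, for example `// Only use TURN relay candidates, so no host or reflexive address is offered if WebRTC is re-enabled`. The context line below sets `media.peerconnection.enabled` to false, so this pref only takes effect when a user turns WebRTC back on; saying that in the comment explains why both are set.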
@@ -232,6 +243,8 @@ pref("webgl.disable-extensions", false);
 pref("webgl.min_capability_mode", true);
 pref("webgl.disable-wgl", true);
 pref("webgl.enable-webgl2", false);
+// https://trac.torproject.org/projects/tor/ticket/18603
+pref("webgl.disable-fail-if-major-performance-caveat", true);
 // somewhat related...
 pref("pdfjs.enableWebGL", false);
@@ -724,11 +737,14 @@ pref("services.sync.log.appender.file.logOnError", false);
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F
 pref("network.prefetch-next", false);
-// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine
+// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine+
+// GeoIP-based search
+// https://trac.torproject.org/projects/tor/ticket/16254
+pref("browser.search.countryCode", "US");
+pref("browser.search.region", "US");
 pref("browser.search.geoip.url", "");
 pref("browser.search.geoSpecificDefaults.url", "about:blank");
 pref("browser.search.geoSpecificDefaults", false);
-pref("browser.search.geoip.url", "about:blank");
 // http://kb.mozillazine.org/Network.dns.disablePrefetch
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
@@ -955,6 +971,11 @@ pref("browser.pagethumbnails.capturing_disabled", true);
 // Webpages will not be able to affect the right-click menu
 //pref("dom.event.contextmenu.enabled", false);
+// Disable Recently Bookmarked Folder
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1248268
+// https://hg.mozilla.org/releases/mozilla-release/rev/f98e3add979e
+//pref("browser.bookmarks.showRecentlyBookmarked", false);
+
 // Don't promote sync
 pref("browser.syncPromoViewsLeftMap", "{\"addons\":0,\"bookmarks\":0,\"passwords\":0}"); 
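Review bot: In the `@@ -724,11 +737,14 @@` hunk, the support.mozilla.org comment is removed and re-added with a trailing `+` (`...#w_geolocation-for-default-search-engine+`), which looks like a leftover diff marker and changes the URL fragment. The line should end as it did before, in `#w_geolocation-for-default-search-engine`. The two new prefs `browser.search.countryCode` and `browser.search.region` pin the search region to "US"; if the intent of the linked ticket is to avoid a GeoIP lookup, a short comment such as `// Fixed region so the search service does not need a GeoIP lookup` would say so.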
@@ -1010,6 +1031,8 @@ pref("browser.shell.checkDefaultBrowser", false);
 // CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
 pref("security.ask_for_password", 0);
+// When security.ask_for_password is 2 (every n minutes), lock password storage every 5 minutes (default is 30)
+ pref("security.password_lifetime", 5);
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
 pref("signon.formlessCapture.enabled", false);
@@ -1020,6 +1043,12 @@ pref("browser.link.open_newwindow.restriction", 0);
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1217162
 pref("security.insecure_field_warning.contextual.enabled", true);
+// Enable insecure password warnings (login forms in non-HTTPS pages)
+// https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
+pref("security.insecure_password.ui.enabled", true);
+
 /******************************************************************************
 * TLS / HTTPS / OCSP related stuff *
 * *
@@ -1036,6 +1065,10 @@ pref("network.stricttransportsecurity.preloadlist", false);
 pref("security.mixed_content.send_hsts_priming", false);
 pref("security.mixed_content.use_hsts", false);
+// OWASP ASVS V9.1
+// https://bugzilla.mozilla.org/show_bug.cgi?id=956906
+pref("signon.storeWhenAutocompleteOff", false);
+
 // CIS Version 1.2.0 October 21st, 2011 2.2.4 Enable Online Certificate Status Protocol
 // https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns
 pref("security.OCSP.enabled", 0); 
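Review bot: In the `@@ -1010,6 +1031,8 @@` hunk, the added comment says `security.password_lifetime` applies when `security.ask_for_password` is 2, but the context line directly above keeps `security.ask_for_password` at 0, so the 5-minute lock described here does not take effect with the file as shown. If the periodic re-lock of stored passwords is wanted, the line above would need to be `pref("security.ask_for_password", 2);`. Otherwise the comment should say that the lifetime value is inert under mode 0, so a reader auditing the profile does not assume the lock is active.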
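Review bot: In the `@@ -1036,6 +1065,10 @@` hunk, `signon.storeWhenAutocompleteOff` is a password-manager pref but is inserted between the HSTS prefs and the OCSP block of the TLS / HTTPS / OCSP section, away from `signon.formlessCapture.enabled` in the earlier hunk. Moving it next to the other `signon.*` prefs would keep the password-storage settings auditable in one place. The comment gives only references; a line such as `// Do not save passwords from fields marked autocomplete="off"` would state what the pref does.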
@@ -1063,7 +1096,10 @@ pref("security.enable_tls_session_tickets", false);
 // 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
 // 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
 pref("security.tls.version.min", 1);
-pref("security.tls.version.max", 3);
+pref("security.tls.version.max", 4);
+
+// TLS version fallback
+pref("security.tls.version.fallback-limit", 3);
 // pinning
 // https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning
@@ -1075,6 +1111,7 @@ pref("security.cert_pinning.enforcement_level", 2);
 // https://hg.mozilla.org/releases/mozilla-release/rev/43c724bde81c#l3.34
 // http://www.scmagazine.com/mozilla-pulls-back-on-rejecting-sha-1-certs-outright/article/463913/
 // 0 = allow SHA-1; 1 = forbid SHA-1; 2 = allow SHA-1 only if notBefore < 2016-01-01
+// https://shattered.io/
 pref("security.pki.sha1_enforcement_level", 1);
 // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken |
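Review bot: In the `@@ -1063,7 +1096,10 @@` hunk, `security.tls.version.max` is raised to 4 while the context line `pref("security.tls.version.min", 1);` still permits TLS 1.0 according to the legend above it, so the range is widened at the top without tightening the bottom. For a hardened profile consider `pref("security.tls.version.min", 3);` if site compatibility allows. The legend documents only values 1 and 2; extending it with `// 3 = TLS 1.2` and `// 4 = TLS 1.3` would let the new max and the `fallback-limit` of 3 be read without looking them up.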