217 lines
8.2 KiB
Text
217 lines
8.2 KiB
Text
========================================================================================================================
|
|
Build Notes v2 :
|
|
========================================================================================================================
|
|
|
|
- Compress tar.xz
|
|
|
|
tar cfJ <archive.tar.xz> <files>
|
|
|
|
- Files to remove :
|
|
|
|
crash-reporter...
|
|
crash-reporter...
|
|
removed-files
|
|
update...
|
|
update...
|
|
update...
|
|
browser/feature/webcomp...
|
|
browser/feature/webcomp...
|
|
browser/feature/...
|
|
|
|
- Tor files to remove :
|
|
|
|
Classic removal plus
|
|
https-everywhere addon
|
|
profile.meek-http-helper...
|
|
|
|
- Patching release :
|
|
|
|
>browser.omni.ja.chrome.browser.content.browser.preferences.in-content.privacy.origin (patch with winrar)
|
|
Tor : patch mozilla.cfg
|
|
|
|
- Tor windows :
|
|
|
|
Install it to desktop then get the files
|
|
(Only the lnk file is a new file compared to compressed version)
|
|
remove lnk file
|
|
add link.vbs
|
|
add bat file
|
|
|
|
- Tor mac :
|
|
|
|
Under mac, mount and extract all content to a folder
|
|
Copy by command .DS_Store (from dmg to folder)
|
|
run "codesign --remove-signature Tor\ Browser.app".
|
|
With disk utils, create a dmg from a folder (nocompression rw)
|
|
We are converting iso-dmg to dmg...
|
|
|
|
========================================================================================================================
|
|
JS Note & Debugging :
|
|
========================================================================================================================
|
|
|
|
// ----------
|
|
// CSP Note :
|
|
// ----------
|
|
//
|
|
// Syntax :
|
|
// One or more sources can be allowed for the default-src policy:
|
|
// Content-Security-Policy: default-src <source> <source>;
|
|
// Content-Security-Policy: default-src <source>;
|
|
//
|
|
// default-src is a fallback for :
|
|
// - child-src
|
|
// - connect-src
|
|
// - font-src
|
|
// - frame-src
|
|
// - img-src
|
|
// - manifest-src
|
|
// - media-src
|
|
// - object-src
|
|
// - prefetch-src
|
|
// - script-src
|
|
// - style-src
|
|
// - worker-src
|
|
//
|
|
// <source> can be one of the following:
|
|
//
|
|
// 'none'
|
|
// Refers to the empty set; that is, no URLs match. The single quotes are required.
|
|
//
|
|
// 'self'
|
|
// Refers to the origin from which the protected document is being served,
|
|
// including the same URL scheme and port number. You must include the single quotes.
|
|
// Some browsers specifically exclude blob and filesystem from source directives.
|
|
// Sites needing to allow these content types can specify them using the Data attribute.
|
|
//
|
|
// 'unsafe-inline'
|
|
// Allows the use of inline resources, such as inline <script> elements, javascript:
|
|
// URLs, inline event handlers, and inline <style> elements. You must include the single quotes.
|
|
//
|
|
// 'unsafe-eval'
|
|
// Allows the use of eval() and similar methods for creating code from strings.
|
|
// You must include the single quotes.
|
|
//
|
|
// <scheme-source>
|
|
// A schema such as 'http:' or 'https:'. The colon is required, single quotes
|
|
// shouldn't be used. You can also specify data schemas (not recommended).
|
|
// - data: Allows data: URIs to be used as a content source. This is insecure;
|
|
// An attacker can also inject arbitrary data: URIs.
|
|
// Use this sparingly and definitely not for scripts.
|
|
// - mediastream: Allows mediastream: URIs to be used as a content source.
|
|
// - blob: Allows blob: URIs to be used as a content source.
|
|
// - filesystem: Allows filesystem: URIs to be used as a content source.
|
|
//
|
|
// <host-source>
|
|
// Internet hosts by name or IP address, as well as an optional URL scheme and/or port number.
|
|
// The site's address may include an optional leading wildcard (the asterisk character, '*'),
|
|
// and you may use a wildcard (again, '*') as the port number, indicating that all
|
|
// legal ports are valid for the source.
|
|
// Examples:
|
|
// - http://*.example.com: Matches all attempts to load from any subdomain of example.com using the http: URL scheme.
|
|
// - mail.example.com:443: Matches all attempts to access port 443 on mail.example.com.
|
|
// - https://store.example.com: Matches all attempts to access store.example.com using https:.
|
|
//
|
|
// Sources :
|
|
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
|
|
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
|
|
|
|
// -----------------
|
|
// Process Isolation
|
|
// -----------------
|
|
//
|
|
// Pref : Separate process for protocol
|
|
// defaultPref("extensions.webextensions.protocol.remote", true); //default true
|
|
//
|
|
// Pref : Separate process for protocol extension
|
|
// defaultPref("extensions.webextensions.remote", false); //default true
|
|
//
|
|
// Process remote (separating process) can partially firewall extension by
|
|
// denying access to some moz-extension (extension internal url like settings page)
|
|
// but this is not reliable not usable for a purpose of firewalling
|
|
// Setting this to false will break moz-extension URI loading
|
|
// unless other process sandboxing and extension remoting prefs are changed.
|
|
// Note, extensions.webextensions.protocol.remote=false is for
|
|
// debugging purposes only. With process-level sandboxing, child
|
|
// processes (specifically content and extension processes), will
|
|
// not be able to load most moz-extension URI's when the pref is
|
|
// set to false.
|
|
|
|
// ------------------
|
|
// Restricted Domains
|
|
// ------------------
|
|
//
|
|
// "extensions.webextensions.restrictedDomains"
|
|
//
|
|
// gHacks set this to empty ""... this is list of blocked domain for ext.
|
|
// Default value :
|
|
// "accounts-static.cdn.mozilla.net,accounts.firefox.com,addons.cdn.mozilla.net,addons.mozilla.org,
|
|
// api.accounts.firefox.com,content.cdn.mozilla.net,content.cdn.mozilla.net,discovery.
|
|
// addons.mozilla.org,input.mozilla.org,install.mozilla.org,oauth.accounts.firefox.
|
|
// com,profile.accounts.firefox.com,support.mozilla.org,sync.services.
|
|
// mozilla.com,testpilot.firefox.com"
|
|
//
|
|
// Managed in
|
|
// AddonManagerWebAPI.cpp
|
|
// WebExtensionPolicy.cpp
|
|
//
|
|
// Check function (When fail directly return deny) :
|
|
//
|
|
// WebExtensionPolicy::IsRestrictedURI
|
|
// - Check againt restrictedDomains (false-allow) domains->Contains
|
|
// - Check if IsValidSite (deny access) (false-allow)
|
|
// --- Check if empty string --(false-allow)
|
|
// --- Check https/http --(false-allow)
|
|
// --- Check SSL --(false-allow)
|
|
// --- Allow those domain directly --(true---deny)
|
|
// "addons.mozilla.org"
|
|
// "discovery.addons.mozilla.org"
|
|
// "testpilot.firefox.com"
|
|
// --- If pref "extensions.webapi.testing" --(true---deny)
|
|
// is true, it allow access to other
|
|
// sites list
|
|
// --- Return false --(false-allow)
|
|
// - Return false (false-allow)
|
|
|
|
// -----------------
|
|
// Other Possibility
|
|
// -----------------
|
|
//
|
|
// Other possibility (securefox extension) compare requests to url... filter etc...
|
|
//
|
|
// Other possibility... recompile and make it a native feature... (may be for futur version)
|
|
// Just invert the code to be !domains->Contains and thus allow only listed domain
|
|
//
|
|
// Other hidden setting
|
|
// int dom.ipc.keepProcessesAlive.extension //hidden settings
|
|
//
|
|
// Conclusion : patching binary "IsRestrictedURI" function OR build own version
|
|
// Durable solution is to rebuild... this feature is paused until futur versions
|
|
//
|
|
|
|
// ---------------------------------------
|
|
// Pref : CSP Settings For Extensions I/II
|
|
// ---------------------------------------
|
|
//
|
|
// Default Value : "
|
|
// script-src 'self' https://* moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline';
|
|
// object-src 'self' https://* moz-extension: blob: filesystem:;
|
|
// "
|
|
//
|
|
// Default Deny Value : "
|
|
// default-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline';
|
|
// script-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline';
|
|
// object-src 'self' moz-extension: blob: filesystem:;
|
|
// "
|
|
//
|
|
// Strict Deny Value : "
|
|
// default-src 'self' moz-extension: blob: filesystem:;
|
|
// script-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline';
|
|
// object-src 'self' moz-extension: blob: filesystem:;
|
|
// "
|
|
//
|
|
// Super Strict Deny Value : "
|
|
// default-src 'none';
|
|
// script-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline';
|
|
// object-src 'self' moz-extension: blob: filesystem:;
|
|
// "
|