Add more prefs and metadata to the json files

This commit is contained in:
Shreyas Minocha 2020-04-13 19:22:02 +05:30
parent 8ae1650721
commit 6f1c31f49c
No known key found for this signature in database
GPG key ID: 3740FE9FC5772203
8 changed files with 285 additions and 307 deletions


@ -1,5 +0,0 @@
//lockPref("dom.indexedDB.logging.details", false);
//lockPref("dom.indexedDB.logging.enabled", false);
//lockPref("network.http.spdy.enabled", false);
//lockPref("network.http.spdy.enabled.deps", false);
//lockPref("network.http.spdy.enabled.http2", false);


@ -7,10 +7,50 @@
"value": true
},
{
"enabled": false,
"comments": "",
"type": "lockPref",
"key": "dom.indexedDB.logging.details",
"value": false
},
{
"enabled": false,
"comments": "",
"type": "lockPref",
"key": "dom.indexedDB.logging.enabled",
"value": false
},
{
"comments": "",
"type": "lockPref",
"key": "dom.w3c_pointer_events.enabled",
"value": false
},
{
"enabled": false,
"comments": "",
"type": "lockPref",
"key": "network.http.spdy.enabled",
"value": false
},
{
"enabled": false,
"comments": "",
"type": "lockPref",
"key": "network.http.spdy.enabled.deps",
"value": false
},
{
"enabled": false,
"comments": "",
"type": "lockPref",
"key": "network.http.spdy.enabled.http2",
"value": false
}
]
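Review bot: The `enabled` key appears only on the entries imported from commented-out prefs (`"enabled": false`), while the `dom.w3c_pointer_events.enabled` entry in the middle of this hunk carries no `enabled` key at all, so "absent means enabled" is a rule the file relies on but never states. The same pattern holds in the other three JSON sections of this commit, and it sits next to a second convention for "no value": `comments` is written as `""` when there is nothing to say, whereas `notes` and `references` are simply omitted. Either write `"enabled": true` on every entry, or record the defaults where whatever tool consumes these files and future contributors can see them, e.g. a JSON Schema with `"enabled": {"type": "boolean", "default": true}` and `comments` marked optional. I would also drop the empty `"comments": ""` strings in favour of omission so the three descriptive keys follow one policy.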


@ -1,4 +0,0 @@
//defaultPref("intl.accept_languages", "en-US, en"); //This make lang windows unusable
//defaultPref("network.http.sendRefererHeader", 1);
//defaultPref("extensions.ui.dictionary.hidden", false);
//defaultPref("extensions.ui.locale.hidden", false);


@ -7,6 +7,15 @@
"value": 2
},
{
"enabled": false,
"comments": "",
"notes": "This makes lang windows unusable",
"type": "defaultPref",
"key": "intl.accept_languages",
"value": "en-US, en"
},
{
"comments": "",
"type": "defaultPref",
@ -84,6 +93,14 @@
"value": false
},
{
"enabled": false,
"comments": "",
"type": "defaultPref",
"key": "network.http.sendRefererHeader",
"value": 1
},
{
"comments": "",
"type": "defaultPref",
@ -173,5 +190,21 @@
"type": "defaultPref",
"key": "extensions.ui.experiment.hidden",
"value": false
},
{
"enabled": false,
"comments": "",
"type": "defaultPref",
"key": "extensions.ui.dictionary.hidden",
"value": false
},
{
"enabled": false,
"comments": "",
"type": "defaultPref",
"key": "extensions.ui.locale.hidden",
"value": false
}
]
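Review bot: Three of the four entries this section imports with `"enabled": false` (`network.http.sendRefererHeader`, `extensions.ui.dictionary.hidden`, `extensions.ui.locale.hidden`) have `"comments": ""` and no `notes`, so a maintainer cannot tell whether they were switched off deliberately or are just leftover experiments. The `intl.accept_languages` entry shows the intended shape: its `notes` line carries the reason it is off. The original `.js` lines had no reason either, so if none is known, say so explicitly rather than leaving the field empty, e.g. `"notes": "Disabled when imported; reason not recorded — TODO confirm whether this should be re-enabled"`. The `network.http.sendRefererHeader` entry in particular changes referrer behaviour and deserves a one-line justification either way.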


@ -1,128 +0,0 @@
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Performance 1/5
// Defaulting settings - HW Settings can be checked under about:support
// Bench Diff : +650/5000
// >>>>>>>>>>>>>>>>>>>>>>
// Bench Diff : +100/5000
// Pref : Increases animation speed. May mitigate choppy scrolling.
defaultPref("layout.frame_rate.precise", true);
// Bench Diff : +500/5000
// Pref : Enable Hardware Acceleration and Off Main Thread Compositing (OMTC).
// It's likely your browser is already set to use these features.
// May introduce instability on some hardware.
// Tor compatibility - have inverted values in tor.
defaultPref("webgl.force-enabled", true);
defaultPref("layers.acceleration.force-enabled", true);
// Pref : 2508: disable hardware acceleration to reduce graphics fingerprinting
// [SETTING] General>Performance>Custom>Use hardware acceleration when available
// [SETUP-PERF] Affects text rendering (fonts will look different) and impacts video performance.
// Parts of Quantum that utilize the GPU will also be affected as they are rolled out
// [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration
// Resolved by extension
defaultPref("gfx.direct2d.disabled", false); // [WINDOWS]
defaultPref("layers.acceleration.disabled", false);
// Bench Diff : 0/5000
// Pref :
defaultPref("html5.offmainthread", true); //default true
defaultPref("layers.offmainthreadcomposition.enabled", true);
defaultPref("layers.offmainthreadcomposition.async-animations", true);
defaultPref("layers.async-video.enabled", true);
// Bench Diff : +50/5000
// Pref : Deprecated Active
defaultPref("browser.tabs.animate", false);
// Pref : The impact for this one is negligible
//defaultPref("browser.download.animateNotifications", false);
// Bench Diff : -80/5000
// Pref : Spoof CPU Core Def 16
// Default settings seems to be the best
//defaultPref("dom.maxHardwareConcurrency", 8);
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Performance 2/5
// Bench Diff : -800/5000
// >>>>>>>>>>>>>>>>>>>>>>
// Bench Diff : -500/5000
// Pref : Tell garbage collector to start running when javascript is using xx MB of memory.
// Garbage collection releases memory back to the system.
// Default settings seems to be the best
//lockPref("javascript.options.mem.high_water_mark", 96);
// Bench Diff : -200/5000
// Pref : Disable WebAssembly
// https://webassembly.org/
// https://en.wikipedia.org/wiki/WebAssembly
// https://trac.torproject.org/projects/tor/ticket/21549
// Solved by extension disabled here for performance
//lockPref("javascript.options.wasm", false);
// Bench Diff : -100/5000
// Pref : Prevent font fingerprinting
// https://browserleaks.com/fonts
// https://github.com/pyllyukko/user.js/issues/120
// Solved by extension disabled here for performance
//lockPref("browser.display.use_document_fonts", 0);
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Performance 3/5
// Bench Diff : -1720/5000
// >>>>>>>>>>>>>>>>>>>>>>>
// Bench Diff : -220/5000
// Pref : Disable webGL I/II
// WebGL introduces high fingerprinting (WebGL is a js API for directly accessing hardware)
defaultPref("webgl.disabled", false); // Tor have it false but the rest is the same (webgl)
// This does not leak
lockPref("webgl.enable-webgl2", false);
lockPref("webgl.min_capability_mode", true);
// Bench Diff : 0/5000
// Pref : Disable webGL II/II
// WebGL introduces high fingerprinting (WebGL is a js API for directly accessing hardware)
lockPref("pdfjs.enableWebGL", false);
lockPref("webgl.disable-extensions", true);
lockPref("webgl.disable-fail-if-major-performance-caveat", true);
lockPref("webgl.enable-debug-renderer-info", false); //Deprecated Active
// Bench Diff : -1500/5000
// Pref : Disable asm.js
// http://asmjs.org/
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712
// Solved by extension disabled here for performance
// Tor enforce this
//lockPref("javascript.options.asmjs", false);
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Performance 4/5
// Bench Diff : -200/5000
// >>>>>>>>>>>>>>>>>>>>>>
// Bench Diff : -200/5000
// Pref : JS Shared Memory - Default false
// https://github.com/MrAlex94/Waterfox/issues/356
lockPref("javascript.options.shared_memory", false);
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Performance 5/5
// Bench Diff : -50/5000
// >>>>>>>>>>>>>>>>>>>>>
// Bench Diff : -50/5000
// Pref : 2302 : disable service workers
// Service workers essentially act as proxy servers that sit between web apps, and the browser
// and network. They are event-driven, and can control the web page/site it is associated with,
// intercepting and modifying navigation and resource requests, and caching resources.
// SW may decrease performance depending on the script that is running in background.
// So overall, disabling SW should enhance performance because it blocks SW Scripts.
// [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode.
// [NOTE] Service workers only run over HTTPS. Service Workers have no DOM access.
lockPref("dom.serviceWorkers.enabled", false);


@ -1,38 +1,49 @@
[
{
"comments": "",
"comments": "Increases animation speed",
"notes": "May mitigate choppy scrolling",
"type": "defaultPref",
"key": "layout.frame_rate.precise",
"value": true
},
{
"comments": "",
"comments": "Enable Hardware Acceleration and Off Main Thread Compositing (OMTC)",
"notes": "It's likely your browser is already set to use these features. May introduce instability on some hardware. Tor compatibility - have inverted values in tor.",
"type": "defaultPref",
"key": "webgl.force-enabled",
"value": true
},
{
"comments": "",
"comments": "Enable Hardware Acceleration and Off Main Thread Compositing (OMTC)",
"notes": "It's likely your browser is already set to use these features. May introduce instability on some hardware. Tor compatibility - have inverted values in tor.",
"type": "defaultPref",
"key": "layers.acceleration.force-enabled",
"value": true
},
{
"comments": "",
"comments": "Disable hardware acceleration to reduce graphics fingerprinting",
"notes": "[WINDOWS]\nAffects text rendering (fonts will look different) and impacts video performance. Parts of Quantum that utilize the GPU will also be affected as they are rolled out\nGeneral>Performance>Custom>Use hardware acceleration when available",
"type": "defaultPref",
"key": "gfx.direct2d.disabled",
"value": false
"value": false,
"references": [
"https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration"
]
},
{
"comments": "",
"comments": "Disable hardware acceleration to reduce graphics fingerprinting",
"notes": "Affects text rendering (fonts will look different) and impacts video performance. Parts of Quantum that utilize the GPU will also be affected as they are rolled out\nGeneral>Performance>Custom>Use hardware acceleration when available",
"type": "defaultPref",
"key": "layers.acceleration.disabled",
"value": false
"value": false,
"references": [
"https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration"
]
},
{
@ -65,27 +76,83 @@
{
"comments": "",
"notes": "Deprecated Active",
"type": "defaultPref",
"key": "browser.tabs.animate",
"value": false
},
{
"enabled": false,
"comments": "",
"notes": "The impact for this one is negligible",
"type": "defaultPref",
"key": "browser.download.animateNotifications",
"value": false
},
{
"enabled": false,
"comments": "Spoof CPU Core Def 16",
"notes": "Default settings seems to be the best",
"type": "defaultPref",
"key": "dom.maxHardwareConcurrency",
"value": 8
},
{
"enabled": false,
"comments": "Tell garbage collector to start running when javascript is using xx MB of memory.",
"notes": "Garbage collection releases memory back to the system. Default settings seems to be the best",
"type": "lockPref",
"key": "javascript.options.mem.high_water_mark",
"value": 96
},
{
"enabled": false,
"comments": "Disable WebAssembly",
"notes": "Solved by extension disabled here for performance",
"type": "lockPref",
"key": "javascript.options.wasm",
"value": false,
"references": [
"https://webassembly.org/",
"https://en.wikipedia.org/wiki/WebAssembly",
"https://trac.torproject.org/projects/tor/ticket/21549"
]
},
{
"enabled": false,
"comments": "Prevent font fingerprinting",
"notes": "Solved by extension disabled here for performance",
"type": "lockPref",
"key": "browser.display.use_document_fonts",
"value": 0,
"references": [
"https://browserleaks.com/fonts",
"https://github.com/pyllyukko/user.js/issues/120"
]
},
{
"comments": "",
"notes": "WebGL introduces high fingerprinting (WebGL is a js API for directly accessing hardware). Tor has it as `false` but the rest is the same.",
"type": "defaultPref",
"key": "webgl.disabled",
"value": false
},
{
"comments": "",
"comments": "This prevents WebGL data leaks",
"type": "lockPref",
"key": "webgl.enable-webgl2",
"value": false
},
{
"comments": "",
"comments": "This prevents WebGL data leaks",
"type": "lockPref",
"key": "webgl.min_capability_mode",
"value": true
@ -114,20 +181,40 @@
{
"comments": "",
"notes": "Deprecated Active",
"type": "lockPref",
"key": "webgl.enable-debug-renderer-info",
"value": false
},
{
"comments": "",
"enabled": false,
"comments": "Disable asm.js",
"notes": "Solved by extension disabled here for performance. Tor enforces this.",
"type": "lockPref",
"key": "javascript.options.shared_memory",
"value": false
"key": "javascript.options.asmjs",
"value": false,
"references": [
"http://asmjs.org/",
"https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/",
"https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712"
]
},
{
"comments": "",
"comments": "JS Shared Memory",
"type": "lockPref",
"key": "javascript.options.shared_memory",
"value": false,
"references": [
"https://github.com/MrAlex94/Waterfox/issues/356"
]
},
{
"comments": "Disable service workers",
"notes": "Service workers essentially act as proxy servers that sit between web apps, and the browser and network. They are event-driven, and can control the web page/site it is associated with, intercepting and modifying navigation and resource requests, and caching resources. SW may decrease performance depending on the script that is running in background. So overall, disabling SW should enhance performance because it blocks SW Scripts.\nService worker APIs are hidden (in Firefox) and cannot be used when in PB mode.\nService workers only run over HTTPS. Service Workers have no DOM access.",
"type": "lockPref",
"key": "dom.serviceWorkers.enabled",
"value": false
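Review bot: The `comments` on the `gfx.direct2d.disabled` and `layers.acceleration.disabled` entries in the first hunk read "Disable hardware acceleration to reduce graphics fingerprinting", but the value written is `false`, which leaves acceleration on; the deleted `.js` block explained this with "Resolved by extension", and that line was dropped in the conversion, so the JSON now contradicts itself. I would reword both to something like `"comments": "Keep hardware acceleration enabled; graphics fingerprinting is mitigated by an extension instead"` and carry the old "Resolved by extension" remark into `notes`. The "[WINDOWS]" tag at the start of the `gfx.direct2d.disabled` notes is platform scope hidden in free text; if the consumer of these files can act on it, a dedicated key such as `"platforms": ["windows"]` would be clearer. The last entry of the final hunk (`dom.serviceWorkers.enabled`) is cut before its closing brace, so the end of the array is outside this view.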


@ -1,129 +0,0 @@
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Security 1/3
// Bench Diff : +0/5000
// >>>>>>>>>>>>>>>>>>>>
// Pref : Enable insecure password warnings (login forms in non-HTTPS pages)
// https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
// https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
// https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
lockPref("security.insecure_password.ui.enabled", true);
// Pref : Show in-content login form warning UI for insecure login fields
// https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
lockPref("security.insecure_field_warning.contextual.enabled", true);
// Pref : Disable HSTS preload list (pre-set HSTS sites list provided by Mozilla)
// https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
// https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
// https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
lockPref("network.stricttransportsecurity.preloadlist", false);
// Pref : Disable TLS Session Tickets
// https://www.blackhat.com/us-13/briefings.html#NextGen
// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
// https://bugzilla.mozilla.org/show_bug.cgi?id=917049
// https://bugzilla.mozilla.org/show_bug.cgi?id=967977
// SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.
// Since the ID is unique, web servers can (and do) use it for tracking. If set to true,
// this disables sending SSL Session IDs and TLS Session Tickets to prevent session tracking
lockPref("security.ssl.disable_session_identifiers", true);
// Pref : Blocking GD Parking Scam Site
// TODO: do we still need this? librefox.com isn't relevant anymore and this pretty much
// only tells LibreWolf to look for librefox.com locally
defaultPref("network.dns.localDomains", "librefox.com");
// Pref : Disable insecure TLS version fallback
// https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
// https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
lockPref("security.tls.version.fallback-limit", 3);
// Pref : Only allow TLS 1.[0-3]
// http://kb.mozillazine.org/Security.tls.version.*
lockPref("security.tls.version.min", 2);
// Pref : Enfore Public Key Pinning
// https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
// "2. Strict. Pinning is always enforced."
lockPref("security.cert_pinning.enforcement_level", 2);
// Pref : Disallow SHA-1
// https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
// https://shattered.io/
lockPref("security.pki.sha1_enforcement_level", 1);
// Pref : Warn the user when server doesn't support RFC 5746 ("safe" renegotiation)
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
lockPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
// Pref : Pre-populate the current URL but do not pre-fetch the certificate in the
// "Add Security Exception" dialog
// http://kb.mozillazine.org/Browser.ssl_override_behavior
// https://github.com/pyllyukko/user.js/issues/210
lockPref("browser.ssl_override_behavior", 1);
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Security 2/3
// Bench Diff : +0/5000
// >>>>>>>>>>>>>>>>>>>>
// Pref :
lockPref("security.ssl.errorReporting.automatic", false);
lockPref("security.ssl.errorReporting.url", "");
// Pref : Check disabled section
// OCSP leaks the visited sites. Exactly same issue as with safebrowsing.
// Stapling forces the site to prove that its certificate is good
// through the CA, so apparently nothing is leaked in this case.
// [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
lockPref("security.OCSP.enabled", 0);
lockPref("security.OCSP.require", false);
lockPref("security.ssl.enable_ocsp_stapling", true);
// Pref :
lockPref("security.ssl.errorReporting.enabled", false);
// Pref : Manage certificates button
//lockPref("security.disable_button.openCertManager", false);
// Disabled because of a bug that disables the button regardless of its value
// Pref : Manage security devices button
//lockPref("security.disable_button.openDeviceManager", false);
// Disabled because of a bug that disables the button regardless of its value
// Pref :
lockPref("security.mixed_content.upgrade_display_content", true);
lockPref("security.mixed_content.block_object_subrequest", true);
lockPref("security.mixed_content.block_display_content", true);
lockPref("security.mixed_content.block_active_content", true);
// Pref :
lockPref("security.insecure_connection_icon.enabled", true);
lockPref("security.insecure_connection_icon.pbmode.enabled", true);
lockPref("security.insecure_connection_text.enabled", true);
// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Section : Security 3/3 (Cipher)
// Bench Diff : +0/5000
// >>>>>>>>>>>>>>>>>>>>
// Pref :
lockPref("security.ssl3.rsa_des_ede3_sha", false);
lockPref("security.ssl3.rsa_aes_256_sha", false);
lockPref("security.ssl3.rsa_aes_128_sha", false);
// Pref : Disable RC4
// https://developer.mozilla.org/en-US/Firefox/Releases/38#Security
// https://bugzilla.mozilla.org/show_bug.cgi?id=1138882
// https://rc4.io/
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
lockPref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
lockPref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
// Pref : Disable SEED cipher
// https://en.wikipedia.org/wiki/SEED
lockPref("security.ssl3.rsa_seed_sha", false);


@ -1,80 +1,126 @@
[
{
"comments": "",
"comments": "Enable insecure password warnings (login forms in non-HTTPS pages)",
"type": "lockPref",
"key": "security.insecure_password.ui.enabled",
"value": true
"value": true,
"references": [
"https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/",
"https://bugzilla.mozilla.org/show_bug.cgi?id=1319119",
"https://bugzilla.mozilla.org/show_bug.cgi?id=1217156"
]
},
{
"comments": "",
"comments": "Show in-content login form warning UI for insecure login fields",
"type": "lockPref",
"key": "security.insecure_field_warning.contextual.enabled",
"value": true
"value": true,
"references": [
"https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317"
]
},
{
"comments": "",
"comments": "Disable HSTS preload list (pre-set HSTS sites list provided by Mozilla)",
"type": "lockPref",
"key": "network.stricttransportsecurity.preloadlist",
"value": false
"value": false,
"references": [
"https://blog.mozilla.org/security/2012/11/01/preloading-hsts/",
"https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List",
"https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security"
]
},
{
"comments": "",
"comments": "Disable TLS Session Tickets",
"notes": "SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs. Since the ID is unique, web servers can (and do) use it for tracking. If set to true, this disables sending SSL Session IDs and TLS Session Tickets to prevent session tracking",
"type": "lockPref",
"key": "security.ssl.disable_session_identifiers",
"value": true
"value": true,
"references": [
"https://www.blackhat.com/us-13/briefings.html#NextGen",
"https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf",
"https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf",
"https://bugzilla.mozilla.org/show_bug.cgi?id=917049",
"https://bugzilla.mozilla.org/show_bug.cgi?id=967977"
]
},
{
"comments": "",
"comments": "Blocking GD Parking Scam Site",
"notes": "TODO: do we still need this? librefox.com isn't relevant anymore and this pretty much only tells LibreWolf to look for librefox.com locally",
"type": "defaultPref",
"key": "network.dns.localDomains",
"value": "librefox.com"
},
{
"comments": "",
"comments": "Disable insecure TLS version fallback",
"type": "lockPref",
"key": "security.tls.version.fallback-limit",
"value": 3
"value": 3,
"references": [
"https://bugzilla.mozilla.org/show_bug.cgi?id=1084025",
"https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645"
]
},
{
"comments": "",
"comments": "Only allow TLS 1.[0-3]",
"type": "lockPref",
"key": "security.tls.version.min",
"value": 2
"value": 2,
"references": [
"http://kb.mozillazine.org/Security.tls.version.*"
]
},
{
"comments": "",
"comments": "Enfore Public Key Pinning",
"notes": "2. Strict. Pinning is always enforced.",
"type": "lockPref",
"key": "security.cert_pinning.enforcement_level",
"value": 2
"value": 2,
"references": [
"https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning",
"https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning"
]
},
{
"comments": "",
"comments": "Disallow SHA-1",
"type": "lockPref",
"key": "security.pki.sha1_enforcement_level",
"value": 1
"value": 1,
"references": [
"https://bugzilla.mozilla.org/show_bug.cgi?id=1302140",
"https://shattered.io/"
]
},
{
"comments": "",
"comments": "Warn the user when server doesn't support RFC 5746 ('safe' renegotiation)",
"type": "lockPref",
"key": "security.ssl.treat_unsafe_negotiation_as_broken",
"value": true
"value": true,
"references": [
"https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken",
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555"
]
},
{
"comments": "",
"comments": "Pre-populate the current URL but do not pre-fetch the certificate in the 'Add Security Exception' dialog",
"type": "lockPref",
"key": "browser.ssl_override_behavior",
"value": 1
"value": 1,
"references": [
"http://kb.mozillazine.org/Browser.ssl_override_behavior",
"https://github.com/pyllyukko/user.js/issues/210"
]
},
{
@ -93,6 +139,7 @@
{
"comments": "",
"notes": "OCSP leaks the visited sites. Exactly same issue as with safebrowsing.",
"type": "lockPref",
"key": "security.OCSP.enabled",
"value": 0
@ -107,9 +154,13 @@
{
"comments": "",
"notes": "Stapling forces the site to prove that its certificate is good through the CA, so apparently nothing is leaked in this case.",
"type": "lockPref",
"key": "security.ssl.enable_ocsp_stapling",
"value": true
"value": true,
"references": [
"https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/"
]
},
{
@ -119,6 +170,24 @@
"value": false
},
{
"enabled": false,
"comments": "Manage certificates button",
"notes": "Disabled because of a bug that disables the button regardless of its value",
"type": "lockPref",
"key": "security.disable_button.openCertManager",
"value": false
},
{
"enabled": false,
"comments": "Manage security devices button",
"notes": "Disabled because of a bug that disables the button regardless of its value",
"type": "lockPref",
"key": "security.disable_button.openDeviceManager",
"value": false
},
{
"comments": "",
"type": "lockPref",
@ -190,23 +259,38 @@
},
{
"comments": "",
"comments": "Disable RC4",
"type": "lockPref",
"key": "security.ssl3.ecdh_ecdsa_rc4_128_sha",
"value": false
"value": false,
"references": [
"https://developer.mozilla.org/en-US/Firefox/Releases/38#Security",
"https://bugzilla.mozilla.org/show_bug.cgi?id=1138882",
"https://rc4.io/",
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566"
]
},
{
"comments": "",
"comments": "Disable RC4",
"type": "lockPref",
"key": "security.ssl3.ecdh_rsa_rc4_128_sha",
"value": false
"value": false,
"references": [
"https://developer.mozilla.org/en-US/Firefox/Releases/38#Security",
"https://bugzilla.mozilla.org/show_bug.cgi?id=1138882",
"https://rc4.io/",
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566"
]
},
{
"comments": "",
"comments": "Disable SEED cipher",
"type": "lockPref",
"key": "security.ssl3.rsa_seed_sha",
"value": false
"value": false,
"references": [
"https://en.wikipedia.org/wiki/SEED"
]
}
]
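Review bot: The `security.tls.version.min` entry keeps the old comment "Only allow TLS 1.[0-3]", which does not say what the value `2` selects. In Firefox's encoding of this pref 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2 and 4 = TLS 1.3, so this entry sets a TLS 1.1 floor rather than the "1.0 and up" the comment suggests. I would add `"notes": "1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3; 2 makes TLS 1.1 the minimum"` and, separately from this commit, consider whether `3` (a TLS 1.2 floor) is the intended policy now that TLS 1.0 and 1.1 are deprecated. Also, "Enfore" in the `security.cert_pinning.enforcement_level` comment should be "Enforce".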