diff --git a/archives/dove.zip b/archives/dove.zip
index 38adbce..528153b 100644
Binary files a/archives/dove.zip and b/archives/dove.zip differ
diff --git a/build/policies/policies-spec.json b/build/policies/policies-spec.json
index de6708a..12a56fd 100644
--- a/build/policies/policies-spec.json
+++ b/build/policies/policies-spec.json
@@ -158,8 +158,7 @@
 },
 "ExtensionUpdate": true,
 "NetworkPrediction": false,
- "OfferToSaveLogins": false,
- "PasswordManagerEnabled": false,
+ "OfferToSaveLoginsDefault": false,
 "PDFjs": {
 "EnablePermissions": false
 },
@@ -604,6 +603,10 @@
 "Value": "",
 "Status": "locked"
 },
+ "browser.search.separatePrivateDefault": {
+ "Value": false,
+ "Status": "default"
+ },
 "browser.search.serpEventTelemetryCategorization.enabled": {
 "Value": false,
 "Status": "locked"
@@ -928,10 +931,18 @@
 "Value": false,
 "Status": "locked"
 },
+ "extensions.autoDisableScopes": {
+ "Value": 15,
+ "Status": "locked"
+ },
 "extensions.blocklist.enabled": {
 "Value": true,
 "Status": "locked"
 },
+ "extensions.enabledScopes": {
+ "Value": 5,
+ "Status": "default"
+ },
 "extensions.getAddons.discovery.api_url": {
 "Value": "data;",
 "Status": "locked"
@@ -1092,10 +1103,6 @@
 "Value": true,
 "Status": "default"
 },
- "network.trr.confirmation_telemetry_enabled": {
- "Value": false,
- "Status": "locked"
- },
 "network.captive-portal-service.enabled": {
 "Value": false,
 "Status": "locked"
@@ -1120,6 +1127,22 @@
 "Value": "",
 "Status": "locked"
 },
+ "network.protocol-handler.external.shell": {
+ "Value": false,
+ "Status": "locked"
+ },
+ "network.protocol-handler.warn-external.mailto": {
+ "Value": true,
+ "Status": "locked"
+ },
+ "network.protocol-handler.warn-external-default": {
+ "Value": true,
+ "Status": "locked"
+ },
+ "network.trr.confirmation_telemetry_enabled": {
+ "Value": false,
+ "Status": "locked"
+ },
 "network.trr.custom_uri": {
 "Value": "https://dns.quad9.net/dns-query",
 "Status": "default"
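Review bot: Saved-login storage is no longer blocked by policy after the `@@ -158,8 +158,7 @@` hunk: removing `"PasswordManagerEnabled": false` brings the built-in password manager back, and `"OfferToSaveLoginsDefault": false` only sets an initial value the user can change. If that relaxation is intended it deserves a line in the commit description, since nothing in the diff explains it. The `policies.json` section of this commit has no matching hunk, so if that file is meant to mirror the spec the two may now disagree on this policy; that cannot be confirmed from the hunks shown.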
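Review bot: In the `@@ -928,10 +931,18 @@` hunk, `extensions.enabledScopes` is added with `"Status": "default"` while `extensions.autoDisableScopes` beside it is `locked`, so the scope restriction itself is the half that can be overridden from the profile's own preferences. The matching `dove.cfg` hunk describes the goal as preventing extensions being installed from the system or by other programs, and an unlocked pref does not hold against software that can write to the profile. Either use `"Status": "locked"` here together with `lockPref("extensions.enabledScopes", 5);` in `dove.cfg`, or reword that comment to say the value is only a default. The same entry appears in `policies.json` at `@@ -1731,10 +1735,18 @@`.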
@@ -1144,6 +1167,10 @@ "Value": false, "Status": "locked" }, + "pdfjs.enableXfa": { + "Value": false, + "Status": "default" + }, "privacy.globalprivacycontrol.enabled": { "Value": true, "Status": "locked" @@ -1156,6 +1183,14 @@ "Value": true, "Status": "default" }, + "security.tls.version.enable-deprecated": { + "Value": false, + "Status": "locked" + }, + "security.default_personal_cert": { + "Value": "Ask Every Time", + "Status": "locked" + }, "ui.new-webcompat-reporter.enabled": { "Value": false, "Status": "locked" diff --git a/dove.cfg b/dove.cfg index 7422896..55d45db 100644 --- a/dove.cfg +++ b/dove.cfg @@ -57,8 +57,8 @@ lockPref("asanreporter.clientid", ""); lockPref("breakpad.reportURL", ""); lockPref("browser.crashReports.chancesUntilSuppress", 0); lockPref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DEFAULT] -lockPref("browser.crashReports.unsubmittedCheck.enabled", false); // [DEFAULT] -lockPref("browser.tabs.crashReporting.includeURL", false); // Defense in depth +lockPref("browser.crashReports.unsubmittedCheck.enabled", false); // [DEFAULT on Stable - but set to true on Nightly :/] +lockPref("browser.tabs.crashReporting.includeURL", false); // [DEFAULT} - Defense in depth lockPref("browser.tabs.crashReporting.sendReport", false); lockPref("toolkit.crashreporter.include_context_heap", false); // Defense in depth @@ -71,7 +71,7 @@ lockPref("security.xfocsp.errorReporting.enabled", false); /// Coverage // https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ -lockPref("toolkit.coverage.enabled", false); +lockPref("toolkit.coverage.enabled", false); // [DEFAULT] lockPref("toolkit.coverage.endpoint.base", ""); lockPref("toolkit.coverage.opt-out", true); // [HIDDEN] lockPref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN] 
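Review bot: `security.tls.version.enable-deprecated` is added as `locked` in the `@@ -1156,6 +1183,14 @@` hunk, but unlike `security.default_personal_cert` right below it, no `dove.cfg` hunk in this commit adds a matching `lockPref`. It may already exist in `dove.cfg` outside the hunks shown; if it does not, the TLS setting is enforced only where the policy file is applied. The entry is also inserted ahead of `security.default_personal_cert`, which breaks the alphabetical order the other additions follow. The same two entries appear in `policies.json` at `@@ -1959,6 +1987,14 @@`.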
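Review bot: The new trailing comment on `browser.tabs.crashReporting.includeURL` in the `@@ -57,8 +57,8 @@` hunk closes its tag with a brace, `// [DEFAULT} - Defense in depth`, so a search for `[DEFAULT]` across the file will miss this line. It should read `// [DEFAULT] - Defense in depth`.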
@@ -101,12 +101,12 @@ lockPref("browser.newtabpage.activity-stream.telemetry", false); lockPref("browser.newtabpage.activity-stream.telemetry.structuredIngestion.endpoint", ""); lockPref("browser.newtabpage.activity-stream.telemetry.ut.events", false); lockPref("browser.places.interactions.enabled", false); // https://searchfox.org/mozilla-central/source/browser/app/profile/firefox.js -lockPref("browser.privacySegmentation.preferences.show", false); +lockPref("browser.privacySegmentation.preferences.show", false); // [DEFAULT, at least on Nightly] lockPref("browser.rights.3.shown", true); lockPref("browser.search.serpEventTelemetryCategorization.enabled", false); -lockPref("browser.search.serpEventTelemetryCategorization.regionEnabled", false); -lockPref("browser.search.serpMetricsRecordedCounter", 0); -lockPref("browser.urlbar.quicksuggest.dataCollection.enabled", false); +lockPref("browser.search.serpEventTelemetryCategorization.regionEnabled", false); // [DEFAULT, at least on Nightly] +lockPref("browser.search.serpMetricsRecordedCounter", 0); // [DEFAULT] +lockPref("browser.urlbar.quicksuggest.dataCollection.enabled", false); // [DEFAULT] lockPref("browser.urlbar.quicksuggest.onboardingDialogChoice", "reject_2"); // [HIDDEN] https://searchfox.org/mozilla-central/source/browser/components/urlbar/docs/firefox-suggest-telemetry.rst https://searchfox.org/mozilla-central/source/toolkit/components/telemetry/docs/data/environment.rst https://searchfox.org/mozilla-central/source/browser/components/urlbar/tests/quicksuggest/browser/browser_quicksuggest_onboardingDialog.js lockPref("datareporting.dau.cachedUsageProfileID", "beefbeef-beef-beef-beef-beeefbeefbee"); // [HIDDEN] https://searchfox.org/mozilla-central/source/toolkit/components/telemetry/app/ClientID.sys.mjs#44 lockPref("datareporting.healthreport.documentServerURI", ""); // [HIDDEN] 
@@ -135,18 +135,18 @@ lockPref("toolkit.telemetry.dap.helper.hpke", ""); lockPref("toolkit.telemetry.dap.helper.url", ""); lockPref("toolkit.telemetry.dap.leader.hpke", ""); lockPref("toolkit.telemetry.dap.leader.url", ""); -lockPref("toolkit.telemetry.dap_enabled", false); +lockPref("toolkit.telemetry.dap_enabled", false); // [DEFAULT] lockPref("toolkit.telemetry.dap_helper", ""); lockPref("toolkit.telemetry.dap_helper_owner", ""); lockPref("toolkit.telemetry.dap_leader", ""); lockPref("toolkit.telemetry.dap_leader_owner", ""); lockPref("toolkit.telemetry.dap.logLevel", "Off"); -lockPref("toolkit.telemetry.dap_task1_enabled", false); -lockPref("toolkit.telemetry.dap_task1_taskid", ""); -lockPref("toolkit.telemetry.dap_visit_counting_enabled", false); -lockPref("toolkit.telemetry.dap_visit_counting_experiment_list", "[]"); +lockPref("toolkit.telemetry.dap_task1_enabled", false); // [DEFAULT] +lockPref("toolkit.telemetry.dap_task1_taskid", ""); // [DEFAULT] +lockPref("toolkit.telemetry.dap_visit_counting_enabled", false); // [DEFAULT] +lockPref("toolkit.telemetry.dap_visit_counting_experiment_list", "[]"); // [DEFAULT] lockPref("toolkit.telemetry.debugSlowSql", false); -lockPref("toolkit.telemetry.enabled", false); +lockPref("toolkit.telemetry.enabled", false); // [DEFAULT on Stable Desktop, not on Nightly & elsewhere...] lockPref("toolkit.telemetry.firstShutdownPing.enabled", false); lockPref("toolkit.telemetry.geckoview.streaming", false); // [Android specific?] lockPref("toolkit.telemetry.healthping.enabled", false); // [HIDDEN] 
@@ -156,19 +156,19 @@ lockPref("toolkit.telemetry.previousBuildID", ""); lockPref("toolkit.telemetry.reportingpolicy.firstRun", false); lockPref("toolkit.telemetry.server", "data;"); lockPref("toolkit.telemetry.server_owner", ""); -lockPref("toolkit.telemetry.shutdownPingSender.backgroundtask.enabled", false); +lockPref("toolkit.telemetry.shutdownPingSender.backgroundtask.enabled", false); // [DEFAULT] lockPref("toolkit.telemetry.shutdownPingSender.enabled", false); -lockPref("toolkit.telemetry.shutdownPingSender.enabledFirstSession", false); +lockPref("toolkit.telemetry.shutdownPingSender.enabledFirstSession", false); // [DEFAULT] lockPref("toolkit.telemetry.testing.suppressPingsender", true); // [HIDDEN] lockPref("toolkit.telemetry.translations.logLevel", "Off"); lockPref("toolkit.telemetry.unified", false); lockPref("toolkit.telemetry.updatePing.enabled", false); -lockPref("toolkit.telemetry.user_characteristics_ping.current_version", 0); -lockPref("toolkit.telemetry.user_characteristics_ping.last_version_sent", 0); +lockPref("toolkit.telemetry.user_characteristics_ping.current_version", 0); // [DEFAULT] +lockPref("toolkit.telemetry.user_characteristics_ping.last_version_sent", 0); // [DEFAULT] lockPref("toolkit.telemetry.user_characteristics_ping.logLevel", "Off"); lockPref("toolkit.telemetry.user_characteristics_ping.opt-out", true); lockPref("toolkit.telemetry.user_characteristics_ping.send-once", false); // [DEFAULT] -lockPref("toolkit.telemetry.user_characteristics_ping.uuid", ""); +lockPref("toolkit.telemetry.user_characteristics_ping.uuid", ""); // [DEFAULT] /// Misc. UX - Harmless but does not apply to us 
@@ -186,7 +186,7 @@ lockPref("toolkit.datacollection.infoURL", ""); // https://support.mozilla.org/kb/recommendations-firefox // https://support.mozilla.org/kb/personalized-extension-recommendations -lockPref("browser.dataFeatureRecommendations.enabled", false); +lockPref("browser.dataFeatureRecommendations.enabled", false); // [DEFAULT] lockPref("browser.discovery.enabled", false); lockPref("browser.discovery.sites", ""); lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); 
@@ -200,24 +200,24 @@ lockPref("extensions.webservice.discoverURL", ""); /// Fakespot -lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.ctaCopy", ""); -lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.ctaUrl", ""); -lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.defaultCategoryTitle", ""); +lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.ctaCopy", ""); // [DEFAULT] +lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.ctaUrl", ""); // [DEFAULT] +lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.defaultCategoryTitle", ""); // [DEFAULT] lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.enabled", false); -lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.footerCopy", ""); -lockPref("browser.shopping.experience2023.ads.enabled", false); -lockPref("browser.shopping.experience2023.ads.exposure", false); -lockPref("browser.shopping.experience2023.ads.userEnabled", false); +lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.footerCopy", ""); // [DEFAULT] lockPref("browser.shopping.experience2023.active", false); -lockPref("browser.shopping.experience2023.autoOpen.enabled", false); +lockPref("browser.shopping.experience2023.ads.enabled", false); // [DEFAULT] +lockPref("browser.shopping.experience2023.ads.exposure", false); // [HIDDEN] +lockPref("browser.shopping.experience2023.ads.userEnabled", false); +lockPref("browser.shopping.experience2023.autoOpen.enabled", false); // [DEFAULT] lockPref("browser.shopping.experience2023.autoOpen.userEnabled", false); -lockPref("browser.shopping.experience2023.enabled", false); -lockPref("browser.shopping.experience2023.integratedSidebar", false); +lockPref("browser.shopping.experience2023.enabled", false); // [DEFAULT] +lockPref("browser.shopping.experience2023.integratedSidebar", false); // [DEFAULT] 
lockPref("browser.shopping.experience2023.optedIn", 2); lockPref("browser.shopping.experience2023.survey.enabled", false); lockPref("browser.shopping.experience2023.survey.hasSeen", true); -lockPref("browser.urlbar.fakespot.featureGate", false); -lockPref("browser.urlbar.fakespot.suggestedIndex", 0); +lockPref("browser.urlbar.fakespot.featureGate", false); // [DEFAULT] +lockPref("browser.urlbar.fakespot.suggestedIndex", 0); // [HIDDEN] lockPref("browser.urlbar.suggest.fakespot", false); lockPref("toolkit.shopping.ohttpConfigURL", ""); lockPref("toolkit.shopping.ohttpRelayURL", ""); @@ -228,8 +228,7 @@ lockPref("toolkit.shopping.ohttpRelayURL", ""); // https://mozilla.github.io/policy-templates/#firefoxhome // https://searchfox.org/mozilla-central/source/toolkit/components/nimbus/FeatureManifest.yaml -lockPref("browser.newtabpage.activity-stream.discoverystream.descLines", 0); -lockPref("browser.newtabpage.activity-stream.discoverystream.fourCardLayout.enabled", false); +lockPref("browser.newtabpage.activity-stream.discoverystream.fourCardLayout.enabled", false); // [DEFAULT] lockPref("browser.newtabpage.activity-stream.discoverystream.hideCardBackground.enabled", true); lockPref("browser.newtabpage.activity-stream.discoverystream.hideDescriptions.enabled", true); lockPref("browser.newtabpage.activity-stream.discoverystream.newFooterSection.enabled", false); 
@@ -490,13 +489,6 @@ defaultPref("app.releaseNotesURL.aboutDialog", "https://www.mozilla.org/%LOCALE% defaultPref("app.releaseNotesURL.prompt", "https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes"); defaultPref("extensions.getAddons.search.browseURL", "https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%"); -/// Firefox View - -defaultPref("browser.firefox-view.search.enabled", false); -defaultPref("browser.firefox-view.virtual-list.enabled", false); -defaultPref("browser.tabs.firefox-view-newIcon", false); -defaultPref("browser.tabs.firefox-view-next", false); - /// Disable Mozilla Web Compatibility Reporter // Harmless from a privacy perspective - We just don't want to waste Mozilla's time due to our custom set-up... // Also acts as attack surface reduction & a potential performance improvement @@ -525,6 +517,11 @@ lockPref("browser.urlbar.trimURLs", false); defaultPref("browser.search.separatePrivateDefault.ui.enabled", true); +// Ensure by default we use same search engine in both Private & Normal Windows +// Otherwise, Firefox's private search appears to default to Google... :/ + +defaultPref("browser.search.separatePrivateDefault", false); + // Prompt to use Private Browsing defaultPref("browser.search.separatePrivateDefault.urlbarResult.enabled", true); 
@@ -854,7 +851,7 @@ defaultPref("browser.safebrowsing.provider.google.reportPhishMistakeURL", "https defaultPref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", "https://safebrowsing.google.com/safebrowsing/report_error/?tpl=mozilla&url="); defaultPref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", "https://safebrowsing.google.com/safebrowsing/report_error/?tpl=mozilla&url="); -//// Similar behavior also appears to happen when you report a URL to Safe Browsing +/// Similar behavior also appears to happen when you report a URL to Safe Browsing defaultPref("browser.safebrowsing.reportPhishURL", "https://safebrowsing.google.com/safebrowsing/report_phish/?tpl=mozilla&url="); 
@@ -961,28 +958,32 @@ defaultPref("browser.sessionstore.privacy_level", 2); // We also configure "SanitizeOnShutdown" in policies // https://mozilla.github.io/policy-templates/#sanitizeonshutdown-selective -lockPref("privacy.clearHistory.cache", true); +defaultPref("privacy.clearHistory.cache", true); defaultPref("privacy.clearHistory.historyFormDataAndDownloads", true); -lockPref("privacy.clearSiteData.cache", true); +defaultPref("privacy.clearSiteData.cache", true); defaultPref("privacy.clearSiteData.historyFormDataAndDownloads", true); -lockPref("privacy.clearOnShutdown.cache", true); +defaultPref("privacy.clearOnShutdown.cache", true); defaultPref("privacy.clearOnShutdown.cookies", true); defaultPref("privacy.clearOnShutdown.downloads", true); -lockPref("privacy.clearOnShutdown.formdata", true); +defaultPref("privacy.clearOnShutdown.formdata", true); defaultPref("privacy.clearOnShutdown.history", true); defaultPref("privacy.clearOnShutdown.offlineApps", true); defaultPref("privacy.clearOnShutdown.sessions", true); -lockPref("privacy.clearOnShutdown_v2.cache", true); +defaultPref("privacy.clearOnShutdown_v2.cache", true); defaultPref("privacy.clearOnShutdown_v2.cookiesAndStorage", true); defaultPref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", true); -lockPref("privacy.cpd.cache", true); -lockPref("privacy.cpd.formdata", true); -lockPref("privacy.sanitize.sanitizeOnShutdown", true); // Allows selectively clearing data on shutdown +defaultPref("privacy.cpd.cache", true); +defaultPref("privacy.cpd.formdata", true); +defaultPref("privacy.sanitize.sanitizeOnShutdown", true); // Allows selectively clearing data on shutdown /// Set time range when manually clearing data to "everything" by default defaultPref("privacy.sanitize.timeSpan", 0); +// Prevent automatically sharing Firefox Sync accounts... 
+ +lockPref("identity.fxaccounts.migrateToDevEdition", false); + /// Prevent logging blocked domains in about:protections defaultPref("browser.contentblocking.cfr-milestone.enabled", false); @@ -1015,7 +1016,7 @@ defaultPref("browser.privatebrowsing.resetPBM.enabled", true); /// Prevent automatically starting Firefox & restoring session after reboot on Windows -lockPref("toolkit.winRegisterApplicationRestart", false); +defaultPref("toolkit.winRegisterApplicationRestart", false); /// Disable LaterRun - Tracks profile creation time & number of browser uses // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41568 @@ -1035,6 +1036,13 @@ defaultPref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN] // 014 EXTENSIONS +// Only allow installing extensions from profile & application directories (Prevents extensions being installed from the system/via other programs) +/// https://archive.is/DYjAM +/// https://github.com/arkenfox/user.js/blob/master/user.js#L612 + +defaultPref("extensions.enabledScopes", 5); +lockPref("extensions.autoDisableScopes", 15); // [DEFAULT] Defense in depth, ensures extensions installed via directories are disabled by default... + // Only allow signed extensions lockPref("extensions.langpacks.signatures.required", true); @@ -1067,6 +1075,15 @@ defaultPref("extensions.quarantineIgnoredByUser.{d19a89b9-76c1-4a61-bcd4-49e8de9 lockPref("pdfjs.enableScripting", false); +/// Disable XFA +// https://insert-script.blogspot.com/2019/01/adobe-reader-pdf-callback-via-xslt.html +// https://www.sentinelone.com/blog/malicious-pdfs-revealing-techniques-behind-attacks/ +// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=xfa +// https://wikipedia.org/wiki/XFA +// Not even a standard... + +defaultPref("pdfjs.enableXfa", false); + /// Never allow documents to prevent copying text /// We also set `EnablePermissions` in policies // https://mozilla.github.io/policy-templates/#pdfjs 
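Review bot: Clear-on-shutdown is no longer enforced once the `privacy.clearOnShutdown*`, `privacy.cpd.*` and `privacy.sanitize.sanitizeOnShutdown` lines in the `@@ -961,28 +958,32 @@` hunk become `defaultPref`, and no comment records that the relaxation is deliberate. The same `lockPref` to `defaultPref` change, also unexplained, appears at `@@ -1428,14 +1478,14 @@` (extension and `media.gmp-manager` updates), `@@ -2144,10 +2132,10 @@` (reply headers) and `@@ -2235,7 +2214,7 @@` (external GnuPG). Among the update prefs, `media.gmp-manager.updateEnabled` is not tagged `[DEFAULT]` and may not be covered by the `ExtensionUpdate` policy the comment refers to, so it is worth confirming that something still enforces it. A one-line comment per group, for example `// Default only - user may override`, would make the intent reviewable.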
@@ -1094,10 +1111,8 @@ defaultPref("pdfjs.sidebarViewOnLoad", 2); // 016 FINGERPRINTING PROTECTION -/// Set US English as locale by default +/// Set RFP to spoof the English locale by default -defaultPref("intl.accept_languages", "en-US, en"); -defaultPref("intl.locale.requested", "en-US"); defaultPref("privacy.spoof_english", 2); /// Round window sizes @@ -1300,11 +1315,16 @@ defaultPref("gfx.font_rendering.opentype_svg.enabled", false); /// Disable WebXR // https://developer.mozilla.org/docs/Web/API/WebXR_Device_API -defaultPref("browser.xr.warning.infoURL", ""); // Harmless but does not apply to us defaultPref("permissions.default.xr", 2); // 022 MISC. SECURITY +// If a website asks for a certificate, always prompt the user +// Never automatically select one... +// https://www.stigviewer.com/stig/mozilla_firefox/2023-06-05/finding/V-251547 + +lockPref("security.default_personal_cert", "Ask Every Time"); // [DEFAULT] + /// Disable Accessibility Services // https://support.mozilla.org/kb/accessibility-services#w_malware-and-adware 
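Review bot: With `intl.accept_languages` and `intl.locale.requested` removed in the `@@ -1094,10 +1111,8 @@` hunk, the section relies entirely on `defaultPref("privacy.spoof_english", 2);`, which as far as I know is honoured only while `privacy.resistFingerprinting` is enabled. Whether RFP is on by default in this config is outside the hunk; if it is not, or once a user turns it off, the browser goes back to sending the system's language list. The heading should say so, for example `/// Spoof the English locale when RFP is enabled (no effect otherwise)`.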
@@ -1372,6 +1392,36 @@ lockPref("security.block_Worker_with_wrong_mime", true); // [DEFAULT] lockPref("media.devices.insecure.enabled", false); // [DEFAULT] lockPref("media.getusermedia.insecure.enabled", false); // [DEFAULT] +/// Disable Win32k System Calls +// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#15638 +// https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html +// https://docs.google.com/document/d/1gJDlk-9xkh6_8M_awrczWCaUuyr0Zd2TKjNBCiPO_G4/edit + +lockPref("security.sandbox.content.win32k-disable", true); // [DEFAULT] +lockPref("security.sandbox.gmp.win32k-disable", true); +lockPref("security.sandbox.socket.win32k-disable", true); // [DEFAULT] + +// Ensure that Firefox can't access the Windows Shell... +// https://www.stigviewer.com/stig/mozilla_firefox/2019-12-12/finding/V-15771 + +lockPref("network.protocol-handler.external.shell", false); // [DEFAULT] + +// Always warn users before launching other apps... + +lockPref("network.protocol-handler.warn-external-default", true); // [DEFAULT] +lockPref("network.protocol-handler.warn-external.mailto", true); +lockPref("security.external_protocol_requires_permission", true); // [DEFAULT] + +/// Enforce various other important security-related prefs +// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#15473 + +lockPref("security.all_resource_uri_content_accessible", false); // [DEFAULT] +lockPref("security.allow_eval_in_parent_process", false); //[DEFAULT on standard Firefox releases only, not on ex. Thunderbird & other builds] +lockPref("security.allow_eval_with_system_principal", false); // [DEFAULT on standard Firefox releases only, not on ex. Thunderbird & other builds] +lockPref("security.allow_parent_unrestricted_js_loads", false); // [DEFAULT on standard Firefox releases only, not on ex. 
Thunderbird & other builds] +lockPref("security.allow_unsafe_parent_loads", false); // [DEFAULT] +lockPref("security.data_uri.block_toplevel_data_uri_navigations", true); // [DEFAULT] + // 023 BLOCK COOKIE BANNERS defaultPref("cookiebanners.service.mode", 1); @@ -1428,14 +1478,14 @@ defaultPref("app.update.notifyDuringDownload", true); // Ensure that users are n defaultPref("app.update.promptWaitTime", 3600); // Decrease time between update prompts, default is very generous... defaultPref("browser.startup.upgradeDialog.enabled", true); // Enables showing a dialog/pop-up on major upgrades -/// Enforce Extension Updates +/// Ensure we're always updating extensions by default /// We also set "ExtensionUpdate" in policies // https://mozilla.github.io/policy-templates/#extensionupdate -lockPref("extensions.systemAddon.update.enabled", true); // [DEFAULT] -lockPref("extensions.update.autoUpdateDefault", true); // [DEFAULT] -lockPref("extensions.update.enabled", true); // [DEFAULT] -lockPref("media.gmp-manager.updateEnabled", true); +defaultPref("extensions.systemAddon.update.enabled", true); // [DEFAULT] +defaultPref("extensions.update.autoUpdateDefault", true); // [DEFAULT] +defaultPref("extensions.update.enabled", true); // [DEFAULT] +defaultPref("media.gmp-manager.updateEnabled", true); // 026 DEBUGGING @@ -1463,6 +1513,7 @@ defaultPref("privacy.userContext.ui.enabled", true); lockPref("devtools.aboutdebugging.showHiddenAddons", true); /// Enable Profiles UI +// Only works on Nightly? defaultPref("browser.profiles.enabled", true); 
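Review bot: Of the three `win32k-disable` locks added in the `@@ -1372,6 +1392,36 @@` hunk, `security.sandbox.gmp.win32k-disable` is the only one without a `[DEFAULT]` tag, so it is the line that actually changes behaviour, and it is locked with no note on what it affects. A short comment on what the GMP sandbox hosts and what was tested on Windows would help whoever has to debug media playback later. The two `StaticPrefList.yaml#15638` and `#15473` links point at the moving tip of mozilla-central, so their line anchors will drift; the `content.notify.interval` line elsewhere in this file already uses a `/rev/<hash>/` link, and the same form would keep these references stable.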
@@ -1529,7 +1580,6 @@ defaultPref("browser.sessionhistory.max_total_viewers", 7); defaultPref("browser.tabs.min_inactive_duration_before_unload", 300000); defaultPref("browser.toolbars.bookmarks.visibility", "always"); defaultPref("content.notify.interval", 100000); // https://searchfox.org/mozilla-central/rev/c1180ea13e73eb985a49b15c0d90e977a1aa919c/modules/libpref/init/StaticPrefList.yaml#1824-1834 -defaultPref("dom.enable_web_task_scheduling", true); // https://blog.mozilla.org/performance/2022/06/02/prioritized-task-scheduling-api-is-prototyped-in-nightly/ defaultPref("extensions.logging.enabled", false); // [DEFAULT] https://searchfox.org/mozilla-central/source/mobile/android/app/geckoview-prefs.js#232 defaultPref("gfx.canvas.accelerated.cache-items", 4096); defaultPref("gfx.canvas.accelerated.cache-size", 512); @@ -1571,6 +1621,7 @@ defaultPref("mousewheel.default.delta_multiplier_y", 300); // Personal Touch 💜 /// Things that are nice to have™ +// Not directly privacy & security related defaultPref("browser.uiCustomization.state", "{\"placements\":{\"widget-overflow-fixed-list\":[],\"unified-extensions-area\":[],\"nav-bar\":[\"back-button\",\"forward-button\",\"stop-reload-button\",\"urlbar-container\",\"_testpilot-containers-browser-action\",\"fxa-toolbar-menu-button\",\"reset-pbm-toolbar-button\",\"developer-button\",\"ublock0_raymondhill_net-browser-action\",\"downloads-button\",\"unified-extensions-button\"],\"TabsToolbar\":[\"tabbrowser-tabs\",\"new-tab-button\"],\"vertical-tabs\":[],\"PersonalToolbar\":[\"personal-bookmarks\"]},\"seen\":[\"reset-pbm-toolbar-button\",\"developer-button\",\"_testpilot-containers-browser-action\",\"ublock0_raymondhill_net-browser-action\"],\"dirtyAreaCache\":[\"nav-bar\",\"vertical-tabs\",\"PersonalToolbar\",\"unified-extensions-area\",\"TabsToolbar\"],\"currentVersion\":20,\"newElementCount\":4}"); // Clean-up default UI defaultPref("browser.bookmarks.autoExportHTML", true); 
@@ -1594,12 +1645,17 @@ defaultPref("browser.search.openintab", true); defaultPref("browser.search.widget.inNavBar", true); defaultPref("browser.spin_cursor_while_busy", true); defaultPref("browser.tabs.loadBookmarksInTabs", true); -defaultPref("browser.translations.alwaysTranslateLanguages", "de,ru,bg,ca,hr,cs,da,nl,et,fi,fr,el,hu,id,it,lv,lt,pl,pt,ro,sr,sk,sl,es,sv,tr,uk,vi"); +defaultPref("browser.translations.alwaysTranslateLanguages", "bg,ca,cs,da,de,el,en,es,et,fi,fr,hr,hu,id,it,lv,lt,nl,pl,pt,ro,ru,sk,sl,sr,sv,tr,uk,vi"); defaultPref("browser.translations.automaticallyPopup", true); // [DEFAULT] defaultPref("browser.translations.enable", true); // [DEFAULT] defaultPref("browser.translations.newSettingsUI.enable", true); defaultPref("browser.translations.select.enable", true); // [DEFAULT] defaultPref("browser.urlbar.openintab", true); +defaultPref("devtools.chrome.enabled", true); +defaultPref("devtools.command-button-measure.enabled", true); +defaultPref("devtools.command-button-rulers.enabled", true); +defaultPref("devtools.command-button-screenshot.enabled", true); +defaultPref("devtools.dom.enabled", true); defaultPref("devtools.debugger.ui.editor-wrapping", true); defaultPref("findbar.highlightAll", true); defaultPref("full-screen-api.transition-duration.enter", "0 0"); 
@@ -1610,19 +1666,6 @@ defaultPref("security.xfocsp.hideOpenInNewWindow", false); defaultPref("toolkit.legacyUserProfileCustomizations.stylesheets", true); defaultPref("view_source.wrap_long_lines", true); -// Misc. - -lockPref("identity.fxaccounts.migrateToDevEdition", false); -defaultPref("media.gmp-gmpopenh264.enabled", false); - -// Dev stuff :p - -defaultPref("devtools.chrome.enabled", true); -defaultPref("devtools.command-button-measure.enabled", true); -defaultPref("devtools.command-button-rulers.enabled", true); -defaultPref("devtools.command-button-screenshot.enabled", true); -defaultPref("devtools.dom.enabled", true); - // DO NOT TOUCH // These are prefs that do more harm than good and should not be touched by users @@ -1788,7 +1831,6 @@ defaultPref("services.sync.prefs.sync.browser.sessionhistory.max_total_viewers", defaultPref("services.sync.prefs.sync.browser.tabs.min_inactive_duration_before_unload", true); defaultPref("services.sync.prefs.sync.browser.toolbars.bookmarks.visibility", true); defaultPref("services.sync.prefs.sync.content.notify.interval", true); -defaultPref("services.sync.prefs.sync.dom.enable_web_task_scheduling", true); defaultPref("services.sync.prefs.sync.dom.security.https_only_mode_send_http_background_request", true); defaultPref("services.sync.prefs.sync.extensions.logging.enabled", true); defaultPref("services.sync.prefs.sync.general.smoothScroll.currentVelocityWeighting", true); 
@@ -1845,60 +1887,6 @@ lockPref("general.config.sandbox_enabled", true); lockPref("browser.phoenix.cfg.applied", true); -// Prefs we previously toggled but do not anymore, not recommended: - -// Prefs below are harmless & just have misleading names - actually related to Shortcuts functionality, which is harmless & manually set by users -// We still disable all the sponsored crap & clear Mozilla default sites - -//lockPref("browser.newtabpage.activity-stream.feeds.system.topsites", false); -//lockPref("browser.newtabpage.activity-stream.feeds.topsites", false); -//lockPref("browser.newtabpage.activity-stream.topSitesRows", 0); -//lockPref("browser.newtabpage.pinned", ""); -//lockPref("browser.urlbar.suggest.topsites", false); - -/// Mozilla Push & Web Notifications -/// I have yet to see a legitimate use-case for websites using push notifications... but I have very commonly seen it abused for malicious purposes & spam -// https://mozilla-push-service.readthedocs.io/en/latest/ -// https://mozilla-services.github.io/autopush-rs/ -// We still block notifications by default, because I stand my point above - these ARE almost exclusively abused -// But they can occasionally serve legitimate purposes (like chat apps), so if people really want to go out of their way and enable notifs for a specific site... fine -// Push has also previously been required for important security checks https://github.com/arkenfox/user.js/issues/1811 which I am definitely not interested in breaking... 
-// Mozillas push server is also pretty solid from a privacy & security standpoint - E2EE https://support.mozilla.org/kb/push-notifications-firefox - -//lockPref("dom.push.connection.enabled", false); -//lockPref("dom.push.serverURL", ""); -//lockPref("dom.push.userAgentID", ""); - -/// Disable fetching AMO Metadata -// https://support.mozilla.org/kb/how-stop-firefox-making-automatic-connections#w_add-on-metadata-updating -// Completely harmless - see https://github.com/arkenfox/user.js/issues/615 - -//lockPref("extensions.getAddons.cache.enabled", false); - -/// Disable Search Engine Updates -// Completely harmless & likely actually doing harm, updating search engines is useful & does not have any privacy gain - -//lockPref("browser.search.update", false); - -/// Disables annoying "tab manager" dropdown always showing - sadly Pref has been removed -//defaultPref("browser.tabs.tabmanager.enabled", false); -//defaultPref("services.sync.prefs.sync.browser.tabs.tabmanager.enabled", true); - -/// Enforce using standard cross-platform widget theme, pref removed - -//lockPref("widget.non-native-theme.enabled", true); // [DEFAULT] - -// TELEMETRY -// Removed https://github.com/arkenfox/user.js/issues/1918 -//lockPref("security.app_menu.recordEventTelemetry", false); -//lockPref("security.certerrors.recordEventTelemetry", false); -//lockPref("security.protectionspopup.recordEventTelemetry", false); - -// Harmless, actually useful to know when a site/plugin is misbehaving... -// https://searchfox.org/mozilla-release/source/modules/libpref/init/StaticPrefList.yaml#3013 -//lockPref("dom.ipc.processHangMonitor", false); -//lockPref("dom.ipc.reportProcessHangs", false); -//lockPref("hangmonitor.timeout", 0); // Advanced hardening. 
@@ -2144,10 +2132,10 @@ lockPref("mailnews.headers.useMinimalUserAgent", true); // [DEFAULT, DEFENSE IN /// Prevent leaking system locale & date/time in replies -lockPref("mailnews.reply_header_authorwroteondate", "#1 wrote on #2 #3:"); -lockPref("mailnews.reply_header_authorwrotesingle", "#1 wrote:"); -lockPref("mailnews.reply_header_ondateauthorwrote", "On #2 #3, #1 wrote:"); -lockPref("mailnews.reply_header_type", 1); +defaultPref("mailnews.reply_header_authorwroteondate", "#1 wrote on #2 #3:"); +defaultPref("mailnews.reply_header_authorwrotesingle", "#1 wrote:"); +defaultPref("mailnews.reply_header_ondateauthorwrote", "On #2 #3, #1 wrote:"); +defaultPref("mailnews.reply_header_type", 1); /// Prevent leaking spellcheck dictionary info // https://bugzilla.mozilla.org/show_bug.cgi?id=1370217 @@ -2200,15 +2188,6 @@ lockPref("privacy.trackingprotection.fingerprinting.enabled", true); lockPref("privacy.trackingprotection.pbmode.enabled", true); // [DEFAULT] lockPref("privacy.trackingprotection.socialtracking.enabled", true); -/// Enforce never using heuristics - -lockPref("privacy.antitracking.enableWebcompat", false); -lockPref("privacy.fingerprintingProtection.remoteOverrides.enabled", false); -lockPref("privacy.restrict3rdpartystorage.heuristic.opened_window_after_interaction", false); -lockPref("privacy.restrict3rdpartystorage.heuristic.recently_visited", false); -lockPref("privacy.restrict3rdpartystorage.heuristic.redirect", false); -lockPref("privacy.restrict3rdpartystorage.heuristic.window_open", false); - /// Allow toggling per session defaultPref("network.http.referer.XOriginPolicy", 0); @@ -2235,7 +2214,7 @@ lockPref("mail.e2ee.notify_on_auto_disable", true); // [DEFAULT] /// Use GnuPG if built-in RNP fails // https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Allow_the_use_of_external_GnuP -lockPref("mail.openpgp.allow_external_gnupg", true); +defaultPref("mail.openpgp.allow_external_gnupg", true); // 008 MISC. SECURITY 
@@ -2268,9 +2247,9 @@ defaultPref("mail.identity.default.compose_html", false); defaultPref("rss.message.loadWebPageOnSelect", 0); defaultPref("rss.show.summary", 1); -/// Do not allow calendar to extract data from emails +/// Do not allow calendar to extract data from emails by default -lockPref("calendar.extract.service.enabled", false); // [DEFAULT] +defaultPref("calendar.extract.service.enabled", false); // [DEFAULT] /// Disable Web Notifications @@ -2291,9 +2270,10 @@ lockPref("media.gmp-provider.enabled", false); lockPref("extensions.strictCompatibility", false); -/// Always disable WebGL +/// Disable SVG +// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg -lockPref("webgl.disabled", true); +defaultPref("svg.disabled", true); // DO NOT TOUCH diff --git a/policies.json b/policies.json index ed85011..8cb2567 100644 --- a/policies.json +++ b/policies.json @@ -1407,6 +1407,10 @@ "Value": "", "Status": "locked" }, + "browser.search.separatePrivateDefault": { + "Value": false, + "Status": "default" + }, "browser.search.serpEventTelemetryCategorization.enabled": { "Value": false, "Status": "locked" @@ -1731,10 +1735,18 @@ "Value": false, "Status": "locked" }, + "extensions.autoDisableScopes": { + "Value": 15, + "Status": "locked" + }, "extensions.blocklist.enabled": { "Value": true, "Status": "locked" }, + "extensions.enabledScopes": { + "Value": 5, + "Status": "default" + }, "extensions.getAddons.discovery.api_url": { "Value": "data;", "Status": "locked" @@ -1895,10 +1907,6 @@ "Value": true, "Status": "default" }, - "network.trr.confirmation_telemetry_enabled": { - "Value": false, - "Status": "locked" - }, "network.captive-portal-service.enabled": { "Value": false, "Status": "locked" 
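Review bot: WebGL is no longer disabled by anything in the `@@ -2291,9 +2270,10 @@` hunk, because `lockPref("webgl.disabled", true);` is removed rather than kept alongside the new `defaultPref("svg.disabled", true);`. If WebGL is still turned off elsewhere in the file, that is outside what the diff shows; if not, the commit re-enables it for this build without the `/// Disable SVG` heading saying so. Keeping both lines, or adding a comment on why the WebGL lock was dropped, would make the change visible. The SVG pref is also only a default, although the CVE search linked above it is the stated reason for disabling it.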
@@ -1923,6 +1931,22 @@
 "Value": "",
 "Status": "locked"
 },
+ "network.protocol-handler.external.shell": {
+ "Value": false,
+ "Status": "locked"
+ },
+ "network.protocol-handler.warn-external.mailto": {
+ "Value": true,
+ "Status": "locked"
+ },
+ "network.protocol-handler.warn-external-default": {
+ "Value": true,
+ "Status": "locked"
+ },
+ "network.trr.confirmation_telemetry_enabled": {
+ "Value": false,
+ "Status": "locked"
+ },
 "network.trr.custom_uri": {
 "Value": "https://dns.quad9.net/dns-query",
 "Status": "default"
@@ -1947,6 +1971,10 @@
 "Value": false,
 "Status": "locked"
 },
+ "pdfjs.enableXfa": {
+ "Value": false,
+ "Status": "default"
+ },
 "privacy.globalprivacycontrol.enabled": {
 "Value": true,
 "Status": "locked"
@@ -1959,6 +1987,14 @@
 "Value": true,
 "Status": "default"
 },
+ "security.tls.version.enable-deprecated": {
+ "Value": false,
+ "Status": "locked"
+ },
+ "security.default_personal_cert": {
+ "Value": "Ask Every Time",
+ "Status": "locked"
+ },
 "ui.new-webcompat-reporter.enabled": {
 "Value": false,
 "Status": "locked"
@@ -2874,4 +2910,4 @@
 ]
 }
 }
-}
\ No newline at end of file
+}