Comments (22)
I'm wondering about four about:config settings available on all Firefox versions and related to:
// 2404: disable JS storing data permanently
user_pref("dom.indexedDB.enabled", false);
If, when dom.indexedDB.enabled is set to true, there are four related settings:
user_pref("dom.indexedDB.experimental", false); // Default=false
user_pref("dom.indexedDB.logging.details", false); // Default=true
user_pref("dom.indexedDB.logging.enabled", false); // Default=true
user_pref("dom.indexedDB.logging.profiler-marks", false); // Default=false
As you see, I've set the second and third to false when their default is true.
What do you think of these two default values?
When set to true (default) does it mean that, given dom.indexedDB.enabled is set to true, given a site uses dom.indexedDB it would be possible for that site to keep the user's login credentials in his dedicated storage folder?
If so, do you believe it is pertinent to set these settings to false as I do or is this insignificant?
from user.js.
@earthlng pyllyukko/user.js#263 (comment)
Firefox currently continues the connection
then why am I getting a hard fail? Can you test this yourself please
OCSP Expect-Staple is @ScottHelme's own proposal.
Security vs Privacy: schomery/privacy-settings#40 (comment)
You can still set hard fail revocation checking in Firefox, have you perhaps configured this at any point? Go to about:config and check security.OCSP.require is set to false.
Depending on your build the OCSP request will currently timeout after 3s or 1s and load the page without completing the revocation check.
In honesty I think we could probably get a long way there with sites supporting stapling. The OCSP response is valid for 7 days so a site only needs to refresh it every 24 hours and they can weather a 6 day outage of the responder.
On top of that, almost no CA actually runs their own responders without fronting them with a CDN. The OCSP request is just a HTTP GET and large providers like Akamai will front up OCSP responders and serve cached responses on behalf of the CA. I could understand historic concerns where the CA didn't have CDN support but it's 2017, I think we should be able to do OCSP properly.
have you perhaps configured this at any point?
No, security.OCSP.require is and was set to false. I've tested 2 FF's, ESR52.2.1 + FF54.0.1, and I can't get your testsite to soft fail. I've also tried 2 different ways of blocking the OCSP server - HOSTS + uBlock Origin - same result.
It's actually the same behavior when security.OCSP.enabled is set to 0 (=disabled) ie
A required TLS feature is missing. Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
... no soft fail. IDK why. Maybe FF just doesn't soft fail atm?
but it's 2017, I think we should be able to do OCSP properly.
Would be nice. ATM IMHO OCSP without stapling seems worse than useless because of the privacy concerns. I would just set security.OCSP.enabled
to 0 but I fear that would also disable OCSP stapling.
Ah... wait. I just had a thought and this is a serious derp. The certificate has the OCSP Must-Staple flag set and I'm not stapling to for an online OCSP check...
https://report-uri.io/home/certificate_analyser/https%3A%2F%2Frevoked.scotthelme.co.uk
Yeah... I'm going to go fix this now.
Ok I renewed without the OCSP Must-Staple flag and revoked, we're good :)
It'd be awesome if you could use the link to my site 👍
Ok I renewed without the OCSP Must-Staple flag and revoked, we're good :)
Thanks, now it works as expected ie soft-fail
@Thorin-Oakenpants what do you think, should we enable hard-fail by setting OCSP.require=true? IMO yes
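To make the soft-fail / hard-fail discussion above concrete, here is an added example (my own code, not part of this thread and not arkenfox's user.js) that parses user_pref() lines from a user.js file and reports which revocation posture the resulting settings produce. It assumes the pref names and Firefox defaults listed in DEFAULTS; security.ssl.enable_ocsp_stapling and security.ssl.enable_ocsp_must_staple are standard Firefox prefs that the thread does not mention, and stapling is controlled by them rather than by security.OCSP.enabled. The sample user.js text is constructed for the example.

```python
import re
from typing import Dict, Union

PrefValue = Union[bool, int, str]

# One user.js line looks like:  user_pref("name", value);  // optional comment
# Values are true/false, an integer, or a double-quoted string.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)

# Firefox defaults assumed for the era discussed in the thread (FF 5x).
DEFAULTS: Dict[str, PrefValue] = {
    "security.OCSP.enabled": 1,                    # 0 = never fetch, 1 = fetch for all certs, 2 = EV only
    "security.OCSP.require": False,                # False = soft-fail when the responder is unreachable
    "security.ssl.enable_ocsp_stapling": True,     # verify stapled responses sent by the server
    "security.ssl.enable_ocsp_must_staple": True,  # honour the Must-Staple certificate extension
}

# Constructed sample, NOT the arkenfox file.
SAMPLE_USER_JS = """\
/* 1200s: certificates / OCSP (constructed sample) */
user_pref("security.OCSP.enabled", 1);          // 0=disabled, 1=enabled, 2=EV only
user_pref("security.OCSP.require", true);       // hard-fail, as proposed in the thread
user_pref("security.ssl.enable_ocsp_stapling", true);
user_pref("browser.startup.homepage", "about:blank"); // unrelated string pref
// user_pref("security.OCSP.enabled", 0);       // commented out: must be ignored
"""


def parse_user_js(text: str) -> Dict[str, PrefValue]:
    """Return {pref_name: value} for every active user_pref() line; later lines win."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # blank lines, // comments, /* ... */ section headers
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1].replace('\\"', '"')
        else:
            prefs[name] = int(raw)
    return prefs


def revocation_posture(prefs: Dict[str, PrefValue]) -> Dict[str, Union[bool, str]]:
    """Combine user.js overrides with defaults and classify the OCSP behaviour."""
    p: Dict[str, PrefValue] = {**DEFAULTS, **prefs}
    online = p["security.OCSP.enabled"] != 0
    hard_fail = online and bool(p["security.OCSP.require"])
    stapling = bool(p["security.ssl.enable_ocsp_stapling"])
    if online and hard_fail:
        mode = "hard-fail"      # responder outage or block => connection refused
    elif online:
        mode = "soft-fail"      # responder outage or block => page loads unchecked
    elif stapling:
        mode = "stapling-only"  # no OCSP queries sent to the CA; stapling prefs still on
    else:
        mode = "none"           # no online check and stapling disabled
    return {
        "online_ocsp": online,
        "hard_fail": hard_fail,
        "stapling": stapling,
        "must_staple": bool(p["security.ssl.enable_ocsp_must_staple"]),
        "mode": mode,
    }


if __name__ == "__main__":
    parsed = parse_user_js(SAMPLE_USER_JS)
    for key, value in revocation_posture(parsed).items():
        print(f"{key}: {value}")
```

Running it on the constructed sample reports mode "hard-fail"; passing {"security.OCSP.enabled": 0} instead reports "stapling-only", which separates the two prefs that the thread worries might be coupled.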
security.pki.certificate_transparency.mode
This is the meta ticket for Certificate Transparency
Btw atm they disabled it again because certificate transparency signature verifications negatively impact TLS handshake performance
Re-enable Certificate Transparency telemetry collection - NEW Unassigned
@Thorin-Oakenpants totally OT but holy shit, just in case you missed the details of this as I did until today: (and it kinda fits in this issue of "to investigate / keep an eye on")
With respect to #DNCLeak, approximately 23,000 users posted around 140,000 unique Tweets with that hashtag in the relevant period. Of those Tweets, roughly 2% were from potentially Russian-linked accounts. As noted above, our automated systems at the time detected, labeled, and hid just under half (48%) of all the original Tweets with #DNCLeak. Of the total Tweets with the hashtag, 0.84% were hidden and also originated from accounts that met at least one of the criteria for a Russian-linked account.
TWITTER censored 48% of tweets with #DNCLeak and only 0.84% of those were from potentially Russian-linked accounts - WTF?! Thank god RT now needs to register as agents of a foreign country 🤦♂️
... and the bitch still lost - oh the irony xD
oh and that's not all:
In the two months preceding the election, around 57,000 users posted approximately 426,000 unique Tweets containing variations of the #PodestaEmails hashtag. Approximately one quarter (25%) of those Tweets received internal tags from our automation detection systems that hid them from searches.
I started working on a NoRedirect replacement but there's no good way to stop refreshes yet.
If true, it gives a pop-up like this: This web page is being redirected to a new location. Would you like to resend the form data you have typed to the new location?
Its companion entry is: accessibility.blockautorefresh
About
/* 2421: disable Ion and baseline JIT to help harden JS against exploits such as CVE-2015-0817
...there are more recent exploits, listed here.
Source follows:
https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
This is bad:
Send telemetry events for each action on an extension
I posted in this issue, although I suggest to create a sticky for telemetry issues only.
I suggest to create a sticky for telemetry issues only.
we have telemetry disabled in more ways than it's probably necessary so telemetry is really not an issue and we don't need a sticky for that.
Regarding Certificates, there's a VPN Guide linked here where it says to remove the trust on the certificates you don't use.
Entry:
plugin.disable_full_page_plugin_for_types
Value:
application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,appliation/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks
Source listed here
nvm, I should have read the patch more carefully. The pref is still there and it's no longer hidden either. sorry about that
closing this locked topic - it's only used by myself, and I don't need it anymore