pyllyukko / user.js

user.js -- Firefox configuration hardening

License: MIT License

Shell 8.28% JavaScript 83.87% Makefile 7.84%
mozilla-firefox privacy firefox security security-hardening mozilla

user.js's Issues

include a method for users to easily include custom entries / override this user.js

didn't know how to word title properly.

info here #54
one may want to use this user.js but have a few things in it which they want configured differently. appending to the end of the file overrides previous entries but apparently that breaks git stuff

i just came across this http://kb.mozillazine.org/Locking_preferences
haven't tried it yet but if a file of lockprefs can override user.js then this might be a solution? people would just need to add their preferences as lockprefs in the lockprefs file. but i just realised, if it reads these files in a particular order, it may be possible to just put regular user_pref's in one of these files

will test

blog: can we be tracked via mozilla's addon blocklist updates? [PARANOID MODE]

i just want to see what people think about this lol. it's not me asking for anything to be put in user.js. i had uMatrix's behind-the-scene logger open and then firefox tried to update its addon blocklist. this was the url: https://blocklist.addons.mozilla.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/41.0.2/Firefox/20151014143721/WINNT_x86-msvc/en-US/release/Windows_NT%206.1/default/default/7/528/1/. so i checked about:config and i saw that extensions.blocklist.url = https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
this is the only update url in about:config that i can see which sends so many items in the url. i wondered if it really needed all that information. so i requested https://blocklist.addons.mozilla.org/blocklist/3/%20/%20/%20/%20/%20/%20/%20/%20/%20/%20/%20/%20/%20/ and i got exactly the same results in return. as long as the right amount of values are in the url it gives the same blocklist. it doesn't matter what the values are. i'm guessing it's just to build statistics or something?

then i thought about spoofing some of the values but then i realised that it wasn't worth it. but the ping values interested me.
%TOTAL_PING_COUNT% seems to be the total amount of times my browser has updated its blocklist ever and it is stored in about:config as extensions.blocklist.pingCountTotal
%PING_COUNT% is the amount of times my browser has updated the blocklist on this browser version and the value is stored at extensions.blocklist.pingCountVersion
%DAYS_SINCE_LAST_PING% is what it sounds like and if u use ur browser every day it will be 1 since the default blocklist update interval extensions.blocklist.interval is set to 24 hours

i'm definitely not claiming mozilla is tracking users through this lol, but maybe some people can see how it could be used that way. not only does the server receive every day (if you are online every day) your OS, browser version etc etc., it has unique numbers of how many times the url has been accessed and how long ago which greatly improve its ability to point back to you. remember it's all probably linked back to your ip address too. what can they tell from it? probably not much lol. that you were online? you used your browser today?

if that bothers someone they could make user.js reset extensions.blocklist.pingCountTotal and extensions.blocklist.pingCountVersion or they could modify extensions.blocklist.url to always send a value like 1 or something else for the ping counts. though that would make you more trackable unless your ip changed a lot. the best thing would be to randomize the values, but that would require an extension probably and who cares enough to make that?

by the time i finished writing this my conviction that these are things we shouldn't mess with has only grown stronger. thanks for reading i don't know why i wrote this
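The request described in the post above, taken apart field by field. This is an added example, not part of the original issue or of user.js: the template and the observed URL are the two quoted in the post, while NEXT_DAY, OTHER and all function names are constructed for illustration. It shows which of the thirteen fields describe the build and OS and which are per-profile counters, and why two requests with consecutive counters look like the same profile.

```javascript
// Value of extensions.blocklist.url and the request seen in the logger,
// both copied from the post above.
const TEMPLATE = "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/";
const OBSERVED = "https://blocklist.addons.mozilla.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/41.0.2/Firefox/20151014143721/WINNT_x86-msvc/en-US/release/Windows_NT%206.1/default/default/7/528/1/";

// Constructed sample: the same profile one day and one blocklist update later.
const NEXT_DAY = OBSERVED.replace("/7/528/1/", "/8/529/1/");
// Constructed sample: a different profile on the same browser build and OS.
const OTHER = OBSERVED.replace("/7/528/1/", "/3/40/2/");

// Per-profile counters. The post maps the first two to
// extensions.blocklist.pingCountVersion and extensions.blocklist.pingCountTotal.
const COUNTERS = ["PING_COUNT", "TOTAL_PING_COUNT", "DAYS_SINCE_LAST_PING"];

// Align an observed URL with the pref template and return {PLACEHOLDER: value}.
function parseBlocklistUrl(template, observed) {
  const t = template.split("/");
  const o = observed.split("/");
  if (t.length !== o.length) {
    throw new Error("segment count differs from template");
  }
  const fields = {};
  t.forEach((seg, i) => {
    const m = /^%([A-Z_]+)%$/.exec(seg);
    if (m) {
      fields[m[1]] = decodeURIComponent(o[i]);
    } else if (seg !== o[i]) {
      throw new Error(`fixed segment ${i} does not match the template`);
    }
  });
  return fields;
}

// Separate the build/OS description from the per-profile counters.
function splitDisclosure(fields) {
  const environment = {};
  const counters = {};
  for (const [name, value] of Object.entries(fields)) {
    if (COUNTERS.includes(name)) counters[name] = Number(value);
    else environment[name] = value;
  }
  return { environment, counters };
}

// True when `next` is what the profile behind `prev` would send on its next
// update: same environment (a browser upgrade may change version and build id),
// total count up by one, and per-version count up by one if the version is unchanged.
function consistentWithSameProfile(prev, next) {
  const a = splitDisclosure(prev);
  const b = splitDisclosure(next);
  const sameEnv = Object.keys(a.environment).every(
    (k) => k === "APP_VERSION" || k === "BUILD_ID" ||
           a.environment[k] === b.environment[k]
  );
  const totalOk =
    b.counters.TOTAL_PING_COUNT === a.counters.TOTAL_PING_COUNT + 1;
  const versionOk =
    prev.APP_VERSION !== next.APP_VERSION ||
    b.counters.PING_COUNT === a.counters.PING_COUNT + 1;
  return sameEnv && totalOk && versionOk;
}

const first = parseBlocklistUrl(TEMPLATE, OBSERVED);
console.log(splitDisclosure(first));
console.log("next day, same profile:",
  consistentWithSameProfile(first, parseBlocklistUrl(TEMPLATE, NEXT_DAY)));
console.log("other profile:",
  consistentWithSameProfile(first, parseBlocklistUrl(TEMPLATE, OTHER)));
```

Resetting extensions.blocklist.pingCountTotal and extensions.blocklist.pingCountVersion, as the post suggests, is what breaks the counter continuity this check relies on.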

Firefox connections on about:blank page

Hi, just installed user.js and I've noticed that when I start Firefox (about:blank is my start page) it makes some connections:
netstat -nputw|grep firefox
tcp 0 0 xxx.xxx.xxx.xxx:33848 216.58.208.206:443 ESTABLISHED 13427/firefox
tcp 0 0 xxx.xxx.xxx.xxx:49776 216.58.208.206:80 ESTABLISHED 13427/firefox
tcp 0 0 xxx.xxx.xxx.xxx:42962 93.184.220.29:80 ESTABLISHED 13427/firefox
tcp 0 0 xxx.xxx.xxx.xxx:41561 52.25.32.149:443 ESTABLISHED 13427/firefox
tcp 0 0 xxx.xxx.xxx.xxx:33846 216.58.208.206:443 ESTABLISHED 13427/firefox
tcp 0 0 xxx.xxx.xxx.xxx:36906 68.232.34.191:443 ESTABLISHED 14420/firefox

Is there any way in user.js to disable these automatic connections?
Thanks!

PS. OS: Fedora 22 x64, Firefox 38.0.5, no add-ons loaded

DNS servers

I don't know if this is very off topic or if I may ask,

Is it important to change DNS servers? For security and performance.

At the moment I am using my network provider's default DNS servers.

list of firefox ocsp servers

i did this for my own reasons but thought i would post it here in case it would be useful to anybody else. i read my cert8.db and these were the ocsp servers i found. it could be useful for those who might go as far as to block all background connections except whitelisted ones, or maybe those who force https on all domains except whitelisted ones (the majority of ocsp servers don't use https). or maybe those just wondering what the connections to these ips are
see my post underneath this for ocsp servers not included by default

commercial.ocsp.identrust.com
ocsp.affirmtrust.com
ocsp.comodoca.com
ocsp.comodoca2.com
ocsp.comodoca3.com
ocsp.comodoca4.com
ocsp.digicert.com
ocsp.entrust.net
ocsp.geotrust.com
ocsp.globalsign.com
ocsp.godaddy.com
ocsp.netsolssl.com
ocsp.omniroot.com
ocsp.quovadisglobal.com
ocsp.root-x1.letsencrypt.org
ocsp.starfieldtech.com
ocsp.startssl.com
ocsp.swisssign.net
ocsp.thawte.com
ocsp.trust-provider.com
ocsp.trustwave.com
ocsp.usertrust.com
ocsp.verisign.com
ocsp.wosign.com
ocsp.ws.symantec.com
ocsp1.wosign.com
ocsp2.wosign.cn

browser.pagethumbnails.capturing_disabled

You have set
user_pref("browser.pagethumbnails.capturing_disabled", false);

This means the feature is active.
Mozilla's wiki page regarding that setting is contradictory, quote:

Default value: true

Values
false (default)
The application creates screenshots of visited web pages.
true
The application doesn't create screenshots of visited web pages.

Given the name of the setting it must be assumed that setting it to true means the feature is turned off.

Review and merge Icecat setting toggles?

Hi, I was reading https://www.gnu.org/software/gnuzilla/ and found out it has a special about:icecat page

Adds a custom "about:icecat" homepage with links to information about the free software and privacy features in IceCat, and checkboxes to enable and disable the ones more prone to break websites.

Since people tend to recommend Icecat as a countermeasure to Firefox/Mozilla's recent "misbehaviour", and that Icecat is an outdated, low-workforce fork of Firefox which seems to only bring preinstalled addons and config changes, I think reasonable Free Software oriented distributions could simply distribute FF with an altered default config like this user.js. I have started working on a more "relaxed" preferences set in https://github.com/nodiscc/user.js/commits/dbu and I wish we could convince the Debian project to distribute this by default - there are several open bug requests on the Debian BTS for similar issues.

I am still curious whether Icecat has something more to offer; would an Icecat user please copy-paste the settings found in about:icecat here?

This would allow working on privacy/security/FOSS-oriented settings that user.js may be missing. The about:icecat is also similar to the request in #25.

Consider removing old settings

To simplify the config, consider removing old settings that no longer apply. As of Firefox 39.0.3, the following settings no longer apply:

  • browser.frames.enabled
  • browser.download.manager.retention
  • browser.history_expire_days
  • browser.history_expire_sites
  • browser.history_expire_visits
  • general.useragent.override
  • plugins.hide_infobar_for_outdated_plugin

Questions and notices on first run

I use Firefox without installation: extract, use, delete so I need to suppress initial questions and notices. Here they are:

user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("browser.rights.3.shown", true);
user_pref("browser.toolbarbuttons.introduced.pocket-button", false);
user_pref("datareporting.healthreport.service.firstRun", true);
user_pref("datareporting.policy.dataSubmissionPolicyBypassNotification", true);
user_pref("browser.reader.detectedFirstArticle", true);
user_pref("browser.displayedE10SPrompt.1", 1);
user_pref("browser.displayedE10SNotice", 4);
user_pref("browser.urlbar.userMadeSearchSuggestionsChoice", true);

Please consider including them in the README.

Can Zenmate be edited?

Hello all

One question: can the Zenmate browser extension be edited? The reason I'm asking is that when the web browser (Firefox or Chrome) is opened up with the internet lead disconnected, Zenmate still says that it is connected publicly to the last place the user chose, for example Germany.

This makes me think that the locations that can be chosen are in the code somewhere within the .XPI file, rather than coming from Zenmate's own server. Is this right or not and if so, where is the code? If it is right, how is it possible to add the UK to the list again?

Many thanks.

network.dns.disablePrefetch is supposed to be true

In order for the browser to not prefetch DNS entries for resources, it should be set to true.

Change:
user_pref("network.dns.disablePrefetch", false);
to
user_pref("network.dns.disablePrefetch", true);

sync via services.sync.prefs.sync booleans

I don't know if this is well known but supposedly you're able to sync any random about:config entry by creating a boolean with the convention:
services.sync.prefs.sync.[config name] = true
ex:
services.sync.prefs.sync.beacon.enabled = true

personally, I do this with all of my custom prefs vs. using the userprefs.js... or at least complementing it.

I'm pretty sure this document still applies. I also add the little sync rotating icon to my toolbar to confirm that as I make changes it rotates, acknowledging it syncs those settings I change.
https://developer.mozilla.org/en-US/docs/Archive/Mozilla/Firefox_Sync/Syncing_custom_preferences

Settings to look into

These settings in about:config might have some security/privacy related effect, but information about them is not that easily available:

  • security.ssl.false_start.require-npn
  • geo.wifi.uri
  • browser.formfill.saveHttpsForms
  • breakpad.reportURL (should we set this to ""?)
  • extensions.blocklist.level
  • network.stricttransportsecurity.preloadlist (quite self-explanatory, but needs reference)

See also:

uBlock filters setup

What setup do you recommend for a non-advanced Mac Firefox user for uBlock?

Also, if you have other important extensions you recommend, just scream it out.

I might as well list my current setup:
EasyList
Peter Lowe's Ad server list
EasyPrivacy
Malware Domain List
Malware domains
Fanboy's Annoyance List
Dan Pollock's hosts file
hpHosts' Ad and tracking servers
Fanboy's Swedish (since I am Swedish)

Thanks a lot!

Consider lockPref() and mozilla.cfg

When using user_pref() and user.js, Firefox and addons can change the values of your about:config entries during the session. It may not be permanent, but the effect is essentially permanent (Firefox and addons can just enforce their own settings on startup every time).

Have you considered using lockPref() and mozilla.cfg instead? This prevents Firefox and addons from changing the entries' values. The downside is that if Firefox changes an entry's value that is considered more desirable than what you currently have, it will not be set and you will keep your existing, less desirable value. Practically speaking, the point of the user.js in this scenario is presumably already taking this into account, so it's not really a downside--just an inherent problem of using about:config entries in general (unless Mozilla decides to notify users of which about:config entries they have changed that conflict with your user-set entries).

On an unrelated note, you left browser.safebrowsing.malware.enabled to its default true--as a result, sites are sent to Google to be checked for malware. Many people who compiled lists of entries to enhance privacy have this set to false (including me) and instead use something dedicated to malware protection such as Malwarebytes Anti-Malware, which should be used regardless.

I can do a pull request if you want.

P.S.

network.seer.enabled is deprecated according to several sites. browser.sessionstore.enabled is deprecated. security.enable_ssl3 is deprecated.

changes to trackingprotection and safebrowsing

for those who are interested (i noticed a TODO in user.js), i came across these and it seems like these 2 features might be merging or just adding new preferences in firefox 43 (user.js is also missing some of the older preferences such as privacy.trackingprotection.pbmode.enabled (just for the sake of it))

https://wiki.mozilla.org/Safe_Browsing
https://wiki.mozilla.org/Security/Tracking_protection

i personally disable both features so i'm not sure what the best course of action would be for user.js

if this brings nothing to the table close the issue i guess

[question] commented options

Hi,
why are these options commented:
//user_pref("dom.storage.enabled", false);
//user_pref("browser.cache.memory.enable", false);
Can it break something? I assume these entries are quite important for privacy, aren't they? The second one allows setting a unique identifier by e-tag and the first one allows setting a kind of cookie?

Consider the following settings

The following settings are "true" by default (Firefox 39.0.3), and should perhaps not be in a hardened config:

gfx.downloadable_fonts.enabled
network.dns.disableIPv6
media.autoplay.enabled
media.wave.enabled
media.webm.enabled
media.webvtt.enabled
media.opus.enabled
media.ogg.enabled
media.eme.enabled
media.directshow.enabled
media.windows-media-foundation.enabled
media.raw.enabled
browser.safebrowsing.downloads.remote.enabled
network.negotiate-auth.allow-proxies
dom.broadcastChannel.enabled
browser.urlbar.suggest.bookmark
browser.urlbar.suggest.history
security.ssl.errorReporting.enabled
media.eme.enabled
browser.taskbar.lists.enabled
browser.uitour.enabled
camera.control.face_detection.enabled
dom.ipc.plugins.enabled
dom.server-events.enabled
dom.vibrator.enabled
experiments.enabled
extensions.getAddons.cache.enabled
social.remote-install.enabled
social.toast-notifications.enabled

DNT HTTP header

Enables Firefox's built-in tracking protection

This is actually counterproductive. Websites are not forced to honour the browser's request to not be tracked and thus, you are more likely to be tracked across the web for displaying "suspicious behaviour."
The superior approach is to not include anything in the HTTP header.

user.js breaks some extensions (apparently ToggleButton)

It seems that some setting in this user.js breaks some extensions. Apparently it affects the ToggleButton UI feature.

Two extensions that are lacking the buttons are Privacy Badger and Shodan Firefox Add-on.

Some error relating to this issue:

*************************
A coding exception was thrown and uncaught in a Task.

Full message: TypeError: this.Paths is null
Full stack: Agent.wipe@resource:///modules/sessionstore/SessionWorker.js:236:7
worker.dispatch@resource:///modules/sessionstore/SessionWorker.js:21:24
anonymous/AbstractWorker.prototype.handleMessage@resource://gre/modules/workers/PromiseWorker.js:122:16
@resource:///modules/sessionstore/SessionWorker.js:30:41

about:networking

Hello
Question [about:networking] -- How to disable the experimental real time recordings for Http [Hostnames] | Sockets [IP @] | DNS | WebSockets ???
Your solutions in "about:config" please for the privacy ...
Thanks for your precious help ...
Regards,

Split up user.js

Please consider splitting up user.js to sections into user.js.d directory and add a build script:
cat user.js.d/* > user.js

Spelling mistake

Is DuckDcukGo not supposed to be DuckDuckGo?

user_pref("browser.search.defaultenginename", "DuckDcukGo");

Installation of user.js causes saved passwords to be removed

Installation of user.js causes saved passwords to be removed from the Firefox This wasn't explicitly listed as intended behavior in the README file, though it appears to be quite intentional. I would suggest warning potential users about what may be, to them, an unintended consequence. Strong language about backing up profile data before proceeding would be highly advisable.

Otherwise, great work.

Addon "Zenmate VPN" broken

I created a fresh profile, copied the user.js to this profile and installed the zenmate Addon from https://www.zenmate.com.

After starting vpn connection through the addon no more website connection is possible -> "Connection failed". I read that some settings can break addon functions. Do you have a hint what setting causes the issue?

Version: 42.0b4 (x64) @ Windows 7 Prof. x64
Build-ID: 20151005144425

Please let me know if you need more information.

[Talk] alternative to plugins.enumerable_names

mozilla removed the plugins.enumerable_names leaving people's plugins list exposed but in this thread some solutions were found: dillbyrne/random-agent-spoofer#283

a user created a userscript which can easily be a noscript surrogate instead dillbyrne/random-agent-spoofer#283 (comment)

noscript.surrogate.noplugin.exceptions =
noscript.surrogate.noplugin.replacement=Object.defineProperty(navigator, "plugins", {value: []});
noscript.surrogate.noplugin.sources=@^https?://

this hides plugins from websites for noscript users. not sure if this is something to include in user.js but i hope people will find it useful

Can't search in Address/URL bar?

Seems like I can't search anymore in the Address/URL bar. It only works with the dedicated search bar. The error I get is "Server not found". Any idea which setting I need to change in order to fix this?

Duplicated settings

The following settings are duplicated in the config file:
security.ssl3.dhe_dss_des_ede3_sha
security.ssl3.ecdh_ecdsa_des_ede3_sha
security.ssl3.ecdh_rsa_des_ede3_sha
security.ssl3.rsa_aes_128_sha
security.ssl3.rsa_aes_256_sha

The first 3 seem to be duplicated because they fulfill multiple criteria to be disabled. The fourth cipher on the list is commented out, but then enabled again later on. The last cipher is first disabled, then enabled again.

Consider removing duplicates to simplify the configuration file and remove conflicting settings.
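One way to find the entries this issue describes, as an added example that is not part of the project: the pref names come from the issue, but the sample file, its values and line order, and the function names are constructed. It separates harmless repeats from real conflicts and reports the value that wins, relying on the behaviour mentioned elsewhere on this page that a later entry overrides an earlier one.

```javascript
// Constructed sample in the style of user.js; only the pref names are from the issue.
const SAMPLE = [
  '// weak ciphers',
  'user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);',
  '//user_pref("security.ssl3.rsa_aes_128_sha", false);',
  'user_pref("security.ssl3.rsa_aes_256_sha", false);',
  '// 3DES',
  'user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);',
  'user_pref("security.ssl3.rsa_aes_128_sha", true);',
  'user_pref("security.ssl3.rsa_aes_256_sha", true);',
  'user_pref("browser.search.defaultenginename", "DuckDuckGo");',
].join("\n");

// Matches active and commented-out user_pref() lines.
const PREF_RE = /^\s*(\/\/\s*)?user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

// Return every user_pref entry with its 1-based line number.
function parsePrefs(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    const m = PREF_RE.exec(line);
    if (m) {
      entries.push({
        name: m[2],
        value: m[3],
        line: idx + 1,
        commented: Boolean(m[1]),
      });
    }
  });
  return entries;
}

// Report prefs that occur more than once.
//   redundant           - several active entries, all with the same value
//   conflict            - several active entries with different values
//   commented-duplicate - at most one active entry plus commented-out copies
// `effective` is the value of the last active entry (null if none is active).
function findDuplicates(text) {
  const byName = new Map();
  for (const entry of parsePrefs(text)) {
    if (!byName.has(entry.name)) byName.set(entry.name, []);
    byName.get(entry.name).push(entry);
  }
  const report = [];
  for (const [name, all] of byName) {
    if (all.length < 2) continue;
    const active = all.filter((e) => !e.commented);
    const distinct = new Set(active.map((e) => e.value));
    let kind = "commented-duplicate";
    if (active.length >= 2) kind = distinct.size > 1 ? "conflict" : "redundant";
    report.push({
      name,
      kind,
      lines: all.map((e) => e.line),
      effective: active.length ? active[active.length - 1].value : null,
    });
  }
  return report;
}

for (const r of findDuplicates(SAMPLE)) {
  console.log(`${r.kind.padEnd(20)} ${r.name} lines ${r.lines.join(",")} -> ${r.effective}`);
}
```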

Font fingerprinting

I have found out that browser.display.use_document_fonts can be used to disable font fingerprinting. I have used it in my own user.js and have not found a problem with it. I recommend adding it to this project.

// disable font fingerprinting
// test with http://www.browserleaks.com/fonts or https://panopticlick.eff.org
user_pref("browser.display.use_document_fonts", 0);

before: [image: screen shot 2016-02-17 at 1 04 16 pm]
after: [image: screen shot 2016-02-17 at 1 05 06 pm]

Add TOC, or move README sections to Wiki

Just a small suggestion. I see that the README is quite long, with many external links throughout. Personally, all the information would be easier to consume if the single file was divided into several wiki articles here.

I am interested in hearing what others have to say. I mean, even if the wiki option was turned down, I think a TOC in the README would be the best alternative.

possible additions related to telemetry and datareporting

toolkit.telemetry.unified -> false
toolkit.telemetry.unifiedIsOptIn -> true
toolkit.telemetry.archive.enabled -> false i looked in my profile folder and found that it was storing things in a folder called /saved-telemetry-pings/
toolkit.telemetry.server -> ""
experiments.manifest.uri -> ""
toolkit.telemetry.cachedClientID -> ""
datareporting.policy.dataSubmissionEnabled -> false
datareporting.healthreport.pendingDeleteRemoteData -> false
datareporting.sessions.currentIndex -> 0 or "0"? in one of my firefox's it's a string and in one it's an integer lol
datareporting.sessions.prunedIndex -> 0
experiments.enabled -> false
experiments.supported -> false

sources:
https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
https://wiki.mozilla.org/QA/Telemetry/AboutPreferences
my about:config

you might wanna search your about:config for 'datareporting' and 'telemetry'. mine had a lot of weird datareporting session things saved which i removed. also check the /datareporting/ folder in your profile folder. it seems to be recreated and files written even when these features are disabled? i added them to ccleaner and also the /saved-telemetry-pings/ folder. it's worth checking your profile folder for unnecessary/weird files and folders if your profile is as old as mine.

Spelling error in readme.md

Hi.
"Harden the browser, so it doesn't spill >it's< guts when asked (have you seen what BeEF can do?)"
it's should say its.

Great project by the way! Do you know of any similar Chrome projects?
