authorGaming4JC <g4jc@openmailbox.org>2017-02-04 12:58:28 -0500
committerGaming4JC <g4jc@openmailbox.org>2017-02-04 12:58:28 -0500
commita8aa8497aacb86e6f0a984d114166981bc113374 (patch)
tree2c34c634cdaab32ae1cc554d5465608cf7563745 /nonprism/iceweasel-hardened-preferences
parent41da44a710930842d2321b27b27d9ea7e06ed000 (diff)
iceweasel-hardened-configs updates for FF 51
Diffstat (limited to 'nonprism/iceweasel-hardened-preferences')
-rw-r--r--nonprism/iceweasel-hardened-preferences/PKGBUILD8
-rw-r--r--nonprism/iceweasel-hardened-preferences/iceweasel-branding.js143
2 files changed, 99 insertions, 52 deletions
diff --git a/nonprism/iceweasel-hardened-preferences/PKGBUILD b/nonprism/iceweasel-hardened-preferences/PKGBUILD
index 13d59d58b..97296d4db 100644
--- a/nonprism/iceweasel-hardened-preferences/PKGBUILD
+++ b/nonprism/iceweasel-hardened-preferences/PKGBUILD
@@ -2,8 +2,8 @@
# Contributor: André Silva <emulatorman@parabola.nu>
pkgname=iceweasel-hardened-preferences
-pkgver=0.2
-pkgrel=2
+pkgver=0.3
+pkgrel=1
pkgdesc="Hardened preferences script which runs Iceweasel to protect from a variety of privacy, security, and fingerprinting attacks."
arch=(any)
license=(MPL)
@@ -20,11 +20,11 @@ source=('firefox-branding.js'
'iceweasel-hardened.install')
sha512sums=('cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e'
'd542452fa1d619d22e9c9b6e4af58d7310abdc5c81d871a1abbddb0087c53913c8a244af2b7be416a2c439383afc2480c439078ebde0ccac518300d9027b4800'
-'ba20f29fa176795a664168dbc05e2a28fa34c82d5a7606cee6f12d30dbc49fe0280d95da0eaf1fa3f7f52fcd341da1bd546de4cd055acd79056c8eeee97317b5'
+'b5e36db1b8934358c5477b32c7d4c5e990bdf22066cc2382f6a9b9992b21704518a60a5e1710cf3722290a9a1d7af87d0930d5ceab2624503a7545cebd8a6085'
'e9baa13d50195ff5be507093c45c00bb06a77c9e633ac183ec2fd74eebb11bfc07bde334fe4455b763e8700cde146ae223578ebd8d13066739220502b6eebff6')
whirlpoolsums=('19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3'
'f7cb38e58f644ddeae9f931c290ae1d96e54d0a8937171f2ebad498b65b87f2115cbd0a0f2a55e12dceba7a387e70fd2432678010a87975f8322c9c27b41efd2'
-'e4316359d1350a0f32753923d6e20c8e998d7c7379b7dd10e62f1962d96f1bd4711755e5dc6631aa9616215da61331193b1bc66b38aa0c5a24e87bc1d214a63a'
+'fb08d3dc1c264714c8f20389fb0201b7e9917e0499890821baa3cc38c3b698bc83f63bb8d6522362032e86366dd92fd89e66f8742777892b8d4de150bc8158dc'
'44b57bbbf8f00ffee11afc84f5ea3daedc39e59da3ee91e337c1eaad24c014caf5680eb250e25a3e046db9caaf6829c3b667693de9f040d8864be34b96300bb9')
package() {
diff --git a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
index a264a0e08..a8cbabf0c 100644
--- a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
+++ b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
@@ -64,14 +64,25 @@ pref("dom.push.maxQuotaPerSubscription", 0);
pref("services.push.enabled", false);
pref("services.push.serverURL", "");
+// Make sure DOM "beforeunload" is off, caches user pages in bfcache and tries to stop user from closing page.
+// https://developer.mozilla.org/en-US/docs/Web/Events/beforeunload
+pref("dom.disable_beforeunload", true);
+pref("dom.require_user_interaction_for_beforeunload", false);
+
// Disable Kinto Cloud
// Note: Pref may change name in future release
// https://bugzilla.mozilla.org/show_bug.cgi?id=1266235#c2
-pref("services.kinto.base", "");
+// https://hg.mozilla.org/releases/mozilla-release/file/c1de04f39fa956cfce83f6065b0e709369215ed5/services/common/kinto-updater.js
+pref("services.kinto.base", "data:application/json,{}");
+pref("services.kinto.changes.path", "");
// Disable MDNS (Supposedly only for Android but is in Desktop version also)
// https://hg.mozilla.org/releases/mozilla-beta/file/00bcc10b3bdc/dom/presentation/provider/MulticastDNSDeviceProvider.cpp#l18
pref("dom.presentation.discovery.enabled", false);
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1278205
+pref("dom.presentation.controller.enabled", false);
+pref("dom.presentation.receiver.enabled", false);
+pref("dom.presentation.tcp_server.debug", false);
pref("dom.presentation.discoverable", false);
pref("dom.presentation.discovery.legacy.enabled", false);
@@ -79,6 +90,9 @@ pref("dom.presentation.discovery.legacy.enabled", false);
// http://dev.w3.org/html5/webstorage/#dom-localstorage
// you can also see this with Panopticlick's "DOM localStorage"
pref("dom.storage.enabled", false);
+// https://developer.mozilla.org/en-US/docs/Web/API/Storage_API
+// https://storage.spec.whatwg.org/
+pref("dom.storageManager.enabled", false);
// Whether JS can get information about the network/browser connection
// Network Information API provides general information about the system's connection type (WiFi, cellular, etc.)
@@ -91,7 +105,12 @@ pref("dom.network.enabled", false);
// Disable Web Audio API
// https://bugzil.la/1288359
-pref("dom.webaudio.enabled", false);
+pref("dom.webaudio.enabled", false);
+
+// Audio Recording API (Currently only used by WebRTC)
+// https://hg.mozilla.org/releases/mozilla-beta/file/00bcc10b3bdc/dom/media/MediaManager.cpp#l1942
+pref("media.getusermedia.noise_enabled", false);
+pref("media.getusermedia.audiocapture.enabled", false);
// Audio_data is deprecated in future releases, but still present
// in FF24. This is a dangerous combination (spotted by iSec)
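Review bot: `media.getusermedia.noise_enabled` at L92 looks like the noise-suppression switch for captured microphone audio rather than a recording-API toggle, so the heading `// Audio Recording API (Currently only used by WebRTC)` over-promises what the two new lines do. Turning noise suppression off neither prevents capture nor reduces what a page can learn; only the `audiocapture.enabled` line below it restricts a capture path, and the capture feature itself is governed by `media.navigator.enabled` if that is not already set elsewhere in the file. Suggest either dropping the noise_enabled line or retitling the block, e.g. `// getUserMedia audio processing and tab-audio capture (not the capture permission itself)`. This is inferred from the pref name and the linked MediaManager.cpp; confirm against that source before relying on it.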
@@ -102,6 +121,14 @@ pref("media.audio_data.enabled", false);
pref("media.autoplay.enabled", false);
pref("noscript.forbidMedia", true);
+// Disable Device Change API (FF 52+)
+// https://developer.mozilla.org/en-US/docs/Web/Events/devicechange
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1152383
+// https://hg.mozilla.org/releases/mozilla-release/file/a67a1682be8f0327435aaa2f417154330eff0017/dom/webidl/MediaDevices.webidl#l15
+pref("media.ondevicechange.enabled", false);
+// https://hg.mozilla.org/releases/mozilla-release/rev/5022a33fd3e9
+pref("media.ondevicechange.fakeDeviceChangeEvent.enabled", false);
+
// Don't reveal your internal IP
// Check the settings with: http://net.ipcalf.com/
// https://wiki.mozilla.org/Media/WebRTC/Privacy
@@ -168,12 +195,15 @@ pref("dom.gamepad.test.enabled", false);
// Disable virtual reality devices
// https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
-pref("dom.vr.enabled", false);
+pref("dom.vr.enabled", false);
pref("dom.vr.cardboard.enabled", false);
-pref("dom.vr.oculus.enabled", false);
-pref("dom.vr.oculus050.enabled", false);
-pref("dom.vr.poseprediction.enabled", false);
+pref("dom.vr.oculus.enabled", false);
+pref("dom.vr.oculus050.enabled", false);
+pref("dom.vr.poseprediction.enabled", false);
+pref("dom.vr.openvr.enabled", false);
+// https://hg.mozilla.org/releases/mozilla-release/file/970d0cf1c5d9/modules/libpref/init/all.js#l4778
pref("dom.vr.add-test-devices", 0);
+pref("dom.vr.osvr.enabled", false);
// disable notifications
pref("dom.webnotifications.enabled", false);
@@ -245,7 +275,7 @@ pref("pointer-lock-api.prefixed.enabled", false);
// Disable website autorefresh, user can still proceed with warning
pref("accessibility.blockautorefresh", true);
pref("browser.meta_refresh_when_inactive.disabled", true);
-pref("noscript.forbidMetaRefresh", true);
+pref("noscript.forbidMetaRefresh", true); // NoScript ignores this preference?
// Disable face detection by default
@@ -279,6 +309,11 @@ pref("network.proxy.type", 0);
// Protect TOR ports
pref("network.security.ports.banned", "9050,9051,9150,9151");
+// Make sure proxy-autoconfig is off to prevent MiTM.
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1255474
+// https://hg.mozilla.org/releases/mozilla-release/rev/5139b0dd7acc
+pref("network.proxy.autoconfig_url.include_path", false);
+
// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
pref("network.proxy.socks_remote_dns", true);
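Review bot: The comment at L138 says the new pref turns proxy-autoconfig off, but `network.proxy.autoconfig_url.include_path` only controls whether the path and query of a URL are handed to a PAC script's FindProxyForURL() (the bug 1255474 linked on the next line); PAC itself is governed by `network.proxy.type`, which the hunk header shows set to 0. The setting is still worth keeping as defence in depth for the case a user later enables a PAC URL, but the rationale should match what the pref does: `// If a PAC script is ever enabled, pass it only scheme+host, never the full URL path/query (bug 1255474).`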
@@ -417,8 +452,14 @@ pref("extensions.getAddons.get.url", "about:blank");
pref("extensions.getAddons.getWithPerformance.url", "about:blank");
pref("extensions.getAddons.recommended.url", "about:blank");
pref("services.settings.server", "");
-// If blocklist downloads, we want it to be signed.
+// If blocklist still downloads, we want it to be signed.
pref("services.blocklist.signing.enforced", true);
+// Firefox 49: https://hg.mozilla.org/releases/mozilla-release/rev/c6c57d394549
+// https://hg.mozilla.org/releases/mozilla-release/file/c6c57d394549/toolkit/mozapps/extensions/nsBlocklistService.js#l633
+pref("services.blocklist.update_enabled", false);
+// https://hg.mozilla.org/releases/mozilla-release/file/c6c57d394549/services/common/blocklist-updater.js
+pref("services.settings.server", "data:application/json,{\"data\":[]}");
+pref("services.blocklist.changes.path", "");
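Review bot: The added `pref("services.settings.server", "data:application/json,{\"data\":[]}");` at L156 re-assigns a key that the unchanged line at L148 already sets to `""` a few lines above; a prefs file takes the last assignment, so the earlier one is now dead code and the two lines disagree on intent. Keep exactly one: either delete the `""` line, or drop the new one and move its data: URL rationale next to the surviving assignment. It is also worth confirming in the linked blocklist-updater.js that `services.blocklist.changes.path` = `""` does not cause the updater to fetch the data: base with an empty path appended, which is what the comment implies but the hunk does not show.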
// Disable Freedom Violating DRM Feature
// https://bugzilla.mozilla.org/show_bug.cgi?id=1144903#c8
@@ -427,7 +468,15 @@ pref("media.eme.enabled", false);
pref("browser.eme.ui.enabled", false);
pref("media.gmp-eme-adobe.enabled", false);
-// Fingerprints the user, not HTTPS. Remove it.
+// Google Widevine DRM
+// https://blog.mozilla.org/futurereleases/2016/04/08/mozilla-to-test-widevine-cdm-in-firefox-nightly/
+// https://wiki.mozilla.org/QA/Widevine_CDM
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1288580
+pref("media.gmp-widevinecdm.visible", false);
+pref("media.gmp-widevinecdm.enabled", false);
+pref("media.gmp-widevinecdm.autoupdate", false);
+
+// Fingerprints the user, does not use HTTPS. Remove it.
pref("pfs.datasource.url", "about:blank");
pref("pfs.filehint.url", "about:blank");
@@ -515,6 +564,7 @@ pref("datareporting.policy.dataSubmissionEnabled", false);
pref("datareporting.healthreport.about.reportUrl", "about:blank");
pref("datareporting.healthreport.documentServerURI", "about:blank");
pref("datareporting.policy.firstRunTime", 0);
+pref("datareporting.policy.firstRunURL", "");
// Disable new tab tile ads & preload
// http://www.thewindowsclub.com/disable-remove-ad-tiles-from-firefox
@@ -542,6 +592,13 @@ pref("loop.logDomains", false);
pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
pref("browser.tabs.crashReporting.sendReport", false);
pref("breakpad.reportURL", "about:blank");
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1287178
+// https://hg.mozilla.org/releases/mozilla-release/file/a67a1682be8f0327435aaa2f417154330eff0017/browser/modules/ContentCrashHandlers.jsm#l383
+pref("browser.crashReports.unsubmittedCheck.enabled", false);
+// https://hg.mozilla.org/releases/mozilla-release/rev/c94848691f8a
+pref("browser.crashReports.unsubmittedCheck.autoSubmit", false);
+// https://hg.mozilla.org/releases/mozilla-release/file/a67a1682be8f0327435aaa2f417154330eff0017/browser/modules/ContentCrashHandlers.jsm#l511
+pref("browser.crashReports.unsubmittedCheck.chancesUntilSuppress", 0);
// Disable Slow Startup Notifications
pref("browser.slowStartup.maxSamples", 0);
@@ -588,11 +645,11 @@ pref("browser.safebrowsing.provider.google.lists", "");
// https://bugzilla.mozilla.org/show_bug.cgi?id=1025965
pref("browser.safebrowsing.phishing.enabled", false);
-pref("browser.safebrowsing.provider.google4.lists", "");
-pref("browser.safebrowsing.provider.google4.updateURL", "");
-pref("browser.safebrowsing.provider.google4.gethashURL", "");
-pref("browser.safebrowsing.provider.google4.reportURL", "");
-pref("browser.safebrowsing.provider.mozilla.lists", "");
+pref("browser.safebrowsing.provider.google4.lists", "about:blank");
+pref("browser.safebrowsing.provider.google4.updateURL", "about:blank");
+pref("browser.safebrowsing.provider.google4.gethashURL", "about:blank");
+pref("browser.safebrowsing.provider.google4.reportURL", "about:blank");
+pref("browser.safebrowsing.provider.mozilla.lists", "about:blank");
// Disable Microsoft Family Safety MiTM support
// https://bugzilla.mozilla.org/show_bug.cgi?id=1239166
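Review bot: `browser.safebrowsing.provider.google4.lists` and `...provider.mozilla.lists` (L203, L207) are comma-separated table-name lists, not URLs, so replacing `""` with `"about:blank"` there registers a bogus table name rather than disabling anything; the previous empty string was the correct "no tables" value. The URL-valued prefs in the same hunk (updateURL, gethashURL, reportURL) are fine as about:blank. Suggest reverting only the two `.lists` lines to `""`. I infer the `.lists` semantics from the sibling `provider.google.lists` pref visible in the hunk header; confirm against the Firefox defaults.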
@@ -614,29 +671,6 @@ pref("browser.pocket.site", "about:blank");
pref("browser.pocket.useLocaleList", false);
pref("browser.toolbarbuttons.introduced.pocket-button", true);
-// Disable Hello (Soon to be removed upstream finally!)
-pref("loop.copy.throttler", "about:blank");
-pref("loop.enabled",false);
-pref("loop.facebook.appId", "about:blank");
-pref("loop.facebook.enabled", false);
-pref("loop.facebook.fallbackUrl", "about:blank");
-pref("loop.facebook.shareUrl", "about:blank");
-pref("loop.feedback.baseUrl", "about:blank");
-pref("loop.feedback.formURL", "about:blank");
-pref("loop.feedback.manualFormURL", "about:blank");
-pref("loop.gettingStarted.url", "about:blank");
-pref("loop.learnMoreUrl", "about:blank");
-pref("loop.legal.ToS_url", "about:blank");
-pref("loop.legal.privacy_url", "about:blank");
-pref("loop.linkClicker.url", "about:blank");
-pref("loop.oauth.google.redirect_uri", "about:blank");
-pref("loop.oauth.google.scope", "about:blank");
-pref("loop.remote.autostart", false);
-pref("loop.server", "about:blank");
-pref("loop.soft_start_hostname", "about:blank");
-pref("loop.support_url", "about:blank");
-pref("loop.throttled2", false);
-
// Disable Social
pref("social.directories", "");
pref("social.enabled", false);
@@ -655,7 +689,7 @@ pref("browser.snippets.updateUrl", "about:blank");
// Disable WAN IP leaks
pref("captivedetect.canonicalURL", "about:blank");
-pref("noscript.ABE.wanIpAsLocal", false);
+pref("noscript.ABE.wanIpAsLocal", false); // NoScript ignores this preference?
// Disable Default Protocol Handlers, always warn user instead
pref("network.protocol-handler.external-default", false);
@@ -721,6 +755,7 @@ pref("browser.casting.enabled", false);
// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities
// http://andreasgal.com/2014/10/14/openh264-now-in-firefox/
pref("media.gmp-gmpopenh264.enabled", false);
+pref("media.peerconnection.video.h264_enabled", false);
// Disable Gecko media plugins: https://wiki.mozilla.org/GeckoMediaPlugins
pref("media.gmp-manager.url", "");
pref("media.gmp-manager.url.override", "data:text/plain");
@@ -921,7 +956,7 @@ pref("browser.pagethumbnails.capturing_disabled", true);
//pref("dom.event.contextmenu.enabled", false);
// Don't promote sync
-pref("browser.syncPromoViewsLeftMap", "{\"addons\":0, \"passwords\":0, \"bookmarks\":0}");
+pref("browser.syncPromoViewsLeftMap", "{\"addons\":0,\"bookmarks\":0,\"passwords\":0}");
// CIS 2.3.2 Disable Downloading on Desktop
pref("browser.download.folderList", 2);
@@ -975,6 +1010,8 @@ pref("browser.shell.checkDefaultBrowser", false);
// CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
pref("security.ask_for_password", 0);
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
+pref("signon.formlessCapture.enabled", false);
// Bug 9881: Open popups in new tabs (to avoid fullscreen popups)
pref("browser.link.open_newwindow.restriction", 0);
@@ -992,10 +1029,17 @@ pref("security.insecure_field_warning.contextual.enabled", true);
// https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
pref("network.stricttransportsecurity.preloadlist", false);
+// Disable HSTS Priming, a beta feature rarely used that allows mixed content on HTTPS pages.
+// https://wicg.github.io/hsts-priming/
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1246540#c145
+// https://hg.mozilla.org/releases/mozilla-release/rev/d7d42cef7968
+pref("security.mixed_content.send_hsts_priming", false);
+pref("security.mixed_content.use_hsts", false);
+
// CIS Version 1.2.0 October 21st, 2011 2.2.4 Enable Online Certificate Status Protocol
// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns
-pref("security.OCSP.enabled", 0);
-pref("security.OCSP.require", false);
+pref("security.OCSP.enabled", 0);
+pref("security.OCSP.require", false);
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
pref("security.ssl.enable_ocsp_stapling", true);
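Review bot: The comment at L271 describes HSTS priming as a feature that "allows mixed content on HTTPS pages", which reads backwards: priming sends an extra HEAD request to the HTTP host of a would-be-blocked mixed-content subresource and upgrades that load to HTTPS only if the host advertises HSTS, which is what the linked bug 1246540 covers. The privacy reason to disable it is the unprompted extra request per mixed-content host, not mixed-content permissiveness, so the rationale should say so: `// Disable HSTS priming: avoids an extra unprompted HEAD request to each mixed-content HTTP host (mixed content stays blocked either way).` Setting `security.mixed_content.use_hsts` to false at L276 additionally gives up upgrading mixed content on hosts already known to use HSTS; confirm that trade-off is intended rather than incidental.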
@@ -1024,11 +1068,14 @@ pref("security.tls.version.max", 3);
// pinning
// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning
// "2. Strict. Pinning is always enforced."
-pref("security.cert_pinning.enforcement_level", 2);
+pref("security.cert_pinning.enforcement_level", 2);
// disallow SHA-1
// https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
-//pref("security.pki.sha1_enforcement_level", 1);
+// https://hg.mozilla.org/releases/mozilla-release/rev/43c724bde81c#l3.34
+// http://www.scmagazine.com/mozilla-pulls-back-on-rejecting-sha-1-certs-outright/article/463913/
+// 0 = allow SHA-1; 1 = forbid SHA-1; 2 = allow SHA-1 only if notBefore < 2016-01-01
+pref("security.pki.sha1_enforcement_level", 1);
// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
// see also CVE-2009-3555
@@ -1105,17 +1152,17 @@ pref("security.tls.unrestricted_rc4_fallback", false);
// https://en.wikipedia.org/wiki/3des#Security
// http://en.citizendium.org/wiki/Meet-in-the-middle_attack
// http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
-pref("security.ssl3.dhe_dss_des_ede3_sha", false);
-pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
+pref("security.ssl3.dhe_dss_des_ede3_sha", false);
+pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
-pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);
+pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);
pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);
pref("security.ssl3.rsa_des_ede3_sha", false);
pref("security.ssl3.rsa_fips_des_ede3_sha", false);
// Ciphers with ECDH (without /e$/)
-pref("security.ssl3.ecdh_rsa_aes_256_sha", false);
+pref("security.ssl3.ecdh_rsa_aes_256_sha", false);
pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);
// 256 bits without PFS
@@ -1126,7 +1173,7 @@ pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);
// GCM, yes please!
-pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
+pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
// ChaCha20 and Poly1305. Supported since Firefox 47.