-rw-r--r-- | nonprism/iceweasel-hardened-preferences/PKGBUILD | 8 | ||||
-rw-r--r-- | nonprism/iceweasel-hardened-preferences/iceweasel-branding.js | 143 |
2 files changed, 99 insertions, 52 deletions
diff --git a/nonprism/iceweasel-hardened-preferences/PKGBUILD b/nonprism/iceweasel-hardened-preferences/PKGBUILD index 13d59d58b..97296d4db 100644 --- a/nonprism/iceweasel-hardened-preferences/PKGBUILD +++ b/nonprism/iceweasel-hardened-preferences/PKGBUILD @@ -2,8 +2,8 @@ # Contributor: André Silva <emulatorman@parabola.nu> pkgname=iceweasel-hardened-preferences -pkgver=0.2 -pkgrel=2 +pkgver=0.3 +pkgrel=1 pkgdesc="Hardened preferences script which runs Iceweasel to protect from a variety of privacy, security, and fingerprinting attacks." arch=(any) license=(MPL) 
@@ -20,11 +20,11 @@ source=('firefox-branding.js' 'iceweasel-hardened.install') sha512sums=('cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e' 'd542452fa1d619d22e9c9b6e4af58d7310abdc5c81d871a1abbddb0087c53913c8a244af2b7be416a2c439383afc2480c439078ebde0ccac518300d9027b4800' -'ba20f29fa176795a664168dbc05e2a28fa34c82d5a7606cee6f12d30dbc49fe0280d95da0eaf1fa3f7f52fcd341da1bd546de4cd055acd79056c8eeee97317b5' +'b5e36db1b8934358c5477b32c7d4c5e990bdf22066cc2382f6a9b9992b21704518a60a5e1710cf3722290a9a1d7af87d0930d5ceab2624503a7545cebd8a6085' 'e9baa13d50195ff5be507093c45c00bb06a77c9e633ac183ec2fd74eebb11bfc07bde334fe4455b763e8700cde146ae223578ebd8d13066739220502b6eebff6') whirlpoolsums=('19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3' 'f7cb38e58f644ddeae9f931c290ae1d96e54d0a8937171f2ebad498b65b87f2115cbd0a0f2a55e12dceba7a387e70fd2432678010a87975f8322c9c27b41efd2' -'e4316359d1350a0f32753923d6e20c8e998d7c7379b7dd10e62f1962d96f1bd4711755e5dc6631aa9616215da61331193b1bc66b38aa0c5a24e87bc1d214a63a' +'fb08d3dc1c264714c8f20389fb0201b7e9917e0499890821baa3cc38c3b698bc83f63bb8d6522362032e86366dd92fd89e66f8742777892b8d4de150bc8158dc' '44b57bbbf8f00ffee11afc84f5ea3daedc39e59da3ee91e337c1eaad24c014caf5680eb250e25a3e046db9caaf6829c3b667693de9f040d8864be34b96300bb9') package() { diff --git a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js index a264a0e08..a8cbabf0c 100644 --- a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js +++ b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js 
@@ -64,14 +64,25 @@ pref("dom.push.maxQuotaPerSubscription", 0); pref("services.push.enabled", false); pref("services.push.serverURL", ""); +// Make sure DOM "beforeunload" is off, caches user pages in bfcache and tries to stop user from closing page. +// https://developer.mozilla.org/en-US/docs/Web/Events/beforeunload +pref("dom.disable_beforeunload", true); +pref("dom.require_user_interaction_for_beforeunload", false); + // Disable Kinto Cloud // Note: Pref may change name in future release // https://bugzilla.mozilla.org/show_bug.cgi?id=1266235#c2 -pref("services.kinto.base", ""); +// https://hg.mozilla.org/releases/mozilla-release/file/c1de04f39fa956cfce83f6065b0e709369215ed5/services/common/kinto-updater.js +pref("services.kinto.base", "data:application/json,{}"); +pref("services.kinto.changes.path", ""); // Disable MDNS (Supposedly only for Android but is in Desktop version also) // https://hg.mozilla.org/releases/mozilla-beta/file/00bcc10b3bdc/dom/presentation/provider/MulticastDNSDeviceProvider.cpp#l18 pref("dom.presentation.discovery.enabled", false); +// https://bugzilla.mozilla.org/show_bug.cgi?id=1278205 +pref("dom.presentation.controller.enabled", false); +pref("dom.presentation.receiver.enabled", false); +pref("dom.presentation.tcp_server.debug", false); pref("dom.presentation.discoverable", false); pref("dom.presentation.discovery.legacy.enabled", false); @@ -79,6 +90,9 @@ pref("dom.presentation.discovery.legacy.enabled", false); // http://dev.w3.org/html5/webstorage/#dom-localstorage // you can also see this with Panopticlick's "DOM localStorage" pref("dom.storage.enabled", false); +// https://developer.mozilla.org/en-US/docs/Web/API/Storage_API +// https://storage.spec.whatwg.org/ +pref("dom.storageManager.enabled", false); // Whether JS can get information about the network/browser connection // Network Information API provides general information about the system's connection type (WiFi, cellular, etc.) 
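Review bot: The `services.kinto.base` line swaps the empty string for `data:application/json,{}` without saying why, so a later auditor cannot tell whether `""` still produced a request or merely errored; add a why-comment beside it, e.g. `// "" is not enough here: give the updater an inert data: URL so it loads an empty document instead of contacting a server` (confirm against the linked kinto-updater.js). The beforeunload comment reads as if `dom.disable_beforeunload` itself caches pages and blocks closing; I would reword it to `// Disable the "beforeunload" event: pages use it to keep the user from leaving, and a handler keeps the page out of bfcache`. `dom.presentation.tcp_server.debug` looks from its name like a logging toggle rather than a feature switch, so it adds nothing to the presentation kill-switches around it; either note that or drop the line.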
@@ -91,7 +105,12 @@ pref("dom.network.enabled", false); // Disable Web Audio API // https://bugzil.la/1288359 -pref("dom.webaudio.enabled", false); +pref("dom.webaudio.enabled", false); + +// Audio Recording API (Currently only used by WebRTC) +// https://hg.mozilla.org/releases/mozilla-beta/file/00bcc10b3bdc/dom/media/MediaManager.cpp#l1942 +pref("media.getusermedia.noise_enabled", false); +pref("media.getusermedia.audiocapture.enabled", false); // Audio_data is deprecated in future releases, but still present // in FF24. This is a dangerous combination (spotted by iSec) @@ -102,6 +121,14 @@ pref("media.audio_data.enabled", false); pref("media.autoplay.enabled", false); pref("noscript.forbidMedia", true); +// Disable Device Change API (FF 52+) +// https://developer.mozilla.org/en-US/docs/Web/Events/devicechange +// https://bugzilla.mozilla.org/show_bug.cgi?id=1152383 +// https://hg.mozilla.org/releases/mozilla-release/file/a67a1682be8f0327435aaa2f417154330eff0017/dom/webidl/MediaDevices.webidl#l15 +pref("media.ondevicechange.enabled", false); +// https://hg.mozilla.org/releases/mozilla-release/rev/5022a33fd3e9 +pref("media.ondevicechange.fakeDeviceChangeEvent.enabled", false); + // Don't reveal your internal IP // Check the settings with: http://net.ipcalf.com/ // https://wiki.mozilla.org/Media/WebRTC/Privacy 
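Review bot: `media.getusermedia.noise_enabled` reads like the noise-suppression toggle applied to an already-captured stream rather than a switch over whether a page may capture audio at all, so the "Audio Recording API" comment above it overstates what the line achieves; if the intent is to block microphone capture, `media.navigator.enabled` is the pref that gates getUserMedia, and the comment should say which of the two is meant. Separately, the `dom.webaudio.enabled` line is removed and re-added with identical text, which is a whitespace-only change; the same churn appears in the VR hunk at -168, the OCSP lines at -992, the pinning line at -1024 and the cipher lines at -1105 and -1126, and it buries the real changes in a security-sensitive file. I would keep whitespace fixes in a separate commit.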
@@ -168,12 +195,15 @@ pref("dom.gamepad.test.enabled", false); // Disable virtual reality devices // https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM -pref("dom.vr.enabled", false); +pref("dom.vr.enabled", false); pref("dom.vr.cardboard.enabled", false); -pref("dom.vr.oculus.enabled", false); -pref("dom.vr.oculus050.enabled", false); -pref("dom.vr.poseprediction.enabled", false); +pref("dom.vr.oculus.enabled", false); +pref("dom.vr.oculus050.enabled", false); +pref("dom.vr.poseprediction.enabled", false); +pref("dom.vr.openvr.enabled", false); +// https://hg.mozilla.org/releases/mozilla-release/file/970d0cf1c5d9/modules/libpref/init/all.js#l4778 pref("dom.vr.add-test-devices", 0); +pref("dom.vr.osvr.enabled", false); // disable notifications pref("dom.webnotifications.enabled", false); @@ -245,7 +275,7 @@ pref("pointer-lock-api.prefixed.enabled", false); // Disable website autorefresh, user can still proceed with warning pref("accessibility.blockautorefresh", true); pref("browser.meta_refresh_when_inactive.disabled", true); -pref("noscript.forbidMetaRefresh", true); +pref("noscript.forbidMetaRefresh", true); // NoScript ignores this preference? // Disable face detection by default @@ -279,6 +309,11 @@ pref("network.proxy.type", 0); // Protect TOR ports pref("network.security.ports.banned", "9050,9051,9150,9151"); +// Make sure proxy-autoconfig is off to prevent MiTM. +// https://bugzilla.mozilla.org/show_bug.cgi?id=1255474 +// https://hg.mozilla.org/releases/mozilla-release/rev/5139b0dd7acc +pref("network.proxy.autoconfig_url.include_path", false); + // https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers pref("network.proxy.socks_remote_dns", true); 
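Review bot: `// NoScript ignores this preference?` leaves the reader unsure whether `noscript.forbidMetaRefresh` does anything at all, and the same trailing question mark is added to `noscript.ABE.wanIpAsLocal` at -655. State what was observed, e.g. `// Observed: NoScript <version> does not honour this pref; kept because accessibility.blockautorefresh above already covers the case`, or drop the line rather than leaving the doubt in the file.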
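Review bot: The comment `Make sure proxy-autoconfig is off to prevent MiTM` overstates what `network.proxy.autoconfig_url.include_path` does: as I read bug 1255474, the pref only controls whether the path and query of an https URL are handed to a PAC script, while PAC itself is disabled by the `network.proxy.type` 0 shown in the hunk header. I would reword to `// If a PAC script is ever enabled, do not pass it the path/query of https URLs (bug 1255474); PAC is already off via network.proxy.type above.` so nobody reads this line as the proxy kill switch.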
@@ -417,8 +452,14 @@ pref("extensions.getAddons.get.url", "about:blank"); pref("extensions.getAddons.getWithPerformance.url", "about:blank"); pref("extensions.getAddons.recommended.url", "about:blank"); pref("services.settings.server", ""); -// If blocklist downloads, we want it to be signed. +// If blocklist still downloads, we want it to be signed. pref("services.blocklist.signing.enforced", true); +// Firefox 49: https://hg.mozilla.org/releases/mozilla-release/rev/c6c57d394549 +// https://hg.mozilla.org/releases/mozilla-release/file/c6c57d394549/toolkit/mozapps/extensions/nsBlocklistService.js#l633 +pref("services.blocklist.update_enabled", false); +// https://hg.mozilla.org/releases/mozilla-release/file/c6c57d394549/services/common/blocklist-updater.js +pref("services.settings.server", "data:application/json,{\"data\":[]}"); +pref("services.blocklist.changes.path", ""); // Disable Freedom Violating DRM Feature // https://bugzilla.mozilla.org/show_bug.cgi?id=1144903#c8 @@ -427,7 +468,15 @@ pref("media.eme.enabled", false); pref("browser.eme.ui.enabled", false); pref("media.gmp-eme-adobe.enabled", false); -// Fingerprints the user, not HTTPS. Remove it. +// Google Widevine DRM +// https://blog.mozilla.org/futurereleases/2016/04/08/mozilla-to-test-widevine-cdm-in-firefox-nightly/ +// https://wiki.mozilla.org/QA/Widevine_CDM +// https://bugzilla.mozilla.org/show_bug.cgi?id=1288580 +pref("media.gmp-widevinecdm.visible", false); +pref("media.gmp-widevinecdm.enabled", false); +pref("media.gmp-widevinecdm.autoupdate", false); + +// Fingerprints the user, does not use HTTPS. Remove it. pref("pfs.datasource.url", "about:blank"); pref("pfs.filehint.url", "about:blank"); 
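Review bot: `services.settings.server` is now set twice in this hunk: the context line `pref("services.settings.server", "");` survives a few lines above the new `pref("services.settings.server", "data:application/json,{\"data\":[]}");`, and since the later call wins, the first line is dead and contradicts the second. Delete the earlier line or change it in place, and as with `services.kinto.base` at -64 add a why-comment saying that an empty string was not enough to stop the updater (confirm against the linked blocklist-updater.js).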
@@ -515,6 +564,7 @@ pref("datareporting.policy.dataSubmissionEnabled", false); pref("datareporting.healthreport.about.reportUrl", "about:blank"); pref("datareporting.healthreport.documentServerURI", "about:blank"); pref("datareporting.policy.firstRunTime", 0); +pref("datareporting.policy.firstRunURL", ""); // Disable new tab tile ads & preload // http://www.thewindowsclub.com/disable-remove-ad-tiles-from-firefox @@ -542,6 +592,13 @@ pref("loop.logDomains", false); pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); pref("browser.tabs.crashReporting.sendReport", false); pref("breakpad.reportURL", "about:blank"); +// https://bugzilla.mozilla.org/show_bug.cgi?id=1287178 +// https://hg.mozilla.org/releases/mozilla-release/file/a67a1682be8f0327435aaa2f417154330eff0017/browser/modules/ContentCrashHandlers.jsm#l383 +pref("browser.crashReports.unsubmittedCheck.enabled", false); +// https://hg.mozilla.org/releases/mozilla-release/rev/c94848691f8a +pref("browser.crashReports.unsubmittedCheck.autoSubmit", false); +// https://hg.mozilla.org/releases/mozilla-release/file/a67a1682be8f0327435aaa2f417154330eff0017/browser/modules/ContentCrashHandlers.jsm#l511 +pref("browser.crashReports.unsubmittedCheck.chancesUntilSuppress", 0); // Disable Slow Startup Notifications pref("browser.slowStartup.maxSamples", 0); 
@@ -588,11 +645,11 @@ pref("browser.safebrowsing.provider.google.lists", ""); // https://bugzilla.mozilla.org/show_bug.cgi?id=1025965 pref("browser.safebrowsing.phishing.enabled", false); -pref("browser.safebrowsing.provider.google4.lists", ""); -pref("browser.safebrowsing.provider.google4.updateURL", ""); -pref("browser.safebrowsing.provider.google4.gethashURL", ""); -pref("browser.safebrowsing.provider.google4.reportURL", ""); -pref("browser.safebrowsing.provider.mozilla.lists", ""); +pref("browser.safebrowsing.provider.google4.lists", "about:blank"); +pref("browser.safebrowsing.provider.google4.updateURL", "about:blank"); +pref("browser.safebrowsing.provider.google4.gethashURL", "about:blank"); +pref("browser.safebrowsing.provider.google4.reportURL", "about:blank"); +pref("browser.safebrowsing.provider.mozilla.lists", "about:blank"); // Disable Microsoft Family Safety MiTM support // https://bugzilla.mozilla.org/show_bug.cgi?id=1239166 
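Review bot: The two `.lists` prefs should not take `about:blank`: judging by their names and their `.updateURL`/`.gethashURL` siblings, `browser.safebrowsing.provider.google4.lists` and `browser.safebrowsing.provider.mozilla.lists` hold comma-separated table names, not URLs, so `about:blank` there becomes a bogus table name rather than a disabled endpoint. Keep them empty, `pref("browser.safebrowsing.provider.google4.lists", "");` and `pref("browser.safebrowsing.provider.mozilla.lists", "");`, and use `about:blank` only for the URL prefs. The hunk also gives no reason for the `""` → `about:blank` switch on the URLs; a one-line comment saying what `""` did wrong would keep the next maintainer from reverting it.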
@@ -614,29 +671,6 @@ pref("browser.pocket.site", "about:blank"); pref("browser.pocket.useLocaleList", false); pref("browser.toolbarbuttons.introduced.pocket-button", true); -// Disable Hello (Soon to be removed upstream finally!) -pref("loop.copy.throttler", "about:blank"); -pref("loop.enabled",false); -pref("loop.facebook.appId", "about:blank"); -pref("loop.facebook.enabled", false); -pref("loop.facebook.fallbackUrl", "about:blank"); -pref("loop.facebook.shareUrl", "about:blank"); -pref("loop.feedback.baseUrl", "about:blank"); -pref("loop.feedback.formURL", "about:blank"); -pref("loop.feedback.manualFormURL", "about:blank"); -pref("loop.gettingStarted.url", "about:blank"); -pref("loop.learnMoreUrl", "about:blank"); -pref("loop.legal.ToS_url", "about:blank"); -pref("loop.legal.privacy_url", "about:blank"); -pref("loop.linkClicker.url", "about:blank"); -pref("loop.oauth.google.redirect_uri", "about:blank"); -pref("loop.oauth.google.scope", "about:blank"); -pref("loop.remote.autostart", false); -pref("loop.server", "about:blank"); -pref("loop.soft_start_hostname", "about:blank"); -pref("loop.support_url", "about:blank"); -pref("loop.throttled2", false); - // Disable Social pref("social.directories", ""); pref("social.enabled", false); @@ -655,7 +689,7 @@ pref("browser.snippets.updateUrl", "about:blank"); // Disable WAN IP leaks pref("captivedetect.canonicalURL", "about:blank"); -pref("noscript.ABE.wanIpAsLocal", false); +pref("noscript.ABE.wanIpAsLocal", false); // NoScript ignores this preference? // Disable Default Protocol Handlers, always warn user instead pref("network.protocol-handler.external-default", false); 
@@ -721,6 +755,7 @@ pref("browser.casting.enabled", false); // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities // http://andreasgal.com/2014/10/14/openh264-now-in-firefox/ pref("media.gmp-gmpopenh264.enabled", false); +pref("media.peerconnection.video.h264_enabled", false); // Disable Gecko media plugins: https://wiki.mozilla.org/GeckoMediaPlugins pref("media.gmp-manager.url", ""); pref("media.gmp-manager.url.override", "data:text/plain"); @@ -921,7 +956,7 @@ pref("browser.pagethumbnails.capturing_disabled", true); //pref("dom.event.contextmenu.enabled", false); // Don't promote sync -pref("browser.syncPromoViewsLeftMap", "{\"addons\":0, \"passwords\":0, \"bookmarks\":0}"); +pref("browser.syncPromoViewsLeftMap", "{\"addons\":0,\"bookmarks\":0,\"passwords\":0}"); // CIS 2.3.2 Disable Downloading on Desktop pref("browser.download.folderList", 2); @@ -975,6 +1010,8 @@ pref("browser.shell.checkDefaultBrowser", false); // CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage pref("security.ask_for_password", 0); +// https://bugzilla.mozilla.org/show_bug.cgi?id=1166947 +pref("signon.formlessCapture.enabled", false); // Bug 9881: Open popups in new tabs (to avoid fullscreen popups) pref("browser.link.open_newwindow.restriction", 0); 
@@ -992,10 +1029,17 @@ pref("security.insecure_field_warning.contextual.enabled", true); // https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List pref("network.stricttransportsecurity.preloadlist", false); +// Disable HSTS Priming, a beta feature rarely used that allows mixed content on HTTPS pages. +// https://wicg.github.io/hsts-priming/ +// https://bugzilla.mozilla.org/show_bug.cgi?id=1246540#c145 +// https://hg.mozilla.org/releases/mozilla-release/rev/d7d42cef7968 +pref("security.mixed_content.send_hsts_priming", false); +pref("security.mixed_content.use_hsts", false); + // CIS Version 1.2.0 October 21st, 2011 2.2.4 Enable Online Certificate Status Protocol // https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns -pref("security.OCSP.enabled", 0); -pref("security.OCSP.require", false); +pref("security.OCSP.enabled", 0); +pref("security.OCSP.require", false); // https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ pref("security.ssl.enable_ocsp_stapling", true); @@ -1024,11 +1068,14 @@ pref("security.tls.version.max", 3); // pinning // https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning // "2. Strict. Pinning is always enforced." -pref("security.cert_pinning.enforcement_level", 2); +pref("security.cert_pinning.enforcement_level", 2); // disallow SHA-1 // https://bugzilla.mozilla.org/show_bug.cgi?id=1302140 -//pref("security.pki.sha1_enforcement_level", 1); +// https://hg.mozilla.org/releases/mozilla-release/rev/43c724bde81c#l3.34 +// http://www.scmagazine.com/mozilla-pulls-back-on-rejecting-sha-1-certs-outright/article/463913/ +// 0 = allow SHA-1; 1 = forbid SHA-1; 2 = allow SHA-1 only if notBefore < 2016-01-01 +pref("security.pki.sha1_enforcement_level", 1); // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken // see also CVE-2009-3555 
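Review bot: The comment describes HSTS priming as a feature that "allows mixed content on HTTPS pages", but as I read the linked WICG draft, priming sends an extra request to the host of a mixed-content subresource to check for HSTS so the load can be upgraded instead of blocked; the reason to turn it off is that extra connection, not a mixed-content permission. I would reword to `// Disable HSTS priming: before blocking mixed content Firefox would first send a priming request to the http host, an extra connection the page should not be able to cause` and say in one clause what `security.mixed_content.use_hsts` false changes (mixed content stays blocked rather than being upgraded, if I read the pref name right).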
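Review bot: Level 1 for `security.pki.sha1_enforcement_level` forbids SHA-1 for every chain, including ones ending in a root the user imported, so a deployment that relies on a private CA still issuing SHA-1 certificates will fail TLS with no prefs-level escape; as I read the Firefox source, level 3 is the mode that forbids SHA-1 only under publicly trusted roots, and level 2 is by now treated as forbidden rather than as a pre-2016 allowance, so the level table in the comment is worth re-checking against the linked revision. I would extend the comment with `// 3 = forbid SHA-1 for publicly trusted CAs, allow under user-imported roots (verify against the rev above)` and state that 1 is chosen over 3 deliberately.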
@@ -1105,17 +1152,17 @@ pref("security.tls.unrestricted_rc4_fallback", false); // https://en.wikipedia.org/wiki/3des#Security // http://en.citizendium.org/wiki/Meet-in-the-middle_attack // http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html -pref("security.ssl3.dhe_dss_des_ede3_sha", false); -pref("security.ssl3.dhe_rsa_des_ede3_sha", false); +pref("security.ssl3.dhe_dss_des_ede3_sha", false); +pref("security.ssl3.dhe_rsa_des_ede3_sha", false); pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false); pref("security.ssl3.ecdh_rsa_des_ede3_sha", false); -pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false); +pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false); pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false); pref("security.ssl3.rsa_des_ede3_sha", false); pref("security.ssl3.rsa_fips_des_ede3_sha", false); // Ciphers with ECDH (without /e$/) -pref("security.ssl3.ecdh_rsa_aes_256_sha", false); +pref("security.ssl3.ecdh_rsa_aes_256_sha", false); pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false); // 256 bits without PFS @@ -1126,7 +1173,7 @@ pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // GCM, yes please! -pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); +pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // ChaCha20 and Poly1305. Supported since Firefox 47. |