Diffstat (limited to 'nonprism/iceweasel-hardened-preferences/iceweasel-branding.js')
-rw-r--r--nonprism/iceweasel-hardened-preferences/iceweasel-branding.js35
1 files changed, 24 insertions, 11 deletions
diff --git a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
index 78739ebd7..687feaeed 100644
--- a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
+++ b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
@@ -202,7 +202,9 @@ pref("dom.indexedDB.enabled", false);
// Disable gamepad input
// http://www.w3.org/TR/gamepad/
pref("dom.gamepad.enabled", false);
+pref("dom.gamepad.non_standard_events.enabled", false);
pref("dom.gamepad.test.enabled", false);
+pref("dom.gamepad.extensions.enabled", false);
// Disable virtual reality devices
// https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
@@ -218,6 +220,9 @@ pref("dom.vr.osvr.enabled", false);
// disable notifications
pref("dom.webnotifications.enabled", false);
+// https://developer.mozilla.org/en-US/docs/Web/API/Notification/requireInteraction
+// https://bugzilla.mozilla.org/show_bug.cgi?id=862395
+pref("dom.webnotifications.requireinteraction.enabled", false);
// HTML5 privacy https://bugzilla.mozilla.org/show_bug.cgi?id=500328
pref("browser.history.allowPopState", false);
@@ -669,6 +674,10 @@ pref("browser.safebrowsing.provider.mozilla.lists", "about:blank");
// https://wiki.mozilla.org/SecurityEngineering/Untrusted_Certificates_in_Windows_Child_Mode
// https://hg.mozilla.org/releases/mozilla-release/file/ddb37c386bb2ffa180117b4d30ca3b41a8af233c/security/manager/ssl/nsNSSComponent.cpp#l782
pref("security.family_safety.mode", 0);
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1265113
+// https://hg.mozilla.org/releases/mozilla-release/rev/d9659c22b3c5
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1298883
+pref("security.enterprise_roots.enabled", false);
// Disable pocket
// https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox
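Review bot: The added `security.enterprise_roots.enabled` line is explained only by three bug and changeset links, so a reader cannot tell which trust decision it pins without following them. This pref controls whether the browser also trusts CA roots taken from the operating system's certificate store, such as roots installed by an administrator or by TLS-inspecting software. I would add a comment above it such as `// Do not import CA roots from the OS certificate store; trust only the bundled root list`. If `false` is also the upstream default for the targeted release, say so in the comment, so it is clear the line exists to stop a later default change from silently widening the trust store.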
@@ -909,9 +918,9 @@ pref("privacy.clearOnShutdown.downloads", true);
pref("privacy.clearOnShutdown.formdata", true);
pref("privacy.clearOnShutdown.history", true);
pref("privacy.clearOnShutdown.offlineApps", true);
-pref("privacy.clearOnShutdown.passwords", true);
+//pref("privacy.clearOnShutdown.passwords", true); // Wipes all saved passwords, best to let the user decide.
pref("privacy.clearOnShutdown.sessions", true);
-pref("privacy.clearOnShutdown.siteSettings", true);
+pref("privacy.clearOnShutdown.siteSettings", true); // http://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/
// Firefox will store small amounts (less than 50 MB) of data without asking for permission, unless this is set to false
// https://support.mozilla.org/en-US/questions/1014708
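Review bot: Commenting out `privacy.clearOnShutdown.passwords` leaves the value to whatever the browser ships as its default, so the hardened profile no longer states what it wants for saved logins. Setting it explicitly keeps the intent visible and stable if the upstream default changes: `pref("privacy.clearOnShutdown.passwords", false); // keep saved logins; the user can opt in to wiping them`. Saved logins now persist on disk in a profile that otherwise wipes session data, so a short comment recommending a master password next to this line would help. The trailing comment on the `siteSettings` line is a bare URL; a few words on why the pref stays enabled (per the linked article, to clear stored HSTS state) would save the reader a click.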
@@ -1021,10 +1030,16 @@ pref("layout.css.visited_links_enabled", false);
// http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
pref("browser.urlbar.autocomplete.enabled", false);
+// Require manual intervention to autofill known username/passwords sign-in forms
// http://kb.mozillazine.org/Signon.autofillForms
// https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
pref("signon.autofillForms", false);
+// Disable the password manager for pages with autocomplete=off
+// Does not prevent any kind of auto-completion (see browser.formfill.enable, signon.autofillForms)
+// OWASP ASVS V9.1, https://bugzilla.mozilla.org/show_bug.cgi?id=956906
+pref("signon.storeWhenAutocompleteOff", false);
+
// do not check if firefox is the default browser
pref("browser.shell.checkDefaultBrowser", false);
@@ -1064,9 +1079,6 @@ pref("network.stricttransportsecurity.preloadlist", false);
pref("security.mixed_content.send_hsts_priming", false);
pref("security.mixed_content.use_hsts", false);
-// OWASP ASVS V9.1
-// https://bugzilla.mozilla.org/show_bug.cgi?id=956906
-pref("signon.storeWhenAutocompleteOff", false);
// CIS Version 1.2.0 October 21st, 2011 2.2.4 Enable Online Certificate Status Protocol
// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns
@@ -1080,6 +1092,7 @@ pref("security.ssl.enable_ocsp_stapling", true);
// NOTICE: this leaks information about the sites you visit to the CA.
pref("security.OCSP.require", true);
+// Disable TLS Session Tickets
// https://www.blackhat.com/us-13/briefings.html#NextGen
// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
@@ -1090,7 +1103,7 @@ pref("security.ssl.disable_session_identifiers", true);
pref("security.ssl.enable_false_start", true);
pref("security.enable_tls_session_tickets", false);
-// TLS 1.[012]
+// TLS 1.[0-3]
// http://kb.mozillazine.org/Security.tls.version.max
// 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
// 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
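Review bot: The heading now reads `// TLS 1.[0-3]`, but the value table under it is unchanged in the visible lines and still says of value 1 that TLS 1.0 is "the current default for the maximum supported version", which does not fit a range reaching TLS 1.3. The table continues past the end of this hunk, so whether a `4 = TLS 1.3` entry exists cannot be seen from here. If it does not, add `// 4 = TLS 1.3 is the minimum required / maximum supported encryption protocol.` and drop the stale default remark. The `security.tls.version.min` and `security.tls.version.max` values are also outside the hunk, so check that they match the updated heading.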
@@ -1205,12 +1218,12 @@ pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);
pref("security.ssl3.rsa_camellia_256_sha", false);
// Ciphers with ECDHE and > 128bits
-pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
-pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);
+pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); // 0xc014
+pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // 0xc00a
-// GCM, yes please!
-pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
-pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
+// GCM, yes please! (TLSv1.2 only)
+pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); // 0xc02b
+pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // 0xc02f
// ChaCha20 and Poly1305. Supported since Firefox 47.
// https://www.mozilla.org/en-US/firefox/47.0/releasenotes/