Diffstat (limited to 'nonprism/iceweasel-hardened-preferences')
-rw-r--r-- | nonprism/iceweasel-hardened-preferences/PKGBUILD | 8 | ||||
-rw-r--r-- | nonprism/iceweasel-hardened-preferences/iceweasel-branding.js | 35 |
2 files changed, 28 insertions, 15 deletions
diff --git a/nonprism/iceweasel-hardened-preferences/PKGBUILD b/nonprism/iceweasel-hardened-preferences/PKGBUILD index e9b16e086..521611d1c 100644 --- a/nonprism/iceweasel-hardened-preferences/PKGBUILD +++ b/nonprism/iceweasel-hardened-preferences/PKGBUILD @@ -2,8 +2,8 @@ # Contributor: André Silva <emulatorman@parabola.nu> pkgname=iceweasel-hardened-preferences -pkgver=0.4 -pkgrel=2 +pkgver=0.5 +pkgrel=1 pkgdesc="Hardened preferences script which runs Iceweasel to protect from a variety of privacy, security, and fingerprinting attacks." arch=(any) license=(MPL) 
@@ -20,11 +20,11 @@ source=('firefox-branding.js' 'iceweasel-hardened.install') sha512sums=('cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e' 'd542452fa1d619d22e9c9b6e4af58d7310abdc5c81d871a1abbddb0087c53913c8a244af2b7be416a2c439383afc2480c439078ebde0ccac518300d9027b4800' - '78db378524df6278b6a3ff946305d444e5bd46032cbdc4337c22ea372322b6957925c5b9bff483d95d9bc8662885b922a7414e1c15ea358fe3f12ef738934c00' + '6c62ae49435322b6dc15ea1beede998dd479ea7bdbe0136115b0f6be7145d1cc74091915d199ee631d24bcc741975049c421baadf5a13ab456f7b71bf87b1645' 'e9baa13d50195ff5be507093c45c00bb06a77c9e633ac183ec2fd74eebb11bfc07bde334fe4455b763e8700cde146ae223578ebd8d13066739220502b6eebff6') whirlpoolsums=('19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3' 'f7cb38e58f644ddeae9f931c290ae1d96e54d0a8937171f2ebad498b65b87f2115cbd0a0f2a55e12dceba7a387e70fd2432678010a87975f8322c9c27b41efd2' - '7a432dd6db6ab9834d92703864c8b4a8ff234bfc3834a1ae4cacca6aebd60f8e88aad4959f55aa075f1ed9efa6c0cffbeaad9e4092b7980bfecfcc606a5a8fc6' + '840b2d239aeb09b15367c54facecfe9aeb7e2fc10f73e391241fe70a3963da0c69c7eeecefebf96bcd65ade1fec43de6b4113a146e08774901aceb70579716f1' '44b57bbbf8f00ffee11afc84f5ea3daedc39e59da3ee91e337c1eaad24c014caf5680eb250e25a3e046db9caaf6829c3b667693de9f040d8864be34b96300bb9') package() { diff --git a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js index 78739ebd7..687feaeed 100644 --- a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js +++ b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js 
@@ -202,7 +202,9 @@ pref("dom.indexedDB.enabled", false); // Disable gamepad input // http://www.w3.org/TR/gamepad/ pref("dom.gamepad.enabled", false); +pref("dom.gamepad.non_standard_events.enabled", false); pref("dom.gamepad.test.enabled", false); +pref("dom.gamepad.extensions.enabled", false); // Disable virtual reality devices // https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM @@ -218,6 +220,9 @@ pref("dom.vr.osvr.enabled", false); // disable notifications pref("dom.webnotifications.enabled", false); +// https://developer.mozilla.org/en-US/docs/Web/API/Notification/requireInteraction +// https://bugzilla.mozilla.org/show_bug.cgi?id=862395 +pref("dom.webnotifications.requireinteraction.enabled", false); // HTML5 privacy https://bugzilla.mozilla.org/show_bug.cgi?id=500328 pref("browser.history.allowPopState", false); @@ -669,6 +674,10 @@ pref("browser.safebrowsing.provider.mozilla.lists", "about:blank"); // https://wiki.mozilla.org/SecurityEngineering/Untrusted_Certificates_in_Windows_Child_Mode // https://hg.mozilla.org/releases/mozilla-release/file/ddb37c386bb2ffa180117b4d30ca3b41a8af233c/security/manager/ssl/nsNSSComponent.cpp#l782 pref("security.family_safety.mode", 0); +// https://bugzilla.mozilla.org/show_bug.cgi?id=1265113 +// https://hg.mozilla.org/releases/mozilla-release/rev/d9659c22b3c5 +// https://bugzilla.mozilla.org/show_bug.cgi?id=1298883 +pref("security.enterprise_roots.enabled", false); // Disable pocket // https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox 
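Review bot: In the third hunk (after `security.family_safety.mode`), the new `security.enterprise_roots.enabled` line carries three links but no statement of what the pref does, so a reader has to open Bugzilla to learn why it is pinned. I would add a one-line comment above the links, such as `// Do not import root CAs from the operating system's certificate store; trust only the bundled root list`. As far as I know the pref already defaults to false and was introduced for Windows, so pinning it here is defence in depth against a later default change or third-party software that switches it on. Saying so in the comment would keep the line from being removed later as dead configuration.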
@@ -909,9 +918,9 @@ pref("privacy.clearOnShutdown.downloads", true); pref("privacy.clearOnShutdown.formdata", true); pref("privacy.clearOnShutdown.history", true); pref("privacy.clearOnShutdown.offlineApps", true); -pref("privacy.clearOnShutdown.passwords", true); +//pref("privacy.clearOnShutdown.passwords", true); // Wipes all saved passwords, best to let the user decide. pref("privacy.clearOnShutdown.sessions", true); -pref("privacy.clearOnShutdown.siteSettings", true); +pref("privacy.clearOnShutdown.siteSettings", true); // http://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/ // Firefox will store small amounts (less than 50 MB) of data without asking for permission, unless this is set to false // https://support.mozilla.org/en-US/questions/1014708 @@ -1021,10 +1030,16 @@ pref("layout.css.visited_links_enabled", false); // http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5 pref("browser.urlbar.autocomplete.enabled", false); +// Require manual intervention to autofill known username/passwords sign-in forms // http://kb.mozillazine.org/Signon.autofillForms // https://www.torproject.org/projects/torbrowser/design/#identifier-linkability pref("signon.autofillForms", false); +// Disable the password manager for pages with autocomplete=off +// Does not prevent any kind of auto-completion (see browser.formfill.enable, signon.autofillForms) +// OWASP ASVS V9.1, https://bugzilla.mozilla.org/show_bug.cgi?id=956906 +pref("signon.storeWhenAutocompleteOff", false); + // do not check if firefox is the default browser pref("browser.shell.checkDefaultBrowser", false); 
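Review bot: In the `privacy.clearOnShutdown.*` hunk, commenting out the `passwords` line leaves the value to whatever the browser default happens to be instead of recording the package's choice. If the intent is to keep saved logins, `pref("privacy.clearOnShutdown.passwords", false); // keep saved logins; the user can opt in to wiping them` states that explicitly and survives an upstream default change. Logins that now persist across restarts live in the profile, so the comment could also point users at setting a master password. The bare URL appended to the `siteSettings` line would read better as its own comment line saying that clearing site settings is what removes stored HSTS state, which is what the linked article appears to be about.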
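Review bot: In the `signon.autofillForms` hunk, the relocated `signon.storeWhenAutocompleteOff` comment says what the pref does but not the trade-off it carries. With the value false the password manager will not offer to save credentials on any page that sets autocomplete=off, which tends to push users towards reused or simpler passwords on exactly those sites; the linked bug 956906 is, as far as I recall, where upstream moved the other way for that reason. I would add a line such as `// Trade-off: logins on autocomplete=off pages cannot be saved and must be typed every time` so the choice is visibly deliberate.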
@@ -1064,9 +1079,6 @@ pref("network.stricttransportsecurity.preloadlist", false); pref("security.mixed_content.send_hsts_priming", false); pref("security.mixed_content.use_hsts", false); -// OWASP ASVS V9.1 -// https://bugzilla.mozilla.org/show_bug.cgi?id=956906 -pref("signon.storeWhenAutocompleteOff", false); // CIS Version 1.2.0 October 21st, 2011 2.2.4 Enable Online Certificate Status Protocol // https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns @@ -1080,6 +1092,7 @@ pref("security.ssl.enable_ocsp_stapling", true); // NOTICE: this leaks information about the sites you visit to the CA. pref("security.OCSP.require", true); +// Disable TLS Session Tickets // https://www.blackhat.com/us-13/briefings.html#NextGen // https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf // https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf @@ -1090,7 +1103,7 @@ pref("security.ssl.disable_session_identifiers", true); pref("security.ssl.enable_false_start", true); pref("security.enable_tls_session_tickets", false); -// TLS 1.[012] +// TLS 1.[0-3] // http://kb.mozillazine.org/Security.tls.version.max // 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.) // 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol. 
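Review bot: The new heading `// Disable TLS Session Tickets` in the second hunk names only one of the settings that follow it: the context lines of the next hunk show `security.ssl.disable_session_identifiers` set to true and `security.ssl.enable_false_start` left enabled in the same block. A heading such as `// Disable TLS session resumption (session IDs and session tickets)` with a short reason would cover what the block actually does. The reason is that resumption state lets a server link separate connections and keeps session key material alive beyond the connection. False Start is a separate feature and deserves its own one-line comment.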
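Review bot: In the last hunk the heading now reads `TLS 1.[0-3]`, but the value legend visible below it stops at `2 = TLS 1.1`; the rest of the list is outside the hunk. If it is not already there, an entry along the lines of `// 4 = TLS 1.3 is the minimum required / maximum supported encryption protocol.` is needed for the heading to be accurate. The remark on value 1 that TLS 1.0 "is the current default for the maximum supported version" reads as stale next to a heading that advertises TLS 1.3 and should be dropped or dated.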
@@ -1205,12 +1218,12 @@ pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false); pref("security.ssl3.rsa_camellia_256_sha", false); // Ciphers with ECDHE and > 128bits -pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); -pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); +pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); // 0xc014 +pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // 0xc00a -// GCM, yes please! -pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); -pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); +// GCM, yes please! (TLSv1.2 only) +pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); // 0xc02b +pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // 0xc02f // ChaCha20 and Poly1305. Supported since Firefox 47. // https://www.mozilla.org/en-US/firefox/47.0/releasenotes/ |
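Review bot: The hex code points added in this hunk are handy for matching against a handshake capture, but the comments still do not say that the two suites under "Ciphers with ECDHE and > 128bits" are CBC-mode with HMAC-SHA1, which the pref names hide. Writing the registered name next to the code point, e.g. `// 0xc014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` and `// 0xc02b TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, makes the difference from the AEAD suites below them visible to whoever next prunes this list. "(TLSv1.2 only)" could also be tightened: these GCM suites need TLS 1.2 as a minimum, and TLS 1.3 negotiates its own suites, which, as far as I know, these `security.ssl3.*` prefs do not cover.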