Diffstat (limited to 'nonprism/iceweasel-hardened-preferences')
-rw-r--r--nonprism/iceweasel-hardened-preferences/PKGBUILD8
-rw-r--r--nonprism/iceweasel-hardened-preferences/iceweasel-branding.js35
2 files changed, 28 insertions, 15 deletions
diff --git a/nonprism/iceweasel-hardened-preferences/PKGBUILD b/nonprism/iceweasel-hardened-preferences/PKGBUILD
index e9b16e086..521611d1c 100644
--- a/nonprism/iceweasel-hardened-preferences/PKGBUILD
+++ b/nonprism/iceweasel-hardened-preferences/PKGBUILD
@@ -2,8 +2,8 @@
# Contributor: André Silva <emulatorman@parabola.nu>
pkgname=iceweasel-hardened-preferences
-pkgver=0.4
-pkgrel=2
+pkgver=0.5
+pkgrel=1
pkgdesc="Hardened preferences script which runs Iceweasel to protect from a variety of privacy, security, and fingerprinting attacks."
arch=(any)
license=(MPL)
@@ -20,11 +20,11 @@ source=('firefox-branding.js'
'iceweasel-hardened.install')
sha512sums=('cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e'
'd542452fa1d619d22e9c9b6e4af58d7310abdc5c81d871a1abbddb0087c53913c8a244af2b7be416a2c439383afc2480c439078ebde0ccac518300d9027b4800'
- '78db378524df6278b6a3ff946305d444e5bd46032cbdc4337c22ea372322b6957925c5b9bff483d95d9bc8662885b922a7414e1c15ea358fe3f12ef738934c00'
+ '6c62ae49435322b6dc15ea1beede998dd479ea7bdbe0136115b0f6be7145d1cc74091915d199ee631d24bcc741975049c421baadf5a13ab456f7b71bf87b1645'
'e9baa13d50195ff5be507093c45c00bb06a77c9e633ac183ec2fd74eebb11bfc07bde334fe4455b763e8700cde146ae223578ebd8d13066739220502b6eebff6')
whirlpoolsums=('19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3'
'f7cb38e58f644ddeae9f931c290ae1d96e54d0a8937171f2ebad498b65b87f2115cbd0a0f2a55e12dceba7a387e70fd2432678010a87975f8322c9c27b41efd2'
- '7a432dd6db6ab9834d92703864c8b4a8ff234bfc3834a1ae4cacca6aebd60f8e88aad4959f55aa075f1ed9efa6c0cffbeaad9e4092b7980bfecfcc606a5a8fc6'
+ '840b2d239aeb09b15367c54facecfe9aeb7e2fc10f73e391241fe70a3963da0c69c7eeecefebf96bcd65ade1fec43de6b4113a146e08774901aceb70579716f1'
'44b57bbbf8f00ffee11afc84f5ea3daedc39e59da3ee91e337c1eaad24c014caf5680eb250e25a3e046db9caaf6829c3b667693de9f040d8864be34b96300bb9')
package() {
diff --git a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
index 78739ebd7..687feaeed 100644
--- a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
+++ b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js
@@ -202,7 +202,9 @@ pref("dom.indexedDB.enabled", false);
// Disable gamepad input
// http://www.w3.org/TR/gamepad/
pref("dom.gamepad.enabled", false);
+pref("dom.gamepad.non_standard_events.enabled", false);
pref("dom.gamepad.test.enabled", false);
+pref("dom.gamepad.extensions.enabled", false);
// Disable virtual reality devices
// https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM
@@ -218,6 +220,9 @@ pref("dom.vr.osvr.enabled", false);
// disable notifications
pref("dom.webnotifications.enabled", false);
+// https://developer.mozilla.org/en-US/docs/Web/API/Notification/requireInteraction
+// https://bugzilla.mozilla.org/show_bug.cgi?id=862395
+pref("dom.webnotifications.requireinteraction.enabled", false);
// HTML5 privacy https://bugzilla.mozilla.org/show_bug.cgi?id=500328
pref("browser.history.allowPopState", false);
@@ -669,6 +674,10 @@ pref("browser.safebrowsing.provider.mozilla.lists", "about:blank");
// https://wiki.mozilla.org/SecurityEngineering/Untrusted_Certificates_in_Windows_Child_Mode
// https://hg.mozilla.org/releases/mozilla-release/file/ddb37c386bb2ffa180117b4d30ca3b41a8af233c/security/manager/ssl/nsNSSComponent.cpp#l782
pref("security.family_safety.mode", 0);
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1265113
+// https://hg.mozilla.org/releases/mozilla-release/rev/d9659c22b3c5
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1298883
+pref("security.enterprise_roots.enabled", false);
// Disable pocket
// https://support.mozilla.org/en-US/kb/save-web-pages-later-pocket-firefox
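Review bot: The added `security.enterprise_roots.enabled` line is documented only by three bare URLs, so a reader cannot tell what is being switched off without following them. A one-line summary above the links would fix that, for example `// Do not import and trust root CAs from the operating system's certificate store`. Stating the intent would also show why it sits directly under `security.family_safety.mode`, which appears (from the linked wiki page title) to deal with the same class of locally installed roots.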
@@ -909,9 +918,9 @@ pref("privacy.clearOnShutdown.downloads", true);
pref("privacy.clearOnShutdown.formdata", true);
pref("privacy.clearOnShutdown.history", true);
pref("privacy.clearOnShutdown.offlineApps", true);
-pref("privacy.clearOnShutdown.passwords", true);
+//pref("privacy.clearOnShutdown.passwords", true); // Wipes all saved passwords, best to let the user decide.
pref("privacy.clearOnShutdown.sessions", true);
-pref("privacy.clearOnShutdown.siteSettings", true);
+pref("privacy.clearOnShutdown.siteSettings", true); // http://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/
// Firefox will store small amounts (less than 50 MB) of data without asking for permission, unless this is set to false
// https://support.mozilla.org/en-US/questions/1014708
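Review bot: The new trailing comment on `privacy.clearOnShutdown.siteSettings` cites HSTS tracking as the reason but does not record the cost of that choice. Clearing site settings at shutdown also discards the HSTS entries the browser has learned, and this file sets `network.stricttransportsecurity.preloadlist` to false (visible as context in the later hunk at -1064), so the first plain-HTTP request to a site in each session is presumably not upgraded. I would put the link on its own line above the pref and add `// NOTE: also drops learned HSTS state; with the preload list disabled, first visits each session get no HSTS protection`. Separately, the commented-out `//pref("privacy.clearOnShutdown.passwords", true);` could be replaced by a plain sentence, so the file does not carry disabled code.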
@@ -1021,10 +1030,16 @@ pref("layout.css.visited_links_enabled", false);
// http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5
pref("browser.urlbar.autocomplete.enabled", false);
+// Require manual intervention to autofill known username/passwords sign-in forms
// http://kb.mozillazine.org/Signon.autofillForms
// https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
pref("signon.autofillForms", false);
+// Disable the password manager for pages with autocomplete=off
+// Does not prevent any kind of auto-completion (see browser.formfill.enable, signon.autofillForms)
+// OWASP ASVS V9.1, https://bugzilla.mozilla.org/show_bug.cgi?id=956906
+pref("signon.storeWhenAutocompleteOff", false);
+
// do not check if firefox is the default browser
pref("browser.shell.checkDefaultBrowser", false);
@@ -1064,9 +1079,6 @@ pref("network.stricttransportsecurity.preloadlist", false);
pref("security.mixed_content.send_hsts_priming", false);
pref("security.mixed_content.use_hsts", false);
-// OWASP ASVS V9.1
-// https://bugzilla.mozilla.org/show_bug.cgi?id=956906
-pref("signon.storeWhenAutocompleteOff", false);
// CIS Version 1.2.0 October 21st, 2011 2.2.4 Enable Online Certificate Status Protocol
// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns
@@ -1080,6 +1092,7 @@ pref("security.ssl.enable_ocsp_stapling", true);
// NOTICE: this leaks information about the sites you visit to the CA.
pref("security.OCSP.require", true);
+// Disable TLS Session Tickets
// https://www.blackhat.com/us-13/briefings.html#NextGen
// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
@@ -1090,7 +1103,7 @@ pref("security.ssl.disable_session_identifiers", true);
pref("security.ssl.enable_false_start", true);
pref("security.enable_tls_session_tickets", false);
-// TLS 1.[012]
+// TLS 1.[0-3]
// http://kb.mozillazine.org/Security.tls.version.max
// 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
// 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
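Review bot: The heading now reads `TLS 1.[0-3]`, but the value legend beneath it is untouched: the `1 =` line still calls TLS 1.0 "the current default for the maximum supported version", and this hunk adds no `4 = TLS 1.3` entry. The legend continues past the end of the hunk, so this may already be covered there. If it is not, add `// 4 = TLS 1.3 is the minimum required / maximum supported encryption protocol.` and drop the stale default remark, because anyone picking `security.tls.version.min` / `security.tls.version.max` values reads this table.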
@@ -1205,12 +1218,12 @@ pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);
pref("security.ssl3.rsa_camellia_256_sha", false);
// Ciphers with ECDHE and > 128bits
-pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
-pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);
+pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); // 0xc014
+pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // 0xc00a
-// GCM, yes please!
-pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
-pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
+// GCM, yes please! (TLSv1.2 only)
+pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); // 0xc02b
+pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // 0xc02f
// ChaCha20 and Poly1305. Supported since Firefox 47.
// https://www.mozilla.org/en-US/firefox/47.0/releasenotes/
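Review bot: The GCM pair gains a `(TLSv1.2 only)` annotation, but the two AES-256 lines above it get only their hex ids, and the heading `Ciphers with ECDHE and > 128bits` says nothing about the mode. Going by the pref names, 0xc014 and 0xc00a are the CBC suites with a SHA-1 MAC, which is the property a reader auditing this list cares about. Extending the heading would make that explicit: `// Ciphers with ECDHE and > 128bits (CBC mode, SHA-1 MAC; kept for peers without TLS 1.2)`.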