change 4600s into do not use, #1221

This is a draft
- merge 4700s into 4600s
- remove old numbers in the square brackets
- remove notation of when RFP kicked in (that info is in 4500s)
- since we now do not recommend this section
   - cleanup info on each release in README section
   - do away with one char flip
   - move 4616 to deprecated where it belongs
   - remove "optional if..." lines
- start cleaning up references, descriptions to shorten the section
   - will list what I removed: e.g. bugzillas to when the pref was added are a bit useless

todo / consider
- 4600 title
- 4600 section description can be a lot better
- 4600 link to wiki page on RFP (issue #1218 - that is, if RFP is not for you, then just use Canvas Blocker, which can leak but should fool naive scripts if any get thru etc)
- do we want to add dom.enable_performance_navigation_timing

while these all fit together as "covered by RFP", some of these seem out of place
- maybe we could split this into two
   - 4600: "optional without RFP" - these won't hurt RFP but they also won't help your fingerprinting - e.g. font vis, prefers-color, prefers-reduced-motion
   - 4700: "do not use EVER especially with RFP" - these will affect RFP, can break shit, etc, and won't help your fingerprinting - e.g. all the timing stuff, disabling APIs, etc
   - also, the webgl one seems a bit out of place since we disable webgl
   - we could always move some items back to their relevant sections as inactive with some sort of RFP tag/warning

I'm not sure what's the cleanest way to convey this. Anyway, pushing a PR to get some discussion going
Thorin-Oakenpants 2021-08-04 18:20:41 +00:00 committed by GitHub
parent 404d1d466a
commit 6bcf5a9e17
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

184
user.js

@ -32,14 +32,12 @@
* It is best to use the arkenfox release that is optimized for and matches your Firefox version * It is best to use the arkenfox release that is optimized for and matches your Firefox version
* EVERYONE: each release * EVERYONE: each release
- run prefsCleaner or reset deprecated prefs (9999s) and prefs made redundant by RPF (4600s) - run prefsCleaner or reset deprecated prefs (9999s)
- re-enable section 4600 if you don't use RFP
ESR78 ESR78
- If you are not using arkenfox v78... (not a definitive list) - If you are not using arkenfox v78... (not a definitive list)
- 1244: HTTPS-Only mode is enabled - 1244: HTTPS-Only mode is enabled
- 1401: document fonts is inactive as it is now covered by RFP in FF80+ - 1401: document fonts is inactive as it is now covered by RFP in FF80+
- 2626: non-native widget theme is enforced - 2626: non-native widget theme is enforced
- 4600: some prefs may apply even if you use RFP
- 9999: switch the appropriate deprecated section(s) back on - 9999: switch the appropriate deprecated section(s) back on
* INDEX: * INDEX:
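Review bot: dropping the `- re-enable section 4600 if you don't use RFP` bullet removes the only README hint that earlier releases told non-RFP users to switch the 4600s on, so those users still have the old active values persisted in prefs.js; the replacement line `- run prefsCleaner or reset deprecated prefs (9999s)` no longer mentions the 4600s at all (the old wording did, with the `RPF` typo). Suggest keeping a short clause such as `reset deprecated prefs (9999s) and any 4600s prefs you previously enabled`, so a reader who resets by hand rather than via prefsCleaner knows to cover them.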
@ -69,8 +67,7 @@
2800: SHUTDOWN 2800: SHUTDOWN
4000: FPI (FIRST PARTY ISOLATION) 4000: FPI (FIRST PARTY ISOLATION)
4500: RFP (RESIST FINGERPRINTING) 4500: RFP (RESIST FINGERPRINTING)
4600: RFP ALTERNATIVES 4600: DO NOT USE: RFP ALTERNATIVES
4700: RFP ALTERNATIVES (USER AGENT SPOOFING)
5000: PERSONAL 5000: PERSONAL
9999: DEPRECATED / REMOVED / LEGACY / RENAMED 9999: DEPRECATED / REMOVED / LEGACY / RENAMED
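Review bot: the new index title `4600: DO NOT USE: RFP ALTERNATIVES` reads either as "do not use the RFP alternatives" or as a warning against RFP itself, and the commit message already lists "4600 title" as a todo; a qualifier-after-name form such as `4600: RFP ALTERNATIVES [DO NOT USE]` matches how the other index entries are laid out and is unambiguous. Removing the `4700:` entry is consistent with the section being folded into 4600 as 4650.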
@ -1416,7 +1413,7 @@ user_pref("privacy.firstparty.isolate", true);
1217238 - reduce precision of time exposed by javascript 1217238 - reduce precision of time exposed by javascript
FF56+ FF56+
1369303 - spoof/disable performance API (see 4602, 4603) 1369303 - spoof/disable performance API (see 4602, 4603)
1333651 - spoof User Agent & Navigator API (see section 4700) 1333651 - spoof User Agent & Navigator API (see 4650)
JS: FF78+ the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 9 (FF91+ as 10), or Linux JS: FF78+ the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 9 (FF91+ as 10), or Linux
HTTP Headers: spoofed as Windows or Android HTTP Headers: spoofed as Windows or Android
1369319 - disable device sensor API (see 4604) 1369319 - disable device sensor API (see 4604)
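Review bot: only the 4700 pointer is rewritten to `(see 4650)`, but the neighbouring `(see 4602, 4603)` and `(see 4604)` pointers in the same RFP-coverage list now also lead to prefs this commit makes inactive by design, and none of the three says so; a reader of the RFP section can take them as things to turn on alongside RFP. Consider one wording for all of them, e.g. `(see 4650 - do not use)`, or a single line at the top of this list saying the referenced 46xx prefs are the ones RFP supersedes.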
@ -1502,116 +1499,81 @@ user_pref("browser.startup.blankWindow", false);
user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF] user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF]
/*** [SECTION 4600]: RFP ALTERNATIVES /*** [SECTION 4600]: RFP ALTERNATIVES
[WARNING] DO NOT USE prefs in this section with RFP as they can interfere [WARNING] DO NOT USE
These are all covered by RFP and if used can interfere
These prefs are insufficient, can cause breakage, and will make you stand out
***/ ***/
user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan"); user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan");
/* [SETUP-non-RFP] Non-RFP users replace the * with a slash on this line to enable these /* 4601: spoof number of CPU cores [FF48+] ***/
// FF55+ // user_pref("dom.maxHardwareConcurrency", 2);
// 4601: [2514] spoof number of CPU cores [FF48+] /* 4602: disable resource/navigation timing ***/
// [1] https://bugzilla.mozilla.org/1008453 // user_pref("dom.enable_resource_timing", false);
// [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21675 /* 4603: disable timing attacks
// [3] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22127 * [1] https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI ***/
// [4] https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency
user_pref("dom.maxHardwareConcurrency", 2);
// FF56+
// 4602: [2411] disable resource/navigation timing
user_pref("dom.enable_resource_timing", false);
// 4603: [2412] disable timing attacks
// [1] https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
// user_pref("dom.enable_performance", false); // user_pref("dom.enable_performance", false);
// 4604: [2512] disable device sensor API /* 4604: disable device sensor API
// Optional protection depending on your device * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15758
// [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15758 * [2] https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
// [2] https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/ * [3] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751 ***/
// [3] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751
// user_pref("device.sensors.enabled", false); // user_pref("device.sensors.enabled", false);
// 4605: [2515] disable site specific zoom /* 4605: disable site specific zoom
// Zoom levels affect screen res and are highly fingerprintable. This does not stop you using * Zoom levels affect screen res and are highly fingerprintable. This does not stop you using
// zoom, it will just not use/remember any site specific settings. Zoom levels on new tabs * zoom, it will just not use/remember any site specific settings. Zoom levels on new tabs
// and new windows are reset to default and only the current tab retains the current zoom * and new windows are reset to default and only the current tab retains the current zoom ***/
user_pref("browser.zoom.siteSpecific", false); // user_pref("browser.zoom.siteSpecific", false);
// 4606: [2501] disable gamepad API - USB device ID enumeration /* 4606: disable gamepad API - USB device ID enumeration
// Optional protection depending on your connected devices * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13023 ***/
// [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13023
// user_pref("dom.gamepad.enabled", false); // user_pref("dom.gamepad.enabled", false);
// 4607: [2503] disable giving away network info [FF31+] /* 4607: disable giving away network info [FF31+]
// e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none * e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
// [1] https://developer.mozilla.org/docs/Web/API/Network_Information_API * [1] https://developer.mozilla.org/docs/Web/API/Network_Information_API
// [2] https://wicg.github.io/netinfo/ * [2] https://wicg.github.io/netinfo/ ***/
// [3] https://bugzilla.mozilla.org/960426 // user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android]
user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android] /* 4608: disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API
// 4608: [2021] disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API * [1] https://developer.mozilla.org/docs/Web/API/Web_Speech_API
// [1] https://developer.mozilla.org/docs/Web/API/Web_Speech_API * [2] https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
// [2] https://developer.mozilla.org/docs/Web/API/SpeechSynthesis * [3] https://wiki.mozilla.org/HTML5_Speech_API ***/
// [3] https://wiki.mozilla.org/HTML5_Speech_API // user_pref("media.webspeech.synth.enabled", false);
user_pref("media.webspeech.synth.enabled", false); /* 4610: disable video statistics - JS performance fingerprinting [FF25+]
// FF57+ * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15757
// 4610: [2506] disable video statistics - JS performance fingerprinting [FF25+] * [2] https://bugzilla.mozilla.org/654550 ***/
// [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15757 // user_pref("media.video_stats.enabled", false);
// [2] https://bugzilla.mozilla.org/654550 /* 4611: disable touch events
user_pref("media.video_stats.enabled", false); * 0=disabled, 1=enabled, 2=autodetect
// 4611: [2509] disable touch events * [1] https://developer.mozilla.org/docs/Web/API/Touch_events
// fingerprinting attack vector - leaks screen res & actual screen coordinates * [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10286 ***/
// 0=disabled, 1=enabled, 2=autodetect
// Optional protection depending on your device
// [1] https://developer.mozilla.org/docs/Web/API/Touch_events
// [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10286
// user_pref("dom.w3c_touch_events.enabled", 0); // user_pref("dom.w3c_touch_events.enabled", 0);
// FF59+ /* 4612: disable media device enumeration [FF29+]
// 4612: [2505] disable media device enumeration [FF29+] * [1] https://wiki.mozilla.org/Media/getUserMedia
// [1] https://wiki.mozilla.org/Media/getUserMedia * [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices ***/
// [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices // user_pref("media.navigator.enabled", false);
user_pref("media.navigator.enabled", false); /* 4613: disable MediaDevices change detection [FF51+]
// 4613: [2511] disable MediaDevices change detection [FF51+] * [1] https://developer.mozilla.org/docs/Web/Events/devicechange
// [1] https://developer.mozilla.org/docs/Web/Events/devicechange * [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange ***/
// [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange // user_pref("media.ondevicechange.enabled", false);
user_pref("media.ondevicechange.enabled", false); /* 4614: disable WebGL debug info being available to websites
// FF60+ * [1] https://bugzilla.mozilla.org/1171228
// 4614: [2522] disable WebGL debug info being available to websites * [2] https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info ***/
// [1] https://bugzilla.mozilla.org/1171228 // user_pref("webgl.enable-debug-renderer-info", false);
// [2] https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info /* 4615: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART]
user_pref("webgl.enable-debug-renderer-info", false); * 0=no-preference, 1=reduce ***/
// FF63+ // user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF]
// 4615: enforce prefers-reduced-motion as no-preference [FF63+] [RESTART] /* 4617: disable exposure of system colors to CSS or canvas [FF44+]
// 0=no-preference, 1=reduce * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876 ***/
user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF] // user_pref("ui.use_standins_for_native_colors", true);
// FF64+ /* 4618: enforce prefers-color-scheme as light [FF67+]
// 4616: [2516] disable PointerEvents [FF86 or lower] * 0=light, 1=dark : This overrides your OS value ***/
// [1] https://developer.mozilla.org/docs/Web/API/PointerEvent //user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
// [-] https://bugzilla.mozilla.org/1688105 /* 4619: disable Web Audio API [FF51+] ***/
user_pref("dom.w3c_pointer_events.enabled", false);
// FF67+
// 4617: [2618] disable exposure of system colors to CSS or canvas [FF44+]
// [NOTE] See second listed bug: may cause black on black for elements with undefined colors
// [SETUP-CHROME] Might affect CSS in themes and extensions
// [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876
user_pref("ui.use_standins_for_native_colors", true);
// 4618: enforce prefers-color-scheme as light [FF67+]
// 0=light, 1=dark : This overrides your OS value
user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
// FF72+
// 4619: [2510] disable Web Audio API [FF51+]
// [1] https://bugzilla.mozilla.org/1288359
// user_pref("dom.webaudio.enabled", false); // user_pref("dom.webaudio.enabled", false);
// FF80+ /* 4620: limit font visibility (Windows, Mac, some Linux) [FF79+]
// 4620: limit font visibility (Windows, Mac, some Linux) [FF79+] * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1]
// Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1] * 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
// 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts * [NOTE] Bundled fonts are auto-allowed
// [NOTE] Bundled fonts are auto-allowed * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
// [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc // user_pref("layout.css.font-visibility.level", 1);
user_pref("layout.css.font-visibility.level", 1); /* 4650: navigator DOM object overrides
// ***/ * These prefs are insufficient and leak ***/
/*** [SECTION 4700]: RFP ALTERNATIVES (USER AGENT SPOOFING)
These prefs are insufficient and leak. Use RFP and **nothing else**
- Many of the user agent components can be derived by other means. When those
values differ, you provide more bits and raise entropy. Examples include
workers, iframes, headers, tcp/ip attributes, feature detection, and many more
- Web extensions also lack APIs to fully protect spoofing
***/
user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow");
/* 4701: navigator DOM object overrides
* [WARNING] DO NOT USE ***/
// user_pref("general.appname.override", ""); // [HIDDEN PREF] // user_pref("general.appname.override", ""); // [HIDDEN PREF]
// user_pref("general.appversion.override", ""); // [HIDDEN PREF] // user_pref("general.appversion.override", ""); // [HIDDEN PREF]
// user_pref("general.buildID.override", ""); // [HIDDEN PREF] // user_pref("general.buildID.override", ""); // [HIDDEN PREF]
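Review bot: `//user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]` (4618) is missing the space after `//` that every other inactive pref in this section uses; make it `// user_pref(...)` so the section stays consistent and greppable. On the substance, 4601, 4602, 4605, 4607, 4608, 4610, 4612, 4613, 4614, 4615, 4617, 4618 and 4620 flip from active-when-enabled to individually commented here while the `[SETUP-non-RFP]` one-character enable instruction goes away, which the new three-line header explains adequately; the per-pref descriptions are now uneven, though, since 4605 keeps its zoom rationale but 4611 loses its "leaks screen res & actual screen coordinates" line, so either trim 4605 to match or keep a one-line why on 4611.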
@ -1700,6 +1662,10 @@ user_pref("browser.download.hide_plugins_without_extensions", false);
// 0105d: disable Activity Stream recent Highlights in the Library [FF57+] // 0105d: disable Activity Stream recent Highlights in the Library [FF57+]
// [-] https://bugzilla.mozilla.org/1689405 // [-] https://bugzilla.mozilla.org/1689405
// user_pref("browser.library.activity-stream.enabled", false); // user_pref("browser.library.activity-stream.enabled", false);
// 4616: disable PointerEvents
// [1] https://developer.mozilla.org/docs/Web/API/PointerEvent
// [-] https://bugzilla.mozilla.org/1688105
// user_pref("dom.w3c_pointer_events.enabled", false);
// FF89 // FF89
// 0309: disable sending Flash crash reports // 0309: disable sending Flash crash reports
// [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed] // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed]
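Review bot: the moved 4616 entry drops the original `[FF86 or lower]` tag, which fits the deprecated section's convention of taking the version from the surrounding `// FFnn` heading, but only the `// FF89` heading below it is visible in this hunk; confirm the entry lands under the heading for the release in which `[-] https://bugzilla.mozilla.org/1688105` removed the pref, and not merely wherever 0105d happens to sit.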