--- /dev/null
+/* Certificates and trust */
+
+/* Disable OCSP, which checks for certificate revocation by sending
+ * your browser history to a third-party. I think this leaves stapling
+ * enabled, which is what we should be using anyway. Not that I believe
+ * in the CA infrastructure to begin with!
+ *
+ * WARNING: of all the preferences set in this file, this one is likely
+ * the most controversial.
+ *
+ * References:
+ *
+ * 1. https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
+ * 2. https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
+ *
+ */
+user_pref("security.OCSP.enabled", 0);
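Review bot: The comment on `security.OCSP.enabled` only guesses that stapling stays on ("I think this leaves stapling enabled"), and nothing in the new file pins it. Stapling is controlled by a separate preference, so adding `user_pref("security.ssl.enable_ocsp_stapling", true);` next to this line would make the intent explicit and keep it independent of the browser default. The comment should also state the cost: with OCSP fetching off, a revoked certificate served without a stapled response is not caught by this check, so revocation then depends on whatever other mechanisms the installed browser version provides.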
--- /dev/null
+/* Cookie policy */
+
+
+/* Isolate cookies (and a bunch of other stuff) to their own domain.
+ *
+ * References:
+ *
+ * 1. https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks
+ * 2. https://www.ctrl.blog/entry/firefox-fpi
+ */
+user_pref("privacy.firstparty.isolate", true);
+
+
+/* Accept cookies only from the originating site.
+ *
+ * References:
+ *
+ * 1. http://kb.mozillazine.org/Network.cookie.cookieBehavior
+ *
+ */
+user_pref("network.cookie.cookieBehavior", 1);
+
+
+/* Delete all cookies after my session has expired.
+ *
+ * References:
+ *
+ * 1. http://kb.mozillazine.org/Network.cookie.lifetimePolicy
+ *
+ */
+user_pref("network.cookie.lifetimePolicy", 2);
+
+
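Review bot: The comment above `privacy.firstparty.isolate` ("and a bunch of other stuff") does not say what is isolated or what it costs. Suggest `/* Key cookies, cache and other site storage to the top-level site; cross-site sign-in flows may break. */`. Beside `network.cookie.lifetimePolicy` it would help to spell out that the value 2 means session-only cookies. It is also worth checking that the targeted Firefox release still honours that preference, since the only reference is an old MozillaZine page.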
--- /dev/null
+/* Referer obfuscation */
+
+
+/* Only send the "referer" header when I _do_ something.
+ *
+ * References:
+ *
+ * 1. https://wiki.mozilla.org/Security/Referrer
+ *
+ */
+user_pref("network.http.sendRefererHeader", 1);
+
+
+/* Don't send the "referer" header for cross-domain requests.
+ *
+ * References:
+ *
+ * 1. https://wiki.mozilla.org/Security/Referrer
+ *
+ */
+user_pref("network.http.referer.XOriginPolicy", 1);
+
+
+/* Don't send the querystring across origins (that is, to subdomains,
+ * since XOriginPolicy is set to "1" above).
+ *
+ * References:
+ *
+ * 1. https://wiki.mozilla.org/Security/Referrer
+ *
+ */
+user_pref("network.http.referer.XOriginTrimmingPolicy", 1);
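Review bot: The comment on `network.http.sendRefererHeader` ("when I _do_ something") does not tell the reader what the value 1 selects. Suggest `/* 1 = send Referer only for clicked links, not for embedded resources such as images (0 = never, 2 = always). */`. The two policy prefs below it would benefit from the same treatment: `XOriginPolicy` 1 sends the header cross-origin only when the base domains match, and `XOriginTrimmingPolicy` 1 strips the query string, leaving scheme, host, port and path. Sites that validate Referer as a CSRF defence may reject some requests under these settings, which deserves a line in the file's header comment.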
--- /dev/null
+/* Disabling speculative fetching */
+
+
+/* Disable speculative DNS queries.
+ *
+ * References:
+ *
+ * 1. http://kb.mozillazine.org/Network.dns.disablePrefetch
+ */
+user_pref("network.dns.disablePrefetch", true);
+
+
+/* Disable speculative HTTP requests.
+ *
+ * References:
+ *
+ * 1. http://kb.mozillazine.org/Network.prefetch-next
+ *
+ */
+user_pref("network.prefetch-next", false);
+
+
+/* Disable speculation while I'm typing a URL.
+ *
+ * References:
+ *
+ * 1. https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks
+ */
+user_pref("browser.urlbar.speculativeConnect.enabled", false);
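Review bot: The comment "Disable speculative HTTP requests" on `network.prefetch-next` overstates what that pref covers; it stops link prefetching only. Connections opened on link hover and by the network predictor are governed by separate preferences, so a file titled "Disabling speculative fetching" probably also wants `user_pref("network.http.speculative-parallel-limit", 0);` and `user_pref("network.predictor.enabled", false);`. If they are left out on purpose, narrow the comment to `/* Disable <link rel="prefetch"> fetching. */` so the remaining exposure is visible.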
--- /dev/null
+/* Tracking protection */
+
+
+/* Don't notify servers when I leave a webpage.
+ *
+ * References:
+ *
+ * 1. https://bugzilla.mozilla.org/show_bug.cgi?id=1387745
+ *
+ */
+user_pref("beacon.enabled", false);
+
+
+/* Don't let websites query the battery status of my PC.
+ * This should now be disabled... but let's turn it off
+ * again, just in case.
+ *
+ * References:
+ *
+ * 1. https://bugzilla.mozilla.org/show_bug.cgi?id=1387745
+ * 2. https://bugzilla.mozilla.org/show_bug.cgi?id=1313580
+ * 3. https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks
+ */
+user_pref("dom.battery.enabled", false);
+
+
+/* Don't allow websites to spy on my copy/paste actions.
+ *
+ * References:
+ *
+ * 1. https://bugzilla.mozilla.org/show_bug.cgi?id=1387745
+ * 2. https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
+ * 3. https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks
+ */
+user_pref("dom.event.clipboardevents.enabled", false);
+
+
+/* Disable WebRTC. I don't need a web browser to chat, thanks.
+ *
+ * References:
+ *
+ * 1. https://restoreprivacy.com/webrtc-leaks/
+ * 2. https://wiki.mozilla.org/Media/WebRTC/Privacy
+ */
+user_pref("media.peerconnection.enabled", false);
+
+
+/* Don't allow websites to snoop on my webcam or microphone.
+ *
+ * References:
+ *
+ * 1. https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks
+ * 2. https://wiki.mozilla.org/Media/getUserMedia
+ */
+user_pref("media.navigator.enabled", false);
+
+
+/* Disable geolocation. Websites shouldn't know where I am,
+ * and neither should Google (whose API is used to track me).
+ *
+ * References:
+ *
+ * 1. http://www.mozilla.com/en-US/firefox/geolocation/
+ * 2. https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks
+ *
+ */
+user_pref("geo.enabled", false);
+
+
+/* Disable WebGL. I actually don't need websites to be able to
+ * directly access my video hardware.
+ *
+ * References:
+ *
+ * 1. https://www.contextis.com/en/blog/webgl-a-new-dimension-for-browser-exploitation
+ *
+ */
+user_pref("webgl.disabled", true);
\ No newline at end of file
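Review bot: The file is headed "Tracking protection", but none of the prefs it sets turns on Firefox's own tracking protection; they disable individual web APIs. Either add `user_pref("privacy.trackingprotection.enabled", true);` or retitle the header to something like `/* Web API exposure */`, so a reader does not assume the blocklist feature is on. The comment on `dom.event.clipboardevents.enabled` should mention that turning it off also breaks copy/paste handling in web-based editors. The beacon, battery and clipboard comments all cite bug 1387745 as their first reference, which looks like a copy-paste and is worth confirming.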
--- /dev/null
+/* User-interface tweaks */
+
+
+/* Don't do anything when I start the browser unless I say so.
+ *
+ * References:
+ *
+ * 1. http://kb.mozillazine.org/Browser.startup.homepage
+ */
+user_pref("browser.startup.homepage", "about:blank");
+
+
+/* Don't hide important information in the URL bar
+ *
+ * References:
+ *
+ * 1. https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/browser.urlbar.trimURLs
+ *
+ */
+user_pref("browser.urlbar.trimURLs", false);
+
+
+/* Don't allow unicode trickery in the URL bar.
+ *
+ * References:
+ *
+ * 1. http://kb.mozillazine.org/Network.IDN_show_punycode
+ * 2. https://ma.ttias.be/show-idn-punycode-firefox-avoid-phishing-urls/
+ *
+ */
+user_pref("network.IDN_show_punycode", true);
+
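Review bot: Setting `browser.startup.homepage` to `about:blank` only does what the comment describes while the startup mode is "show home page", and that mode is a separate preference. Pinning `user_pref("browser.startup.page", 0);` alongside it makes "don't do anything when I start the browser" hold regardless of that setting. The comment on `browser.urlbar.trimURLs` could also say what is otherwise hidden, e.g. `/* Show the full URL, including the http:// scheme, in the URL bar. */`.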