开源软件名称: pyllyukko/user.js开源软件地址: https://github.com/pyllyukko/user.js开源编程语言:
JavaScript
83.0%
开源软件介绍: Firefox configuration hardening
A user.js configuration file for Mozilla Firefox designed to harden browser settings and make it more secure.
This is a default template with every possible hardening measure enforced. See the relaxed branch for a variant providing more usability
Limit the possibilities to track the user through web analytics .
Harden the browser against known data disclosure or code execution vulnerabilities.
Limit the browser from storing anything even remotely sensitive persistently.
Make sure the browser doesn't reveal too much information to shoulder surfers .
Harden the browser's encryption (cipher suites, protocols).
Limit possibilities to uniquely identify the browser/device using browser fingerprinting .
Hopefully limit the attack surface by disabling various features.
Still be usable in daily use.
There are several parts to all this and they are:
Different download methods are available:
Clone using git: git clone https://github.com/pyllyukko/user.js
Download and extract the ZIP file containing the latest version.
Download the latest user.js directly
Do note that these settings alter your browser behaviour quite a bit, so it is recommended to either create a completely new profile for Firefox or backup your existing profile directory before putting the user.js file in place.
To enable the Profile Manager, run Firefox with command-line arguments : firefox --no-remote -P
Copy user.js in your current user profile directory, or (recommended) to a fresh, newly created Firefox profile directory.
The file should be located at:
OS
Path
Windows 7
%APPDATA%\Mozilla\Firefox\Profiles\XXXXXXXX.your_profile_name\user.js
Linux
~/.mozilla/firefox/XXXXXXXX.your_profile_name/user.js
OS X
~/Library/Application Support/Firefox/Profiles/XXXXXXXX.your_profile_name
Android
/data/data/org.mozilla.firefox/files/mozilla/XXXXXXXX.your_profile_name and see issue #14
Sailfish OS + Alien Dalvik
/opt/alien/data/data/org.mozilla.firefox/files/mozilla/XXXXXXXX.your_profile_name
Windows (portable)
[firefox directory]\Data\profile\
With this installation method, if you change any of user.js settings through about:configuser.js defined values after you restart Firefox. This makes sure they're always back to secure defaults when starting the browser. However this prevents persistently changing settings you don't consider appropriate. Either edit user.js directly, or use the system-wide installation method described below.
Generate a file suitable for system-wide installation, by running make with one of the following targets:
systemwide_user.js: (the value will be used as default value for all Firefox Profiles where it is not explicitly set, it can be changed in about:config and is kept across browser sessions)locked_user.js: (the value will be used as default value on Firefox profile creation, will be locked and can't be changed) in user.js or in Firefox's about:config or settings.debian_locked.js: Debian specific. Users are not able to override preferences. See #415 .
Copy the produced file to the Firefox installation directory. The file should be located at:
OS
Path
Windows
C:\Program Files (x86)\Mozilla Firefox\mozilla.cfg
Linux
/etc/firefox/syspref.js, for older versions: /etc/firefox/firefox.js
Linux (Debian)
/etc/firefox-esr/firefox-esr.js
Linux (Gentoo, Archlinux)
/usr/lib/firefox/mozilla.cfg, might also be /usr/lib32/ or /usr/lib64/
OS X
/Applications/Firefox.app/Contents/Resources/mozilla.cfg
Create local-settings.js in Firefox installation directory, with the following contents:
pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");
This file should be located at:
OS
Path
Windows
C:\Program Files (x86)\Mozilla Firefox\defaults\pref\
OS X
/Applications/Firefox.app/Contents/Resources/defaults/pref
Linux (Gentoo, Archlinux)
/usr/lib/firefox/defaults/pref/, might also be /usr/lib32/ or /usr/lib64/
If mozilla.cfg still fails to load, you must add a blank comment to the top of mozilla.cfg like so:
For any of the above methods, you can keep your browser's user.js with the latest version available here: Clone the repository, and create a symbolic link from the appropriate location to the user.js file in the repository. Just run git pull in the repository when you want to update, then restart Firefox:
cd ~/.mozilla/firefox
git clone 'https://github.com/pyllyukko/user.js.git'
cd XXXXXXXX.your_profile_name
ln -s ../user.js/user.js user.js
Verify that the settings are effective from about:support (check the "Important Modified Preferences" and "user.js Preferences" sections).
There's a whole lot of settings that this modifies and they are divided in the following sections.
Some of the settings in this user.js file might seem redundant, as some of them are already set to the same values by default. We chose to explicitely set their values, which ensures these settings are enforced if a future Firefox update changes the default value.
HTML5 / APIs / DOM related settings. Mozilla is keen to implement every new HTML5 feature, which have had unforeseen security or privacy implications. This section disables many of those new and yet to be proven technologies.
Disable Service Workers [ 1 2 3 ]
Disable web notifications [ 1 ]
Disable DOM timing API [ 1 2 ]
Disable resource timing API [ 1 ]
Make sure the User Timing API does not provide a new high resolution timestamp [ 1 2 ]
Disable Web Audio API [ 1 ]
Disable Location-Aware Browsing (geolocation) [ 1 ]
When geolocation is enabled, use Mozilla geolocation service instead of Google [ 1 ]
When geolocation is enabled, don't log geolocation requests to the console
Disable raw TCP socket support (mozTCPSocket) [ 1 2 3 ]
Disable leaking network/browser connection information via Javascript
Disable network API (Firefox < 32) [ 1 2 ]
Disable WebRTC entirely to prevent leaking internal IP addresses (Firefox < 42)
Don't reveal your internal IP when WebRTC is enabled (Firefox >= 42) [ 1 2 ]
Disable WebRTC getUserMedia, screen sharing, audio capture, video capture [ 1 2 3 ]
Disable battery API (Firefox < 52) [ 1 2 ]
Disable telephony API [ 1 ]
Disable "beacon" asynchronous HTTP transfers (used for analytics) [ 1 ]
Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
Disable "copy to clipboard" functionality via Javascript (Firefox >= 41)
Disable speech recognition [ 1 2 3 ]
Disable speech synthesis [ 1 ]
Disable sensor API [ 1 ]
Disable pinging URIs specified in HTML ping= attributes [ 1 ]
When browser pings are enabled, only allow pinging the same host as the origin page [ 1 ]
Disable gamepad API to prevent USB device enumeration [ 1 2 ]
Disable virtual reality devices APIs [ 1 2 ]
Disable vibrator API
Disable Archive API (Firefox < 54) [ 1 2 ]
Disable webGL [ 1 2 ]
When webGL is enabled, use the minimum capability mode
When webGL is enabled, disable webGL extensions [ 1 ]
When webGL is enabled, force enabling it even when layer acceleration is not supported [ 1 ]
When webGL is enabled, do not expose information about the graphics driver [ 1 2 ]
Spoof dual-core CPU [ 1 2 ]
Disable WebAssembly [ 1 2 3 ]
Settings that do not belong to other sections or are user specific preferences.
Disable face detection
Disable GeoIP lookup on your address to set default search engine region [ 1 2 ]
Set Accept-Language HTTP header to en-US regardless of Firefox localization [ 1 ]
Don't use OS values to determine locale, force using Firefox locale setting [ 1 ]
Don't use Mozilla-provided location-specific search engines
Do not automatically send selection to clipboard on some Linux platforms [ 1 ]
Prevent leaking application locale/date format using JavaScript [ 1 2 ]
Do not submit invalid URIs entered in the address bar to the default search engine [ 1 ]
Don't trim HTTP off of URLs in the address bar. [ 1 ]
Don't try to guess domain names when entering an invalid domain name in URL bar [ 1 ]
When browser.fixup.alternate.enabled is enabled, strip password from 'user:password@...' URLs [ 1 ]
Send DNS request through SOCKS when SOCKS proxying is in use [ 1 ]
Don't monitor OS online/offline connection state [ 1 ]
Enforce Mixed Active Content Blocking [ 1 2 3 ]
Enforce Mixed Passive Content blocking (a.k.a. Mixed Display Content)
Disable JAR from opening Unsafe File Types [ 1 ]
Set File URI Origin Policy [ 1 ]
Disable Displaying Javascript in History URLs [ 1 ]
Disable asm.js [ 1 2 3 4 ]
Disable SVG in OpenType fonts [ 1 2 ]
Disable video stats to reduce fingerprinting threat [ 1 2 3 ]
Don't reveal build ID
Don't use document specified fonts to prevent installed font enumeration (fingerprinting) [ 1 2 3 ]
Enable only whitelisted URL protocol handlers [ 1 2 3 4 5 6 ]
Harden preferences related to external plugins
Ensure you have a security delay when installing add-ons (milliseconds) [ 1 2 ]
Require signatures [ 1 ]
Opt-out of add-on metadata updates [ 1 ]
Opt-out of themes (Persona) updates [ 1 ]
Disable Flash Player NPAPI plugin [ 1 ]
Disable Java NPAPI plugin
Disable sending Flash Player crash reports
When Flash crash reports are enabled, don't send the visited URL in the crash report
When Flash is enabled, download and use Mozilla SWF URIs blocklist [ 1 2 ]
Disable Gnome Shell Integration NPAPI plugin
Enable plugins click-to-play [ 1 2 ]
Updates addons automatically [ 1 ]
Enable add-on and certificate blocklists (OneCRL) from Mozilla [ 1 2 3 4 5 ]
Decrease system information leakage to Mozilla blocklist update servers [ 1 ]
Disable system add-on updates (hidden & always-enabled add-ons from Mozilla) [ 1 2 3 4 ]
Disable Firefox integrated metrics/reporting/experiments, disable potentially insecure/invasive/undesirable features
Disable Extension recommendations (Firefox >= 65) [ 1 ]
Disable WebIDE [ 1 2 ]
Disable remote debugging [ 1 2 ]
Disable Mozilla telemetry/experiments [ 1 2 3 4 5 6 7 8 9 10 ]
Disallow Necko to do A/B testing [ 1 ]
Disable sending Firefox crash reports to Mozilla servers [ 1 2 3 4 ]
Disable sending reports of tab crashes to Mozilla (about:tabcrashed), don't nag user about unsent crash reports [ 1 ]
Disable FlyWeb (discovery of LAN/proximity IoT devices that expose a Web interface) [ 1 2 3 4 ]
Disable the UITour backend [ 1 ]
Enable Firefox Tracking Protection [ 1 2 3 4 5 ]
Enable contextual identity Containers feature (Firefox >= 52)
Enable Firefox's anti-fingerprinting mode ("resist fingerprinting" or RFP) (Tor Uplift project) [ 1 2 3 ]
disable mozAddonManager Web API [FF57+] [ 1 2 3 4 5 ]
disable showing about:blank/maximized window as soon as possible during startup [FF60+] [ 1 ]
Disable the built-in PDF viewer [ 1 2 3 ]
Disable collection/sending of the health report (healthreport.sqlite*) [ 1 2 ]
Disable Shield/Heartbeat/Normandy (Mozilla user rating telemetry) [ 1 2 3 4 5 6 7 ]
Disable Firefox Hello metrics collection [ 1 ]
Enforce checking for Firefox updates [ 1 ]
Enable blocking reported web forgeries [ 1 2 3 4 ]
Enable blocking reported attack sites [ 1 ]
Disable querying Google Application Reputation database for downloaded binary files [ 1 2 ]
Disable Pocket [ 1 2 ]
Disable "Recommended by Pocket" in Firefox Quantum
Prevents the browser from auto-connecting to some Mozilla services, and from predictively opening connections to websites during browsing.
Disable prefetching of URLs [ 1 2 ]
Disable DNS prefetching [ 1 2 ]
Disable the predictive service (Necko) [ 1 ]
Reject .onion hostnames before passing the to DNS [ 1 ]
Disable search suggestions in the search bar [ 1 ]
Disable "Show search suggestions in location bar results"
When using the location bar, don't suggest URLs from browsing history
Disable Firefox Suggest [ 1 2 ]
Disable SSDP [ 1 ]
Disable automatic downloading of OpenH264 codec [ 1 2 ]
Disable speculative pre-connections [ 1 2 ]
Disable downloading homepage snippets/messages from Mozilla [ 1 2 ]
Never check updates for search engines [ 1 ]
Disable automatic captive portal detection (Firefox >= 52.0) [ 1 ]
HTTP protocol related entries. This affects cookies, the user agent, referer and others.
Disallow NTLMv1 [ 1 ]
Enable CSP 1.1 script-nonce directive support [ 1 ]
Enable Content Security Policy (CSP) [ 1 2 ]
Enable Subresource Integrity [ 1 2 ]
Don't send referer headers when following links across different domains [ 1 2 3 ]
Accept Only 1st Party Cookies [ 1 ]
Enable first-party isolation [ 1 2 3 ]
Make sure that third-party cookies (if enabled) never persist beyond the session. [ 1 2 3 ]
Enable and configure private browsing mode, don't store information locally during the browsing session
Permanently enable private browsing mode [ 1 2 ]
Do not download URLs for the offline cache [ 1 ]
Clear history when Firefox closes [ 1 ]
Set time range to "Everything" as default in "Clear Recent History"
Clear everything but "Site Preferences" in "Clear Recent History"
Don't remember browsing history
Disable disk cache [ 1 ]
Disable Caching of SSL Pages
Disable download history
Disable password manager (use an external password manager!)
Disable form autofill, don't save information entered in web page forms and the Search Bar
Cookies expires at the end of the session (when the browser closes) [ 1 ]
Require manual intervention to autofill known username/passwords sign-in forms [ 1 2 ]
Disable formless login capture [ 1 ]
When username/password autofill is enabled, still disable it on non-HTTPS sites [ 1 ]
Show in-content login form warning UI for insecure login fields [ 1 ]
Delete Search and Form History
Clear SSL Form Session Data [ 1 ]
Delete temporary files on exit [ 1 ]
Do not create screenshots of visited pages (relates to the "new tab page" feature) [ 1 2 ]
Don't fetch and permanently store favicons for Windows .URL shortcuts created by drag and drop
Disable bookmarks backups (default: 15) [ 1 ]
Disable downloading of favicons in response to favicon fingerprinting techniques [ 1 2 3 ]
Improve visibility of security-related elements, mitigate shoulder-surfing
Enable insecure password warnings (login forms in non-HTTPS pages) [ 1 2 3 ]
Disable "Are you sure you want to leave this page?" popups on page close [ 1 ]
Disable Downloading on Desktop
Always ask the user where to download [ 1 ]
Disable the "new tab page" feature and show a blank tab instead [ 1 2 ]
Disable Snippets [ 1 2 ]
Disable Activity Stream [ 1 ]
Disable new tab tile ads & preload [ 1 2 3 4 5 ]
Enable Auto Notification of Outdated Plugins (Firefox < 50) [ 1 ]
Force Punycode for Internationalized Domain Names [ 1 2 3 4 5 ]
Disable inline autocomplete in URL bar [ 1 ]
Disable CSS :visited selectors [ 1 2 ]
Disable URL bar autocomplete and history/bookmarks suggestions dropdown [ 1 ]
Do not check if Firefox is the default browser
When password manager is enabled, lock the password storage periodically
Lock the password storage every 1 minutes (default: 30)
Display a notification bar when websites offer data for offline use [ 1 ]
TLS protocol related settings
Enable HTTPS-Only Mode [ 1 2 ]
Enable HSTS preload list (pre-set HSTS sites list provided by Mozilla) [ 1 2 3 ]
Enable Online Certificate Status Protocol [ 1 2 3 4 5 6 7 8 ]
Enable OCSP Stapling support [ 1 2 3 ]
Enable OCSP Must-Staple support (Firefox >= 45) [ 1 2 3 ]
Require a valid OCSP response for OCSP enabled certificates [ 1 ]
Disable TLS Session Tickets [ 1 2 3 4 5 ]
Only allow TLS 1.[2-3] [ 1 ]
Disable insecure TLS version fallback [ 1 2 ]
Enforce Public Key Pinning [ 1 2 ]
Disallow SHA-1 [ 1 2 ]
Warn the user when server doesn't support RFC 5746 ("safe" renegotiation) [ 1 2 ]
Disable automatic reporting of TLS connection errors [ 1 ]
Pre-populate the current URL but do not pre-fetch the certificate in the "Add Security Exception" dialog [ 1 2 ]
Encrypted SNI (when TRR is enabled) [ 1 2 3 ]
客服电话
APP下载
官方微信
