Closed pyllyukko closed 2 years ago
I know it's a list of each numbered items, but quite a few are inactive for a reason (I hope people don't get the impression these are all on!). You could probably tick or look at those off straight away (I only have them in mine for completeness and to deter people turning them on from bad advice, or they don't fit our purpose yet). Then again .. it's like a Lolly Scramble, isn't it (the link: I mean the NZ/Aussie game, not that slang definition which sounds painful)
here's two I quickly spotted
Here's mine: https://github.com/ghacksuserjs/ghacks-user.js/issues/10#issue-208648006 :) I'm 8 done out of 18. How are you doing :) have fun
Just indent with two more spaces below, e.g.:
* [x] Issue
  * Note
@pyllyukko just letting you know that your last few commits are "unverified" because GitHub does not know about your new key.
> @pyllyukko just letting you know that your last few commits are "unverified" because GitHub does not know about your new key.
I know :/ It's because I created a new subkey with ED25519 curves, and it's only supported by the very latest versions of GnuPG. Last time I tried, GitHub refused to update the key with that particular subkey. Need to try it again.
Small update on the PGP issue. So in here it even states "EdDSA, except Ed25519". I queried GitHub on the issue and they said: "Ed25519 keys are likely to be supported in the future, but we don't have a timeline of when that may be."
In the meanwhile, you can check my signatures from the command line with recent enough GnuPG:
$ git log --show-signature
commit e6592f9b8c304eead1595b978f7663fcfa373532 (HEAD -> master, origin/master, origin/HEAD)
gpg: Signature made Tue 21 Feb 2017 12:17:27 AM EET
gpg: using EDDSA key 6760F995F5DD2C1A5805744C8043380FC109A370
gpg: Good signature from "pyllyukko <pyllyukko@maimed.org>" [ultimate]
Primary key fingerprint: B284 21D6 03DE 0A1D 17AE 4415 78C2 DF2D 1A17 0CC6
Subkey fingerprint: 6760 F995 F5DD 2C1A 5805 744C 8043 380F C109 A370
Author: pyllyukko <pyllyukko@maimed.org>
Date: Tue Feb 21 00:17:11 2017 +0200
security.dialog_enable_delay -> 1000
This is the default value
nvm, no one listens to me anyway
I see you're dragging the chain on the monster diff :)
Where's the rush?
pref("browser.aboutHomeSnippets.updateUrl", ""); // ghacks: "https://127.0.0.1" pyllyukko should match .. use HTTPS re MiTM re as per TBB and discussions there over this in tor tickets
? I don't get it.
And you are inconsistent with data plain text thingie - see comment ghacksuserjs/ghacks-user.js#18 (comment) - I just matched TBB. I don't think it's all that important
True.
but I think they were used as a null/zero-length string causes issues in linux? IDK
Not that I know of.
@nodiscc: I tried to mark everything from #255 as done. It would be good to double check, that I didn't miss anything.
0340: disable experiments can also be marked as done. Other than that, everything looks fine. thanks
0819: ticked off and stated that it is covered by browser.urlbar.maxRichResults - this is not true. 0819 is about browser.urlbar.oneOffSearches. FYI, browser.urlbar.maxRichResults is pretty much obsolete. It has no effect (tested for all "dropdowns" - search, history/etc) and pretty much confirmed by looking at the code.
> 0819: ticked off and stated that it is covered by browser.urlbar.maxRichResults - this is not true. 0819 is about browser.urlbar.oneOffSearches. FYI, browser.urlbar.maxRichResults is pretty much obsolete. It has no effect (tested for all "dropdowns" - search, history/etc) and pretty much confirmed by looking at the code.
My mistake. So it's browser.urlbar.autocomplete.enabled that has this covered.
0815: Shouldn't have any effect because of keyword.enabled == false
You are talking about the preference browser.urlbar.suggest.searches
This is incorrect: keyword.enabled does not control browser.urlbar.suggest.searches.
keyword.enabled -> false and browser.urlbar.suggest.searches -> true
Edit: FYI there is nothing to fix (except maybe your explanation above), browser.urlbar.suggest.searches is at false in your js.
@Thorin-Oakenpants: Thanks. Fixed it.
@nodiscc: Will do. There's actually more improvements that we should make to location bar behavior. For instance, the browser.urlbar.suggest.openpage is actually pretty useful, when you have gazillion tabs open.
I'm lost. What does that commit have to do with maxRichResults? ;)
@pyllyukko If you are suggesting browser.urlbar.suggest.openpage -> true for convenience when you have a gazillion tabs open, then you are allowing extra chances for shoulder surfers and that is not "hardening" IMO.
You also have browser.urlbar.autocomplete.enabled -> false, so this renders browser.urlbar.suggest.openpage -> true as immaterial. It's at complete odds with your current setting.
note: FYI: 0850a is browser.urlbar.autocomplete.enabled
/* 0850c: disable location bar suggestion types
* [SETTING] Options>Privacy>Location Bar>When using the location bar, suggest
* [NOTE] If you wish to enable these suggestions, make sure 0850a is at default ***/
user_pref("browser.urlbar.suggest.history", false);
user_pref("browser.urlbar.suggest.bookmark", false);
user_pref("browser.urlbar.suggest.openpage", false);
> You also have browser.urlbar.autocomplete.enabled -> false, so this renders browser.urlbar.suggest.openpage -> true as immaterial. It's at complete odds with your current setting.
Yes, I know.
> I'm lost. What does that commit have to do with maxRichResults? ;)
It's the line 7805 of the test output: Deprecated : browser.urlbar.maxRichResults.
> It's the line 7805 of the test output:
> Deprecated : browser.urlbar.maxRichResults.
Ahh .. had to fiddle with NS, uBo & uMatrix to get that part to load (I just looked at the commit listed at the top)
I assume this is your internal list of items to ignore, because clearly there are many items marked as "deprecated" that aren't, including ones in your js. I'm just pointing out that browser.urlbar.maxRichResults is actually deprecated so you can correct your js, not to ignore it (although I am not sure if it is still in ESR). At least you now know for the future.
> What does that commit have to do with maxRichResults? ;) I assume this is your internal list of items to ignore
Sorry, linking directly to line 7805 of the travis log did not work. The build script compares prefs found in user.js against prefs present in Firefox source. In latest firefox revisions this pref is no longer present (hence on line 7805 of https://travis-ci.org/pyllyukko/user.js#L7805 the script outputs Deprecated : browser.urlbar.maxRichResults)
> clearly there are many items marked as "deprecated" that aren't, including ones in your js
Are there? Which ones? Note that this is an automated comparison of user.js with the latest known Firefox source code revision (unreleased FF version), so they might still be present in a specific version. These are the URLs we use to compare against. You can set SOURCEVERSION to something else (tag names found at https://hg.mozilla.org/mozilla-central/tags) to compare with a fixed version (eg. FIREFOX_AURORA_50_BASE for Firefox 50). Maybe we are missing a Firefox source file to compare against?
browser.urlbar.suggest.openpage = true
false
as per policy to enforce the most hardened settings (in this case against shoulder surfing), but with a NOTICE: breaks tab switching from the URL bar. Then it will be easier to spot/change when wanting to tweak things for convenience. (https://github.com/pyllyukko/user.js/issues/231)
> Are there? Which ones?
Deprecated : browser.crashReports.unsubmittedCheck.enabled
Deprecated : privacy.clearOnShutdown.cache
Deprecated : privacy.clearOnShutdown.cookies
Deprecated : privacy.clearOnShutdown.downloads
Deprecated : privacy.clearOnShutdown.formdata
Deprecated : privacy.clearOnShutdown.history
Deprecated : privacy.clearOnShutdown.offlineApps
Deprecated : privacy.clearOnShutdown.passwords
Deprecated : privacy.clearOnShutdown.sessions
Deprecated : privacy.cpd.cache
Deprecated : privacy.cpd.cookies
Deprecated : privacy.cpd.downloads
Deprecated : privacy.cpd.formdata
Deprecated : privacy.cpd.history
Deprecated : privacy.cpd.offlineApps
Deprecated : privacy.cpd.sessions
Deprecated : privacy.resistFingerprinting
Deprecated : privacy.sanitize.sanitizeOnShutdown
Deprecated : privacy.sanitize.timeSpan
Do I need to list more? Something is clearly wrong if these are marked as actually deprecated by your script
ALSO: you are not taking into account hidden prefs which are not listed in these js files
> Something is clearly wrong if these are marked as actually deprecated by your script
Thanks, it appears we are missing https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/app/profile/firefox.js where these prefs are located.
https://hg.mozilla.org/mozilla-central/raw-file/$$SOURCEVERSION/browser/app/profile/firefox.js
to list of source files.
> you are not taking into account hidden prefs which are not listed in these js files
Yes, some prefs are created at runtime by Firefox itself. Fortunately most of these are covered in Mozilla unit tests prefs files, which the script also considers; but it's possible we are still missing some of them. Do you have an example of a missing preference?
I don't know of any hidden prefs that aren't in tests - all the hidden ones we're using are marked as "(hidden pref)" in the ghacks js, so you could scrape that
EDIT: 29 of them (1 in the deprecated section)
PS: this also doesn't account for legacy code: eg, yup, I'll say it again :) .. browser.urlbar.maxRichResults because it's still in the js :) .. seriously, test it (FF52+, not sure about earlier). It has no effect on the dropdown whatsoever.
Indeed preferences that are marked (hidden pref) in ghacks user.js can not be found in our copies of Firefox source files:
$ make downloadffprefs
2017-04-04 21:54:28 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/toolkit/components/telemetry/datareporting-prefs.js [717/717] -> "-" [1]
2017-04-04 21:54:30 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/toolkit/components/telemetry/healthreport-prefs.js [547/547] -> "-" [1]
2017-04-04 21:54:32 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/security-prefs.js [5802/5802] -> "-" [1]
2017-04-04 21:54:38 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/modules/libpref/init/all.js [245079/245079] -> "-" [1]
2017-04-04 21:54:42 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/testing/profiles/prefs_general.js [19377/19377] -> "-" [1]
2017-04-04 21:54:46 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-preferences.js [6579/6579] -> "-" [1]
2017-04-04 21:54:48 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/js/src/tests/user.js [1912/1912] -> "-" [1]
2017-04-04 21:54:53 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/app/profile/firefox.js [77214/77214] -> "-" [1]
$ curl --silent 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js' | grep 'hidden pref' | awk -F'"' '{print $2}' > ghacks-hidden.js
$ for line in $(cat ghacks-hidden.js); do grep "$line" sourceprefs.js >/dev/null || echo "hidden pref $line not found in Firefox source"; done
hidden pref browser.search.region not found in Firefox source
hidden pref javascript.use_us_english_locale not found in Firefox source
hidden pref toolkit.telemetry.unifiedIsOptIn not found in Firefox source
hidden pref datareporting.healthreport.service.enabled not found in Firefox source
hidden pref browser.selfsupport.enabled not found in Firefox source
hidden pref social.enabled not found in Firefox source
hidden pref services.sync.enabled not found in Firefox source
hidden pref network.dns.disablePrefetchFromHTTPS not found in Firefox source
hidden pref permissions.memory_only not found in Firefox source
hidden pref security.ssl.disable_session_identifiers not found in Firefox source
hidden pref security.nocertdb not found in Firefox source
hidden pref font.system.whitelist not found in Firefox source
hidden pref media.gmp-gmpopenh264.enabled not found in Firefox source
hidden pref dom.allow_cut_copy not found in Firefox source
hidden pref browser.tabs.remote.force-enable not found in Firefox source
hidden pref general.useragent.override not found in Firefox source
hidden pref general.buildID.override not found in Firefox source
hidden pref general.appname.override not found in Firefox source
hidden pref general.appversion.override not found in Firefox source
hidden pref general.platform.override not found in Firefox source
hidden pref general.oscpu.override not found in Firefox source
hidden pref ui.submenuDelay not found in Firefox source
hidden pref privacy.donottrackheader.value not found in Firefox source
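The comparison discussed in this thread (prefs set in user.js checked against prefs files from the Firefox source, with an ignore list for hidden and legacy prefs), written out as an added shell example that is not the project's build script. The function names, the ignore-list format and all sample file contents are constructed; the demo shows a missing source file producing a false "deprecated" result and why names are matched exactly rather than with a plain `grep "$line"`.

```shell
#!/bin/sh
# Added example: file names and all sample contents below are constructed.

# Print the unique pref names declared in the given prefs files.
# Lines starting with // (commented-out prefs) are not matched.
pref_names() {
    cat "$@" | grep -E '^[[:space:]]*(user_|sticky_)?pref\(' |
        awk -F'"' '{print $2}' | sort -u
}

# classify USERJS IGNORELIST SOURCE...
# Prints "ok NAME", "ignored NAME" or "deprecated NAME" per pref in USERJS.
# Names are compared as whole fixed strings (grep -xF): "." is not a regex
# wildcard and a longer source pref cannot mask a removed one.
classify() (
    userjs=$1 ignore=$2; shift 2
    known=$(pref_names "$@")
    ignored=$(grep -v -E '^[[:space:]]*(//|$)' "$ignore" | tr -d '", ')
    pref_names "$userjs" | while IFS= read -r name; do
        if printf '%s\n' "$known" | grep -qxF -- "$name"; then
            echo "ok $name"
        elif printf '%s\n' "$ignored" | grep -qxF -- "$name"; then
            echo "ignored $name"
        else
            echo "deprecated $name"
        fi
    done
)

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
cat > "$demo/user.js" <<'EOF'
user_pref("security.dialog_enable_delay", 1000);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("browser.urlbar.maxRichResults", 0);
user_pref("general.useragent.override", "constructed value");
// user_pref("browser.urlbar.suggest.openpage", true);
EOF
cat > "$demo/all.js" <<'EOF'
pref("security.dialog_enable_delay", 1000);
pref("browser.urlbar.maxRichResults.constructed", 1);
EOF
cat > "$demo/firefox.js" <<'EOF'
pref("privacy.sanitize.sanitizeOnShutdown", false);
EOF
cat > "$demo/ignore.list" <<'EOF'
// hidden pref: read at runtime, not declared in any prefs file
"general.useragent.override"
EOF

echo "== all.js only: prefs that live in firefox.js look deprecated =="
classify "$demo/user.js" "$demo/ignore.list" "$demo/all.js"
echo "== all.js + firefox.js =="
classify "$demo/user.js" "$demo/ignore.list" "$demo/all.js" "$demo/firefox.js"
```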
So I guess I'm not useless after all :) You owe me a :beer:
That last one hidden pref privacy.donottrackheader.value not found in Firefox source is legacy. Francois told me.
Regarding privacy.donottrackheader.value: Searching for this string on DXR reveals that:
privacy.donottrackheader.enabled, there's a check at https://dxr.mozilla.org/mozilla-central/source/browser/components/nsBrowserGlue.js#1735 which converts the legacy setting (3 possible values: don't decide, do not track me, please track me) to the new setting (2 values: don't decide, do not track me).
Blame link on DXR shows that this was added in https://hg.mozilla.org/mozilla-central/rev/9a16137bc7b4 Tue, 28 Jan 2014 09:26:16 -0800 -- Change three-state DNT back to two state and update text. (https://bugzilla.mozilla.org/show_bug.cgi?id=1042135).
ignore.list to clear any possible confusion -> #262
// Deprecated Do Not Track setting, Firefox <36, https://hg.mozilla.org/mozilla-central/rev/9a16137bc7b4
"privacy.donottrackheader.value"
> So I guess I'm not useless after all :) You owe me a :beer:
Never said you were (I think? Sorry if I sounded rude in any way, English is not my native language). Have some. :beer::beer::beer::coffee::beer::beer::beer::coffee::beer::beer::beer::coffee::beer::beer:
Same investigation method can be applied to other prefs if needed. Eg. https://dxr.mozilla.org/mozilla-central/search?q=browser.search.region&redirect=false... There are definitely some prefs that are created/checked randomly through the code (eg https://dxr.mozilla.org/mozilla-central/source/dom/base/Navigator.cpp?q=general.oscpu.override&redirect_type=single#479). We can move this to a new issue. -> Moved #261
Edit: (Note that you can run make checknotcovered to see all detected Firefox prefs that are not covered by user.js. Outdated log for reference)
Re: browser.urlbar.maxRichResults, it seems we are also missing many prefs files in https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/ and https://dxr.mozilla.org/mozilla-central/source/browser/app/profile. Thanks!
add
* https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/debugger.js
* https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/devtools.js
* https://dxr.mozilla.org/mozilla-central/source/browser/branding/unofficial/pref/firefox-branding.js
* https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/firefox-l10n.js
* https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/firefox.js
* https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/webide-prefs.js
* https://dxr.mozilla.org/mozilla-central/source/browser/app/profile/channel-prefs.js

those files are generated from:
> @pyllyukko just letting you know that your last few commits are "unverified" because GitHub does not know about your new key.
FYI: It's working again.
I don't mean to go off-topic, but I want to share with the folks here this tool I made for comparing user.js files, before [insert random asshole's name here] plagiarises it.
That's all. Keep up the good fight :+1:
> I don't mean to go off-topic, but I want to share with the folks here this tool I made for comparing user.js files
Thanks!
In the event that the link that @claustromaniac provided becomes invalid, here is the new official link to their Compare-UserJS tool:
https://github.com/claustromaniac/Compare-UserJS
Based on @Roman-Nopantski's diff: https://gist.github.com/pyllyukko/f5184fbb51b5e340f5637adee582c4d9
STARTUP
GEOLOCATION
geo.enabled
geo.wifi.* settings are not used anymore.
QUIET FOX [PART 1]
dom.ipc.plugins.reportCrashURL
browser.pocket.enabled & extensions.pocket.enabled
143
202
QUIET FOX [PART 2]
browser.safebrowsing.downloads.remote.enabled is already disabled
67 & 263f5b26cc106d1d8bdd2f57512a675a53f8b1a3
BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]
network.predictor.enabled master switch
LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc
browser.urlbar.maxRichResults
browser.urlbar.suggest.searches
browser.urlbar.autocomplete.enabled
PASSWORDS
215
CACHE
214
SSL / OCSP / CERTS / ENCRYPTION / HSTS/HPKP/HTTPS
219
FONTS
HEADERS / REFERERS
190
PLUGINS
79
MEDIA / CAMERA / MIKE
media.peerconnection.enabled master switch
216
media.getusermedia.screensharing.enabled master switch
UI MEDDLING
SERVICE WORKERS
111
154
111
DOM & JAVASCRIPT
HARDWARE FINGERPRINTING
dom.vr.enabled master switch
159
MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY
172
172
FIRST PARTY ISOLATION (PFI)
These are commented out in the ghacks version
COOKIES & DOM STORAGE
SHUTDOWN
PERSONAL SETTINGS
26.2.2017: Disabled the rest of these as these are just personal preferences and have no security/privacy impact
Deprecated
Not checking...