authorAndré Fabian Silva Delgado <emulatorman@parabola.nu>2015-10-20 14:49:07 -0300
committerAndré Fabian Silva Delgado <emulatorman@parabola.nu>2015-10-20 14:53:11 -0300
commit76c2679545efa5f03479cfd443b368e1581442d3 (patch)
tree60acc281617fc10c3816d416c5c89b60beb867ac
parentf4a348e3560774b930d0ebbddb4deea4edec7bee (diff)
iceweasel: add more privacy settings and crypto hardening
-rw-r--r--libre/iceweasel/PKGBUILD2
-rw-r--r--libre/iceweasel/vendor.js142
2 files changed, 98 insertions, 46 deletions
diff --git a/libre/iceweasel/PKGBUILD b/libre/iceweasel/PKGBUILD
index 5db8dd1b4..10b92eda7 100644
--- a/libre/iceweasel/PKGBUILD
+++ b/libre/iceweasel/PKGBUILD
@@ -61,7 +61,7 @@ sha256sums=('707d44ac9a73868c5f2fe1832945ae66b297a8b7eaee3d45a43ab767fe9447cc'
'56eba484179c7f498076f8dc603d8795e99dce8c6ea1da9736318c59d666bff6'
'2257dc69886bd0b72c48675a27c3a88b9cf6b598252c9e9f1c99763180684fc3'
'3aea6676f1e53a09673b6ae219d281fc28054beb6002b09973611c02f827651d'
- 'af4e91893aa01d5f1cbd16f48ed118b344b86bedf5d1d52e68ff19ffec03e1d6'
+ '481781aa1b4da21e58cbe88df2ca992250bf7a7cf7c79022393e4ba974fecaca'
'68e3a5b47c6d175cc95b98b069a15205f027cab83af9e075818d38610feb6213')
prepare() {
diff --git a/libre/iceweasel/vendor.js b/libre/iceweasel/vendor.js
index a32721594..b9386b559 100644
--- a/libre/iceweasel/vendor.js
+++ b/libre/iceweasel/vendor.js
@@ -11,41 +11,12 @@ pref("extensions.shownSelectionUI", true);
// Disable "alt" as a shortcut key to open full menu bar. Conflicts with "alt" as a modifier
pref("ui.key.menuAccessKeyFocuses", false);
-// Make sure that Firefox Social stuff are empty
-pref("social.whitelist", "");
-pref("social.directories", "");
-pref("social.shareDirectory", "");
-
// Disable the GeoLocation API for content
pref("geo.enabled", false);
// Make sure that the request URL of the GeoLocation backend is empty
pref("geo.wifi.uri", "");
-// Disable the least secure encryption protocols
-pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
-pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
-pref("security.ssl3.rsa_rc4_128_md5", false);
-pref("security.ssl3.rsa_rc4_128_sha", false);
-
-// Disable Sponsored Tiles
-pref("browser.newtabpage.directory.source", "data:application/json,{}");
-pref("browser.newtabpage.directory.ping", "");
-
-// Disable Firefox Hello and make sure that the request URLs of the Firefox Hello are empty
-pref("loop.enabled", false);
-pref("loop.feedback.baseUrl", "");
-pref("loop.gettingStarted.url", "");
-pref("loop.learnMoreUrl", "");
-pref("loop.legal.ToS_url", "");
-pref("loop.legal.privacy_url", "");
-pref("loop.oauth.google.redirect_uri", "");
-pref("loop.oauth.google.scope", "");
-pref("loop.server", "");
-pref("loop.soft_start_hostname", "");
-pref("loop.support_url", "");
-pref("loop.throttled2", false);
-
// Disable Pocket and make sure that the request URLs of the Pocket are empty
pref("browser.pocket.enabled", false);
pref("browser.pocket.api", "");
@@ -54,33 +25,29 @@ pref("browser.pocket.oAuthConsumerKey", "");
pref("browser.pocket.useLocaleList", false);
pref("browser.pocket.enabledLocales", "");
-// Make sure that the request URL of the Discover Apps is empty
-pref("browser.apps.URL", "");
-
// Disable Freedom Violating DRM Feature
pref("browser.eme.ui.enabled", false);
pref("media.eme.enabled", false);
pref("media.eme.apiVisible", false);
-// Avoid openh264 being downloaded.
-pref("media.gmp-manager.url.override", "data:text/plain,");
-
-// Disable openh264.
-pref("media.gmp-provider.enabled", false);
-pref("media.gmp-gmpopenh264.provider.enabled", false);
-
// Default to classic view for about:newtab
pref("browser.newtabpage.enhanced", false);
// Poodle attack
pref("security.tls.version.min", 1);
+// Don't call home for blacklisting
+pref("extensions.blocklist.enabled", false);
+
// Disable plugin installer
pref("plugins.hide_infobar_for_missing_plugin", true);
pref("plugins.hide_infobar_for_outdated_plugin", true);
pref("plugins.notifyMissingFlash", false);
-// Speeding it up
+//https://developer.mozilla.org/en-US/docs/Web/API/MediaSource
+//pref("media.mediasource.enabled",true);
+
+//Speeding it up
pref("network.http.pipelining", true);
pref("network.http.proxy.pipelining", true);
pref("network.http.pipelining.maxrequests", 10);
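Review bot: `pref("extensions.blocklist.enabled", false);` under `// Don't call home for blacklisting` stops the periodic fetch, but it also means add-ons and plugins known to be malicious or vulnerable are no longer blocked on the user's machine. In Firefox releases of this period the same channel may also have carried certificate revocation entries, which would work against the crypto hardening added later in this commit; that is worth confirming. If the pref stays off, the comment should state the cost, for example `// Privacy trade-off: no blocklist fetch, so known-bad add-ons and plugins are not blocked`.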
@@ -89,7 +56,10 @@ pref("nglayout.initialpaint.delay", 0);
// Disable third party cookies
pref("network.cookie.cookieBehavior", 1);
-// Disable app updater URL
+// Prevent EULA dialog to popup on first run
+pref("browser.EULA.override", true);
+
+// disable app updater url
pref("app.update.url", "http://127.0.0.1/");"
// Set useragent to Firefox compatible
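Review bot: The context line `pref("app.update.url", "http://127.0.0.1/");"` directly under the rewritten comment ends with a stray `"` after the semicolon as shown here, and this hunk leaves it in place. If that character is really in vendor.js, the preference parser may reject the file from that line on, in which case the crypto hardening and the other prefs added further down by this commit would not be applied. Dropping the trailing quote, `pref("app.update.url", "http://127.0.0.1/");`, and checking the resulting values in about:config on a built package would confirm the settings take effect.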
@@ -144,11 +114,47 @@ pref("plugin.state.flash", 1);
pref("browser.search.update", false);
// Warn when the page tries to redirect or refresh
//pref("accessibility.blockautorefresh", true);
+pref("dom.battery.enabled", false);
+pref("device.sensors.enabled", false);
+pref("camera.control.face_detection.enabled", false);
+pref("camera.control.autofocus_moving_callback.enabled", false);
+pref("network.http.speculative-parallel-limit", 0);
+
+// Crypto hardening
+// https://gist.github.com/haasn/69e19fc2fe0e25f3cff5
+//General settings
+pref("security.tls.unrestricted_rc4_fallback", false);
+pref("security.tls.insecure_fallback_hosts.use_static_list", false);
+pref("security.tls.version.min", 1);
+pref("security.ssl.require_safe_negotiation", true);
+pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
+pref("security.ssl3.rsa_seed_sha", true);
+pref("security.OCSP.enabled", 1);
+pref("security.OCSP.require", true);
+//Disable unnecessary protocols
+pref("security.ssl3.rsa_rc4_128_sha", false);
+pref("security.ssl3.rsa_rc4_128_md5", false);
+pref("security.ssl3.rsa_des_ede3_sha", false);
+pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
+pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
+// https://directory.fsf.org/wiki/Disable_DHE
+// Avoid logjam attack
+pref("security.ssl3.dhe_rsa_aes_128_sha", false);
+pref("security.ssl3.dhe_rsa_aes_256_sha", false);
+pref("security.ssl3.dhe_dss_aes_128_sha", false);
+pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
+//Optional
+//Perfect forward secrecy
+// pref("security.ssl3.rsa_aes_256_sha", false);
+//Force TLS 1.2
+// pref("security.tls.version.min", 3);
// Disable channel updates
pref("app.update.enabled", false);
pref("app.update.auto", false);
+pref("font.default.x-western", "sans-serif");
+
// Preferences for the Get Add-ons panel
pref ("extensions.webservice.discoverURL", "https://directory.fsf.org/wiki/GNU_IceCat");
pref ("extensions.getAddons.search.url", "https://directory.fsf.org/wiki/GNU_IceCat");
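Review bot: Under `//General settings` in the crypto-hardening block, `pref("security.ssl3.rsa_seed_sha", true);` enables a cipher suite instead of restricting one; the SEED suite uses static RSA key exchange with CBC and SHA-1, so it gives no forward secrecy, and `pref("security.ssl3.rsa_seed_sha", false);` would match the RC4, 3DES and DHE suites being turned off around it. The block also repeats `pref("security.tls.version.min", 1);`, which the file already sets under `// Poodle attack`, so one of the two can be dropped. `security.OCSP.require` set to true makes connections fail when the responder cannot be reached, which deserves a comment such as `// OCSP hard-fail: sites are unreachable if the CA's responder is down`. The five prefs from `dom.battery.enabled` to `network.http.speculative-parallel-limit` have no heading of their own and read as if they belong to the auto-refresh comment above them.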
@@ -166,10 +172,56 @@ pref("browser.webapps.checkForUpdates", 0);
pref("browser.webapps.updateCheckUrl", "http://127.0.0.1/");
pref("app.faqURL", "http://libreplanet.org/wiki/Group:IceCat/FAQ");
-// PFS URL
+// PFS url
pref("pfs.datasource.url", "http://gnuzilla.gnu.org/plugins/PluginFinderService.php?mimetype=%PLUGIN_MIMETYPE%");
pref("pfs.filehint.url", "http://gnuzilla.gnu.org/plugins/PluginFinderService.php?mimetype=%PLUGIN_MIMETYPE%");
-// https://directory.fsf.org/wiki/Disable_DHE
-pref("security.ssl3.dhe_rsa_aes_128_sha", false);
-pref("security.ssl3.dhe_rsa_aes_256_sha", false);
+// Disable Gecko media plugins: https://wiki.mozilla.org/GeckoMediaPlugins
+pref("media.gmp-manager.url", "http://127.0.0.1/");
+pref("media.gmp-manager.url.override", "data:text/plain,");
+pref("media.gmp-provider.enabled", false);
+// Don't install openh264 codec
+pref("media.gmp-gmpopenh264.enabled", false);
+
+//Disable heartbeat
+pref("browser.selfsupport.url", "");
+
+//Disable Link to FireFox Marketplace, currently loaded with non-free "apps"
+pref("browser.apps.URL", "");
+
+//Disable Firefox Hello
+pref("loop.enabled",false);
+pref("loop.feedback.baseUrl", "");
+pref("loop.gettingStarted.url", "");
+pref("loop.learnMoreUrl", "");
+pref("loop.legal.ToS_url", "");
+pref("loop.legal.privacy_url", "");
+pref("loop.oauth.google.redirect_uri", "");
+pref("loop.oauth.google.scope", "");
+pref("loop.server", "");
+pref("loop.soft_start_hostname", "");
+pref("loop.support_url", "");
+pref("loop.throttled2",false);
+
+// Use old style preferences, that allow javascript to be disabled
+pref("browser.preferences.inContent",false);
+
+// Don't download ads for the newtab page
+pref("browser.newtabpage.directory.source", "");
+pref("browser.newtabpage.directory.ping", "");
+pref("browser.newtabpage.introShown", true);
+
+// Disable home snippets
+pref("browser.aboutHomeSnippets.updateUrl", "data:text/html");
+
+// Disable hardware acceleration and WebGL
+//pref("layers.acceleration.disabled", false);
+pref("webgl.disabled", false);
+
+// Disable SSDP
+pref("browser.casting.enabled", false);
+
+//Disable directory service
+pref("social.directories", "");
+pref("social.whitelist", "");
+pref("social.shareDirectory", "");
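Review bot: `pref("webgl.disabled", false);` under `// Disable hardware acceleration and WebGL` leaves WebGL enabled, so the setting does the opposite of what its comment says, and the acceleration pref above it is commented out with the value `false` as well. If the intent is to reduce exposure to GPU driver bugs and fingerprinting, the line should read `pref("webgl.disabled", true);`; if WebGL is meant to stay on, the comment should say so. Separately, `browser.aboutHomeSnippets.updateUrl` is set to `data:text/html` without the comma a data URI requires, whereas `media.gmp-manager.url.override` in the same hunk uses `data:text/plain,`.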