[tbb-commits] [tor-browser/tor-browser-91.2.0esr-11.0-1] squash! TB4: Tor Browser's Firefox preference overrides.
sysrqb at torproject.org
sysrqb at torproject.org
Tue Nov 2 20:20:45 UTC 2021
commit 1559973d238a958aad947367881c0678cda4dbb9
Author: Matthew Finkel <sysrqb at torproject.org>
Date: Mon Nov 1 16:28:22 2021 +0000
squash! TB4: Tor Browser's Firefox preference overrides.
Bug 40177: Update prefs for Fx91esr
---
browser/app/profile/000-tor-browser.js | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/browser/app/profile/000-tor-browser.js b/browser/app/profile/000-tor-browser.js
index 0952a3ad5cfc..ed8c4c8c80dd 100644
--- a/browser/app/profile/000-tor-browser.js
+++ b/browser/app/profile/000-tor-browser.js
@@ -53,6 +53,9 @@ pref("permissions.memory_only", true);
pref("network.cookie.lifetimePolicy", 2);
pref("security.nocertdb", true);
+// Enabled LSNG
+pref("dom.storage.next_gen", true);
+
// Disk activity: TBB Directory Isolation
pref("browser.download.useDownloadDir", false);
pref("browser.shell.checkDefaultBrowser", false);
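Review bot: The new comment `// Enabled LSNG` above `pref("dom.storage.next_gen", true);` neither expands the acronym nor says why the pref belongs with the disk-avoidance settings around it, and it cites no ticket. Something like `// Enable LocalStorage NextGen (LSNG), see Bug <ticket-number>` plus one clause of rationale would let a later audit judge whether the setting is still needed. The same missing ticket reference applies to the new comments for `dom.postMessage.sharedArrayBuffer.withCOOP_COEP`, the `dom.textMetrics.*` group, `extensions.postDownloadThirdPartyPrompt` and `security.osclientcerts.autoload` in later hunks. Other additions in this commit (40083, 40463, 40548, 40342) do cite one.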
@@ -119,11 +122,12 @@ pref("privacy.annotate_channels.strict_list.enabled", false);
// Disable the Pocket extension (Bug #18886 and #31602)
pref("extensions.pocket.enabled", false);
-pref("network.http.referer.hideOnionSource", true);
// Disable use of WiFi location information
pref("browser.region.network.scan", false);
pref("browser.region.network.url", "");
+// Bug 40083: Make sure Region.jsm fetching is disabled
+pref("browser.region.update.enabled", false);
// Don't load Mozilla domains in a separate tab process
pref("browser.tabs.remote.separatedMozillaDomains", "");
@@ -177,6 +181,8 @@ pref("dom.w3c_pointer_events.enabled", false);
pref("dom.vr.enabled", false); // Bug 21607: Disable WebVR for now
// Disable randomised Firefox HTTP cache decay user test groups (Bug: 13575)
pref("security.webauth.webauthn", false); // Bug 26614: Disable Web Authentication API for now
+// Disable SAB, no matter if the sites are cross-origin isolated.
+pref("dom.postMessage.sharedArrayBuffer.withCOOP_COEP", false);
// Disable intermediate preloading (Bug 30682)
pref("security.remote_settings.intermediates.enabled", false);
// Bug 2874: Block Components.interfaces from content
@@ -190,8 +196,17 @@ pref("privacy.resistFingerprinting.letterboxing", true);
pref("dom.netinfo.enabled", false);
pref("network.http.referer.defaultPolicy", 2); // Bug 32948: Make referer behavior consistent regardless of private browing mode status
pref("media.videocontrols.picture-in-picture.enabled", false); // Bug 40148: disable until audited in #40147
+pref("network.http.referer.hideOnionSource", true);
+// Bug 40463: Disable Windows SSO
+pref("network.http.windows-sso.enabled", false);
// Bug 40383: Disable new PerformanceEventTiming
pref("dom.enable_event_timing", false);
+// Disable API for measuring text width and height.
+pref("dom.textMetrics.actualBoundingBox.enabled", false);
+pref("dom.textMetrics.baselines.enabled", false);
+pref("dom.textMetrics.emHeight.enabled", false);
+pref("dom.textMetrics.fontBoundingBox.enabled", false);
+pref("pdfjs.enableScripting", false);
// Third party stuff
pref("privacy.firstparty.isolate", true); // Always enforce first party isolation
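Review bot: `pref("pdfjs.enableScripting", false);` is added directly under `// Disable API for measuring text width and height.`, so it reads as part of the textMetrics group although it controls something unrelated. Give it its own comment, e.g. `// Disable execution of JavaScript embedded in PDF documents (pdf.js scripting)`, ideally with the ticket that motivated it. The moved `network.http.referer.hideOnionSource` line also has no comment at its new position. A short one stating that it keeps .onion origins out of the Referer header (wording to be confirmed) would help.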
@@ -199,6 +214,8 @@ pref("privacy.partition.network_state", false); // Disable for now until audit
pref("network.cookie.cookieBehavior", 1);
pref("network.http.spdy.allow-push", false); // Disabled for now. See https://bugs.torproject.org/27127
pref("network.predictor.enabled", false); // Temporarily disabled. See https://bugs.torproject.org/16633
+// Bug 40177: Make sure tracker cookie purging is disabled
+pref("privacy.purge_trackers.enabled", false);
// Proxy and proxy security
pref("network.proxy.socks", "127.0.0.1");
@@ -207,6 +224,8 @@ pref("network.proxy.socks_remote_dns", true);
pref("network.proxy.no_proxies_on", ""); // For fingerprinting and local service vulns (#10419)
pref("network.proxy.allow_hijacking_localhost", true); // Allow proxies for localhost (#31065)
pref("network.proxy.type", 1);
+// Bug 40548: Disable proxy-bypass
+pref("network.proxy.failover_direct", false);
pref("network.security.ports.banned", "9050,9051,9150,9151");
pref("network.dns.disabled", true); // This should cover the #5741 patch for DNS leaks
pref("network.dns.disablePrefetch", true);
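Review bot: `network.proxy.failover_direct` is set with a plain `pref(...)` default, so a user.js entry or an about:config change can re-enable direct fallback. For a setting whose purpose is to keep traffic from leaving outside the proxy, consider locking it with `pref("network.proxy.failover_direct", false, locked);`, provided the prefs parser in this tree accepts the `locked` attribute. The comment `// Bug 40548: Disable proxy-bypass` would also be clearer if it said what is bypassed, presumably a direct connection when the configured proxy fails. The neighbouring proxy prefs in this hunk are unlocked too, so this may be a deliberate file-wide convention.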
@@ -307,6 +326,8 @@ pref("extensions.legacy.exceptions", "{972ce4c6-7e08-4474-a285-3208198ce6fd},tor
pref("extensions.webextensions.restrictedDomains", "");
// Bug 28896: Make sure our bundled WebExtensions are running in Private Browsing Mode
pref("extensions.allowPrivateBrowsingByDefault", true);
+// Don't give Mozilla-recommended third-party extensions special privileges.
+pref("extensions.postDownloadThirdPartyPrompt", false);
// Toolbar layout
pref("browser.uiCustomization.state", "{\"placements\":{\"widget-overflow-fixed-list\":[],\"PersonalToolbar\":[\"personal-bookmarks\"],\"nav-bar\":[\"back-button\",\"forward-button\",\"stop-reload-button\",\"urlbar-container\",\"torbutton-button\",\"security-level-button\",\"downloads-button\"],\"TabsToolbar\":[\"tabbrowser-tabs\",\"new-tab-button\",\"alltabs-button\"],\"toolbar-menubar\":[\"menubar-items\"],\"PanelUI-contents\":[\"home-button\",\"edit-controls\",\"zoom-controls\",\"new-window-button\",\"save-page-button\",\"print-button\",\"bookmarks-menu-button\",\"history-panelmenu\",\"find-button\",\"preferences-button\",\"add-ons-button\",\"developer-button\"],\"addon-bar\":[\"addonbar-closebutton\",\"status-bar\"]},\"seen\":[\"developer-button\",\"https-everywhere-eff_eff_org-browser-action\",\"_73a6fe31-595d-460b-a920-fcc0f8843232_-browser-action\"],\"dirtyAreaCache\":[\"PersonalToolbar\",\"nav-bar\",\"TabsToolbar\",\"toolbar-menubar\"],\"currentVersion\":14,\"newElementCount
\":1}");
@@ -314,6 +335,9 @@ pref("browser.uiCustomization.state", "{\"placements\":{\"widget-overflow-fixed-
// Enforce certificate pinning, see: https://bugs.torproject.org/16206
pref("security.cert_pinning.enforcement_level", 2);
+// Don't load OS client certs.
+pref("security.osclientcerts.autoload", false);
+
// Don't allow MitM via Microsoft Family Safety, see bug 21686
pref("security.family_safety.mode", 0);
@@ -453,6 +477,9 @@ pref("extensions.torbutton.pref_fixup_version", 0);
#ifdef MOZ_BUNDLED_FONTS
+// Bug 40342: Always use bundled fonts
+pref("gfx.bundled-fonts.activate", 1);
+
#ifdef XP_MACOSX
pref("font.system.whitelist", "AppleGothic, Apple Color Emoji, Arial, Courier, Geneva, Georgia, Heiti TC, Helvetica, Helvetica Neue, .Helvetica Neue DeskInterface, Hiragino Kaku Gothic ProN, Lucida Grande, Monaco, Noto Sans Armenian, Noto Sans Bengali, Noto Sans Buginese, Noto Sans Canadian Aboriginal, Noto Sans Cherokee, Noto Sans Devanagari, Noto Sans Ethiopic, Noto Sans Gujarati, Noto Sans Gurmukhi, Noto Sans Kannada, Noto Sans Khmer, Noto Sans Lao, Noto Sans Malayalam, Noto Sans Mongolian, Noto Sans Myanmar, Noto Sans Oriya, Noto Sans Sinhala, Noto Sans Tamil, Noto Sans Telugu, Noto Sans Thaana, Noto Sans Tibetan, Noto Sans Yi, STHeiti, STIX Math, Tahoma, Thonburi, Times, Times New Roman, Verdana");
pref("font.name-list.cursive.x-unicode", "Apple Chancery, Noto Sans Armenian, Noto Sans Bengali, Noto Sans Buginese, Noto Sans Canadian Aboriginal, Noto Sans Cherokee, Noto Sans Devanagari, Noto Sans Ethiopic, Noto Sans Gujarati, Noto Sans Gurmukhi, Noto Sans Kannada, Noto Sans Khmer, Noto Sans Lao, Noto Sans Malayalam, Noto Sans Mongolian, Noto Sans Myanmar, Noto Sans Oriya, Noto Sans Sinhala, Noto Sans Tamil, Noto Sans Telugu, Noto Sans Thaana, Noto Sans Tibetan, Noto Sans Yi");
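Review bot: The value `1` in `pref("gfx.bundled-fonts.activate", 1);` is a bare integer; the comment says "always" but not how that differs from the pref's other values. Consider extending it to something like `// Bug 40342: Always use bundled fonts (1 = always on, not the automatic setting)`, after confirming the value semantics against the pref's definition. That matters because the set of available fonts is a fingerprinting surface. The `#ifdef MOZ_BUNDLED_FONTS` block continues past the end of this hunk.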