[tor-bugs] #27059 [- Select a component]: Use sane about:config values
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Aug 7 10:25:25 UTC 2018
#27059: Use sane about:config values
--------------------------------------+--------------------
Reporter: floweb | Owner: (none)
Type: enhancement | Status: new
Priority: High | Milestone:
Component: - Select a component | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------+--------------------
While reading through various about:config security hardening guides, I
found several bad default values for the Tor Browser:
1. dom.event.clipboardevents.enabled = false
- Prevent websites from getting notifications when you copy, paste, or
cut something from a web page, which would also let them know which part
of the page had been selected.
2. network.http.referer.trimmingPolicy = 2
- Send only the scheme, host, and port in the Referer header
- 0 = Send the full URL in the Referer header
- 1 = Send the URL without its query string in the Referer header
- 2 = Send only the scheme, host, and port in the Referer header
3. network.http.referer.XOriginPolicy = 2
- Only send Referer header when the full hostnames match. (Note: if
you notice significant breakage, you might try 1 combined with an
XOriginTrimmingPolicy tweak below.) Source
- 0 = Send Referer in all cases
- 1 = Send Referer to same eTLD sites
- 2 = Send Referer only when the full hostnames match
4. network.http.referer.XOriginTrimmingPolicy = 2
- When sending Referer across origins, only send scheme, host, and
port in the Referer header of cross-origin requests. Source
- 0 = Send full URL in Referer
- 1 = Send URL without query string in Referer
- 2 = Only send scheme, host, and port in Referer
5. webgl.disabled = true
- WebGL is a potential security risk. Source
6. network.IDN_show_punycode = true
- Not rendering IDNs as their punycode equivalent leaves you open to
phishing attacks that can be very difficult to notice. Source
7. dom.event.contextmenu.enabled = false
- Don't allow websites to prevent use of right-click, or otherwise
mess with the context menu.
8. network.http.speculative-parallel-limit = 0
- Disable link prefetching on hover.
9. extensions.pocket.enabled = false
- Disable Firefox Pocket.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27059>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
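An added example, not part of the ticket or of Tor Browser itself: a small Python audit that parses a Firefox-style prefs.js/user.js file and reports which of the nine prefs listed in the ticket deviate from the reporter's recommended values. The prefs.js content below is a constructed sample, not a real profile.

```python
import re

# Recommended values exactly as listed in ticket #27059.
RECOMMENDED = {
    "dom.event.clipboardevents.enabled": False,
    "network.http.referer.trimmingPolicy": 2,
    "network.http.referer.XOriginPolicy": 2,
    "network.http.referer.XOriginTrimmingPolicy": 2,
    "webgl.disabled": True,
    "network.IDN_show_punycode": True,
    "dom.event.contextmenu.enabled": False,
    "network.http.speculative-parallel-limit": 0,
    "extensions.pocket.enabled": False,
}

# One Firefox pref line: user_pref("name", value); or pref("name", value);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.*?)\);\s*$')

# Constructed sample prefs.js (hypothetical profile, not a real one).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("dom.event.clipboardevents.enabled", true);
user_pref("network.http.referer.trimmingPolicy", 0);
user_pref("webgl.disabled", true);
user_pref("network.IDN_show_punycode", false);
user_pref("extensions.pocket.enabled", false);
"""

def parse_value(raw):
    """Convert the JS literal in a pref line to bool, str or int."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)

def parse_prefs(text):
    """Return {pref name: value} for every pref line in a prefs.js/user.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(prefs):
    """Return {name: (actual, recommended)} for prefs that deviate.
    actual is None when the pref is absent from the file, meaning the
    build's compiled-in default applies and must be checked separately.
    Types are compared too, so a bool never silently matches an int."""
    return {name: (prefs.get(name), want) for name, want in RECOMMENDED.items()
            if not (type(prefs.get(name)) is type(want) and prefs.get(name) == want)}
```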