Fix open issues/PRs #197 #108 #111 #236 #238 #239
Other references: #111 https://hacks.mozilla.org/2016/01/web-push-arrives-in-firefox-44/ https://developer.mozilla.org/en-US/docs/Archive/Firefox_OS/API/Simple_Push_API https://support.mozilla.org/t5/Firefox/How-to-disable-web-push-notifications-in-Firefox/m-p/1281001 https://en.wikipedia.org/wiki/Push_technology https://trac.torproject.org/projects/tor/ticket/18801 https://support.mozilla.org/t5/Basic-Browsing/Web-Push-notifications-in-Firefox/ta-p/28744 https://support.mozilla.org/t5/Firefox/How-to-stop-the-webpush-notifications/m-p/1292770 https://developer.mozilla.org/en/docs/Web/API/Push_API https://github.com/chrisdavidmills/push-api-demo Closes #111
set password storage lock timeout to 1 minute fixes #235
… NOTICE: fields, prepare work on #238 (automate section generation)
…fing: Users wanting to disable referer spoofing to workaround listed problems will still be protected against disclosing previously visited pages to target domains when clicking on a link
@pyllyukko ping, waiting for review.
Pong. Sorry about that. I've been quite busy this week and have had zero time to look into these. Will get working on these ASAP, but it might still take few days.
👍
I seem to be unable to figure out how the review functionality works 😛 Tried to do one commit at a time but failed.
user.js
Outdated
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); | ||
|
||
// PREF: ?? (disabled) | ||
// PREF: Disallow connection to servers not supporting safe renegotiation |
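Review bot: the new description "Disallow connection to servers not supporting safe renegotiation" does not match the pref it describes, whose name says treat_unsafe_negotiation_as_broken, i.e. mark the connection as broken rather than refuse it; word the PREF line after the pref's own name, and keep the "(disabled)" suffix the old line carried, since nothing in this hunk changes the setting's enabled state.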
Shouldn't this have the "(disabled)" suffix, as the setting is still disabled?
README.md
Outdated
@@ -596,6 +596,12 @@ For more information, see [CONTRIBUTING](https://github.com/pyllyukko/user.js/bl | |||
|
|||
-------------------------------------------------------------------------- | |||
|
|||
## License |
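Review bot: the added `## License` heading closes the visible hunk with nothing beneath it; if the repository already keeps its license in a separate file, link to that file from the README instead of adding a section whose text then has to be kept in sync (a later commit in this PR removes the section again, which is the simpler outcome).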
user.js
Outdated
@@ -506,19 +506,19 @@ user_pref("security.sri.enable", true); | |||
// https://en.wikipedia.org/wiki/Do_not_track_header | |||
// https://dnt-dashboard.mozilla.org | |||
// https://github.com/pyllyukko/user.js/issues/11 | |||
// NOTICE: DNT must be enabled manually | |||
// NOTICE: Do No Track must be enabled manually |
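Review bot: "Do No Track" on the last line is a typo for "Do Not Track"; since the reference links above it use the DNT abbreviation, write the line as "Do Not Track (DNT) must be enabled manually" so both the full name and the abbreviation are searchable.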
Could be "Do Not Track (DNT)"
user.js
Outdated
// TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs | ||
user_pref("network.http.referer.spoofSource", true); | ||
|
||
// PREF: Accept Only 1st Party Cookies | ||
// http://kb.mozillazine.org/Network.cookie.cookieBehavior#1 | ||
// NOTICE: Breaks a number of payment gateways | ||
// NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways |
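Review bot: the reworded NOTICE still asserts that blocking 3rd-party cookies breaks a number of payment gateways without citing anything, while the PREF line above it carries a kb.mozillazine.org reference; add an issue or bug link that names which gateways break so the claim can be re-checked later. The same sentence is also added verbatim to the README's known-problems list in this PR, so the two copies will have to be kept in sync by hand until the section generation planned in #238 exists.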
We should have some refs to back this up
README.md
Outdated
|
||
* Disabling DOM storage is known to cause`TypeError: localStorage is null` errors | ||
* IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled | ||
* Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work. |
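Review bot: the Firefox Hello entry lists setting `security.OCSP.require` to false as a plain prerequisite; since that pref controls whether a failed OCSP check blocks the connection, the entry should say that the change weakens revocation checking rather than presenting it like the two media prefs, and if Hello is no longer shipped the whole line can simply go. The first line of the hunk is also missing a space in "cause`TypeError".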
Maybe we should get rid of this, as Firefox Hello is no more?
* OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host | ||
* OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder | ||
* OCSP adds latency (performance) | ||
* Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10) |
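Review bot: `security.pki.cert_short_lifetime_in_days` on the last line is a pref name and should be formatted in backticks like `security.OCSP.require` earlier in the same list, and "default:10" reads better as "default: 10". The third bullet's "(performance)" is redundant with "adds latency" and can be dropped.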
Added #246
user.js
Outdated
// TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs | ||
user_pref("network.http.referer.spoofSource", true); | ||
|
||
// PREF: Don't send referer headers when following links across different domains | ||
// https://github.com/pyllyukko/user.js/issues/227 | ||
user_pref("network.http.referer.XOriginPolicy", 2); |
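Review bot: the TODO at the top of this hunk still says the XOriginPolicy/XOriginTrimmingPolicy = 2 prefs are commented out, but the hunk now sets `network.http.referer.XOriginPolicy` to 2; update or remove that TODO (and its #94 reference) so the two comments do not contradict each other, and note in the PREF comment that XOriginTrimmingPolicy remains untouched if that is intended.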
See here: #227 (comment)
README.md
Outdated
@@ -369,13 +370,11 @@ See also: | |||
|
|||
## Known problems | |||
|
|||
There are plenty! Hardening your browser will break your interwebs. Here's some examples: | |||
Hardening your often implies a trade-off with ease-of-use and comes with reduced functionality. Here is a list of known problems/limitations: |
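Review bot: "Hardening your often implies" on the last line is missing its noun; the sentence should read "Hardening your browser often implies a trade-off with ease-of-use and comes with reduced functionality." The rest of the rewrite is an improvement over the replaced "Here's some examples" and should stay.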
"Hardening your"... what?
README.md
Outdated
* Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon | ||
* Blocking 3rd-party cookies breaks a number of payment gateways | ||
* You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941 | ||
* Installing user.js will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27) |
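Review bot: the reference style is inconsistent across these bullets: the Bugzilla link is a bare URL after a colon, the issue link is a parenthesised URL, and the Lightbeam and payment-gateway bullets cite nothing; pick one form for the whole list and add a reference to the payment-gateway bullet, which is duplicated from the user.js NOTICE added elsewhere in this PR and currently has no source in either place.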
Maybe we should have similar refs parsing as in "what does it do" section?
add missing (disabled) suffix remove license section from readme add notice about serviceworkers breakage
Fixed all points mentioned in the review f14e293
Incomplete PR in the current state (#238 work still going on) but the first commits can be reviewed/merged independently (see commit messages):