Fix open issues/PRs #197 #108 #111 #236 #238 #239

Merged
merged 17 commits into from
Mar 19, 2017

@nodiscc nodiscc commented Mar 14, 2017

Incomplete PR in the current state (#238 work still going on) but the first commits can be reviewed/merged independently (see commit messages):

@nodiscc nodiscc changed the title from "Fix open issues/PRs 197 108 111 236, work on #238" to "Fix open issues/PRs #197 #108 #111 #236 #238" on Mar 14, 2017
…fing:

Users wanting to disable referer spoofing to work around listed problems will still be protected against disclosing previously visited pages to target domains when clicking on a link

nodiscc commented Mar 17, 2017

@pyllyukko ping, waiting for review.

@pyllyukko

> @pyllyukko ping, waiting for review.

Pong. Sorry about that. I've been quite busy this week and have had zero time to look into these. Will get working on these ASAP, but it might still take a few days.

@pyllyukko pyllyukko left a comment

👍

@pyllyukko

I seem to be unable to figure out how the review functionality works 😛 Tried to do one commit at a time but failed.

user.js Outdated
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);

// PREF: ?? (disabled)
// PREF: Disallow connection to servers not supporting safe renegotiation
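Review bot: The new PREF description on the last line drops the "(disabled)" marker that the "// PREF: ?? (disabled)" line it replaces carried. If the pref it documents stays commented out, keep the suffix, e.g. "// PREF: Disallow connection to servers not supporting safe renegotiation (disabled)". A reference link, as other PREF entries in this file carry, would also help a reader tell this entry apart from security.ssl.treat_unsafe_negotiation_as_broken directly above it.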
Owner

Shouldn't this have the "(disabled)" suffix, as the setting is still disabled?

README.md Outdated
@@ -596,6 +596,12 @@ For more information, see [CONTRIBUTING](https://github.com/pyllyukko/user.js/bl

--------------------------------------------------------------------------

## License
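Review bot: The "## License" heading added after the separator opens a section whose text has to be kept in step with whatever license file the repository ships. Suggest limiting it to one line that links to that file rather than restating the terms, or dropping the section if the license is already shown elsewhere.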
Owner

This is already quite evident at least when browsing the README through GitHub:

license

user.js Outdated
@@ -506,19 +506,19 @@ user_pref("security.sri.enable", true);
// https://en.wikipedia.org/wiki/Do_not_track_header
// https://dnt-dashboard.mozilla.org
// https://github.com/pyllyukko/user.js/issues/11
// NOTICE: DNT must be enabled manually
// NOTICE: Do No Track must be enabled manually
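Review bot: Typo in the reworded NOTICE on the last line: "Do No Track" should read "Do Not Track". Since the old line used the abbreviation and the reference links above say "Do_not_track" and "dnt", spelling it once as "// NOTICE: Do Not Track (DNT) must be enabled manually" keeps both forms searchable.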
Owner

Could be "Do Not Track (DNT)"

user.js Outdated
// TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
user_pref("network.http.referer.spoofSource", true);

// PREF: Accept Only 1st Party Cookies
// http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
// NOTICE: Breaks a number of payment gateways
// NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways
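Review bot: The reworded NOTICE on the last line states that blocking 3rd-party cookies breaks a number of payment gateways but cites nothing; the only link in this entry is the mozillazine page for the pref itself. Add an issue or bug URL under the NOTICE so the claim can be checked, and keep the wording aligned with the PREF title ("Accept Only 1st Party Cookies") so both lines describe the same setting in the same terms.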
Owner

We should have some refs to back this up

README.md Outdated

* Disabling DOM storage is known to cause`TypeError: localStorage is null` errors
* IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled
* Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work.
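Review bot: Formatting slip in the first bullet: "cause`TypeError: localStorage is null`" is missing the space before the opening backtick, which may keep the inline code from rendering. The Firefox Hello bullet is also the only one ending with a period ("to false to work."); pick one convention for the list.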
Owner

Maybe we should get rid of this, as Firefox Hello is no more?

* OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
* OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
* OCSP adds latency (performance)
* Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
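Review bot: In the last bullet the pref name is written as plain text, "(security.pki.cert_short_lifetime_in_days, default:10)", whereas the README wraps pref names in backticks elsewhere (e.g. `media.peerconnection.enabled`). Suggest putting the pref name in backticks and writing "default: 10" with a space so it can be copied into about:config without picking up punctuation.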
Owner

Added #246

user.js Outdated
// TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
user_pref("network.http.referer.spoofSource", true);

// PREF: Don't send referer headers when following links across different domains
// https://github.com/pyllyukko/user.js/issues/227
user_pref("network.http.referer.XOriginPolicy", 2);
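Review bot: The TODO two entries up still describes "commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs", but the last line of this hunk sets network.http.referer.XOriginPolicy to 2 as an active pref. Update or narrow the TODO so it only covers what is still outstanding, and consider a NOTICE line on the new entry stating what breaks when cross-domain referers are withheld, as other entries do for their side effects.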
Owner

See here: #227 (comment)

README.md Outdated
@@ -369,13 +370,11 @@ See also:

## Known problems

There are plenty! Hardening your browser will break your interwebs. Here's some examples:
Hardening your often implies a trade-off with ease-of-use and comes with reduced functionality. Here is a list of known problems/limitations:
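Review bot: The replacement sentence on the last line is missing its noun: "Hardening your often implies a trade-off" should read "Hardening your browser often implies a trade-off", matching the sentence it replaces.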
Owner

"Hardening your"... what?

README.md Outdated
* Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
* Blocking 3rd-party cookies breaks a number of payment gateways
* You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941
* Installing user.js will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27)
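Review bot: The two bullets that carry references format them differently: the private-browsing item appends a bare URL after a colon, the saved-passwords item puts it in parentheses. Use one form for the whole list, ideally a markdown link with a short label, and change "can not" to "cannot" in the private-browsing bullet.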
Owner

Maybe we should have similar refs parsing as in "what does it do" section?

add missing (disabled) suffix
remove license section from readme
add notice about serviceworkers breakage

nodiscc commented Mar 18, 2017

Fixed all points mentioned in the review f14e293

@pyllyukko pyllyukko merged commit 4659c95 into pyllyukko:master Mar 19, 2017
@nodiscc nodiscc deleted the 2017-mar branch March 19, 2017 14:58